diff --git a/.github/workflows/ScanSecrets.yaml b/.github/workflows/ScanSecrets.yaml index 137c7939e5a..eabe9b9657e 100644 --- a/.github/workflows/ScanSecrets.yaml +++ b/.github/workflows/ScanSecrets.yaml @@ -13,6 +13,5 @@ jobs: fetch-depth: 0 - name: Secret Scanning uses: trufflesecurity/trufflehog@main - continue-on-error: true with: extra_args: --exclude-paths=.script/SecretScanning/Excludepathlist --only-verified diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 06752088548..ba61823ac7c 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -42,7 +42,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -54,7 +54,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -68,4 +68,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml index 37ecc164f8b..0aa38dbf804 100644 --- a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml +++ b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml @@ -15,6 +15,7 @@ on: - 'Parsers/ASimRegistryEvent/Parsers/**' - 'Parsers/ASimUserManagement/Parsers/**' - 'Parsers/ASimDhcpEvent/Parsers/**' + - 'Parsers/ASimAlertEvent/Parsers/**' env: GITHUB_APPS_ID: "${{ secrets.APPLICATION_ID }}" 
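Review bot: With `continue-on-error: true` removed, the Secret Scanning step's exit status now gates the whole workflow, but the step is still taken from `trufflesecurity/trufflehog@main`, a floating branch ref, so any upstream change to that branch can break — or quietly weaken — a check that is now blocking. Pin the action to an immutable reference, `uses: trufflesecurity/trufflehog@<release-tag-or-commit-sha>`, and consider a one-line comment next to `--only-verified` recording that unverified findings are deliberately not reported. The rest of the job (checkout, `fetch-depth: 0`) lies before the hunk.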
diff --git a/.github/workflows/runAsimSchemaAndDataTesters.yaml b/.github/workflows/runAsimSchemaAndDataTesters.yaml index 624970622b8..42ed83b6542 100644 --- a/.github/workflows/runAsimSchemaAndDataTesters.yaml +++ b/.github/workflows/runAsimSchemaAndDataTesters.yaml @@ -17,6 +17,7 @@ on: - 'Parsers/ASimRegistryEvent/Parsers/**' - 'Parsers/ASimUserManagement/Parsers/**' - 'Parsers/ASimDhcpEvent/Parsers/**' + - 'Parsers/ASimAlertEvent/Parsers/**' # Allows you to run this workflow manually from the Actions tab workflow_dispatch: @@ -192,8 +193,6 @@ jobs: # Execute the script & $filePath azPSVersion: "latest" - errorActionPreference: continue - failOnStandardError: false Run-ASim-Parser-Filtering-Tests: needs: Run-ASim-Sample-Data-Ingest name: Run ASim Parser Filtering tests diff --git a/.script/dataConnectorValidator.ts b/.script/dataConnectorValidator.ts index 7b5e1218674..be340c4cc62 100644 --- a/.script/dataConnectorValidator.ts +++ b/.script/dataConnectorValidator.ts @@ -26,7 +26,11 @@ export async function IsValidDataConnectorSchema(filePath: string): Promise + Version: '0.1.0' + LastUpdated: +Product: + Name: +Normalization: + Schema: AlertEvent + Version: '' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https:/aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the logs to the ASIM 'Alert' normalized schema. +ParserName: +EquivalentBuiltInParser: <_ASim_AlertEvent_Vendor+Product> +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let parser = ( + disabled:bool = false + ) + { + + }; + parser (disabled = disabled) diff --git a/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml index 2f8ec699ed3..35e359b4374 100644 --- a/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml 
@@ -1,6 +1,6 @@ Parser: Title: ASIM Audit Event parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing the logs to the ASIM Audit Event normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_AuditEvent_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_AuditEvent_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml index 44a226ee176..8e0f5393134 100644 --- a/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: ASIM Authentication parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing the logs to the ASIM Authentication normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_Authentication_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_Authentication_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml index 9701611d7d3..e6d0f702dbf 100644 --- a/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing logs to the ASIM Dhcp normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_DhcpEvent_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_DhcpEvent_Vendor+Product ParserParams: - Name: disabled Type: bool 
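Review bot: In ASimDhcpEventTemplate.yaml the new line `EquivalentBuiltInParser: <_ASim_DhcpEvent_Vendor+Product` lacks its closing angle bracket, so the placeholder no longer has the `<...>` form every sibling template uses; it should read `EquivalentBuiltInParser: <_ASim_DhcpEvent_Vendor+Product>`. The same slip appears in ASimWebSessionTemplate.yaml (`<_ASim_WebSession_Vendor+Product`). Because these templates are copied verbatim by parser authors, a malformed placeholder is likely to be propagated into real parser files before anyone notices.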
diff --git a/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml index c0ce303cec3..4b528a04936 100644 --- a/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: DNS activity ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM parser supports normalizing the logs to the ASIM DNS activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_Dns_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_Dns_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml index 9b60011a994..feb51701aec 100644 --- a/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: File events ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM parser supports normalizing the logs to the ASIM file activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_FileEvent_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_FileEvent_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml index 516be25e466..9d13fe70153 100644 --- a/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Network Session ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: 
@@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing logs to the ASIM Network Session normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_NetworkSession_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_NetworkSession_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml index 5fb4ab297c6..4d323e6cc4b 100644 --- a/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Process event ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ references: Link: https:/aka.ms/AboutASIM Description: This ASIM parser supports normalizing the logs to the ASIM process event normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_ProcessEvent_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_ProcessEvent_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml index 9b2d1aaf059..f7fc02357af 100644 --- a/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Registry Event ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing logs to the ASIM Registry event normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_RegistryEvent_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_RegistryEvent_Vendor+Product> ParserParams: - Name: disabled Type: bool 
diff --git a/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml index 25aee7cfddd..20e8ffbac02 100644 --- a/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: User Management activity ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM parser supports normalizing the logs to the ASIM User Management activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_UserManagement_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_UserManagement_Vendor+Product> ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml index abbeb912d92..ce935389811 100644 --- a/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Web Session ASIM parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM parser supports normalizing logs to the ASIM Web Session normalized schema. -ParserName: -EquivalentBuiltInParser: <_ASim_WebSession_Product> +ParserName: +EquivalentBuiltInParser: <_ASim_WebSession_Vendor+Product ParserParams: - Name: disabled Type: bool diff --git a/ASIM/dev/Parser YAML templates/vimAlertEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimAlertEventTemplate.yaml new file mode 100644 index 00000000000..f82271cfa02 --- /dev/null +++ b/ASIM/dev/Parser YAML templates/vimAlertEventTemplate.yaml 
@@ -0,0 +1,82 @@ +Parser: + Title: Alert Event ASIM filtering parser for + Version: '0.1.0' + LastUpdated: +Product: + Name: +Normalization: + Schema: AlertEvent + Version: '' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https:/aka.ms/AboutASIM +Description: | + This ASIM filtering parser supports normalizing the logs to the ASIM Alert normalized schema. +ParserName: +EquivalentBuiltInParser: <_Im_AlertEvent_Vendor+Product> +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktactics_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktechniques_has_any + Type: dynamic + Default: dynamic([]) + - Name: threatcategory_has_any + Type: dynamic + Default: dynamic([]) + - Name: alertverdict_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventseverity_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let parser = ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + disabled:bool=false + ) + { + + }; + parser ( + starttime = starttime, + endtime = endtime, + ipaddr_has_any_prefix = ipaddr_has_any_prefix, + hostname_has_any = hostname_has_any, + username_has_any = username_has_any, + attacktactics_has_any = attacktactics_has_any, + 
attacktechniques_has_any = attacktechniques_has_any, + threatcategory_has_any = threatcategory_has_any, + alertverdict_has_any = alertverdict_has_any, + eventseverity_has_any = eventseverity_has_any, + disabled = disabled + ) diff --git a/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml index 3b4a2fc7d01..28fbaca7695 100644 --- a/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Audit Event ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM filtering parser supports normalizing the logs to the ASIM Audit Event normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_AuditEvent_Product> +ParserName: +EquivalentBuiltInParser: <_Im_AuditEvent_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml b/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml index 5df2091d903..b9f093f108b 100644 --- a/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Authentication ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM filtering parser supports filtering and normalizing the logs to the ASIM authentication normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_Authentication_Product> +ParserName: +EquivalentBuiltInParser: <_Im_Authentication_Vendor+Product> ParserParams: - Name: starttime Type: datetime 
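Review bot: The new vimAlertEventTemplate.yaml reference entry `Link: https:/aka.ms/AboutASIM` has a single slash after the scheme, so the link is malformed in a file meant to be copied verbatim; it should be `Link: https://aka.ms/AboutASIM`, matching the `ASimAlertEventDoc` link two lines above it. Several existing templates in this diff carry the same single-slash link as unchanged context, so a follow-up sweep across the directory seems worthwhile. `Normalization.Version` is left as `''` while `Parser.Version` is set to `'0.1.0'`; if that is intentional (the schema version is filled in per parser), a short comment such as `# set to the AlertEvent schema version the parser targets` would stop it being read as an omission.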
diff --git a/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml index 4a10b9ee264..a07c0f1a862 100644 --- a/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM filtering parser supports filtering and normalizing the logs to the ASIM authentication normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_DhcpEvent_Product> +ParserName: +EquivalentBuiltInParser: <_Im_DhcpEvent_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml b/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml index 8d85587e4f2..bb4cdd22515 100644 --- a/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: DNS activity ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM filtering parser supports filtering and normalizing the logs to the ASIM DNS activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_Dns_Product> +ParserName: +EquivalentBuiltInParser: <_Im_Dns_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml index d153ea2c5f1..c3fa3de879e 100644 --- a/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: File events ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: 
@@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM filtering parser supports normalizing the logs to the ASIM file activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_FileEvent_Product> +ParserName: +EquivalentBuiltInParser: <_Im_FileEvent_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml index 43cb268866d..8d238ca37a3 100644 --- a/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Network Session ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM filtering parser supports filtering and normalizing logs to the ASIM Network Session normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_NetworkSession_Product> +ParserName: +EquivalentBuiltInParser: <_Im_NetworkSession_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml index 6d29557cbdf..23f09bdace1 100644 --- a/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Process event ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ references: Link: https:/aka.ms/AboutASIM Description: This ASIM filtering parser supports normalizing the logs to the ASIM process event normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_ProcessEvent_Product> +ParserName: +EquivalentBuiltInParser: <_Im_ProcessEvent_Vendor+Product> ParserParams: - Name: starttime Type: datetime 
diff --git a/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml index 0c3c985f48d..1b5b8142965 100644 --- a/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: Registry Event ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM filtering parser supports normalizing logs to the ASIM Registry event normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_RegistryEvent_Product> +ParserName: +EquivalentBuiltInParser: <_Im_RegistryEvent_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml b/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml index fcbc9181939..4d13c60d852 100644 --- a/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml @@ -1,6 +1,6 @@ Parser: Title: User Management activity ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | This ASIM filtering parser supports normalizing the logs to the ASIM User Management activity normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_UserManagement_Product> +ParserName: +EquivalentBuiltInParser: <_Im_UserManagement_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml index a2291be6ded..b958e0e61b9 100644 --- a/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml +++ b/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml 
@@ -1,6 +1,6 @@ Parser: Title: Web Session ASIM filtering parser for - Version: '' + Version: '0.1.0' LastUpdated: Product: Name: @@ -14,8 +14,8 @@ References: Link: https:/aka.ms/AboutASIM Description: | This ASIM filtering parser supports filtering and normalizing logs to the ASIM Web Session normalized schema. -ParserName: -EquivalentBuiltInParser: <_Im_WebSession_Product> +ParserName: +EquivalentBuiltInParser: <_Im_WebSession_Vendor+Product> ParserParams: - Name: starttime Type: datetime diff --git a/DataConnectors/AWS-S3-AzureFunction/azuredeploy_awss3.json b/DataConnectors/AWS-S3-AzureFunction/azuredeploy_awss3.json index bcb68d5a9be..270b2555c00 100644 --- a/DataConnectors/AWS-S3-AzureFunction/azuredeploy_awss3.json +++ b/DataConnectors/AWS-S3-AzureFunction/azuredeploy_awss3.json @@ -198,7 +198,7 @@ "alwaysOn": true, "reserved": true, "siteConfig": { - "linuxFxVersion": "python|3.8" + "linuxFxVersion": "python|3.9" }, "serverFarmId": "[concat('/subscriptions/', subscription().subscriptionId,'/resourcegroups/', resourceGroup().name, '/providers/Microsoft.Web/serverfarms/', variables('HostingPlanName'))]" }, diff --git a/DataConnectors/AWS-S3/CloudWatchLambdaFunction.py b/DataConnectors/AWS-S3/CloudWatchLambdaFunction.py index 94495eae20e..3aec727392f 100644 --- a/DataConnectors/AWS-S3/CloudWatchLambdaFunction.py +++ b/DataConnectors/AWS-S3/CloudWatchLambdaFunction.py @@ -13,7 +13,7 @@ # Please set the following parameters: LOG_GROUP_NAME = os.environ['LOG_GROUP_NAME'] # Please enter log group name -LOG_STREAM_NAME = os.environ['LOG_STREAM_NAME'] # Please enter log stream name +LOG_STREAM_PREFIX = os.environ['LOG_STREAM_PREFIX'] # Please enter log stream prefix BUCKET_NAME = os.environ['BUCKET_NAME'] # Please enter bucket name BUCKET_PREFIX = os.environ['BUCKET_PREFIX'] # Please enter bucket prefix that ends with '/' , if no such, leave empty OUTPUT_FILE_NAME = os.environ['OUTPUT_FILE_NAME'] # Please change to desired name 
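Review bot: Renaming the environment variable from `LOG_STREAM_NAME` to `LOG_STREAM_PREFIX` is a breaking change for existing deployments: `os.environ['LOG_STREAM_PREFIX']` raises `KeyError` at module import time if the old variable is the one still configured, and that happens outside the `try` in `lambda_handler`. If the deployment instructions or template that set this variable live elsewhere in the repo they need the same rename; otherwise a transition comment such as `# LOG_STREAM_PREFIX replaces LOG_STREAM_NAME; selects every stream whose name starts with this value` would help operators. Note also that an empty value is not a wildcard here — the CloudWatch Logs API appears to require a non-empty `logStreamNamePrefix`, so the inline "Please enter" hint should say the value must be non-empty; confirm against the API reference.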
@@ -29,36 +29,49 @@ def lambda_handler(event, context): unix_start_time = int(time.mktime(START_TIME_UTC.timetuple()))*1000 unix_end_time = int(time.mktime(END_TIME_UTC.timetuple()))*1000 try: - # Gets objects from cloud watch - response = logs.get_log_events( + # Get log streams that match the prefix + log_streams_response = logs.describe_log_streams( logGroupName=LOG_GROUP_NAME, - logStreamName=LOG_STREAM_NAME, - startTime=unix_start_time, - endTime=unix_end_time, + logStreamNamePrefix=LOG_STREAM_PREFIX # Use the prefix for the log stream ) - - # Convert events to json object - json_string = json.dumps(response) - json_object = json.loads(json_string) - - df = pd.DataFrame(json_object['events']) - if df.empty: - print('No events for specified time') - return None - - # Convert unix time to zulu time for example from 1671086934783 to 2022-12-15T06:48:54.783Z - df['timestamp'] = pd.to_datetime(df['timestamp'], unit='ms') - df['timestamp'] = df['timestamp'].dt.strftime('%Y-%m-%dT%H:%M:%S.%f').str[:-3]+'Z' - - # Remove unnecessary column - fileToS3 = df.drop(columns=["ingestionTime"]) - # Export data to temporary file in the right format, which will be deleted as soon as the session ends - fileToS3.to_csv( f'/tmp/{OUTPUT_FILE_NAME}.gz', index=False, header=False, compression='gzip', sep = ' ', escapechar=' ', doublequote=False, quoting=csv.QUOTE_NONE) - - # Upload data to desired folder in bucket - s3.Bucket(BUCKET_NAME).upload_file(f'/tmp/{OUTPUT_FILE_NAME}.gz', f'{BUCKET_PREFIX}{OUTPUT_FILE_NAME}.gz') + # Iterate over the log streams and fetch log events for each + for log_stream in log_streams_response['logStreams']: + log_stream_name = log_stream['logStreamName'] + + # Gets objects from cloud watch + response = logs.get_log_events( + logGroupName=LOG_GROUP_NAME, + logStreamName=log_stream_name, + startTime=unix_start_time, + endTime=unix_end_time, + ) + + # Convert events to json object + json_string = json.dumps(response) + json_object = json.loads(json_string) 
+ + df = pd.DataFrame(json_object['events']) + print(unix_start_time) + if df.empty: + print('No events for specified time in the log stream', log_stream_name) + continue + + # Convert unix time to zulu time for example from 1671086934783 to 2022-12-15T06:48:54.783Z + df['timestamp'] = pd.to_datetime(df['timestamp'], unit='ms') + df['timestamp'] = df['timestamp'].dt.strftime('%Y-%m-%dT%H:%M:%S.%f').str[:-3]+'Z' + + # Remove unnecessary column + fileToS3 = df.drop(columns=["ingestionTime"]) + + sanitized_stream_name = log_stream_name.replace('/', '_') + + # Export data to temporary file in the right format, which will be deleted as soon as the session ends + fileToS3.to_csv( f'/tmp/{OUTPUT_FILE_NAME}_{sanitized_stream_name}.gz', index=False, header=False, compression='gzip', sep = ' ', escapechar=' ', doublequote=False, quoting=csv.QUOTE_NONE) + + # Upload data to desired folder in bucket + s3.Bucket(BUCKET_NAME).upload_file(f'/tmp/{OUTPUT_FILE_NAME}_{sanitized_stream_name}.gz', f'{BUCKET_PREFIX}{OUTPUT_FILE_NAME}_{sanitized_stream_name}.gz') + except Exception as e: - print(" Error exporting %s: %s" % (LOG_GROUP_NAME, getattr(e, 'message', repr(e)))) - + print(" Error exporting %s: %s" % (LOG_GROUP_NAME, getattr(e, 'message', repr(e)))) \ No newline at end of file diff --git a/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml b/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml index e6f298983a2..df4836794a3 100644 --- a/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml +++ b/Detections/CommonSecurityLog/MultiVendor-PossibleDGAContacts.yaml 
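Review bot: `logs.describe_log_streams` is called once and only the first page of `logStreams` is iterated, so streams beyond the API's page size are silently skipped — the response's `nextToken` is never consumed, and the broad `except` means nothing signals the gap. Using the client's paginator fixes this without touching the per-stream logic. Two smaller points: `print(unix_start_time)` inside the loop looks like a leftover debug print, and the per-stream `/tmp/...gz` file is never removed, so a group with many streams can exhaust the function's ephemeral storage; an `os.remove(...)` after `upload_file` would bound that. `lambda_handler` begins before the hunk (the start/end-time computation is only partly visible).
```python
        # Page through every stream matching the prefix; a single
        # describe_log_streams call returns only the first page.
        paginator = logs.get_paginator('describe_log_streams')
        for page in paginator.paginate(logGroupName=LOG_GROUP_NAME, logStreamNamePrefix=LOG_STREAM_PREFIX):
            for log_stream in page['logStreams']:
                log_stream_name = log_stream['logStreamName']
                # … unchanged: get_log_events, DataFrame conversion, to_csv, upload_file …
```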
@@ -4,7 +4,8 @@ description: | 'Identifies contacts with domains names in CommonSecurityLog that might have been generated by a Domain Generation Algorithm (DGA). DGAs can be used by malware to generate rendezvous points that are difficult to predict in advance. This detection uses the Alexa Top 1 million domain names to build a model of what normal domains look like. It uses this to identify domains that may have been randomly generated by an algorithm. The triThreshold is set to 500 - increase this to report on domains that are less likely to have been randomly generated, decrease it for more likely. - The start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported.' + The start time and end time look back over 6 hours of data and the dgaLengthThreshold is set to 8 - meaning domains whose length is 8 or more are reported. + NOTE - The top1M csv zip file used in the query is dynamic and may produce different results over various time periods. It's important to cross-check the events against the entities involved in the incident.' severity: Medium requiredDataConnectors: - connectorId: Zscaler @@ -118,7 +119,7 @@ entityMappings: fieldMappings: - identifier: DomainName columnName: Name -version: 1.0.5 +version: 1.0.6 kind: Scheduled metadata: source: diff --git a/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml b/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml index 9a8ccd83601..6a1131490ed 100644 --- a/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml +++ b/Detections/MultipleDataSources/AADHostLoginCorrelation.yaml @@ -41,7 +41,7 @@ query: | let suspicious_signins = table(tableName) | where ResultType !in ("0", "50125", "50140") - | where IPAddress !in ('127.0.0.1', '::1') + | where IPAddress !in ('127.0.0.1', '::1', '') | summarize count() by IPAddress | where count_ > signin_threshold | summarize make_set(IPAddress); 
@@ -115,7 +115,7 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpAddress -version: 1.3.1 +version: 1.3.2 kind: Scheduled metadata: source: @@ -125,4 +125,4 @@ metadata: support: tier: Community categories: - domains: [ "Security - Others", "Identity" ] \ No newline at end of file + domains: [ "Security - Others", "Identity" ] diff --git a/Hunting Queries/DeviceProcess/VScodeExtensionofanUser.yaml b/Hunting Queries/DeviceProcess/VScodeExtensionofanUser.yaml new file mode 100644 index 00000000000..09d36696a1f --- /dev/null +++ b/Hunting Queries/DeviceProcess/VScodeExtensionofanUser.yaml 
@@ -0,0 +1,45 @@ +id: 75830932-794e-4a18-b62f-cc2a010080b5 +name: List all the VScode Extensions which are installed on a user system +description: | + 'Detects potentially malicious Visual Studio Code (VSCode) extensions installed on a users system, which threat actors might use to control devices and exfiltrate personal information. + Ref: https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/' +requiredDataConnectors: + - connectorId: MicrosoftThreatProtection + dataTypes: + - DeviceProcessEvents +tactics: + - Persistence +relevantTechniques: + - T1547.006 +query: | + DeviceProcessEvents + | where ProcessCommandLine contains "VSIxs" or ProcessCommandLine contains "vsce-sign.exe" + | extend ExtensionName = case( + ProcessCommandLine contains "vsce-sign.exe", extract('CachedExtensionVSIXs\\\\([^\\s"]+)', 1, ProcessCommandLine), + ProcessCommandLine contains "VSIxs", extract('CachedExtensionVSIXs/([^"]+)', 1, ProcessCommandLine), + "") + | extend ExtensionName = iif(isempty(ExtensionName), "", ExtensionName) + | summarize ExtensionName = make_set(ExtensionName) ,count() by DeviceName, AccountName +entityMappings: + - entityType: File + fieldMappings: + - identifier: Name + columnName: ExtensionName + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: DeviceName + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountName +version: 1.0.1 +metadata: + source: + kind: Community + author: + name: Anish Bhowmick + support: + tier: Community + categories: + domains: [ "Security - Threat Protection" ] \ No newline at end of file diff --git a/Logos/CTERA_Logo.svg b/Logos/CTERA_Logo.svg new file mode 100644 index 00000000000..4217888dfc1 --- /dev/null +++ b/Logos/CTERA_Logo.svg @@ -0,0 +1,228 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file 
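Review bot: The line `| extend ExtensionName = iif(isempty(ExtensionName), "", ExtensionName)` is a no-op — when `ExtensionName` is empty it is replaced with the empty string it already holds — so rows where neither `extract` matched still contribute `""` to the `make_set`. Replacing it with `| where isnotempty(ExtensionName)` keeps the set clean and avoids emitting a File entity with an empty name. Two documentation points: the `name` and `description` say the query detects malicious extensions, but it lists every extension observed in `DeviceProcessEvents` with no indicator check, so the description should state that triage of the listed names is manual; and `T1547.006` covers kernel modules and extensions rather than IDE extensions, so the technique mapping is worth re-checking. `version: 1.0.1` on a brand-new file also reads as if an earlier revision existed; `1.0.0` is the conventional starting point.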
diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
new file mode 100644
index 00000000000..64b4cf2a02d
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimAlertEvent",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Alert Event ASIM parser",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAlertEvent",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAlertEventEmpty,\n ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))\n}; \nparser (pack=pack)\n",
+ "version": 1,
+ "functionParameters": "pack:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/README.md b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/README.md
new file mode 100644
index 00000000000..dd7d8c8df5d
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/README.md
@@ -0,0 +1,18 @@
+# Source agnostic ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for Source agnostic.
+
+This ASIM parser supports normalizing Alert logs from all supported sources to the ASIM Alert normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+
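Review bot: `pack` is declared in `functionParameters` and forwarded via `parser (pack=pack)`, but the union body never uses it, and the two source parsers it calls accept only `disabled` (their `functionParameters` elsewhere in this diff is `disabled:bool=False`), so `ASimAlertEvent(pack=true)` silently behaves like `pack=false`. If this mirrors the other ASIM union parsers, a one-line comment in the query such as `// pack is accepted for interface compatibility and not applied by the source parsers` would save the next reader from looking for where it takes effect; otherwise the source parsers need a `pack` parameter before it is forwarded.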
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEvent%2FASimAlertEvent.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEvent%2FASimAlertEvent.json) diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json new file mode 100644 index 00000000000..9184630b92e --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAlertEventMicrosoftDefenderXDR", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM parser for Microsoft Defender XDR", + "category": "ASIM", + "FunctionAlias": "ASimAlertEventMicrosoftDefenderXDR", + "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n[\n\"User\", \"User\",\n\"Machine\", \"Host\",\n\"Process\", \"Process\",\n\"File\", \"File\",\n\"Ip\", \"Ip\",\n\"Url\", \"Url\",\n\"RegistryValue\", \"Registry\",\n\"CloudLogonSession\", \"LogonSession\",\n\"CloudApplication\", \"Application\",\n\"Mailbox\", \"Mailbox\",\n\"MailMessage\", \"Email\",\n\"CloudResource\", \"Cloud Resource\"\n];\nlet IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n];\nlet RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n];\nlet AlertVerdictLookup = datatable 
(AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n];\nlet AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\nlet ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet parser = (\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n // Mapping Inspection Fields\n | extend \n EventUid = AlertId,\n AlertName = Title,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),\n AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == \"Active\", \"Active\", \"Closed\"), \"\"),\n DetectionMethod = DetectionSource\n | lookup AlertVerdictLookup on AlertVerdict_Custom\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountUpn, 
tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend DvcIdType = iif(isnotempty(DvcId), \"MDEid\", \"\")\n | invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = AdditionalFields.ProcessId,\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = AdditionalFields.Publisher,\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n 
ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n FileDirectory = FolderPath,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n FileMD5 = AdditionalFields.FileHashes[1].Value,\n FileSize = FileSize\n // Mapping Url Entity\n | extend \n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValue = RegistryValueName,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n | lookup RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend \n EmailMessageId = NetworkMessageId,\n EmailSubject\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s\n )\n // Mapping common event fields\n | extend\n 
EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = ServiceSource,\n EventVendor = 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // MApping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username\n | project-away\n Title,\n Categories,\n EntityType,\n EvidenceRole,\n DetectionSource,\n ServiceSource,\n ThreatFamily,\n RemoteIP,\n RemoteUrl,\n AccountName,\n AccountDomain,\n DeviceName,\n LocalIP,\n AlertVerdict_Custom,\n EvidenceDirection,\n Account*,\n ApplicationId,\n Application,\n *_s\n};\nparser(\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/README.md b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/README.md new file mode 100644 index 00000000000..8e655ffa98b --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/README.md @@ -0,0 +1,18 @@ +# Microsoft Defender XDR ASIM AlertEvent Normalization Parser + +ARM template for ASIM AlertEvent schema parser for Microsoft Defender XDR. + +This ASIM parser supports normalizing the Microsoft Defender XDR logs to the ASIM Alert normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc) + +
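Review bot: `ParentProcessSHA1_s` is computed but never included in the `bag_pack(...)` that rebuilds `AdditionalFields`, and the closing `project-away ... *_s` then drops it, so the parent process SHA1 is lost while SHA256 and MD5 are kept; add `"ParentProcessSHA1", ParentProcessSHA1_s,` to the pack list. The three parent hash fields also index `AdditionalFields.ParentProcess.ImageFile` positionally (`[0].SHA1`, `[2].SHA256`, `[1].MD5`) while the name mapping a few lines earlier treats `ImageFile` as an object (`ImageFile.Directory`, `ImageFile.Name`); if it is an object, the indexed reads always return null — worth confirming against a real AlertEvidence record, as is `FileHashes[1].Value` for `FileMD5`. `Cryptominor` in `ThreatCategorySet` (and in the SentinelOne parser's `ThreatCategoryArray`) looks like a misspelling; if the schema value is spelled differently, alerts in that category get an empty `ThreatCategory`, so check it against the AlertEvent schema reference. Minor: the comment `// MApping Alias` has a typo.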
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventMicrosoftDefenderXDR%2FASimAlertEventMicrosoftDefenderXDR.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventMicrosoftDefenderXDR%2FASimAlertEventMicrosoftDefenderXDR.json) diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json new file mode 100644 index 00000000000..8a16b3f6868 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAlertEventSentinelOneSingularity", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM parser for SentinelOne Singularity platform", + "category": "ASIM", + "FunctionAlias": "ASimAlertEventSentinelOneSingularity", + "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", 
\"Reputation\"\n];\nlet parser = (\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n 
Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/README.md b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/README.md new file mode 100644 index 00000000000..33136ba8125 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/README.md @@ -0,0 +1,18 @@ +# SentinelOne ASIM AlertEvent Normalization Parser + +ARM template for ASIM AlertEvent schema parser for SentinelOne. + +This ASIM parser supports normalizing the SentinelOne alerts to the ASIM Alert normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc) + +
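Review bot: `DvcDomainType = "Windows"` is hard-coded while `DvcOs` is taken from `agentRealtimeInfo_agentOsName_s`, so a Linux or macOS agent is reported with a Windows domain type; at minimum tie it to the domain being present, `DvcDomainType = iif(isnotempty(agentRealtimeInfo_agentDomain_s), "Windows", "")`, and confirm the agent's domain value is a Windows domain rather than an FQDN before keeping "Windows". The `AttackTactics` regex `'"([^T][^0-9]+)"'` is a heuristic that treats any indicator name not starting with `T` and containing no digit as a tactic, so tactic names containing digits are silently dropped and the assumption deserves a comment in the query. `event_name_s in ("Threats.")` with a trailing period cannot be verified from here; confirm it matches the value the connector actually writes.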
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventSentinelOneSingularity%2FASimAlertEventSentinelOneSingularity.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventSentinelOneSingularity%2FASimAlertEventSentinelOneSingularity.json) diff --git a/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json b/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json new file mode 100644 index 00000000000..511d954dd5f --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json 
@@ -0,0 +1,163 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAlertEvent",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAlertEventMicrosoftDefenderXDR",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAlertEventSentinelOneSingularity",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/ASimAlertEventSentinelOneSingularity/ASimAlertEventSentinelOneSingularity.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedimAlertEvent",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAlertEventEmpty",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAlertEventMicrosoftDefenderXDR",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAlertEventSentinelOneSingularity",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAlertEvent/ARM/README.md b/Parsers/ASimAlertEvent/ARM/README.md
new file mode 100644
index 00000000000..16b73ae5710
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/README.md
@@ -0,0 +1,17 @@
+# Advanced Security Information Model (ASIM) AlertEvent parsers
+
+This template deploys all ASIM AlertEvent parsers.
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimAlertEventARM) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimAlertEventARMgov)
+
+
diff --git a/Parsers/ASimAlertEvent/ARM/imAlertEvent/README.md b/Parsers/ASimAlertEvent/ARM/imAlertEvent/README.md new file mode 100644 index 00000000000..fa5309b353d --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/imAlertEvent/README.md @@ -0,0 +1,18 @@ +# Source agnostic ASIM AlertEvent Normalization Parser + +ARM template for ASIM AlertEvent schema parser for Source agnostic. + +This ASIM parser supports filtering and normalizing Alert logs from all supported sources to the ASIM 'Alert' normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FimAlertEvent%2FimAlertEvent.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FimAlertEvent%2FimAlertEvent.json) diff --git a/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json b/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json new file mode 100644 index 00000000000..62cf5a1abda --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "imAlertEvent", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imAlertEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n 
pack:bool=false)\n{\nunion isfuzzy=true\n vimAlertEventEmpty,\n vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),\n vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),pack:bool=False" + } + } + ] + } + ] +} \ No newline 
at end of file
diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/README.md b/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/README.md
new file mode 100644
index 00000000000..b64b1516851
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/README.md
@@ -0,0 +1,18 @@
+# Microsoft ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for Microsoft.
+
+This function returns an empty ASIM Dhcp Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
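Review bot: The per-source exclusion keys checked inside the union, `'ExcludevimAlertMicrosoftDefenderXDR'` and `'ExcludevimAlertSentinelOneSingularity'`, drop the word "Event" and so match neither the functions they are meant to disable (`vimAlertEventMicrosoftDefenderXDR`, `vimAlertEventSentinelOneSingularity`) nor the pattern the ASim counterpart uses in Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml (`'ExcludeASimAlertEventMicrosoftDefenderXDR'`); an operator who adds the conventional `Exclude<parser name>` entry to the ASimDisabledParsers watchlist will not disable either source parser. Renaming them to `'ExcludevimAlertEventMicrosoftDefenderXDR'` and `'ExcludevimAlertEventSentinelOneSingularity'` restores the convention, and since this template is presumably generated from a YAML source not in this chunk, the rename belongs there too. Separately, `pack` is declared on the inner `parser` and forwarded by the outer call but never read, here and in the ASimAlertEvent.yaml hunk; if that is intentional for signature parity with other schemas, a comment such as `// pack is accepted for signature parity and has no effect in this schema` would save the next reader a search.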
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventEmpty%2FvimAlertEventEmpty.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventEmpty%2FvimAlertEventEmpty.json)
diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json
new file mode 100644
index 00000000000..d47f9a14ad1
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventEmpty/vimAlertEventEmpty.json
@@ -0,0 +1,45 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAlertEventEmpty", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimAlertEventEmpty", + "query": "let EmptyAlertEvents =datatable (\n TimeGenerated:datetime\n, _ResourceId:string\n, Type:string\n// ****** Event fields ******\n, AdditionalFields:dynamic\n, EventCount:int\n, EventType:string\n, EventProduct:string\n, EventProductVersion:string\n, EvenMessage:string\n, EventVendor:string\n, EventSchema:string\n, EventSchemaVersion:string\n, EventSeverity:string\n, EventOriginalSeverity:string\n, EventSubType:string\n, EventOriginalUid:string\n, EventOwner:string\n, EventOriginalType:string\n, EventOriginalSubType:string\n, EventEndTime:datetime\n, EventReportUrl:string\n, EventResult:string\n, EventStartTime:datetime\n, EventUid:string\n//****** Device fields ******\n, DvcAction:string\n, DvcDescription:string\n, DvcId:string\n, DvcIdType:string\n, DvcInterface:string\n, DvcHostname:string\n, DvcDomain:string\n, 
DvcDomainType:string\n, DvcIpAddr:string\n, DvcOs:string\n, DvcOsVersion:string\n, DvcMacAddr:string\n, DvcOriginalAction:string\n, DvcScope:string\n, DvcScopeId:string\n, DvcFQDN:string\n, DvcZone:string\n//****** Inspection fields ******\n, AlertId:string\n, AlertName:string\n, AlertDescription:string\n, AlertStatus:string\n, AlertOriginalStatus:string\n, AlertVerdict:string\n, AttackTactics:string\n, AttackTechniques:string\n, AttackRemediationSteps:string\n, IndicatorType:string\n, IndicatorAssociation:string\n, DetectionMethod:string\n, Rule: string\n, RuleNumber:int\n, RuleName:string\n, RuleDescription:string\n, ThreatId:string\n, ThreatName:string\n, ThreatFirstReportedTime:datetime\n, ThreatLastReportedTime:datetime\n, ThreatCategory:string\n, ThreatOriginalCategory:string\n, ThreatIsActive:bool\n, ThreatRiskLevel:int\n, ThreatOriginalRiskLevel:string\n, ThreatConfidence:int\n, ThreatOriginalConfidence:string\n//****** Source User fields ******\n, UserId:string\n, UserTdType:string\n, Username:string\n, UsernameType:string\n, UserType:string\n, OriginalUserType:string\n, SessionId:string\n, UserScopeId:string\n, UserScope:string\n//****** Process fields ******\n, ProcessId:string\n, ProcessName:string\n, ProcessCommandLine:string\n, ProcessFileCompany:string\n//****** File fields ******\n, FileName:string\n, FilePath:string\n, FileSHA1:string\n, FileMD5:string\n, FileSHA256:string\n, FileSize:int\n//****** Registry fields ******\n, RegistryKey:string\n, RegistryValue:string\n, RegistryValueType:string\n, RegistryValueData:string\n//****** Email fields ******\n, EmailSubject:string\n, EmailMessageId:string\n//****** Url fields ******\n, Url:string\n//****** Aliases ******\n, IpAddr:string\n, Hostname:string\n, User:string\n)[];\nEmptyAlertEvents", + "version": 1 + } + } + ] + } + ] +} \ No newline at end of file 
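Review bot: Two column names in the empty datatable are misspelled, `EvenMessage:string` and `UserTdType:string`; the Microsoft Defender XDR parser in this same diff emits `UserIdType`, and the event field is presumably meant to be `EventMessage`. Because the unifying parsers union this table with `isfuzzy=true`, consumers will see both the misspelled and the correctly named column instead of one typed column, which defeats the purpose of the schema function. Rename them to `, EventMessage:string` and `, UserIdType:string` (in the YAML source this template is built from as well). The README added next to this template still describes the function as returning an "empty ASIM Dhcp Event schema", a leftover from the template it was copied from.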
diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/README.md b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/README.md
new file mode 100644
index 00000000000..31caa77e5c1
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/README.md
@@ -0,0 +1,18 @@
+# Microsoft Defender XDR ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for Microsoft Defender XDR.
+
+This ASIM parser supports normalizing and filtering the Microsoft Defender XDR logs to the ASIM Alert normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventMicrosoftDefenderXDR%2FvimAlertEventMicrosoftDefenderXDR.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventMicrosoftDefenderXDR%2FvimAlertEventMicrosoftDefenderXDR.json)
diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json
new file mode 100644
index 00000000000..8656327fbc5
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAlertEventMicrosoftDefenderXDR", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM filtering parser for Microsoft Defender XDR", + "category": "ASIM", + "FunctionAlias": "vimAlertEventMicrosoftDefenderXDR", + "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n [\n \"User\", \"User\",\n \"Machine\", \"Host\",\n \"Process\", \"Process\",\n \"File\", \"File\",\n \"Ip\", \"Ip\",\n \"Url\", \"Url\",\n \"RegistryValue\", \"Registry\",\n \"CloudLogonSession\", \"LogonSession\",\n \"CloudApplication\", \"Application\",\n \"Mailbox\", \"Mailbox\",\n \"MailMessage\", \"Email\",\n \"CloudResource\", \"Cloud Resource\"\n ];\n let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n ];\n let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n ];\n let AlertVerdictLookup 
= datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n ];\n let AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\n let ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any)))\n and ((array_length(username_has_any) == 0) or (AccountUpn has_any (username_has_any)) or (tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) 
or (Categories has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser.\n // Mapping Inspection Fields\n | extend \n EventUid = AlertId,\n AlertName = Title,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),\n AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == \"Active\", \"Active\", \"Closed\"), \"\"),\n DetectionMethod = DetectionSource\n | lookup AlertVerdictLookup on AlertVerdict_Custom\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n 
HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend DvcIdType = iif(isnotempty(DvcId), \"MDEid\", \"\")\n | invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = AdditionalFields.ProcessId,\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = AdditionalFields.Publisher,\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), 
strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n FileDirectory = FolderPath,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n FileMD5 = AdditionalFields.FileHashes[1].Value,\n FileSize = FileSize\n // Mapping Url Entity\n | extend \n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValue = RegistryValueName,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n | lookup RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend \n EmailMessageId = NetworkMessageId,\n EmailSubject\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s\n )\n // Mapping common event fields\n | extend\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = ServiceSource,\n EventVendor 
= 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // MApping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username\n | project-away\n Title,\n Categories,\n EntityType,\n EvidenceRole,\n DetectionSource,\n ServiceSource,\n ThreatFamily,\n RemoteIP,\n RemoteUrl,\n AccountName,\n AccountDomain,\n DeviceName,\n LocalIP,\n AlertVerdict_Custom,\n EvidenceDirection,\n Account*,\n ApplicationId,\n Application,\n *_s\n };\n parser(\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n )\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/README.md b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/README.md new file mode 100644 index 00000000000..27b49ecb962 --- /dev/null +++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/README.md 
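Review bot: `ParentProcessSHA1_s` is computed in the parent-process block but never placed into the `bag_pack(...)` that rebuilds `AdditionalFields`, so the closing `| project-away ... *_s` silently discards it while its SHA256 and MD5 siblings survive; add `"ParentProcessSHA1",` and `ParentProcessSHA1_s,` to the pack. In the same block, `AdditionalFields.ParentProcess.ImageFile` is read as an object (`.Directory`, `.Name`) a few expressions earlier and then indexed as an array (`ImageFile[0].SHA1`, `ImageFile[2].SHA256`, `ImageFile[1].MD5`); both cannot hold for the same payload, and if the object form is right the indexed reads yield null, so this is worth confirming against a sample AlertEvidence row. `FileMD5 = AdditionalFields.FileHashes[1].Value` likewise depends on a fixed ordering of the hash entries rather than selecting the entry by its algorithm. The fixes belong in the YAML source this template is presumably generated from, which is not in this chunk.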
@@ -0,0 +1,18 @@
+# SentinelOne ASIM AlertEvent Normalization Parser
+
+ARM template for ASIM AlertEvent schema parser for SentinelOne.
+
+This ASIM parser supports normalizing and filtering the SentinelOne alerts to the ASIM Alert normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventSentinelOneSingularity%2FvimAlertEventSentinelOneSingularity.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FvimAlertEventSentinelOneSingularity%2FvimAlertEventSentinelOneSingularity.json)
diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json
new file mode 100644
index 00000000000..447a4b34eba
--- /dev/null
+++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventSentinelOneSingularity/vimAlertEventSentinelOneSingularity.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAlertEventSentinelOneSingularity", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Alert Event ASIM filtering parser for SentinelOne Singularity platform", + "category": "ASIM", + "FunctionAlias": "vimAlertEventSentinelOneSingularity", + "query": "let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)\n [\n \"Undefined\", \"Unknown\",\n \"true_positive\", \"True Positive\",\n \"suspicious\", \"True Positive\",\n \"false_positive\", \"False Positive\"\n];\nlet ThreatCategoryArray = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet DetectionMethodLookup = datatable (\n threatInfo_engines_s: string,\n DetectionMethod: string\n)\n [\n \"Intrusion Detection\", \"Intrusion Detection\",\n \"User-Defined Blocklist\", \"User Defined Blocked List\",\n \"Reputation\", 
\"Reputation\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s in (\"Threats.\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(agentDetectionInfo_agentIpV4_s, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (agentRealtimeInfo_agentComputerName_s has_any (hostname_has_any)))\n //and ((array_length(username_has_any) == 0) or (agentDetectionInfo_agentLastLoggedInUpn_s has_any (username_has_any)) or (threatInfo_processUser_s has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) or (indicators_s has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (indicators_s has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and (array_length(eventseverity_has_any) == 0) // EventSeverity details not coming from source\n // Mapping Inspection Fields\n | extend \n AlertId = threatInfo_threatId_s,\n AlertName = threatInfo_threatName_s,\n AlertStatus = iif(threatInfo_incidentStatus_s == \"resolved\", \"Closed\", \"Active\"),\n AlertOriginalStatus = threatInfo_incidentStatus_s,\n Names = extract_all('\"name\":\"([^\"]+)\"', dynamic([1]), indicators_s),\n ThreatId = threatInfo_threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n 
ThreatLastReportedTime = threatInfo_updatedAt_t,\n ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, \"\"),\n ThreatOriginalCategory = threatInfo_classification_s\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n | extend\n AttackTechniques = tostring(extract_all('\"(T[0-9]+\\\\.[0-9]+|T[0-9]+)\"', dynamic([1]), tostring(Names))),\n AttackTactics = tostring(extract_all('\"([^T][^0-9]+)\"', dynamic([1]), tostring(Names)))\n | project-away Names\n | lookup DetectionMethodLookup on threatInfo_engines_s\n | extend analystVerdict_s = threatInfo_analystVerdict_s\n | lookup AlertVerdictLookup on analystVerdict_s\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n // Mapping Dvc Fields\n | extend \n DvcHostname = agentRealtimeInfo_agentComputerName_s,\n DvcOs = agentRealtimeInfo_agentOsName_s,\n DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,\n DvcId = agentRealtimeInfo_agentId_s,\n DvcIdType = \"Other\",\n DvcDomain = agentRealtimeInfo_agentDomain_s,\n DvcDomainType = \"Windows\",\n DvcIpAddr = agentDetectionInfo_agentIpV4_s\n // Mapping Process Entity\n | extend\n ProcessCommandLine = threatInfo_maliciousProcessArguments_s,\n ProcessName = threatInfo_originatorProcess_s\n // Mapping File Fields\n | extend \n FileMD5 = threatInfo_md5_g,\n FileSHA1 = threatInfo_sha1_s,\n FileSHA256 = threatInfo_sha256_s,\n FilePath=threatInfo_filePath_s,\n FileSize = threatInfo_fileSize_d\n // Mapping User Fields\n | extend \n Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)\n | extend UsernameType = _ASIM_GetUsernameType(Username)\n // Event Fields\n | extend\n EventType = 'Alert',\n EventOriginalType = event_name_s,\n EventUid = threatInfo_threatId_s,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n 
EventStartTime = TimeGenerated,\n EventProduct = 'Singularity',\n EventVendor = 'SentinelOne',\n EventSchemaVersion = '0.1',\n EventSchema = \"AlertEvent\"\n | extend EventSubType = \"Threat\"\n // Aliases\n | extend\n IpAddr = DvcIpAddr,\n User = Username,\n Hostname = DvcHostname\n | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d\n};\nparser (\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml new file mode 100644 index 00000000000..c2a89f06e56 --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml 
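Review bot: The `username_has_any` predicate in the `where` clause is commented out (`//and ((array_length(username_has_any) == 0) or ...`), so this filtering parser accepts the parameter, and `imAlertEvent` forwards it, but never applies it: a caller asking for specific users receives every user's alerts. Since `Username` is derived later from `coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)`, the filter can be applied right after that `extend` as `| where ((array_length(username_has_any) == 0) or (Username has_any (username_has_any)))`, or the commented line can be restored on the raw columns if pre-filtering was the intent. `DvcDomainType = "Windows"` is also hard-coded regardless of `agentRealtimeInfo_agentOsName_s`; if non-Windows agents report a domain here, the value is wrong for them. The fix belongs in the YAML source this template is presumably generated from, which is not in this chunk.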
@@ -0,0 +1,36 @@
+Parser:
+ Title: Alert Event ASIM parser
+ Version: '0.1.0'
+ LastUpdated: Oct 18, 2024
+Product:
+ Name: Source agnostic
+Normalization:
+ Schema: AlertEvent
+ Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing Alert logs from all supported sources to the ASIM Alert normalized schema.
+ParserName: ASimAlertEvent
+EquivalentBuiltInParser: _ASim_AlertEvent
+Parsers:
+ - _Im_AlertEvent_Empty
+ - _ASim_AlertEvent_MicrosoftDefenderXDR
+ - _ASim_AlertEvent_SentinelOneSingularity
+ParserParams:
+ - Name: pack
+ Type: bool
+ Default: false
+ParserQuery: |
+ let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));
+ let ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers));
+ let parser=(pack:bool=false){
+ union isfuzzy=true
+ vimAlertEventEmpty,
+ ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),
+ ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))
+ };
+ parser (pack=pack)
diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml
new file mode 100644
index 00000000000..00b2d8ca3f7
--- /dev/null
+++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml
@@ -0,0 +1,211 @@ +Parser: + Title: Alert Event ASIM parser for Microsoft Defender XDR + Version: '0.1.0' + LastUpdated: Oct 09, 2024 +Product: + Name: Microsoft Defender XDR +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the Microsoft Defender XDR logs to the ASIM Alert normalized schema. +ParserName: ASimAlertEventMicrosoftDefenderXDR +EquivalentBuiltInParser: _ASim_AlertEvent_MicrosoftDefenderXDR +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string) + [ + "User", "User", + "Machine", "Host", + "Process", "Process", + "File", "File", + "Ip", "Ip", + "Url", "Url", + "RegistryValue", "Registry", + "CloudLogonSession", "LogonSession", + "CloudApplication", "Application", + "Mailbox", "Mailbox", + "MailMessage", "Email", + "CloudResource", "Cloud Resource" + ]; + let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string) + [ + "Related", "Associated", + "Impacted", "Targeted" + ]; + let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string) + [ + "ExpandString", "Reg_Expand_Sz" + ]; + let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string) + [ + "Malicious", "True Positive", + "Suspicious", "True Positive", + "NoThreatsFound", "Benign Positive" + ]; + let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]); + let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", 
"Unknown", "SuspiciousActivity"]); + let parser = ( + disabled: bool=false) { + AlertEvidence + | where not(disabled) + // Mapping Inspection Fields + | extend + EventUid = AlertId, + AlertName = Title, + AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict), + AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate), + AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@"[\[\]\""]", "", Categories), ""), + AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState), + AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == "Active", "Active", "Closed"), ""), + DetectionMethod = DetectionSource + | lookup AlertVerdictLookup on AlertVerdict_Custom + | lookup IndicatorTypeLookup on EntityType + | lookup IndicatorAssociationLookup on EvidenceRole + // Mapping Threat Fields + | extend + ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), "") + // Mapping User Entity + | extend + UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)), + UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)), + Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)), + UserSessionId = tostring(AdditionalFields.SessionId), + UserScopeId = tostring(AdditionalFields.AadTenantId), + HttpUserAgent_s = tostring(AdditionalFields.UserAgent) + | extend + UserIdType = iif(isnotempty(UserId), "EntraUserID", iif(isnotempty(UserSid), "SID", "")), + UserId = coalesce(UserId, UserSid), + UserType = _ASIM_GetUserType(Username, UserSid), + UsernameType = _ASIM_GetUsernameType(Username) + // Mapping Device Entity + | extend + DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)), + DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP), + DvcOs = tostring(coalesce(AdditionalFields.OSFamily, 
AdditionalFields.Host.OSFamily)), + DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)), + DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)), + DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2]))) + | extend DvcIdType = iif(isnotempty(DvcId), "MDEid", "") + | invoke _ASIM_ResolveDvcFQDN("DeviceName") + // Mapping Additional Fields + | extend + GeoCity_s = AdditionalFields.Location.City, + GeoCountry_s = AdditionalFields.Location.CountryCode, + GeoLatitude_s = AdditionalFields.Location.Latitude, + GeoLongitude_s = AdditionalFields.Location.Longitude, + GeoRegion_s = AdditionalFields.Location.State + // Mapping Process Entity + | extend + ProcessId = AdditionalFields.ProcessId, + ProcessCommandLine, + ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""), + ProcessFileCompany = AdditionalFields.Publisher, + // Parent Process Fields + ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId, + ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine, + ParentProcessName_s = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""), + ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1, + ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256, + ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5 + // Mapping File Entity + | extend + FileName, + FileDirectory = FolderPath, + FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), 
strcat(FolderPath, '\\', FileName), FileName), + FileSHA1 = SHA1, + FileSHA256 = SHA256, + FileMD5 = AdditionalFields.FileHashes[1].Value, + FileSize = FileSize + // Mapping Url Entity + | extend + Url = RemoteUrl + // Mapping Registry Entity + | extend + RegistryKey, + RegistryValue = RegistryValueName, + RegistryValueData, + ValueType = tostring(AdditionalFields.ValueType) + | lookup RegistryValueTypeLookup on ValueType + // Mapping Application Entity + | extend + AppId_s = ApplicationId, + AppName_s = Application + // Mapping Email Entity + | extend + EmailMessageId = NetworkMessageId, + EmailSubject + | extend AdditionalFields = bag_pack( + "AlertVerdictDate", + AlertVerdictDate_s, + "HttpUserAgent", + HttpUserAgent_s, + "GeoCity", + GeoCity_s, + "GeoCountry", + GeoCountry_s, + "GeoLatitude", + GeoLatitude_s, + "GeoLongitude", + GeoLongitude_s, + "GeoRegion", + GeoRegion_s, + "ParentProcessId", + ParentProcessId_s, + "ParentProcessCommandLine", + ParentProcessCommandLine_s, + "ParentProcessName", + ParentProcessName_s, + "ParentProcessSHA256", + ParentProcessSHA256_s, + "ParentProcessMD5", + ParentProcessMD5_s + ) + // Mapping common event fields + | extend + EventSubType = "Threat", // All events in AlertEvidence contains threat info + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventProduct = ServiceSource, + EventVendor = 'Microsoft', + EventSchema = 'AlertEvent', + EventSchemaVersion = '0.1', + EventType = 'Alert', + EventCount = int(1) + // MApping Alias + | extend + IpAddr = DvcIpAddr, + Hostname = DvcHostname, + User = Username + | project-away + Title, + Categories, + EntityType, + EvidenceRole, + DetectionSource, + ServiceSource, + ThreatFamily, + RemoteIP, + RemoteUrl, + AccountName, + AccountDomain, + DeviceName, + LocalIP, + AlertVerdict_Custom, + EvidenceDirection, + Account*, + ApplicationId, + Application, + *_s + }; + parser( + disabled = disabled + ) \ No newline at end of file 
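Review bot: `FileMD5 = AdditionalFields.FileHashes[1].Value`, `ProcessId = AdditionalFields.ProcessId` and `ProcessFileCompany = AdditionalFields.Publisher` in the Process/File entity mappings leave those columns typed dynamic, while vimAlertEventEmpty declares them as string; in a `union isfuzzy=true` a same-named column with two types is split into type-suffixed columns (FileMD5_string / FileMD5_dynamic), so hash-based IOC matching and any query on the schema name can silently miss the Defender rows. Wrap them: `ProcessId = tostring(AdditionalFields.ProcessId),` / `ProcessFileCompany = tostring(AdditionalFields.Publisher),` / `FileMD5 = tostring(AdditionalFields.FileHashes[1].Value),`. The positional index `[1]` also assumes MD5 is always the second element of FileHashes — if each element carries an algorithm name (not visible here), select by it rather than by position, otherwise a SHA1 can end up labeled as MD5 and feed wrong indicators downstream. Separately, `ParentProcessSHA1_s` is computed but never added to the `bag_pack`, so `project-away *_s` discards it; either pack it as "ParentProcessSHA1" or drop the extend.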
diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml
new file mode 100644
index 00000000000..dbd8a8ce831
--- /dev/null
+++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml
@@ -0,0 +1,113 @@ +Parser: + Title: Alert Event ASIM parser for SentinelOne Singularity platform + Version: '0.1.0' + LastUpdated: Oct 09, 2024 +Product: + Name: SentinelOne +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the SentinelOne alerts to the ASIM Alert normalized schema. +ParserName: ASimAlertEventSentinelOneSingularity +EquivalentBuiltInParser: _ASim_AlertEvent_SentinelOneSingularity +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string) + [ + "Undefined", "Unknown", + "true_positive", "True Positive", + "suspicious", "True Positive", + "false_positive", "False Positive" + ]; + let ThreatCategoryArray = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); + let DetectionMethodLookup = datatable ( + threatInfo_engines_s: string, + DetectionMethod: string + ) + [ + "Intrusion Detection", "Intrusion Detection", + "User-Defined Blocklist", "User Defined Blocked List", + "Reputation", "Reputation" + ]; + let parser = ( + disabled: bool=false) { + SentinelOne_CL + | where not(disabled) + | where event_name_s in ("Threats.") + // Mapping Inspection Fields + | extend + AlertId = threatInfo_threatId_s, + AlertName = threatInfo_threatName_s, + AlertStatus = iif(threatInfo_incidentStatus_s == "resolved", "Closed", "Active"), + AlertOriginalStatus = threatInfo_incidentStatus_s, + Names = extract_all('"name":"([^"]+)"', dynamic([1]), indicators_s), + ThreatId = threatInfo_threatId_s, + ThreatName = threatInfo_threatName_s, + ThreatFirstReportedTime = threatInfo_identifiedAt_t, + ThreatLastReportedTime = 
threatInfo_updatedAt_t, + ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, ""), + ThreatOriginalCategory = threatInfo_classification_s + | extend + AttackTechniques = tostring(extract_all('"(T[0-9]+\\.[0-9]+|T[0-9]+)"', dynamic([1]), tostring(Names))), + AttackTactics = tostring(extract_all('"([^T][^0-9]+)"', dynamic([1]), tostring(Names))) + | project-away Names + | lookup DetectionMethodLookup on threatInfo_engines_s + | extend analystVerdict_s = threatInfo_analystVerdict_s + | lookup AlertVerdictLookup on analystVerdict_s + // Mapping Dvc Fields + | extend + DvcHostname = agentRealtimeInfo_agentComputerName_s, + DvcOs = agentRealtimeInfo_agentOsName_s, + DvcOsVersion = agentRealtimeInfo_agentOsRevision_s, + DvcId = agentRealtimeInfo_agentId_s, + DvcIdType = "Other", + DvcDomain = agentRealtimeInfo_agentDomain_s, + DvcDomainType = "Windows", + DvcIpAddr = agentDetectionInfo_agentIpV4_s + // Mapping Process Entity + | extend + ProcessCommandLine = threatInfo_maliciousProcessArguments_s, + ProcessName = threatInfo_originatorProcess_s + // Mapping File Fields + | extend + FileMD5 = threatInfo_md5_g, + FileSHA1 = threatInfo_sha1_s, + FileSHA256 = threatInfo_sha256_s, + FilePath=threatInfo_filePath_s, + FileSize = threatInfo_fileSize_d + // Mapping User Fields + | extend + Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s) + | extend UsernameType = _ASIM_GetUsernameType(Username) + // Event Fields + | extend + EventType = 'Alert', + EventOriginalType = event_name_s, + EventUid = threatInfo_threatId_s, + EventCount = int(1), + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventProduct = 'Singularity', + EventVendor = 'SentinelOne', + EventSchemaVersion = '0.1', + EventSchema = "AlertEvent" + | extend EventSubType = "Threat" + // Aliases + | extend + IpAddr = DvcIpAddr, + User = Username, + Hostname = DvcHostname + | project-away *_s, *_g, SourceSystem, 
ManagementGroupName, Computer, RawData, *_t, *_b, *_d + }; + parser ( + disabled = disabled + ) \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml b/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml new file mode 100644 index 00000000000..7bd90619955 --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml 
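Review bot: `FileMD5 = threatInfo_md5_g` and `FileSize = threatInfo_fileSize_d` in the File Fields mapping carry the source column types (guid and real, going by the Log Analytics `_g`/`_d` suffixes) into schema fields that vimAlertEventEmpty declares as string and int, so the union will most likely split them into type-suffixed columns and FileMD5 will not line up with the other sources' hashes. Cast them to the declared schema types: `FileMD5 = tostring(threatInfo_md5_g),` and `FileSize = toint(threatInfo_fileSize_d),`. `DvcDomainType = "Windows"` is hard-coded for every row although DvcOs is taken from `agentRealtimeInfo_agentOsName_s` and nothing checks it; if the SentinelOne feed also covers Linux or macOS agents, derive the domain type from the OS name or leave it empty, e.g. `DvcDomainType = iif(agentRealtimeInfo_agentOsName_s has "Windows", "Windows", "")`. The `DetectionMethodLookup` only covers three engines, so any other `threatInfo_engines_s` value yields an empty DetectionMethod while the raw column is removed by `project-away *_s`; a comment noting that the unmapped engine names are intentionally dropped would help the next maintainer.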
@@ -0,0 +1,78 @@ +Parser: + Title: Alert Event ASIM filtering parser + Version: '0.1.0' + LastUpdated: Mar 11 2024 +Product: + Name: Source agnostic +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports filtering and normalizing Alert logs from all supported sources to the ASIM 'Alert' normalized schema. +ParserName: imAlertEvent +EquivalentBuiltInParser: _Im_AlertEvent +Parsers: + - _Im_AlertEvent_Empty + - _Im_AlertEvent_MicrosoftDefenderXDR + - _Im_AlertEvent_SentinelOneSingularity +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktactics_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktechniques_has_any + Type: dynamic + Default: dynamic([]) + - Name: threatcategory_has_any + Type: dynamic + Default: dynamic([]) + - Name: alertverdict_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventseverity_has_any + Type: dynamic + Default: dynamic([]) + - Name: pack + Type: bool + Default: false +ParserQuery: | + let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser)); + let vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); + let parser=( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + 
username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + pack:bool=false) + { + union isfuzzy=true + vimAlertEventEmpty, + vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))), + vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))) + }; + parser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack) diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml new file mode 100644 index 00000000000..181123941e7 --- /dev/null 
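Review bot: The exclusion keys passed to the source parsers, `'ExcludevimAlertMicrosoftDefenderXDR'` and `'ExcludevimAlertSentinelOneSingularity'`, omit "Event" and therefore match neither the parser names (vimAlertEventMicrosoftDefenderXDR / vimAlertEventSentinelOneSingularity) nor the pattern the ASim union in this same change uses (ExcludeASimAlertEventMicrosoftDefenderXDR); an operator who adds the parser-named entry to the ASimDisabledParsers watchlist will not actually disable the source. Use `disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))` and `disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventSentinelOneSingularity' in (DisabledParsers)))`. `LastUpdated: Mar 11 2024` also predates the sibling files (Oct 2024) and the metadata `Version: '0.1.0'`, so it looks copied from an earlier template and should be refreshed.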
+++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml 
@@ -0,0 +1,129 @@ +Parser: + Title: Alert Event ASIM schema function + Version: '0.1.0' + LastUpdated: Oct 18 2024 +Product: + Name: Microsoft +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This function returns an empty ASIM Dhcp Event schema. +ParserName: vimAlertEventEmpty +EquivalentBuiltInParser: _Im_AlertEvent_Empty +ParserQuery: | + let EmptyAlertEvents =datatable ( + TimeGenerated:datetime + , _ResourceId:string + , Type:string + // ****** Event fields ****** + , AdditionalFields:dynamic + , EventCount:int + , EventType:string + , EventProduct:string + , EventProductVersion:string + , EvenMessage:string + , EventVendor:string + , EventSchema:string + , EventSchemaVersion:string + , EventSeverity:string + , EventOriginalSeverity:string + , EventSubType:string + , EventOriginalUid:string + , EventOwner:string + , EventOriginalType:string + , EventOriginalSubType:string + , EventEndTime:datetime + , EventReportUrl:string + , EventResult:string + , EventStartTime:datetime + , EventUid:string + //****** Device fields ****** + , DvcAction:string + , DvcDescription:string + , DvcId:string + , DvcIdType:string + , DvcInterface:string + , DvcHostname:string + , DvcDomain:string + , DvcDomainType:string + , DvcIpAddr:string + , DvcOs:string + , DvcOsVersion:string + , DvcMacAddr:string + , DvcOriginalAction:string + , DvcScope:string + , DvcScopeId:string + , DvcFQDN:string + , DvcZone:string + //****** Inspection fields ****** + , AlertId:string + , AlertName:string + , AlertDescription:string + , AlertStatus:string + , AlertOriginalStatus:string + , AlertVerdict:string + , AttackTactics:string + , AttackTechniques:string + , AttackRemediationSteps:string + , IndicatorType:string + , IndicatorAssociation:string + , DetectionMethod:string + , Rule: string + , RuleNumber:int + , RuleName:string + , 
RuleDescription:string + , ThreatId:string + , ThreatName:string + , ThreatFirstReportedTime:datetime + , ThreatLastReportedTime:datetime + , ThreatCategory:string + , ThreatOriginalCategory:string + , ThreatIsActive:bool + , ThreatRiskLevel:int + , ThreatOriginalRiskLevel:string + , ThreatConfidence:int + , ThreatOriginalConfidence:string + //****** Source User fields ****** + , UserId:string + , UserTdType:string + , Username:string + , UsernameType:string + , UserType:string + , OriginalUserType:string + , SessionId:string + , UserScopeId:string + , UserScope:string + //****** Process fields ****** + , ProcessId:string + , ProcessName:string + , ProcessCommandLine:string + , ProcessFileCompany:string + //****** File fields ****** + , FileName:string + , FilePath:string + , FileSHA1:string + , FileMD5:string + , FileSHA256:string + , FileSize:int + //****** Registry fields ****** + , RegistryKey:string + , RegistryValue:string + , RegistryValueType:string + , RegistryValueData:string + //****** Email fields ****** + , EmailSubject:string + , EmailMessageId:string + //****** Url fields ****** + , Url:string + //****** Aliases ****** + , IpAddr:string + , Hostname:string + , User:string + )[]; + EmptyAlertEvents \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml new file mode 100644 index 00000000000..b494510f4cf --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml 
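Review bot: Two schema column names in the datatable are misspelled — `EvenMessage:string` and `UserTdType:string` — so this schema function declares columns no source parser will ever populate, and the `UserIdType` column emitted by vimAlertEventMicrosoftDefenderXDR will surface in the union as an extra untyped column instead of being anchored by this definition. Change them to `, EventMessage:string` and `, UserIdType:string`. The Defender parser also emits `UserSessionId` while this schema declares `SessionId`; one of the two should be aligned with the field name in the published Alert schema, otherwise the union again carries both. The Description still reads "returns an empty ASIM Dhcp Event schema", a copy-paste from the DHCP template; it should say `This function returns an empty ASIM Alert Event schema.`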
@@ -0,0 +1,275 @@ +Parser: + Title: Alert Event ASIM filtering parser for Microsoft Defender XDR + Version: '0.1.0' + LastUpdated: Oct 09, 2024 +Product: + Name: Microsoft Defender XDR +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing and filtering the Microsoft Defender XDR logs to the ASIM Alert normalized schema. +ParserName: vimAlertEventMicrosoftDefenderXDR +EquivalentBuiltInParser: _Im_AlertEvent_MicrosoftDefenderXDR +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktactics_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktechniques_has_any + Type: dynamic + Default: dynamic([]) + - Name: threatcategory_has_any + Type: dynamic + Default: dynamic([]) + - Name: alertverdict_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventseverity_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string) + [ + "User", "User", + "Machine", "Host", + "Process", "Process", + "File", "File", + "Ip", "Ip", + "Url", "Url", + "RegistryValue", "Registry", + "CloudLogonSession", "LogonSession", + "CloudApplication", "Application", + "Mailbox", "Mailbox", + "MailMessage", "Email", + "CloudResource", "Cloud Resource" + ]; + let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string) + [ + "Related", "Associated", + "Impacted", "Targeted" + ]; + let RegistryValueTypeLookup = datatable (ValueType: string, 
RegistryValueType: string) + [ + "ExpandString", "Reg_Expand_Sz" + ]; + let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string) + [ + "Malicious", "True Positive", + "Suspicious", "True Positive", + "NoThreatsFound", "Benign Positive" + ]; + let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]); + let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); + let parser = ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + disabled: bool=false) { + AlertEvidence + | where not(disabled) + | where (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix))) + and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any))) + and ((array_length(username_has_any) == 0) or (AccountUpn has_any (username_has_any)) or (tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any))) + and 
((array_length(attacktactics_has_any) == 0) or (Categories has_any (attacktactics_has_any))) + and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any))) + // ThreatCategory filtering done later in the parser + // AlertVerdict filtering done later in the parser + and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser. + // Mapping Inspection Fields + | extend + EventUid = AlertId, + AlertName = Title, + AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict), + AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate), + AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@"[\[\]\""]", "", Categories), ""), + AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState), + AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == "Active", "Active", "Closed"), ""), + DetectionMethod = DetectionSource + | lookup AlertVerdictLookup on AlertVerdict_Custom + // Filter for AlertVerdict + | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any))) + | lookup IndicatorTypeLookup on EntityType + | lookup IndicatorAssociationLookup on EvidenceRole + // Mapping Threat Fields + | extend + ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), "") + // Filter for ThreatCategory + | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any))) + // Mapping User Entity + | extend + UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)), + UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)), + Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)), + UserSessionId = tostring(AdditionalFields.SessionId), + UserScopeId = 
tostring(AdditionalFields.AadTenantId), + HttpUserAgent_s = tostring(AdditionalFields.UserAgent) + | extend + UserIdType = iif(isnotempty(UserId), "EntraUserID", iif(isnotempty(UserSid), "SID", "")), + UserId = coalesce(UserId, UserSid), + UserType = _ASIM_GetUserType(Username, UserSid), + UsernameType = _ASIM_GetUsernameType(Username) + // Mapping Device Entity + | extend + DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)), + DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP), + DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)), + DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)), + DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)), + DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2]))) + | extend DvcIdType = iif(isnotempty(DvcId), "MDEid", "") + | invoke _ASIM_ResolveDvcFQDN("DeviceName") + // Mapping Additional Fields + | extend + GeoCity_s = AdditionalFields.Location.City, + GeoCountry_s = AdditionalFields.Location.CountryCode, + GeoLatitude_s = AdditionalFields.Location.Latitude, + GeoLongitude_s = AdditionalFields.Location.Longitude, + GeoRegion_s = AdditionalFields.Location.State + // Mapping Process Entity + | extend + ProcessId = AdditionalFields.ProcessId, + ProcessCommandLine, + ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""), + ProcessFileCompany = AdditionalFields.Publisher, + // Parent Process Fields + ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId, + ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine, + ParentProcessName_s = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and 
isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""), + ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1, + ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256, + ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5 + // Mapping File Entity + | extend + FileName, + FileDirectory = FolderPath, + FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), + FileSHA1 = SHA1, + FileSHA256 = SHA256, + FileMD5 = AdditionalFields.FileHashes[1].Value, + FileSize = FileSize + // Mapping Url Entity + | extend + Url = RemoteUrl + // Mapping Registry Entity + | extend + RegistryKey, + RegistryValue = RegistryValueName, + RegistryValueData, + ValueType = tostring(AdditionalFields.ValueType) + | lookup RegistryValueTypeLookup on ValueType + // Mapping Application Entity + | extend + AppId_s = ApplicationId, + AppName_s = Application + // Mapping Email Entity + | extend + EmailMessageId = NetworkMessageId, + EmailSubject + | extend AdditionalFields = bag_pack( + "AlertVerdictDate", + AlertVerdictDate_s, + "HttpUserAgent", + HttpUserAgent_s, + "GeoCity", + GeoCity_s, + "GeoCountry", + GeoCountry_s, + "GeoLatitude", + GeoLatitude_s, + "GeoLongitude", + GeoLongitude_s, + "GeoRegion", + GeoRegion_s, + "ParentProcessId", + ParentProcessId_s, + "ParentProcessCommandLine", + ParentProcessCommandLine_s, + "ParentProcessName", + ParentProcessName_s, + "ParentProcessSHA256", + ParentProcessSHA256_s, + "ParentProcessMD5", + ParentProcessMD5_s + ) + // Mapping common event fields + | extend + EventSubType = "Threat", // All events in AlertEvidence contains threat info + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventProduct = 
ServiceSource, + EventVendor = 'Microsoft', + EventSchema = 'AlertEvent', + EventSchemaVersion = '0.1', + EventType = 'Alert', + EventCount = int(1) + // MApping Alias + | extend + IpAddr = DvcIpAddr, + Hostname = DvcHostname, + User = Username + | project-away + Title, + Categories, + EntityType, + EvidenceRole, + DetectionSource, + ServiceSource, + ThreatFamily, + RemoteIP, + RemoteUrl, + AccountName, + AccountDomain, + DeviceName, + LocalIP, + AlertVerdict_Custom, + EvidenceDirection, + Account*, + ApplicationId, + Application, + *_s + }; + parser( + starttime = starttime, + endtime = endtime, + ipaddr_has_any_prefix = ipaddr_has_any_prefix, + hostname_has_any = hostname_has_any, + username_has_any = username_has_any, + attacktactics_has_any = attacktactics_has_any, + attacktechniques_has_any = attacktechniques_has_any, + threatcategory_has_any = threatcategory_has_any, + alertverdict_has_any = alertverdict_has_any, + eventseverity_has_any = eventseverity_has_any, + disabled = disabled + ) diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventSentinelOneSingularity.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventSentinelOneSingularity.yaml new file mode 100644 index 00000000000..564c4d88696 --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventSentinelOneSingularity.yaml 
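Review bot: The `ipaddr_has_any_prefix` pre-filter accepts a row when `RemoteIP` matches, but RemoteIP is never mapped to a schema field and is dropped by `project-away ... RemoteIP`, while `DvcIpAddr`/`IpAddr` are filled from a coalesce that prefers LocalIP; for a row where LocalIP is set and only RemoteIP matched, the analyst gets an event whose only visible IP field does not match the filter they asked for. Either filter on the same value that feeds DvcIpAddr, `has_any_ipv4_prefix(coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP), ipaddr_has_any_prefix)`, or keep RemoteIP as an output field so the matched value survives. The clause `and ((array_length(eventseverity_has_any) == 0))` returns zero rows from this source whenever a caller supplies a severity filter; if that is the intended behaviour for an unsupported filter, say so explicitly, e.g. `// AlertEvidence carries no severity: any eventseverity_has_any filter yields no rows from this source`. The `hostname_has_any` pre-filter tests the raw `DeviceName` (possibly an FQDN) while the emitted `Hostname` is the short name produced by `_ASIM_ResolveDvcFQDN`, which is fine for `has_any` token matching but worth a one-line comment so nobody "tightens" it to an equality check later.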
@@ -0,0 +1,176 @@
+Parser:
+ Title: Alert Event ASIM filtering parser for SentinelOne Singularity platform
+ Version: '0.1.0'
+ LastUpdated: Oct 09, 2024
+Product:
+ Name: SentinelOne
+Normalization:
+ Schema: AlertEvent
+ Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing and filtering the SentinelOne alerts to the ASIM Alert normalized schema.
+ParserName: vimAlertEventSentinelOneSingularity
+EquivalentBuiltInParser: _Im_AlertEvent_SentinelOneSingularity
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: ipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: hostname_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: username_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: attacktactics_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: attacktechniques_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: threatcategory_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: alertverdict_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventseverity_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)
+ [
+ "Undefined", "Unknown",
+ "true_positive", "True Positive",
+ "suspicious", "True Positive",
+ "false_positive", "False Positive"
+ ];
+ let ThreatCategoryArray = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]);
+ let DetectionMethodLookup = datatable (
+ threatInfo_engines_s: string,
+ DetectionMethod: string
+ )
+ [
+ "Intrusion Detection", "Intrusion Detection",
+ "User-Defined Blocklist", "User Defined Blocked List",
+ "Reputation", "Reputation"
+ ];
+ let parser = (starttime: datetime=datetime(null),
+ endtime: datetime=datetime(null),
+ ipaddr_has_any_prefix: dynamic=dynamic([]),
+ hostname_has_any: dynamic=dynamic([]),
+ username_has_any: dynamic=dynamic([]),
+ attacktactics_has_any: dynamic=dynamic([]),
+ attacktechniques_has_any: dynamic=dynamic([]),
+ threatcategory_has_any: dynamic=dynamic([]),
+ alertverdict_has_any: dynamic=dynamic([]),
+ eventseverity_has_any: dynamic=dynamic([]),
+ disabled: bool=false) {
+ SentinelOne_CL
+ | where not(disabled)
+ | where event_name_s in ("Threats.")
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(agentDetectionInfo_agentIpV4_s, ipaddr_has_any_prefix)))
+ and ((array_length(hostname_has_any) == 0) or (agentRealtimeInfo_agentComputerName_s has_any (hostname_has_any)))
+ //and ((array_length(username_has_any) == 0) or (agentDetectionInfo_agentLastLoggedInUpn_s has_any (username_has_any)) or (threatInfo_processUser_s has_any (username_has_any)))
+ and ((array_length(attacktactics_has_any) == 0) or (indicators_s has_any (attacktactics_has_any)))
+ and ((array_length(attacktechniques_has_any) == 0) or (indicators_s has_any (attacktechniques_has_any)))
+ // ThreatCategory filtering done later in the parser
+ // AlertVerdict filtering done later in the parser
+ and (array_length(eventseverity_has_any) == 0) // EventSeverity details not coming from source
+ // Mapping Inspection Fields
+ | extend
+ AlertId = threatInfo_threatId_s,
+ AlertName = threatInfo_threatName_s,
+ AlertStatus = iif(threatInfo_incidentStatus_s == "resolved", "Closed", "Active"),
+ AlertOriginalStatus = threatInfo_incidentStatus_s,
+ Names = extract_all('"name":"([^"]+)"', dynamic([1]), indicators_s),
+ ThreatId = threatInfo_threatId_s,
+ ThreatName = threatInfo_threatName_s,
+ ThreatFirstReportedTime = threatInfo_identifiedAt_t,
+ ThreatLastReportedTime = threatInfo_updatedAt_t,
+ ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, ""),
+ ThreatOriginalCategory = threatInfo_classification_s
+ // Filter for ThreatCategory
+ | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))
+ | extend
+ AttackTechniques = tostring(extract_all('"(T[0-9]+\\.[0-9]+|T[0-9]+)"', dynamic([1]), tostring(Names))),
+ AttackTactics = tostring(extract_all('"([^T][^0-9]+)"', dynamic([1]), tostring(Names)))
+ | project-away Names
+ | lookup DetectionMethodLookup on threatInfo_engines_s
+ | extend analystVerdict_s = threatInfo_analystVerdict_s
+ | lookup AlertVerdictLookup on analystVerdict_s
+ // Filter for AlertVerdict
+ | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))
+ // Mapping Dvc Fields
+ | extend
+ DvcHostname = agentRealtimeInfo_agentComputerName_s,
+ DvcOs = agentRealtimeInfo_agentOsName_s,
+ DvcOsVersion = agentRealtimeInfo_agentOsRevision_s,
+ DvcId = agentRealtimeInfo_agentId_s,
+ DvcIdType = "Other",
+ DvcDomain = agentRealtimeInfo_agentDomain_s,
+ DvcDomainType = "Windows",
+ DvcIpAddr = agentDetectionInfo_agentIpV4_s
+ // Mapping Process Entity
+ | extend
+ ProcessCommandLine = threatInfo_maliciousProcessArguments_s,
+ ProcessName = threatInfo_originatorProcess_s
+ // Mapping File Fields
+ | extend
+ FileMD5 = threatInfo_md5_g,
+ FileSHA1 = threatInfo_sha1_s,
+ FileSHA256 = threatInfo_sha256_s,
+ FilePath=threatInfo_filePath_s,
+ FileSize = threatInfo_fileSize_d
+ // Mapping User Fields
+ | extend
+ Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)
+ | extend UsernameType = _ASIM_GetUsernameType(Username)
+ // Event Fields
+ | extend
+ EventType = 'Alert',
+ EventOriginalType = event_name_s,
+ EventUid = threatInfo_threatId_s,
+ EventCount = int(1),
+ EventEndTime = TimeGenerated,
+ EventStartTime = TimeGenerated,
+ EventProduct = 'Singularity',
+ EventVendor = 'SentinelOne',
+ EventSchemaVersion = '0.1',
+ EventSchema = "AlertEvent"
+ | extend EventSubType = "Threat"
+ // Aliases
+ | extend
+ IpAddr = DvcIpAddr,
+ User = Username,
+ Hostname = DvcHostname
+ | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d
+ };
+ parser (
+ starttime = starttime,
+ endtime = endtime,
+ ipaddr_has_any_prefix = ipaddr_has_any_prefix,
+ hostname_has_any = hostname_has_any,
+ username_has_any = username_has_any,
+ attacktactics_has_any = attacktactics_has_any,
+ attacktechniques_has_any = attacktechniques_has_any,
+ threatcategory_has_any = threatcategory_has_any,
+ alertverdict_has_any = alertverdict_has_any,
+ eventseverity_has_any = eventseverity_has_any,
+ disabled = disabled
+ )
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
index b56305d3f48..382856e0058 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
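Review bot: The `username_has_any` parameter is declared and passed through to `parser(...)` but never applied — the only place it is referenced is the commented-out line in the first `where` block — so a caller supplying a username filter silently gets every SentinelOne threat back, which defeats the point of a `vim` filtering parser and can make a scoped hunt or detection query look "clean" when it is not. Because `Username` is only derived later via `coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s)`, the filter can be applied immediately after that `extend`, following the ThreatCategory and AlertVerdict pattern this parser already uses: `| where ((array_length(username_has_any) == 0) or (Username has_any (username_has_any)))`. If the omission is intentional, the convention used for `eventseverity_has_any` in the same `where` block (return no rows when a filter is given for a field the source cannot honor) is the safer failure mode, and the reason belongs in a comment rather than a dead line. Separately, `DvcDomainType = "Windows"` is hard-coded while `DvcOs` is taken from the agent, so the domain type will be wrong for non-Windows agents; deriving it from `agentRealtimeInfo_agentOsName_s` or leaving it empty when the OS is not Windows would be more accurate.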
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimAuditEvent')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "ASimAuditEvent",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Audit event ASIM parser",
- "category": "ASIM",
- "FunctionAlias": "ASimAuditEvent",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftSecurityEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftSecurityEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftEvent (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventCiscoMerakiSyslog (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMerakiSyslog' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventBarracudaCEF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaCEF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),\n ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),\n ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))\n",
- "version": 1,
- "functionParameters": "pack:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit event ASIM parser",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuditEvent",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftSecurityEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftSecurityEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftEvent (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventCiscoMerakiSyslog (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMerakiSyslog' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventBarracudaCEF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaCEF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),\n ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),\n ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),\n ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))),\n ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers)))\n",
+ "version": 1,
+ "functionParameters": "pack:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureAdminActivity/ASimAuditEventAzureAdminActivity.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureAdminActivity/ASimAuditEventAzureAdminActivity.json
index 7458c2cf4c0..34929ff6da1 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureAdminActivity/ASimAuditEventAzureAdminActivity.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureAdminActivity/ASimAuditEventAzureAdminActivity.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventAzureActivity')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventAzureActivity", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Azure administrative activity", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventAzureActivity", - "query": "let parser=(disabled:bool=false){\n let AzureActivityOperationLookup = datatable (op:string, EventType:string) \n [\n 'ACTION', 'Execute',\n 'WRITE', 'Set',\n 'DELETE', 'Delete'\n ];\n let AzureActivityStatusLookup = datatable (ActivityStatusValue:string, ActivitySubstatusValue:string, EventResult:string, EventResultDetails:string) \n [\n \"Accept\",\"Accepted\",\"Success\",\"\",\n \"Accept\",\"Created\",\"Success\",\"\",\n \"Accept\",\"OK\",\"Success\",\"\",\n \"Accept\",\"\",\"Success\",\"\",\n \"Accepted\",\"\",\"Success\",\"\",\n \"Active\",\"\",\"Success\",\"Active\",\n \"Failed\",\"\",\"Failure\",\"\",\n \"Failure\",\"BadRequest\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Conflict\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"InternalServerError\",\"Failure\",\"Internal error\",\n \"Failure\",\"MethodNotAllowed\",\"Failure\",\"Bad Request\",\n \"Failure\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failure\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"\",\"Failure\",\"\",\n \"In Progress\",\"\",\"Success\",\"In Progress\",\n \"Resolved\",\"\",\"Success\",\"\",\n 
\"Start\",\"\",\"Success\",\"Start\",\n \"Started\",\"\",\"Success\",\"Start\",\n \"Succeeded\",\"\",\"Success\",\"\",\n \"Success\",\"Created\",\"Success\",\"\",\n \"Success\",\"NoContent\",\"Success\",\"\",\n \"Success\",\"OK\",\"Success\",\"\",\n \"Success\",\"\",\"Success\",\"\",\n \"Updated\",\"\",\"Success\",\"\",\n \"Succeeded\",\"OK\",\"Success\",\"\",\n \"Accepted\",\"Accepted\",\"Success\",\"\",\n \"Accepted\",\"OK\",\"Success\",\"\",\n \"Failed\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Succeeded\",\"Created\",\"Success\",\"\",\n \"Failed\",\"BadRequest\",\"Failure\",\"Bad request\",\n \"Accepted\",\"Created\",\"Success\",\"\",\n \"Failed\",\"Conflict\",\"Failure\",\"Bad request\",\n \"Failed\",\"MethodNotAllowed\",\"Failure\",\"Bad request\",\n \"Failure\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Succeeded\",\"NoContent\",\"Success\",\"\",\n \"Failure\",\"ServiceUnavailable\",\"Failure\",\"Internal error\",\n \"Failure\",\"GatewayTimeout\",\"Failure\",\"Internal error\",\n \"Failed\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failed\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Failure\",\"UnsupportedMediaType\",\"Failure\",\"Bad request\",\n \"Failed\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Cancel\",\"\",\"Failure\",\"Cancelled\"\n ];\n AzureActivity \n | where not(disabled)\n | where CategoryValue == \"Administrative\"\n | project-away HTTPRequest, Level, SourceSystem, EventSubmissionTimestamp, TenantId, OperationId, Hierarchy, Category, ResourceId, ResourceProvider, Resource\n | project-rename \n Operation = OperationNameValue,\n SrcIpAddr = CallerIpAddress,\n EventOriginalUid = EventDataId,\n ActorSessionId = CorrelationId,\n EventOriginalType = CategoryValue\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Azure',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n ObjectType = \"Cloud Resource\",\n 
TargetAppName = \"Azure\",\n TargetAppType = \"CSP\"\n // --\n // Calculate EventResult, EventResultDetails, and EventResultOriginalDetails\n | extend\n EventOriginalResultDetails = strcat (\n ActivityStatusValue, \n iff (ActivitySubstatusValue !=\"\", strcat(' [', ActivitySubstatusValue, ']'), \"\")\n )\n | extend \n ActivitySubstatusValue = iff (ActivitySubstatusValue matches regex \"\\\\d+\", \"\", ActivitySubstatusValue)\n | lookup AzureActivityStatusLookup on ActivityStatusValue, ActivitySubstatusValue\n | extend EventResult = iff(EventResult == \"\", \"Other\", EventResult)\n | extend EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n | project-away ActivityStatus*, ActivitySubstatus*\n // --\n // Calculate Actor\n | extend \n Caller = iff(Caller == \"Microsoft.RecoveryServices\", \"\", Caller)\n | extend \n ActorUsernameType = iff (Caller has \"@\", \"UPN\", \"\")\n | extend \n ActorUsername = iff (ActorUsernameType == \"UPN\", Caller, \"\"),\n ActorUserId = iff (ActorUsernameType != \"UPN\", Caller, \"\")\n | extend\n ActorUserIdType = iff (ActorUserId != \"\", \"AADID\", \"\")\n | project-away Caller\n // --\n // Calculate Object\n | extend \n entity = tostring(Properties_d.entity), \n resource = tostring(Properties_d.resource),\n entity_name = tostring(Properties_d.[\"Entity Name\"])\n | extend Object = case ( \n entity != \"\", entity,\n strcat (\"/subscriptions/\", SubscriptionId, \"/resourceGroups/\", ResourceGroup, \"/providers/\", ResourceProviderValue, \"/\",resource, iff (entity_name != \"\", strcat(\"/\", entity_name), \"\"))\n )\n | project-away entity, resource,entity_name, _SubscriptionId, SubscriptionId, ResourceGroup, ResourceProviderValue\n // --\n // Calculate EventType\n | extend op = toupper(tostring(split(Operation,\"/\")[-1]))\n | lookup AzureActivityOperationLookup on op\n | extend EventType = iff (EventType == \"\", \"Other\", EventType)\n | project-away op\n // Aliases\n | extend AdditionalFields = 
pack_dictionary(\"Authorization\", Authorization_d, \"Claims\", Claims_d, \"Error\", Properties_d.statusMessage)\n // -- Aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = SrcIpAddr,\n // -- Entity identifier explicit aliases\n ActorUserUpn = ActorUsername,\n ActorUserAadId = ActorUserId\n | project-away OperationName, Properties*, Authorization*, Claims*\n // -- Properties*\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Azure administrative activity", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventAzureActivity", + "query": "let parser=(disabled:bool=false){\n let AzureActivityOperationLookup = datatable (op:string, EventType:string) \n [\n 'ACTION', 'Execute',\n 'WRITE', 'Set',\n 'DELETE', 'Delete'\n ];\n let AzureActivityStatusLookup = datatable (ActivityStatusValue:string, ActivitySubstatusValue:string, EventResult:string, EventResultDetails:string) \n [\n \"Accept\",\"Accepted\",\"Success\",\"\",\n \"Accept\",\"Created\",\"Success\",\"\",\n \"Accept\",\"OK\",\"Success\",\"\",\n \"Accept\",\"\",\"Success\",\"\",\n \"Accepted\",\"\",\"Success\",\"\",\n \"Active\",\"\",\"Success\",\"Active\",\n \"Failed\",\"\",\"Failure\",\"\",\n \"Failure\",\"BadRequest\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Conflict\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"InternalServerError\",\"Failure\",\"Internal error\",\n \"Failure\",\"MethodNotAllowed\",\"Failure\",\"Bad Request\",\n \"Failure\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failure\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"\",\"Failure\",\"\",\n \"In Progress\",\"\",\"Success\",\"In Progress\",\n \"Resolved\",\"\",\"Success\",\"\",\n \"Start\",\"\",\"Success\",\"Start\",\n 
\"Started\",\"\",\"Success\",\"Start\",\n \"Succeeded\",\"\",\"Success\",\"\",\n \"Success\",\"Created\",\"Success\",\"\",\n \"Success\",\"NoContent\",\"Success\",\"\",\n \"Success\",\"OK\",\"Success\",\"\",\n \"Success\",\"\",\"Success\",\"\",\n \"Updated\",\"\",\"Success\",\"\",\n \"Succeeded\",\"OK\",\"Success\",\"\",\n \"Accepted\",\"Accepted\",\"Success\",\"\",\n \"Accepted\",\"OK\",\"Success\",\"\",\n \"Failed\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Succeeded\",\"Created\",\"Success\",\"\",\n \"Failed\",\"BadRequest\",\"Failure\",\"Bad request\",\n \"Accepted\",\"Created\",\"Success\",\"\",\n \"Failed\",\"Conflict\",\"Failure\",\"Bad request\",\n \"Failed\",\"MethodNotAllowed\",\"Failure\",\"Bad request\",\n \"Failure\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Succeeded\",\"NoContent\",\"Success\",\"\",\n \"Failure\",\"ServiceUnavailable\",\"Failure\",\"Internal error\",\n \"Failure\",\"GatewayTimeout\",\"Failure\",\"Internal error\",\n \"Failed\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failed\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Failure\",\"UnsupportedMediaType\",\"Failure\",\"Bad request\",\n \"Failed\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Cancel\",\"\",\"Failure\",\"Cancelled\"\n ];\n AzureActivity \n | where not(disabled)\n | where CategoryValue == \"Administrative\"\n | project-away HTTPRequest, Level, SourceSystem, EventSubmissionTimestamp, TenantId, OperationId, Hierarchy, Category, ResourceId, ResourceProvider, Resource\n | project-rename \n Operation = OperationNameValue,\n SrcIpAddr = CallerIpAddress,\n EventOriginalUid = EventDataId,\n ActorSessionId = CorrelationId,\n EventOriginalType = CategoryValue\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Azure',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n ObjectType = \"Cloud Resource\",\n TargetAppName = \"Azure\",\n TargetAppType = 
\"CSP\"\n // --\n // Calculate EventResult, EventResultDetails, and EventResultOriginalDetails\n | extend\n EventOriginalResultDetails = strcat (\n ActivityStatusValue, \n iff (ActivitySubstatusValue !=\"\", strcat(' [', ActivitySubstatusValue, ']'), \"\")\n )\n | extend \n ActivitySubstatusValue = iff (ActivitySubstatusValue matches regex \"\\\\d+\", \"\", ActivitySubstatusValue)\n | lookup AzureActivityStatusLookup on ActivityStatusValue, ActivitySubstatusValue\n | extend EventResult = iff(EventResult == \"\", \"Other\", EventResult)\n | extend EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n | project-away ActivityStatus*, ActivitySubstatus*\n // --\n // Calculate Actor\n | extend \n Caller = iff(Caller == \"Microsoft.RecoveryServices\", \"\", Caller)\n | extend \n ActorUsernameType = iff (Caller has \"@\", \"UPN\", \"\")\n | extend \n ActorUsername = iff (ActorUsernameType == \"UPN\", Caller, \"\"),\n ActorUserId = iff (ActorUsernameType != \"UPN\", Caller, \"\")\n | extend\n ActorUserIdType = iff (ActorUserId != \"\", \"AADID\", \"\")\n | project-away Caller\n // --\n // Calculate Object\n | extend \n entity = tostring(Properties_d.entity), \n resource = tostring(Properties_d.resource),\n entity_name = tostring(Properties_d.[\"Entity Name\"])\n | extend Object = case ( \n entity != \"\", entity,\n strcat (\"/subscriptions/\", SubscriptionId, \"/resourceGroups/\", ResourceGroup, \"/providers/\", ResourceProviderValue, \"/\",resource, iff (entity_name != \"\", strcat(\"/\", entity_name), \"\"))\n )\n | project-away entity, resource,entity_name, _SubscriptionId, SubscriptionId, ResourceGroup, ResourceProviderValue\n // --\n // Calculate EventType\n | extend op = toupper(tostring(split(Operation,\"/\")[-1]))\n | lookup AzureActivityOperationLookup on op\n | extend EventType = iff (EventType == \"\", \"Other\", EventType)\n | project-away op\n // Aliases\n | extend AdditionalFields = pack_dictionary(\"Authorization\", Authorization_d, 
\"Claims\", Claims_d, \"Error\", Properties_d.statusMessage)\n // -- Aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = SrcIpAddr,\n // -- Entity identifier explicit aliases\n ActorUserUpn = ActorUsername,\n ActorUserAadId = ActorUserId\n | project-away OperationName, Properties*, Authorization*, Claims*\n // -- Properties*\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaCEF/ASimAuditEventBarracudaCEF.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaCEF/ASimAuditEventBarracudaCEF.json index dfd07538af7..f3cabe4c350 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaCEF/ASimAuditEventBarracudaCEF.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaCEF/ASimAuditEventBarracudaCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventBarracudaCEF", - "query": "let EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", 
\"Other\"\n];\nlet parser = (disabled: bool=false) {\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor startswith \"Barracuda\"\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\" \n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string \n | extend Reason = trim('\"', Reason)\n | extend \n EventResultDetails = Reason,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\n | extend\n EventResult = \"Success\", \n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n EventType = EventType_lookup,\n Dvc = DeviceName, \n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n Operation = ProcessName,\n DvcIpAddr = DeviceAddress,\n NewValue = DeviceCustomString1,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n OldValue = DeviceCustomString2,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n Object = FileName,\n ThreatConfidence = toint(ThreatConfidence) ,\n EventUid = _ItemId \n | extend\n Src = SrcIpAddr,\n EventEndTime = EventStartTime,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue \n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\n | project-away\n EventType_lookup,\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Reason,\n Destination*,\n Activity,\n LogSeverity,\n 
ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n CollectorHostName,\n _ItemId;\n BarracudaCEF\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventBarracudaCEF", + "query": "let EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (disabled: 
bool=false) {\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor startswith \"Barracuda\"\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\" \n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string \n | extend Reason = trim('\"', Reason)\n | extend \n EventResultDetails = Reason,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\n | extend\n EventResult = \"Success\", \n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n EventType = EventType_lookup,\n Dvc = DeviceName, \n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n Operation = ProcessName,\n DvcIpAddr = DeviceAddress,\n NewValue = DeviceCustomString1,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n OldValue = DeviceCustomString2,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n Object = FileName,\n ThreatConfidence = toint(ThreatConfidence) ,\n EventUid = _ItemId \n | extend\n Src = SrcIpAddr,\n EventEndTime = EventStartTime,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue \n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\n | project-away\n EventType_lookup,\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Reason,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n 
ExtID,\n Protocol,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n CollectorHostName,\n _ItemId;\n BarracudaCEF\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json index c2962c4d54d..6bf210aa676 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventBarracudaWAF", - "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n ChangeType_s: string,\n CommandName_s: string,\n Severity_s: string,\n LoginIP_s: string,\n NewValue_s: string,\n HostIP_s: string,\n host_s: string,\n OldValue_s: string,\n EventMessage_s: string,\n AdminName_s: string,\n ObjectType_s: string,\n ObjectName_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", 
\"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (disabled: bool=false) {\n let BarracudaCustom = \n (union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) \n and LogType_s == \"AUDIT\" \n and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\n | extend Reason = trim('\"', Reason)\n | extend\n EventResultDetails = Reason,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup EventTypeLookup on ChangeType_s\n | lookup ObjectTypeLookup on ObjectType_s\n | extend\n EventType = EventType_lookup,\n EventResult = \"Success\", \n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = UnitName_s, \n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n Operation = CommandName_s,\n DvcIpAddr = HostIP_s,\n NewValue = NewValue_s,\n SrcIpAddr = LoginIP_s,\n EventMessage = EventMessage_s,\n OldValue = OldValue_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n Object = ObjectName_s \n | extend\n Src = SrcIpAddr,\n EventEndTime = EventStartTime,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", 
\"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue \n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\n | project-away\n *_d,\n *_s,\n EventType_lookup,\n _ResourceId,\n Reason,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem\n );\n BarracudaCustom\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n ChangeType_s: string,\n CommandName_s: string,\n Severity_s: string,\n LoginIP_s: string,\n NewValue_s: string,\n HostIP_s: string,\n host_s: string,\n OldValue_s: string,\n EventMessage_s: string,\n AdminName_s: string,\n ObjectType_s: string,\n ObjectName_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", 
\"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (disabled: bool=false) {\n let BarracudaCustom = \n (union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) \n and LogType_s == \"AUDIT\" \n and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\n | extend Reason = trim('\"', Reason)\n | extend\n EventResultDetails = Reason,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup EventTypeLookup on ChangeType_s\n | lookup ObjectTypeLookup on ObjectType_s\n | extend\n EventType = EventType_lookup,\n EventResult = \"Success\", \n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = UnitName_s, \n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n Operation = CommandName_s,\n DvcIpAddr = HostIP_s,\n NewValue = NewValue_s,\n SrcIpAddr = LoginIP_s,\n EventMessage = EventMessage_s,\n OldValue = OldValue_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n Object = ObjectName_s \n | extend\n Src = SrcIpAddr,\n EventEndTime = EventStartTime,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = 
ActorUsername,\n Value = NewValue \n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\n | project-away\n *_d,\n *_s,\n EventType_lookup,\n _ResourceId,\n Reason,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem\n );\n BarracudaCustom\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json index 0f110d63c3d..7d5c5488a14 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventType: string,\nEventResult: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nObject: string,\nOperation: string,\nEventMessage: string\n)[\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been deactivated and will no longer receive updates from the Primary node.\",\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE instance.\",\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", 
\"Registration failed\", \"Failed to perform the full replication requested by the primary instance\",\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE deployment\",\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary instance failed\",\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode 
from the primary instance\",\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\n\"52084\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Software update succeeded\", \"The software update was completed successfully\",\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\n\"60000\", \"Install\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Patch installation completed successfully on the node\", \"Patch installation completed successfully on the node\",\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch installation failed on the node\", \"Patch installation failed on the node\",\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment successfully\",\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial 
status of the heartbeat system\",\n\"60059\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with MnT\",\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", \"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated 
Profiles to download\",\n\"60083\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration change has occurred\",\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\n\"60087\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurence\",\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred 
for ADEOS CLI post-login banner\",\n\"60094\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed successfully\", \"ISE Backup has completed successfully\",\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE Restore has completed successfully\",\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", 
\"ISE instance\", \"Application patch remove has failed\", \"Application patch remove has failed\",\n\"60113\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI to copy file\",\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\n\"60129\", \"Other\", \"Failure\", 
\"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file out from ADEOS CLI\", \"Failure occurred trying to copy file out from ADEOS CLI\",\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has 
been modified\", \"Configuration change occurred for ADEOS CLI Terminal Session timeout\",\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event occurred\",\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", 
\"CA service enabled\", \"CA service enabled\",\n\"60210\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were purged\", \"Endpoint certs were purged by daily scheduled job\",\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\n\"61006\", \"Delete\", \"Success\", \"INFO\", 
\"Informational\", \"SGT\", \"ISE has removed an SGT due to deleted IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\n\"61016\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse VRF 
for EPG\",\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\n\"61052\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"IISE has learned a new VN info\",\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN info in ISE\",\n\"61107\", 
\"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to deleted VN info in ISE\", \"Failed to deleted VN info in ISE\",\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\n\"61114\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", \"Failed to delete ACI keystore\", \"Failed to delete 
ACI keystore\",\n\"61123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA domain\",\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\n\"61163\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE 
learned new VN defined for SXP Listener\", \"ISE learned new VN defined for SXP Listener\",\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", \"Send ACI Gateway advertisement message to ISE\",\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload 
failed\",\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Network Access policy request\", \"Network Access policy request\",\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\n\"62008\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector sync operation success\",\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", 
\"Meraki connector sync operation failure\", \"Meraki connector sync operation failure\",\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n| summarize make_set(EventOriginalType));\nlet CiscoISEAuditParser=(disabled: bool=false) {\nSyslog\n| where not(disabled)\n| where ProcessName has_any (\"CISE\", \"CSCO\")\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n| where EventOriginalType in (EventOriginalTypeList)\n| lookup EventFieldsLookup on EventOriginalType \n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n| project-rename SrcIpAddr=['Remote-Address'], TargetIpAddr =['Device IP Address']\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n| extend \n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"AuditEvent\"\n , EventSchemaVersion = \"0.1.0\"\n , ObjectType = \"Configuration Atom\"\n , TargetAppName = \"ISE\"\n , TargetAppType = \"Service\"\n// ***************** ********************\n| extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , Application = 
TargetAppName\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = ActorUsername\n// ***************** *******************\n| project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n ['User-Name'],\n UserName\n};\nCiscoISEAuditParser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventCiscoISE", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventType: string,\nEventResult: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nObject: string,\nOperation: string,\nEventMessage: string\n)[\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been 
deactivated and will no longer receive updates from the Primary node.\",\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE instance.\",\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"Failed to perform the full replication requested by 
the primary instance\",\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE deployment\",\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary instance failed\",\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the primary instance\",\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", 
\"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\n\"52084\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Software update succeeded\", \"The software update was completed successfully\",\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\n\"60000\", \"Install\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch installation completed successfully on the node\", 
\"Patch installation completed successfully on the node\",\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch installation failed on the node\", \"Patch installation failed on the node\",\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment successfully\",\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial status of the heartbeat system\",\n\"60059\", \"Other\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with MnT\",\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", \"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated Profiles to download\",\n\"60083\", \"Set\", \"Success\", \"INFO\", 
\"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration change has occurred\",\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\n\"60087\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurence\",\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred for ADEOS CLI post-login banner\",\n\"60094\", \"Other\", 
\"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed successfully\", \"ISE Backup has completed successfully\",\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE Restore has completed successfully\",\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch remove has failed\", 
\"Application patch remove has failed\",\n\"60113\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI to copy file\",\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\n\"60129\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy 
file out from ADEOS CLI\", \"Failure occurred trying to copy file out from ADEOS CLI\",\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has been modified\", \"Configuration change occurred for ADEOS CLI 
Terminal Session timeout\",\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event occurred\",\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service enabled\", \"CA service enabled\",\n\"60210\", 
\"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were purged\", \"Endpoint certs were purged by daily scheduled job\",\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\n\"61006\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SGT\", \"ISE has removed an SGT due to deleted 
IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\n\"61016\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse VRF for EPG\",\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", 
\"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\n\"61052\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"IISE has learned a new VN info\",\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN info in ISE\",\n\"61107\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE 
instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to deleted VN info in ISE\", \"Failed to deleted VN info in ISE\",\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\n\"61114\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", \"Failed to delete ACI keystore\", \"Failed to delete ACI keystore\",\n\"61123\", \"Other\", \"Success\", \"INFO\", 
\"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA domain\",\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\n\"61163\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE learned new VN defined for SXP Listener\", \"ISE learned new VN 
defined for SXP Listener\",\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", \"Send ACI Gateway advertisement message to ISE\",\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload failed\",\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE 
instance\", \"Network Access policy request\", \"Network Access policy request\",\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\n\"62008\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector sync operation success\",\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync operation failure\", \"Meraki connector sync operation 
failure\",\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n| summarize make_set(EventOriginalType));\nlet CiscoISEAuditParser=(disabled: bool=false) {\nSyslog\n| where not(disabled)\n| where ProcessName has_any (\"CISE\", \"CSCO\")\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n| where EventOriginalType in (EventOriginalTypeList)\n| lookup EventFieldsLookup on EventOriginalType \n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n| project-rename SrcIpAddr=['Remote-Address'], TargetIpAddr =['Device IP Address']\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n| extend \n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"AuditEvent\"\n , EventSchemaVersion = \"0.1.0\"\n , ObjectType = \"Configuration Atom\"\n , TargetAppName = \"ISE\"\n , TargetAppType = \"Service\"\n// ***************** ********************\n| extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , Application = TargetAppName\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\n , Dst = 
TargetIpAddr\n , Src = SrcIpAddr\n , User = ActorUsername\n// ***************** *******************\n| project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n ['User-Name'],\n UserName\n};\nCiscoISEAuditParser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json
index edd5821b03d..58c6e771407 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimAuditEventCiscoMeraki')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "ASimAuditEventCiscoMeraki",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Audit Event ASIM parser for Cisco Meraki",
- "category": "ASIM",
- "FunctionAlias": "ASimAuditEventCiscoMeraki",
- "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n 
\"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool=false) {\nlet allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring 
with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with 
(pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | extend Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | lookup EventFieldsLookup on TempOperation\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", 
replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n 
Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData\n };\n parser(disabled=disabled)",
- "version": 1,
- "functionParameters": "disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for Cisco Meraki",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuditEventCiscoMeraki",
+ "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", 
\"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool=false) {\nlet allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = 
tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n 
temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n 
| extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | extend Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | lookup EventFieldsLookup on TempOperation\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | 
extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = 
_ResourceId\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMerakiSyslog/ASimAuditEventCiscoMerakiSyslog.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMerakiSyslog/ASimAuditEventCiscoMerakiSyslog.json index f0c0216bef7..207a26099d0 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMerakiSyslog/ASimAuditEventCiscoMerakiSyslog.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMerakiSyslog/ASimAuditEventCiscoMerakiSyslog.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventCiscoMerakiSyslog", - "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role 
change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool=false) {\nlet allData = union isfuzzy=true\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | 
where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | 
parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | extend Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | lookup EventFieldsLookup on TempOperation\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n 
temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", 
\"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": 
"ASimAuditEventCiscoMerakiSyslog", + "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool=false) {\nlet allData = union isfuzzy=true\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP 
active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA 
established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" 
TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | extend Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | lookup EventFieldsLookup on TempOperation\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse 
temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == 
\"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCrowdStrikeFalconHost/ASimAuditEventCrowdStrikeFalconHost.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCrowdStrikeFalconHost/ASimAuditEventCrowdStrikeFalconHost.json index 40990c8936d..f8e2201aa65 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCrowdStrikeFalconHost/ASimAuditEventCrowdStrikeFalconHost.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCrowdStrikeFalconHost/ASimAuditEventCrowdStrikeFalconHost.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventCrowdStrikeFalconHost')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventCrowdStrikeFalconHost", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for CrowdStrike Falcon Endpoint Protection", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventCrowdStrikeFalconHost", - "query": "let EventFieldsLookup = datatable(\n Activity: string,\n Operation: string,\n EventType_lookup: string,\n EventSubType: string,\n Object: string,\n ObjectType: string\n) \n [\n \"delete_report_execution\", \"Delete Report Execution\", \"Delete\", \"\", \"Report Execution\", \"Scheduled Task\",\n \"delete_scheduled_report\", \"Delete Scheduled Report\", \"Delete\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_scheduled_report\", \"Update Scheduled Report\", \"Set\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"create_scheduled_report\", \"Create Scheduled Report\", \"Create\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_class_action\", \"Update Class Action\", \"Set\", \"\", \"Class Action\", \"Other\",\n \"update_policy\", \"Update Policy\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"enable_policy\", \"Enable Policy\", \"Enable\", \"\", \"Policy\", \"Policy Rule\",\n \"create_policy\", \"Create Policy\", \"Create\", \"\", \"Policy\", \"Policy Rule\",\n \"remove_rule_group\", \"Remove Rule Group\", \"Other\", \"Remove\", \"Rule Group\", \"Service\",\n \"create_rule_group\", \"Create Rule 
Group\", \"Create\", \"\", \"Rule Group\", \"Service\",\n \"delete_rule_group\", \"Delete Rule Group\", \"Delete\", \"\", \"Rule Group\", \"Service\",\n \"add_rule_group\", \"Add Rule Group\", \"Other\", \"Add\", \"Rule Group\", \"Service\",\n \"delete_rule\", \"Delete Rule\", \"Delete\", \"\", \"Rule\", \"Policy Rule\",\n \"update_rule\", \"Update Rule\", \"Set\", \"\", \"Rule\", \"Policy Rule\",\n \"create_rule\", \"Create Rule\", \"Create\", \"\", \"Rule\", \"Policy Rule\",\n \"disable_policy\", \"Disable Policy\", \"Disable\", \"\", \"Policy\", \"Policy Rule\",\n \"delete_policy\", \"Delete Policy\", \"Delete\", \"\", \"Policy\", \"Policy Rule\",\n \"update_priority\", \"Update Priority\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"assign_policy\", \"Assign Policy\", \"Other\", \"Assign\", \"Policy\", \"Policy Rule\",\n \"remove_policy\", \"Remove Policy\", \"Other\", \"Remove\", \"Policy\", \"Policy Rule\",\n \"ip_rules_added\", \"IP Rules Added\", \"Create\", \"\", \"Rule\", \"Other\",\n \"ip_rules_removed\", \"IP Rules Removed\", \"Delete\", \"\", \"Rule\", \"Other\",\n \"hide_host_requested\", \"Hide Host Requested\", \"Delete\", \"\", \"Host\", \"Other\",\n \"mobile_hide_host_requested\", \"Mobile Hide Host Requested\", \"Delete\", \"\", \"Mobile Host\", \"Other\",\n \"CreateAPIClient\", \"Create API Client\", \"Create\", \"\", \"API Client\", \"Service\",\n \"UpdateAPIClient\", \"Update API Client\", \"Set\", \"\", \"API Client\", \"Service\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet UserAuditActivities = dynamic([\"delete_report_execution\", \"delete_scheduled_report\", \"update_scheduled_report\", \"create_scheduled_report\", \"update_class_action\", \"update_policy\", \"enable_policy\", \"create_policy\", \"remove_rule_group\", \"create_rule_group\", 
\"delete_rule_group\", \"add_rule_group\", \"delete_rule\", \"update_rule\", \"create_rule\", \"disable_policy\", \"delete_policy\", \"update_priority\", \"assign_policy\", \"remove_policy\", \"ip_rules_added\", \"ip_rules_removed\", \"hide_host_requested\", \"mobile_hide_host_requested\"]);\nlet AuthAuditActivities = dynamic([\"CreateAPIClient\", \"UpdateAPIClient\"]);\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where (DeviceEventClassID == \"UserActivityAuditEvent\" and Activity in (UserAuditActivities)) or (DeviceEventCategory == \"AuthActivityAuditEvent\" and Activity in (AuthAuditActivities))\n | lookup EventFieldsLookup on Activity\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventType = EventType_lookup,\n EventStartTime = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n todatetime(DeviceCustomDate1),\n datetime(null)\n ),\n EventOriginalType = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n DeviceEventClassID,\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n DeviceEventCategory,\n \"\"\n ),\n EventResult = iff(EventOutcome == \"false\", \"Failure\", \"Success\"),\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = int(1),\n DvcAction = \"Allowed\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n ActorUsername = DestinationUserName,\n EventUid = _ItemId,\n DvcIpAddr = DestinationTranslatedAddress,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n TargetAppName = ProcessName,\n EventOriginalResultDetails = EventOutcome,\n EventOriginalSubType = Activity\n | extend\n EventEndTime = EventStartTime,\n Application = TargetAppName,\n TargetIpAddr = DvcIpAddr,\n User = ActorUsername,\n 
ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\")\n | extend\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Dst = TargetIpAddr\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n IndicatorThreatType,\n EventType_*\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventCrowdStrikeFalconHost", + "query": "let EventFieldsLookup = datatable(\n Activity: string,\n Operation: string,\n EventType_lookup: string,\n EventSubType: string,\n Object: string,\n ObjectType: string\n) \n [\n \"delete_report_execution\", \"Delete Report Execution\", \"Delete\", \"\", \"Report Execution\", \"Scheduled Task\",\n \"delete_scheduled_report\", \"Delete Scheduled Report\", \"Delete\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_scheduled_report\", \"Update Scheduled Report\", \"Set\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"create_scheduled_report\", \"Create Scheduled Report\", \"Create\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_class_action\", \"Update Class Action\", \"Set\", \"\", \"Class Action\", \"Other\",\n \"update_policy\", \"Update Policy\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"enable_policy\", \"Enable Policy\", \"Enable\", \"\", \"Policy\", \"Policy 
Rule\",\n \"create_policy\", \"Create Policy\", \"Create\", \"\", \"Policy\", \"Policy Rule\",\n \"remove_rule_group\", \"Remove Rule Group\", \"Other\", \"Remove\", \"Rule Group\", \"Service\",\n \"create_rule_group\", \"Create Rule Group\", \"Create\", \"\", \"Rule Group\", \"Service\",\n \"delete_rule_group\", \"Delete Rule Group\", \"Delete\", \"\", \"Rule Group\", \"Service\",\n \"add_rule_group\", \"Add Rule Group\", \"Other\", \"Add\", \"Rule Group\", \"Service\",\n \"delete_rule\", \"Delete Rule\", \"Delete\", \"\", \"Rule\", \"Policy Rule\",\n \"update_rule\", \"Update Rule\", \"Set\", \"\", \"Rule\", \"Policy Rule\",\n \"create_rule\", \"Create Rule\", \"Create\", \"\", \"Rule\", \"Policy Rule\",\n \"disable_policy\", \"Disable Policy\", \"Disable\", \"\", \"Policy\", \"Policy Rule\",\n \"delete_policy\", \"Delete Policy\", \"Delete\", \"\", \"Policy\", \"Policy Rule\",\n \"update_priority\", \"Update Priority\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"assign_policy\", \"Assign Policy\", \"Other\", \"Assign\", \"Policy\", \"Policy Rule\",\n \"remove_policy\", \"Remove Policy\", \"Other\", \"Remove\", \"Policy\", \"Policy Rule\",\n \"ip_rules_added\", \"IP Rules Added\", \"Create\", \"\", \"Rule\", \"Other\",\n \"ip_rules_removed\", \"IP Rules Removed\", \"Delete\", \"\", \"Rule\", \"Other\",\n \"hide_host_requested\", \"Hide Host Requested\", \"Delete\", \"\", \"Host\", \"Other\",\n \"mobile_hide_host_requested\", \"Mobile Hide Host Requested\", \"Delete\", \"\", \"Mobile Host\", \"Other\",\n \"CreateAPIClient\", \"Create API Client\", \"Create\", \"\", \"API Client\", \"Service\",\n \"UpdateAPIClient\", \"Update API Client\", \"Set\", \"\", \"API Client\", \"Service\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet UserAuditActivities = 
dynamic([\"delete_report_execution\", \"delete_scheduled_report\", \"update_scheduled_report\", \"create_scheduled_report\", \"update_class_action\", \"update_policy\", \"enable_policy\", \"create_policy\", \"remove_rule_group\", \"create_rule_group\", \"delete_rule_group\", \"add_rule_group\", \"delete_rule\", \"update_rule\", \"create_rule\", \"disable_policy\", \"delete_policy\", \"update_priority\", \"assign_policy\", \"remove_policy\", \"ip_rules_added\", \"ip_rules_removed\", \"hide_host_requested\", \"mobile_hide_host_requested\"]);\nlet AuthAuditActivities = dynamic([\"CreateAPIClient\", \"UpdateAPIClient\"]);\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where (DeviceEventClassID == \"UserActivityAuditEvent\" and Activity in (UserAuditActivities)) or (DeviceEventCategory == \"AuthActivityAuditEvent\" and Activity in (AuthAuditActivities))\n | lookup EventFieldsLookup on Activity\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventType = EventType_lookup,\n EventStartTime = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n todatetime(DeviceCustomDate1),\n datetime(null)\n ),\n EventOriginalType = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n DeviceEventClassID,\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n DeviceEventCategory,\n \"\"\n ),\n EventResult = iff(EventOutcome == \"false\", \"Failure\", \"Success\"),\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = int(1),\n DvcAction = \"Allowed\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n ActorUsername = DestinationUserName,\n EventUid = _ItemId,\n DvcIpAddr = DestinationTranslatedAddress,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n 
TargetAppName = ProcessName,\n EventOriginalResultDetails = EventOutcome,\n EventOriginalSubType = Activity\n | extend\n EventEndTime = EventStartTime,\n Application = TargetAppName,\n TargetIpAddr = DvcIpAddr,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\")\n | extend\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Dst = TargetIpAddr\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n IndicatorThreatType,\n EventType_*\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json new file mode 100644 index 00000000000..39e5b27654b --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventIllumioSaaSCore')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Illumio SaaS Core audit events", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventIllumioSaaSCore", + "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n Operation: string,\n ObjectType:string, // an enumerated list [ Configuration Atom, Policy Rule, Cloud Resource, Other],\n Object:string,\n EventType: string, // an enumerated list [ Set, Read, Create, Delete, Execute, Install, Clear, Enable, Disable, Other ] event type\n)\n[\n 'access_restriction.create', 'Access restriction created', 'Cloud Resource', 'Access_restriction', 'Create',\n 'access_restriction.delete', 'Access restriction deleted', 'Cloud Resource', 'Access_restriction', 'Delete',\n 'access_restriction.update', 'Access restriction updated', 'Cloud Resource', 'Access_restriction', 'Set',\n 'agent.activate', 'Agent paired', 'Cloud Resource', 'Agent', 'Other',\n 'agent.activate_clone', 'Agent clone activated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.clone_detected', 'Agent clone detected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.deactivate', 
'Agent unpaired', 'Cloud Resource', 'Agent', 'Other',\n 'agent.generate_maintenance_token', 'Generate maintenance token for any agent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.goodbye', 'Agent disconnected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.machine_identifier', 'Agent machine identifiers updated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_token', 'Agent refreshed token', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_policy', 'Success or failure to apply policy on VEN', 'Cloud Resource', 'Agent', 'Other',\n 'agent.request_upgrade', 'VEN upgrade request sent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.service_not_available', 'Agent reported a service not running', 'Cloud Resource', 'Agent', 'Other',\n 'agent.suspend', 'Agent suspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.tampering', 'Agent firewall tampered', 'Cloud Resource', 'Agent', 'Other',\n 'agent.unsuspend', 'Agent unsuspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.update', 'Agent properties updated.', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_interactive_users', 'Agent interactive users updated', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_iptables_href', 'Agent updated existing iptables href', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_running_containers', 'Agent updated existing containers', 'Cloud Resource', 'Agent', 'Set',\n 'agent.upload_existing_ip_table_rules', 'Agent existing IP tables uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent.upload_support_report', 'Agent support report uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent_support_report_request.create', 'Agent support report request created', 'Cloud Resource', 'Agent_support_report_request', 'Create',\n 'agent_support_report_request.delete', 'Agent support report request deleted', 'Cloud Resource', 'Agent_support_report_request', 'Delete',\n 'agents.clear_conditions', 'Condition cleared from a list of VENs', 'Cloud Resource', 'Agents', 'Other',\n 
'agents.unpair', 'Multiple agents unpaired', 'Cloud Resource', 'Agents', 'Other',\n 'api_key.create', 'API key created', 'Cloud Resource', 'Api_key', 'Create',\n 'api_key.delete', 'API key deleted', 'Cloud Resource', 'Api_key', 'Delete',\n 'api_key.update', 'API key updated', 'Cloud Resource', 'Api_key', 'Set',\n 'auth_security_principal.create', 'RBAC auth security principal created', 'Cloud Resource', 'Auth_security_principal', 'Create',\n 'auth_security_principal.delete', 'RBAC auth security principal deleted', 'Cloud Resource', 'Auth_security_principal', 'Delete',\n 'auth_security_principal.update', 'RBAC auth security principal updated', 'Cloud Resource', 'Auth_security_principal', 'Set',\n 'authentication_settings.update', 'Authentication settings updated', 'Other', 'Authentication_settings', 'Set',\n 'cluster.create', 'PCE cluster created', 'Cloud Resource', 'Cluster', 'Create',\n 'cluster.delete', 'PCE cluster deleted', 'Cloud Resource', 'Cluster', 'Delete',\n 'cluster.update', 'PCE cluster updated', 'Cloud Resource', 'Cluster', 'Set',\n 'container_workload.update', 'Container workload updated', 'Cloud Resource', 'Container_workload', 'Set',\n 'container_cluster.create', 'Container cluster created', 'Cloud Resource', 'Container_cluster', 'Create',\n 'container_cluster.delete', 'Container cluster deleted', 'Cloud Resource', 'Container_cluster', 'Delete',\n 'container_cluster.update', 'Container cluster updated', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_label_map', 'Container cluster label mappings updated all at once', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_services', 'Container cluster services updated, created, or deleted by Kubelink', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_workload_profile.create', 'Container workload profile created', 'Cloud Resource', 'Container_workload_profile', 'Create',\n 'container_workload_profile.delete', 'Container workload profile deleted', 
'Cloud Resource', 'Container_workload_profile', 'Delete',\n 'container_workload_profile.update', 'Container workload profile updated', 'Cloud Resource', 'Container_workload_profile', 'Set',\n 'database.temp_table_autocleanup_started', 'DB temp table cleanup started', 'Other', 'Database', 'Other',\n 'database.temp_table_autocleanup_completed', 'DB temp table cleanup completed', 'Other', 'Database', 'Other',\n 'domain.create', 'Domain created', 'Other', 'Domain', 'Create',\n 'domain.delete', 'Domain deleted', 'Other', 'Domain', 'Delete',\n 'domain.update', 'Domain updated', 'Other', 'Domain', 'Set',\n 'enforcement_boundary.create', 'Enforcement boundary created', 'Cloud Resource', 'Enforcement_boundary', 'Create',\n 'enforcement_boundary.delete', 'Enforcement boundary deleted', 'Cloud Resource', 'Enforcement_boundary', 'Delete',\n 'enforcement_boundary.update', 'Enforcement boundary updated', 'Cloud Resource', 'Enforcement_boundary', 'Set',\n 'event_settings.update', 'Event settings updated', 'Other', 'Event_settings', 'Set',\n 'firewall_settings.update', 'Global policy settings updated', 'Other', 'Firewall_settings', 'Set',\n 'group.create', 'Group created', 'Other', 'Group', 'Create',\n 'group.update', 'Group updated', 'Other', 'Group', 'Set',\n 'ip_list.create', 'IP list created', 'Cloud Resource', 'Ip_list', 'Create',\n 'ip_list.delete', 'IP list deleted', 'Cloud Resource', 'Ip_list', 'Delete',\n 'ip_list.update', 'IP list updated', 'Cloud Resource', 'Ip_list', 'Set',\n 'ip_lists.delete', 'IP lists deleted', 'Cloud Resource', 'Ip_lists', 'Delete',\n 'ip_tables_rule.create', 'IP tables rules created', 'Cloud Resource', 'Ip_tables_rule', 'Create',\n 'ip_tables_rule.delete', 'IP tables rules deleted', 'Cloud Resource', 'Ip_tables_rule', 'Delete',\n 'ip_tables_rule.update', 'IP tables rules updated', 'Cloud Resource', 'Ip_tables_rule', 'Set',\n 'job.delete', 'Job deleted', 'Other', 'Job', 'Delete',\n 'label.create', 'Label created', 'Cloud Resource', 'Label', 
'Create',\n 'label.delete', 'Label deleted', 'Cloud Resource', 'Label', 'Delete',\n 'label.update', 'Label updated', 'Cloud Resource', 'Label', 'Set',\n 'label_group.create', 'Label group created', 'Cloud Resource', 'Label_group', 'Create',\n 'label_group.delete', 'Label group deleted', 'Cloud Resource', 'Label_group', 'Delete',\n 'label_group.update', 'Label group updated', 'Cloud Resource', 'Label_group', 'Set',\n 'labels.delete', 'Labels deleted', 'Cloud Resource', 'Labels', 'Delete',\n 'ldap_config.create', 'LDAP configuration created', 'Other', 'Ldap_config', 'Create',\n 'ldap_config.delete', 'LDAP configuration deleted', 'Other', 'Ldap_config', 'Delete',\n 'ldap_config.update', 'LDAP configuration updated', 'Other', 'Ldap_config', 'Set',\n 'ldap_config.verify_connection', 'LDAP server connection verified', 'Other', 'Ldap_config', 'Other',\n 'license.delete', 'License deleted', 'Other', 'License', 'Delete',\n 'license.update', 'License updated', 'Other', 'License', 'Set',\n 'login_proxy_ldap_config.create', 'Interservice call to login service to create LDAP config', 'Other', 'Login_proxy_ldap_config', 'Create',\n 'login_proxy_ldap_config.delete', 'Interservice call to login service to delete LDAP config', 'Other', 'Login_proxy_ldap_config', 'Delete',\n 'login_proxy_ldap_config.update', 'Interservice call to login service to update LDAP config', 'Other', 'Login_proxy_ldap_config', 'Set',\n 'login_proxy_ldap_config.verify_connection', 'Interservice call to login service to verify connection to the LDAP server', 'Other', 'Login_proxy_ldap_config', 'Other',\n 'login_proxy_msp_tenants.create', 'New MSP tenant created', 'Other', 'Login_proxy_msp_tenants', 'Create',\n 'login_proxy_msp_tenants.delete', 'MSP tenant deleted', 'Other', 'Login_proxy_msp_tenants', 'Delete',\n 'login_proxy_msp_tenants.update', 'MSP tenant updated', 'Other', 'Login_proxy_msp_tenants', 'Set',\n 'login_proxy_orgs.create', 'New managed organization created', 'Other', 'Login_proxy_orgs', 
'Create',\n 'login_proxy_orgs.delete', 'Managed organization deleted', 'Other', 'Login_proxy_orgs', 'Delete',\n 'login_proxy_orgs.update', 'Managed organization updated', 'Other', 'Login_proxy_orgs', 'Set',\n 'lost_agent.found', 'Lost agent found', 'Cloud Resource', 'Lost_agent', 'Other',\n 'network.create', 'Network created', 'Cloud Resource', 'Network', 'Create',\n 'network.delete', 'Network deleted', 'Cloud Resource', 'Network', 'Delete',\n 'network.update', 'Network updated', 'Cloud Resource', 'Network', 'Set',\n 'network_device.ack_enforcement_instructions_applied', 'Enforcement instruction applied to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.assign_workload', 'Existing or new unmanaged workload assigned to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.create', 'Network device created', 'Cloud Resource', 'Network_device', 'Create',\n 'network_device.delete', 'Network device deleted', 'Cloud Resource', 'Network_device', 'Delete',\n 'network_device.update', 'Network device updated', 'Cloud Resource', 'Network_device', 'Set',\n 'network_devices.ack_multi_enforcement_instructions_applied', 'Enforcement instructions applied to multiple network devices', 'Cloud Resource', 'Network_devices', 'Other',\n 'network_endpoint.create', 'Network endpoint created', 'Cloud Resource', 'Network_endpoint', 'Create',\n 'network_endpoint.delete', 'Network endpoint deleted', 'Cloud Resource', 'Network_endpoint', 'Delete',\n 'network_endpoint.update', 'Network endpoint updated', 'Cloud Resource', 'Network_endpoint', 'Set',\n 'network_enforcement_node.activate', 'Network enforcement node activated', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.clear_conditions', 'Network enforcement node conditions cleared', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.deactivate', 'Network enforcement node deactivated', 'Cloud Resource', 
'Network_enforcement_node', 'Other',\n 'network_enforcement_node.degraded', 'Network enforcement node failed or primary lost connectivity to secondary', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats', 'Network enforcement node did not heartbeat for more than 15 minutes', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats_check', 'Network enforcement node missed heartbeats check', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.network_devices_network_endpoints_workloads', 'Workload added to network endpoint', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.policy_ack', 'Network enforcement node acknowledgment of policy', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.request_policy', 'Network enforcement node policy requested', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.update_status', 'Network enforcement node reports when switches are not reachable', 'Cloud Resource', 'Network_enforcement_node', 'Set',\n 'network_enforcement_nodes.clear_conditions', 'A condition was cleared from a list of network enforcement nodes', 'Cloud Resource', 'Network_enforcement_nodes', 'Other',\n 'nfc.activate', 'Network function controller created', 'Other', 'Nfc', 'Other',\n 'nfc.delete', 'Network function controller deleted', 'Other', 'Nfc', 'Delete',\n 'nfc.update_discovered_virtual_servers', 'Network function controller virtual servers discovered', 'Cloud Resource', 'Nfc', 'Set',\n 'nfc.update_policy_status', 'Network function controller policy status', 'Other', 'Nfc', 'Set',\n 'nfc.update_slb_state', 'Network function controller SLB state updated', 'Other', 'Nfc', 'Set',\n 'org.create', 'Organization created', 'Other', 'Org', 'Create',\n 'org.recalc_rules', 'Rules for organization recalculated', 'Other', 'Org', 'Other',\n 
'org.update', 'Organization information updated', 'Other', 'Org', 'Set',\n 'pairing_profile.create', 'Pairing profile created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.create_pairing_key', 'Pairing profile pairing key created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.delete', 'Pairing profile deleted', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profile.update', 'Pairing profile updated', 'Cloud Resource', 'Pairing_profile', 'Set',\n 'pairing_profile.delete_all_pairing_keys', 'Pairing keys deleted from pairing profile', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profiles.delete', 'Pairing profiles deleted', 'Cloud Resource', 'Pairing_profiles', 'Delete',\n 'password_policy.create', 'Password policy created', 'Cloud Resource', 'Password_policy', 'Create',\n 'password_policy.delete', 'Password policy deleted', 'Cloud Resource', 'Password_policy', 'Delete',\n 'password_policy.update', 'Password policy updated', 'Cloud Resource', 'Password_policy', 'Set',\n 'permission.create', 'RBAC permission created', 'Cloud Resource', 'Permission', 'Create',\n 'permission.delete', 'RBAC permission deleted', 'Cloud Resource', 'Permission', 'Delete',\n 'permission.update', 'RBAC permission updated', 'Cloud Resource', 'Permission', 'Set',\n 'radius_config.create', 'Create domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Create',\n 'radius_config.delete', 'Delete domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Delete',\n 'radius_config.update', 'Update domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Set',\n 'radius_config.verify_shared_secret', 'Verify RADIUS shared secret', 'Cloud Resource', 'Radius_config', 'Other',\n 'request.authentication_failed', 'API request authentication failed', 'Other', 'Request', 'Other',\n 'request.authorization_failed', 'API request authorization failed', 'Other', 'Request', 'Other',\n 'request.internal_server_error', 'API 
request failed due to internal server error', 'Other', 'Request', 'Other',\n 'request.service_unavailable', 'API request failed due to unavailable service', 'Other', 'Request', 'Other',\n 'request.unknown_server_error', 'API request failed due to unknown server error', 'Other', 'Request', 'Other',\n 'resource.create', 'Login resource created', 'Other', 'Resource', 'Create',\n 'resource.delete', 'Login resource deleted', 'Other', 'Resource', 'Delete',\n 'resource.update', 'Login resource updated', 'Other', 'Resource', 'Set',\n 'rule_set.create', 'Rule set created', 'Policy Rule', 'Rule_set', 'Create',\n 'rule_set.delete', 'Rule set deleted', 'Policy Rule', 'Rule_set', 'Delete',\n 'rule_set.update', 'Rule set updated', 'Policy Rule', 'Rule_set', 'Set',\n 'rule_sets.delete', 'Rule sets deleted', 'Policy Rule', 'Rule_sets', 'Delete',\n 'saml_acs.update', 'SAML assertion consumer services updated', 'Other', 'Saml_acs', 'Set',\n 'saml_config.create', 'SAML configuration created', 'Cloud Resource', 'Saml_config', 'Create',\n 'saml_config.delete', 'SAML configuration deleted', 'Cloud Resource', 'Saml_config', 'Delete',\n 'saml_config.pce_signing_cert', 'Generate a new cert for signing SAML AuthN requests', 'Cloud Resource', 'Saml_config', 'Other',\n 'saml_config.update', 'SAML configuration updated', 'Cloud Resource', 'Saml_config', 'Set',\n 'saml_sp_config.create', 'SAML Service Provider created', 'Cloud Resource', 'Saml_sp_config', 'Create',\n 'saml_sp_config.delete', 'SAML Service Provider deleted', 'Cloud Resource', 'Saml_sp_config', 'Delete',\n 'saml_sp_config.update', 'SAML Service Provider updated', 'Cloud Resource', 'Saml_sp_config', 'Set',\n 'sec_policy.create', 'Security policy created', 'Other', 'Sec_policy', 'Create',\n 'sec_policy_pending.delete', 'Pending security policy deleted', 'Other', 'Sec_policy_pending', 'Delete',\n 'sec_policy.restore', 'Security policy restored', 'Other', 'Sec_policy', 'Other',\n 'sec_rule.create', 'Security policy rules created', 
'Policy Rule', 'Sec_rule', 'Create',\n 'sec_rule.delete', 'Security policy rules deleted', 'Policy Rule', 'Sec_rule', 'Delete',\n 'sec_rule.update', 'Security policy rules updated', 'Policy Rule', 'Sec_rule', 'Set',\n 'secure_connect_gateway.create', 'SecureConnect gateway created', 'Other', 'Secure_connect_gateway', 'Create',\n 'secure_connect_gateway.delete', 'SecureConnect gateway deleted', 'Other', 'Secure_connect_gateway', 'Delete',\n 'secure_connect_gateway.update', 'SecureConnect gateway updated', 'Other', 'Secure_connect_gateway', 'Set',\n 'security_principal.create', 'RBAC security principal created', 'Other', 'Security_principal', 'Create',\n 'security_principal.delete', 'RBAC security principal bulk deleted', 'Other', 'Security_principal', 'Delete',\n 'security_principal.update', 'RBAC security principal bulk updated', 'Other', 'Security_principal', 'Set',\n 'security_principals.bulk_create', 'RBAC security principals bulk created', 'Other', 'Security_principals', 'Other',\n 'service.create', 'Service created', 'Other', 'Service', 'Create',\n 'service.delete', 'Service deleted', 'Other', 'Service', 'Delete',\n 'service.update', 'Service updated', 'Other', 'Service', 'Set',\n 'service_account.create', 'Service account created', 'Other', 'Service_account', 'Create',\n 'service_account.delete', 'Service account deleted', 'Other', 'Service_account', 'Delete',\n 'service_account.update', 'Service account updated', 'Other', 'Service_account', 'Set',\n 'service_binding.create', 'Service binding created', 'Other', 'Service_binding', 'Create',\n 'service_binding.delete', 'Service binding created', 'Other', 'Service_binding', 'Delete',\n 'service_bindings.delete', 'Service bindings deleted', 'Other', 'Service_bindings', 'Delete',\n 'service_bindings.delete', 'Service binding deleted', 'Other', 'Service_bindings', 'Delete',\n 'services.delete', 'Services deleted', 'Other', 'Services', 'Delete',\n 'settings.update', 'Explorer settings updated', 'Other', 'Settings', 
'Set',\n 'slb.create', 'Server load balancer created', 'Other', 'Slb', 'Create',\n 'slb.delete', 'Server load balancer deleted', 'Other', 'Slb', 'Delete',\n 'slb.update', 'Server load balancer updated', 'Other', 'Slb', 'Set',\n 'support_report.upload', 'Support report uploaded', 'Other', 'Support_report', 'Other',\n 'syslog_destination.create', 'syslog remote destination created', 'Other', 'Syslog_destination', 'Create',\n 'syslog_destination.delete', 'syslog remote destination deleted', 'Other', 'Syslog_destination', 'Delete',\n 'syslog_destination.update', 'syslog remote destination updated', 'Other', 'Syslog_destination', 'Set',\n 'system_task.agent_missed_heartbeats_check', 'Agent missed heartbeats', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_missing_heartbeats_after_upgrade', 'VEN missing heartbeat after upgrade', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_offline_check', 'Agents marked offline', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_self_signed_certs_check', 'VEN self signed certificate housekeeping check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_settings_invalidation_error_state_check', 'VEN settings invalidation error state check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_uninstall_timeout', 'VEN uninstall timeout', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.clear_auth_recover_condition', 'Clear VEN authentication recovery condition', 'Other', 'System_task', 'Other',\n 'system_task.compute_policy_for_unmanaged_workloads', 'Compute policy for unmanaged workloads', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.delete_expired_service_account_api_keys', 'An expired service account api_key was successfully deleted', 'Cloud Resource', 'System_task', 'Delete',\n 'system_task.delete_old_cached_perspectives', 'Delete old cached perspectives', 'Other', 'System_task', 'Delete',\n 'system_task.endpoint_offline_check', 'Endpoint marked 
offline', 'Other', 'System_task', 'Other',\n 'system_task.provision_container_cluster_services', 'Container cluster services provisioned', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.prune_old_log_events', 'Event pruning completed', 'Other', 'System_task', 'Other',\n 'system_task.remove_stale_zone_subsets', 'Stale zone subnets removed', 'Other', 'System_task', 'Other',\n 'system_task.set_server_sync_check', 'Set server synced', 'Other', 'System_task', 'Other',\n 'system_task.vacuum_deactivated_agent_and_deleted_workloads', 'Deactivated and deleted workloads have been vacuumed', 'Cloud Resource', 'System_task', 'Other',\n 'traffic_collector_setting.create', 'Traffic collector setting created', 'Other', 'Traffic_collector_setting', 'Create',\n 'traffic_collector_setting.delete', 'Traffic collector setting deleted', 'Other', 'Traffic_collector_setting', 'Delete',\n 'traffic_collector_setting.update', 'Traffic collector setting updated', 'Other', 'Traffic_collector_setting', 'Set',\n 'trusted_proxy_ips.update', 'Trusted proxy IPs created or updated', 'Other', 'Trusted_proxy_ips', 'Set',\n 'user.accept_invitation', 'User invitation accepted', 'Cloud Resource', 'User', 'Other',\n 'user.authenticate', 'User authenticated', 'Cloud Resource', 'User', 'Other',\n 'user.create', 'User created', 'Cloud Resource', 'User', 'Create',\n 'user.delete', 'User deleted', 'Cloud Resource', 'User', 'Delete',\n 'user.invite', 'User invited', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set', \n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.pce_session_terminated', 'User session terminated', 'Cloud Resource', 'User', 'Other',\n 'user.login_session_terminated', 'User login session terminated', 'Cloud Resource', 'User', 'Other',\n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 
'User', 'Set',\n 'user.update_password', 'User password updated', 'Cloud Resource', 'User', 'Set',\n 'user.use_expired_password', 'User entered expired password', 'Cloud Resource', 'User', 'Other',\n 'user.verify_mfa', 'User verified MFA', 'Cloud Resource', 'User', 'Other',\n 'users.auth_token', 'Auth token returned for user authentication on PCE', 'Other', 'Users', 'Other',\n 'user_local_profile.create', 'User local profile created', 'Other', 'User_local_profile', 'Create',\n 'user_local_profile.delete', 'User local profile deleted', 'Other', 'User_local_profile', 'Delete',\n 'user_local_profile.reinvite', 'User local profile reinvited', 'Other', 'User_local_profile', 'Other',\n 'user_local_profile.update_password', 'User local password updated', 'Other', 'User_local_profile', 'Set',\n 'ven_settings.update', 'VEN settings updated', 'Other', 'Ven_settings', 'Set',\n 'ven_software.upgrade', 'VEN software release upgraded', 'Other', 'Ven_software', 'Set',\n 'ven_software_release.create', 'VEN software release created', 'Other', 'Ven_software_release', 'Create',\n 'ven_software_release.delete', 'VEN software release deleted', 'Other', 'Ven_software_release', 'Delete',\n 'ven_software_release.deploy', 'VEN software release deployed', 'Other', 'Ven_software_release', 'Other',\n 'ven_software_release.update', 'VEN software release updated', 'Other', 'Ven_software_release', 'Set',\n 'ven_software_releases.set_default_version', 'Default VEN software version set', 'Other', 'Ven_software_releases', 'Other',\n 'virtual_server.create', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Create',\n 'virtual_server.delete', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Delete',\n 'virtual_server.update', 'Virtual server updated', 'Cloud Resource', 'Virtual_server', 'Set',\n 'virtual_service.create', 'Virtual service created', 'Cloud Resource', 'Virtual_service', 'Create',\n 'virtual_service.delete', 'Virtual service deleted', 'Cloud Resource', 
'Virtual_service', 'Delete',\n 'virtual_service.update', 'Virtual service updated', 'Cloud Resource', 'Virtual_service', 'Set',\n 'virtual_services.bulk_create', 'Virtual services created in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'virtual_services.bulk_update', 'Virtual services updated in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'vulnerability.create', 'Vulnerability record created', 'Other', 'Vulnerability', 'Create',\n 'vulnerability.delete', 'Vulnerability record deleted', 'Other', 'Vulnerability', 'Delete',\n 'vulnerability.update', 'Vulnerability record updated', 'Other', 'Vulnerability', 'Set',\n 'vulnerability_report.delete', 'Vulnerability report deleted', 'Other', 'Vulnerability_report', 'Delete',\n 'vulnerability_report.update', 'Vulnerability report updated', 'Other', 'Vulnerability_report', 'Set',\n 'workload.create', 'Workload created', 'Cloud Resource', 'Workload', 'Create',\n 'workload.delete', 'Workload deleted', 'Cloud Resource', 'Workload', 'Delete',\n 'workload.online', 'Workload online', 'Cloud Resource', 'Workload', 'Other',\n 'workload.recalc_rules', 'Workload policy recalculated', 'Cloud Resource', 'Workload', 'Other',\n 'workload.redetect_network', 'Workload network redetected', 'Cloud Resource', 'Workload', 'Other',\n 'workload.undelete', 'Workload undeleted', 'Cloud Resource', 'Workload', 'Other',\n 'workload.update', 'Workload settings updated', 'Cloud Resource', 'Workload', 'Set',\n 'workload.upgrade', 'Workload upgraded', 'Cloud Resource', 'Workload', 'Set',\n 'workload_interface.create', 'Workload interface created', 'Cloud Resource', 'Workload_interface', 'Create',\n 'workload_interface.delete', 'Workload interface deleted', 'Cloud Resource', 'Workload_interface', 'Delete',\n 'workload_interface.update', 'Workload interface updated', 'Cloud Resource', 'Workload_interface', 'Set',\n 'workload_interfaces.update', 'Workload interfaces updated', 'Cloud Resource', 'Workload_interfaces', 'Set',\n '', 'For 
example, IP address changes, new interface added, and interface shut down.', 'Other', '', 'Other',\n 'workload_service_report.update', 'Workload service report updated', 'Cloud Resource', 'Workload_service_report', 'Set',\n 'workload_settings.update', 'Workload settings updated', 'Cloud Resource', 'Workload_settings', 'Set',\n 'workloads.apply_policy', 'Workloads policies applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_create', 'Workloads created in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_delete', 'Workloads deleted in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_update', 'Workloads updated in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.remove_labels', 'Workloads labels removed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_flow_reporting_frequency', 'Workload flow reporting frequency changed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_labels', 'Workload labels applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.unpair', 'Workloads unpaired', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.update', 'Workloads updated', 'Cloud Resource', 'Workloads', 'Set'\n];\nlet EventSeverityLookup = datatable(\n severity: string,\n EventSeverity: string\n)\n [\n \"err\", \"High\",\n \"info\", \"Informational\",\n \"warning\", \"Medium\"\n];\nlet EventResultLookup = datatable(\n status: string,\n EventResult: string\n)\n [\n \"success\", \"Success\",\n \"failure\", \"Failure\",\n \"\", \"NA\"\n];\nlet parser = (disabled: bool = false) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type !startswith \"user\" // filter out user auth events \n | lookup EventTypeLookup on event_type // fetch Object, ObjectType,EventType, Operation from lookup\n | lookup EventSeverityLookup on severity // fetch EventSeverity from lookup\n | lookup EventResultLookup on status // fetch EventResult from lookup\n | extend\n ActorUsername = case(\n 
isnotnull(created_by.system), \"System\",\n isnotnull(created_by.user), created_by.user.username,\n isnotnull(created_by.agent), created_by.agent.hostname,\n \"Unknown\"\n )\n | extend ActorUsernameType = \"Simple\",\n temp_resource_changes = parse_json(resource_changes), \n temp_notifications = parse_json(notifications)\n | extend\n NewValue = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].changes, ''),\n EventMessage = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].resource, ''), \n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip),\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime= TimeGenerated,\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n Dvc = pce_fqdn,\n EventType = iff(isnull(EventType), event_type, EventType),\n EventOriginalUid = href,\n EventUid = _ItemId\n //aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Value = NewValue\n | project-away\n temp_*,\n event_type, // used by EventType\n severity, // used by EventSeverity\n resource_changes, // used by NewValue and EventMessage\n notifications,\n version, // simply drop version, no need to translate\n action, //used by src_ip\n status, // used by EventResult\n created_by, // used by ActorUsername and ActorType\n pce_fqdn, // used by Dvc\n href, // used by EventOriginalUid\n TenantId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/README.md new file mode 100644 index 00000000000..251c9c9ac47 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/README.md 
@@ -0,0 +1,18 @@
+# Illumio Core ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Illumio Core.
+
+This ASIM parser supports normalizing Illumio Core audit events logs ingested in 'Illumio_Auditable_Events_CL' table to the ASIM Audit Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventIllumioSaaSCore%2FASimAuditEventIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventIllumioSaaSCore%2FASimAuditEventIllumioSaaSCore.json)
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json
new file mode 100644
index 00000000000..eab8b1dd870
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventInfobloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "AuditEvent ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string) [ \"0\", \"Low\", \"1\", \"Low\", \"2\", \"Low\", \"3\", \"Low\", \"4\", \"Medium\", \"5\", \"Medium\", \"6\", \"Medium\", \"7\", \"High\", \"8\", \"High\", \"9\", \"High\", \"10\", \"High\" ]; let OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string) [ \"CreateSecurityPolicy\", \"Security Policy\", \"Policy Role\", \"UpdateSecurityPolicy\", \"Security Policy\", \"Policy\", \"Create\", \"Network Resource\", \"Service\", \"Update\", \"Network Resource\", \"Service\", \"Restore\", \"Infoblox Resource\", \"Service\", \"CreateOrGetDoHFQDN\", \"DOHFQDN\", \"Service\", \"CreateOrUpdateDfpService\", \"Dfp Service\", \"Service\", \"MoveToRecyclebin\", \"Recyclebin\", \"Other\", \"CreateCategoryFilter\", \"Category Filter\", \"Other\", \"GetLookalikeThreatCounts\", \"Lookalike Threat Counts\", \"Other\", \"GetLookalikeDomainCounts\", \"Lookalike Domain 
Counts\", \"Other\", \"CreateRoamingDeviceGroup\", \"Roaming Device Group\", \"Configuration Atom\", \"UpdatePartialRoamingDeviceGroup\", \"Partial Roaming Device Group\", \"Configuration Atom\" ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) and DeviceVendor == \"Infoblox\" and DeviceEventClassID has \"AUDIT\" | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=\";\", kv_delimiter=\"=\") | lookup EventSeverityLookup on LogSeverity | lookup OperationLookup on DeviceAction | invoke _ASIM_ResolveDvcFQDN('CollectorHostName') | project-rename EventResult = EventOutcome, Operation = DeviceAction, ActorUsername = SourceUserName, SrcIpAddr = SourceIP, EventOriginalSeverity = LogSeverity, EventMessage = Message, EventOriginalType = DeviceEventClassID, EventUid = _ItemId | extend Dvc = DvcHostname, EventEndTime = TimeGenerated, EventStartTime = TimeGenerated, EventType = case( Operation has_any (\"update\", \"upsert\"), \"Set\", Operation has \"create\", \"Create\", Operation has \"delete\", \"Delete\", \"Other\" ), Object = iff(isempty(Object), \"Infoblox Network Resource\", Object), ObjectType = iff(isempty(ObjectType), \"Service\", ObjectType), Src = SrcIpAddr, ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"), AdditionalFields = bag_pack( \"InfobloxHTTPReqBody\", InfobloxHTTPReqBody, \"InfobloxHTTPRespBody\", InfobloxHTTPRespBody ), User = ActorUsername, IpAddr = SrcIpAddr, ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) | extend EventCount = toint(1), EventProduct = \"BloxOne\", EventVendor = \"Infoblox\", EventSchema = \"AuditEvent\", EventSchemaVersion = \"0.1\" | project-away Source*, Destination*, Device*, AdditionalExtensions, CommunicationDirection, Protocol, SimplifiedDeviceAction, ExternalID, EndTime, FieldDevice*, Flex*, File*, Old*, MaliciousIP*, OriginalLogSeverity, Process*, ReceivedBytes, SentBytes, Remote*, Request*, StartTime, TenantId, 
ReportReferenceLink, ReceiptTime, Indicator*, _ResourceId, ThreatConfidence, ThreatDescription, ThreatSeverity, Computer, ApplicationProtocol, ExtID, Reason, Activity, Infoblox* }; parser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/README.md
new file mode 100644
index 00000000000..677be52108b
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/README.md
@@ -0,0 +1,18 @@
+# Infoblox BloxOne ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Infoblox BloxOne.
+
+This ASIM parser supports normalizing AuditEvent logs from Infoblox BloxOne to the ASIM AuditEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventInfobloxBloxOne%2FASimAuditEventInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventInfobloxBloxOne%2FASimAuditEventInfobloxBloxOne.json)
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftEvent/ASimAuditEventMicrosoftEvent.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftEvent/ASimAuditEventMicrosoftEvent.json
index 5550bdd0a24..e709dd3ace8 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftEvent/ASimAuditEventMicrosoftEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftEvent/ASimAuditEventMicrosoftEvent.json
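Review bot: The `OperationLookup` row `"CreateSecurityPolicy", "Security Policy", "Policy Role"` assigns an ObjectType that the sibling row `"UpdateSecurityPolicy", "Security Policy", "Policy"` spells `Policy`, so create and update of the same object are normalized under two different ObjectType values; `"Policy Role"` looks like a typo for `"Policy"`. `EventSchemaVersion = "0.1"` also differs from the `'0.1.0'` that the other AuditEvent parsers in this change emit (the Illumio and Microsoft Event templates), which matters for content that filters on the schema version. Because `Operation has_any ("update", "upsert")` is tested before `Operation has "create"`, `CreateOrUpdateDfpService` classifies as `Set`; if that is intended, a one-line comment in the query such as `// update/upsert checked first so CreateOrUpdate* maps to Set` would save the next reader the check. This ARM file appears to be generated from the parser YAML, so the fixes belong in that source rather than here.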
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventMicrosoftEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventMicrosoftEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventMicrosoftEvent", - "query": "let parser = (disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", 
\"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n Event\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | 
parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke 
_ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventMicrosoftEvent", + "query": "let parser = (disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = 
dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", 
\"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n Event\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n 
let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftExchangeAdmin365/ASimAuditEventMicrosoftExchangeAdmin365.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftExchangeAdmin365/ASimAuditEventMicrosoftExchangeAdmin365.json index be4739ab1d7..dd2be732ec4 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftExchangeAdmin365/ASimAuditEventMicrosoftExchangeAdmin365.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftExchangeAdmin365/ASimAuditEventMicrosoftExchangeAdmin365.json 
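Review bot: In the moved query, `ParsedEventIds` does not contain 1102, so `ParsedEvents` (`where EventID in(ParsedEventIds)`) never carries the audit-log-cleared event, and the `EventLog` branch filtered by `EventlogEventIds`, the `1102, "Delete Logs"` lookup row and the unreferenced `AuditLogClearedEventID` variable are all dead; 1102 (audit log cleared) is a high-value signal for detection, so the gap is worth closing. The query text is carried over verbatim by the resource flattening, so the defect predates this commit, but it is a one-token fix: `let ParsedEventIds = dynamic([1102, 4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);`. The flattening to a `workspaces/savedSearches` resource with the workspace encoded in `name` is itself sound; the same restructure appears to be applied to the ExchangeAdmin365 template in the following hunk, which ends outside this view.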
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventMicrosoftExchangeAdmin365')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventMicrosoftExchangeAdmin365", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Microsoft Exchange 365 administrative activity", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventMicrosoftExchangeAdmin365", - "query": "let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\n[\n // Regular, Regular\n \"Admin\", \"Admin\"\n , \"DcAdmin\", \"Admin\"\n , \"System\", \"System\"\n , \"Application\", \"Application\"\n , \"ServicePrincipal\", \"Service Principal\"\n , \"CustomPolicy\", \"Other\"\n , \"SystemPolicy\", \"Other\"\n , \"Reserved\", \"Other\"\n];\nlet eventtypes=datatable (op:string, EventType:string)\n[\n \"Remove\", \"Delete\",\n \"New\", \"Create\",\n \"Add\", \"Create\",\n \"Enable\", \"Enable\",\n \"Install\", \"Install\",\n \"Set\", \"Set\",\n \"Disable\", \"Disable\",\n \"disable\", \"Disable\"\n];\nlet parser=(disabled:bool=false){\n OfficeActivity\n | where not(disabled)\n | where RecordType in ('ExchangeAdmin')\n | project Operation, ResultStatus, Parameters, OrganizationName, OrganizationId, OfficeObjectId, ClientIP, UserId, UserKey, UserAgent, UserType, TimeGenerated, OriginatingServer, SourceRecordId, Type, _ResourceId\n | extend \n SplitOp = split (Operation,\"-\")\n | extend\n op=tostring(SplitOp[0])\n | lookup eventtypes on op\n | project-away op\n // --\n // Calculate Object\n | extend\n 
SplitObject = extract_all(@'^(.*?)[\\\\/](.*)$', OfficeObjectId)[0]\n | extend \n Object = case (\n SplitObject[0] == OrganizationName, SplitObject[1], \n OfficeObjectId == \"\", SplitOp[1],\n OfficeObjectId\n )\n | project-away SplitOp, OfficeObjectId\n // --\n // Calculate source IP address and port\n | extend \n SplitIpAddr = extract_all(@'^\\[?(.*?)\\]?:(\\d+)$', ClientIP)[0]\n | extend \n SrcIpAddr = iff (SplitIpAddr[1] == \"\", ClientIP, SplitIpAddr[0]),\n SrcPortNumber = toint(iff (SplitIpAddr[1] == \"\", \"\", SplitIpAddr[1]))\n | parse UserId with ActorUsername \" (\" ActingAppName \")\"\n | extend \n ActorUsernameType = iff (ActorUsername == \"\", \"UPN\", \"Windows\"),\n ActorUsername = iff (ActorUsername == \"\", UserId, ActorUsername),\n ActingAppType = iff (ActingAppName == \"\", \"\", \"Process\")\n | project-rename\n SrcDescription = OriginatingServer,\n NewValue = Parameters \n | project-away SplitObject, UserKey, SplitIpAddr, ClientIP, UserId\n | project-rename\n HttpUserAgent = UserAgent, \n ActorOriginalUserType = UserType,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId\n | lookup usertypes on ActorOriginalUserType\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Exchange 365',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n TargetAppName = 'Exchange 365',\n TargetAppType = 'SaaS application',\n EventResult = iff(ResultStatus == \"True\", \"Success\", \"Failure\")\n | project-away \n ResultStatus\n | extend\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n // -- Aliases\n | extend \n User=ActorUsername,\n IpAddr = SrcIpAddr,\n Value = NewValue,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = coalesce (SrcIpAddr, SrcDescription),\n Dvc = TargetAppName,\n // -- Entity identifier explicit aliases\n ActorUserUpn = iif (ActorUsernameType == 
\"UPN\", ActorUsername, \"\"),\n ActorWindowsUsername = iif (ActorUsernameType == \"Windows\", ActorUsername, \"\")\n };\n parser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Microsoft Exchange 365 administrative activity", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventMicrosoftExchangeAdmin365", + "query": "let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\n[\n // Regular, Regular\n \"Admin\", \"Admin\"\n , \"DcAdmin\", \"Admin\"\n , \"System\", \"System\"\n , \"Application\", \"Application\"\n , \"ServicePrincipal\", \"Service Principal\"\n , \"CustomPolicy\", \"Other\"\n , \"SystemPolicy\", \"Other\"\n , \"Reserved\", \"Other\"\n];\nlet eventtypes=datatable (op:string, EventType:string)\n[\n \"Remove\", \"Delete\",\n \"New\", \"Create\",\n \"Add\", \"Create\",\n \"Enable\", \"Enable\",\n \"Install\", \"Install\",\n \"Set\", \"Set\",\n \"Disable\", \"Disable\",\n \"disable\", \"Disable\"\n];\nlet parser=(disabled:bool=false){\n OfficeActivity\n | where not(disabled)\n | where RecordType in ('ExchangeAdmin')\n | project Operation, ResultStatus, Parameters, OrganizationName, OrganizationId, OfficeObjectId, ClientIP, UserId, UserKey, UserAgent, UserType, TimeGenerated, OriginatingServer, SourceRecordId, Type, _ResourceId\n | extend \n SplitOp = split (Operation,\"-\")\n | extend\n op=tostring(SplitOp[0])\n | lookup eventtypes on op\n | project-away op\n // --\n // Calculate Object\n | extend\n SplitObject = extract_all(@'^(.*?)[\\\\/](.*)$', OfficeObjectId)[0]\n | extend \n Object = case (\n SplitObject[0] == OrganizationName, SplitObject[1], \n OfficeObjectId == \"\", SplitOp[1],\n OfficeObjectId\n )\n | project-away SplitOp, OfficeObjectId\n // --\n // Calculate source IP address and port\n | extend \n SplitIpAddr = extract_all(@'^\\[?(.*?)\\]?:(\\d+)$', ClientIP)[0]\n | extend \n SrcIpAddr = iff 
(SplitIpAddr[1] == \"\", ClientIP, SplitIpAddr[0]),\n SrcPortNumber = toint(iff (SplitIpAddr[1] == \"\", \"\", SplitIpAddr[1]))\n | parse UserId with ActorUsername \" (\" ActingAppName \")\"\n | extend \n ActorUsernameType = iff (ActorUsername == \"\", \"UPN\", \"Windows\"),\n ActorUsername = iff (ActorUsername == \"\", UserId, ActorUsername),\n ActingAppType = iff (ActingAppName == \"\", \"\", \"Process\")\n | project-rename\n SrcDescription = OriginatingServer,\n NewValue = Parameters \n | project-away SplitObject, UserKey, SplitIpAddr, ClientIP, UserId\n | project-rename\n HttpUserAgent = UserAgent, \n ActorOriginalUserType = UserType,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId\n | lookup usertypes on ActorOriginalUserType\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Exchange 365',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n TargetAppName = 'Exchange 365',\n TargetAppType = 'SaaS application',\n EventResult = iff(ResultStatus == \"True\", \"Success\", \"Failure\")\n | project-away \n ResultStatus\n | extend\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n // -- Aliases\n | extend \n User=ActorUsername,\n IpAddr = SrcIpAddr,\n Value = NewValue,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = coalesce (SrcIpAddr, SrcDescription),\n Dvc = TargetAppName,\n // -- Entity identifier explicit aliases\n ActorUserUpn = iif (ActorUsernameType == \"UPN\", ActorUsername, \"\"),\n ActorWindowsUsername = iif (ActorUsernameType == \"Windows\", ActorUsername, \"\")\n };\n parser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftSecurityEvents/ASimAuditEventMicrosoftSecurityEvents.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftSecurityEvents/ASimAuditEventMicrosoftSecurityEvents.json index be994c442df..161fdc34df2 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftSecurityEvents/ASimAuditEventMicrosoftSecurityEvents.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftSecurityEvents/ASimAuditEventMicrosoftSecurityEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventMicrosoftSecurityEvents", - "query": "let parser = (disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled 
Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union\n (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, 
EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where EventID in (AuditLogClearedEventID) and EventSourceName == \"Microsoft-Windows-Eventlog\"\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend Parsed_EventData = parse_xml(EventData)\n | extend\n SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid),\n SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName),\n SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName),\n SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)\n | project-away EventData, Parsed_EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse 
WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventMicrosoftSecurityEvents", + "query": "let parser = 
(disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall 
Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union\n (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where EventID in (AuditLogClearedEventID) and EventSourceName == \"Microsoft-Windows-Eventlog\"\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend Parsed_EventData = parse_xml(EventData)\n | extend\n SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid),\n 
SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName),\n SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName),\n SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)\n | project-away EventData, Parsed_EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = 
SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json index 547ac47bac8..1b9e9da427b 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventMicrosoftWindowsEvents", - "query": "let parser = (disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", 
\"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union\n (\n WindowsEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, 
TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | project-away EventData\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where EventID in (AuditLogClearedEventID) and Provider == \"Microsoft-Windows-Eventlog\"\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | 
project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", + "category": "ASIM", + 
"FunctionAlias": "ASimAuditEventMicrosoftWindowsEvents", + "query": "let parser = (disabled: bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n // Clear Audit Log Event\n let AuditLogClearedEventID = dynamic([1102]); \n // EventID Lookup\n let EventIDLookup = datatable(\n EventID: int,\n Operation: string,\n EventType: string,\n Object: string,\n ObjectType: string,\n EventResult: string\n )\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", 
\"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union\n (\n WindowsEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | project-away EventData\n ),\n (\n WindowsEvent\n | 
where not(disabled)\n | where EventID in (AuditLogClearedEventID) and Provider == \"Microsoft-Windows-Eventlog\"\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n 
ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json index f89a67bcae3..889fbe25144 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventSentinelOne", - "query": "let EventFieldsLookup = datatable(\n activityType_d: real,\n Operation: string,\n EventType_activity: string,\n EventSubType: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", \"Mitigation action\", \"Other\",\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\n 70, \"Policy Setting - Agent Notification 
On Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write setting\", \"Configuration Atom\",\n 105, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 5012, \"Group Token Regenerated\", \"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\n 5025, \"Site Marked As Expired\", \"Disable\", \"\", 
\"Success\", \"\", \"Other\",\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell Settings\", \"Configuration Atom\",\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", 
\"Policy Rule\",\n ];\n let EventFieldsLookupMachineActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_machineactivity: string,\n EventSubType_machineactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n ];\n let EventFieldsLookupAccountActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_accountactivity: string,\n EventSubType_accountactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", \"Success\", \"\", 
\"Other\",\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5044, \"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventFieldsLookup_useractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_useractivity: string,\n EventSubType_useractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\n ];\n let EventFieldsLookup_otheractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_otheractivity: string,\n EventSubType_otheractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\n 59, \"Event Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\n 106, \"User Commanded Agents To Move To Another 
Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\n 107, \"User Created RBAC Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 109, \"User Deleted RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2029, \"Ticket Number Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", \"Success\", \"Hash\", 
\"Other\",\n 3002, \"User Added Blocklist Hash\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\n 3101, \"User Modified Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\n 3501, \"Ranger Settings Modified\", \"Set\", \"\", 
\"Success\", \"Ranger Settings\", \"Configuration Atom\",\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", \"Device Review\", \"Other\",\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\n 3626, \"User 2FA Email Verification Changed\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\n 3651, \"Tag Manager - User Modified Tag\", \"Set\", \"\", \"Success\", 
\"Tag\", \"Other\",\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\n 3654, \"Tag Manager - User Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3774, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", 
\"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\n 5258, \"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", 
\"Policy Rule\",\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5225, \"Firewall Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5235, \"Network 
Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventTypeLookup_onoff = datatable(\n field: string,\n EventType_field: string,\n NewValue_field: string\n )\n [\n \"true\", \"Enable\", \"on\",\n \"false\", \"Disable\", \"off\"\n ];\n let EventTypeLookup_enableddisabled = datatable(\n field: string,\n EventType_fieldenableddisabled: string,\n NewValue_fieldenableddisabled: string\n )\n [\n \"true\", \"Enable\", \"enabled\",\n \"false\", \"Disable\", \"disabled\"\n ];\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\n [\n \"Success\", \"Informational\",\n \"Failure\", \"Low\"\n ];\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\n [\n 4100, \"Medium\",\n 4101, \"High\",\n 2016, \"Medium\",\n 2028, \"Low\",\n 4001, \"Medium\",\n 4002, \"Low\",\n 4007, \"Low\",\n 4008, \"Medium\",\n 4009, \"Medium\",\n 4011, \"High\",\n 2, \"Medium\",\n 2011, \"Low\",\n 2012, \"Low\",\n 2013, \"Medium\",\n 2014, \"Low\",\n 2015, \"Low\",\n 4002, \"Low\",\n 4104, \"High\",\n 4105, \"Medium\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n 
threatInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"false_positive\", 5,\n \"undefined\", 15,\n \"suspicious\", 25,\n \"true_positive\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"false_positive\", 40,\n \"undefined\", 50,\n \"suspicious\", 60,\n \"true_positive\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"false_positive\", 75,\n \"undefined\", 80,\n \"suspicious\", 90,\n \"true_positive\", 100 \n ];\n let parser = (disabled: bool=false) {\n let RawGroupSiteActivityIds = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111]);\n let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let activitydata = SentinelOne_CL\n | where not(disabled) and event_name_s == \"Activities.\"\n | project-away\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n 
threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s;\n let rawgroupsiteactivitydata = activitydata\n | where activityType_d in (RawGroupSiteActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | project-rename ObjectId = id\n | lookup EventFieldsLookup on activityType_d;\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\n | extend\n EventType = coalesce(EventType_field, EventType_field1),\n NewValue = coalesce(NewValue_field, NewValue_field1);\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\n | where activityType_d in (70, 82, 83, 201)\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n EventType = EventType_fieldenableddisabled,\n NewValue = NewValue_fieldenableddisabled;\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\n | extend EventType = EventType_activity;\n let groupsiteactivitydata = union\n groupsiteactivitydata_onoff,\n groupsiteactivitydata_enabledisabled,\n groupsiteactivitydata_other\n | extend\n ActorUsername = coalesce(username, userName, userFullName),\n Object = coalesce(Object, siteName, oldSiteName),\n NewValue = coalesce(NewValue, newValue),\n OldValue = oldValue;\n let machineactivitydata = activitydata\n | where activityType_d in (52, 53, 54, 
55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupMachineActivity on activityType_d\n | extend\n EventType = EventType_machineactivity,\n EventSubType = EventSubType_machineactivity,\n ThreatCategory_datafields = threatClassification,\n OldValue = groupName,\n NewValue = targetGroupName,\n ObjectId = agentId_s\n | extend ActorUsername = coalesce(username, userName)\n | invoke _ASIM_ResolveDvcFQDN('computerName');\n let accountactivitydata = activitydata\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupAccountActivity on activityType_d\n | extend\n EventType = EventType_accountactivity,\n EventSubType = EventSubType_accountactivity,\n Object = coalesce(accountName, cloudProviderAccountName),\n ObjectId = accountId;\n let useractivitydata = activitydata\n | where activityType_d in (88, 114)\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_useractivity on activityType_d\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n ActorUsername = byUser,\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\n EventSubType = EventSubType_useractivity,\n NewValue = NewValue_fieldenableddisabled;\n let rawotheractivitydata = activitydata\n | where activityType_d in (RawOtherActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, email: 
string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_otheractivity on activityType_d\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\n | extend\n ActorUsername = coalesce(username, userName),\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\n EventSubType = EventSubType_otheractivity,\n Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),\n TargetIpAddr = 
coalesce(externalIp, ip, gatewayExternalIp),\n ThreatCategory_datafields = threatClassification,\n RuleName = ruleName,\n TargetDvcId = deviceId,\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\n | project-rename\n TargetHostname = DstHostname,\n TargetDomain = DstDomain,\n TargetDomainType = DstDomainType,\n TargetFQDN = DstFQDN,\n TargetUrl = consoleUrl;\n let parsedotheractivitydata_eventtype = rawotheractivitydata\n | where activityType_d in (5256, 5258)\n | extend EventType = case(\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\n \"Create\",\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\n \"Delete\",\n \"Set\"\n );\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\n | extend Object = strcat(Object, ' ', value);\n let parsedotheractivitydata_severity = rawotheractivitydata\n | where activityType_d in (2036, 2037, 2030)\n | extend EventSeverity_specific = case(\n primaryDescription_s has_any (\"to malicious\", \"to True positive\"),\n \"High\", \n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\n \"Medium\",\n primaryDescription_s has \"to False positive\",\n \"Low\",\n \"Informational\"\n );\n let ParsedActivitydata = union\n groupsiteactivitydata,\n machineactivitydata,\n accountactivitydata,\n useractivitydata,\n rawotheractivitydata,\n parsedotheractivitydata_eventtype,\n parsedotheractivitydata_objectvalue\n | where activityType_d !in(2030, 2036, 2037)\n | lookup EventSeverityLookup on EventResult\n | lookup EventSeverityLookup_activity on activityType_d;\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\n | where isnotempty(threatId_s)\n | join kind=inner (SentinelOne_CL\n | where event_name_s == \"Threats.\"\n | project\n TimeGenerated,\n 
threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s)\n on $left.threatId_s == $right.threatInfo_threatId_s\n | where TimeGenerated1 >= TimeGenerated\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\n let undefineddata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"Undefined\"\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\n let suspiciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\n let maliciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"malicious\"\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n AdditionalFields = bag_pack(\n \"threatUpdatedAt\",\n threatInfo_updatedAt_t,\n \"threatAnalystVerdict\",\n threatInfo_analystVerdict_s,\n \"threatIncidentStatus\",\n threatInfo_incidentStatus_s,\n \"mitigationStatus\",\n mitigationStatus_s\n )\n | project-rename\n ThreatId = threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatCategory_threats = threatInfo_classification_s,\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\n | where isempty(threatId_s);\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\n | extend \n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\n EventProduct = \"SentinelOne\",\n 
EventVendor = \"SentinelOne\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = toint(1),\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\n EventOriginalType = tostring(toint(activityType_d)),\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\"),\n ThreatCategory = coalesce(ThreatCategory_datafields, ThreatCategory_threats)\n | project-rename\n EventStartTime = createdAt_t,\n EventUid = _ItemId,\n EventMessage = primaryDescription_s,\n ActorUserId = userId_s,\n DvcId = agentId_s,\n EventOriginalUid = activityUuid_g\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | extend\n EventEndTime = EventStartTime,\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n Dst = coalesce(TargetHostname, TargetIpAddr),\n Src = SrcIpAddr,\n Rule = RuleName,\n Value = NewValue\n | project-away\n *_d,\n *_s,\n *_t,\n *_g,\n *_b,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n username,\n userName,\n userFullName,\n newValue,\n policyEnabled,\n siteName,\n oldValue,\n computerName,\n accountName,\n cloudProviderAccountName,\n email,\n globalTwoFaEnabled,\n cloudIntelligenceOn,\n fileDisplayName,\n roleName,\n oldIncidentStatusTitle,\n oldTicketId,\n oldAnalystVerdictTitle,\n oldConfidenceLevel,\n previous,\n oldStatus,\n oldTagName,\n oldTagDescription,\n newIncidentStatusTitle,\n newTicketId,\n newAnalystVerdictTitle,\n newConfidenceLevel,\n newStatus,\n current,\n Status,\n newTagName,\n newTagDescription,\n value,\n rulesAdded,\n rulesRemoved,\n 
tagsAdded,\n tagsRemoved,\n incidentName,\n ruleName,\n deviceId,\n ip,\n externalIp,\n affectedDevices,\n featureValue,\n featureName,\n recoveryEmail,\n policyName,\n policy,\n tagName,\n gatewayExternalIp,\n gatewayMac,\n threatClassification,\n applicationPath,\n externalId,\n groupName,\n oldSiteName,\n targetGroupName,\n ipAddress,\n EventType_*,\n EventSubType_*,\n EventSeverity_*,\n NewValue_*,\n _ResourceId,\n TimeGenerated1,\n ThreatCategory_*,\n ThreatConfidence_*,\n accountId,\n policyId,\n ruleId,\n byUser\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventSentinelOne", + "query": "let EventFieldsLookup = datatable(\n activityType_d: real,\n Operation: string,\n EventType_activity: string,\n EventSubType: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", \"Mitigation action\", \"Other\",\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\n 70, \"Policy Setting - 
Agent Notification On Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write setting\", \"Configuration Atom\",\n 105, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 5012, \"Group Token Regenerated\", \"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\n 5025, \"Site Marked As Expired\", 
\"Disable\", \"\", \"Success\", \"\", \"Other\",\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell Settings\", \"Configuration Atom\",\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", 
\"Policy Upgrade\", \"Policy Rule\",\n ];\n let EventFieldsLookupMachineActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_machineactivity: string,\n EventSubType_machineactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n ];\n let EventFieldsLookupAccountActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_accountactivity: string,\n EventSubType_accountactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", 
\"Success\", \"\", \"Other\",\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5044, \"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventFieldsLookup_useractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_useractivity: string,\n EventSubType_useractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\n ];\n let EventFieldsLookup_otheractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_otheractivity: string,\n EventSubType_otheractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\n 59, \"Event Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\n 106, \"User Commanded Agents To 
Move To Another Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\n 107, \"User Created RBAC Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 109, \"User Deleted RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2029, \"Ticket Number Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", 
\"Success\", \"Hash\", \"Other\",\n 3002, \"User Added Blocklist Hash\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\n 3101, \"User Modified Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\n 3501, \"Ranger Settings 
Modified\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Configuration Atom\",\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", \"Device Review\", \"Other\",\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\n 3626, \"User 2FA Email Verification Changed\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\n 3651, \"Tag Manager - User Modified Tag\", 
\"Set\", \"\", \"Success\", \"Tag\", \"Other\",\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\n 3654, \"Tag Manager - User Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3774, \"Local Upgrade Authorization Inherits from 
Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\n 5258, \"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", 
\"Success\", \"\", \"Policy Rule\",\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5225, \"Firewall Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5235, 
\"Network Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventTypeLookup_onoff = datatable(\n field: string,\n EventType_field: string,\n NewValue_field: string\n )\n [\n \"true\", \"Enable\", \"on\",\n \"false\", \"Disable\", \"off\"\n ];\n let EventTypeLookup_enableddisabled = datatable(\n field: string,\n EventType_fieldenableddisabled: string,\n NewValue_fieldenableddisabled: string\n )\n [\n \"true\", \"Enable\", \"enabled\",\n \"false\", \"Disable\", \"disabled\"\n ];\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\n [\n \"Success\", \"Informational\",\n \"Failure\", \"Low\"\n ];\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\n [\n 4100, \"Medium\",\n 4101, \"High\",\n 2016, \"Medium\",\n 2028, \"Low\",\n 4001, \"Medium\",\n 4002, \"Low\",\n 4007, \"Low\",\n 4008, \"Medium\",\n 4009, \"Medium\",\n 4011, \"High\",\n 2, \"Medium\",\n 2011, \"Low\",\n 2012, \"Low\",\n 2013, \"Medium\",\n 2014, \"Low\",\n 2015, \"Low\",\n 4002, \"Low\",\n 4104, \"High\",\n 4105, \"Medium\"\n ];\n let ThreatConfidenceLookup_undefined = 
datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"false_positive\", 5,\n \"undefined\", 15,\n \"suspicious\", 25,\n \"true_positive\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"false_positive\", 40,\n \"undefined\", 50,\n \"suspicious\", 60,\n \"true_positive\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"false_positive\", 75,\n \"undefined\", 80,\n \"suspicious\", 90,\n \"true_positive\", 100 \n ];\n let parser = (disabled: bool=false) {\n let RawGroupSiteActivityIds = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111]);\n let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let activitydata = SentinelOne_CL\n | where not(disabled) and event_name_s == \"Activities.\"\n | project-away\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n 
threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s;\n let rawgroupsiteactivitydata = activitydata\n | where activityType_d in (RawGroupSiteActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | project-rename ObjectId = id\n | lookup EventFieldsLookup on activityType_d;\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\n | extend\n EventType = coalesce(EventType_field, EventType_field1),\n NewValue = coalesce(NewValue_field, NewValue_field1);\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\n | where activityType_d in (70, 82, 83, 201)\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n EventType = EventType_fieldenableddisabled,\n NewValue = NewValue_fieldenableddisabled;\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\n | extend EventType = EventType_activity;\n let groupsiteactivitydata = union\n groupsiteactivitydata_onoff,\n groupsiteactivitydata_enabledisabled,\n groupsiteactivitydata_other\n | extend\n ActorUsername = coalesce(username, userName, userFullName),\n Object = coalesce(Object, siteName, oldSiteName),\n NewValue = coalesce(NewValue, newValue),\n OldValue = oldValue;\n let machineactivitydata = activitydata\n | where 
activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupMachineActivity on activityType_d\n | extend\n EventType = EventType_machineactivity,\n EventSubType = EventSubType_machineactivity,\n ThreatCategory_datafields = threatClassification,\n OldValue = groupName,\n NewValue = targetGroupName,\n ObjectId = agentId_s\n | extend ActorUsername = coalesce(username, userName)\n | invoke _ASIM_ResolveDvcFQDN('computerName');\n let accountactivitydata = activitydata\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupAccountActivity on activityType_d\n | extend\n EventType = EventType_accountactivity,\n EventSubType = EventSubType_accountactivity,\n Object = coalesce(accountName, cloudProviderAccountName),\n ObjectId = accountId;\n let useractivitydata = activitydata\n | where activityType_d in (88, 114)\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_useractivity on activityType_d\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n ActorUsername = byUser,\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\n EventSubType = EventSubType_useractivity,\n NewValue = NewValue_fieldenableddisabled;\n let rawotheractivitydata = activitydata\n | where activityType_d in (RawOtherActivityIds)\n | parse-kv DataFields_s as (username: 
string, userName: string, email: string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_otheractivity on activityType_d\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\n | extend\n ActorUsername = coalesce(username, userName),\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\n EventSubType = EventSubType_otheractivity,\n Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, 
oldTagDescription),\n TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),\n ThreatCategory_datafields = threatClassification,\n RuleName = ruleName,\n TargetDvcId = deviceId,\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\n | project-rename\n TargetHostname = DstHostname,\n TargetDomain = DstDomain,\n TargetDomainType = DstDomainType,\n TargetFQDN = DstFQDN,\n TargetUrl = consoleUrl;\n let parsedotheractivitydata_eventtype = rawotheractivitydata\n | where activityType_d in (5256, 5258)\n | extend EventType = case(\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\n \"Create\",\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\n \"Delete\",\n \"Set\"\n );\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\n | extend Object = strcat(Object, ' ', value);\n let parsedotheractivitydata_severity = rawotheractivitydata\n | where activityType_d in (2036, 2037, 2030)\n | extend EventSeverity_specific = case(\n primaryDescription_s has_any (\"to malicious\", \"to True positive\"),\n \"High\", \n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\n \"Medium\",\n primaryDescription_s has \"to False positive\",\n \"Low\",\n \"Informational\"\n );\n let ParsedActivitydata = union\n groupsiteactivitydata,\n machineactivitydata,\n accountactivitydata,\n useractivitydata,\n rawotheractivitydata,\n parsedotheractivitydata_eventtype,\n parsedotheractivitydata_objectvalue\n | where activityType_d !in(2030, 2036, 2037)\n | lookup EventSeverityLookup on EventResult\n | lookup EventSeverityLookup_activity on activityType_d;\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\n | where isnotempty(threatId_s)\n | join kind=inner (SentinelOne_CL\n | where event_name_s == \"Threats.\"\n | project\n 
TimeGenerated,\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s)\n on $left.threatId_s == $right.threatInfo_threatId_s\n | where TimeGenerated1 >= TimeGenerated\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\n let undefineddata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"Undefined\"\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\n let suspiciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\n let maliciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"malicious\"\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n AdditionalFields = bag_pack(\n \"threatUpdatedAt\",\n threatInfo_updatedAt_t,\n \"threatAnalystVerdict\",\n threatInfo_analystVerdict_s,\n \"threatIncidentStatus\",\n threatInfo_incidentStatus_s,\n \"mitigationStatus\",\n mitigationStatus_s\n )\n | project-rename\n ThreatId = threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatCategory_threats = threatInfo_classification_s,\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\n | where isempty(threatId_s);\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\n | extend \n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\n EventProduct = 
\"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = toint(1),\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\n EventOriginalType = tostring(toint(activityType_d)),\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\"),\n ThreatCategory = coalesce(ThreatCategory_datafields, ThreatCategory_threats)\n | project-rename\n EventStartTime = createdAt_t,\n EventUid = _ItemId,\n EventMessage = primaryDescription_s,\n ActorUserId = userId_s,\n DvcId = agentId_s,\n EventOriginalUid = activityUuid_g\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | extend\n EventEndTime = EventStartTime,\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n Dst = coalesce(TargetHostname, TargetIpAddr),\n Src = SrcIpAddr,\n Rule = RuleName,\n Value = NewValue\n | project-away\n *_d,\n *_s,\n *_t,\n *_g,\n *_b,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n username,\n userName,\n userFullName,\n newValue,\n policyEnabled,\n siteName,\n oldValue,\n computerName,\n accountName,\n cloudProviderAccountName,\n email,\n globalTwoFaEnabled,\n cloudIntelligenceOn,\n fileDisplayName,\n roleName,\n oldIncidentStatusTitle,\n oldTicketId,\n oldAnalystVerdictTitle,\n oldConfidenceLevel,\n previous,\n oldStatus,\n oldTagName,\n oldTagDescription,\n newIncidentStatusTitle,\n newTicketId,\n newAnalystVerdictTitle,\n newConfidenceLevel,\n newStatus,\n current,\n Status,\n newTagName,\n newTagDescription,\n value,\n rulesAdded,\n 
rulesRemoved,\n tagsAdded,\n tagsRemoved,\n incidentName,\n ruleName,\n deviceId,\n ip,\n externalIp,\n affectedDevices,\n featureValue,\n featureName,\n recoveryEmail,\n policyName,\n policy,\n tagName,\n gatewayExternalIp,\n gatewayMac,\n threatClassification,\n applicationPath,\n externalId,\n groupName,\n oldSiteName,\n targetGroupName,\n ipAddress,\n EventType_*,\n EventSubType_*,\n EventSeverity_*,\n NewValue_*,\n _ResourceId,\n TimeGenerated1,\n ThreatCategory_*,\n ThreatConfidence_*,\n accountId,\n policyId,\n ruleId,\n byUser\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVMwareCarbonBlackCloud/ASimAuditEventVMwareCarbonBlackCloud.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVMwareCarbonBlackCloud/ASimAuditEventVMwareCarbonBlackCloud.json index 877acdb8692..01f0ed391b8 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVMwareCarbonBlackCloud/ASimAuditEventVMwareCarbonBlackCloud.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVMwareCarbonBlackCloud/ASimAuditEventVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventVMwareCarbonBlackCloud", - "query": "let EventTypeLookup = datatable(temp_type: string, EventType: string)[\n\"created\", \"Create\",\n\"updated\", \"Set\",\n\"deleted\", \"Delete\",\n\"added\", \"Create\",\n\"modified\", \"Set\"\n];\nlet parser = (disabled: bool=false) {\n let allData = CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where not(description_s has_any (\"logged in\", \"login\"));\n let Enabled = allData\n | where description_s has_cs \"Enabled\"\n | parse description_s with \"Enabled \" temp_object1: string \" in policy \" temp_restmessage1: string\n | parse description_s with \"Enabled \" temp_object2: string \" with \" temp_restmessage2: string\n | parse description_s with temp_object3: string \" Enabled \" temp_restmessage3: string\n | extend\n EventType = \"Enable\",\n Operation = description_s,\n Object = coalesce(temp_object1, temp_object2, temp_object3),\n ObjectType = iff(description_s has \"policy\", \"Policy Rule\", \"Configuration Atom\"),\n EventSeverity1 = iff(description_s has \"Sensor Bypass\", \"Low\", \"Informational\");\n let Set = allData\n | where description_s startswith \"Set\"\n | parse description_s with \"Set \" temp_field_s: string \" 
to \" NewValue: string \" for device(s): \" temp_deviceid_s: string\n | parse temp_deviceid_s with TargetFQDN: string \" (ID: \" TargetDvcId: string \")\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n Object = temp_field_s,\n EventType = \"Set\",\n Operation = strcat(\"Set \", temp_field_s, \" to \", NewValue),\n ObjectType = \"Configuration Atom\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s);\n let AlertNotify = allData\n | where description_s has \"alert notification\"\n | parse-kv description_s as (name: string) with (pair_delimiter=\" \", kv_delimiter=\":\")\n | parse description_s with temp_type: string \" alert notification \" temp_restmessage: string\n | extend\n Operation = strcat(temp_type, \" alert notification\"),\n temp_type = tolower(temp_type),\n Object = coalesce(name, \"alert notification\"),\n ObjectType = \"Service\"\n | lookup EventTypeLookup on temp_type;\n let CustomRole = allData\n | where description_s has \"custom role\"\n | parse description_s with temp_type1: string \" custom role \" temp_rolename1: string \" (psc:role:\" temp_roleid1: string \")\" temp_restmessage1: string \n | parse description_s with * \" role \" temp_rolename2: string \" (psc:role:\" temp_roleid2: string \") \" temp_type2: string \" with\" temp_restmessage2: string\n | extend\n temp_type = tolower(coalesce(temp_type1, temp_type2)),\n Object = coalesce(temp_rolename1, temp_rolename2),\n ObjectType = \"Other\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" custom role \", Object),\n AdditionalFields = bag_pack(\"role id\", coalesce(temp_roleid1, temp_roleid2));\n let Policy = allData\n | where description_s startswith \"Policy\"\n | parse description_s with \"Policy \" temp_policyname1: string \" (ID: \" temp_policyid1 \") \" temp_type1: string \" successfully\"\n | parse description_s with \"Policy \" temp_policyname2: string \" (ID: \" temp_policyid2: string \") \" temp_type2: string \" and renamed 
to \" NewValue: string \" (ID: \" temp_restmessage2: string\n | parse description_s with \"Policy \" temp_policyname3: string \" (ID: \" temp_policyid3 \") \" temp_type3: string\n | extend\n Object = coalesce(temp_policyname1, temp_policyname2, temp_policyname3),\n ObjectType = \"Policy Rule\",\n temp_type = replace_regex(coalesce(temp_type1, temp_type2, temp_type3), @'[is,was]* (\\S+)', @'\\1'),\n OldValue = temp_policyname2,\n AdditionalFields = bag_pack(\"policy id\", coalesce(temp_policyid1, temp_policyid2, temp_policyid3))\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = iff(isnotempty(temp_type2), strcat(\"Policy \", Object, \" \", temp_type, \" and renamed to \", NewValue), strcat(\"Policy \", Object, \" \", temp_type));\n let Changed = allData\n | where description_s startswith \"Changed policy\"\n | parse description_s with temp_operation_s: string \" to \" NewValue: string \")\" * \"device(s): \" temp_deviceid_s: string \n | extend\n EventType = \"Set\",\n Operation = strcat(temp_operation_s, \" to \", NewValue),\n Object = NewValue,\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let ParamsUpdated = allData\n | where description_s startswith \"Parameters updated\"\n | parse description_s with \"Parameters updated for \" temp_config1: string \" (ID: \" temp_configid1: string \") for policy \" temp_policyname1: string \" (ID: \" temp_policyid1: string \")\" temp_restmessage1: string\n | parse description_s with \"Parameters updated for \" temp_config2: string \" (ID: \" temp_configid2: string \") for policy with ID \" temp_policyid2: string\n | extend\n temp_operation = coalesce(temp_config1, temp_config2),\n temp_configid = coalesce(temp_configid1, temp_configid2)\n | extend\n EventType = \"Set\", \n Operation = strcat(\"Parameters updated for \", temp_operation, \" for policy \", 
temp_policyname1, tostring(split(temp_policyid2, \"{\")[0])),\n Object = strcat(\"Policy \", coalesce(temp_policyname1, temp_policyid2)),\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"config id\", temp_configid);\n let Reputation = allData\n | where description_s has_cs \"Reputation\"\n | parse description_s with \"User \" * \" \" temp_type1: string \" Reputation\" * \" for Organization ID \" temp_orgid1: string \" of type \" temp_reptype1: string \" to \" temp_list1: string \" with content: \" temp_content1: string \" | \" temp_restmessage1: string\n | parse description_s with \"User \" * \" \" temp_type2: string \" Reputation\" * \" for Organization ID \" temp_orgid2: string \": \" temp_content2: string \" | \" temp_restmessage2: string\n | extend\n temp_type = coalesce(temp_type1, temp_type2),\n Object = iff(isnotempty(temp_reptype1), strcat(\"Reputation Override of type \", temp_reptype1), \"Reputation Override\"),\n ObjectType = \"Configuration Atom\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" \", Object),\n ActorScopeId = coalesce(temp_orgid1, temp_orgid2),\n AdditionalFields = bag_pack(\"reputation value\", coalesce(temp_content1, temp_content2));\n let PolicyUpdateApplied = allData\n | where description_s has \"Policy update applied\"\n | parse description_s with * \"policy to \" Object: string\n | extend\n EventType = \"Set\",\n Operation = \"Policy update applied\",\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\"\n ;\n let auto_deletion = allData\n | where description_s has_all (\"auto-deletion\", \"devices\")\n | parse description_s with TargetFQDN: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"auto-deletion\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Hash_Deleted = allData\n | where description_s startswith \"Hash - \"\n | parse description_s 
with \"Hash - \" HashName_s: string \" \" * \"on device \" TargetFQDN: string\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Request\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\";\n let Failure_Deleting_Hash = allData\n | where description_s startswith \"Failure deleting hash\"\n | parse description_s with \"Failure deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Failure\";\n let Delete_Hash = allData\n | where description_s startswith \"Delete Hash\"\n | parse description_s with \"Delete Hash \" HashName_s: string \" \" * \"device(s): \" temp_deviceid_s: string\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let Success_Deleting_Hash = allData\n | where description_s startswith \"Success deleting hash\"\n | parse description_s with \"Success deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Success\";\n let DeviceUninstalled = allData\n | where description_s has_all (\"Device\", \"uninstalled\")\n | parse description_s with \"Device \" TargetFQDN: string \" with deviceId \" TargetDvcId: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = 
\"Uninstall\",\n Operation = \"Uninstall\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let DeviceReset = allData\n | where description_s startswith (\"Device reset requested\")\n | parse description_s with \"Device reset requested on device \" TargetDvcId: string\n | extend \n EventType = \"Set\",\n Operation = \"Device reset\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let CreateOrModifyPolicy = allData\n | where description_s startswith \"Request received to\"\n | parse description_s with * \"policy \" Object: string\n | extend\n EventType = case(\n description_s has \"modify policy\",\n \"Set\", \n description_s has \"create new policy\",\n \"Create\",\n \"\"\n ),\n Operation = case(\n description_s has \"modify policy\",\n \"modify policy\", \n description_s has \"create new policy\",\n \"create new policy\",\n \"\"\n ),\n Object = replace_string(Object, \"- \", \"\"),\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\";\n let LogsRequested = allData\n | where description_s startswith (\"Logs requested\")\n | parse description_s with \"Logs requested for device \" TargetDvcId: string\n | extend \n EventType = \"Read\",\n Operation = \"Logs requested\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Re_Registration = allData\n | where description_s startswith \"Re-registration of device\"\n | parse description_s with \"Re-registration of device\" TargetFQDN: string \" of \" TargetDvcId: string \" device completed\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Enable\",\n Operation = \"Re-registration of device\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n union\n Enabled,\n Set,\n AlertNotify,\n CustomRole,\n Policy,\n Changed,\n ParamsUpdated,\n Reputation,\n 
PolicyUpdateApplied,\n auto_deletion,\n Hash_Deleted,\n Failure_Deleting_Hash,\n Delete_Hash,\n Success_Deleting_Hash,\n DeviceUninstalled,\n DeviceReset,\n CreateOrModifyPolicy,\n LogsRequested,\n Re_Registration\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventSeverity = coalesce(EventSeverity1, \"Informational\"),\n AdditionalFields = bag_merge(AdditionalFields, bag_pack(\"flagged\", flagged_b, \"request url\", requestUrl_s))\n | extend\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventVendor = \"VMware\",\n EventResult = iif(isnotempty(EventResult), EventResult, \"Success\"),\n EventCount = int(1)\n | project-rename\n ActorUsername = loginName_s,\n EventUid = _ItemId,\n SrcIpAddr = clientIp_s,\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n ActorScope = orgName_s\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n User = ActorUsername,\n Value = NewValue,\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | project-away \n *_s,\n *_d,\n *_b,\n temp*,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ResourceId,\n name,\n EventSeverity1\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventVMwareCarbonBlackCloud", + "query": "let EventTypeLookup = datatable(temp_type: string, EventType: string)[\n\"created\", \"Create\",\n\"updated\", \"Set\",\n\"deleted\", \"Delete\",\n\"added\", \"Create\",\n\"modified\", \"Set\"\n];\nlet parser = (disabled: bool=false) 
{\n let allData = CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where not(description_s has_any (\"logged in\", \"login\"));\n let Enabled = allData\n | where description_s has_cs \"Enabled\"\n | parse description_s with \"Enabled \" temp_object1: string \" in policy \" temp_restmessage1: string\n | parse description_s with \"Enabled \" temp_object2: string \" with \" temp_restmessage2: string\n | parse description_s with temp_object3: string \" Enabled \" temp_restmessage3: string\n | extend\n EventType = \"Enable\",\n Operation = description_s,\n Object = coalesce(temp_object1, temp_object2, temp_object3),\n ObjectType = iff(description_s has \"policy\", \"Policy Rule\", \"Configuration Atom\"),\n EventSeverity1 = iff(description_s has \"Sensor Bypass\", \"Low\", \"Informational\");\n let Set = allData\n | where description_s startswith \"Set\"\n | parse description_s with \"Set \" temp_field_s: string \" to \" NewValue: string \" for device(s): \" temp_deviceid_s: string\n | parse temp_deviceid_s with TargetFQDN: string \" (ID: \" TargetDvcId: string \")\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n Object = temp_field_s,\n EventType = \"Set\",\n Operation = strcat(\"Set \", temp_field_s, \" to \", NewValue),\n ObjectType = \"Configuration Atom\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s);\n let AlertNotify = allData\n | where description_s has \"alert notification\"\n | parse-kv description_s as (name: string) with (pair_delimiter=\" \", kv_delimiter=\":\")\n | parse description_s with temp_type: string \" alert notification \" temp_restmessage: string\n | extend\n Operation = strcat(temp_type, \" alert notification\"),\n temp_type = tolower(temp_type),\n Object = coalesce(name, \"alert notification\"),\n ObjectType = \"Service\"\n | lookup EventTypeLookup on temp_type;\n let CustomRole = allData\n | where description_s has \"custom role\"\n | parse description_s with temp_type1: string \" custom role \" temp_rolename1: 
string \" (psc:role:\" temp_roleid1: string \")\" temp_restmessage1: string \n | parse description_s with * \" role \" temp_rolename2: string \" (psc:role:\" temp_roleid2: string \") \" temp_type2: string \" with\" temp_restmessage2: string\n | extend\n temp_type = tolower(coalesce(temp_type1, temp_type2)),\n Object = coalesce(temp_rolename1, temp_rolename2),\n ObjectType = \"Other\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" custom role \", Object),\n AdditionalFields = bag_pack(\"role id\", coalesce(temp_roleid1, temp_roleid2));\n let Policy = allData\n | where description_s startswith \"Policy\"\n | parse description_s with \"Policy \" temp_policyname1: string \" (ID: \" temp_policyid1 \") \" temp_type1: string \" successfully\"\n | parse description_s with \"Policy \" temp_policyname2: string \" (ID: \" temp_policyid2: string \") \" temp_type2: string \" and renamed to \" NewValue: string \" (ID: \" temp_restmessage2: string\n | parse description_s with \"Policy \" temp_policyname3: string \" (ID: \" temp_policyid3 \") \" temp_type3: string\n | extend\n Object = coalesce(temp_policyname1, temp_policyname2, temp_policyname3),\n ObjectType = \"Policy Rule\",\n temp_type = replace_regex(coalesce(temp_type1, temp_type2, temp_type3), @'[is,was]* (\\S+)', @'\\1'),\n OldValue = temp_policyname2,\n AdditionalFields = bag_pack(\"policy id\", coalesce(temp_policyid1, temp_policyid2, temp_policyid3))\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = iff(isnotempty(temp_type2), strcat(\"Policy \", Object, \" \", temp_type, \" and renamed to \", NewValue), strcat(\"Policy \", Object, \" \", temp_type));\n let Changed = allData\n | where description_s startswith \"Changed policy\"\n | parse description_s with temp_operation_s: string \" to \" NewValue: string \")\" * \"device(s): \" temp_deviceid_s: string \n | extend\n EventType = \"Set\",\n Operation = strcat(temp_operation_s, \" to \", NewValue),\n Object = 
NewValue,\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let ParamsUpdated = allData\n | where description_s startswith \"Parameters updated\"\n | parse description_s with \"Parameters updated for \" temp_config1: string \" (ID: \" temp_configid1: string \") for policy \" temp_policyname1: string \" (ID: \" temp_policyid1: string \")\" temp_restmessage1: string\n | parse description_s with \"Parameters updated for \" temp_config2: string \" (ID: \" temp_configid2: string \") for policy with ID \" temp_policyid2: string\n | extend\n temp_operation = coalesce(temp_config1, temp_config2),\n temp_configid = coalesce(temp_configid1, temp_configid2)\n | extend\n EventType = \"Set\", \n Operation = strcat(\"Parameters updated for \", temp_operation, \" for policy \", temp_policyname1, tostring(split(temp_policyid2, \"{\")[0])),\n Object = strcat(\"Policy \", coalesce(temp_policyname1, temp_policyid2)),\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"config id\", temp_configid);\n let Reputation = allData\n | where description_s has_cs \"Reputation\"\n | parse description_s with \"User \" * \" \" temp_type1: string \" Reputation\" * \" for Organization ID \" temp_orgid1: string \" of type \" temp_reptype1: string \" to \" temp_list1: string \" with content: \" temp_content1: string \" | \" temp_restmessage1: string\n | parse description_s with \"User \" * \" \" temp_type2: string \" Reputation\" * \" for Organization ID \" temp_orgid2: string \": \" temp_content2: string \" | \" temp_restmessage2: string\n | extend\n temp_type = coalesce(temp_type1, temp_type2),\n Object = iff(isnotempty(temp_reptype1), strcat(\"Reputation Override of type \", temp_reptype1), \"Reputation Override\"),\n ObjectType = \"Configuration Atom\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" \", 
Object),\n ActorScopeId = coalesce(temp_orgid1, temp_orgid2),\n AdditionalFields = bag_pack(\"reputation value\", coalesce(temp_content1, temp_content2));\n let PolicyUpdateApplied = allData\n | where description_s has \"Policy update applied\"\n | parse description_s with * \"policy to \" Object: string\n | extend\n EventType = \"Set\",\n Operation = \"Policy update applied\",\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\"\n ;\n let auto_deletion = allData\n | where description_s has_all (\"auto-deletion\", \"devices\")\n | parse description_s with TargetFQDN: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"auto-deletion\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Hash_Deleted = allData\n | where description_s startswith \"Hash - \"\n | parse description_s with \"Hash - \" HashName_s: string \" \" * \"on device \" TargetFQDN: string\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Request\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\";\n let Failure_Deleting_Hash = allData\n | where description_s startswith \"Failure deleting hash\"\n | parse description_s with \"Failure deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Failure\";\n let Delete_Hash = allData\n | where description_s startswith \"Delete Hash\"\n | parse description_s with \"Delete Hash \" HashName_s: string \" \" * \"device(s): \" temp_deviceid_s: string\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n 
OriginalObjectType = \"Hash\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let Success_Deleting_Hash = allData\n | where description_s startswith \"Success deleting hash\"\n | parse description_s with \"Success deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Success\";\n let DeviceUninstalled = allData\n | where description_s has_all (\"Device\", \"uninstalled\")\n | parse description_s with \"Device \" TargetFQDN: string \" with deviceId \" TargetDvcId: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Uninstall\",\n Operation = \"Uninstall\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let DeviceReset = allData\n | where description_s startswith (\"Device reset requested\")\n | parse description_s with \"Device reset requested on device \" TargetDvcId: string\n | extend \n EventType = \"Set\",\n Operation = \"Device reset\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let CreateOrModifyPolicy = allData\n | where description_s startswith \"Request received to\"\n | parse description_s with * \"policy \" Object: string\n | extend\n EventType = case(\n description_s has \"modify policy\",\n \"Set\", \n description_s has \"create new policy\",\n \"Create\",\n \"\"\n ),\n Operation = case(\n description_s has \"modify policy\",\n \"modify policy\", \n description_s has \"create new policy\",\n \"create new policy\",\n \"\"\n ),\n Object = replace_string(Object, \"- \", \"\"),\n ObjectType = \"Policy Rule\",\n OriginalObjectType = 
\"Policy\";\n let LogsRequested = allData\n | where description_s startswith (\"Logs requested\")\n | parse description_s with \"Logs requested for device \" TargetDvcId: string\n | extend \n EventType = \"Read\",\n Operation = \"Logs requested\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Re_Registration = allData\n | where description_s startswith \"Re-registration of device\"\n | parse description_s with \"Re-registration of device\" TargetFQDN: string \" of \" TargetDvcId: string \" device completed\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Enable\",\n Operation = \"Re-registration of device\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n union\n Enabled,\n Set,\n AlertNotify,\n CustomRole,\n Policy,\n Changed,\n ParamsUpdated,\n Reputation,\n PolicyUpdateApplied,\n auto_deletion,\n Hash_Deleted,\n Failure_Deleting_Hash,\n Delete_Hash,\n Success_Deleting_Hash,\n DeviceUninstalled,\n DeviceReset,\n CreateOrModifyPolicy,\n LogsRequested,\n Re_Registration\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventSeverity = coalesce(EventSeverity1, \"Informational\"),\n AdditionalFields = bag_merge(AdditionalFields, bag_pack(\"flagged\", flagged_b, \"request url\", requestUrl_s))\n | extend\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventVendor = \"VMware\",\n EventResult = iif(isnotempty(EventResult), EventResult, \"Success\"),\n EventCount = int(1)\n | project-rename\n ActorUsername = loginName_s,\n EventUid = _ItemId,\n SrcIpAddr = clientIp_s,\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n ActorScope = orgName_s\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), 
\"Other\", \"\"),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n User = ActorUsername,\n Value = NewValue,\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | project-away \n *_s,\n *_d,\n *_b,\n temp*,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ResourceId,\n name,\n EventSeverity1\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json index 1cac4446d1a..da4763366fa 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuditEventVectraXDRAudit')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuditEventVectraXDRAudit", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Vectra XDR Audit Logs Event", - "category": "ASIM", - "FunctionAlias": "ASimAuditEventVectraXDRAudit", - "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = \"Other\",\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } 
- } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventVectraXDRAudit", + "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = \"Other\",\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json b/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json index 312bc6857ec..68deeacbfbb 100644 --- a/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json +++ b/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json 
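Review bot: The Vectra query carried into the flattened savedSearches resource maps the actor's address to the device alias, `Dvc = source_ip_s`, and never sets SrcIpAddr, so the ASIM source-IP fields (and any srcipaddr_has_any_prefix filtering at the unifying-parser level, which this change does not pass to the Vectra parser) cannot see it. If source_ip_s is the client address of the acting user, as the name suggests, it belongs in `SrcIpAddr = source_ip_s` in the project-rename, with `Src = SrcIpAddr, IpAddr = SrcIpAddr` added to the extend, as the Carbon Black parser in this same change does; Dvc should then be left for the reporting device. The template restructuring itself looks fine; this only concerns the query string the commit carries over unchanged.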
@@ -178,6 +178,46 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventIllumioSaaSCore",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventInfobloxBloxOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
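Review bot: The two new linked deployments fetch their templates from `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/...`, a mutable branch, so what gets deployed is whatever master holds at deploy time rather than the content reviewed with this commit; the `contentVersion` check only compares the declared version string, not the template body. If reproducible or auditable deployments matter, pin the `uri` to a release tag or commit SHA, e.g. `https://raw.githubusercontent.com/Azure/Azure-Sentinel/<sha>/Parsers/ASimAuditEvent/ARM/...`. This follows the pattern of the existing entries in the file, so it is a file-wide decision rather than something introduced only here.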
@@ -498,6 +538,46 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventIllumioSaaSCore",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventInfobloxBloxOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json b/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
index 25f572416b7..a7956316c4d 100644
--- a/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imAuditEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imAuditEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit event ASIM filtering parser.", - "category": "ASIM", - "FunctionAlias": "imAuditEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimAuditEvent')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty,\n vimAuditEventMicrosoftExchangeAdmin365 (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers)))),\n vimAuditEventMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in 
(DisabledParsers)))),\n vimAuditEventMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimAuditEventMicrosoftEvent (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftEvents' in (DisabledParsers)))),\n vimAuditEventAzureActivity (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))),\n vimAuditEventCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers)))),\n vimAuditEventCiscoMerakiSyslog (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, 
newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMerakiSyslog' in (DisabledParsers)))),\n vimAuditEventBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers)))),\n vimAuditEventBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaCEF' in (DisabledParsers)))),\n vimAuditEventCiscoISE (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoISE' in (DisabledParsers)))),\n vimAuditEventVectraXDRAudit (starttime=starttime, endtime=endtime, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVectraXDRAudit' in (DisabledParsers)))),\n vimAuditEventSentinelOne (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))),\n vimAuditEventCrowdStrikeFalconHost(starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCrowdStrikeFalconHost' in (DisabledParsers)))),\n vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))))\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit event ASIM filtering parser.", + "category": "ASIM", + "FunctionAlias": "imAuditEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimAuditEvent')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty,\n vimAuditEventMicrosoftExchangeAdmin365 (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, 
object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers)))),\n vimAuditEventMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimAuditEventMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimAuditEventMicrosoftEvent (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftEvents' in (DisabledParsers)))),\n vimAuditEventAzureActivity (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))),\n vimAuditEventCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, 
eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers)))),\n vimAuditEventCiscoMerakiSyslog (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMerakiSyslog' in (DisabledParsers)))),\n vimAuditEventBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers)))),\n vimAuditEventBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaCEF' in (DisabledParsers)))),\n vimAuditEventCiscoISE (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoISE' in (DisabledParsers)))),\n vimAuditEventVectraXDRAudit (starttime=starttime, endtime=endtime, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=(BuiltInDisabled or 
('ExcludevimAuditEventVectraXDRAudit' in (DisabledParsers)))),\n vimAuditEventSentinelOne (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))),\n vimAuditEventCrowdStrikeFalconHost(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCrowdStrikeFalconHost' in (DisabledParsers)))),\n vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))),\n vimAuditEventInfbloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult,operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers)))),\n vimAuditEventIllumioSaaSCore(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, 
object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventIllumioSaaSCore' in (DisabledParsers))))\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventAzureAdminActivity/vimAuditEventAzureAdminActivity.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventAzureAdminActivity/vimAuditEventAzureAdminActivity.json index 8858e09deff..c47a9bac814 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventAzureAdminActivity/vimAuditEventAzureAdminActivity.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventAzureAdminActivity/vimAuditEventAzureAdminActivity.json 
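Review bot: The new union member is spelled `vimAuditEventInfbloxBloxOne` (with watchlist key `ExcludevimAuditEventInfbloxBloxOne`), while the deployment this same change adds for that parser is named `vimAuditEventInfobloxBloxOne`; because the union runs with `isfuzzy=true`, a function name that does not resolve is silently dropped rather than raising an error, so a mismatched alias would mean imAuditEvent returns no Infoblox audit events and nothing flags it. Unless the parser's FunctionAlias really is spelled "Infblox", change the two references to `vimAuditEventInfobloxBloxOne(starttime=starttime, endtime=endtime, ...` and `('ExcludevimAuditEventInfobloxBloxOne' in (DisabledParsers))`. Secondary style point: this entry orders its arguments differently from every other member and drops the space after `eventresult=eventresult,`; matching the others keeps the list easy to diff and scan.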
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventAzureActivity')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventAzureActivity", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Azure administrative activity", - "category": "ASIM", - "FunctionAlias": "vimAuditEventAzureActivity", - "query": "let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ){\n let AzureActivityOperationLookup = datatable (op:string, EventType:string) \n [\n 'ACTION', 'Execute',\n 'WRITE', 'Set',\n 'DELETE', 'Delete'\n ];\n let AzureActivityStatusLookup = datatable (ActivityStatusValue:string, ActivitySubstatusValue:string, EventResult:string, EventResultDetails:string) \n [\n \"Accept\",\"Accepted\",\"Success\",\"\",\n \"Accept\",\"Created\",\"Success\",\"\",\n \"Accept\",\"OK\",\"Success\",\"\",\n \"Accept\",\"\",\"Success\",\"\",\n \"Accepted\",\"\",\"Success\",\"\",\n \"Active\",\"\",\"Success\",\"Active\",\n \"Failed\",\"\",\"Failure\",\"\",\n \"Failure\",\"BadRequest\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Conflict\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n 
\"Failure\",\"InternalServerError\",\"Failure\",\"Internal error\",\n \"Failure\",\"MethodNotAllowed\",\"Failure\",\"Bad Request\",\n \"Failure\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failure\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"\",\"Failure\",\"\",\n \"In Progress\",\"\",\"Success\",\"In Progress\",\n \"Resolved\",\"\",\"Success\",\"\",\n \"Start\",\"\",\"Success\",\"Start\",\n \"Started\",\"\",\"Success\",\"Start\",\n \"Succeeded\",\"\",\"Success\",\"\",\n \"Success\",\"Created\",\"Success\",\"\",\n \"Success\",\"NoContent\",\"Success\",\"\",\n \"Success\",\"OK\",\"Success\",\"\",\n \"Success\",\"\",\"Success\",\"\",\n \"Updated\",\"\",\"Success\",\"\",\n \"Succeeded\",\"OK\",\"Success\",\"\",\n \"Accepted\",\"Accepted\",\"Success\",\"\",\n \"Accepted\",\"OK\",\"Success\",\"\",\n \"Failed\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Succeeded\",\"Created\",\"Success\",\"\",\n \"Failed\",\"BadRequest\",\"Failure\",\"Bad request\",\n \"Accepted\",\"Created\",\"Success\",\"\",\n \"Failed\",\"Conflict\",\"Failure\",\"Bad request\",\n \"Failed\",\"MethodNotAllowed\",\"Failure\",\"Bad request\",\n \"Failure\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Succeeded\",\"NoContent\",\"Success\",\"\",\n \"Failure\",\"ServiceUnavailable\",\"Failure\",\"Internal error\",\n \"Failure\",\"GatewayTimeout\",\"Failure\",\"Internal error\",\n \"Failed\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failed\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Failure\",\"UnsupportedMediaType\",\"Failure\",\"Bad request\",\n \"Failed\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Cancel\",\"\",\"Failure\",\"Cancelled\"\n ];\n AzureActivity \n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(newvalue_has_any) == 0)\n | where CategoryValue == \"Administrative\"\n | project-away HTTPRequest, Level, SourceSystem, EventSubmissionTimestamp, 
TenantId, OperationId, Hierarchy, Category, ResourceId, ResourceProvider, Resource\n | where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(CallerIpAddress,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or Caller has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or OperationNameValue has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Properties has_any (object_has_any))\n // --\n // Calculate and filter by EventType\n | extend op = toupper(tostring(split(OperationNameValue,\"/\")[-1]))\n | lookup AzureActivityOperationLookup on op\n | extend EventType = iff (EventType == \"\", \"Other\", EventType)\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | project-away op\n // --\n // Calculate EventResult, EventResultDetails, and EventResultOriginalDetails\n | extend\n EventOriginalResultDetails = strcat (\n ActivityStatusValue, \n iff (ActivitySubstatusValue !=\"\", strcat(' [', ActivitySubstatusValue, ']'), \"\")\n )\n | extend \n ActivitySubstatusValue = iff (ActivitySubstatusValue matches regex \"\\\\d+\", \"\", ActivitySubstatusValue)\n | lookup AzureActivityStatusLookup on ActivityStatusValue, ActivitySubstatusValue\n | extend EventResult = iff(EventResult == \"\", \"Other\", EventResult)\n | where eventresult == \"*\" or (EventResult == eventresult) // Not optimized\n | extend EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n | project-away ActivityStatus*, ActivitySubstatus* // \n | project-rename \n Operation = OperationNameValue,\n SrcIpAddr = CallerIpAddress,\n EventOriginalUid = EventDataId,\n ActorSessionId = CorrelationId,\n EventOriginalType = CategoryValue\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Azure',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n ObjectType = \"Cloud 
Resource\",\n TargetAppName = \"Azure\",\n TargetAppType = \"CSP\"\n // --\n // Calculate Actor\n | extend \n Caller = iff(Caller == \"Microsoft.RecoveryServices\", \"\", Caller)\n | extend \n ActorUsernameType = iff (Caller has \"@\", \"UPN\", \"\")\n | extend \n ActorUsername = iff (ActorUsernameType == \"UPN\", Caller, \"\"),\n ActorUserId = iff (ActorUsernameType != \"UPN\", Caller, \"\")\n | extend\n ActorUserIdType = iff (ActorUserId != \"\", \"AADID\", \"\")\n | project-away Caller\n // --\n // Calculate Object\n | extend \n entity = tostring(Properties_d.entity), \n resource = tostring(Properties_d.resource),\n entity_name = tostring(Properties_d.[\"Entity Name\"])\n | extend Object = case ( \n entity != \"\", entity,\n strcat (\"/subscriptions/\", SubscriptionId, \"/resourceGroups/\", ResourceGroup, \"/providers/\", ResourceProviderValue, \"/\",resource, iff (entity_name != \"\", strcat(\"/\", entity_name), \"\"))\n )\n | project-away entity, resource,entity_name, _SubscriptionId, SubscriptionId, ResourceGroup, ResourceProviderValue\n // Aliases\n | extend AdditionalFields = pack_dictionary(\"Authorization\", Authorization_d, \"Claims\", Claims_d, \"Error\", Properties_d.statusMessage)\n // -- Aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = SrcIpAddr,\n // -- Entity identifier explicit aliases\n ActorUserUpn = ActorUsername,\n ActorUserAadId = ActorUserId\n | project-away OperationName, Properties*, Authorization*, Claims*\n // -- Properties*\n};\nparser\n(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Azure administrative activity", + "category": "ASIM", + "FunctionAlias": "vimAuditEventAzureActivity", + "query": "let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ){\n let AzureActivityOperationLookup = datatable (op:string, EventType:string) \n [\n 'ACTION', 'Execute',\n 'WRITE', 'Set',\n 'DELETE', 'Delete'\n ];\n let AzureActivityStatusLookup = datatable (ActivityStatusValue:string, ActivitySubstatusValue:string, EventResult:string, EventResultDetails:string) \n [\n \"Accept\",\"Accepted\",\"Success\",\"\",\n \"Accept\",\"Created\",\"Success\",\"\",\n \"Accept\",\"OK\",\"Success\",\"\",\n \"Accept\",\"\",\"Success\",\"\",\n \"Accepted\",\"\",\"Success\",\"\",\n \"Active\",\"\",\"Success\",\"Active\",\n \"Failed\",\"\",\"Failure\",\"\",\n \"Failure\",\"BadRequest\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Conflict\",\"Failure\",\"Bad Request\",\n \"Failure\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"InternalServerError\",\"Failure\",\"Internal error\",\n \"Failure\",\"MethodNotAllowed\",\"Failure\",\"Bad Request\",\n \"Failure\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failure\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Failure\",\"\",\"Failure\",\"\",\n \"In 
Progress\",\"\",\"Success\",\"In Progress\",\n \"Resolved\",\"\",\"Success\",\"\",\n \"Start\",\"\",\"Success\",\"Start\",\n \"Started\",\"\",\"Success\",\"Start\",\n \"Succeeded\",\"\",\"Success\",\"\",\n \"Success\",\"Created\",\"Success\",\"\",\n \"Success\",\"NoContent\",\"Success\",\"\",\n \"Success\",\"OK\",\"Success\",\"\",\n \"Success\",\"\",\"Success\",\"\",\n \"Updated\",\"\",\"Success\",\"\",\n \"Succeeded\",\"OK\",\"Success\",\"\",\n \"Accepted\",\"Accepted\",\"Success\",\"\",\n \"Accepted\",\"OK\",\"Success\",\"\",\n \"Failed\",\"Forbidden\",\"Failure\",\"Unauthorized\",\n \"Succeeded\",\"Created\",\"Success\",\"\",\n \"Failed\",\"BadRequest\",\"Failure\",\"Bad request\",\n \"Accepted\",\"Created\",\"Success\",\"\",\n \"Failed\",\"Conflict\",\"Failure\",\"Bad request\",\n \"Failed\",\"MethodNotAllowed\",\"Failure\",\"Bad request\",\n \"Failure\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Succeeded\",\"NoContent\",\"Success\",\"\",\n \"Failure\",\"ServiceUnavailable\",\"Failure\",\"Internal error\",\n \"Failure\",\"GatewayTimeout\",\"Failure\",\"Internal error\",\n \"Failed\",\"NotFound\",\"Failure\",\"Not found\",\n \"Failed\",\"BadGateway\",\"Failure\",\"Bad request\",\n \"Failure\",\"UnsupportedMediaType\",\"Failure\",\"Bad request\",\n \"Failed\",\"Unauthorized\",\"Failure\",\"Unauthorized\",\n \"Cancel\",\"\",\"Failure\",\"Cancelled\"\n ];\n AzureActivity \n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(newvalue_has_any) == 0)\n | where CategoryValue == \"Administrative\"\n | project-away HTTPRequest, Level, SourceSystem, EventSubmissionTimestamp, TenantId, OperationId, Hierarchy, Category, ResourceId, ResourceProvider, Resource\n | where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(CallerIpAddress,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or Caller has_any 
(actorusername_has_any))\n and (array_length(operation_has_any) == 0 or OperationNameValue has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Properties has_any (object_has_any))\n // --\n // Calculate and filter by EventType\n | extend op = toupper(tostring(split(OperationNameValue,\"/\")[-1]))\n | lookup AzureActivityOperationLookup on op\n | extend EventType = iff (EventType == \"\", \"Other\", EventType)\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | project-away op\n // --\n // Calculate EventResult, EventResultDetails, and EventResultOriginalDetails\n | extend\n EventOriginalResultDetails = strcat (\n ActivityStatusValue, \n iff (ActivitySubstatusValue !=\"\", strcat(' [', ActivitySubstatusValue, ']'), \"\")\n )\n | extend \n ActivitySubstatusValue = iff (ActivitySubstatusValue matches regex \"\\\\d+\", \"\", ActivitySubstatusValue)\n | lookup AzureActivityStatusLookup on ActivityStatusValue, ActivitySubstatusValue\n | extend EventResult = iff(EventResult == \"\", \"Other\", EventResult)\n | where eventresult == \"*\" or (EventResult == eventresult) // Not optimized\n | extend EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n | project-away ActivityStatus*, ActivitySubstatus* // \n | project-rename \n Operation = OperationNameValue,\n SrcIpAddr = CallerIpAddress,\n EventOriginalUid = EventDataId,\n ActorSessionId = CorrelationId,\n EventOriginalType = CategoryValue\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Azure',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n ObjectType = \"Cloud Resource\",\n TargetAppName = \"Azure\",\n TargetAppType = \"CSP\"\n // --\n // Calculate Actor\n | extend \n Caller = iff(Caller == \"Microsoft.RecoveryServices\", \"\", Caller)\n | extend \n ActorUsernameType = iff (Caller has \"@\", \"UPN\", \"\")\n | extend \n ActorUsername = iff 
(ActorUsernameType == \"UPN\", Caller, \"\"),\n ActorUserId = iff (ActorUsernameType != \"UPN\", Caller, \"\")\n | extend\n ActorUserIdType = iff (ActorUserId != \"\", \"AADID\", \"\")\n | project-away Caller\n // --\n // Calculate Object\n | extend \n entity = tostring(Properties_d.entity), \n resource = tostring(Properties_d.resource),\n entity_name = tostring(Properties_d.[\"Entity Name\"])\n | extend Object = case ( \n entity != \"\", entity,\n strcat (\"/subscriptions/\", SubscriptionId, \"/resourceGroups/\", ResourceGroup, \"/providers/\", ResourceProviderValue, \"/\",resource, iff (entity_name != \"\", strcat(\"/\", entity_name), \"\"))\n )\n | project-away entity, resource,entity_name, _SubscriptionId, SubscriptionId, ResourceGroup, ResourceProviderValue\n // Aliases\n | extend AdditionalFields = pack_dictionary(\"Authorization\", Authorization_d, \"Claims\", Claims_d, \"Error\", Properties_d.statusMessage)\n // -- Aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = SrcIpAddr,\n // -- Entity identifier explicit aliases\n ActorUserUpn = ActorUsername,\n ActorUserAadId = ActorUserId\n | project-away OperationName, Properties*, Authorization*, Claims*\n // -- Properties*\n};\nparser\n(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaCEF/vimAuditEventBarracudaCEF.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaCEF/vimAuditEventBarracudaCEF.json index 127468691a6..bfbbf59444d 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaCEF/vimAuditEventBarracudaCEF.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaCEF/vimAuditEventBarracudaCEF.json 
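Review bot: The resource name `[concat(parameters('Workspace'), '/vimAuditEventAzureActivity')]` and the `FunctionAlias` `vimAuditEventAzureActivity` in this hunk do not match the file name `vimAuditEventAzureAdminActivity.json`; the old nested resource carried the same alias, so the commit only preserves an existing inconsistency, but the rename to a flattened `workspaces/savedSearches` resource is the natural point to reconcile them. If the ARM templates under `Parsers/*/ARM/` are produced by the `convertKqlFunctionYamlToArmTemplate` workflow, as the trigger paths suggest, the correction belongs in the source YAML rather than in this generated file. Dropping the explicit `dependsOn` on the workspace is consistent with no longer declaring the workspace as a resource in the template, so no change is needed there.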
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimAuditEventBarracudaCEF", - "query": "let EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet 
parser = (\n disabled: bool=false,\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n newvalue_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]))\n {\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\" \n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n | extend\n Operation = ProcessName,\n EventResult = \"Success\"\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or DeviceCustomString1 has_any (newvalue_has_any))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string \n | extend Reason = trim(@'(\")', Reason)\n | extend \n EventResultDetails = Reason\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\n | extend EventType = EventType_lookup\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | extend \n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\n | extend\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = DeviceName, \n Operation = ProcessName,\n DvcIpAddr = DeviceAddress,\n NewValue = DeviceCustomString1,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n OldValue = DeviceCustomString2,\n 
DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n Object = FileName,\n EventUid = _ItemId,\n ThreatConfidence = toint(ThreatConfidence),\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n Src = SrcIpAddr,\n ActorUsernameType = iff(isnotempty(ActorUsername),\"Simple\",\"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue,\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value),\"Other\",\"\")\n | project-away\n EventType_lookup,\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,CollectorHostName,\n _ItemId;\n BarracudaCEF\n };\n parser(\n disabled=disabled,\n starttime=starttime,\n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n eventtype_in=eventtype_in,\n eventresult=eventresult,\n newvalue_has_any=newvalue_has_any,\n operation_has_any=operation_has_any\n )", - "version": 1, - "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',newvalue_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Barracuda 
WAF", + "category": "ASIM", + "FunctionAlias": "vimAuditEventBarracudaCEF", + "query": "let EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (\n disabled: bool=false,\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n newvalue_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]))\n {\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\" \n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= 
endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n | extend\n Operation = ProcessName,\n EventResult = \"Success\"\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or DeviceCustomString1 has_any (newvalue_has_any))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string \n | extend Reason = trim(@'(\")', Reason)\n | extend \n EventResultDetails = Reason\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\n | extend EventType = EventType_lookup\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | extend \n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\n | extend\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = DeviceName, \n Operation = ProcessName,\n DvcIpAddr = DeviceAddress,\n NewValue = DeviceCustomString1,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n OldValue = DeviceCustomString2,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n Object = FileName,\n EventUid = _ItemId,\n ThreatConfidence = toint(ThreatConfidence),\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n Src = SrcIpAddr,\n ActorUsernameType = iff(isnotempty(ActorUsername),\"Simple\",\"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue,\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value),\"Other\",\"\")\n | project-away\n EventType_lookup,\n 
ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,CollectorHostName,\n _ItemId;\n BarracudaCEF\n };\n parser(\n disabled=disabled,\n starttime=starttime,\n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n eventtype_in=eventtype_in,\n eventresult=eventresult,\n newvalue_has_any=newvalue_has_any,\n operation_has_any=operation_has_any\n )", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',newvalue_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json index c966eb9b2f0..7e4ef8ccfc2 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json 
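Review bot: The `displayName` `Audit Event ASIM parser for Barracuda WAF` on the new side of this hunk is the same string the next file (`vimAuditEventBarracudaWAF.json`) uses for the `vimAuditEventBarracudaWAF` function, so two distinct saved searches will be indistinguishable by display name in the workspace; something like `Audit Event ASIM filtering parser for Barracuda WAF (CEF)` would match the naming used by the Azure activity parser in the previous hunk, which calls the vim variant a "filtering parser". Separately, the query filters on `DeviceProduct == "WAF" or DeviceProduct == "WAAS"` but hard-codes `EventProduct = "WAF"`, so WAAS events are labelled as WAF; this predates the commit but is carried over verbatim. If these ARM files are generated from the parser YAML, both fixes should be made in the YAML source.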
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimAuditEventBarracudaWAF", - "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n ChangeType_s: string,\n CommandName_s: string,\n Severity_s: string,\n LoginIP_s: string,\n NewValue_s: string,\n HostIP_s: string,\n host_s: string,\n OldValue_s: string,\n EventMessage_s: string,\n AdminName_s: string,\n ObjectType_s: string,\n ObjectName_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n 
\"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (\n disabled: bool=false,\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n newvalue_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]))\n {\n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) \n | where LogType_s == \"AUDIT\" and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(LoginIP_s, srcipaddr_has_any_prefix))\n | extend\n Operation = CommandName_s,\n EventResult = \"Success\"\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue_s has_any (newvalue_has_any))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | extend\n EventResultDetails = Reason\n | lookup EventTypeLookup on ChangeType_s\n | extend EventType = EventType_lookup\n | where array_length(eventtype_in) == 0 or EventType in 
(eventtype_in)\n | extend \n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup ObjectTypeLookup on ObjectType_s\n | extend\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = UnitName_s,\n DvcIpAddr = HostIP_s,\n NewValue = NewValue_s,\n SrcIpAddr = LoginIP_s,\n EventMessage = EventMessage_s,\n OldValue = OldValue_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n Object = ObjectName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend\n Src = SrcIpAddr,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue,\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value),\"Other\",\"\")\n | project-away\n *_d,\n *_s,\n EventType_lookup,\n Reason,\n _ResourceId,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\n BarracudaCustom\n };\n parser(\n disabled=disabled,\n starttime=starttime,\n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n eventtype_in=eventtype_in,\n eventresult=eventresult,\n newvalue_has_any=newvalue_has_any,\n operation_has_any=operation_has_any\n )", - "version": 1, - "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',newvalue_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": 
"vimAuditEventBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n ChangeType_s: string,\n CommandName_s: string,\n Severity_s: string,\n LoginIP_s: string,\n NewValue_s: string,\n HostIP_s: string,\n host_s: string,\n OldValue_s: string,\n EventMessage_s: string,\n AdminName_s: string,\n ObjectType_s: string,\n ObjectName_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (\n disabled: bool=false,\n starttime: datetime=datetime(null),\n endtime: 
datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n newvalue_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]))\n {\n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) \n | where LogType_s == \"AUDIT\" and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(LoginIP_s, srcipaddr_has_any_prefix))\n | extend\n Operation = CommandName_s,\n EventResult = \"Success\"\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue_s has_any (newvalue_has_any))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | extend\n EventResultDetails = Reason\n | lookup EventTypeLookup on ChangeType_s\n | extend EventType = EventType_lookup\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | extend \n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup ObjectTypeLookup on ObjectType_s\n | extend\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = UnitName_s,\n DvcIpAddr = HostIP_s,\n NewValue = NewValue_s,\n SrcIpAddr = LoginIP_s,\n EventMessage = EventMessage_s,\n OldValue = OldValue_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n Object = ObjectName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n 
| extend\n Src = SrcIpAddr,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue,\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value),\"Other\",\"\")\n | project-away\n *_d,\n *_s,\n EventType_lookup,\n Reason,\n _ResourceId,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\n BarracudaCustom\n };\n parser(\n disabled=disabled,\n starttime=starttime,\n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n eventtype_in=eventtype_in,\n eventresult=eventresult,\n newvalue_has_any=newvalue_has_any,\n operation_has_any=operation_has_any\n )", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',newvalue_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json index 67a6342fc9d..44a72b29fa0 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json 
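Review bot: Nothing in the new resource records that the workspace named by `parameters('Workspace')` must already exist: the rewritten `"type": "Microsoft.OperationalInsights/workspaces/savedSearches"` with `"name": "[concat(parameters('Workspace'), '/vimAuditEventBarracudaWAF')]"` drops both the `dependsOn` and the parent `workspaces` resource, so a deployment into a resource group without that workspace now fails at the savedSearches PUT rather than creating anything. That is the better shape — the old nested form declared the workspace itself (apiVersion `2017-03-15-preview`, name and location only), so the deploying principal needed write on the workspace, whereas it now needs write only on `savedSearches` — but the precondition is implicit. Consider stating it in the `Workspace` parameter's `metadata.description` (outside this hunk), e.g. `"description": "Name of an existing Log Analytics workspace in the target resource group; this template does not create it."`. The same change and note apply to the vimAuditEventCiscoISE.json hunk that follows.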
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "vimAuditEventCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventType: string,\nEventResult: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nObject: string,\nOperation: string,\nEventMessage: string\n)[\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been deactivated and will no longer receive updates from the Primary node.\",\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE instance.\",\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", 
\"Registration failed\", \"Failed to perform the full replication requested by the primary instance\",\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE deployment\",\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary instance failed\",\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode 
from the primary instance\",\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\n\"52084\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Software update succeeded\", \"The software update was completed successfully\",\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\n\"60000\", \"Install\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Patch installation completed successfully on the node\", \"Patch installation completed successfully on the node\",\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch installation failed on the node\", \"Patch installation failed on the node\",\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment successfully\",\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial 
status of the heartbeat system\",\n\"60059\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with MnT\",\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", \"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated 
Profiles to download\",\n\"60083\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration change has occurred\",\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\n\"60087\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurence\",\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred 
for ADEOS CLI post-login banner\",\n\"60094\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed successfully\", \"ISE Backup has completed successfully\",\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE Restore has completed successfully\",\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", 
\"ISE instance\", \"Application patch remove has failed\", \"Application patch remove has failed\",\n\"60113\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI to copy file\",\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\n\"60129\", \"Other\", \"Failure\", 
\"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file out from ADEOS CLI\", \"Failure occurred trying to copy file out from ADEOS CLI\",\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has 
been modified\", \"Configuration change occurred for ADEOS CLI Terminal Session timeout\",\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event occurred\",\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", 
\"CA service enabled\", \"CA service enabled\",\n\"60210\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were purged\", \"Endpoint certs were purged by daily scheduled job\",\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\n\"61006\", \"Delete\", \"Success\", \"INFO\", 
\"Informational\", \"SGT\", \"ISE has removed an SGT due to deleted IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\n\"61016\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse VRF 
for EPG\",\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\n\"61052\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"IISE has learned a new VN info\",\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN info in ISE\",\n\"61107\", 
\"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to deleted VN info in ISE\", \"Failed to deleted VN info in ISE\",\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\n\"61114\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", \"Failed to delete ACI keystore\", \"Failed to delete 
ACI keystore\",\n\"61123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA domain\",\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\n\"61163\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE 
learned new VN defined for SXP Listener\", \"ISE learned new VN defined for SXP Listener\",\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", \"Send ACI Gateway advertisement message to ISE\",\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload 
failed\",\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Network Access policy request\", \"Network Access policy request\",\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\n\"62008\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector sync operation success\",\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", 
\"Meraki connector sync operation failure\", \"Meraki connector sync operation failure\",\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"\n];\nlet CiscoISEAuditParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventresult: string='*',\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]),\n object_has_any: dynamic=dynamic([]),\n newvalue_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | where (eventresult == \"*\" or eventresult == EventResult)\n and (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | summarize make_set(EventOriginalType));\nSyslog\n| where not(disabled)\n//***************************** **************************\n| where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n//***************************** *************************\n| where ProcessName has_any (\"CISE\", \"CSCO\")\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n| where EventOriginalType in (EventOriginalTypeList)\n| where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or SyslogMessage has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or SyslogMessage has_any (newvalue_has_any))\n| project\n 
TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n HostName,\n HostIP,\n SyslogMessage\n| lookup EventFieldsLookup on EventOriginalType\n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n| project-rename\n SrcIpAddr=['Remote-Address']\n , TargetIpAddr =['Device IP Address']\n| where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n| where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n| extend \n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer)) \n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"AuditEvent\"\n , EventSchemaVersion = \"0.1.0\"\n , ObjectType = \"Configuration Atom\"\n , TargetAppName = \"ISE\"\n , TargetAppType = \"Service\"\n// ***************** ********************\n| extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , Application = TargetAppName\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = ActorUsername\n// ***************** *******************\n| project-away\n EventTime,\n Computer,\n HostName,\n SyslogMessage,\n NetworkDeviceName,\n ['User-Name'],\n UserName\n};\nCiscoISEAuditParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = 
actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "vimAuditEventCiscoISE", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventType: string,\nEventResult: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nObject: string,\nOperation: string,\nEventMessage: string\n)[\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been deactivated and will no longer receive updates from the Primary node.\",\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE instance.\",\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", 
\"Registration failed\", \"Failed to perform the full replication requested by the primary instance\",\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE deployment\",\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary instance failed\",\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode 
from the primary instance\",\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\n\"52084\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Software update succeeded\", \"The software update was completed successfully\",\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\n\"60000\", \"Install\", \"Success\", \"NOTICE\", 
\"Informational\", \"Node\", \"Patch installation completed successfully on the node\", \"Patch installation completed successfully on the node\",\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch installation failed on the node\", \"Patch installation failed on the node\",\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment successfully\",\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial 
status of the heartbeat system\",\n\"60059\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with MnT\",\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", \"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated 
Profiles to download\",\n\"60083\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration change has occurred\",\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\n\"60087\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurence\",\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred 
for ADEOS CLI post-login banner\",\n\"60094\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed successfully\", \"ISE Backup has completed successfully\",\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE Restore has completed successfully\",\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", 
\"ISE instance\", \"Application patch remove has failed\", \"Application patch remove has failed\",\n\"60113\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI to copy file\",\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\n\"60129\", \"Other\", \"Failure\", 
\"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file out from ADEOS CLI\", \"Failure occurred trying to copy file out from ADEOS CLI\",\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has 
been modified\", \"Configuration change occurred for ADEOS CLI Terminal Session timeout\",\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event occurred\",\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", 
\"CA service enabled\", \"CA service enabled\",\n\"60210\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were purged\", \"Endpoint certs were purged by daily scheduled job\",\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\n\"61006\", \"Delete\", \"Success\", \"INFO\", 
\"Informational\", \"SGT\", \"ISE has removed an SGT due to deleted IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\n\"61016\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse VRF 
for EPG\",\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\n\"61052\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"IISE has learned a new VN info\",\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN info in ISE\",\n\"61107\", 
\"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to deleted VN info in ISE\", \"Failed to deleted VN info in ISE\",\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\n\"61114\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", \"Failed to delete ACI keystore\", \"Failed to delete 
ACI keystore\",\n\"61123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA domain\",\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\n\"61163\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE 
learned new VN defined for SXP Listener\", \"ISE learned new VN defined for SXP Listener\",\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", \"Send ACI Gateway advertisement message to ISE\",\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload 
failed\",\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Network Access policy request\", \"Network Access policy request\",\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\n\"62008\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector sync operation success\",\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", 
\"Meraki connector sync operation failure\", \"Meraki connector sync operation failure\",\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"\n];\nlet CiscoISEAuditParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventresult: string='*',\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]),\n object_has_any: dynamic=dynamic([]),\n newvalue_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | where (eventresult == \"*\" or eventresult == EventResult)\n and (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | summarize make_set(EventOriginalType));\nSyslog\n| where not(disabled)\n//***************************** **************************\n| where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n//***************************** *************************\n| where ProcessName has_any (\"CISE\", \"CSCO\")\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n| where EventOriginalType in (EventOriginalTypeList)\n| where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or SyslogMessage has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or SyslogMessage has_any (newvalue_has_any))\n| project\n 
TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n HostName,\n HostIP,\n SyslogMessage\n| lookup EventFieldsLookup on EventOriginalType\n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n| project-rename\n SrcIpAddr=['Remote-Address']\n , TargetIpAddr =['Device IP Address']\n| where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n| where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n| extend \n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer)) \n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"AuditEvent\"\n , EventSchemaVersion = \"0.1.0\"\n , ObjectType = \"Configuration Atom\"\n , TargetAppName = \"ISE\"\n , TargetAppType = \"Service\"\n// ***************** ********************\n| extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , Application = TargetAppName\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = ActorUsername\n// ***************** *******************\n| project-away\n EventTime,\n Computer,\n HostName,\n SyslogMessage,\n NetworkDeviceName,\n ['User-Name'],\n UserName\n};\nCiscoISEAuditParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = 
actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json index 5e2892d8927..ea949b61d9b 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimAuditEventCiscoMeraki", - "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP 
BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\nlet allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and array_length(newvalue_has_any) == 0\n and array_length(object_has_any) == 0\n and array_length(actorusername_has_any) == 0\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring 
with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend 
temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | lookup EventFieldsLookup on 
TempOperation\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", 
STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr 
= SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", - "version": 1, - "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimAuditEventCiscoMeraki", + "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process 
ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\nlet allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and array_length(newvalue_has_any) == 0\n and array_length(object_has_any) == 0\n and array_length(actorusername_has_any) == 0\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = 
extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = 
SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse 
Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | lookup EventFieldsLookup on TempOperation\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = 
iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n 
toint(port),\n int(null)\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMerakiSyslog/vimAuditEventCiscoMerakiSyslog.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMerakiSyslog/vimAuditEventCiscoMerakiSyslog.json index ea10486a776..9f941a8e541 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMerakiSyslog/vimAuditEventCiscoMerakiSyslog.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMerakiSyslog/vimAuditEventCiscoMerakiSyslog.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimAuditEventCiscoMerakiSyslog", - "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", 
\"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\nlet allData = union isfuzzy=true\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and array_length(newvalue_has_any) == 0\n and array_length(object_has_any) == 0\n and array_length(actorusername_has_any) == 0\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has 
\"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" 
for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, 
SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | lookup EventFieldsLookup on TempOperation\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex 
\"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | extend Device = 
tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", - "version": 1, - "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimAuditEventCiscoMerakiSyslog", + "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", 
\"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\nlet allData = union isfuzzy=true\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and array_length(newvalue_has_any) == 0\n and array_length(object_has_any) == 0\n and 
array_length(actorusername_has_any) == 0\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * 
\"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n 
| extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | lookup EventFieldsLookup on TempOperation\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", 
\"Failure\")), \"Disable\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), 
toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", + "version": 1, + "functionParameters": 
"disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCrowdStrikeFalconHost/vimAuditEventCrowdStrikeFalconHost.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventCrowdStrikeFalconHost/vimAuditEventCrowdStrikeFalconHost.json index cbec74f8dcf..1a8f88a04a5 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventCrowdStrikeFalconHost/vimAuditEventCrowdStrikeFalconHost.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCrowdStrikeFalconHost/vimAuditEventCrowdStrikeFalconHost.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventCrowdStrikeFalconHost')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventCrowdStrikeFalconHost", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for CrowdStrike Falcon Endpoint Protection", - "category": "ASIM", - "FunctionAlias": "vimAuditEventCrowdStrikeFalconHost", - "query": "let EventFieldsLookup = datatable(\n Activity: string,\n Operation: string,\n EventType_lookup: string,\n EventSubType: string,\n Object: string,\n ObjectType: string\n) \n [\n \"delete_report_execution\", \"Delete Report Execution\", \"Delete\", \"\", \"Report Execution\", \"Scheduled Task\",\n \"delete_scheduled_report\", \"Delete Scheduled Report\", \"Delete\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_scheduled_report\", \"Update Scheduled Report\", \"Set\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"create_scheduled_report\", \"Create Scheduled Report\", \"Create\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_class_action\", \"Update Class Action\", \"Set\", \"\", \"Class Action\", \"Other\",\n \"update_policy\", \"Update Policy\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"enable_policy\", \"Enable Policy\", \"Enable\", \"\", \"Policy\", \"Policy Rule\",\n \"create_policy\", \"Create Policy\", \"Create\", \"\", \"Policy\", \"Policy Rule\",\n \"remove_rule_group\", \"Remove Rule Group\", \"Other\", \"Remove\", \"Rule Group\", \"Service\",\n \"create_rule_group\", \"Create Rule Group\", 
\"Create\", \"\", \"Rule Group\", \"Service\",\n \"delete_rule_group\", \"Delete Rule Group\", \"Delete\", \"\", \"Rule Group\", \"Service\",\n \"add_rule_group\", \"Add Rule Group\", \"Other\", \"Add\", \"Rule Group\", \"Service\",\n \"delete_rule\", \"Delete Rule\", \"Delete\", \"\", \"Rule\", \"Policy Rule\",\n \"update_rule\", \"Update Rule\", \"Set\", \"\", \"Rule\", \"Policy Rule\",\n \"create_rule\", \"Create Rule\", \"Create\", \"\", \"Rule\", \"Policy Rule\",\n \"disable_policy\", \"Disable Policy\", \"Disable\", \"\", \"Policy\", \"Policy Rule\",\n \"delete_policy\", \"Delete Policy\", \"Delete\", \"\", \"Policy\", \"Policy Rule\",\n \"update_priority\", \"Update Priority\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"assign_policy\", \"Assign Policy\", \"Other\", \"Assign\", \"Policy\", \"Policy Rule\",\n \"remove_policy\", \"Remove Policy\", \"Other\", \"Remove\", \"Policy\", \"Policy Rule\",\n \"ip_rules_added\", \"IP Rules Added\", \"Create\", \"\", \"Rule\", \"Other\",\n \"ip_rules_removed\", \"IP Rules Removed\", \"Delete\", \"\", \"Rule\", \"Other\",\n \"hide_host_requested\", \"Hide Host Requested\", \"Delete\", \"\", \"Host\", \"Other\",\n \"mobile_hide_host_requested\", \"Mobile Hide Host Requested\", \"Delete\", \"\", \"Mobile Host\", \"Other\",\n \"CreateAPIClient\", \"Create API Client\", \"Create\", \"\", \"API Client\", \"Service\",\n \"UpdateAPIClient\", \"Update API Client\", \"Set\", \"\", \"API Client\", \"Service\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet UserAuditActivities = dynamic([\"delete_report_execution\", \"delete_scheduled_report\", \"update_scheduled_report\", \"create_scheduled_report\", \"update_class_action\", \"update_policy\", \"enable_policy\", \"create_policy\", \"remove_rule_group\", \"create_rule_group\", 
\"delete_rule_group\", \"add_rule_group\", \"delete_rule\", \"update_rule\", \"create_rule\", \"disable_policy\", \"delete_policy\", \"update_priority\", \"assign_policy\", \"remove_policy\", \"ip_rules_added\", \"ip_rules_removed\", \"hide_host_requested\", \"mobile_hide_host_requested\"]);\nlet AuthAuditActivities = dynamic([\"CreateAPIClient\", \"UpdateAPIClient\"]);\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventtype_in: dynamic=dynamic([]), \n eventresult: string='*', \n actorusername_has_any: dynamic=dynamic([]), \n operation_has_any: dynamic=dynamic([]), \n object_has_any: dynamic=dynamic([]), \n newvalue_has_any: dynamic=dynamic([]), \n disabled: bool = false\n ) {\n CommonSecurityLog\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where (DeviceEventClassID == \"UserActivityAuditEvent\" and Activity in (UserAuditActivities)) or (DeviceEventCategory == \"AuthActivityAuditEvent\" and Activity in (AuthAuditActivities))\n | where array_length(newvalue_has_any) == 0 \n and array_length(srcipaddr_has_any_prefix) == 0\n and (array_length(actorusername_has_any) == 0 or DestinationUserName has_any (actorusername_has_any))\n and (array_length(object_has_any) == 0 or Activity has_any (object_has_any))\n | lookup EventFieldsLookup on Activity\n | lookup EventSeverityLookup on LogSeverity\n | extend EventType = EventType_lookup\n | where (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend \n EventStartTime = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n 
unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n todatetime(DeviceCustomDate1),\n datetime(null)\n ),\n EventOriginalType = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n DeviceEventClassID,\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n DeviceEventCategory,\n \"\"\n ),\n EventResult = iff(EventOutcome == \"false\", \"Failure\", \"Success\"),\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = int(1),\n DvcAction = \"Allowed\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n ActorUsername = DestinationUserName,\n EventUid = _ItemId,\n DvcIpAddr = DestinationTranslatedAddress,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n TargetAppName = ProcessName,\n EventOriginalResultDetails = EventOutcome,\n EventOriginalSubType = Activity\n | extend\n EventEndTime = EventStartTime,\n Application = TargetAppName,\n TargetIpAddr = DvcIpAddr,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\")\n | extend\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Dst = TargetIpAddr\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n IndicatorThreatType,\n EventType_*\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n eventtype_in=eventtype_in, \n eventresult=eventresult, \n 
actorusername_has_any=actorusername_has_any, \n operation_has_any=operation_has_any, \n object_has_any=object_has_any, \n newvalue_has_any=newvalue_has_any, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "vimAuditEventCrowdStrikeFalconHost", + "query": "let EventFieldsLookup = datatable(\n Activity: string,\n Operation: string,\n EventType_lookup: string,\n EventSubType: string,\n Object: string,\n ObjectType: string\n) \n [\n \"delete_report_execution\", \"Delete Report Execution\", \"Delete\", \"\", \"Report Execution\", \"Scheduled Task\",\n \"delete_scheduled_report\", \"Delete Scheduled Report\", \"Delete\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_scheduled_report\", \"Update Scheduled Report\", \"Set\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"create_scheduled_report\", \"Create Scheduled Report\", \"Create\", \"\", \"Scheduled Report\", \"Scheduled Task\",\n \"update_class_action\", \"Update Class Action\", \"Set\", \"\", \"Class Action\", \"Other\",\n \"update_policy\", \"Update Policy\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"enable_policy\", \"Enable Policy\", \"Enable\", \"\", \"Policy\", \"Policy Rule\",\n \"create_policy\", \"Create Policy\", \"Create\", \"\", \"Policy\", \"Policy Rule\",\n \"remove_rule_group\", \"Remove Rule Group\", \"Other\", \"Remove\", \"Rule Group\", \"Service\",\n \"create_rule_group\", \"Create Rule Group\", \"Create\", \"\", \"Rule Group\", \"Service\",\n 
\"delete_rule_group\", \"Delete Rule Group\", \"Delete\", \"\", \"Rule Group\", \"Service\",\n \"add_rule_group\", \"Add Rule Group\", \"Other\", \"Add\", \"Rule Group\", \"Service\",\n \"delete_rule\", \"Delete Rule\", \"Delete\", \"\", \"Rule\", \"Policy Rule\",\n \"update_rule\", \"Update Rule\", \"Set\", \"\", \"Rule\", \"Policy Rule\",\n \"create_rule\", \"Create Rule\", \"Create\", \"\", \"Rule\", \"Policy Rule\",\n \"disable_policy\", \"Disable Policy\", \"Disable\", \"\", \"Policy\", \"Policy Rule\",\n \"delete_policy\", \"Delete Policy\", \"Delete\", \"\", \"Policy\", \"Policy Rule\",\n \"update_priority\", \"Update Priority\", \"Set\", \"\", \"Policy\", \"Policy Rule\",\n \"assign_policy\", \"Assign Policy\", \"Other\", \"Assign\", \"Policy\", \"Policy Rule\",\n \"remove_policy\", \"Remove Policy\", \"Other\", \"Remove\", \"Policy\", \"Policy Rule\",\n \"ip_rules_added\", \"IP Rules Added\", \"Create\", \"\", \"Rule\", \"Other\",\n \"ip_rules_removed\", \"IP Rules Removed\", \"Delete\", \"\", \"Rule\", \"Other\",\n \"hide_host_requested\", \"Hide Host Requested\", \"Delete\", \"\", \"Host\", \"Other\",\n \"mobile_hide_host_requested\", \"Mobile Hide Host Requested\", \"Delete\", \"\", \"Mobile Host\", \"Other\",\n \"CreateAPIClient\", \"Create API Client\", \"Create\", \"\", \"API Client\", \"Service\",\n \"UpdateAPIClient\", \"Update API Client\", \"Set\", \"\", \"API Client\", \"Service\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet UserAuditActivities = dynamic([\"delete_report_execution\", \"delete_scheduled_report\", \"update_scheduled_report\", \"create_scheduled_report\", \"update_class_action\", \"update_policy\", \"enable_policy\", \"create_policy\", \"remove_rule_group\", \"create_rule_group\", \"delete_rule_group\", \"add_rule_group\", \"delete_rule\", 
\"update_rule\", \"create_rule\", \"disable_policy\", \"delete_policy\", \"update_priority\", \"assign_policy\", \"remove_policy\", \"ip_rules_added\", \"ip_rules_removed\", \"hide_host_requested\", \"mobile_hide_host_requested\"]);\nlet AuthAuditActivities = dynamic([\"CreateAPIClient\", \"UpdateAPIClient\"]);\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventtype_in: dynamic=dynamic([]), \n eventresult: string='*', \n actorusername_has_any: dynamic=dynamic([]), \n operation_has_any: dynamic=dynamic([]), \n object_has_any: dynamic=dynamic([]), \n newvalue_has_any: dynamic=dynamic([]), \n disabled: bool = false\n ) {\n CommonSecurityLog\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where (DeviceEventClassID == \"UserActivityAuditEvent\" and Activity in (UserAuditActivities)) or (DeviceEventCategory == \"AuthActivityAuditEvent\" and Activity in (AuthAuditActivities))\n | where array_length(newvalue_has_any) == 0 \n and array_length(srcipaddr_has_any_prefix) == 0\n and (array_length(actorusername_has_any) == 0 or DestinationUserName has_any (actorusername_has_any))\n and (array_length(object_has_any) == 0 or Activity has_any (object_has_any))\n | lookup EventFieldsLookup on Activity\n | lookup EventSeverityLookup on LogSeverity\n | extend EventType = EventType_lookup\n | where (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend \n EventStartTime = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n DeviceEventCategory == 
\"AuthActivityAuditEvent\",\n todatetime(DeviceCustomDate1),\n datetime(null)\n ),\n EventOriginalType = case(\n DeviceEventClassID == \"UserActivityAuditEvent\",\n DeviceEventClassID,\n DeviceEventCategory == \"AuthActivityAuditEvent\",\n DeviceEventCategory,\n \"\"\n ),\n EventResult = iff(EventOutcome == \"false\", \"Failure\", \"Success\"),\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = int(1),\n DvcAction = \"Allowed\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n ActorUsername = DestinationUserName,\n EventUid = _ItemId,\n DvcIpAddr = DestinationTranslatedAddress,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n TargetAppName = ProcessName,\n EventOriginalResultDetails = EventOutcome,\n EventOriginalSubType = Activity\n | extend\n EventEndTime = EventStartTime,\n Application = TargetAppName,\n TargetIpAddr = DvcIpAddr,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\")\n | extend\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Dst = TargetIpAddr\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n IndicatorThreatType,\n EventType_*\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n eventtype_in=eventtype_in, \n eventresult=eventresult, \n actorusername_has_any=actorusername_has_any, \n operation_has_any=operation_has_any, \n 
object_has_any=object_has_any, \n newvalue_has_any=newvalue_has_any, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventEmpty/vimAuditEventEmpty.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventEmpty/vimAuditEventEmpty.json index 7aeb9107ea1..3e52575bfc7 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventEmpty/vimAuditEventEmpty.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventEmpty/vimAuditEventEmpty.json 
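Review bot: The `eventresult` parameter of vimAuditEventCrowdStrikeFalconHost is declared with default `'*'` and forwarded in the final `parser(...)` call, but nothing in the query body references it, so a caller requesting `eventresult='Failure'` still receives Success rows and any detection built on this filtering parser over-matches silently. After the `extend` that sets `EventResult = iff(EventOutcome == \"false\", \"Failure\", \"Success\")`, add `| where (eventresult == '*' or EventResult =~ eventresult)` in the same guard style as the existing `array_length(...) == 0 or ...` clauses. Separately, the pre-lookup clause `Activity has_any (object_has_any)` runs before EventFieldsLookup has produced `Object` and looks redundant with the later `Object has_any (object_has_any)` check; it could drop rows whose raw Activity string does not contain the object term, which is worth confirming against the filtering-test data. Both points are pre-existing on the old side and merely moved by this hunk, but the resource is being rewritten anyway.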
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimAuditEventEmpty", - "query": "let EmptyAuditEvents =datatable (\n ActorUserType:string,\n ActorUsernameType:string,\n ActorUserIdType:string,\n EventResult:string,\n EventType:string,\n EventSchema:string,\n ValueType:string,\n EventSeverity:string,\n EventVendor:string,\n EventProduct:string,\n SrcDvcIdType:string,\n TargetDvcIdType:string,\n SrcDomainType:string,\n TargetDomainType:string,\n SrcDeviceType:string,\n TargetDeviceType:string,\n ObjectType:string,\n OriginalObjectType:string,\n TargetAppType:string,\n TargetOriginalAppType:string,\n ActingAppType:string,\n ActingOriginalAppType:string,\n ThreatConfidence:int,\n SrcGeoCountry:string,\n TargetGeoCountry:string,\n EventSubType:string,\n EventResultDetails:string,\n SrcHostname:string,\n TargetHostname:string,\n SrcIpAddr:string,\n TargetIpAddr:string,\n SrcGeoRegion:string,\n SrcGeoCity:string,\n TargetGeoRegion:string,\n TargetGeoCity:string,\n ThreatRiskLevel:int,\n EventSchemaVersion:string,\n EventReportUrl:string,\n User:string,\n ActorUsername:string,\n Application:string,\n Process:string,\n Operation:string,\n Object:string,\n ObjectId:string,\n OldValue:string,\n NewValue:string,\n Value:string,\n TimeGenerated:datetime,\n _ResourceId:string,\n Type:string,\n 
AdditionalFields:dynamic,\n EventMessage:string,\n EventCount:int,\n EventStartTime:datetime,\n EventEndTime:datetime,\n EventOriginalUid:string,\n EventOriginalType:string,\n EventOriginalSubType:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventProductVersion:string,\n EventOwner:string,\n Rule:string,\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatOriginalRiskLevel:string,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatIpAddr:string,\n ThreatField:string,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ActorUserId:string,\n ActorScopeId:string,\n ActorScope:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n TargetAppId:string,\n TargetAppName:string,\n TargetUrl:string,\n ActingAppId:string,\n ActingAppName:string,\n HttpUserAgent:string,\n Src:string,\n SrcPortNumber:int,\n SrcDomain:string,\n SrcFQDN:string,\n SrcDvcDescription:string,\n SrcDvcId:string,\n SrcDvcScopeId:string,\n SrcDvcScope:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n Dst:string,\n TargetPortNumber:int,\n TargetDomain:string,\n TargetFQDN:string,\n TargetDvcDescription:string,\n TargetDvcId:string,\n TargetDvcScopeId:string,\n TargetDvcScope:string,\n TargetGeoLatitude:real,\n TargetGeoLongitude:real\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n)[];\nEmptyAuditEvents", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimAuditEventEmpty", + "query": "let EmptyAuditEvents =datatable (\n 
ActorUserType:string,\n ActorUsernameType:string,\n ActorUserIdType:string,\n EventResult:string,\n EventType:string,\n EventSchema:string,\n ValueType:string,\n EventSeverity:string,\n EventVendor:string,\n EventProduct:string,\n SrcDvcIdType:string,\n TargetDvcIdType:string,\n SrcDomainType:string,\n TargetDomainType:string,\n SrcDeviceType:string,\n TargetDeviceType:string,\n ObjectType:string,\n OriginalObjectType:string,\n TargetAppType:string,\n TargetOriginalAppType:string,\n ActingAppType:string,\n ActingOriginalAppType:string,\n ThreatConfidence:int,\n SrcGeoCountry:string,\n TargetGeoCountry:string,\n EventSubType:string,\n EventResultDetails:string,\n SrcHostname:string,\n TargetHostname:string,\n SrcIpAddr:string,\n TargetIpAddr:string,\n SrcGeoRegion:string,\n SrcGeoCity:string,\n TargetGeoRegion:string,\n TargetGeoCity:string,\n ThreatRiskLevel:int,\n EventSchemaVersion:string,\n EventReportUrl:string,\n User:string,\n ActorUsername:string,\n Application:string,\n Process:string,\n Operation:string,\n Object:string,\n ObjectId:string,\n OldValue:string,\n NewValue:string,\n Value:string,\n TimeGenerated:datetime,\n _ResourceId:string,\n Type:string,\n AdditionalFields:dynamic,\n EventMessage:string,\n EventCount:int,\n EventStartTime:datetime,\n EventEndTime:datetime,\n EventOriginalUid:string,\n EventOriginalType:string,\n EventOriginalSubType:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventProductVersion:string,\n EventOwner:string,\n Rule:string,\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatOriginalRiskLevel:string,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatIpAddr:string,\n ThreatField:string,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ActorUserId:string,\n ActorScopeId:string,\n ActorScope:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n TargetAppId:string,\n 
TargetAppName:string,\n TargetUrl:string,\n ActingAppId:string,\n ActingAppName:string,\n HttpUserAgent:string,\n Src:string,\n SrcPortNumber:int,\n SrcDomain:string,\n SrcFQDN:string,\n SrcDvcDescription:string,\n SrcDvcId:string,\n SrcDvcScopeId:string,\n SrcDvcScope:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n Dst:string,\n TargetPortNumber:int,\n TargetDomain:string,\n TargetFQDN:string,\n TargetDvcDescription:string,\n TargetDvcId:string,\n TargetDvcScopeId:string,\n TargetDvcScope:string,\n TargetGeoLatitude:real,\n TargetGeoLongitude:real\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n)[];\nEmptyAuditEvents", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/README.md new file mode 100644 index 00000000000..3ba1867f7d5 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/README.md 
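Review bot: The last column of the EmptyAuditEvents datatable is `DvcScopeOd:string`, which looks like a typo for `DvcScopeId` — the sibling columns in the same datatable are `SrcDvcScopeId` and `TargetDvcScopeId`, and every other `Dvc*` column here mirrors those Src/Target names. If this empty function serves as the schema reference for union parsers or the schema testers, a source parser that correctly emits `DvcScopeId` will not line up with it. The line is pre-existing and only relocated by this hunk, but since the resource is being rewritten it is a cheap moment to change ` , DvcScopeOd:string` to ` , DvcScopeId:string` here and in the YAML the template is presumably generated from.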
@@ -0,0 +1,18 @@ +# Illumio Core ASIM AuditEvent Normalization Parser + +ARM template for ASIM AuditEvent schema parser for Illumio Core. + +This ASIM parser supports normalizing Illumio Core audit events logs ingested in 'Illumio_Auditable_Events_CL' table to the ASIM Audit Event schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventIllumioSaaSCore%2FvimAuditEventIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventIllumioSaaSCore%2FvimAuditEventIllumioSaaSCore.json) diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json new file mode 100644 index 00000000000..eb9b91471d3 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json 
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuditEventIllumioSaaSCore')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for Illumio SaaS Core audit events",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuditEventIllumioSaaSCore",
+ "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n Operation: string,\n ObjectType:string, // an enumerated list [ Configuration Atom, Policy Rule, Cloud Resource, Other],\n Object:string,\n EventType: string, // an enumerated list [ Set, Read, Create, Delete, Execute, Install, Clear, Enable, Disable, Other ] event type\n) \n[\n 'access_restriction.create', 'Access restriction created', 'Cloud Resource', 'Access_restriction', 'Create',\n 'access_restriction.delete', 'Access restriction deleted', 'Cloud Resource', 'Access_restriction', 'Delete',\n 'access_restriction.update', 'Access restriction updated', 'Cloud Resource', 'Access_restriction', 'Set',\n 'agent.activate', 'Agent paired', 'Cloud Resource', 'Agent', 'Other',\n 'agent.activate_clone', 'Agent clone activated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.clone_detected', 'Agent clone detected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.deactivate', 
'Agent unpaired', 'Cloud Resource', 'Agent', 'Other',\n 'agent.generate_maintenance_token', 'Generate maintenance token for any agent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.goodbye', 'Agent disconnected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.machine_identifier', 'Agent machine identifiers updated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_token', 'Agent refreshed token', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_policy', 'Success or failure to apply policy on VEN', 'Cloud Resource', 'Agent', 'Other',\n 'agent.request_upgrade', 'VEN upgrade request sent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.service_not_available', 'Agent reported a service not running', 'Cloud Resource', 'Agent', 'Other',\n 'agent.suspend', 'Agent suspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.tampering', 'Agent firewall tampered', 'Cloud Resource', 'Agent', 'Other',\n 'agent.unsuspend', 'Agent unsuspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.update', 'Agent properties updated.', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_interactive_users', 'Agent interactive users updated', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_iptables_href', 'Agent updated existing iptables href', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_running_containers', 'Agent updated existing containers', 'Cloud Resource', 'Agent', 'Set',\n 'agent.upload_existing_ip_table_rules', 'Agent existing IP tables uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent.upload_support_report', 'Agent support report uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent_support_report_request.create', 'Agent support report request created', 'Cloud Resource', 'Agent_support_report_request', 'Create',\n 'agent_support_report_request.delete', 'Agent support report request deleted', 'Cloud Resource', 'Agent_support_report_request', 'Delete',\n 'agents.clear_conditions', 'Condition cleared from a list of VENs', 'Cloud Resource', 'Agents', 'Other',\n 
'agents.unpair', 'Multiple agents unpaired', 'Cloud Resource', 'Agents', 'Other',\n 'api_key.create', 'API key created', 'Cloud Resource', 'Api_key', 'Create',\n 'api_key.delete', 'API key deleted', 'Cloud Resource', 'Api_key', 'Delete',\n 'api_key.update', 'API key updated', 'Cloud Resource', 'Api_key', 'Set',\n 'auth_security_principal.create', 'RBAC auth security principal created', 'Cloud Resource', 'Auth_security_principal', 'Create',\n 'auth_security_principal.delete', 'RBAC auth security principal deleted', 'Cloud Resource', 'Auth_security_principal', 'Delete',\n 'auth_security_principal.update', 'RBAC auth security principal updated', 'Cloud Resource', 'Auth_security_principal', 'Set',\n 'authentication_settings.update', 'Authentication settings updated', 'Other', 'Authentication_settings', 'Set',\n 'cluster.create', 'PCE cluster created', 'Cloud Resource', 'Cluster', 'Create',\n 'cluster.delete', 'PCE cluster deleted', 'Cloud Resource', 'Cluster', 'Delete',\n 'cluster.update', 'PCE cluster updated', 'Cloud Resource', 'Cluster', 'Set',\n 'container_workload.update', 'Container workload updated', 'Cloud Resource', 'Container_workload', 'Set',\n 'container_cluster.create', 'Container cluster created', 'Cloud Resource', 'Container_cluster', 'Create',\n 'container_cluster.delete', 'Container cluster deleted', 'Cloud Resource', 'Container_cluster', 'Delete',\n 'container_cluster.update', 'Container cluster updated', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_label_map', 'Container cluster label mappings updated all at once', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_services', 'Container cluster services updated, created, or deleted by Kubelink', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_workload_profile.create', 'Container workload profile created', 'Cloud Resource', 'Container_workload_profile', 'Create',\n 'container_workload_profile.delete', 'Container workload profile deleted', 
'Cloud Resource', 'Container_workload_profile', 'Delete',\n 'container_workload_profile.update', 'Container workload profile updated', 'Cloud Resource', 'Container_workload_profile', 'Set',\n 'database.temp_table_autocleanup_started', 'DB temp table cleanup started', 'Other', 'Database', 'Other',\n 'database.temp_table_autocleanup_completed', 'DB temp table cleanup completed', 'Other', 'Database', 'Other',\n 'domain.create', 'Domain created', 'Other', 'Domain', 'Create',\n 'domain.delete', 'Domain deleted', 'Other', 'Domain', 'Delete',\n 'domain.update', 'Domain updated', 'Other', 'Domain', 'Set',\n 'enforcement_boundary.create', 'Enforcement boundary created', 'Cloud Resource', 'Enforcement_boundary', 'Create',\n 'enforcement_boundary.delete', 'Enforcement boundary deleted', 'Cloud Resource', 'Enforcement_boundary', 'Delete',\n 'enforcement_boundary.update', 'Enforcement boundary updated', 'Cloud Resource', 'Enforcement_boundary', 'Set',\n 'event_settings.update', 'Event settings updated', 'Other', 'Event_settings', 'Set',\n 'firewall_settings.update', 'Global policy settings updated', 'Other', 'Firewall_settings', 'Set',\n 'group.create', 'Group created', 'Other', 'Group', 'Create',\n 'group.update', 'Group updated', 'Other', 'Group', 'Set',\n 'ip_list.create', 'IP list created', 'Cloud Resource', 'Ip_list', 'Create',\n 'ip_list.delete', 'IP list deleted', 'Cloud Resource', 'Ip_list', 'Delete',\n 'ip_list.update', 'IP list updated', 'Cloud Resource', 'Ip_list', 'Set',\n 'ip_lists.delete', 'IP lists deleted', 'Cloud Resource', 'Ip_lists', 'Delete',\n 'ip_tables_rule.create', 'IP tables rules created', 'Cloud Resource', 'Ip_tables_rule', 'Create',\n 'ip_tables_rule.delete', 'IP tables rules deleted', 'Cloud Resource', 'Ip_tables_rule', 'Delete',\n 'ip_tables_rule.update', 'IP tables rules updated', 'Cloud Resource', 'Ip_tables_rule', 'Set',\n 'job.delete', 'Job deleted', 'Other', 'Job', 'Delete',\n 'label.create', 'Label created', 'Cloud Resource', 'Label', 
'Create',\n 'label.delete', 'Label deleted', 'Cloud Resource', 'Label', 'Delete',\n 'label.update', 'Label updated', 'Cloud Resource', 'Label', 'Set',\n 'label_group.create', 'Label group created', 'Cloud Resource', 'Label_group', 'Create',\n 'label_group.delete', 'Label group deleted', 'Cloud Resource', 'Label_group', 'Delete',\n 'label_group.update', 'Label group updated', 'Cloud Resource', 'Label_group', 'Set',\n 'labels.delete', 'Labels deleted', 'Cloud Resource', 'Labels', 'Delete',\n 'ldap_config.create', 'LDAP configuration created', 'Other', 'Ldap_config', 'Create',\n 'ldap_config.delete', 'LDAP configuration deleted', 'Other', 'Ldap_config', 'Delete',\n 'ldap_config.update', 'LDAP configuration updated', 'Other', 'Ldap_config', 'Set',\n 'ldap_config.verify_connection', 'LDAP server connection verified', 'Other', 'Ldap_config', 'Other',\n 'license.delete', 'License deleted', 'Other', 'License', 'Delete',\n 'license.update', 'License updated', 'Other', 'License', 'Set',\n 'login_proxy_ldap_config.create', 'Interservice call to login service to create LDAP config', 'Other', 'Login_proxy_ldap_config', 'Create',\n 'login_proxy_ldap_config.delete', 'Interservice call to login service to delete LDAP config', 'Other', 'Login_proxy_ldap_config', 'Delete',\n 'login_proxy_ldap_config.update', 'Interservice call to login service to update LDAP config', 'Other', 'Login_proxy_ldap_config', 'Set',\n 'login_proxy_ldap_config.verify_connection', 'Interservice call to login service to verify connection to the LDAP server', 'Other', 'Login_proxy_ldap_config', 'Other',\n 'login_proxy_msp_tenants.create', 'New MSP tenant created', 'Other', 'Login_proxy_msp_tenants', 'Create',\n 'login_proxy_msp_tenants.delete', 'MSP tenant deleted', 'Other', 'Login_proxy_msp_tenants', 'Delete',\n 'login_proxy_msp_tenants.update', 'MSP tenant updated', 'Other', 'Login_proxy_msp_tenants', 'Set',\n 'login_proxy_orgs.create', 'New managed organization created', 'Other', 'Login_proxy_orgs', 
'Create',\n 'login_proxy_orgs.delete', 'Managed organization deleted', 'Other', 'Login_proxy_orgs', 'Delete',\n 'login_proxy_orgs.update', 'Managed organization updated', 'Other', 'Login_proxy_orgs', 'Set',\n 'lost_agent.found', 'Lost agent found', 'Cloud Resource', 'Lost_agent', 'Other',\n 'network.create', 'Network created', 'Cloud Resource', 'Network', 'Create',\n 'network.delete', 'Network deleted', 'Cloud Resource', 'Network', 'Delete',\n 'network.update', 'Network updated', 'Cloud Resource', 'Network', 'Set',\n 'network_device.ack_enforcement_instructions_applied', 'Enforcement instruction applied to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.assign_workload', 'Existing or new unmanaged workload assigned to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.create', 'Network device created', 'Cloud Resource', 'Network_device', 'Create',\n 'network_device.delete', 'Network device deleted', 'Cloud Resource', 'Network_device', 'Delete',\n 'network_device.update', 'Network device updated', 'Cloud Resource', 'Network_device', 'Set',\n 'network_devices.ack_multi_enforcement_instructions_applied', 'Enforcement instructions applied to multiple network devices', 'Cloud Resource', 'Network_devices', 'Other',\n 'network_endpoint.create', 'Network endpoint created', 'Cloud Resource', 'Network_endpoint', 'Create',\n 'network_endpoint.delete', 'Network endpoint deleted', 'Cloud Resource', 'Network_endpoint', 'Delete',\n 'network_endpoint.update', 'Network endpoint updated', 'Cloud Resource', 'Network_endpoint', 'Set',\n 'network_enforcement_node.activate', 'Network enforcement node activated', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.clear_conditions', 'Network enforcement node conditions cleared', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.deactivate', 'Network enforcement node deactivated', 'Cloud Resource', 
'Network_enforcement_node', 'Other',\n 'network_enforcement_node.degraded', 'Network enforcement node failed or primary lost connectivity to secondary', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats', 'Network enforcement node did not heartbeat for more than 15 minutes', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats_check', 'Network enforcement node missed heartbeats check', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.network_devices_network_endpoints_workloads', 'Workload added to network endpoint', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.policy_ack', 'Network enforcement node acknowledgment of policy', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.request_policy', 'Network enforcement node policy requested', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.update_status', 'Network enforcement node reports when switches are not reachable', 'Cloud Resource', 'Network_enforcement_node', 'Set',\n 'network_enforcement_nodes.clear_conditions', 'A condition was cleared from a list of network enforcement nodes', 'Cloud Resource', 'Network_enforcement_nodes', 'Other',\n 'nfc.activate', 'Network function controller created', 'Other', 'Nfc', 'Other',\n 'nfc.delete', 'Network function controller deleted', 'Other', 'Nfc', 'Delete',\n 'nfc.update_discovered_virtual_servers', 'Network function controller virtual servers discovered', 'Cloud Resource', 'Nfc', 'Set',\n 'nfc.update_policy_status', 'Network function controller policy status', 'Other', 'Nfc', 'Set',\n 'nfc.update_slb_state', 'Network function controller SLB state updated', 'Other', 'Nfc', 'Set',\n 'org.create', 'Organization created', 'Other', 'Org', 'Create',\n 'org.recalc_rules', 'Rules for organization recalculated', 'Other', 'Org', 'Other',\n 
'org.update', 'Organization information updated', 'Other', 'Org', 'Set',\n 'pairing_profile.create', 'Pairing profile created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.create_pairing_key', 'Pairing profile pairing key created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.delete', 'Pairing profile deleted', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profile.update', 'Pairing profile updated', 'Cloud Resource', 'Pairing_profile', 'Set',\n 'pairing_profile.delete_all_pairing_keys', 'Pairing keys deleted from pairing profile', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profiles.delete', 'Pairing profiles deleted', 'Cloud Resource', 'Pairing_profiles', 'Delete',\n 'password_policy.create', 'Password policy created', 'Cloud Resource', 'Password_policy', 'Create',\n 'password_policy.delete', 'Password policy deleted', 'Cloud Resource', 'Password_policy', 'Delete',\n 'password_policy.update', 'Password policy updated', 'Cloud Resource', 'Password_policy', 'Set',\n 'permission.create', 'RBAC permission created', 'Cloud Resource', 'Permission', 'Create',\n 'permission.delete', 'RBAC permission deleted', 'Cloud Resource', 'Permission', 'Delete',\n 'permission.update', 'RBAC permission updated', 'Cloud Resource', 'Permission', 'Set',\n 'radius_config.create', 'Create domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Create',\n 'radius_config.delete', 'Delete domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Delete',\n 'radius_config.update', 'Update domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Set',\n 'radius_config.verify_shared_secret', 'Verify RADIUS shared secret', 'Cloud Resource', 'Radius_config', 'Other',\n 'request.authentication_failed', 'API request authentication failed', 'Other', 'Request', 'Other',\n 'request.authorization_failed', 'API request authorization failed', 'Other', 'Request', 'Other',\n 'request.internal_server_error', 'API 
request failed due to internal server error', 'Other', 'Request', 'Other',\n 'request.service_unavailable', 'API request failed due to unavailable service', 'Other', 'Request', 'Other',\n 'request.unknown_server_error', 'API request failed due to unknown server error', 'Other', 'Request', 'Other',\n 'resource.create', 'Login resource created', 'Other', 'Resource', 'Create',\n 'resource.delete', 'Login resource deleted', 'Other', 'Resource', 'Delete',\n 'resource.update', 'Login resource updated', 'Other', 'Resource', 'Set',\n 'rule_set.create', 'Rule set created', 'Policy Rule', 'Rule_set', 'Create',\n 'rule_set.delete', 'Rule set deleted', 'Policy Rule', 'Rule_set', 'Delete',\n 'rule_set.update', 'Rule set updated', 'Policy Rule', 'Rule_set', 'Set',\n 'rule_sets.delete', 'Rule sets deleted', 'Policy Rule', 'Rule_sets', 'Delete',\n 'saml_acs.update', 'SAML assertion consumer services updated', 'Other', 'Saml_acs', 'Set',\n 'saml_config.create', 'SAML configuration created', 'Cloud Resource', 'Saml_config', 'Create',\n 'saml_config.delete', 'SAML configuration deleted', 'Cloud Resource', 'Saml_config', 'Delete',\n 'saml_config.pce_signing_cert', 'Generate a new cert for signing SAML AuthN requests', 'Cloud Resource', 'Saml_config', 'Other',\n 'saml_config.update', 'SAML configuration updated', 'Cloud Resource', 'Saml_config', 'Set',\n 'saml_sp_config.create', 'SAML Service Provider created', 'Cloud Resource', 'Saml_sp_config', 'Create',\n 'saml_sp_config.delete', 'SAML Service Provider deleted', 'Cloud Resource', 'Saml_sp_config', 'Delete',\n 'saml_sp_config.update', 'SAML Service Provider updated', 'Cloud Resource', 'Saml_sp_config', 'Set',\n 'sec_policy.create', 'Security policy created', 'Other', 'Sec_policy', 'Create',\n 'sec_policy_pending.delete', 'Pending security policy deleted', 'Other', 'Sec_policy_pending', 'Delete',\n 'sec_policy.restore', 'Security policy restored', 'Other', 'Sec_policy', 'Other',\n 'sec_rule.create', 'Security policy rules created', 
'Policy Rule', 'Sec_rule', 'Create',\n 'sec_rule.delete', 'Security policy rules deleted', 'Policy Rule', 'Sec_rule', 'Delete',\n 'sec_rule.update', 'Security policy rules updated', 'Policy Rule', 'Sec_rule', 'Set',\n 'secure_connect_gateway.create', 'SecureConnect gateway created', 'Other', 'Secure_connect_gateway', 'Create',\n 'secure_connect_gateway.delete', 'SecureConnect gateway deleted', 'Other', 'Secure_connect_gateway', 'Delete',\n 'secure_connect_gateway.update', 'SecureConnect gateway updated', 'Other', 'Secure_connect_gateway', 'Set',\n 'security_principal.create', 'RBAC security principal created', 'Other', 'Security_principal', 'Create',\n 'security_principal.delete', 'RBAC security principal bulk deleted', 'Other', 'Security_principal', 'Delete',\n 'security_principal.update', 'RBAC security principal bulk updated', 'Other', 'Security_principal', 'Set',\n 'security_principals.bulk_create', 'RBAC security principals bulk created', 'Other', 'Security_principals', 'Other',\n 'service.create', 'Service created', 'Other', 'Service', 'Create',\n 'service.delete', 'Service deleted', 'Other', 'Service', 'Delete',\n 'service.update', 'Service updated', 'Other', 'Service', 'Set',\n 'service_account.create', 'Service account created', 'Other', 'Service_account', 'Create',\n 'service_account.delete', 'Service account deleted', 'Other', 'Service_account', 'Delete',\n 'service_account.update', 'Service account updated', 'Other', 'Service_account', 'Set',\n 'service_binding.create', 'Service binding created', 'Other', 'Service_binding', 'Create',\n 'service_binding.delete', 'Service binding created', 'Other', 'Service_binding', 'Delete',\n 'service_bindings.delete', 'Service bindings deleted', 'Other', 'Service_bindings', 'Delete',\n 'service_bindings.delete', 'Service binding deleted', 'Other', 'Service_bindings', 'Delete',\n 'services.delete', 'Services deleted', 'Other', 'Services', 'Delete',\n 'settings.update', 'Explorer settings updated', 'Other', 'Settings', 
'Set',\n 'slb.create', 'Server load balancer created', 'Other', 'Slb', 'Create',\n 'slb.delete', 'Server load balancer deleted', 'Other', 'Slb', 'Delete',\n 'slb.update', 'Server load balancer updated', 'Other', 'Slb', 'Set',\n 'support_report.upload', 'Support report uploaded', 'Other', 'Support_report', 'Other',\n 'syslog_destination.create', 'syslog remote destination created', 'Other', 'Syslog_destination', 'Create',\n 'syslog_destination.delete', 'syslog remote destination deleted', 'Other', 'Syslog_destination', 'Delete',\n 'syslog_destination.update', 'syslog remote destination updated', 'Other', 'Syslog_destination', 'Set',\n 'system_task.agent_missed_heartbeats_check', 'Agent missed heartbeats', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_missing_heartbeats_after_upgrade', 'VEN missing heartbeat after upgrade', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_offline_check', 'Agents marked offline', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_self_signed_certs_check', 'VEN self signed certificate housekeeping check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_settings_invalidation_error_state_check', 'VEN settings invalidation error state check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_uninstall_timeout', 'VEN uninstall timeout', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.clear_auth_recover_condition', 'Clear VEN authentication recovery condition', 'Other', 'System_task', 'Other',\n 'system_task.compute_policy_for_unmanaged_workloads', 'Compute policy for unmanaged workloads', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.delete_expired_service_account_api_keys', 'An expired service account api_key was successfully deleted', 'Cloud Resource', 'System_task', 'Delete',\n 'system_task.delete_old_cached_perspectives', 'Delete old cached perspectives', 'Other', 'System_task', 'Delete',\n 'system_task.endpoint_offline_check', 'Endpoint marked 
offline', 'Other', 'System_task', 'Other',\n 'system_task.provision_container_cluster_services', 'Container cluster services provisioned', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.prune_old_log_events', 'Event pruning completed', 'Other', 'System_task', 'Other',\n 'system_task.remove_stale_zone_subsets', 'Stale zone subnets removed', 'Other', 'System_task', 'Other',\n 'system_task.set_server_sync_check', 'Set server synced', 'Other', 'System_task', 'Other',\n 'system_task.vacuum_deactivated_agent_and_deleted_workloads', 'Deactivated and deleted workloads have been vacuumed', 'Cloud Resource', 'System_task', 'Other',\n 'traffic_collector_setting.create', 'Traffic collector setting created', 'Other', 'Traffic_collector_setting', 'Create',\n 'traffic_collector_setting.delete', 'Traffic collector setting deleted', 'Other', 'Traffic_collector_setting', 'Delete',\n 'traffic_collector_setting.update', 'Traffic collector setting updated', 'Other', 'Traffic_collector_setting', 'Set',\n 'trusted_proxy_ips.update', 'Trusted proxy IPs created or updated', 'Other', 'Trusted_proxy_ips', 'Set',\n 'user.accept_invitation', 'User invitation accepted', 'Cloud Resource', 'User', 'Other',\n 'user.authenticate', 'User authenticated', 'Cloud Resource', 'User', 'Other',\n 'user.create', 'User created', 'Cloud Resource', 'User', 'Create',\n 'user.delete', 'User deleted', 'Cloud Resource', 'User', 'Delete',\n 'user.invite', 'User invited', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set', \n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.pce_session_terminated', 'User session terminated', 'Cloud Resource', 'User', 'Other',\n 'user.login_session_terminated', 'User login session terminated', 'Cloud Resource', 'User', 'Other',\n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 
'User', 'Set',\n 'user.update_password', 'User password updated', 'Cloud Resource', 'User', 'Set',\n 'user.use_expired_password', 'User entered expired password', 'Cloud Resource', 'User', 'Other',\n 'user.verify_mfa', 'User verified MFA', 'Cloud Resource', 'User', 'Other',\n 'users.auth_token', 'Auth token returned for user authentication on PCE', 'Other', 'Users', 'Other',\n 'user_local_profile.create', 'User local profile created', 'Other', 'User_local_profile', 'Create',\n 'user_local_profile.delete', 'User local profile deleted', 'Other', 'User_local_profile', 'Delete',\n 'user_local_profile.reinvite', 'User local profile reinvited', 'Other', 'User_local_profile', 'Other',\n 'user_local_profile.update_password', 'User local password updated', 'Other', 'User_local_profile', 'Set',\n 'ven_settings.update', 'VEN settings updated', 'Other', 'Ven_settings', 'Set',\n 'ven_software.upgrade', 'VEN software release upgraded', 'Other', 'Ven_software', 'Set',\n 'ven_software_release.create', 'VEN software release created', 'Other', 'Ven_software_release', 'Create',\n 'ven_software_release.delete', 'VEN software release deleted', 'Other', 'Ven_software_release', 'Delete',\n 'ven_software_release.deploy', 'VEN software release deployed', 'Other', 'Ven_software_release', 'Other',\n 'ven_software_release.update', 'VEN software release updated', 'Other', 'Ven_software_release', 'Set',\n 'ven_software_releases.set_default_version', 'Default VEN software version set', 'Other', 'Ven_software_releases', 'Other',\n 'virtual_server.create', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Create',\n 'virtual_server.delete', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Delete',\n 'virtual_server.update', 'Virtual server updated', 'Cloud Resource', 'Virtual_server', 'Set',\n 'virtual_service.create', 'Virtual service created', 'Cloud Resource', 'Virtual_service', 'Create',\n 'virtual_service.delete', 'Virtual service deleted', 'Cloud Resource', 
'Virtual_service', 'Delete',\n 'virtual_service.update', 'Virtual service updated', 'Cloud Resource', 'Virtual_service', 'Set',\n 'virtual_services.bulk_create', 'Virtual services created in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'virtual_services.bulk_update', 'Virtual services updated in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'vulnerability.create', 'Vulnerability record created', 'Other', 'Vulnerability', 'Create',\n 'vulnerability.delete', 'Vulnerability record deleted', 'Other', 'Vulnerability', 'Delete',\n 'vulnerability.update', 'Vulnerability record updated', 'Other', 'Vulnerability', 'Set',\n 'vulnerability_report.delete', 'Vulnerability report deleted', 'Other', 'Vulnerability_report', 'Delete',\n 'vulnerability_report.update', 'Vulnerability report updated', 'Other', 'Vulnerability_report', 'Set',\n 'workload.create', 'Workload created', 'Cloud Resource', 'Workload', 'Create',\n 'workload.delete', 'Workload deleted', 'Cloud Resource', 'Workload', 'Delete',\n 'workload.online', 'Workload online', 'Cloud Resource', 'Workload', 'Other',\n 'workload.recalc_rules', 'Workload policy recalculated', 'Cloud Resource', 'Workload', 'Other',\n 'workload.redetect_network', 'Workload network redetected', 'Cloud Resource', 'Workload', 'Other',\n 'workload.undelete', 'Workload undeleted', 'Cloud Resource', 'Workload', 'Other',\n 'workload.update', 'Workload settings updated', 'Cloud Resource', 'Workload', 'Set',\n 'workload.upgrade', 'Workload upgraded', 'Cloud Resource', 'Workload', 'Set',\n 'workload_interface.create', 'Workload interface created', 'Cloud Resource', 'Workload_interface', 'Create',\n 'workload_interface.delete', 'Workload interface deleted', 'Cloud Resource', 'Workload_interface', 'Delete',\n 'workload_interface.update', 'Workload interface updated', 'Cloud Resource', 'Workload_interface', 'Set',\n 'workload_interfaces.update', 'Workload interfaces updated', 'Cloud Resource', 'Workload_interfaces', 'Set',\n '', 'For 
example, IP address changes, new interface added, and interface shut down.', 'Other', '', 'Other',\n 'workload_service_report.update', 'Workload service report updated', 'Cloud Resource', 'Workload_service_report', 'Set',\n 'workload_settings.update', 'Workload settings updated', 'Cloud Resource', 'Workload_settings', 'Set',\n 'workloads.apply_policy', 'Workloads policies applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_create', 'Workloads created in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_delete', 'Workloads deleted in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_update', 'Workloads updated in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.remove_labels', 'Workloads labels removed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_flow_reporting_frequency', 'Workload flow reporting frequency changed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_labels', 'Workload labels applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.unpair', 'Workloads unpaired', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.update', 'Workloads updated', 'Cloud Resource', 'Workloads', 'Set'\n];\nlet EventSeverityLookup = datatable(\n severity: string,\n EventSeverity: string\n)\n [\n \"err\", \"High\",\n \"info\", \"Informational\",\n \"warning\", \"Medium\"\n];\nlet EventResultLookup = datatable(\n status: string,\n EventResult: string\n)\n [\n \"success\", \"Success\",\n \"failure\", \"Failure\",\n \"\", \"NA\"\n];\nlet parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]), // not sure if this is required\n object_has_any:dynamic=dynamic([]), // not sure if this is required\n newvalue_has_any:dynamic=dynamic([]), // not mapped yet\n disabled:bool = false\n 
){\n Illumio_Auditable_Events_CL \n | where not(disabled) and (event_type !startswith \"user\") // filter out user auth events\n and ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(action.src_ip, srcipaddr_has_any_prefix))\n | lookup EventTypeLookup on event_type // fetch Object, ObjectType,EventType, Operation from lookup\n | lookup EventSeverityLookup on severity // fetch EventSeverity from lookup\n | lookup EventResultLookup on status // fetch EventResult from lookup\n | extend temp_resource_changes = parse_json(resource_changes) \n | extend temp_notifications = parse_json(notifications)\n | extend\n NewValue = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].changes, ''),\n EventMessage = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].resource, ''), \n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip)\n | extend \n ActorUsername = case(\n isnotnull(created_by.system), \"System\",\n isnotnull(created_by.user), created_by.user.username,\n isnotnull(created_by.agent), created_by.agent.hostname,\n \"Unknown\"\n ) \n | extend ActorUsernameType = \"Simple\" \n // ***** parser filter params *****\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in)) \n and (eventresult == \"*\" or EventResult =~ eventresult) and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(newvalue_has_any) == 0)\n // ***** parser filter params *****\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n Dvc = pce_fqdn,\n 
EventType = iff(isnull(EventType), event_type, EventType),\n EventOriginalUid = href,\n EventUid = _ItemId\n //aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Value = NewValue \n | project-away \n event_type, // used by EventType \n severity, // used by EventSeverity \n temp_*, \n resource_changes, // used by NewValue and EventMessage\n notifications,\n version, // simply drop version, no need to translate\n action, //used by src_ip\n status, // used by EventResult\n created_by, // used by ActorUsername and ActorType\n pce_fqdn, // used by Dvc\n href, // used by EventOriginalUid\n TenantId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/README.md
new file mode 100644
index 00000000000..47dd35ce110
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/README.md
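Review bot: EventTypeLookup contains duplicate keys — `'service_bindings.delete'` is listed twice with different Operation text, `'user.update'` and `'user.reset_password'` each appear twice, and one row is keyed by the empty string with a documentation fragment as its Operation — and since `lookup EventTypeLookup on event_type` returns one output row per matching lookup row, every `service_bindings.delete` event is emitted twice (the duplicated `user.*` rows are only masked by the `event_type !startswith "user"` filter). Dropping the duplicates and the empty-key row fixes that; the rows for `'service_binding.delete'` and `'virtual_server.delete'` also carry the Operation text "created" where "deleted" is meant. The fallback `EventType = iff(isnull(EventType), event_type, EventType)` never triggers because Kusto string columns cannot be null, so an event_type missing from the table leaves EventType empty; `EventType = iff(isempty(EventType), 'Other', EventType)` would both trigger and keep the value inside the schema's enumerated list. The filter term `and (array_length(newvalue_has_any) == 0)` makes the parser return no rows whenever a caller passes `newvalue_has_any`, although NewValue is populated a few lines earlier; `and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))` would honor the parameter. Finally, `SrcIpAddr` and `ActorUsername` are built from dynamic sub-fields without `tostring()`, so their column type is presumably dynamic rather than the string the AuditEvent schema declares.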
@@ -0,0 +1,18 @@ +# Infoblox BloxOne ASIM AuditEvent Normalization Parser + +ARM template for ASIM AuditEvent schema parser for Infoblox BloxOne. + +This ASIM parser supports normalizing AuditEvent logs from Infoblox BloxOne to the ASIM AuditEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventInfobloxBloxOne%2FvimAuditEventInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventInfobloxBloxOne%2FvimAuditEventInfobloxBloxOne.json) diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json new file mode 100644 index 00000000000..e50e55aead5 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventInfbloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "AuditEvent ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "vimAuditEventInfbloxBloxOne", + "query": "let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string)\n[\n \"CreateSecurityPolicy\", \"Security Policy\", \"Policy Role\",\n \"UpdateSecurityPolicy\", \"Security Policy\", \"Policy\",\n \"Create\", \"Network Resource\", \"Service\",\n \"Update\", \"Network Resource\", \"Service\",\n \"Restore\", \"Infoblox Resource\", \"Service\",\n \"CreateOrGetDoHFQDN\", \"DOHFQDN\", \"Service\",\n \"CreateOrUpdateDfpService\", \"Dfp Service\", \"Service\",\n \"MoveToRecyclebin\", \"Recyclebin\", \"Other\",\n \"CreateCategoryFilter\", \"Category Filter\", \"Other\",\n \"GetLookalikeThreatCounts\", \"Lookalike Threat Counts\", \"Other\",\n 
\"GetLookalikeDomainCounts\", \"Lookalike Domain Counts\", \"Other\",\n \"CreateRoamingDeviceGroup\", \"Roaming Device Group\", \"Configuration Atom\",\n \"UpdatePartialRoamingDeviceGroup\", \"Partial Roaming Device Group\", \"Configuration Atom\"\n];\nlet parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\n CommonSecurityLog\n | where not(disabled) \n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and DeviceVendor == \"Infoblox\"\n and DeviceEventClassID has \"AUDIT\"\n and (eventresult == \"*\" or EventOutcome =~ eventresult)\n and (array_length(operation_has_any) == 0 or DeviceAction has_any (operation_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SourceUserName has_any (actorusername_has_any))\n and array_length(newvalue_has_any) == 0\n | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend EventType = case(\n DeviceAction has_any (\"update\", \"upsert\"),\n \"Set\", \n DeviceAction has \"create\",\n \"Create\",\n DeviceAction has \"delete\",\n \"Delete\",\n \"Other\"\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup EventSeverityLookup on LogSeverity\n | lookup OperationLookup on DeviceAction\n | extend Object = iff(isempty(Object), \"Infoblox Network Resource\", Object),\n ObjectType = iff(isempty(ObjectType), \"Service\", ObjectType)\n | where (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | 
invoke _ASIM_ResolveDvcFQDN('CollectorHostName')\n | project-rename\n EventResult = EventOutcome,\n Operation = DeviceAction,\n ActorUsername = SourceUserName,\n SrcIpAddr = SourceIP,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message,\n EventOriginalType = DeviceEventClassID,\n EventUid = _ItemId\n | extend\n Dvc = DvcHostname,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n Src = SrcIpAddr,\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n AdditionalFields = bag_pack(\n \"InfobloxHTTPReqBody\",\n InfobloxHTTPReqBody,\n \"InfobloxHTTPRespBody\",\n InfobloxHTTPRespBody\n ),\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend\n EventCount = toint(1),\n EventProduct = \"BloxOne\",\n EventVendor = \"Infoblox\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Protocol,\n SimplifiedDeviceAction,\n ExternalID,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity,\n Computer,\n ApplicationProtocol,\n ExtID,\n Reason,\n Activity,\n Infoblox*\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)\n", + "version": 1, + "functionParameters": 
"disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftEvent/vimAuditEventMicrosoftEvent.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftEvent/vimAuditEventMicrosoftEvent.json
index 7474e0a6d19..8f4cadc29cb 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftEvent/vimAuditEventMicrosoftEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftEvent/vimAuditEventMicrosoftEvent.json
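Review bot: The saved-search name and `FunctionAlias` in this new template are spelled `vimAuditEventInfbloxBloxOne`, while the file, its directory and the README in this same diff use `vimAuditEventInfobloxBloxOne`; the function is therefore deployed under the misspelled alias, and anything that calls the advertised name (presumably the ASIM AuditEvent union parser) will not resolve it. The two lines should read `"name": "[concat(parameters('Workspace'), '/vimAuditEventInfobloxBloxOne')]"` and `"FunctionAlias": "vimAuditEventInfobloxBloxOne"`. Two smaller inconsistencies with the sibling parsers in this diff: `EventSchemaVersion` is `"0.1"` here but `"0.1.0"` in the Illumio and Microsoft Event parsers, and `eventtype_in` is applied as `EventType has_any (eventtype_in)` where the others use `EventType in (eventtype_in)`, the exact-match form the parameter name implies. Separately, `InfobloxHTTPReqBody` and `InfobloxHTTPRespBody` are copied verbatim into `AdditionalFields`; if those bodies can carry credentials or tokens from the originating API calls, a comment in the query noting that the field is unredacted would help consumers decide who may read it.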
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventMicrosoftEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventMicrosoftEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "vimAuditEventMicrosoftEvent", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear Audit Log Event\nlet 
AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", 
\"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n (\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | extend Operation=EventLevelName\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled 
Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n 
ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", + "category": "ASIM", + "FunctionAlias": "vimAuditEventMicrosoftEvent", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: 
dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear Audit Log Event\nlet AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security 
Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n (\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) 
== 0 or EventData has_any (newvalue_has_any))\n | extend Operation=EventLevelName\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse 
WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n 
srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftExchangeAdmin365/vimAuditEventMicrosoftExchangeAdmin365.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftExchangeAdmin365/vimAuditEventMicrosoftExchangeAdmin365.json index ec5a0d0eeb5..de7b60a0d76 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftExchangeAdmin365/vimAuditEventMicrosoftExchangeAdmin365.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftExchangeAdmin365/vimAuditEventMicrosoftExchangeAdmin365.json 
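Review bot: In the re-added query, `FilteredEventIds` explicitly drops EventID 1102 (`and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102`), yet `ParsedEvents`, the only source feeding every branch of the final `union`, is filtered with `EventID in(FilteredEventIds)`, so the `EventLog` branch (`where EventID in(EventlogEventIds)`) can never match and audit-log-cleared events are silently dropped; I see no separate section for 1102 anywhere in this hunk. Unless that section lives elsewhere, the simplest fix is to delete the `and EventID != 1102 …` clause from the `FilteredEventIds` filter so 1102 flows through `ParsedEvents` with the same eventtype/operation/result filtering as the other IDs, and to remove the now-stale comment. Note also that the closing `project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value` discards the `Object`, `ObjectType` and `NewValue` columns the branches just computed, which looks unintended for an AuditEvent parser and is worth confirming. The query text is identical on the old and new side; the commit itself only lifts the saved search out of the nested `Microsoft.OperationalInsights/workspaces` resource, which is a sound change since the template no longer redeploys the workspace resource with a preview API version.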
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventMicrosoftExchangeAdmin365')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventMicrosoftExchangeAdmin365", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Microsoft Exchange 365 administrative activity", - "category": "ASIM", - "FunctionAlias": "vimAuditEventMicrosoftExchangeAdmin365", - "query": "let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\n[\n // Regular, Regular\n \"Admin\", \"Admin\"\n , \"DcAdmin\", \"Admin\"\n , \"System\", \"System\"\n , \"Application\", \"Application\"\n , \"ServicePrincipal\", \"Service Principal\"\n , \"CustomPolicy\", \"Other\"\n , \"SystemPolicy\", \"Other\"\n , \"Reserved\", \"Other\"\n];\nlet eventtypes=datatable (op:string, EventType:string)\n[\n \"Remove\", \"Delete\",\n \"New\", \"Create\",\n \"Add\", \"Create\",\n \"Enable\", \"Enable\",\n \"Install\", \"Install\",\n \"Set\", \"Set\",\n \"Disable\", \"Disable\",\n \"disable\", \"Disable\"\n];\n let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ){\n OfficeActivity\n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n 
and (isnull(endtime) or TimeGenerated <= endtime)\n | where RecordType in ('ExchangeAdmin')\n | where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ClientIP,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or UserId has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or OfficeObjectId has_any (object_has_any))\n and (array_length(newvalue_has_any) == 0 or Parameters has_any (newvalue_has_any))\n | project Operation, ResultStatus, Parameters, OrganizationName, OrganizationId, OfficeObjectId, ClientIP, UserId, UserKey, UserAgent, UserType, TimeGenerated, OriginatingServer, SourceRecordId, Type, _ResourceId\n // --\n // Calculate and filter result\n | where (eventresult == \"*\" or (eventresult == \"Success\" and ResultStatus == \"True\"))\n | extend EventResult = iff(ResultStatus == \"True\", \"Success\", \"Failure\")\n // --\n // -- Calculate and filter operation and event type\n | extend \n SplitOp = split (Operation,\"-\")\n | extend\n op=tostring(SplitOp[0])\n | lookup eventtypes on op\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | project-away op \n // --\n // Calculate and post-filter source IP address and port\n | extend \n SplitIpAddr = extract_all(@'^\\[?(.*?)\\]?:(\\d+)$', ClientIP)[0]\n | extend \n SrcIpAddr = iff (SplitIpAddr[1] == \"\", ClientIP, SplitIpAddr[0]),\n SrcPortNumber = toint(iff (SplitIpAddr[1] == \"\", \"\", SplitIpAddr[1]))\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))\n // --\n /// Calculate and post filter actor and acting app\n | parse UserId with ActorUsername \" (\" ActingAppName \")\"\n | extend \n ActorUsernameType = iff (ActorUsername == \"\", \"UPN\", \"Windows\"),\n ActorUsername = iff (ActorUsername == \"\", UserId, ActorUsername),\n ActingAppType = iff (ActingAppName == \"\", 
\"\", \"Process\")\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n // --\n // Calculate Object\n | extend\n SplitObject = extract_all(@'^(.*?)[\\\\/](.*)$', OfficeObjectId)[0]\n | extend \n Object = case (\n SplitObject[0] == OrganizationName, SplitObject[1], \n OfficeObjectId == \"\", SplitOp[1],\n OfficeObjectId\n )\n | project-away SplitOp, OfficeObjectId\n // --\n | project-rename\n SrcDescription = OriginatingServer,\n NewValue = Parameters \n | project-away SplitObject, UserKey, SplitIpAddr, ClientIP, UserId\n | project-rename\n HttpUserAgent = UserAgent, \n ActorOriginalUserType = UserType,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId\n | lookup usertypes on ActorOriginalUserType\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Exchange 365',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n TargetAppName = 'Exchange 365',\n TargetAppType = 'SaaS application'\n | project-away \n ResultStatus\n | extend\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n // -- Aliases\n | extend \n User=ActorUsername,\n IpAddr = SrcIpAddr,\n Value = NewValue,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = coalesce (SrcIpAddr, SrcDescription),\n Dvc = TargetAppName,\n // -- Entity identifier explicit aliases\n ActorUserUpn = iif (ActorUsernameType == \"UPN\", ActorUsername, \"\"),\n ActorWindowsUsername = iif (ActorUsernameType == \"Windows\", ActorUsername, \"\")\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n 
disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Microsoft Exchange 365 administrative activity", + "category": "ASIM", + "FunctionAlias": "vimAuditEventMicrosoftExchangeAdmin365", + "query": "let usertypes=datatable (ActorOriginalUserType:string, ActorUserType:string)\n[\n // Regular, Regular\n \"Admin\", \"Admin\"\n , \"DcAdmin\", \"Admin\"\n , \"System\", \"System\"\n , \"Application\", \"Application\"\n , \"ServicePrincipal\", \"Service Principal\"\n , \"CustomPolicy\", \"Other\"\n , \"SystemPolicy\", \"Other\"\n , \"Reserved\", \"Other\"\n];\nlet eventtypes=datatable (op:string, EventType:string)\n[\n \"Remove\", \"Delete\",\n \"New\", \"Create\",\n \"Add\", \"Create\",\n \"Enable\", \"Enable\",\n \"Install\", \"Install\",\n \"Set\", \"Set\",\n \"Disable\", \"Disable\",\n \"disable\", \"Disable\"\n];\n let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ){\n OfficeActivity\n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where RecordType in ('ExchangeAdmin')\n | where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ClientIP,srcipaddr_has_any_prefix))\n and 
(array_length(actorusername_has_any) == 0 or UserId has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or OfficeObjectId has_any (object_has_any))\n and (array_length(newvalue_has_any) == 0 or Parameters has_any (newvalue_has_any))\n | project Operation, ResultStatus, Parameters, OrganizationName, OrganizationId, OfficeObjectId, ClientIP, UserId, UserKey, UserAgent, UserType, TimeGenerated, OriginatingServer, SourceRecordId, Type, _ResourceId\n // --\n // Calculate and filter result\n | where (eventresult == \"*\" or (eventresult == \"Success\" and ResultStatus == \"True\"))\n | extend EventResult = iff(ResultStatus == \"True\", \"Success\", \"Failure\")\n // --\n // -- Calculate and filter operation and event type\n | extend \n SplitOp = split (Operation,\"-\")\n | extend\n op=tostring(SplitOp[0])\n | lookup eventtypes on op\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | project-away op \n // --\n // Calculate and post-filter source IP address and port\n | extend \n SplitIpAddr = extract_all(@'^\\[?(.*?)\\]?:(\\d+)$', ClientIP)[0]\n | extend \n SrcIpAddr = iff (SplitIpAddr[1] == \"\", ClientIP, SplitIpAddr[0]),\n SrcPortNumber = toint(iff (SplitIpAddr[1] == \"\", \"\", SplitIpAddr[1]))\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))\n // --\n /// Calculate and post filter actor and acting app\n | parse UserId with ActorUsername \" (\" ActingAppName \")\"\n | extend \n ActorUsernameType = iff (ActorUsername == \"\", \"UPN\", \"Windows\"),\n ActorUsername = iff (ActorUsername == \"\", UserId, ActorUsername),\n ActingAppType = iff (ActingAppName == \"\", \"\", \"Process\")\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n // --\n // Calculate Object\n | extend\n SplitObject = extract_all(@'^(.*?)[\\\\/](.*)$', 
OfficeObjectId)[0]\n | extend \n Object = case (\n SplitObject[0] == OrganizationName, SplitObject[1], \n OfficeObjectId == \"\", SplitOp[1],\n OfficeObjectId\n )\n | project-away SplitOp, OfficeObjectId\n // --\n | project-rename\n SrcDescription = OriginatingServer,\n NewValue = Parameters \n | project-away SplitObject, UserKey, SplitIpAddr, ClientIP, UserId\n | project-rename\n HttpUserAgent = UserAgent, \n ActorOriginalUserType = UserType,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId\n | lookup usertypes on ActorOriginalUserType\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Exchange 365',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n TargetAppName = 'Exchange 365',\n TargetAppType = 'SaaS application'\n | project-away \n ResultStatus\n | extend\n EventSeverity = iff(EventResult == \"Failure\", \"Low\", \"Informational\")\n // -- Aliases\n | extend \n User=ActorUsername,\n IpAddr = SrcIpAddr,\n Value = NewValue,\n Application = TargetAppName,\n Dst = TargetAppName,\n Src = coalesce (SrcIpAddr, SrcDescription),\n Dvc = TargetAppName,\n // -- Entity identifier explicit aliases\n ActorUserUpn = iif (ActorUsernameType == \"UPN\", ActorUsername, \"\"),\n ActorWindowsUsername = iif (ActorUsernameType == \"Windows\", ActorUsername, \"\")\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftSecurityEvents/vimAuditEventMicrosoftSecurityEvents.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftSecurityEvents/vimAuditEventMicrosoftSecurityEvents.json index 5d1d6e660b5..4bcc414ee88 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftSecurityEvents/vimAuditEventMicrosoftSecurityEvents.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftSecurityEvents/vimAuditEventMicrosoftSecurityEvents.json 
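Review bot: The `eventresult` filter inside the new `query` string (shown here unescaped), `| where (eventresult == "*" or (eventresult == "Success" and ResultStatus == "True"))`, has no branch for `"Failure"`, so a caller asking the filtering parser for failed Exchange admin operations gets an empty result instead of the failures — a silent gap for anyone reviewing unsuccessful administrative changes. The line should read `| where (eventresult == "*" or (eventresult == "Success" and ResultStatus == "True") or (eventresult == "Failure" and ResultStatus != "True"))`, which matches how `EventResult` is derived on the following line. This ARM file appears to be generated from the parser YAML (the convertKqlFunctionYamlToArmTemplate workflow is touched in the same change), so the fix belongs in the YAML source and should be regenerated here rather than hand-edited.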
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", - "category": "ASIM", - "FunctionAlias": "vimAuditEventMicrosoftSecurityEvents", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear 
Audit Log Event\nlet AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load 
Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n union\n (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any)) \n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n ),\n //Section for SecurityEvent(1102)\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in (AuditLogClearedEventID) and EventSourceName == 
\"Microsoft-Windows-Eventlog\"\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))\n and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))\n and (eventresult == '*' or 'Success' =~ eventresult)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend Parsed_EventData = parse_xml(EventData)\n | extend\n SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid),\n SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName),\n SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName),\n SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n or (strcat(SubjectDomainName, '\\\\', SubjectUserName)) has_any (actorusername_has_any)\n | project-away EventData, Parsed_EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, 
ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff 
(DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", + "category": "ASIM", + "FunctionAlias": "vimAuditEventMicrosoftSecurityEvents", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 
7045, 2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear Audit Log Event\nlet AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", 
\"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n union\n (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any)) \n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | parse-kv EventData as \n (\n SubjectUserSid: string,\n SubjectUserName: string,\n SubjectDomainName: string,\n SubjectLogonId: string,\n TaskName: string,\n TaskContent: string,\n TaskContentNew: string,\n ClientProcessId: string,\n DestinationDRA: string,\n 
SourceDRA: string,\n SourceAddr: string,\n ObjectDN: string,\n AttributeValue: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n ),\n //Section for SecurityEvent(1102)\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in (AuditLogClearedEventID) and EventSourceName == \"Microsoft-Windows-Eventlog\"\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))\n and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))\n and (eventresult == '*' or 'Success' =~ eventresult)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend Parsed_EventData = parse_xml(EventData)\n | extend\n SubjectUserSid = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserSid),\n SubjectUserName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectUserName),\n SubjectDomainName = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectDomainName),\n SubjectLogonId = tostring(Parsed_EventData.UserData.LogFileCleared.SubjectLogonId)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n or (strcat(SubjectDomainName, '\\\\', SubjectUserName)) has_any (actorusername_has_any)\n | project-away EventData, Parsed_EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and 
(array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n 
ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer,NewValue,ObjectType,Object,OldValue,Value\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
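Review bot: The two `eventresult` comparisons in the new `query` string disagree on case sensitivity: the `FilteredEventIds` filter uses `EventResult == eventresult`, while the 1102 log-clear branch uses `'Success' =~ eventresult`. A caller passing `eventresult='success'` therefore gets only the 1102 events and `eventresult='failure'` gets nothing at all, with no error to indicate the mismatch. Align them, e.g. `and (eventresult == '*' or EventResult =~ eventresult)` in the `toscalar` filter, or normalize `eventresult` once at the top of the parser. The same query text appears in the vimAuditEventMicrosoftWindowsEvents hunk that begins at the end of this chunk, and as with the other ARM files here it appears to be generated from the parser YAML, so the change belongs there.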
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json index beee6baaff6..accc280c47a 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json 
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuditEventMicrosoftWindowsEvents')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuditEventMicrosoftWindowsEvents",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events",
- "category": "ASIM",
- "FunctionAlias": "vimAuditEventMicrosoftWindowsEvents",
- "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear 
Audit Log Event\nlet AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load 
Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n union\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any)) \n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectUserName has_any (actorusername_has_any) \n | project-away EventData\n 
),\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in (AuditLogClearedEventID) and Provider == \"Microsoft-Windows-Eventlog\"\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))\n and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))\n and (eventresult == '*' or 'Success' =~ eventresult)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n or (strcat(SubjectDomainName, '\\\\', SubjectUserName)) has_any (actorusername_has_any)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away 
Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = 
tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events", + "category": "ASIM", + "FunctionAlias": "vimAuditEventMicrosoftWindowsEvents", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \neventtype_in: dynamic=dynamic([]),\neventresult: string='*',\nactorusername_has_any: dynamic=dynamic([]),\noperation_has_any: dynamic=dynamic([]),\nobject_has_any: dynamic=dynamic([]),\nnewvalue_has_any: dynamic=dynamic([]),\ndisabled: bool = false\n) {\n// Parsed Events Ids\nlet ParsedEventIds = dynamic([4698, 4699, 4700, 4701, 4702, 4929, 5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037, 7035, 7036, 7040, 7045, 
2009, 5136]);\n// Eventlog Event Ids\nlet EventlogEventIds = dynamic([1102]);\n// Scheduled Task Event Ids\nlet ScheduledTaskEventIds = dynamic([4698, 4699, 4700, 4701, 4702]);\n// Active Directory Replica Source Naming Context Event Ids\nlet ActiveDirectoryReplicaIds = dynamic([4929]);\n// Firewall Event Ids\nlet FirewallEventIds = dynamic([5025, 5027, 5028, 5029, 5030, 5034, 5035, 5037]);\n// Service Event Ids\nlet ServiceEventIds = dynamic([7035, 7036, 7040, 7045, 2009]); \n// EventID Lookup\n// Directory Service Object Ids\nlet DirectoryServiceIds = dynamic([5136]);\n// Clear Audit Log Event\nlet AuditLogClearedEventID = dynamic([1102]); \nlet EventIDLookup = datatable(\nEventID: int,\nOperation: string,\nEventType: string,\nObject: string,\nObjectType: string,\nEventResult: string\n)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", 
\"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (eventresult == '*' or EventResult == eventresult)\n and EventID != 1102 // Exclude this EventID, we have separate section for including EventID 1102\n | summarize make_set(EventID)\n );\n let ParsedEvents =\n union\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any)) \n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = 
tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectUserName has_any (actorusername_has_any) \n | project-away EventData\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in (AuditLogClearedEventID) and Provider == \"Microsoft-Windows-Eventlog\"\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))\n and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))\n and (eventresult == '*' or 'Success' =~ eventresult)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n or (strcat(SubjectDomainName, '\\\\', SubjectUserName)) has_any (actorusername_has_any)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID 
in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n 
union\n EventLog,\n ScheduledTask,\n ActiveDirectoryReplica,\n WindowsFirewall,\n ServiceEvent,\n DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\", \"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
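Review bot: In the first `union` branch of `ParsedEvents`, the actor filter applied after the `extend` tests `SubjectUserName has_any (actorusername_has_any)` twice, so a domain-qualified value such as the `DOMAIN\user` form this parser itself emits as `ActorUsername` can never match in that branch, whereas the EventID 1102 branch further down also checks `SubjectDomainName` and the `strcat` form. The query string is carried over unchanged by this hunk, so the defect is pre-existing, but it means a detection rule that filters on a domain-qualified actor through this filtering parser silently drops every non-1102 event. I'd replace the duplicated line with `or SubjectDomainName has_any (actorusername_has_any)` and `or (strcat(SubjectDomainName, '\\\\', SubjectUserName)) has_any (actorusername_has_any)` exactly as they appear in the second branch of the escaped query. Whether the earlier `EventData has_any (actorusername_has_any)` pre-filter already rejects such rows before this point depends on how `has_any` treats the dynamic `EventData` column, which I cannot confirm from the template alone.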
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json
index c95fc8b1a7a..c0c0af86efc 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuditEventSentinelOne')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuditEventSentinelOne",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Audit Event ASIM parser for SentinelOne",
- "category": "ASIM",
- "FunctionAlias": "vimAuditEventSentinelOne",
- "query": "let EventFieldsLookup = datatable(\n activityType_d: real,\n Operation: string,\n EventType_activity: string,\n EventSubType: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", \"Mitigation action\", \"Other\",\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\n 70, \"Policy Setting - Agent Notification On 
Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write setting\", \"Configuration Atom\",\n 105, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 5012, \"Group Token Regenerated\", \"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\n 5025, \"Site Marked As Expired\", \"Disable\", \"\", 
\"Success\", \"\", \"Other\",\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell Settings\", \"Configuration Atom\",\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", 
\"Policy Rule\",\n ];\n let EventFieldsLookupMachineActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_machineactivity: string,\n EventSubType_machineactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n ];\n let EventFieldsLookupAccountActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_accountactivity: string,\n EventSubType_accountactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", \"Success\", \"\", 
\"Other\",\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5044, \"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventFieldsLookup_useractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_useractivity: string,\n EventSubType_useractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\n ];\n let EventFieldsLookup_otheractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_otheractivity: string,\n EventSubType_otheractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\n 59, \"Event Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\n 106, \"User Commanded Agents To Move To Another 
Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\n 107, \"User Created RBAC Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 109, \"User Deleted RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2029, \"Ticket Number Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", \"Success\", \"Hash\", 
\"Other\",\n 3002, \"User Added Blocklist Hash\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\n 3101, \"User Modified Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\n 3501, \"Ranger Settings Modified\", \"Set\", \"\", 
\"Success\", \"Ranger Settings\", \"Configuration Atom\",\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", \"Device Review\", \"Other\",\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\n 3626, \"User 2FA Email Verification Changed\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\n 3651, \"Tag Manager - User Modified Tag\", \"Set\", \"\", \"Success\", 
\"Tag\", \"Other\",\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\n 3654, \"Tag Manager - User Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3774, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", 
\"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\n 5258, \"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", 
\"Policy Rule\",\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5225, \"Firewall Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5235, \"Network 
Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventTypeLookup_onoff = datatable(\n field: string,\n EventType_field: string,\n NewValue_field: string\n )\n [\n \"true\", \"Enable\", \"on\",\n \"false\", \"Disable\", \"off\"\n ];\n let EventTypeLookup_enableddisabled = datatable(\n field: string,\n EventType_fieldenableddisabled: string,\n NewValue_fieldenableddisabled: string\n )\n [\n \"true\", \"Enable\", \"enabled\",\n \"false\", \"Disable\", \"disabled\"\n ];\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\n [\n \"Success\", \"Informational\",\n \"Failure\", \"Low\"\n ];\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\n [\n 4100, \"Medium\",\n 4101, \"High\",\n 2016, \"Medium\",\n 2028, \"Low\",\n 4001, \"Medium\",\n 4002, \"Low\",\n 4007, \"Low\",\n 4008, \"Medium\",\n 4009, \"Medium\",\n 4011, \"High\",\n 2, \"Medium\",\n 2011, \"Low\",\n 2012, \"Low\",\n 2013, \"Medium\",\n 2014, \"Low\",\n 2015, \"Low\",\n 4002, \"Low\",\n 4104, \"High\",\n 4105, \"Medium\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n 
threatInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"false_positive\", 5,\n \"undefined\", 15,\n \"suspicious\", 25,\n \"true_positive\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"false_positive\", 40,\n \"undefined\", 50,\n \"suspicious\", 60,\n \"true_positive\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"false_positive\", 75,\n \"undefined\", 80,\n \"suspicious\", 90,\n \"true_positive\", 100 \n ];\n let parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\n let AllActivityIdsForAudit = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111, 52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101, 130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203, 2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 
5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let activitydata = SentinelOne_CL\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) \n and event_name_s == \"Activities.\" \n and activityType_d in (AllActivityIdsForAudit)\n and (array_length(actorusername_has_any) == 0 or primaryDescription_s has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or primaryDescription_s has_any (newvalue_has_any) or DataFields_s has_any (newvalue_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n | project-away\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s;\n let rawgroupsiteactivitydata = activitydata\n | where activityType_d in (39, 41, 44, 45, 46, 56, 57, 68, 69, 
70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111)\n | parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | project-rename ObjectId = id\n | lookup EventFieldsLookup on activityType_d;\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\n | extend\n EventType = coalesce(EventType_field, EventType_field1),\n NewValue = coalesce(NewValue_field, NewValue_field1);\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\n | where activityType_d in (70, 82, 83, 201)\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n EventType = EventType_fieldenableddisabled,\n NewValue = NewValue_fieldenableddisabled;\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\n | extend EventType = EventType_activity;\n let groupsiteactivitydata = union\n groupsiteactivitydata_onoff,\n groupsiteactivitydata_enabledisabled,\n groupsiteactivitydata_other\n | extend\n ActorUsername = coalesce(username, userName, userFullName),\n Object = coalesce(Object, siteName, oldSiteName),\n NewValue = coalesce(NewValue, newValue),\n OldValue = oldValue;\n let machineactivitydata = activitydata\n | where activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 
4100, 4101)\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupMachineActivity on activityType_d\n | extend\n EventType = EventType_machineactivity,\n EventSubType = EventSubType_machineactivity,\n ThreatCategory = threatClassification,\n OldValue = groupName,\n NewValue = targetGroupName,\n ObjectId = agentId_s\n | extend ActorUsername = coalesce(username, userName)\n | invoke _ASIM_ResolveDvcFQDN('computerName');\n let accountactivitydata = activitydata\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupAccountActivity on activityType_d\n | extend\n EventType = EventType_accountactivity,\n EventSubType = EventSubType_accountactivity,\n Object = coalesce(accountName, cloudProviderAccountName),\n ObjectId = accountId;\n let useractivitydata = activitydata\n | where activityType_d in (88, 114)\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_useractivity on activityType_d\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n ActorUsername = byUser,\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\n EventSubType = EventSubType_useractivity,\n NewValue = NewValue_fieldenableddisabled;\n let rawotheractivitydata = activitydata\n | where activityType_d in (RawOtherActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, email: string, globalTwoFaEnabled: string, 
cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_otheractivity on activityType_d\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\n | extend\n ActorUsername = coalesce(username, userName),\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\n EventSubType = EventSubType_otheractivity,\n Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),\n TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),\n 
ThreatCategory = threatClassification,\n RuleName = ruleName,\n TargetDvcId = deviceId,\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\n | project-rename\n TargetHostname = DstHostname,\n TargetDomain = DstDomain,\n TargetDomainType = DstDomainType,\n TargetFQDN = DstFQDN,\n TargetUrl = consoleUrl;\n let parsedotheractivitydata_eventtype = rawotheractivitydata\n | where activityType_d in (5256, 5258)\n | extend EventType = case(\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\n \"Create\",\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\n \"Delete\",\n \"Set\"\n );\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\n | extend Object = strcat(Object, ' ', value);\n let parsedotheractivitydata_severity = rawotheractivitydata\n | where activityType_d in (2036, 2037, 2030)\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix))\n | extend EventSeverity_specific = case(\n primaryDescription_s has_any (\"to malicious\", \"to True positive\"),\n \"High\", \n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\n \"Medium\",\n primaryDescription_s has \"to False positive\",\n \"Low\",\n \"Informational\"\n );\n let ParsedActivitydata = union\n groupsiteactivitydata,\n machineactivitydata,\n accountactivitydata,\n useractivitydata,\n rawotheractivitydata,\n parsedotheractivitydata_eventtype,\n 
parsedotheractivitydata_objectvalue\n | where activityType_d !in(2030, 2036, 2037)\n | lookup EventSeverityLookup on EventResult\n | lookup EventSeverityLookup_activity on activityType_d\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix));\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\n | where isnotempty(threatId_s)\n | join kind=inner (SentinelOne_CL\n | where event_name_s == \"Threats.\"\n | project\n TimeGenerated,\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s)\n on $left.threatId_s == $right.threatInfo_threatId_s\n | where TimeGenerated1 >= TimeGenerated\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\n let undefineddata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"Undefined\"\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\n let suspiciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\n let maliciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"malicious\"\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\n | extend\n 
ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n AdditionalFields = bag_pack(\n \"threatUpdatedAt\",\n threatInfo_updatedAt_t,\n \"threatAnalystVerdict\",\n threatInfo_analystVerdict_s,\n \"threatIncidentStatus\",\n threatInfo_incidentStatus_s,\n \"mitigationStatus\",\n mitigationStatus_s\n )\n | project-rename\n ThreatId = threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatCategory_threats = threatInfo_classification_s,\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\n | where isempty(threatId_s);\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\n | extend \n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = toint(1),\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\n EventOriginalType = tostring(toint(activityType_d)),\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\")\n | project-rename\n EventStartTime = createdAt_t,\n EventUid = _ItemId,\n EventMessage = primaryDescription_s,\n ActorUserId = userId_s,\n DvcId = agentId_s,\n EventOriginalUid = activityUuid_g\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | extend\n EventEndTime = EventStartTime,\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcHostname, 
DvcId, EventProduct),\n Dst = coalesce(TargetHostname, TargetIpAddr),\n Src = SrcIpAddr,\n Rule = RuleName,\n Value = NewValue\n | project-away\n *_d,\n *_s,\n *_t,\n *_g,\n *_b,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n username,\n userName,\n userFullName,\n newValue,\n policyEnabled,\n siteName,\n oldValue,\n computerName,\n accountName,\n cloudProviderAccountName,\n email,\n globalTwoFaEnabled,\n cloudIntelligenceOn,\n fileDisplayName,\n roleName,\n oldIncidentStatusTitle,\n oldTicketId,\n oldAnalystVerdictTitle,\n oldConfidenceLevel,\n previous,\n oldStatus,\n oldTagName,\n oldTagDescription,\n newIncidentStatusTitle,\n newTicketId,\n newAnalystVerdictTitle,\n newConfidenceLevel,\n newStatus,\n current,\n Status,\n newTagName,\n newTagDescription,\n value,\n rulesAdded,\n rulesRemoved,\n tagsAdded,\n tagsRemoved,\n incidentName,\n ruleName,\n deviceId,\n ip,\n externalIp,\n affectedDevices,\n featureValue,\n featureName,\n recoveryEmail,\n policyName,\n policy,\n tagName,\n gatewayExternalIp,\n gatewayMac,\n threatClassification,\n applicationPath,\n externalId,\n groupName,\n oldSiteName,\n targetGroupName,\n ipAddress,\n EventType_*,\n EventSubType_*,\n EventSeverity_*,\n NewValue_*,\n _ResourceId,\n TimeGenerated1,\n ThreatCategory_*,\n ThreatConfidence_*,\n accountId,\n policyId,\n ruleId,\n byUser\n };\n parser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", - "version": 1, - "functionParameters": 
"disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimAuditEventSentinelOne", + "query": "let EventFieldsLookup = datatable(\n activityType_d: real,\n Operation: string,\n EventType_activity: string,\n EventSubType: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", \"Mitigation action\", \"Other\",\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\n 70, \"Policy Setting - Agent Notification On Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write 
setting\", \"Configuration Atom\",\n 105, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 5012, \"Group Token Regenerated\", \"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\n 5025, \"Site Marked As Expired\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", 
\"Mobile Policy\", \"Policy Rule\",\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell Settings\", \"Configuration Atom\",\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n ];\n let EventFieldsLookupMachineActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_machineactivity: string,\n EventSubType_machineactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: 
string\n )\n [\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n ];\n let EventFieldsLookupAccountActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_accountactivity: string,\n EventSubType_accountactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5044, 
\"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventFieldsLookup_useractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_useractivity: string,\n EventSubType_useractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\n ];\n let EventFieldsLookup_otheractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_otheractivity: string,\n EventSubType_otheractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\n 59, \"Event Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\n 106, \"User Commanded Agents To Move To Another Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\n 107, \"User Created RBAC Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 109, \"User Deleted 
RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2029, \"Ticket Number Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3002, \"User Added Blocklist Hash\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", 
\"Success\", \"Signer Identity\", \"Other\",\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\n 3101, \"User Modified Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\n 3501, \"Ranger Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Configuration Atom\",\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", 
\"Device Review\", \"Other\",\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\n 3626, \"User 2FA Email Verification Changed\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\n 3651, \"Tag Manager - User Modified Tag\", \"Set\", \"\", \"Success\", \"Tag\", \"Other\",\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\n 3654, \"Tag Manager - User 
Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3774, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", 
\"Other\",\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\n 5258, \"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password 
configuration\", \"Configuration Atom\",\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5225, \"Firewall Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5235, \"Network Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", 
\"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventTypeLookup_onoff = datatable(\n field: string,\n EventType_field: string,\n NewValue_field: string\n )\n [\n \"true\", \"Enable\", \"on\",\n \"false\", \"Disable\", \"off\"\n ];\n let EventTypeLookup_enableddisabled = datatable(\n field: string,\n EventType_fieldenableddisabled: string,\n NewValue_fieldenableddisabled: string\n )\n [\n \"true\", \"Enable\", \"enabled\",\n \"false\", \"Disable\", \"disabled\"\n ];\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\n [\n \"Success\", \"Informational\",\n \"Failure\", \"Low\"\n ];\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\n [\n 4100, \"Medium\",\n 4101, \"High\",\n 2016, \"Medium\",\n 2028, \"Low\",\n 4001, \"Medium\",\n 4002, \"Low\",\n 4007, \"Low\",\n 4008, \"Medium\",\n 4009, \"Medium\",\n 4011, \"High\",\n 2, \"Medium\",\n 2011, \"Low\",\n 2012, \"Low\",\n 2013, \"Medium\",\n 2014, \"Low\",\n 2015, \"Low\",\n 4002, \"Low\",\n 4104, \"High\",\n 4105, \"Medium\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"false_positive\", 5,\n \"undefined\", 15,\n \"suspicious\", 25,\n \"true_positive\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n 
threatInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"false_positive\", 40,\n \"undefined\", 50,\n \"suspicious\", 60,\n \"true_positive\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"false_positive\", 75,\n \"undefined\", 80,\n \"suspicious\", 90,\n \"true_positive\", 100 \n ];\n let parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\n let AllActivityIdsForAudit = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111, 52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101, 130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203, 2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let RawOtherActivityIds = 
dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let activitydata = SentinelOne_CL\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) \n and event_name_s == \"Activities.\" \n and activityType_d in (AllActivityIdsForAudit)\n and (array_length(actorusername_has_any) == 0 or primaryDescription_s has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or primaryDescription_s has_any (newvalue_has_any) or DataFields_s has_any (newvalue_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n | project-away\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s;\n let rawgroupsiteactivitydata = activitydata\n | where activityType_d in (39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111)\n | parse-kv DataFields_s as (username: 
string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | project-rename ObjectId = id\n | lookup EventFieldsLookup on activityType_d;\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\n | extend\n EventType = coalesce(EventType_field, EventType_field1),\n NewValue = coalesce(NewValue_field, NewValue_field1);\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\n | where activityType_d in (70, 82, 83, 201)\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n EventType = EventType_fieldenableddisabled,\n NewValue = NewValue_fieldenableddisabled;\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\n | extend EventType = EventType_activity;\n let groupsiteactivitydata = union\n groupsiteactivitydata_onoff,\n groupsiteactivitydata_enabledisabled,\n groupsiteactivitydata_other\n | extend\n ActorUsername = coalesce(username, userName, userFullName),\n Object = coalesce(Object, siteName, oldSiteName),\n NewValue = coalesce(NewValue, newValue),\n OldValue = oldValue;\n let machineactivitydata = activitydata\n | where activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", 
kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupMachineActivity on activityType_d\n | extend\n EventType = EventType_machineactivity,\n EventSubType = EventSubType_machineactivity,\n ThreatCategory = threatClassification,\n OldValue = groupName,\n NewValue = targetGroupName,\n ObjectId = agentId_s\n | extend ActorUsername = coalesce(username, userName)\n | invoke _ASIM_ResolveDvcFQDN('computerName');\n let accountactivitydata = activitydata\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupAccountActivity on activityType_d\n | extend\n EventType = EventType_accountactivity,\n EventSubType = EventSubType_accountactivity,\n Object = coalesce(accountName, cloudProviderAccountName),\n ObjectId = accountId;\n let useractivitydata = activitydata\n | where activityType_d in (88, 114)\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_useractivity on activityType_d\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n ActorUsername = byUser,\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\n EventSubType = EventSubType_useractivity,\n NewValue = NewValue_fieldenableddisabled;\n let rawotheractivitydata = activitydata\n | where activityType_d in (RawOtherActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, email: string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, 
oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_otheractivity on activityType_d\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\n | extend\n ActorUsername = coalesce(username, userName),\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\n EventSubType = EventSubType_otheractivity,\n Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, policyName, tagName),\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),\n TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),\n ThreatCategory = threatClassification,\n RuleName = ruleName,\n TargetDvcId = deviceId,\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\n | project-rename\n 
TargetHostname = DstHostname,\n TargetDomain = DstDomain,\n TargetDomainType = DstDomainType,\n TargetFQDN = DstFQDN,\n TargetUrl = consoleUrl;\n let parsedotheractivitydata_eventtype = rawotheractivitydata\n | where activityType_d in (5256, 5258)\n | extend EventType = case(\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\n \"Create\",\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\n \"Delete\",\n \"Set\"\n );\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\n | extend Object = strcat(Object, ' ', value);\n let parsedotheractivitydata_severity = rawotheractivitydata\n | where activityType_d in (2036, 2037, 2030)\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix))\n | extend EventSeverity_specific = case(\n primaryDescription_s has_any (\"to malicious\", \"to True positive\"),\n \"High\", \n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\n \"Medium\",\n primaryDescription_s has \"to False positive\",\n \"Low\",\n \"Informational\"\n );\n let ParsedActivitydata = union\n groupsiteactivitydata,\n machineactivitydata,\n accountactivitydata,\n useractivitydata,\n rawotheractivitydata,\n parsedotheractivitydata_eventtype,\n parsedotheractivitydata_objectvalue\n | where activityType_d !in(2030, 2036, 2037)\n | lookup EventSeverityLookup on EventResult\n | lookup EventSeverityLookup_activity on activityType_d\n | where (eventresult == \"*\" or EventResult =~ 
eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix));\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\n | where isnotempty(threatId_s)\n | join kind=inner (SentinelOne_CL\n | where event_name_s == \"Threats.\"\n | project\n TimeGenerated,\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s)\n on $left.threatId_s == $right.threatInfo_threatId_s\n | where TimeGenerated1 >= TimeGenerated\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\n let undefineddata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"Undefined\"\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\n let suspiciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\n let maliciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"malicious\"\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n AdditionalFields = bag_pack(\n \"threatUpdatedAt\",\n threatInfo_updatedAt_t,\n \"threatAnalystVerdict\",\n 
threatInfo_analystVerdict_s,\n \"threatIncidentStatus\",\n threatInfo_incidentStatus_s,\n \"mitigationStatus\",\n mitigationStatus_s\n )\n | project-rename\n ThreatId = threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatCategory_threats = threatInfo_classification_s,\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\n | where isempty(threatId_s);\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\n | extend \n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = toint(1),\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\n EventOriginalType = tostring(toint(activityType_d)),\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\")\n | project-rename\n EventStartTime = createdAt_t,\n EventUid = _ItemId,\n EventMessage = primaryDescription_s,\n ActorUserId = userId_s,\n DvcId = agentId_s,\n EventOriginalUid = activityUuid_g\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | extend\n EventEndTime = EventStartTime,\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n Dst = coalesce(TargetHostname, TargetIpAddr),\n Src = SrcIpAddr,\n Rule = RuleName,\n Value = NewValue\n | project-away\n *_d,\n *_s,\n *_t,\n *_g,\n *_b,\n Computer,\n MG,\n ManagementGroupName,\n 
RawData,\n SourceSystem,\n TenantId,\n username,\n userName,\n userFullName,\n newValue,\n policyEnabled,\n siteName,\n oldValue,\n computerName,\n accountName,\n cloudProviderAccountName,\n email,\n globalTwoFaEnabled,\n cloudIntelligenceOn,\n fileDisplayName,\n roleName,\n oldIncidentStatusTitle,\n oldTicketId,\n oldAnalystVerdictTitle,\n oldConfidenceLevel,\n previous,\n oldStatus,\n oldTagName,\n oldTagDescription,\n newIncidentStatusTitle,\n newTicketId,\n newAnalystVerdictTitle,\n newConfidenceLevel,\n newStatus,\n current,\n Status,\n newTagName,\n newTagDescription,\n value,\n rulesAdded,\n rulesRemoved,\n tagsAdded,\n tagsRemoved,\n incidentName,\n ruleName,\n deviceId,\n ip,\n externalIp,\n affectedDevices,\n featureValue,\n featureName,\n recoveryEmail,\n policyName,\n policy,\n tagName,\n gatewayExternalIp,\n gatewayMac,\n threatClassification,\n applicationPath,\n externalId,\n groupName,\n oldSiteName,\n targetGroupName,\n ipAddress,\n EventType_*,\n EventSubType_*,\n EventSeverity_*,\n NewValue_*,\n _ResourceId,\n TimeGenerated1,\n ThreatCategory_*,\n ThreatConfidence_*,\n accountId,\n policyId,\n ruleId,\n byUser\n };\n parser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventVMwareCarbonBlackCloud/vimAuditEventVMwareCarbonBlackCloud.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventVMwareCarbonBlackCloud/vimAuditEventVMwareCarbonBlackCloud.json
index 3599c51469e..233bb45d9b3 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventVMwareCarbonBlackCloud/vimAuditEventVMwareCarbonBlackCloud.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventVMwareCarbonBlackCloud/vimAuditEventVMwareCarbonBlackCloud.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimAuditEventVMwareCarbonBlackCloud", - "query": "let EventTypeLookup = datatable(temp_type: string, EventType: string)[\n \"created\", \"Create\",\n \"updated\", \"Set\",\n \"deleted\", \"Delete\",\n \"added\", \"Create\",\n \"modified\", \"Set\"\n];\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventtype_in: dynamic=dynamic([]), \n eventresult: string='*', \n actorusername_has_any: dynamic=dynamic([]), \n operation_has_any: dynamic=dynamic([]), \n object_has_any: dynamic=dynamic([]), \n newvalue_has_any: dynamic=dynamic([]), \n disabled: bool = false\n ) {\n let allData = CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n and not(description_s has_any (\"logged in\", \"login\"))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(clientIp_s, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or loginName_s has_any (actorusername_has_any))\n and (array_length(object_has_any) == 0 or description_s has_any (object_has_any))\n and 
(array_length(newvalue_has_any) == 0 or description_s has_any (newvalue_has_any))\n and (array_length(operation_has_any) == 0 or description_s has_any (operation_has_any));\n let Enabled = allData\n | where description_s has_cs \"Enabled\"\n | parse description_s with \"Enabled \" temp_object1: string \" in policy \" temp_restmessage1: string\n | parse description_s with \"Enabled \" temp_object2: string \" with \" temp_restmessage2: string\n | parse description_s with temp_object3: string \" Enabled \" temp_restmessage3: string\n | extend\n EventType = \"Enable\",\n Operation = description_s,\n Object = coalesce(temp_object1, temp_object2, temp_object3),\n ObjectType = iff(description_s has \"policy\", \"Policy Rule\", \"Configuration Atom\"),\n EventSeverity1 = iff(description_s has \"Sensor Bypass\", \"Low\", \"Informational\");\n let Set = allData\n | where description_s startswith \"Set\"\n | parse description_s with \"Set \" temp_field_s: string \" to \" NewValue: string \" for device(s): \" temp_deviceid_s: string\n | parse temp_deviceid_s with TargetFQDN: string \" (ID: \" TargetDvcId: string \")\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n Object = temp_field_s,\n EventType = \"Set\",\n Operation = strcat(\"Set \", temp_field_s, \" to \", NewValue),\n ObjectType = \"Configuration Atom\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s);\n let AlertNotify = allData\n | where description_s has \"alert notification\"\n | parse-kv description_s as (name: string) with (pair_delimiter=\" \", kv_delimiter=\":\")\n | parse description_s with temp_type: string \" alert notification \" temp_restmessage: string\n | extend\n Operation = strcat(temp_type, \" alert notification\"),\n temp_type = tolower(temp_type),\n Object = coalesce(name, \"alert notification\"),\n ObjectType = \"Service\"\n | lookup EventTypeLookup on temp_type;\n let CustomRole = allData\n | where description_s has \"custom role\"\n | parse description_s with temp_type1: 
string \" custom role \" temp_rolename1: string \" (psc:role:\" temp_roleid1: string \")\" temp_restmessage1: string \n | parse description_s with * \" role \" temp_rolename2: string \" (psc:role:\" temp_roleid2: string \") \" temp_type2: string \" with\" temp_restmessage2: string\n | extend\n temp_type = tolower(coalesce(temp_type1, temp_type2)),\n Object = coalesce(temp_rolename1, temp_rolename2),\n ObjectType = \"Other\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" custom role \", Object),\n AdditionalFields = bag_pack(\"role id\", coalesce(temp_roleid1, temp_roleid2));\n let Policy = allData\n | where description_s startswith \"Policy\"\n | parse description_s with \"Policy \" temp_policyname1: string \" (ID: \" temp_policyid1 \") \" temp_type1: string \" successfully\"\n | parse description_s with \"Policy \" temp_policyname2: string \" (ID: \" temp_policyid2: string \") \" temp_type2: string \" and renamed to \" NewValue: string \" (ID: \" temp_restmessage2: string\n | parse description_s with \"Policy \" temp_policyname3: string \" (ID: \" temp_policyid3 \") \" temp_type3: string\n | extend\n Object = coalesce(temp_policyname1, temp_policyname2, temp_policyname3),\n ObjectType = \"Policy Rule\",\n temp_type = replace_regex(coalesce(temp_type1, temp_type2, temp_type3), @'[is,was]* (\\S+)', @'\\1'),\n OldValue = temp_policyname2,\n AdditionalFields = bag_pack(\"policy id\", coalesce(temp_policyid1, temp_policyid2, temp_policyid3))\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = iff(isnotempty(temp_type2), strcat(\"Policy \", Object, \" \", temp_type, \" and renamed to \", NewValue), strcat(\"Policy \", Object, \" \", temp_type));\n let Changed = allData\n | where description_s startswith \"Changed policy\"\n | parse description_s with temp_operation_s: string \" to \" NewValue: string \")\" * \"device(s): \" temp_deviceid_s: string \n | extend\n EventType = \"Set\",\n Operation = 
strcat(temp_operation_s, \" to \", NewValue),\n Object = NewValue,\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let ParamsUpdated = allData\n | where description_s startswith \"Parameters updated\"\n | parse description_s with \"Parameters updated for \" temp_config1: string \" (ID: \" temp_configid1: string \") for policy \" temp_policyname1: string \" (ID: \" temp_policyid1: string \")\" temp_restmessage1: string\n | parse description_s with \"Parameters updated for \" temp_config2: string \" (ID: \" temp_configid2: string \") for policy with ID \" temp_policyid2: string\n | extend\n temp_operation = coalesce(temp_config1, temp_config2),\n temp_configid = coalesce(temp_configid1, temp_configid2)\n | extend\n EventType = \"Set\", \n Operation = strcat(\"Parameters updated for \", temp_operation, \" for policy \", temp_policyname1, tostring(split(temp_policyid2, \"{\")[0])),\n Object = strcat(\"Policy \", coalesce(temp_policyname1, temp_policyid2)),\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"config id\", temp_configid);\n let Reputation = allData\n | where description_s has_cs \"Reputation\"\n | parse description_s with \"User \" * \" \" temp_type1: string \" Reputation\" * \" for Organization ID \" temp_orgid1: string \" of type \" temp_reptype1: string \" to \" temp_list1: string \" with content: \" temp_content1: string \" | \" temp_restmessage1: string\n | parse description_s with \"User \" * \" \" temp_type2: string \" Reputation\" * \" for Organization ID \" temp_orgid2: string \": \" temp_content2: string \" | \" temp_restmessage2: string\n | extend\n temp_type = coalesce(temp_type1, temp_type2),\n Object = iff(isnotempty(temp_reptype1), strcat(\"Reputation Override of type \", temp_reptype1), \"Reputation Override\"),\n ObjectType = \"Configuration Atom\"\n | lookup EventTypeLookup on 
temp_type\n | extend\n Operation = strcat(temp_type, \" \", Object),\n ActorScopeId = coalesce(temp_orgid1, temp_orgid2),\n AdditionalFields = bag_pack(\"reputation value\", coalesce(temp_content1, temp_content2));\n let PolicyUpdateApplied = allData\n | where description_s has \"Policy update applied\"\n | parse description_s with * \"policy to \" Object: string\n | extend\n EventType = \"Set\",\n Operation = \"Policy update applied\",\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\"\n ;\n let auto_deletion = allData\n | where description_s has_all (\"auto-deletion\", \"devices\")\n | parse description_s with TargetFQDN: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"auto-deletion\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Hash_Deleted = allData\n | where description_s startswith \"Hash - \"\n | parse description_s with \"Hash - \" HashName_s: string \" \" * \"on device \" TargetFQDN: string\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Request\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\";\n let Failure_Deleting_Hash = allData\n | where description_s startswith \"Failure deleting hash\"\n | parse description_s with \"Failure deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Failure\";\n let Delete_Hash = allData\n | where description_s startswith \"Delete Hash\"\n | parse description_s with \"Delete Hash \" HashName_s: string \" \" * \"device(s): \" temp_deviceid_s: string\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Hash\",\n Object = 
HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let Success_Deleting_Hash = allData\n | where description_s startswith \"Success deleting hash\"\n | parse description_s with \"Success deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Success\";\n let DeviceUninstalled = allData\n | where description_s has_all (\"Device\", \"uninstalled\")\n | parse description_s with \"Device \" TargetFQDN: string \" with deviceId \" TargetDvcId: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Uninstall\",\n Operation = \"Uninstall\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let DeviceReset = allData\n | where description_s startswith (\"Device reset requested\")\n | parse description_s with \"Device reset requested on device \" TargetDvcId: string\n | extend \n EventType = \"Set\",\n Operation = \"Device reset\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let CreateOrModifyPolicy = allData\n | where description_s startswith \"Request received to\"\n | parse description_s with * \"policy \" Object: string\n | extend\n EventType = case(\n description_s has \"modify policy\",\n \"Set\", \n description_s has \"create new policy\",\n \"Create\",\n \"\"\n ),\n Operation = case(\n description_s has \"modify policy\",\n \"modify policy\", \n description_s has \"create new policy\",\n \"create new policy\",\n \"\"\n ),\n Object = replace_string(Object, \"- \", \"\"),\n 
ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\";\n let LogsRequested = allData\n | where description_s startswith (\"Logs requested\")\n | parse description_s with \"Logs requested for device \" TargetDvcId: string\n | extend \n EventType = \"Read\",\n Operation = \"Logs requested\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Re_Registration = allData\n | where description_s startswith \"Re-registration of device\"\n | parse description_s with \"Re-registration of device\" TargetFQDN: string \" of \" TargetDvcId: string \" device completed\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Enable\",\n Operation = \"Re-registration of device\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n union\n Enabled,\n Set,\n AlertNotify,\n CustomRole,\n Policy,\n Changed,\n ParamsUpdated,\n Reputation,\n PolicyUpdateApplied,\n auto_deletion,\n Hash_Deleted,\n Failure_Deleting_Hash,\n Delete_Hash,\n Success_Deleting_Hash,\n DeviceUninstalled,\n DeviceReset,\n CreateOrModifyPolicy,\n LogsRequested,\n Re_Registration\n | extend EventResult = iif(isnotempty(EventResult), EventResult, \"Success\")\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventSeverity = coalesce(EventSeverity1, \"Informational\"),\n AdditionalFields = bag_merge(AdditionalFields, bag_pack(\"flagged\", flagged_b, \"request url\", requestUrl_s))\n | extend\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventVendor = \"VMware\",\n EventCount = int(1)\n | 
project-rename\n ActorUsername = loginName_s,\n EventUid = _ItemId,\n SrcIpAddr = clientIp_s,\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n ActorScope = orgName_s\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n User = ActorUsername,\n Value = NewValue,\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | project-away \n *_s,\n *_d,\n *_b,\n temp*,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ResourceId,\n name,\n EventSeverity1\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n eventtype_in=eventtype_in, \n eventresult=eventresult, \n actorusername_has_any=actorusername_has_any, \n operation_has_any=operation_has_any, \n object_has_any=object_has_any, \n newvalue_has_any=newvalue_has_any, \n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimAuditEventVMwareCarbonBlackCloud", + "query": "let EventTypeLookup = datatable(temp_type: string, EventType: string)[\n \"created\", \"Create\",\n \"updated\", \"Set\",\n \"deleted\", \"Delete\",\n \"added\", \"Create\",\n \"modified\", \"Set\"\n];\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n 
srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventtype_in: dynamic=dynamic([]), \n eventresult: string='*', \n actorusername_has_any: dynamic=dynamic([]), \n operation_has_any: dynamic=dynamic([]), \n object_has_any: dynamic=dynamic([]), \n newvalue_has_any: dynamic=dynamic([]), \n disabled: bool = false\n ) {\n let allData = CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n and not(description_s has_any (\"logged in\", \"login\"))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(clientIp_s, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or loginName_s has_any (actorusername_has_any))\n and (array_length(object_has_any) == 0 or description_s has_any (object_has_any))\n and (array_length(newvalue_has_any) == 0 or description_s has_any (newvalue_has_any))\n and (array_length(operation_has_any) == 0 or description_s has_any (operation_has_any));\n let Enabled = allData\n | where description_s has_cs \"Enabled\"\n | parse description_s with \"Enabled \" temp_object1: string \" in policy \" temp_restmessage1: string\n | parse description_s with \"Enabled \" temp_object2: string \" with \" temp_restmessage2: string\n | parse description_s with temp_object3: string \" Enabled \" temp_restmessage3: string\n | extend\n EventType = \"Enable\",\n Operation = description_s,\n Object = coalesce(temp_object1, temp_object2, temp_object3),\n ObjectType = iff(description_s has \"policy\", \"Policy Rule\", \"Configuration Atom\"),\n EventSeverity1 = iff(description_s has \"Sensor Bypass\", \"Low\", \"Informational\");\n let Set = allData\n | where description_s startswith \"Set\"\n | parse description_s with \"Set \" temp_field_s: string \" to \" NewValue: string \" for device(s): \" temp_deviceid_s: string\n | parse temp_deviceid_s with TargetFQDN: string \" (ID: \" TargetDvcId: string \")\" *\n | invoke 
_ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n Object = temp_field_s,\n EventType = \"Set\",\n Operation = strcat(\"Set \", temp_field_s, \" to \", NewValue),\n ObjectType = \"Configuration Atom\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s);\n let AlertNotify = allData\n | where description_s has \"alert notification\"\n | parse-kv description_s as (name: string) with (pair_delimiter=\" \", kv_delimiter=\":\")\n | parse description_s with temp_type: string \" alert notification \" temp_restmessage: string\n | extend\n Operation = strcat(temp_type, \" alert notification\"),\n temp_type = tolower(temp_type),\n Object = coalesce(name, \"alert notification\"),\n ObjectType = \"Service\"\n | lookup EventTypeLookup on temp_type;\n let CustomRole = allData\n | where description_s has \"custom role\"\n | parse description_s with temp_type1: string \" custom role \" temp_rolename1: string \" (psc:role:\" temp_roleid1: string \")\" temp_restmessage1: string \n | parse description_s with * \" role \" temp_rolename2: string \" (psc:role:\" temp_roleid2: string \") \" temp_type2: string \" with\" temp_restmessage2: string\n | extend\n temp_type = tolower(coalesce(temp_type1, temp_type2)),\n Object = coalesce(temp_rolename1, temp_rolename2),\n ObjectType = \"Other\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" custom role \", Object),\n AdditionalFields = bag_pack(\"role id\", coalesce(temp_roleid1, temp_roleid2));\n let Policy = allData\n | where description_s startswith \"Policy\"\n | parse description_s with \"Policy \" temp_policyname1: string \" (ID: \" temp_policyid1 \") \" temp_type1: string \" successfully\"\n | parse description_s with \"Policy \" temp_policyname2: string \" (ID: \" temp_policyid2: string \") \" temp_type2: string \" and renamed to \" NewValue: string \" (ID: \" temp_restmessage2: string\n | parse description_s with \"Policy \" temp_policyname3: string \" (ID: \" temp_policyid3 \") \" 
temp_type3: string\n | extend\n Object = coalesce(temp_policyname1, temp_policyname2, temp_policyname3),\n ObjectType = \"Policy Rule\",\n temp_type = replace_regex(coalesce(temp_type1, temp_type2, temp_type3), @'[is,was]* (\\S+)', @'\\1'),\n OldValue = temp_policyname2,\n AdditionalFields = bag_pack(\"policy id\", coalesce(temp_policyid1, temp_policyid2, temp_policyid3))\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = iff(isnotempty(temp_type2), strcat(\"Policy \", Object, \" \", temp_type, \" and renamed to \", NewValue), strcat(\"Policy \", Object, \" \", temp_type));\n let Changed = allData\n | where description_s startswith \"Changed policy\"\n | parse description_s with temp_operation_s: string \" to \" NewValue: string \")\" * \"device(s): \" temp_deviceid_s: string \n | extend\n EventType = \"Set\",\n Operation = strcat(temp_operation_s, \" to \", NewValue),\n Object = NewValue,\n ObjectType = \"Policy Rule\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let ParamsUpdated = allData\n | where description_s startswith \"Parameters updated\"\n | parse description_s with \"Parameters updated for \" temp_config1: string \" (ID: \" temp_configid1: string \") for policy \" temp_policyname1: string \" (ID: \" temp_policyid1: string \")\" temp_restmessage1: string\n | parse description_s with \"Parameters updated for \" temp_config2: string \" (ID: \" temp_configid2: string \") for policy with ID \" temp_policyid2: string\n | extend\n temp_operation = coalesce(temp_config1, temp_config2),\n temp_configid = coalesce(temp_configid1, temp_configid2)\n | extend\n EventType = \"Set\", \n Operation = strcat(\"Parameters updated for \", temp_operation, \" for policy \", temp_policyname1, tostring(split(temp_policyid2, \"{\")[0])),\n Object = strcat(\"Policy \", coalesce(temp_policyname1, temp_policyid2)),\n ObjectType = \"Policy Rule\",\n 
AdditionalFields = bag_pack(\"config id\", temp_configid);\n let Reputation = allData\n | where description_s has_cs \"Reputation\"\n | parse description_s with \"User \" * \" \" temp_type1: string \" Reputation\" * \" for Organization ID \" temp_orgid1: string \" of type \" temp_reptype1: string \" to \" temp_list1: string \" with content: \" temp_content1: string \" | \" temp_restmessage1: string\n | parse description_s with \"User \" * \" \" temp_type2: string \" Reputation\" * \" for Organization ID \" temp_orgid2: string \": \" temp_content2: string \" | \" temp_restmessage2: string\n | extend\n temp_type = coalesce(temp_type1, temp_type2),\n Object = iff(isnotempty(temp_reptype1), strcat(\"Reputation Override of type \", temp_reptype1), \"Reputation Override\"),\n ObjectType = \"Configuration Atom\"\n | lookup EventTypeLookup on temp_type\n | extend\n Operation = strcat(temp_type, \" \", Object),\n ActorScopeId = coalesce(temp_orgid1, temp_orgid2),\n AdditionalFields = bag_pack(\"reputation value\", coalesce(temp_content1, temp_content2));\n let PolicyUpdateApplied = allData\n | where description_s has \"Policy update applied\"\n | parse description_s with * \"policy to \" Object: string\n | extend\n EventType = \"Set\",\n Operation = \"Policy update applied\",\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\"\n ;\n let auto_deletion = allData\n | where description_s has_all (\"auto-deletion\", \"devices\")\n | parse description_s with TargetFQDN: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n Operation = \"auto-deletion\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Hash_Deleted = allData\n | where description_s startswith \"Hash - \"\n | parse description_s with \"Hash - \" HashName_s: string \" \" * \"on device \" TargetFQDN: string\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Delete\",\n 
Operation = \"Delete Request\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\";\n let Failure_Deleting_Hash = allData\n | where description_s startswith \"Failure deleting hash\"\n | parse description_s with \"Failure deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Failure\";\n let Delete_Hash = allData\n | where description_s startswith \"Delete Hash\"\n | parse description_s with \"Delete Hash \" HashName_s: string \" \" * \"device(s): \" temp_deviceid_s: string\n | extend\n EventType = \"Delete\",\n Operation = \"Delete Hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n AdditionalFields = bag_pack(\"devices\", temp_deviceid_s),\n TargetDvcId = iff(temp_deviceid_s contains ',', split(temp_deviceid_s, ',', 0), temp_deviceid_s);\n let Success_Deleting_Hash = allData\n | where description_s startswith \"Success deleting hash\"\n | parse description_s with \"Success deleting hash '\" HashName_s: string \"'\" * \"device '\" TargetDvcId: string \"'\" * \"Reason: \" EventResultDetails: string\n | extend\n EventType = \"Delete\",\n Operation = \"Deleting hash\",\n Object = HashName_s,\n ObjectType = \"Configuration Atom\",\n OriginalObjectType = \"Hash\",\n EventResult = \"Success\";\n let DeviceUninstalled = allData\n | where description_s has_all (\"Device\", \"uninstalled\")\n | parse description_s with \"Device \" TargetFQDN: string \" with deviceId \" TargetDvcId: string \" \" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Uninstall\",\n Operation = \"Uninstall\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let DeviceReset 
= allData\n | where description_s startswith (\"Device reset requested\")\n | parse description_s with \"Device reset requested on device \" TargetDvcId: string\n | extend \n EventType = \"Set\",\n Operation = \"Device reset\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let CreateOrModifyPolicy = allData\n | where description_s startswith \"Request received to\"\n | parse description_s with * \"policy \" Object: string\n | extend\n EventType = case(\n description_s has \"modify policy\",\n \"Set\", \n description_s has \"create new policy\",\n \"Create\",\n \"\"\n ),\n Operation = case(\n description_s has \"modify policy\",\n \"modify policy\", \n description_s has \"create new policy\",\n \"create new policy\",\n \"\"\n ),\n Object = replace_string(Object, \"- \", \"\"),\n ObjectType = \"Policy Rule\",\n OriginalObjectType = \"Policy\";\n let LogsRequested = allData\n | where description_s startswith (\"Logs requested\")\n | parse description_s with \"Logs requested for device \" TargetDvcId: string\n | extend \n EventType = \"Read\",\n Operation = \"Logs requested\",\n Object = TargetDvcId,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n let Re_Registration = allData\n | where description_s startswith \"Re-registration of device\"\n | parse description_s with \"Re-registration of device\" TargetFQDN: string \" of \" TargetDvcId: string \" device completed\" *\n | invoke _ASIM_ResolveFQDN (\"TargetFQDN\")\n | extend\n EventType = \"Enable\",\n Operation = \"Re-registration of device\",\n Object = TargetFQDN,\n ObjectType = \"Directory Service Object\",\n OriginalObjectType = \"Device\";\n union\n Enabled,\n Set,\n AlertNotify,\n CustomRole,\n Policy,\n Changed,\n ParamsUpdated,\n Reputation,\n PolicyUpdateApplied,\n auto_deletion,\n Hash_Deleted,\n Failure_Deleting_Hash,\n Delete_Hash,\n Success_Deleting_Hash,\n DeviceUninstalled,\n DeviceReset,\n 
CreateOrModifyPolicy,\n LogsRequested,\n Re_Registration\n | extend EventResult = iif(isnotempty(EventResult), EventResult, \"Success\")\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventSeverity = coalesce(EventSeverity1, \"Informational\"),\n AdditionalFields = bag_merge(AdditionalFields, bag_pack(\"flagged\", flagged_b, \"request url\", requestUrl_s))\n | extend\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventVendor = \"VMware\",\n EventCount = int(1)\n | project-rename\n ActorUsername = loginName_s,\n EventUid = _ItemId,\n SrcIpAddr = clientIp_s,\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n ActorScope = orgName_s\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n User = ActorUsername,\n Value = NewValue,\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | project-away \n *_s,\n *_d,\n *_b,\n temp*,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ResourceId,\n name,\n EventSeverity1\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n eventtype_in=eventtype_in, \n eventresult=eventresult, \n actorusername_has_any=actorusername_has_any, \n operation_has_any=operation_has_any, \n object_has_any=object_has_any, \n newvalue_has_any=newvalue_has_any, \n disabled=disabled\n)\n", + "version": 1, + 
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json
index 941440de568..fc13fdae89d 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuditEventVectraXDRAudit')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuditEventVectraXDRAudit", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Audit Event ASIM filtering parser for Vectra XDR Audit Logs Event", - "category": "ASIM", - "FunctionAlias": "vimAuditEventVectraXDRAudit", - "query": "let parser = (disabled:bool = false, eventresult:string='*', starttime:datetime=datetime(null), endtime:datetime=datetime(null), actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | where (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime) and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any)) or (array_length(actorusername_has_any) == 0 or username_s has_any (actorusername_has_any)) and (array_length(operation_has_any) == 0 or event_action_s has_any (operation_has_any)) and (array_length(object_has_any) == 0 or event_object_s has_any (object_has_any))\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = 'Other',\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = 
\"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | where ('*' in (eventresult) or EventResult in (eventresult))\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, eventresult=eventresult, starttime=starttime, endtime=endtime, actorusername_has_any=actorusername_has_any,operation_has_any=operation_has_any,object_has_any=object_has_any)", - "version": 1, - "functionParameters": "disabled:bool=False,eventresult:string='*',starttime:datetime=datetime(null),endtime:datetime=datetime(null),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([])" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM filtering parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "vimAuditEventVectraXDRAudit", + "query": "let parser = (disabled:bool = false, eventresult:string='*', starttime:datetime=datetime(null), endtime:datetime=datetime(null), actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | where (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime) and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any)) or (array_length(actorusername_has_any) == 0 or username_s has_any 
(actorusername_has_any)) and (array_length(operation_has_any) == 0 or event_action_s has_any (operation_has_any)) and (array_length(object_has_any) == 0 or event_object_s has_any (object_has_any))\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = 'Other',\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | where ('*' in (eventresult) or EventResult in (eventresult))\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, eventresult=eventresult, starttime=starttime, endtime=endtime, actorusername_has_any=actorusername_has_any,operation_has_any=operation_has_any,object_has_any=object_has_any)", + "version": 1, + "functionParameters": "disabled:bool=False,eventresult:string='*',starttime:datetime=datetime(null),endtime:datetime=datetime(null),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([])" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml index eac7faf071b..2abafc2be82 100644 --- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml 
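Review bot: The `where` clause in the new `query` string drops the time bounds whenever the actor-username filter is empty, because the unparenthesised `or` between the two `actorusername_has_any` checks splits the predicate into `(starttime and endtime and user_id) or (username and operation and object)`; with every filter at its default the right-hand side is true, so `starttime`/`endtime` are ignored entirely and the filtering parser returns the whole table. Fold the two actor checks into a single clause so that every predicate is joined with `and`: `and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any) or username_s has_any (actorusername_has_any))`. This ARM template appears to be generated from the parser YAML, so the fix belongs in the YAML source with the template regenerated afterwards.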
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
@@ -59,4 +59,3 @@ ParserQuery: |
 ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),
 ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))),
 ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers)))
-
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
index c0911648d32..c953560b0d2 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthentication')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthentication", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled 
or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) ))\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimAuthentication", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) ))\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json index a187c48c35e..024ae7cdead 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json 
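Review bot: The new `ASimAuthenticationIllumioSaaSCore` entry in the union checks the watchlist for `'ExcludeASimAuthenticationIllumioSaaS'`, while every other entry in the same `query` (and the `ASimAuditEvent.yaml` hunk earlier in this diff) uses `Exclude` followed by the full function alias, so an operator who adds `ExcludeASimAuthenticationIllumioSaaSCore` to `ASimDisabledParsers` will not disable this parser. Change the key to `'ExcludeASimAuthenticationIllumioSaaSCore'`, or document the shorter name if it is deliberate. The pre-existing `ASimAuthenticationCrowdStrikeFalconHost` entry has the same mismatch and could be aligned at the same time. Since this ARM template appears to be generated from the parser YAML, the change should be made in the YAML source and the template regenerated.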
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationAADManagedIdentitySignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationAADManagedIdentitySignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Microsoft Entra ID managed identity sign-in logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs", - "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User 
disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates 
policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n 
TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Managed Identity\",\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Microsoft Entra ID managed identity sign-in logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - 
UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" 
,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = 
(disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Managed Identity\",\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json index f3196240ba2..dd4e4545638 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationAADNonInteractiveUserSignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationAADNonInteractiveUserSignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Microsoft Entra ID non-interactive sign-in logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationAADNonInteractiveUserSignInLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password' ,\n '700016', 'No such user or password'\n ];\nlet parser=(disabled:bool=false){\n 
AADNonInteractiveUserSignInLogs \n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'NonInteractive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcDvcHostname = tostring(todynamic(DeviceDetail).displayName),\n SrcDvcId = tostring(todynamic(DeviceDetail).deviceId),\n SrcDvcOs = tostring(todynamic(DeviceDetail).operatingSystem),\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'UPN'\n | extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n SrcDvcIpAddr = IPAddress,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n | lookup FailedReason on ResultType\n // -- Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = ResourceIdentity,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n};\nparser \n (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Microsoft Entra ID non-interactive sign-in logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationAADNonInteractiveUserSignInLogs", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n 
'50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password' ,\n '700016', 'No such user or password'\n ];\nlet parser=(disabled:bool=false){\n AADNonInteractiveUserSignInLogs \n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'NonInteractive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcDvcHostname = tostring(todynamic(DeviceDetail).displayName),\n SrcDvcId = tostring(todynamic(DeviceDetail).deviceId),\n SrcDvcOs = tostring(todynamic(DeviceDetail).operatingSystem),\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'UPN'\n | extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = 
toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n SrcDvcIpAddr = IPAddress,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n | lookup FailedReason on ResultType\n // -- Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = ResourceIdentity,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n};\nparser \n (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json index 8053067d7ed..f4df060c3ba 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationAADServicePrincipalSignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationAADServicePrincipalSignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Microsoft Entra ID service principal sign-in logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationAADServicePrincipalSignInLogs", - "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" 
,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon 
violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"1002016\", \"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", 
\"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (\n disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Service Principal\",\n LocationDetails = todynamic(LocationDetails),\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | extend\n SrcGeoCity = tostring(LocationDetails.city),\n SrcGeoCountry = Location,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude),\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = 
TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser \n(\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Microsoft Entra ID service principal sign-in logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationAADServicePrincipalSignInLogs", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n 
\"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented 
assertion\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"1002016\", \"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", \"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n 
EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (\n disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Service Principal\",\n LocationDetails = todynamic(LocationDetails),\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | extend\n SrcGeoCity = tostring(LocationDetails.city),\n SrcGeoCountry = Location,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude),\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser \n(\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } 
} ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json index dc0fd8883da..5fe295558c4 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSigninLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSigninLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Microsoft Entra ID interactive sign-in logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSigninLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password',\n '700016', 'No such user or password', \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Guest','Guest', \n 'Member', 'Regular',\n 
'',''\n];\nlet parser=(disabled:bool=false){\nSigninLogs \n| where not(disabled)\n| extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcHostname = tostring(DeviceDetail.displayName),\n SrcDvcId = tostring(DeviceDetail.deviceId),\n SrcIpAddr = IPAddress,\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'UPN'\n| extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n //\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = TargetAppName,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n };\n parser \n (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Microsoft Entra ID interactive sign-in logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSigninLogs", + "query": "let FailedReason=datatable(ResultType:string, 
EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password',\n '700016', 'No such user or password', \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Guest','Guest', \n 'Member', 'Regular',\n '',''\n];\nlet parser=(disabled:bool=false){\nSigninLogs \n| where not(disabled)\n| extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcHostname = tostring(DeviceDetail.displayName),\n SrcDvcId = tostring(DeviceDetail.deviceId),\n SrcIpAddr = IPAddress,\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'UPN'\n| extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = 
toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n //\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = TargetAppName,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n };\n parser \n (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json index ef59fc9cb07..d9fd5480e92 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationAWSCloudTrail')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationAWSCloudTrail", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for AWS sign-in logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationAWSCloudTrail", - "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType:string, TargetUserType:string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role' ,'Service', \n 'FederatedUser', 'Regular',\n 'Directory','Other',\n 'AWSAccount','Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventOriginalDetails:string) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', ''\n];\nlet ASIM_GetUsernameType = (username:string) { \n case ( \n username contains \"@\" , \"UPN\",\n username contains \"\\\\\", \"Windows\",\n (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), \"DN\",\n isempty(username), \"\",\n \"Simple\"\n )\n};\nlet parser=(disabled:bool=false){\n AWSCloudTrail \n | where not(disabled)\n | where EventName == 'ConsoleLogin'\n | project-rename\n EventOriginalResultDetails = ErrorMessage,\n 
EventOriginalUid = AwsEventId,\n EventProductVersion = EventVersion,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetOriginalUserType = UserIdentityType,\n TargetUserScopeId = UserIdentityAccountId\n | extend\n Dvc = 'AWS',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'CloudTrail',\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'AWS',\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA',''),\n LogonProtocol = 'HTTPS',\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n TargetUserIdType = 'AWSId',\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\", \"\",\n TargetOriginalUserType == 'IAMUser' , UserIdentityUserName,\n TargetOriginalUserType == 'Root' , 'root',\n TargetOriginalUserType == 'AssumedRole' , tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. 
\n UserIdentityUserName\n )\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl:string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n EventSeverity = iff(EventResult == 'Failure', 'Low','Informational'),\n LogonTarget=tostring(split(TargetUrl,'?')[0]),\n // -- Specific identifier aliases\n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n Dst = LogonTarget,\n Dvc = EventVendor,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n User = TargetUsername\n | project-away EventSource, EventTypeName, EventName, ResponseElements, AdditionalEventData, Session*, Category, ErrorCode, Aws*, ManagementEvent, OperationName, ReadOnly, RequestParameters, Resources, ServiceEventDetails, SharedEventId, SourceSystem, UserIdentity*, VpcEndpointId, APIVersion, RecipientAccountId, TenantId, EC2RoleDelivery\n };\n parser \n (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for AWS sign-in logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationAWSCloudTrail", + "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType:string, TargetUserType:string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role' ,'Service', \n 'FederatedUser', 'Regular',\n 'Directory','Other',\n 'AWSAccount','Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventOriginalDetails:string) [\n 'No username found in supplied account', 'No such user',\n 'Failed 
authentication', ''\n];\nlet ASIM_GetUsernameType = (username:string) { \n case ( \n username contains \"@\" , \"UPN\",\n username contains \"\\\\\", \"Windows\",\n (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), \"DN\",\n isempty(username), \"\",\n \"Simple\"\n )\n};\nlet parser=(disabled:bool=false){\n AWSCloudTrail \n | where not(disabled)\n | where EventName == 'ConsoleLogin'\n | project-rename\n EventOriginalResultDetails = ErrorMessage,\n EventOriginalUid = AwsEventId,\n EventProductVersion = EventVersion,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetOriginalUserType = UserIdentityType,\n TargetUserScopeId = UserIdentityAccountId\n | extend\n Dvc = 'AWS',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'CloudTrail',\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'AWS',\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA',''),\n LogonProtocol = 'HTTPS',\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n TargetUserIdType = 'AWSId',\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\", \"\",\n TargetOriginalUserType == 'IAMUser' , UserIdentityUserName,\n TargetOriginalUserType == 'Root' , 'root',\n TargetOriginalUserType == 'AssumedRole' , tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. 
\n UserIdentityUserName\n )\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl:string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n EventSeverity = iff(EventResult == 'Failure', 'Low','Informational'),\n LogonTarget=tostring(split(TargetUrl,'?')[0]),\n // -- Specific identifier aliases\n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n Dst = LogonTarget,\n Dvc = EventVendor,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n User = TargetUsername\n | project-away EventSource, EventTypeName, EventName, ResponseElements, AdditionalEventData, Session*, Category, ErrorCode, Aws*, ManagementEvent, OperationName, ReadOnly, RequestParameters, Resources, ServiceEventDetails, SharedEventId, SourceSystem, UserIdentity*, VpcEndpointId, APIVersion, RecipientAccountId, TenantId, EC2RoleDelivery\n };\n parser \n (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json index 070f3cfe65f..3af334356a7 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json 
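Review bot: In the new `query` string, `eventresultdetails_lookup` declares its second column as `EventOriginalDetails`, so `lookup eventresultdetails_lookup on EventOriginalResultDetails` populates a column of that name rather than the schema's `EventResultDetails`; the Entra ID parser earlier in this diff names the equivalent mapping column `EventResultDetails`. If `EventOriginalDetails` is not an ASIM field, the normalized failure reason for AWS console logons is effectively dropped, and the value `No such user` also differs from the `No such user or password` vocabulary used there. The one-line change would be `let eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventResultDetails:string) [`; this ARM template appears to be generated from the parser YAML, so the correction belongs in that source rather than here.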
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationBarracudaWAF", - "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventTypeLookup = datatable (\n EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n)\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n];\nlet EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n)\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled 
Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_s,\n *_d,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse 
trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername= DestinationUserName\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\nunion isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication 
parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventTypeLookup = datatable (\n EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n)\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n];\nlet EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n)\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | 
lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_s,\n *_d,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), 
unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername= DestinationUserName\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\nunion isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json index 0777b3bdadc..a1e4d0f7ac9 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json 
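Review bot: In the new `query` string, `EventTypeLookup` maps `UNSUCCESSFUL_LOGIN` to `EventType` `Logoff` with `EventResult` `Failure`; a rejected login attempt is a logon event, so any detection that filters on `EventType == 'Logon' and EventResult == 'Failure'` will never see Barracuda WAF authentication failures, which is the signal this parser exists to surface. The row should read `\"UNSUCCESSFUL_LOGIN\", \"Logon\", \"Failure\",`. The template appears to be generated from the parser YAML, so the fix belongs in that source so it is not regenerated away.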
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationCiscoASA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationCiscoASA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Cisco Device Logon Events", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationCiscoASA", - "query": "let parser = (\n disabled:bool=false\n){\n let DeviceEventClassIDLookup = datatable (DeviceEventClassID:string, EventResultDetails:string, EventType:string, EventResult:string, DvcAction:string, EventSubType:string)\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", 
\"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor =~ \"Cisco\"\n | where DeviceProduct == \"ASA\"\n | where DeviceEventClassID in(FilteredDeviceEventClassID)\n | extend EventOriginalSeverity = tostring(split(Message,\"-\",1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project TimeGenerated, Type, Computer, _ItemId, DeviceEventClassID, Message, DeviceAddress,EventOriginalSeverity, EventSeverity\n | lookup 
DeviceEventClassIDLookup on DeviceEventClassID;\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004,605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber:int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101,611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008,113012)\n | parse Message with * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039,716002,716039,722022,722023,722028,722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away 
Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003,772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | project-away Message\n ) \n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n 
EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\n};\nparser (\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Cisco Device Logon Events", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoASA", + "query": "let parser = (\n disabled:bool=false\n){\n let DeviceEventClassIDLookup = datatable (DeviceEventClassID:string, EventResultDetails:string, EventType:string, EventResult:string, DvcAction:string, EventSubType:string)\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", 
\"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor =~ \"Cisco\"\n | where DeviceProduct == \"ASA\"\n | where DeviceEventClassID in(FilteredDeviceEventClassID)\n | extend EventOriginalSeverity = tostring(split(Message,\"-\",1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project TimeGenerated, Type, Computer, _ItemId, DeviceEventClassID, Message, DeviceAddress,EventOriginalSeverity, EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID;\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" 
TargetUsername \" \" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004,605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber:int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101,611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008,113012)\n | parse Message with * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039,716002,716039,722022,722023,722028,722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716040\n | parse Message 
with * 'Denied ' TargetUsername ' login' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003,772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | project-away Message\n ) \n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\n};\nparser (\n disabled = disabled\n)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+} 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json index 4511c0681c7..056a53d4d7d 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json 
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimAuthenticationCiscoISE')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "ASimAuthenticationCiscoISE",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Authentication ASIM parser for Cisco ISE",
- "category": "ASIM",
- "FunctionAlias": "ASimAuthenticationCiscoISE",
- "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n)[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password 
authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. 
Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to 
login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is 
unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user 
failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. 
See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. 
The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n ];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType \n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n , TargetIpAddr=DestinationIPAddress\n , TargetPortNumber=DestinationPort\n , TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n , SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"Authentication\"\n , EventSchemaVersion = \"0.1.3\"\n // **************** *****************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , IpAddr = SrcIpAddr\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = TargetUsername\n // **************** ****************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoISE", + "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n)[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external 
REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. 
Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. 
System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", 
\"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal 
error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. 
User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. 
Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n ];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType \n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n , TargetIpAddr=DestinationIPAddress\n , TargetPortNumber=DestinationPort\n , TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n , SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"Authentication\"\n , EventSchemaVersion = \"0.1.3\"\n // **************** *****************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , IpAddr = SrcIpAddr\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = TargetUsername\n // **************** ****************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json index e1710a8945f..0b0ed9ec457 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationCiscoMeraki", - "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", 
\"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool=false) {\n (\n meraki_CL\n | project-rename LogMessage = Message\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n TargetUsername = identity,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', 
SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n TargetUsername = trim('\"', TargetUsername),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoMeraki", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n 
\"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool=false) {\n (\n meraki_CL\n | project-rename LogMessage = Message\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", 
quote=\"'\")\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n TargetUsername = identity,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n TargetUsername = trim('\"', TargetUsername),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json index 5ff08c67f09..1cbed1b42ae 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json 
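Review bot: `EventUid = _ResourceId` in the query string, unchanged on the new side of this hunk, does not give each event a unique identifier: `_ResourceId` identifies the Azure resource that emitted the log, so every Meraki row normalized by this parser shares one EventUid and any dedup or incident correlation keyed on it collapses distinct authentication events together. The CrowdStrike parser further down this diff uses the per-row `_ItemId` for the same field, and the Meraki query should do the same, `EventUid = _ItemId`, assuming `_ItemId` is present on `meraki_CL` as on other Log Analytics tables. Since this ARM template appears to be generated from the parser YAML, the fix belongs in the YAML source too or the next conversion will reintroduce it.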
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationCiscoMerakiSyslog", - "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", 
\"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool=false) {\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n TargetUsername = identity,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n 
EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n TargetUsername = trim('\"', TargetUsername),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,\n CollectorHostName\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoMerakiSyslog", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", 
\"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool=false) {\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | 
extend EventEndTime = EventStartTime\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n TargetUsername = identity,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n TargetUsername = trim('\"', TargetUsername),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,\n CollectorHostName\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
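Review bot: The new side of this hunk assigns the authenticating client's address to the device fields — `DvcIpAddr = SrcIpAddr` and `DvcMacAddr = client_mac` — while `Dvc = DvcHostname` is resolved from the Meraki `Device` token, so the Dvc* columns describe two different hosts and any hunt that pivots on Dvc will mix access points with end clients. For this Syslog variant the syslog sender is available in `HostIP` (currently only `project-away`ed); the ISE parser earlier in this diff uses it with a sanity check, and the same pattern would fit here: `DvcIpAddr = iff(isnotempty(HostIP) and HostIP != "Unknown IP", HostIP, "")`. Whether `HostIP` is the Meraki device itself or an intermediate forwarder depends on how syslog is collected, so confirm against a real deployment before changing it. The client MAC presumably belongs in a Src-side field rather than DvcMacAddr, subject to what Authentication schema version 0.1.3 defines.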
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json index c1a489f023d..64553522c0d 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationCrowdStrikeFalconHost')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationCrowdStrikeFalconHost", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationCrowdStrikeFalconHost", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\")\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = 
DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n | extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\")\n 
| lookup EventSeverityLookup on LogSeverity\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n | extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json index 56a20abee31..3697fa5d2a7 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationGoogleWorkspace')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationGoogleWorkspace", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Google Workspace", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationGoogleWorkspace", - "query": "let parser = (\n disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n login_challenge_method_s: string,\n id_applicationName_s: string,\n affected_email_address_s: string,\n is_suspicious_b: bool,\n is_second_factor_b: bool,\n login_type_s: string,\n sensitive_action_name_s: string,\n login_challenge_status_s: string,\n TimeGenerated: datetime,\n _ItemId: string,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"login_success\", \"Logon\", \"Success\", \"Allowed\",\n \"login_failure\", \"Logon\", \"Failure\", \"Blocked\",\n \"login_challenge\", \"Logon\", \"\", \"\",\n \"login_verification\", \"Logon\", \"\", \"\",\n \"risky_sensitive_action_blocked\", \"Logon\", \"Failure\", \"Blocked\",\n \"riskay_sensitive_action_allowed\", \"Logon\", 
\"Success\", \"Allowed\",\n \"logout\", \"Logoff\", \"Success\", \"Allowed\",\n \"suspicious_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_login_less_secure_app\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_programmatic_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"user_signed_out_due_to_suspicious_session_cookie\", \"Logoff\", \"Success\", \"Allowed\"\n];\n let ThreatEventTypes = dynamic(['suspicious_login', 'suspicious_login_less_secure_app', 'suspicious_programmatic_login', 'user_signed_out_due_to_suspicious_session_cookie']);\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_login_CL\n | where not(disabled)\n | where event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | project-rename\n TargetUsername = actor_email_s,\n TargetUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n LogonMethod = login_challenge_method_s,\n EventOriginalType = event_type_s,\n EventOriginalUid = id_uniqueQualifier_s\n | extend\n TargetUsername = iif(event_name_s in (ThreatEventTypes), affected_email_address_s, TargetUsername),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserIdType = iif(isnotempty(TargetUserId), \"GWorkspaceProfileID\", \"\"),\n EventSeverity = iif(event_name_s in (ThreatEventTypes), \"High\", \"Informational\")\n | extend \n AdditionalFields = bag_pack(\n \"Is_Suspicious\",\n is_suspicious_b,\n \"Is_Second_Factor_b\",\n is_second_factor_b,\n \"Logon_Type\",\n login_type_s,\n \"Sensitive_Action_Name\",\n sensitive_action_name_s\n ),\n EventResult = case(\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"passed\",\n \"Success\",\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\",\n \"Failure\",\n EventResult\n ),\n EventResultDetails = 
iif(event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\", \"MFA not satisfied\", \"\"),\n RuleName = case(\n event_name_s == 'suspicious_login',\n \"Google has detected a suspicious login for TargetUSerName\",\n event_name_s == 'suspicious_login_less_secure_app',\n \"Google has detected a suspicious login for TargetUSerName from a less secure app\",\n event_name_s == 'suspicious_programmatic_login',\n \"Google has detected a suspicious programmatic login for TargetUserName\",\n event_name_s == 'user_signed_out_due_to_suspicious_session_cookie',\n \"Suspicious session cookie detected for user TargetUserName\",\n \"\"\n ),\n ThreatField = iif(event_name_s in (ThreatEventTypes), \"TargetUserName\", \"\"),\n ThreatFirstReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null)),\n ThreatLastReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null))\n | extend\n EventOriginalSubType = event_name_s,\n TargetAppName = \"Google Workspace - login\",\n Dst = \"Google Workspace\",\n Application = \"Google Workspace\",\n TargetAppType = \"SaaS application\",\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n Dvc=\"Workspace\",\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventUid = _ItemId\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Google Workspace", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationGoogleWorkspace", + "query": "let parser = (\n disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable 
(\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n login_challenge_method_s: string,\n id_applicationName_s: string,\n affected_email_address_s: string,\n is_suspicious_b: bool,\n is_second_factor_b: bool,\n login_type_s: string,\n sensitive_action_name_s: string,\n login_challenge_status_s: string,\n TimeGenerated: datetime,\n _ItemId: string,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"login_success\", \"Logon\", \"Success\", \"Allowed\",\n \"login_failure\", \"Logon\", \"Failure\", \"Blocked\",\n \"login_challenge\", \"Logon\", \"\", \"\",\n \"login_verification\", \"Logon\", \"\", \"\",\n \"risky_sensitive_action_blocked\", \"Logon\", \"Failure\", \"Blocked\",\n \"riskay_sensitive_action_allowed\", \"Logon\", \"Success\", \"Allowed\",\n \"logout\", \"Logoff\", \"Success\", \"Allowed\",\n \"suspicious_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_login_less_secure_app\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_programmatic_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"user_signed_out_due_to_suspicious_session_cookie\", \"Logoff\", \"Success\", \"Allowed\"\n];\n let ThreatEventTypes = dynamic(['suspicious_login', 'suspicious_login_less_secure_app', 'suspicious_programmatic_login', 'user_signed_out_due_to_suspicious_session_cookie']);\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_login_CL\n | where not(disabled)\n | where event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | project-rename\n TargetUsername = 
actor_email_s,\n TargetUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n LogonMethod = login_challenge_method_s,\n EventOriginalType = event_type_s,\n EventOriginalUid = id_uniqueQualifier_s\n | extend\n TargetUsername = iif(event_name_s in (ThreatEventTypes), affected_email_address_s, TargetUsername),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserIdType = iif(isnotempty(TargetUserId), \"GWorkspaceProfileID\", \"\"),\n EventSeverity = iif(event_name_s in (ThreatEventTypes), \"High\", \"Informational\")\n | extend \n AdditionalFields = bag_pack(\n \"Is_Suspicious\",\n is_suspicious_b,\n \"Is_Second_Factor_b\",\n is_second_factor_b,\n \"Logon_Type\",\n login_type_s,\n \"Sensitive_Action_Name\",\n sensitive_action_name_s\n ),\n EventResult = case(\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"passed\",\n \"Success\",\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\",\n \"Failure\",\n EventResult\n ),\n EventResultDetails = iif(event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\", \"MFA not satisfied\", \"\"),\n RuleName = case(\n event_name_s == 'suspicious_login',\n \"Google has detected a suspicious login for TargetUSerName\",\n event_name_s == 'suspicious_login_less_secure_app',\n \"Google has detected a suspicious login for TargetUSerName from a less secure app\",\n event_name_s == 'suspicious_programmatic_login',\n \"Google has detected a suspicious programmatic login for TargetUserName\",\n event_name_s == 'user_signed_out_due_to_suspicious_session_cookie',\n \"Suspicious session cookie detected for user TargetUserName\",\n \"\"\n ),\n ThreatField = iif(event_name_s in (ThreatEventTypes), \"TargetUserName\", \"\"),\n ThreatFirstReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null)),\n ThreatLastReportedTime = 
iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null))\n | extend\n EventOriginalSubType = event_name_s,\n TargetAppName = \"Google Workspace - login\",\n Dst = \"Google Workspace\",\n Application = \"Google Workspace\",\n TargetAppType = \"SaaS application\",\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n Dvc=\"Workspace\",\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventUid = _ItemId\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json new file mode 100644 index 00000000000..5f9b3c20cf7 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json 
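Review bot: The new side of the `ASimAuthenticationGoogleWorkspace` query still carries the misspelled lookup row `"riskay_sensitive_action_allowed"` in `EventFieldsLookup`; because `SupportedEventNames` is projected from that table, genuine `risky_sensitive_action_allowed` events never pass the `where event_name_s in (SupportedEventNames)` filter and are silently dropped rather than normalized as a successful logon. The row should read `"risky_sensitive_action_allowed", "Logon", "Success", "Allowed",`. The `RuleName` strings also embed the literal text `TargetUSerName`/`TargetUserName` instead of the user value; if interpolation was intended this should use `strcat(...)` with `TargetUsername`, otherwise the inconsistent casing should be unified. Since this ARM file appears to be generated from the parser YAML, the correction belongs in the YAML source so the conversion workflow regenerates the template.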
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationIllumioSaaSCore')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationIllumioSaaSCore", + "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type\n EventResultDetails: string,\n EventResult: string\n)\n[\n 'user.authenticate', 'Logon', 'Other', 'Success',\n 'user.login', 'Logon', 'Other', 'Success',\n 'user.logout', 'Logoff', 'Other', 'Success',\n 'user.sign_in', 'Logon', 'Other', 'Success',\n 'user.sign_out', 'Logoff', 'Other', 'Success',\n 'user.use_expired_password', 'Logon', 'Password expired', 'Success'\n];\nlet user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']);\nlet parser=(disabled: bool=false) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type in (user_events) // limited to user signin, login, logoff, signoff events only\n | extend \n EventProduct='Core'\n ,\n EventVendor='Illumio'\n ,\n EventSchema = 'Authentication'\n ,\n 
EventCount=int(1)\n ,\n EventSchemaVersion='0.1.3'\n , \n EventOriginalUid = href\n | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult\n | extend \n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n , \n TargetUsername = case( \n isnotnull(created_by.user), created_by.user.username, \n \"Unknown\"\n ),\n TargetUsernameType = \"Simple\",\n EventUid = _ItemId,\n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip)\n // ** Aliases\n | extend \n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n ,\n User = TargetUsername\n | project-away \n TenantId,\n href,\n pce_fqdn,\n created_by,\n event_type,\n status,\n severity,\n action,\n resource_changes,\n notifications,\n version \n };\n parser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/README.md new file mode 100644 index 00000000000..88fc55eabe8 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/README.md @@ -0,0 +1,18 @@ +# Illumio ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Illumio. + +This ASIM parser supports normalizing Illumio sign in logs, stored in the Illumio_Auditable_Events_CL table, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
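Review bot: In the new `ASimAuthenticationIllumioSaaSCore` query the `user_events` filter list contains `'user.sigin'` while `EventTypeLookup` keys the same event as `'user.sign_in'`, so `user.sign_in` records are excluded by `where not(disabled) and event_type in (user_events)` and never reach the lookup, while the misspelled entry matches nothing. The line should be `let user_events = dynamic(['user.sign_in', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']);`. Since the filter duplicates the lookup's keys, deriving it from the table (as the Google Workspace parser does with `SupportedEventNames`) would remove the chance of the two drifting again. It is also worth confirming that mapping `user.use_expired_password` to `EventResult` `'Success'` with `EventResultDetails` `'Password expired'` is the intended outcome, as a logon with an expired password is usually reported as a failure. This being a generated ARM template, the fix should land in the parser's YAML source.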
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationIllumioSaaSCore%2FASimAuthenticationIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationIllumioSaaSCore%2FASimAuthenticationIllumioSaaSCore.json) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json index ad62a970a48..98e8ae1fd41 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationM365Defender')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationM365Defender", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for M365 Defender Device Logon Events", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationM365Defender", - "query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Batch', 'Service',\n 'CachedInteractive', 'Interactive',\n 'Interactive', 'Interactive',\n 'Network', 'Remote',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'RemoteInteractive', 'RemoteInteractive',\n 'Service', 'Service',\n 'Unknown', ''\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonAttempted', 'NA',\n 'LogonFailed', 'Failure',\n 'LogonSuccess', 'Success'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n ActorUsernameType = \"Simple\",\n TargetDvcOs = \"Linux\",\n TargetUsernameType = \"Simple\"\n | project-rename \n ActingProcessName = InitiatingProcessFolderPath,\n ActorUsername = InitiatingProcessAccountName,\n TargetUsername = AccountName\n | project-away \n 
InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\n ActorUserIdType = 'SID',\n ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n ),\n ActorUsernameType = iff (\n InitiatingProcessAccountDomain == '','Simple',\n 'Windows'\n ),\n TargetDvcOs = \"Windows\",\n TargetUserIdType = 'SID',\n TargetUsername = iff (\n isempty(AccountDomain), AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ),\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n | project-rename \n ActorUserId = InitiatingProcessAccountSid,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n TargetWindowsUsername = TargetUsername,\n ActorWindowsUsername = ActorUsername,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessIntegrityLevel = 
InitiatingProcessIntegrityLevel,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n EventOriginalResultDetails = FailureReason,\n EventOriginalType = LogonType,\n EventUid = _ItemId,\n LogonProtocol = Protocol,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n ParentProcessName = InitiatingProcessParentFileName,\n SrcHostname = RemoteDeviceName,\n SrcPortNumber = RemotePort,\n TargetDvcId = DeviceId\n | extend \n ActingProcessId = tostring (InitiatingProcessId),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalUid = tostring (ReportId),\n EventProduct = 'M365 Defender for EndPoint',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n ParentProcessId = tostring (InitiatingProcessParentId),\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\n TargetDvcIdType = 'MDEid',\n TargetSessionId = tostring (LogonId)\n | extend\n Hash = coalesce(\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetDomain = Domain, \n TargetDomainType = DomainType,\n TargetFQDN = FQDN,\n TargetHostname = ExtractedHostname\n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n DvcMDEid = 
TargetDvcId,\n TargetDvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n ActingAppName = ActingProcessName,\n ActingAppType = \"Process\",\n Dvc = coalesce (TargetFQDN, TargetHostname),\n IpAddr = SrcIpAddr,\n Prcess = ActingProcessName,\n Src = coalesce (SrcIpAddr, SrcHostname),\n User = TargetUsername,\n // -- Alias Dvc to Target,\n DvcDomain = TargetDomain,\n DvcDomainType = TargetDomainType,\n DvcFQDN = TargetFQDN,\n DvcHostname = TargetHostname,\n DvcId = TargetDvcId,\n DvcIdType = TargetDvcIdType,\n DvcOs = TargetDvcOs\n | extend \n Dst = Dvc,\n LogonTarget = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for M365 Defender Device Logon Events", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationM365Defender", + "query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Batch', 'Service',\n 'CachedInteractive', 'Interactive',\n 'Interactive', 'Interactive',\n 'Network', 'Remote',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'RemoteInteractive', 'RemoteInteractive',\n 'Service', 'Service',\n 'Unknown', ''\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonAttempted', 'NA',\n 'LogonFailed', 'Failure',\n 
'LogonSuccess', 'Success'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n ActorUsernameType = \"Simple\",\n TargetDvcOs = \"Linux\",\n TargetUsernameType = \"Simple\"\n | project-rename \n ActingProcessName = InitiatingProcessFolderPath,\n ActorUsername = InitiatingProcessAccountName,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\n ActorUserIdType = 'SID',\n ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n ),\n ActorUsernameType = iff (\n InitiatingProcessAccountDomain == '','Simple',\n 'Windows'\n ),\n TargetDvcOs = \"Windows\",\n TargetUserIdType = 'SID',\n TargetUsername = iff (\n isempty(AccountDomain), AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ),\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n | project-rename \n ActorUserId = InitiatingProcessAccountSid,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n TargetWindowsUsername = TargetUsername,\n ActorWindowsUsername = ActorUsername,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away 
InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n EventOriginalResultDetails = FailureReason,\n EventOriginalType = LogonType,\n EventUid = _ItemId,\n LogonProtocol = Protocol,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n ParentProcessName = InitiatingProcessParentFileName,\n SrcHostname = RemoteDeviceName,\n SrcPortNumber = RemotePort,\n TargetDvcId = DeviceId\n | extend \n ActingProcessId = tostring (InitiatingProcessId),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalUid = tostring (ReportId),\n EventProduct = 'M365 Defender for EndPoint',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n ParentProcessId = tostring (InitiatingProcessParentId),\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\n TargetDvcIdType = 'MDEid',\n TargetSessionId = tostring (LogonId)\n | extend\n Hash = coalesce(\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke 
_ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetDomain = Domain, \n TargetDomainType = DomainType,\n TargetFQDN = FQDN,\n TargetHostname = ExtractedHostname\n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n DvcMDEid = TargetDvcId,\n TargetDvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n ActingAppName = ActingProcessName,\n ActingAppType = \"Process\",\n Dvc = coalesce (TargetFQDN, TargetHostname),\n IpAddr = SrcIpAddr,\n Prcess = ActingProcessName,\n Src = coalesce (SrcIpAddr, SrcHostname),\n User = TargetUsername,\n // -- Alias Dvc to Target,\n DvcDomain = TargetDomain,\n DvcDomainType = TargetDomainType,\n DvcFQDN = TargetFQDN,\n DvcHostname = TargetHostname,\n DvcId = TargetDvcId,\n DvcIdType = TargetDvcIdType,\n DvcOs = TargetDvcOs\n | extend \n Dst = Dvc,\n LogonTarget = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json index 1e3a7d8b4a2..d5a61c3d1b0 100644 
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Microsoft Defender for IoT endpoint logs", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationMD4IoT", - "query": "let parser=(disabled:bool=false)\n{\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\" \n | project-rename EventUid = _ItemId\n | extend\n EventDetails = todynamic(EventDetails)\n | extend\n EventCount = int(1),\n EventEndTime = todatetime(TimeGenerated), \n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success'), \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventVendor = 'Microsoft'\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n SrcIpAddr = tostring(EventDetails.RemoteAddress), \n TargetUsername = tostring(EventDetails.UserName),\n TargetUsernameType = \"Simple\"\n | project-rename\n _ResourceId = 
AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion // -- Not available in Windows\n // -- aliases\n | extend \n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Process = ActingProcessName, \n SrcDvcIpAddr = SrcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Microsoft Defender for IoT endpoint logs", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationMD4IoT", + "query": "let parser=(disabled:bool=false)\n{\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\" \n | project-rename EventUid = _ItemId\n | extend\n EventDetails = todynamic(EventDetails)\n | extend\n EventCount = int(1),\n EventEndTime = todatetime(TimeGenerated), \n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success'), \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventVendor = 'Microsoft'\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n SrcIpAddr = tostring(EventDetails.RemoteAddress), \n TargetUsername = tostring(EventDetails.UserName),\n TargetUsernameType = \"Simple\"\n | project-rename\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion // -- Not available in Windows\n // -- aliases\n | 
extend \n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Process = ActingProcessName, \n SrcDvcIpAddr = SrcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled = disabled\n )",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
index b5a1546bf08..958b051f666 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationMicrosoftWindowsEvent", - "query": "let LogonEvents=dynamic([4624,4625]);\nlet LogoffEvents=dynamic([4634,4647]);\nlet LogonTypes=datatable(LogonType:int, EventSubType:string)[\n 2, 'Interactive',\n 3, 'Network',\n 4, 'Batch',\n 5, 'Service',\n 7, 'Unlock',\n 8, 'NetworkCleartext',\n 9, 'NewCredentials',\n 10, 'RemoteInteractive',\n 11, 'CachedInteractive'];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',\n '0xc0000380', 
'STATUS_SMARTCARD_WRONG_PIN','Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN','Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE','Other',\n '0xc0000017', 'STATUS_NO_MEMORY','Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED','Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE','Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED','Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG','Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];\nlet WinLogon=(disabled:bool=false){ \n WindowsEvent \n | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | extend \n 
ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-',''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , EventData.SubjectUserName))),\n EventProduct = \"Security Events\",\n LogonGuid = tostring(EventData.LogonGuid),\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n LogonType = toint(EventData.LogonType),\n SrcDvcHostname = tostring(EventData.WorkstationName),\n SrcDvcIpAddr = tostring(EventData.IpAddress),\n Status = tostring(EventData.Status),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetPortNumber = toint(EventData.IpPort),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-',''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\" , EventData.TargetUserName)))\n | extend \n EventStatus = iff(SubStatus=='0x0',Status,SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend \n EventMessage = case(\n EventID == 4624 ,\"4624 - An account was successfully logged on.\",\n EventID == 4625, \"4625 - An account failed to log on.\",\n EventID == 4634, \"4634 - An account was logged off.\", \n \"4647 - User initiated logoff.\"),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId, \n EventUid = _ItemId, \n TargetDvcHostname = Computer\n | extend \n ActorUserIdType = 'SID',\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-',''),'Simple', 'Windows' ),\n EventCount = int(1),\n EventEndTime = 
TimeGenerated,\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus=='0x0',Status,SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsernameType = iff(TargetDomainName in ('-',''), 'Simple', 'Windows')\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcDvcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername\n};\nlet SecEventLogon=(disabled:bool=false){\n SecurityEvent \n | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project-rename \n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n EventMessage = Activity,\n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId,\n LogonProtocol = AuthenticationPackageName,\n SrcDvcHostname = WorkstationName,\n SrcDvcIpAddr = IpAddress,\n TargetDvcHostname = Computer,\n TargetSessionId = TargetLogonId,\n TargetUserId = TargetUserSid\n | extend \n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName in ('-',''), SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName in ('-',''), 'Simple', 'Windows' ),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Security Events\",\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus=='0x0',Status,SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsername = iff (TargetDomainName in ('-',''), trim(@'\\\\',TargetUserName), 
trim(@'\\\\',TargetAccount)),\n TargetUsernameType = iff (TargetDomainName in ('-',''), 'Simple', 'Windows')\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcDvcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername\n };\nunion isfuzzy=true \n SecEventLogon(disabled=disabled), \n WinLogon(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationMicrosoftWindowsEvent", + "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)[\n 2, 'Interactive',\n 3, 'Remote',\n 4, 'System',\n 5, 'Service',\n 7, 'Interactive',\n 8, 'NetworkCleartext',\n 9, 'AssumeRole',\n 10, 'RemoteInteractive',\n 11, 'Interactive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 
'STATUS_ACCOUNT_EXPIRED', 'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(disabled: bool=false) { \n WindowsEvent \n | where not(disabled)\n | where Provider == 
'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\n | extend \n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n EventProduct = \"Security Events\",\n LogonGuid = tostring(EventData.LogonGuid),\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n LogonType = toint(EventData.LogonType),\n SrcHostname = tostring(EventData.WorkstationName),\n SrcIpAddr = tostring(EventData.IpAddress),\n Status = tostring(EventData.Status),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetPortNumber = toint(EventData.IpPort),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n | extend \n EventStatus = iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend \n EventMessage = case(\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4634,\n \"4634 - An account was logged off.\", \n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId, \n EventUid = _ItemId, 
\n TargetDvcHostname = Computer\n | extend \n ActorUserIdType = 'SID',\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsernameType = iff(TargetDomainName in ('-', ''), 'Simple', 'Windows')\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventData,\n LogonGuid,\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n TargetDomainName,\n TargetDvcHostname\n};\nlet SecEventLogon=(disabled: bool=false) {\n SecurityEvent \n | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project\n SubjectLogonId,\n SubjectUserSid,\n Activity,\n EventID,\n EventOriginId,\n AuthenticationPackageName,\n WorkstationName,\n IpAddress,\n Computer,\n TargetLogonId,\n TargetUserSid,\n SubjectDomainName,\n SubjectUserName,\n SubjectAccount,\n TimeGenerated,\n SubStatus,\n TargetDomainName,\n TargetUserName,\n AccountType,\n TargetAccount,\n Status,\n LogonType,\n Type\n | project-rename \n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n EventMessage = Activity,\n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId,\n LogonProtocol = AuthenticationPackageName,\n SrcHostname = WorkstationName,\n SrcIpAddr = IpAddress,\n 
TargetDvcHostname = Computer,\n TargetSessionId = TargetLogonId,\n TargetUserId = TargetUserSid\n | extend \n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Security Events\",\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount)),\n TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n SubjectAccount,\n SubjectDomainName,\n SubjectUserName,\n EventStatus,\n TargetAccount,\n TargetDomainName,\n TargetDvcHostname\n};\nunion isfuzzy=true \n SecEventLogon(disabled=disabled), \n WinLogon(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
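Review bot: The two union branches now disagree on the schema version: WinLogon sets `EventSchemaVersion = '0.1.3'` while SecEventLogon still sets `EventSchemaVersion = '0.1.0'`, so a single parser emits rows with two versions even though both branches use the same new EventSubType mapping; the SecEventLogon line should read `EventSchemaVersion = '0.1.3',`. The SecEventLogon `project-away` list also names `EventStatus` twice, which looks like a copy/paste leftover and should be reduced to one entry. With the remapped LogonTypes table (2, 7 and 11 all become 'Interactive') and the raw `LogonType` now projected away in both branches, the cached/unlock/interactive distinction is no longer recoverable downstream, so detections keyed on the old 'Unlock', 'CachedInteractive', 'Network' or 'NewCredentials' values will silently stop matching; consider preserving the raw value in `EventOriginalSubType` before the project-away. If this ARM template is generated from the parser YAML, the fixes belong in the YAML source rather than here.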
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
index 6d5a591b5df..899a6b5ee95 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationOktaSSO')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationOktaSSO", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Okta", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationOktaSSO", - "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated:datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n | extend\n outcome_result_s=column_ifexists('outcome_result_s', \"\")\n ,\n eventType_s=column_ifexists('eventType_s', \"\")\n ,\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\")\n ,\n client_geographicalContext_geolocation_lat_d=column_ifexists('client_geographicalContext_geolocation_lat_d', \"\")\n ,\n client_geographicalContext_geolocation_lon_d=column_ifexists('client_geographicalContext_geolocation_lon_d', \"\")\n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 
'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n ,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n ,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Okta", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationOktaSSO", + "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 
'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated:datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n | extend\n outcome_result_s=column_ifexists('outcome_result_s', \"\")\n ,\n eventType_s=column_ifexists('eventType_s', \"\")\n ,\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\")\n ,\n client_geographicalContext_geolocation_lat_d=column_ifexists('client_geographicalContext_geolocation_lat_d', \"\")\n ,\n client_geographicalContext_geolocation_lon_d=column_ifexists('client_geographicalContext_geolocation_lon_d', \"\")\n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n ,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n 
,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nparser(disabled = disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json
index c31a5b84a18..672fa3081ce 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationOktaV2')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationOktaV2", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for OktaV2", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationOktaV2", - "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: 
string,\n TransactionType: string\n)[];\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=column_ifexists('ActorUsername', \"\")\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n SecurityContextDomain,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId,\n TransactionType\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n 
Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n SecurityContextDomain,\n SecurityContextIsProxy,\n TransactionId,\n TransactionType;\n OktaV2\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for OktaV2", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationOktaV2", + "query": "let parser=(disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n 
SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string\n)[];\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=column_ifexists('ActorUsername', \"\")\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n 
SecurityContextDomain,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId,\n TransactionType\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName,\n AuthenticationContextAuthenticationProvider,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider,\n AuthenticationContextInterface,\n AuthenticationContextIssuerId,\n AuthenticationContextIssuerType,\n DebugData,\n DvcAction,\n OriginalActorAlternateId,\n OriginalClientDevice,\n OriginalOutcomeResult,\n OriginalSeverity,\n OriginalTarget,\n OriginalUserId,\n OriginalUserType,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg,\n SecurityContextDomain,\n SecurityContextIsProxy,\n TransactionId,\n TransactionType;\n OktaV2\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json index 41c1bbc7b6d..c963395d981 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json 
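Review bot: In the new-side query `OktaSuccessfulOutcome` and `OktaFailedOutcome` are declared at the top of the function but never referenced, and `OriginalOutcomeResult` is only extended and then projected away, so `EventResult` is never normalised here — it merely passes through whatever the `OktaV2_CL` column holds (the empty schema table declares it), with no guarantee those raw values are the ASIM `Success`/`Failure` vocabulary that the V1 parser earlier in this diff produces with a `case()`. Assuming `OriginalOutcomeResult` carries Okta's `outcome.result`, add after the `EventType` line: `EventResult = case(OriginalOutcomeResult in (OktaSuccessfulOutcome), 'Success', OriginalOutcomeResult in (OktaFailedOutcome), 'Failure', EventResult)`. Separately, `TransactionDetail` appears in the extend list but is missing from the `project-away` list, so it leaks through as a non-schema column. Since this ARM template looks generated from the parser YAML (see the convert workflow in this same commit), the fix belongs in that YAML and should be regenerated here.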
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, 
PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(start),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1, \"Username & Password\",\n FieldDeviceCustomNumber1 == 2, \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3, \"Multi factor authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUsername = PanOSAuthenticatedUserName,\n TargetUserId = 
PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvc = DeviceCustomString1\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n EventResult = iff(EventMessage has \"Invalid Certificate\", \"Failure\", \"Success\"),\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDomainType = case(\n array_length(split(DestinationUserName, \".\")) > 1, \"FQDN\",\n array_length(split(DestinationUserName, \"\\\\\")) > 1, \"Windows\",\n \"\"\n ),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n _ResourceId\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationPaloAltoCortexDataLake", + "query": "let EventSeverityLookup 
= datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(start),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1, \"Username & Password\",\n FieldDeviceCustomNumber1 == 2, \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3, \"Multi factor authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n 
FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUsername = PanOSAuthenticatedUserName,\n TargetUserId = PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvc = DeviceCustomString1\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n EventResult = iff(EventMessage has \"Invalid Certificate\", \"Failure\", \"Success\"),\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDomainType = case(\n array_length(split(DestinationUserName, \".\")) > 1, \"FQDN\",\n array_length(split(DestinationUserName, \"\\\\\")) > 1, \"Windows\",\n \"\"\n ),\n 
TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n _ResourceId\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json index 9520256bcd0..cc368e11f20 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json 
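Review bot: `EventResult = iff(EventMessage has "Invalid Certificate", "Failure", "Success")` classifies every Cortex Data Lake AUTH record that is not a certificate error as a successful logon, so bad-password or MFA-denied events (whatever text Cortex emits for them) would be normalised as `Success` and vanish from failed-authentication detections. The CEF `EventOutcome` column is available but projected away unmapped; presumably it, or `PanOSAuthenticationDescription`, carries the real outcome and should drive `EventResult` once its values are confirmed against sample data, keeping the certificate check only as a fallback. Also `TargetDomainType` is derived by splitting `DestinationUserName` while `TargetDomain` itself comes from `PanOSAuthenticatedUserDomain`, so the type can disagree with the value; derive it from `TargetDomain` instead, e.g. `array_length(split(TargetDomain, ".")) > 1, "FQDN"` and `array_length(split(TargetDomain, "\\")) > 1, "Windows"`. This ARM template appears generated from the parser YAML (see the convert workflow in this commit), so the change belongs there.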
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationPostgreSQL')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationPostgreSQL", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for PostgreSQL", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationPostgreSQL", - "query": "let PostgreSQLSignInAuthorized=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'connection authorized'\n| project-rename \n EventUid = _ItemId\n| extend\n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Connection authorized',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc=Computer,\n User=TargetUsername\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure1=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'authentication failed'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = 
extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure2=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('role', 'does', 'not', 'exist')\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Role does not exist',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure3=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('no', 'entry', 'user')\n| extend \n DvcHostname = Computer,\n 
DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'No entry for user',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData),\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLDisconnect=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'disconnection'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventResultDetails = 'Session expired',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host=([\\d.]+)', 1, RawData),\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nunion isfuzzy=false \n PostgreSQLSignInAuthorized(disabled = disabled), \n PostgreSQLAuthFailure1(disabled = 
disabled), \n PostgreSQLAuthFailure2(disabled = disabled), \n PostgreSQLAuthFailure3(disabled = disabled), \n PostgreSQLDisconnect(disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for PostgreSQL", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationPostgreSQL", + "query": "let PostgreSQLSignInAuthorized=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'connection authorized'\n| project-rename \n EventUid = _ItemId\n| extend\n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Connection authorized',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc=Computer,\n User=TargetUsername\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure1=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'authentication failed'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n 
EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure2=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('role', 'does', 'not', 'exist')\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Role does not exist',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure3=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('no', 'entry', 'user')\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'No entry for user',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n 
EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData),\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLDisconnect=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'disconnection'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventResultDetails = 'Session expired',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host=([\\d.]+)', 1, RawData),\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nunion isfuzzy=false \n PostgreSQLSignInAuthorized(disabled = disabled), \n PostgreSQLAuthFailure1(disabled = disabled), \n PostgreSQLAuthFailure2(disabled = disabled), \n PostgreSQLAuthFailure3(disabled = disabled), \n PostgreSQLDisconnect(disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
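Review bot: The regex used for `DvcIpAddr` in all five sub-parsers, `@'\d{1,3}\.\d{1.3}\.\d{1,3}\.\d{1,3}'`, has a dot instead of a comma in the second quantifier (`{1.3}` is not a repetition, it is matched literally), so the pattern cannot match a dotted IPv4 address, and it also has no capture group while `extract(..., 1, Computer)` asks for group 1 — `DvcIpAddr` is therefore always empty. Replace each occurrence with `DvcIpAddr = extract(@'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, Computer),`. Also `EventOriginalRestultDetails` is misspelled in every branch (the other parsers in this diff emit `EventOriginalResultDetails`), so the value lands in a non-schema column that detections keyed on the ASIM field will not see. Since this ARM template looks generated from the parser YAML (see the convert workflow in this commit), fix both in the YAML and regenerate.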
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json index d2500cda5a3..532bc513756 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSalesforceSC')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSalesforceSC", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Salesforce Service Cloud", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let parser = (\ndisabled: bool=false\n) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\nlogin_type_s: string,\nlogin_sub_type_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nrequest_status_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: string,\nuri_s: string,\nuser_id_s: string,\nuser_name_s: string,\nuser_type_s: string,\nwave_session_id_g: string\n)[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML 
Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n | extend 
LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n TargetAppType = \"SaaS application\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n 
ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Salesforce Service Cloud", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSalesforceSC", + "query": "let parser = (\ndisabled: bool=false\n) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\nlogin_type_s: string,\nlogin_sub_type_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nrequest_status_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: string,\nuri_s: string,\nuser_id_s: string,\nuser_name_s: string,\nuser_type_s: string,\nwave_session_id_g: string\n)[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: 
string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n 
\"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n 
EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n TargetAppType = \"SaaS application\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json
index ef11843ceeb..3ffed72291b 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSentinelOne", - "query": "let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\n [\n \"invalid 2FA code\", \"Incorrect password\",\n \"IP/User mismatch\", \"No such user or password\",\n \"invalid password\", \"Incorrect password\",\n \"user temporarily locked 2FA attempt\", \"User locked\",\n \"no active site\", \"Other\"\n ];\n let EventFieldsLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string\n )\n [\n 27, \"Logon\", \"Success\", \"User Logged In\",\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\n 3629, \"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\n ];\n let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"WINLOGONATTEMPT\", \"Logon\",\n \"WINLOGOFFATTEMPT\", \"Logoff\"\n ];\n let EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\n [\n \"BATCH\", \"System\",\n \"CACHED_INTERACTIVE\", 
\"Interactive\",\n \"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"CACHED_UNLOCK\", \"System\",\n \"INTERACTIVE\", \"Interactive\",\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\n \"NETWORK_CREDENTIALS\", \"Remote\",\n \"NETWORK\", \"Remote\",\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"SERVICE\", \"Service\",\n \"SYSTEM\", \"System\",\n \"UNLOCK\", \"System\"\n ];\n let DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n )\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n ];\n let TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\n let parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled);\n let activitydata = alldata\n | where event_name_s == \"Activities.\"\n and activityType_d in (27, 33, 133, 134, 139, 3629)\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", 
quote='\"')\n | lookup EventFieldsLookup on activityType_d\n | lookup EventResultDetailsLookup on comments_s\n | extend \n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\n EventOriginalType = tostring(toint(activityType_d)),\n TargetUsername = username,\n TargetUserScope = userScope,\n AdditionalFields = bag_pack(\n \"accountName\", accountName,\n \"fullScopeDetails\", fullScopeDetails,\n \"fullScopeDetailsPath\", fullScopeDetailsPath,\n \"scopeLevel\", scopeLevel,\n \"source\", source,\n \"sourceType\", sourceType\n ),\n TargetOriginalUserType = role,\n TargetUserType = case(\n role in (TargetUserTypesList), role,\n role == \"null\", \"\",\n \"Other\"\n )\n | project-rename\n EventStartTime = createdAt_t,\n TargetUserId = userId_s,\n EventOriginalUid = activityUuid_g,\n EventMessage = primaryDescription_s\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\n let alertdata = alldata\n | where event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | lookup EventSubTypeLookup on alertInfo_loginType_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alertdata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n let alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\n | extend\n EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", 
\"Failure\"),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = alertInfo_createdAt_t,\n SrcIpAddr = alertInfo_srcMachineIp_s,\n ActingAppName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSubType = alertInfo_loginType_s,\n RuleName = ruleInfo_name_s,\n TargetUserId = alertInfo_loginAccountSid_s,\n TargetUsername = alertInfo_loginsUserName_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n Rule = RuleName,\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\n union activitydata, alertdatawiththreatfield\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"Authentication\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct),\n EventEndTime = EventStartTime,\n EventUid = _ItemId,\n User = TargetUsername\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n ipAddress,\n username,\n accountName,\n fullScopeDetails,\n fullScopeDetailsPath,\n role,\n scopeLevel,\n source,\n sourceType,\n userScope,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ItemId,\n _ResourceId,\n ThreatConfidence_*\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM 
Authentication parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSentinelOne", + "query": "let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\n [\n \"invalid 2FA code\", \"Incorrect password\",\n \"IP/User mismatch\", \"No such user or password\",\n \"invalid password\", \"Incorrect password\",\n \"user temporarily locked 2FA attempt\", \"User locked\",\n \"no active site\", \"Other\"\n ];\n let EventFieldsLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string\n )\n [\n 27, \"Logon\", \"Success\", \"User Logged In\",\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\n 3629, \"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\n ];\n let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"WINLOGONATTEMPT\", \"Logon\",\n \"WINLOGOFFATTEMPT\", \"Logoff\"\n ];\n let EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\n [\n \"BATCH\", \"System\",\n \"CACHED_INTERACTIVE\", \"Interactive\",\n \"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"CACHED_UNLOCK\", \"System\",\n \"INTERACTIVE\", \"Interactive\",\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\n \"NETWORK_CREDENTIALS\", \"Remote\",\n \"NETWORK\", \"Remote\",\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"SERVICE\", \"Service\",\n \"SYSTEM\", \"System\",\n \"UNLOCK\", \"System\"\n ];\n let DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n )\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n ];\n let ThreatConfidenceLookup_undefined = 
datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n ];\n let TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\n let parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled);\n let activitydata = alldata\n | where event_name_s == \"Activities.\"\n and activityType_d in (27, 33, 133, 134, 139, 3629)\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup on activityType_d\n | lookup EventResultDetailsLookup on comments_s\n | extend \n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\n EventOriginalType = tostring(toint(activityType_d)),\n TargetUsername = username,\n TargetUserScope = userScope,\n AdditionalFields = bag_pack(\n \"accountName\", accountName,\n \"fullScopeDetails\", fullScopeDetails,\n \"fullScopeDetailsPath\", fullScopeDetailsPath,\n \"scopeLevel\", scopeLevel,\n \"source\", source,\n \"sourceType\", sourceType\n ),\n TargetOriginalUserType = role,\n TargetUserType = case(\n role in (TargetUserTypesList), role,\n role == \"null\", \"\",\n \"Other\"\n )\n | 
project-rename\n EventStartTime = createdAt_t,\n TargetUserId = userId_s,\n EventOriginalUid = activityUuid_g,\n EventMessage = primaryDescription_s\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\n let alertdata = alldata\n | where event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | lookup EventSubTypeLookup on alertInfo_loginType_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alertdata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n let alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\n | extend\n EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", \"Failure\"),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = alertInfo_createdAt_t,\n SrcIpAddr = alertInfo_srcMachineIp_s,\n ActingAppName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSubType = alertInfo_loginType_s,\n RuleName = ruleInfo_name_s,\n TargetUserId = 
alertInfo_loginAccountSid_s,\n TargetUsername = alertInfo_loginsUserName_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n Rule = RuleName,\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\n union activitydata, alertdatawiththreatfield\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"Authentication\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct),\n EventEndTime = EventStartTime,\n EventUid = _ItemId,\n User = TargetUsername\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n ipAddress,\n username,\n accountName,\n fullScopeDetails,\n fullScopeDetailsPath,\n role,\n scopeLevel,\n source,\n sourceType,\n userScope,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ItemId,\n _ResourceId,\n ThreatConfidence_*\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json index a370118546f..459c848a9a9 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json 
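Review bot: The new top-level `Microsoft.OperationalInsights/workspaces/savedSearches` resource keeps `"location": "[parameters('WorkspaceRegion')]"` as a context line carried over from the removed workspace resource, but a saved search is a child of the workspace and, as far as I recall, the 2020-08-01 savedSearches resource does not define a `location` property; if that is right the line is at best ignored on deployment and `WorkspaceRegion` becomes a parameter nothing consumes. Worth confirming against the resource schema and then either dropping the line (and the parameter, if this is its only use) or documenting in whatever produces these templates why it is retained. The same pattern is repeated in the ASimAuthenticationSshd hunk below and appears to be in the ASimAuthenticationSu hunk that runs past this chunk, so if these ARM files are generated from the parser YAML the fix belongs in the generator rather than in each JSON file. Dropping the parent workspace resource with its `2017-03-15-preview` PUT is a good change in itself, since the template no longer needs rights to modify the workspace.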
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSshd')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSshd", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for OpenSSH sshd", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSshd", - "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | parse SyslogMessage with \"Accepted password for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format \"Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 
'Failed')\n )\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon',\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, 
ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and 
SyslogMessage startswith \"Nasty PTR record\"\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout (disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled=disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + 
"properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for OpenSSH sshd", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSshd", + "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | parse SyslogMessage with \"Accepted password for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format \"Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon',\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Logoff - 
Timeout\n let SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 
'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout 
(disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled=disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json index e98e448189d..a02544c60b8 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSu')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSu", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Linux su", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSu", - "query": "let parser = (disabled: bool=false)\n{\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n};\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SuDisconnect(disabled = disabled),\n SuSignInAuthorized (disabled = disabled)\n | invoke 
_ASIM_ResolveDvcFQDN ('Computer')\n | extend\n ActingAppId = tostring(ProcessID),\n ActingAppType = 'Process',\n ActorUsernameType = 'Simple',\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'su',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventSeverity = 'Informational',\n EventStartTime = TimeGenerated,\n EventVendor = 'Linux',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n};\nparser\n(\n disabled=disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Linux su", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSu", + "query": "let parser = (disabled: bool=false)\n{\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\n | extend\n EventType = 'Elevation'\n | 
project-away SyslogMessage, ProcessName\n};\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SuDisconnect(disabled = disabled),\n SuSignInAuthorized (disabled = disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend\n ActingAppId = tostring(ProcessID),\n ActingAppType = 'Process',\n ActorUsernameType = 'Simple',\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'su',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventSeverity = 'Informational',\n EventStartTime = TimeGenerated,\n EventVendor = 'Linux',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n};\nparser\n(\n disabled=disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json index 787a1217f61..3b711fb19b8 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationSudo')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationSudo", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Syslog sudo", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationSudo", - "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where 
ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n// ************************\n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false \n SudoSignInAuthorized(disabled = disabled), \n SudoAuthFailure1(disabled = disabled), \n SudoDisconnect(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - 
} - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Syslog sudo", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSudo", + "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 
'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n// ************************\n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false \n SudoSignInAuthorized(disabled = disabled), \n SudoAuthFailure1(disabled = disabled), \n SudoDisconnect(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json index cfd10c5c9e3..a116ee78fbc 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json 
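Review bot: In `SudoSignInAuthorized` on the `+ "query"` line, the match `ProcessName == "sudo" and SyslogMessage has 'TTY=' and SyslogMessage has 'USER=' and SyslogMessage has 'COMMAND='` also selects the denial lines that `SudoAuthFailure1` parses — that function runs `parse-kv SyslogMessage as (TTY, PWD, USER, COMMAND)` on the `user NOT in sudoers` / `incorrect password attempts` messages, so those messages carry the same fields — and the `union` then emits each refused sudo twice, once as `EventResult = 'Success'` with `EventOriginalRestultDetails = 'Connection authorized'`. A detection keyed on successful sudo would fire on refused attempts. The commit only flattens the ARM resource (the query string is byte-identical on both sides), so the fix belongs in the YAML source this template is generated from, e.g. `| where ProcessName == "sudo" and SyslogMessage has 'TTY=' and SyslogMessage has 'USER=' and SyslogMessage has 'COMMAND=' and not(SyslogMessage has_any ('user NOT in sudoers', 'incorrect password attempts'))`. The misspelled `EventOriginalRestultDetails` (three occurrences) is carried over as well and will never populate the schema's `EventOriginalResultDetails` column that the other parsers in this diff set.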
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationVMwareCarbonBlackCloud", - "query": "let parser = (disabled: bool=false) {\n CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where description_s has_any (\"logged in\", \"login\",\"second factor authentication\") and description_s !has \"connector\"\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\n EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\")\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"VMware\",\n EventType = \"Logon\",\n EventResultDetails = case(\n EventResult == \"Failure\" and description_s has (\"locked\"),\n \"User locked\",\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n \"Incorrect password\",\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n \"MFA not satisfied\",\n \"\"\n ),\n EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), 
\"\")\n | project-rename\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n TargetUsername = loginName_s,\n SrcIpAddr = clientIp_s,\n EventUid=_ItemId,\n EventOwner = orgName_s\n | extend\n IpAddr = SrcIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId \n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationVMwareCarbonBlackCloud", + "query": "let parser = (disabled: bool=false) {\n CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where description_s has_any (\"logged in\", \"login\",\"second factor authentication\") and description_s !has \"connector\"\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\n EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\")\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"VMware\",\n EventType = \"Logon\",\n EventResultDetails = case(\n EventResult == \"Failure\" and description_s has (\"locked\"),\n \"User locked\",\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n \"Incorrect password\",\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n \"MFA not satisfied\",\n \"\"\n ),\n EventOriginalResultDetails = iff(EventResult == 
\"Failure\", tostring(split(description_s, ';')[1]), \"\")\n | project-rename\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n TargetUsername = loginName_s,\n SrcIpAddr = clientIp_s,\n EventUid=_ItemId,\n EventOwner = orgName_s\n | extend\n IpAddr = SrcIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId \n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json index 1d1acc98e3a..3edcdb6a2e7 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationVectraXDRAudit')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimAuthenticationVectraXDRAudit", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Vectra XDR Audit Logs Event", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationVectraXDRAudit", - "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s in (\"login\",\"logout\")\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\n EventVendor = 'Vectra',\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)", - "version": 1, - 
"functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationVectraXDRAudit", + "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s in (\"login\",\"logout\")\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\n EventVendor = 'Vectra',\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json index 44182cceee9..91294129c1f 100644 --- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json 
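Review bot: `ActorUserId = tostring(toint(user_id_d))` and `EventUid = tostring(toint(id_d))` in the `+ "query"` line silently yield an empty string once the source value exceeds the int32 range, because `toint()` returns null on overflow; for an audit-record id that presumably grows monotonically this would drop `EventUid` on newer events, which breaks deduplication and correlation without any error. `tolong()` (`ActorUserId = tostring(tolong(user_id_d))`, `EventUid = tostring(tolong(id_d))`) avoids that. The query is unchanged by this commit, so the correction belongs in the YAML source the template is generated from.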
@@ -278,6 +278,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationIllumioSaaSCore", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", @@ -838,6 +858,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationIllumioSaaSCore", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json index 491e586aa80..1a2e8bf4b44 100644 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json 
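Review bot: The two added `linkedASimAuthenticationIllumioSaaSCore` / `linkedvimAuthenticationIllumioSaaSCore` deployments resolve `templateLink.uri` from `raw.githubusercontent.com/Azure/Azure-Sentinel/master/...`, so what is deployed into the workspace is whatever is on `master` at deploy time, and `"contentVersion": "1.0.0.0"` neither pins nor verifies that content. This matches the existing entries in the file, but anyone who needs a reproducible, reviewable deployment should pin the URI to a release tag or commit SHA (e.g. `.../Azure-Sentinel/<commit>/Parsers/ASimAuthentication/ARM/...`) or serve the parser templates from a location they control. The referenced `ASimAuthenticationIllumioSaaSCore` and `vimAuthenticationIllumioSaaSCore` template files are not part of this hunk, so their presence at that path cannot be confirmed from here.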
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imAuthentication')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imAuthentication", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled 
or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO 
(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , 
vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= 
(imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imAuthentication", + "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, 
eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , 
vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, 
eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in 
(DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, 
targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, 
eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json index 8722f71293a..27831bbafe5 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json 
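Review bot: The disable key for the newly added source parser on the new side is `ExcludevimAuthenticationIllumioSaaS`, while the parser it gates is `vimAuthenticationIllumioSaaSCore`; every other entry in this union uses `Excludevim` followed by the exact parser name (e.g. `ExcludevimAuthenticationVMwareCarbonBlackCloud`), and that naming is what an operator follows when adding a row to the `ASimDisabledParsers` watchlist. As written, a watchlist entry `ExcludevimAuthenticationIllumioSaaSCore` would not disable this parser, and only `Any` or `ExcludeimAuthenticationBuiltIn` would switch it off. The condition should read `disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaSCore' in (DisabledParsers) ))`; since this ARM file appears to be generated from the parser YAML, the fix presumably belongs in that YAML source rather than in this file alone.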
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationAADManagedIdentitySignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationAADManagedIdentitySignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID managed identity sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs", - "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\n 
\"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", \"Session 
expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n 
eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADManagedIdentitySignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = ServicePrincipalName\n ,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsft/Entra ID'\n ,\n LogonMethod = \"Managed Identity\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Application'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'EntraID'\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": 
"Authentication ASIM filtering parser for Microsoft Entra ID managed identity sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs", + "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\n \"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - 
EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", \"Session expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\", 
\"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADManagedIdentitySignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 
0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = ServicePrincipalName\n ,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsft/Entra ID'\n ,\n LogonMethod = \"Managed Identity\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Application'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'EntraID'\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n 
targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json index 5e200c0f92b..0ba0304ae2a 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationAADNonInteractiveUserSignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationAADNonInteractiveUserSignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID non-interactive sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs", - "query": "let FailedReason=datatable(ResultType: string, EventResultDetails: string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n];\nlet AADNIAuthentication=(starttime: 
datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n AADNonInteractiveUserSignInLogs\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(todynamic(DeviceDetail).displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventCount=int(1)\n ,\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\n ,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime= TimeGenerated\n ,\n EventType= 'Logon'\n ,\n SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n ,\n SrcHostname 
=tostring(todynamic(DeviceDetail).displayName)\n ,\n SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n ,\n Location = todynamic(LocationDetails)\n ,\n TargetAppId = ResourceIdentity \n ,\n EventSubType = 'NonInteractive'\n ,\n TargetUsernameType='UPN'\n ,\n TargetUserIdType='EntraID'\n ,\n TargetAppName=ResourceDisplayName\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n SrcGeoCity=tostring(Location.city)\n ,\n SrcGeoCountry=tostring(Location.countryOrRegion)\n ,\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n ,\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n ,\n LogonMethod = AuthenticationRequirement\n ,\n HttpUserAgent=UserAgent\n ,\n TargetSessionId=CorrelationId\n ,\n TargetUserId = UserId\n ,\n TargetUsername=UserPrincipalName\n ,\n SrcIpAddr = IPAddress\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | lookup FailedReason on ResultType\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n User=TargetUsername\n ,\n LogonTarget=ResourceIdentity\n ,\n Dvc=EventVendor\n // -- Entity identifier explicit aliases\n ,\n TargetUserUpn = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nAADNIAuthentication(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID non-interactive sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs", + "query": "let FailedReason=datatable(ResultType: string, EventResultDetails: string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or 
password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n];\nlet AADNIAuthentication=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n AADNonInteractiveUserSignInLogs\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(todynamic(DeviceDetail).displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done 
later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventCount=int(1)\n ,\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\n ,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime= TimeGenerated\n ,\n EventType= 'Logon'\n ,\n SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n ,\n SrcHostname =tostring(todynamic(DeviceDetail).displayName)\n ,\n SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n ,\n Location = todynamic(LocationDetails)\n ,\n TargetAppId = ResourceIdentity \n ,\n EventSubType = 'NonInteractive'\n ,\n TargetUsernameType='UPN'\n ,\n TargetUserIdType='EntraID'\n ,\n TargetAppName=ResourceDisplayName\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n SrcGeoCity=tostring(Location.city)\n ,\n SrcGeoCountry=tostring(Location.countryOrRegion)\n ,\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n ,\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n ,\n LogonMethod = AuthenticationRequirement\n ,\n HttpUserAgent=UserAgent\n ,\n TargetSessionId=CorrelationId\n ,\n TargetUserId = UserId\n ,\n TargetUsername=UserPrincipalName\n ,\n SrcIpAddr = IPAddress\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | lookup FailedReason on ResultType\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n User=TargetUsername\n ,\n LogonTarget=ResourceIdentity\n ,\n Dvc=EventVendor\n // -- Entity identifier explicit aliases\n ,\n TargetUserUpn = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nAADNIAuthentication(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json index 55c5bb1a195..37eb5245a83 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationAADServicePrincipalSignInLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationAADServicePrincipalSignInLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID service principal sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs", - "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\n 
\"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", \"Session 
expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\",\n \"7000222\", \"Session expired\", \"Logon\", \"Failure\", \"7000222 - The provided client secret keys are expired\", \"Low\",\n \"70021\", \"No such user\", \"Logon\", \"Failure\", \"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"500341\", \"User disabled\", \"Logon\", \"Failure\", \"500341 - The user account has been deleted from the directory\", \"Low\",\n \"1002016\", \"Logon violates policy\", \"Logon\", \"Failure\", \"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\", \"Logon\", \"Failure\", \"7000215 - Invalid client secret is provided\", \"Low\",\n \"90033\", \"Transient error\", \"Logon\", \"Failure\", \"90033 - A transient error has 
occurred\", \"Informational\",\n \"90024\", \"Transient error\", \"Logon\", \"Failure\", \"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADServicePrincipalSignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = ServicePrincipalName\n 
,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsft/Entra ID'\n ,\n LogonMethod = \"Service Principal\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Service'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'EntraID'\n | extend\n LocationDetails = todynamic(LocationDetails)\n | extend\n SrcGeoCity = tostring(LocationDetails.city)\n ,\n SrcGeoCountry = Location\n ,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude)\n ,\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude)\n ,\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser \n(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n 
targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID service principal sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs", + "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", 
\"Low\",\n \"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", 
\"Session expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\",\n \"7000222\", \"Session expired\", \"Logon\", \"Failure\", \"7000222 - The provided client secret keys are expired\", \"Low\",\n \"70021\", \"No such user\", \"Logon\", \"Failure\", \"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"500341\", \"User disabled\", \"Logon\", \"Failure\", \"500341 - The user account has been deleted from the directory\", \"Low\",\n \"1002016\", \"Logon violates policy\", \"Logon\", \"Failure\", \"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\", \"Logon\", \"Failure\", \"7000215 - Invalid client secret is provided\", \"Low\",\n \"90033\", \"Transient error\", \"Logon\", \"Failure\", \"90033 - A transient 
error has occurred\", \"Informational\",\n \"90024\", \"Transient error\", \"Logon\", \"Failure\", \"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADServicePrincipalSignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = 
ServicePrincipalName\n ,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsft/Entra ID'\n ,\n LogonMethod = \"Service Principal\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Service'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'EntraID'\n | extend\n LocationDetails = todynamic(LocationDetails)\n | extend\n SrcGeoCity = tostring(LocationDetails.city)\n ,\n SrcGeoCountry = Location\n ,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude)\n ,\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude)\n ,\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser \n(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n 
targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json index bdad4fa2c1d..4a9ed414f0b 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationSigninLogs')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSigninLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID interactive sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSigninLogs", - "query": "let FailedReason=datatable(ResultType: string, EventResultDetails: string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n];\nlet UserTypeLookup = datatable (UserType: string, TargetUserType: string) [\n 'Member', 'Regular',\n 'Guest', 
'Guest', \n '', ''\n];\nlet AADSigninLogs=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n SigninLogs\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(DeviceDetail.displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\n ,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime= TimeGenerated\n ,\n EventType= 'Logon'\n ,\n SrcDvcId=tostring(DeviceDetail.deviceId)\n ,\n SrcDvcHostname = 
tostring(DeviceDetail.displayName) // Backword Compatibility. Will be removed by July 2024\n ,\n SrcHostname = tostring(DeviceDetail.displayName)\n ,\n SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n ,\n Location = todynamic(LocationDetails)\n ,\n TargetUsernameType='Upn'\n ,\n TargetUserIdType='EntraID'\n ,\n SrcIpAddr = IPAddress\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n SrcGeoCity=tostring(Location.city)\n ,\n SrcGeoCountry=tostring(Location.countryOrRegion)\n ,\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n ,\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | project-rename\n EventOriginalUid =Id\n ,\n LogonMethod = AuthenticationRequirement\n ,\n HttpUserAgent=UserAgent\n ,\n TargetSessionId=CorrelationId\n ,\n TargetUserId = UserId\n ,\n TargetUsername=UserPrincipalName\n ,\n TargetAppId = ResourceIdentity\n ,\n TargetAppName=ResourceDisplayName\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n LogonTarget=TargetAppName\n ,\n Dvc=EventVendor\n // -- Entity identifier explicit aliases\n ,\n TargetUserUpn = TargetUsername\n ,\n TargetUserAadId = TargetUserId \n};\nAADSigninLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID interactive sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSigninLogs", + "query": "let FailedReason=datatable(ResultType: string, EventResultDetails: string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No 
such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n];\nlet UserTypeLookup = datatable (UserType: string, TargetUserType: string) [\n 'Member', 'Regular',\n 'Guest', 'Guest', \n '', ''\n];\nlet AADSigninLogs=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n SigninLogs\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(DeviceDetail.displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // 
************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\n ,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime= TimeGenerated\n ,\n EventType= 'Logon'\n ,\n SrcDvcId=tostring(DeviceDetail.deviceId)\n ,\n SrcDvcHostname = tostring(DeviceDetail.displayName) // Backword Compatibility. Will be removed by July 2024\n ,\n SrcHostname = tostring(DeviceDetail.displayName)\n ,\n SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n ,\n Location = todynamic(LocationDetails)\n ,\n TargetUsernameType='Upn'\n ,\n TargetUserIdType='EntraID'\n ,\n SrcIpAddr = IPAddress\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n SrcGeoCity=tostring(Location.city)\n ,\n SrcGeoCountry=tostring(Location.countryOrRegion)\n ,\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n ,\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | project-rename\n EventOriginalUid =Id\n ,\n LogonMethod = AuthenticationRequirement\n ,\n HttpUserAgent=UserAgent\n ,\n TargetSessionId=CorrelationId\n ,\n TargetUserId = UserId\n ,\n TargetUsername=UserPrincipalName\n ,\n TargetAppId = ResourceIdentity\n ,\n TargetAppName=ResourceDisplayName\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n LogonTarget=TargetAppName\n ,\n Dvc=EventVendor\n // -- Entity identifier explicit aliases\n ,\n TargetUserUpn = TargetUsername\n ,\n TargetUserAadId = TargetUserId \n};\nAADSigninLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json index e9237fa3110..bd4c03b6727 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationAWSCloudTrail')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationAWSCloudTrail", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for AWS sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationAWSCloudTrail", - "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType: string, TargetUserType: string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role', 'Service', \n 'FederatedUser', 'Regular',\n 'Directory', 'Other',\n 'AWSAccount', 'Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (\n EventOriginalResultDetails: string,\n EventOriginalDetails: string\n) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', ''\n];\nlet ASIM_GetUsernameType = (username: string) { \n case ( \n username contains \"@\",\n \"UPN\"\n ,\n username contains \"\\\\\",\n \"Windows\"\n ,\n (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"),\n \"DN\"\n ,\n isempty(username),\n \"\"\n ,\n \"Simple\"\n)\n};\nlet parser= (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n 
targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n AWSCloudTrail\n | where not(disabled)\n // -- Pre filtering\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventName == 'ConsoleLogin'\n and ((array_length(username_has_any) == 0) or (UserIdentityArn has_any (username_has_any)) or (UserIdentityUserName has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SourceIpAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // -- end pre-filtering\n | project-rename\n EventOriginalUid = AwsEventId,\n EventOriginalResultDetails = ErrorMessage,\n TargetOriginalUserType = UserIdentityType,\n EventProductVersion = EventVersion,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetUserScopeId = UserIdentityAccountId,\n HttpUserAgent = UserAgent,\n EventUid = _ItemId\n | extend\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\",\n \"\",\n TargetOriginalUserType == 'IAMUser',\n UserIdentityUserName,\n TargetOriginalUserType == 'Root',\n 'root',\n TargetOriginalUserType == 'AssumedRole',\n tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. 
\n UserIdentityUserName\n )\n // Filtering on 'username_has_any'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n EventVendor = 'AWS',\n Dvc = 'AWS',\n EventProduct = 'CloudTrail',\n EventCount = int(1),\n EventSchemaVersion = '0.1.3',\n EventSchema = 'Authentication',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n EventSubType = 'Interactive',\n TargetUserIdType = 'AWSId',\n LogonProtocol = 'HTTPS',\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA', ''),\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure')\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl: string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n LogonTarget=tostring(split(TargetUrl, '?')[0]),\n EventSeverity = iff(EventResult == 'Failure', 'Low', 'Informational')\n // -- Specific idetifier aliases\n | extend \n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = EventVendor,\n Dst = LogonTarget,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n EventSource,\n EventTypeName,\n EventName,\n ResponseElements,\n AdditionalEventData,\n 
Session*,\n Category,\n ErrorCode,\n Aws*,\n ManagementEvent,\n OperationName,\n ReadOnly,\n RequestParameters,\n Resources,\n ServiceEventDetails,\n SharedEventId,\n SourceSystem,\n UserIdentity*,\n VpcEndpointId,\n APIVersion,\n RecipientAccountId,\n TenantId,\n EC2RoleDelivery,\n temp_*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for AWS sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAWSCloudTrail", + "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType: string, TargetUserType: string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role', 'Service', \n 'FederatedUser', 'Regular',\n 'Directory', 'Other',\n 'AWSAccount', 'Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (\n EventOriginalResultDetails: string,\n EventOriginalDetails: string\n) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', 
''\n];\nlet ASIM_GetUsernameType = (username: string) { \n case ( \n username contains \"@\",\n \"UPN\"\n ,\n username contains \"\\\\\",\n \"Windows\"\n ,\n (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"),\n \"DN\"\n ,\n isempty(username),\n \"\"\n ,\n \"Simple\"\n)\n};\nlet parser= (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n AWSCloudTrail\n | where not(disabled)\n // -- Pre filtering\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventName == 'ConsoleLogin'\n and ((array_length(username_has_any) == 0) or (UserIdentityArn has_any (username_has_any)) or (UserIdentityUserName has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SourceIpAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // -- end pre-filtering\n | project-rename\n EventOriginalUid = AwsEventId,\n EventOriginalResultDetails = ErrorMessage,\n TargetOriginalUserType = UserIdentityType,\n EventProductVersion = EventVersion,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetUserScopeId = UserIdentityAccountId,\n HttpUserAgent = UserAgent,\n EventUid = _ItemId\n | extend\n TargetUsername = case (\n 
UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\",\n \"\",\n TargetOriginalUserType == 'IAMUser',\n UserIdentityUserName,\n TargetOriginalUserType == 'Root',\n 'root',\n TargetOriginalUserType == 'AssumedRole',\n tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. \n UserIdentityUserName\n )\n // Filtering on 'username_has_any'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n EventVendor = 'AWS',\n Dvc = 'AWS',\n EventProduct = 'CloudTrail',\n EventCount = int(1),\n EventSchemaVersion = '0.1.3',\n EventSchema = 'Authentication',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n EventSubType = 'Interactive',\n TargetUserIdType = 'AWSId',\n LogonProtocol = 'HTTPS',\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA', ''),\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure')\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl: string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n LogonTarget=tostring(split(TargetUrl, '?')[0]),\n EventSeverity = iff(EventResult == 'Failure', 
'Low', 'Informational')\n // -- Specific idetifier aliases\n | extend \n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = EventVendor,\n Dst = LogonTarget,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n EventSource,\n EventTypeName,\n EventName,\n ResponseElements,\n AdditionalEventData,\n Session*,\n Category,\n ErrorCode,\n Aws*,\n ManagementEvent,\n OperationName,\n ReadOnly,\n RequestParameters,\n Resources,\n ServiceEventDetails,\n SharedEventId,\n SourceSystem,\n UserIdentity*,\n VpcEndpointId,\n APIVersion,\n RecipientAccountId,\n TenantId,\n EC2RoleDelivery,\n temp_*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json index f7ecd4a50fe..c129ab1db40 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationBarracudaWAF", - "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string,\n TimeGenerated: datetime\n )[];\n let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n ];\n let EventTypeLookup = datatable (\n EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n )\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n ];\n let EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n )\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User 
locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n ];\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) { \n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (AdminName_s has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(LoginIP_s, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering for eventtype_in done later in the parser\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n // Filtering on eventtype_in and eventresult\n | where 
((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n temp_*,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor startswith \"Barracuda\"\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (DestinationUserName has_any (username_has_any)))\n and 
(array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering for eventtype_in done later in the parser\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n // Filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"), \n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n temp_*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\n union isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Barracuda WAF", + "category": "ASIM", + 
"FunctionAlias": "vimAuthenticationBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string,\n TimeGenerated: datetime\n )[];\n let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n ];\n let EventTypeLookup = datatable (\n EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n )\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n ];\n let EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n )\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n ];\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) { \n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == 
\"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (AdminName_s has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(LoginIP_s, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering for eventtype_in done later in the parser\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n // Filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n // mapping ASimMatchingUsername\n | extend 
temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n temp_*,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor startswith \"Barracuda\"\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (DestinationUserName has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering for eventtype_in done later in the parser\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n 
| extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n // Filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"), \n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n temp_*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\n union isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json index f8d05114a53..7f66de9ad1c 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationCiscoASA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationCiscoASA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering for Cisco Device Logon Events", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationCiscoASA", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n let DeviceEventClassIDLookup = datatable (\n DeviceEventClassID: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n DvcAction: string,\n EventSubType: string\n )\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", 
\"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity: string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog \n | where 
not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime) \n | where DeviceVendor =~ \"Cisco\"\n and DeviceProduct == \"ASA\"\n and DeviceEventClassID in(FilteredDeviceEventClassID)\n and ((array_length(username_has_any) == 0) or (Message has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(Message, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend EventOriginalSeverity = tostring(split(Message, \"-\", 1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project\n TimeGenerated,\n Type,\n Computer,\n _ItemId,\n DeviceEventClassID,\n Message,\n DeviceAddress,\n EventOriginalSeverity,\n EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID\n // Filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and (eventresult == \"*\" or (EventResult == eventresult));\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and 
((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004, 605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber: int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101, 611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008, 113012)\n | parse Message with * 'user = ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | where ((array_length(username_has_any) == 0) or 
(TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039, 716002, 716039, 722022, 722023, 722028, 722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | where ((array_length(username_has_any) == 0) 
or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003, 772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any 
(username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n )\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n ) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + 
"properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering for Cisco Device Logon Events", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoASA", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n let DeviceEventClassIDLookup = datatable (\n DeviceEventClassID: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n DvcAction: string,\n EventSubType: string\n )\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", 
\"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity: string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog \n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime) \n | where DeviceVendor =~ \"Cisco\"\n and DeviceProduct == \"ASA\"\n and DeviceEventClassID in(FilteredDeviceEventClassID)\n and ((array_length(username_has_any) == 0) or (Message has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(Message, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in 
source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend EventOriginalSeverity = tostring(split(Message, \"-\", 1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project\n TimeGenerated,\n Type,\n Computer,\n _ItemId,\n DeviceEventClassID,\n Message,\n DeviceAddress,\n EventOriginalSeverity,\n EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID\n // Filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and (eventresult == \"*\" or (EventResult == eventresult));\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004, 605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber: int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101, 611102)\n | parse Message with * 'IP address: ' 
SrcIpAddr ', Uname: ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008, 113012)\n | parse Message with * 'user = ' TargetUsername\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039, 716002, 716039, 722022, 722023, 722028, 722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n 
LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | where ((array_length(username_has_any) == 0) or 
(TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003, 772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0))\n | project-away Message\n )\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n ) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json index 8a54df6685a..9f0e6492869 100644 
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuthenticationCiscoISE')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuthenticationCiscoISE",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Authentication ASIM filtering parser for Cisco ISE",
- "category": "ASIM",
- "FunctionAlias": "vimAuthenticationCiscoISE",
- "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n)[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password 
authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. 
Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to 
login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is 
unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user 
failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. 
See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. 
The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n // ************************** ******************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (SyslogMessage has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************** *****************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" 
EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in~ (eventresultdetails_in)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n ,\n TargetIpAddr=DestinationIPAddress\n ,\n TargetPortNumber=DestinationPort\n ,\n TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n ,\n SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n ,\n EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n ,\n SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n // ********************** 
**********************************\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = \"Cisco\"\n ,\n EventProduct = \"ISE\"\n ,\n EventProductVersion = \"3.2\"\n ,\n EventCount = int(1)\n ,\n EventSchema = \"Authentication\"\n ,\n EventSchemaVersion = \"0.1.3\" \n // ************************* **********************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n ,\n IpAddr = SrcIpAddr\n ,\n Dst = TargetIpAddr\n ,\n Src = SrcIpAddr\n ,\n User = TargetUsername\n // ************************* ******************** \n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoISE", + "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n)[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", 
\"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. 
ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI 
user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", 
\"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. 
For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. 
Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n // ************************** ******************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (SyslogMessage has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************** *****************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" 
EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in~ (eventresultdetails_in)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n ,\n TargetIpAddr=DestinationIPAddress\n ,\n TargetPortNumber=DestinationPort\n ,\n TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n ,\n SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n ,\n EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n ,\n SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n // ********************** 
**********************************\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = \"Cisco\"\n ,\n EventProduct = \"ISE\"\n ,\n EventProductVersion = \"3.2\"\n ,\n EventCount = int(1)\n ,\n EventSchema = \"Authentication\"\n ,\n EventSchemaVersion = \"0.1.3\" \n // ************************* **********************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n ,\n IpAddr = SrcIpAddr\n ,\n Dst = TargetIpAddr\n ,\n Src = SrcIpAddr\n ,\n User = TargetUsername\n // ************************* ******************** \n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json index 301eae01b10..c532545e5fe 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationCiscoMeraki", - "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", 
\"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n (\n meraki_CL\n | project-rename LogMessage = Message\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\", \"auth_neg_failed\"))\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or LogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | 
extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType: string \" \" restOfMessage: string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n // post-filtering username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n // post-filtering srcipaddr_has_any_prefix\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoMeraki", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n 
[\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n (\n meraki_CL\n | project-rename LogMessage = Message\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\", \"auth_neg_failed\"))\n and 
(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or LogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType: string \" \" restOfMessage: string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n // post-filtering username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n // post-filtering srcipaddr_has_any_prefix\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json index 4f613d7fcb5..4bc127598cc 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json 
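Review bot: `EventUid = _ResourceId` in the new-side query (the `extend` that also sets `TargetUsernameType`) does not give each record a unique identifier: `_ResourceId` is an Azure resource identifier shared by every row the same resource ingests, so any dedup, alert grouping or incident correlation keyed on EventUid would collapse distinct authentication events into one; ASIM parsers conventionally use the per-row `_ItemId` here, `EventUid = _ItemId`. This is carried over unchanged from the old side, so the restructure itself does not introduce it, but it is the line most worth fixing while the template is being touched. Separately, `DvcIpAddr = SrcIpAddr` and `DvcMacAddr = client_mac` copy client attributes onto the reporting-device fields even though `Dvc`/`DvcHostname` is resolved from `Device` via `_ASIM_ResolveDvcFQDN`; that looks like a Src/Dvc mapping inversion and is worth confirming against the Meraki event format before it feeds device-centric detections. The `extract_all` pattern `(\d+.\d+)` also leaves the decimal point unescaped, so it matches any character between the digit runs; `(\d+\.\d+)` pins it to the epoch format that the later `split(Epoch, ".")` assumes.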
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationCiscoMerakiSyslog", - "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", 
\"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\", \"auth_neg_failed\"))\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or LogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = 
tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType: string \" \" restOfMessage: string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n // post-filtering username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n // post-filtering srcipaddr_has_any_prefix\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,ASimMatchingUsername,CollectorHostName,temp_isMatchTargetUsername\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoMerakiSyslog", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", 
\"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n (\n Syslog\n | where Computer in 
(_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\", \"auth_neg_failed\"))\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or LogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType: string \" \" restOfMessage: string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n // post-filtering username_has_any\n | where 
((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n // post-filtering srcipaddr_has_any_prefix\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,ASimMatchingUsername,CollectorHostName,temp_isMatchTargetUsername\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json index b6d0da4265a..173c6524ef2 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationCrowdStrikeFalconHost')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationCrowdStrikeFalconHost", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationCrowdStrikeFalconHost", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = ( \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n and (DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\"))\n and ((array_length(username_has_any) == 0) or DestinationUserName has_any (username_has_any))\n and 
(array_length(targetappname_has_any) == 0 or ProcessName has_any (targetappname_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and array_length(eventresultdetails_in) == 0 // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventType = \"Logon\"\n | where (eventresult == '*' or eventresult =~ EventResult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename \n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n temp_*\n};\nparser(\n starttime=datetime(null),\n endtime=datetime(null),\n username_has_any=dynamic([]),\n targetappname_has_any=dynamic([]),\n srcipaddr_has_any_prefix=dynamic([]),\n srchostname_has_any=dynamic([]),\n eventtype_in=dynamic([]),\n eventresultdetails_in=dynamic([]),\n eventresult=dynamic([]),\n disabled=false\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM 
Authentication parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = ( \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n and (DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\"))\n and ((array_length(username_has_any) == 0) or DestinationUserName has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0 or ProcessName has_any (targetappname_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and array_length(eventresultdetails_in) == 0 // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventType = \"Logon\"\n | where (eventresult == '*' or eventresult =~ EventResult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup 
EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename \n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n 
temp_*\n};\nparser(\n starttime=datetime(null),\n endtime=datetime(null),\n username_has_any=dynamic([]),\n targetappname_has_any=dynamic([]),\n srcipaddr_has_any_prefix=dynamic([]),\n srchostname_has_any=dynamic([]),\n eventtype_in=dynamic([]),\n eventresultdetails_in=dynamic([]),\n eventresult=dynamic([]),\n disabled=false\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json index db7650c0abd..21b838f848b 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json 
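Review bot: The new-side query of vimAuthenticationCrowdStrikeFalconHost still ends with `parser(starttime=datetime(null), endtime=datetime(null), username_has_any=dynamic([]), …, eventresult=dynamic([]), disabled=false)` (start of this line), so none of the filtering parameters declared in `functionParameters` reach the inner `parser` lambda and the function always returns the unfiltered result, while `eventresult=dynamic([])` is also handed to a parameter declared `eventresult: string = '*'`. Detection content that calls this filtering parser with `username_has_any` or a time window would silently get the whole table back. The closing invocation should pass the outer parameters through as the Meraki template does: `parser(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)`. This ARM template appears to be generated from the parser's YAML source, so the correction belongs there and this file should then be regenerated; the defect predates this commit but is carried over onto its new side.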
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationEmpty", - "query": "let EmptyAuthenticationTable=datatable(\n EventProduct:string\n , EventProductVersion: string\n , EventVendor:string\n , EventCount:int\n , EventReportUrl:string\n , EventSchemaVersion:string\n , EventSchema:string\n , TimeGenerated:datetime\n , EventOriginalUid:string\n , EventOriginalType:string\n , EventOriginalSubType:string\n , EventMessage:string\n , EventResult:string\n , EventResultDetails:string\n , EventOriginalResultDetails:string\n , EventStartTime:datetime\n , EventEndTime:datetime\n , EventType:string\n , EventSubType:string\n , EventUid:string\n , EventSeverity:string\n , EventOriginalSeverity:string\n , EventOwner:string\n , ActorSessionId:string\n , TargetSessionId:string\n , ActorUserId:string\n , ActorUsername:string\n , ActorUserType:string\n , ActorUserIdType:string\n , ActorUsernameType:string\n , ActorScopeId:string\n , ActorOriginalUserType:string\n , TargetUserId:string\n , TargetUsername:string\n , TargetUserType:string\n , SrcDvcId:string\n , SrcDvcIdType:string\n , SrcDeviceType:string\n , SrcDvcOs:string\n , HttpUserAgent:string\n , SrcIsp:string\n , SrcGeoCity:string\n , SrcGeoCountry:string\n , SrcGeoRegion:string\n , SrcGeoLatitude:real\n , SrcGeoLongitude:real\n , 
SrcIpAddr:string\n , SrcPortNumber:string\n , SrcHostname:string\n , SrcDomain:string\n , SrcDomainType:string\n , SrcFQDN:string\n , SrcDescription:string\n , SrcDvcScopeId:string\n , SrcRiskLevel:int\n , SrcOriginalRiskLevel:string\n , ActingAppId:string\n , ActingAppName:string\n , ActingAppType:string\n , ActingOriginalAppType:string\n , TargetAppId:string\n , TargetAppName:string\n , TargetAppType:string\n , TargetOriginalAppType:string\n , TargetDvcId:string\n , TargetDvcIdType:string\n , TargetHostname:string\n , TargetDomain:string\n , TargetDomainType:string\n , TargetFQDN:string\n , TargetDescription:string\n , TargetDeviceType:string\n , TargetIpAddr:string\n , TargetDvcOs:string\n , TargetUrl:string\n , TargetPortNumber:int\n , TargetDvcScope:string\n , TargetDvcScopeId:string\n , TargetGeoCity:string\n , TargetGeoCountry:string\n , TargetGeoRegion:string\n , TargetGeoLatitude:real\n , TargetGeoLongitude:real\n , LogonMethod: string\t\n , LogonProtocol: string\t\n , TargetUserIdType: string\t\n , TargetUsernameType: string\t\n , UserScope:string\n , UserScopeId:string\n , TargetOriginalUserType:string\n , TargetUserSessionId:string\n , User: string\t\n , IpAddr: string\n , SrcDvcHostnameType: string\t\n , LogonTarget: string\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n , AdditionalFields:dynamic\n , Type:string\n , Src:string\n , Dst:string\n , Rule:string\n , RuleName:string\n , RuleNumber:int\n , ThreatId:string\n , ThreatName:string\n , ThreatCategory:string\n , ThreatOriginalRiskLevel:string\n , ThreatOriginalConfidence:string\n , ThreatIsActive:bool\n , ThreatField:string\n , ThreatConfidence:int\n , ThreatRiskLevel:string\n , 
ThreatFirstReportedTime:datetime\n , ThreatLastReportedTime:datetime\n , Application:string\n )[];\nEmptyAuthenticationTable", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationEmpty", + "query": "let EmptyAuthenticationTable=datatable(\n EventProduct:string\n , EventProductVersion: string\n , EventVendor:string\n , EventCount:int\n , EventReportUrl:string\n , EventSchemaVersion:string\n , EventSchema:string\n , TimeGenerated:datetime\n , EventOriginalUid:string\n , EventOriginalType:string\n , EventOriginalSubType:string\n , EventMessage:string\n , EventResult:string\n , EventResultDetails:string\n , EventOriginalResultDetails:string\n , EventStartTime:datetime\n , EventEndTime:datetime\n , EventType:string\n , EventSubType:string\n , EventUid:string\n , EventSeverity:string\n , EventOriginalSeverity:string\n , EventOwner:string\n , ActorSessionId:string\n , TargetSessionId:string\n , ActorUserId:string\n , ActorUsername:string\n , ActorUserType:string\n , ActorUserIdType:string\n , ActorUsernameType:string\n , ActorScopeId:string\n , ActorOriginalUserType:string\n , TargetUserId:string\n , TargetUsername:string\n , TargetUserType:string\n , SrcDvcId:string\n , SrcDvcIdType:string\n , SrcDeviceType:string\n , SrcDvcOs:string\n , HttpUserAgent:string\n , SrcIsp:string\n , SrcGeoCity:string\n , SrcGeoCountry:string\n , SrcGeoRegion:string\n , SrcGeoLatitude:real\n , SrcGeoLongitude:real\n , SrcIpAddr:string\n , SrcPortNumber:string\n , SrcHostname:string\n , SrcDomain:string\n , SrcDomainType:string\n , SrcFQDN:string\n , SrcDescription:string\n , SrcDvcScopeId:string\n , SrcRiskLevel:int\n , SrcOriginalRiskLevel:string\n , ActingAppId:string\n , ActingAppName:string\n , ActingAppType:string\n , ActingOriginalAppType:string\n , TargetAppId:string\n , TargetAppName:string\n , TargetAppType:string\n , TargetOriginalAppType:string\n , 
TargetDvcId:string\n , TargetDvcIdType:string\n , TargetHostname:string\n , TargetDomain:string\n , TargetDomainType:string\n , TargetFQDN:string\n , TargetDescription:string\n , TargetDeviceType:string\n , TargetIpAddr:string\n , TargetDvcOs:string\n , TargetUrl:string\n , TargetPortNumber:int\n , TargetDvcScope:string\n , TargetDvcScopeId:string\n , TargetGeoCity:string\n , TargetGeoCountry:string\n , TargetGeoRegion:string\n , TargetGeoLatitude:real\n , TargetGeoLongitude:real\n , LogonMethod: string\t\n , LogonProtocol: string\t\n , TargetUserIdType: string\t\n , TargetUsernameType: string\t\n , UserScope:string\n , UserScopeId:string\n , TargetOriginalUserType:string\n , TargetUserSessionId:string\n , User: string\t\n , IpAddr: string\n , SrcDvcHostnameType: string\t\n , LogonTarget: string\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n , AdditionalFields:dynamic\n , Type:string\n , Src:string\n , Dst:string\n , Rule:string\n , RuleName:string\n , RuleNumber:int\n , ThreatId:string\n , ThreatName:string\n , ThreatCategory:string\n , ThreatOriginalRiskLevel:string\n , ThreatOriginalConfidence:string\n , ThreatIsActive:bool\n , ThreatField:string\n , ThreatConfidence:int\n , ThreatRiskLevel:string\n , ThreatFirstReportedTime:datetime\n , ThreatLastReportedTime:datetime\n , Application:string\n )[];\nEmptyAuthenticationTable", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json index ddc8d23c6ec..f073b9a025d 100644 
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationGoogleWorkspace')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationGoogleWorkspace", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Google Workspace", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationGoogleWorkspace", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let GoogleWorkspaceSchema = datatable\n(\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n login_challenge_method_s: string,\n id_applicationName_s: string,\n affected_email_address_s: string,\n is_suspicious_b: bool,\n is_second_factor_b: bool,\n login_type_s: string,\n sensitive_action_name_s: string,\n login_challenge_status_s: string,\n TimeGenerated: datetime,\n _ItemId: string,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string\n)[];\n let EventFieldsLookup = datatable\n(\n EventOriginalSubType: string,\n EventType: string,\n 
EventResult: string,\n DvcAction: string\n)\n[\n \"login_success\", \"Logon\", \"Success\", \"Allowed\",\n \"login_failure\", \"Logon\", \"Failure\", \"Blocked\",\n \"login_challenge\", \"Logon\", \"\", \"\",\n \"login_verification\", \"Logon\", \"\", \"\",\n \"risky_sensitive_action_blocked\", \"Logon\", \"Failure\", \"Blocked\",\n \"riskay_sensitive_action_allowed\", \"Logon\", \"Success\", \"Allowed\",\n \"logout\", \"Logoff\", \"Success\", \"Allowed\",\n \"suspicious_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_login_less_secure_app\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_programmatic_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"user_signed_out_due_to_suspicious_session_cookie\", \"Logoff\", \"Success\", \"Allowed\"\n];\n let ThreatEventTypes = dynamic(['suspicious_login', 'suspicious_login_less_secure_app', 'suspicious_programmatic_login', 'user_signed_out_due_to_suspicious_session_cookie']);\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_login_CL\n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or actor_email_s has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or 'Google Workspace - login' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or (\"Logon\" in~ (eventtype_in)) or (\"Logoff\" in~ (eventtype_in)))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n and event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == 
$right.EventOriginalSubType\n // Filtering on 'eventresult' and eventtype_in\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | project-rename\n TargetUsername = actor_email_s,\n TargetUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n LogonMethod = login_challenge_method_s,\n EventOriginalType = event_type_s,\n EventOriginalUid = id_uniqueQualifier_s\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n TargetUsername = iif(event_name_s in (ThreatEventTypes), affected_email_address_s, TargetUsername),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserIdType = iif(isnotempty(TargetUserId), \"GWorkspaceProfileID\", \"\"),\n EventSeverity = iif(event_name_s in (ThreatEventTypes), \"High\", \"Informational\")\n | extend \n AdditionalFields = bag_pack\n (\n \"Is_Suspicious\",\n is_suspicious_b,\n \"Is_Second_Factor_b\",\n is_second_factor_b,\n \"Logon_Type\",\n login_type_s,\n \"Sensitive_Action_Name\",\n sensitive_action_name_s\n ),\n EventResult = case\n (\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"passed\",\n \"Success\",\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\",\n \"Failure\",\n EventResult\n ),\n EventResultDetails = iif(event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\", \"MFA not satisfied\", \"\"),\n RuleName = case\n (\n event_name_s == 'suspicious_login',\n \"Google has detected a suspicious login for TargetUSerName\",\n event_name_s == 
'suspicious_login_less_secure_app',\n \"Google has detected a suspicious login for TargetUSerName from a less secure app\",\n event_name_s == 'suspicious_programmatic_login',\n \"Google has detected a suspicious programmatic login for TargetUserName\",\n event_name_s == 'user_signed_out_due_to_suspicious_session_cookie',\n \"Suspicious session cookie detected for user TargetUserName\",\n \"\"\n ),\n ThreatField = iif(event_name_s in (ThreatEventTypes), \"TargetUserName\", \"\"),\n ThreatFirstReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null)),\n ThreatLastReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null))\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n EventOriginalSubType = event_name_s,\n TargetAppName = \"Google Workspace - login\",\n Dst = \"Google Workspace\",\n Application = \"Google Workspace\",\n TargetAppType = \"SaaS application\",\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n Dvc=\"Workspace\",\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventUid = _ItemId\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp*\n};\nparser\n(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Google Workspace", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationGoogleWorkspace", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let GoogleWorkspaceSchema = datatable\n(\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n login_challenge_method_s: string,\n id_applicationName_s: string,\n affected_email_address_s: string,\n is_suspicious_b: bool,\n is_second_factor_b: bool,\n login_type_s: string,\n sensitive_action_name_s: string,\n login_challenge_status_s: string,\n TimeGenerated: datetime,\n _ItemId: string,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string\n)[];\n let EventFieldsLookup = datatable\n(\n EventOriginalSubType: string,\n EventType: string,\n EventResult: string,\n DvcAction: string\n)\n[\n \"login_success\", \"Logon\", \"Success\", \"Allowed\",\n \"login_failure\", \"Logon\", \"Failure\", \"Blocked\",\n \"login_challenge\", \"Logon\", \"\", \"\",\n \"login_verification\", \"Logon\", \"\", \"\",\n 
\"risky_sensitive_action_blocked\", \"Logon\", \"Failure\", \"Blocked\",\n \"riskay_sensitive_action_allowed\", \"Logon\", \"Success\", \"Allowed\",\n \"logout\", \"Logoff\", \"Success\", \"Allowed\",\n \"suspicious_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_login_less_secure_app\", \"Logon\", \"Failure\", \"Blocked\",\n \"suspicious_programmatic_login\", \"Logon\", \"Failure\", \"Blocked\",\n \"user_signed_out_due_to_suspicious_session_cookie\", \"Logoff\", \"Success\", \"Allowed\"\n];\n let ThreatEventTypes = dynamic(['suspicious_login', 'suspicious_login_less_secure_app', 'suspicious_programmatic_login', 'user_signed_out_due_to_suspicious_session_cookie']);\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_login_CL\n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or actor_email_s has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or 'Google Workspace - login' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or (\"Logon\" in~ (eventtype_in)) or (\"Logoff\" in~ (eventtype_in)))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n and event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n // Filtering on 'eventresult' and eventtype_in\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | project-rename\n TargetUsername = actor_email_s,\n 
TargetUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n LogonMethod = login_challenge_method_s,\n EventOriginalType = event_type_s,\n EventOriginalUid = id_uniqueQualifier_s\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n TargetUsername = iif(event_name_s in (ThreatEventTypes), affected_email_address_s, TargetUsername),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserIdType = iif(isnotempty(TargetUserId), \"GWorkspaceProfileID\", \"\"),\n EventSeverity = iif(event_name_s in (ThreatEventTypes), \"High\", \"Informational\")\n | extend \n AdditionalFields = bag_pack\n (\n \"Is_Suspicious\",\n is_suspicious_b,\n \"Is_Second_Factor_b\",\n is_second_factor_b,\n \"Logon_Type\",\n login_type_s,\n \"Sensitive_Action_Name\",\n sensitive_action_name_s\n ),\n EventResult = case\n (\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"passed\",\n \"Success\",\n event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\",\n \"Failure\",\n EventResult\n ),\n EventResultDetails = iif(event_name_s in ('login_challenge', 'login_verification') and login_challenge_status_s == \"incorrect_answer_entered\", \"MFA not satisfied\", \"\"),\n RuleName = case\n (\n event_name_s == 'suspicious_login',\n \"Google has detected a suspicious login for TargetUSerName\",\n event_name_s == 'suspicious_login_less_secure_app',\n \"Google has detected a suspicious login for TargetUSerName from a less secure app\",\n event_name_s == 'suspicious_programmatic_login',\n \"Google has detected a suspicious programmatic login for TargetUserName\",\n event_name_s == 
'user_signed_out_due_to_suspicious_session_cookie',\n \"Suspicious session cookie detected for user TargetUserName\",\n \"\"\n ),\n ThreatField = iif(event_name_s in (ThreatEventTypes), \"TargetUserName\", \"\"),\n ThreatFirstReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null)),\n ThreatLastReportedTime = iif(event_name_s in (ThreatEventTypes), TimeGenerated, datetime(null))\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n EventOriginalSubType = event_name_s,\n TargetAppName = \"Google Workspace - login\",\n Dst = \"Google Workspace\",\n Application = \"Google Workspace\",\n TargetAppType = \"SaaS application\",\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n Dvc=\"Workspace\",\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventUid = _ItemId\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp*\n};\nparser\n(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
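Review bot: The `EventFieldsLookup` row `"riskay_sensitive_action_allowed"` in the new-side `query` looks like a typo for `risky_sensitive_action_allowed` (compare the neighbouring `"risky_sensitive_action_blocked"` row); because the prefilter keeps only `event_name_s in (SupportedEventNames)`, events carrying the correctly spelled name are silently dropped instead of being normalised as a successful Logon. The flattening to `workspaces/savedSearches` carries the query over byte-for-byte, so this is pre-existing, but it is worth fixing while the file is regenerated — the one-row change is `"risky_sensitive_action_allowed", "Logon", "Success", "Allowed",`. Since this ARM template appears to be produced from the parser YAML by the conversion workflow, the correction belongs in the YAML as well. Separately, `ASimMatchingUsername` is computed from `TargetUsername` before the later `extend` swaps `TargetUsername` to `affected_email_address_s` for `ThreatEventTypes`, so for those events the reported "TargetUsername" match presumably refers to the actor rather than the affected account — worth confirming that this is intended.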
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/README.md new file mode 100644 index 00000000000..7d5aaee7882 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/README.md @@ -0,0 +1,18 @@ +# Illumio ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Illumio. + +This ASIM parser supports normalizing Illumio sign in logs, stored in the Illumio_Auditable_Events_CL table, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationIllumioSaaSCore%2FvimAuthenticationIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationIllumioSaaSCore%2FvimAuthenticationIllumioSaaSCore.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json new file mode 100644 index 00000000000..635ceefbaa0 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationIllumioSaaSCore')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationIllumioSaaSCore", + "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n EventType: string, // an enumerated list [ Logon, Logoff, Elevate ] event type\n EventResultDetails: string,\n EventResult: string\n)\n[\n 'user.authenticate', 'Logon', 'Other', 'Success',\n 'user.login', 'Logon', 'Other', 'Success',\n 'user.logout', 'Logoff', 'Other', 'Success',\n 'user.sign_in', 'Logon', 'Other', 'Success',\n 'user.sign_out', 'Logoff', 'Other', 'Success',\n 'user.use_expired_password', 'Logon', 'Password expired', 'Success'\n];\nlet user_events = dynamic(['user.sigin', 'user.login', 'user.sign_out', 'user.logout', 'user.authenticate', 'user.use_expired_password']); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n 
eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type in (user_events) // limited to user signin, login, logoff, signoff events only\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srchostname_has_any) == 0) // srchostname_has_any not available in source \n | extend \n EventProduct='Core'\n ,\n EventVendor='Illumio'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.3' \n ,\n EventOriginalUid = href\n | lookup EventTypeLookup on event_type //fetch EventType, EventResultDetails, EventResult\n | where\n (eventresult == \"*\" or (EventResult == eventresult)) \n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend \n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n , \n TargetUsername = case( \n isnotnull(created_by.user), created_by.user.username, \n \"Unknown\"\n ),\n TargetUsernameType = \"Simple\",\n EventUid = _ItemId,\n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip) \n // * prefiltering \n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and ((array_length(eventtype_in) == 0) or EventType has_any (eventtype_in))\n // * prefiltering\n // ** Aliases\n | extend \n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n ,\n User = TargetUsername\n | project-away \n TenantId,\n href,\n pce_fqdn,\n created_by,\n event_type,\n status,\n severity,\n action,\n resource_changes,\n notifications,\n version \n };\n parser(starttime=starttime,\n endtime=endtime,\n 
username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json index 6d61ce80dea..b14b9bdfcb5 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json 
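Review bot: The `user_events` allow-list in the new `query` contains `'user.sigin'`, which does not match the `'user.sign_in'` row of `EventTypeLookup`; because the first `where` keeps only `event_type in (user_events)`, Illumio sign-in events are discarded before they can be normalised, leaving a gap in Logon coverage for this source. The fix is the one-token change to `'user.sign_in'` in that list (and, since this ARM template appears to be generated from the parser YAML by the conversion workflow, the same correction in the YAML). Also, `TargetUsername = case(isnotnull(created_by.user), created_by.user.username, "Unknown")` and `SrcIpAddr = iff(action.src_ip == 'FILTERED', "", action.src_ip)` read from dynamic columns without `tostring()`, so the resulting columns are presumably dynamic rather than the string type the schema and `has_any_ipv4_prefix` expect — worth confirming against the schema tester. The `'user.use_expired_password'` row maps to `EventResult` `'Success'` alongside `EventResultDetails` `'Password expired'`; if Illumio rejects that logon, the result should be `'Failure'` so the event is not counted as a successful authentication.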
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationM365Defender')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationM365Defender", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for M365 Defender Device Logon Events", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationM365Defender", - "query": "let EventResultDetailsLookup=datatable\n(\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)\n[\n 'InvalidUserNameOrPassword', 'No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType: string, EventSubType: string)\n[ \n 'Interactive', 'Interactive',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'Network', 'Remote',\n 'Batch', 'Service',\n 'Service', 'Service',\n 'Unknown', '',\n 'RemoteInteractive', 'RemoteInteractive',\n 'CachedInteractive', 'Interactive'\n];\nlet EventResultLookup = datatable (ActionType: string, EventResult: string)\n[ \n 'LogonSuccess', 'Success',\n 'LogonFailed', 'Failure',\n 'LogonAttempted', 'NA'\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let UnixDeviceLogonEvents = (disabled: 
bool=false)\n{\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or (InitiatingProcessAccountName has_any (username_has_any)) or AccountName has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RemoteIP, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (RemoteDeviceName has_any (srchostname_has_any)))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // -- end prefilter\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n TargetDvcOs = \"Linux\"\n ,\n ActorUsernameType = \"Simple\"\n ,\n TargetUsernameType = \"Simple\"\n | project-rename \n ActorUsername = InitiatingProcessAccountName\n ,\n ActingProcessName = InitiatingProcessFolderPath\n ,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid,\n AccountDomain,\n InitiatingProcessAccountDomain,\n InitiatingProcessFileName,\n AccountSid\n};\n let WindowsDeviceLogonEvents = (disabled: bool=false)\n{\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or (AccountName has_any (username_has_any)) or (AccountDomain has_any (username_has_any)) or (strcat(AccountDomain, '\\\\', AccountName) has_any (username_has_any)) or (InitiatingProcessAccountName has_any (username_has_any)) or (InitiatingProcessAccountDomain has_any (username_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) has_any 
(username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RemoteIP, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (RemoteDeviceName has_any (srchostname_has_any)))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // -- end prefilter\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n TargetDvcOs = \"Windows\"\n ,\n TargetUserIdType = 'SID'\n ,\n ActorUserIdType = 'SID'\n ,\n ActorUsername = case\n (\n isempty(InitiatingProcessAccountName),\n \"\",\n isempty(InitiatingProcessAccountDomain),\n InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n )\n ,\n TargetUsername = iff\n (\n isempty(AccountDomain),\n AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ) \n ,\n TargetUsernameType = iff (AccountDomain == '', 'Simple', 'Windows')\n ,\n ActorUsernameType = iff (InitiatingProcessAccountDomain == '', 'Simple', 'Windows')\n ,\n ActingProcessName = strcat (InitiatingProcessFolderPath, '\\\\', InitiatingProcessFileName)\n | project-rename \n ActorUserId = InitiatingProcessAccountSid\n ,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId\n ,\n ActorUserSid = ActorUserId\n ,\n TargetWindowsUsername = TargetUsername\n ,\n ActorWindowsUsername = ActorUsername\n ,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff\n (\n IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away\n InitiatingProcessAccountName,\n InitiatingProcessAccountDomain,\n AccountDomain,\n AccountName,\n InitiatingProcessFolderPath,\n 
InitiatingProcessFileName\n};\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | project-rename \n EventOriginalResultDetails = FailureReason \n ,\n EventOriginalType = LogonType\n ,\n EventUid = _ItemId\n ,\n LogonProtocol = Protocol\n ,\n TargetDvcId = DeviceId\n ,\n SrcHostname = RemoteDeviceName\n ,\n ActingProcessCommandLine = InitiatingProcessCommandLine\n ,\n ActingProcessCreationTime = InitiatingProcessCreationTime\n ,\n ActingProcessMD5 = InitiatingProcessMD5\n ,\n ActingProcessSHA1 = InitiatingProcessSHA1 \n ,\n ActingProcessSHA256 = InitiatingProcessSHA256\n ,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel\n ,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation\n ,\n ParentProcessName = InitiatingProcessParentFileName\n ,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n //??, ActingProcessName = InitiatingProcessFolderPath \n ,\n ActorUserUpn = InitiatingProcessAccountUpn\n ,\n ActorUserAadId = InitiatingProcessAccountObjectId\n ,\n SrcPortNumber = RemotePort\n | extend \n EventCount = int(1)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventSchemaVersion = '0.1.3'\n ,\n EventType = 'Logon'\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'M365 Defender for EndPoint'\n ,\n EventSchema = 'Authentication'\n ,\n TargetDvcIdType = 'MDEid'\n ,\n ActingProcessId = tostring (InitiatingProcessId)\n 
,\n ParentProcessId = tostring (InitiatingProcessParentId)\n ,\n EventOriginalUid = tostring (ReportId)\n ,\n TargetSessionId = tostring (LogonId)\n ,\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP)\n | extend\n Hash = coalesce\n (\n ActingProcessSHA256\n ,\n ActingProcessSHA1\n ,\n ActingProcessMD5\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5), Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetFQDN = FQDN\n ,\n TargetHostname = ExtractedHostname\n ,\n TargetDomainType = DomainType\n ,\n TargetDomain = Domain \n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails\n // filtering on 'eventresultdetails_in', 'TargetUsername' and 'ActorUsername'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n TargetDvcMDEid = TargetDvcId\n ,\n DvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n User = TargetUsername \n ,\n Prcess = ActingProcessName\n ,\n IpAddr = SrcIpAddr\n ,\n ActingAppName = ActingProcessName\n ,\n ActingAppType = \"Process\"\n ,\n Dvc = coalesce (TargetFQDN, TargetHostname)\n ,\n Src = coalesce (SrcIpAddr, SrcHostname)\n // -- Alias Dvc to Target\n ,\n DvcFQDN = TargetFQDN\n ,\n DvcHostname = TargetHostname\n ,\n DvcDomain = TargetDomain\n ,\n DvcDomainType = TargetDomainType\n ,\n DvcId = TargetDvcId\n ,\n DvcIdType = TargetDvcIdType\n ,\n DvcOs = TargetDvcOs\n | 
extend \n LogonTarget = Dvc\n ,\n Dst = Dvc\n | project-away\n ReportId,\n LogonId,\n InitiatingProcessId,\n InitiatingProcessParentId,\n ActionType,\n InitiatingProcessFileSize,\n InitiatingProcessVersionInfoCompanyName,\n InitiatingProcessVersionInfoFileDescription,\n InitiatingProcessVersionInfoInternalFileName,\n InitiatingProcessVersionInfoOriginalFileName,\n InitiatingProcessVersionInfoProductName,\n InitiatingProcessVersionInfoProductVersion,\n AppGuardContainerId,\n RemoteIPType,\n IsLocalAdmin,\n RemoteIP,\n temp*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for M365 Defender Device Logon Events", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationM365Defender", + "query": "let EventResultDetailsLookup=datatable\n(\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)\n[\n 'InvalidUserNameOrPassword', 'No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType: string, EventSubType: string)\n[ \n 'Interactive', 'Interactive',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'Network', 'Remote',\n 'Batch', 'Service',\n 'Service', 'Service',\n 'Unknown', '',\n 'RemoteInteractive', 'RemoteInteractive',\n 
'CachedInteractive', 'Interactive'\n];\nlet EventResultLookup = datatable (ActionType: string, EventResult: string)\n[ \n 'LogonSuccess', 'Success',\n 'LogonFailed', 'Failure',\n 'LogonAttempted', 'NA'\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let UnixDeviceLogonEvents = (disabled: bool=false)\n{\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or (InitiatingProcessAccountName has_any (username_has_any)) or AccountName has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RemoteIP, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (RemoteDeviceName has_any (srchostname_has_any)))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // -- end prefilter\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n TargetDvcOs = \"Linux\"\n ,\n ActorUsernameType = \"Simple\"\n ,\n TargetUsernameType = \"Simple\"\n | project-rename \n ActorUsername = InitiatingProcessAccountName\n ,\n ActingProcessName = InitiatingProcessFolderPath\n ,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid,\n AccountDomain,\n InitiatingProcessAccountDomain,\n InitiatingProcessFileName,\n 
AccountSid\n};\n let WindowsDeviceLogonEvents = (disabled: bool=false)\n{\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or (AccountName has_any (username_has_any)) or (AccountDomain has_any (username_has_any)) or (strcat(AccountDomain, '\\\\', AccountName) has_any (username_has_any)) or (InitiatingProcessAccountName has_any (username_has_any)) or (InitiatingProcessAccountDomain has_any (username_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RemoteIP, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (RemoteDeviceName has_any (srchostname_has_any)))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // -- end prefilter\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n TargetDvcOs = \"Windows\"\n ,\n TargetUserIdType = 'SID'\n ,\n ActorUserIdType = 'SID'\n ,\n ActorUsername = case\n (\n isempty(InitiatingProcessAccountName),\n \"\",\n isempty(InitiatingProcessAccountDomain),\n InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n )\n ,\n TargetUsername = iff\n (\n isempty(AccountDomain),\n AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ) \n ,\n TargetUsernameType = iff (AccountDomain == '', 'Simple', 'Windows')\n ,\n ActorUsernameType = iff (InitiatingProcessAccountDomain == '', 'Simple', 'Windows')\n ,\n ActingProcessName = strcat (InitiatingProcessFolderPath, '\\\\', InitiatingProcessFileName)\n | 
project-rename \n ActorUserId = InitiatingProcessAccountSid\n ,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId\n ,\n ActorUserSid = ActorUserId\n ,\n TargetWindowsUsername = TargetUsername\n ,\n ActorWindowsUsername = ActorUsername\n ,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff\n (\n IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away\n InitiatingProcessAccountName,\n InitiatingProcessAccountDomain,\n AccountDomain,\n AccountName,\n InitiatingProcessFolderPath,\n InitiatingProcessFileName\n};\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | project-rename \n EventOriginalResultDetails = FailureReason \n ,\n EventOriginalType = LogonType\n ,\n EventUid = _ItemId\n ,\n LogonProtocol = Protocol\n ,\n TargetDvcId = DeviceId\n ,\n SrcHostname = RemoteDeviceName\n ,\n ActingProcessCommandLine = InitiatingProcessCommandLine\n ,\n ActingProcessCreationTime = InitiatingProcessCreationTime\n ,\n ActingProcessMD5 = InitiatingProcessMD5\n ,\n ActingProcessSHA1 = InitiatingProcessSHA1 \n ,\n ActingProcessSHA256 = InitiatingProcessSHA256\n ,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel\n ,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation\n ,\n ParentProcessName = 
InitiatingProcessParentFileName\n ,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n //??, ActingProcessName = InitiatingProcessFolderPath \n ,\n ActorUserUpn = InitiatingProcessAccountUpn\n ,\n ActorUserAadId = InitiatingProcessAccountObjectId\n ,\n SrcPortNumber = RemotePort\n | extend \n EventCount = int(1)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventSchemaVersion = '0.1.3'\n ,\n EventType = 'Logon'\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'M365 Defender for EndPoint'\n ,\n EventSchema = 'Authentication'\n ,\n TargetDvcIdType = 'MDEid'\n ,\n ActingProcessId = tostring (InitiatingProcessId)\n ,\n ParentProcessId = tostring (InitiatingProcessParentId)\n ,\n EventOriginalUid = tostring (ReportId)\n ,\n TargetSessionId = tostring (LogonId)\n ,\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP)\n | extend\n Hash = coalesce\n (\n ActingProcessSHA256\n ,\n ActingProcessSHA1\n ,\n ActingProcessMD5\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5), Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetFQDN = FQDN\n ,\n TargetHostname = ExtractedHostname\n ,\n TargetDomainType = DomainType\n ,\n TargetDomain = Domain \n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails\n // filtering on 'eventresultdetails_in', 'TargetUsername' and 'ActorUsername'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n EventSeverity = iff (EventResult == 
\"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n TargetDvcMDEid = TargetDvcId\n ,\n DvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n User = TargetUsername \n ,\n Prcess = ActingProcessName\n ,\n IpAddr = SrcIpAddr\n ,\n ActingAppName = ActingProcessName\n ,\n ActingAppType = \"Process\"\n ,\n Dvc = coalesce (TargetFQDN, TargetHostname)\n ,\n Src = coalesce (SrcIpAddr, SrcHostname)\n // -- Alias Dvc to Target\n ,\n DvcFQDN = TargetFQDN\n ,\n DvcHostname = TargetHostname\n ,\n DvcDomain = TargetDomain\n ,\n DvcDomainType = TargetDomainType\n ,\n DvcId = TargetDvcId\n ,\n DvcIdType = TargetDvcIdType\n ,\n DvcOs = TargetDvcOs\n | extend \n LogonTarget = Dvc\n ,\n Dst = Dvc\n | project-away\n ReportId,\n LogonId,\n InitiatingProcessId,\n InitiatingProcessParentId,\n ActionType,\n InitiatingProcessFileSize,\n InitiatingProcessVersionInfoCompanyName,\n InitiatingProcessVersionInfoFileDescription,\n InitiatingProcessVersionInfoInternalFileName,\n InitiatingProcessVersionInfoOriginalFileName,\n InitiatingProcessVersionInfoProductName,\n InitiatingProcessVersionInfoProductVersion,\n AppGuardContainerId,\n RemoteIPType,\n IsLocalAdmin,\n RemoteIP,\n temp*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of 
file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json index b07d0b1520c..83501502b45 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Defender for IoT endpoint logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationMD4IoT", - "query": "let Authentication_MD4IoT=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n SecurityIoTRawEvent\n | where not(disabled)\n | where RawEventName == \"Login\"\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or EventDetails has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(EventDetails, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available 
in source\n // Filtering for eventtype_in done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // Filtering for eventresult done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n // Filtering on 'eventtype_in' and 'eventresult'\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName)\n | extend SrcIpAddr = tostring(EventDetails.RemoteAddress)\n // Post-filtering on username_has_any and srcipaddr_has_any_prefix\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming 
from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n};\n Authentication_MD4IoT(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Microsoft Defender for IoT endpoint logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationMD4IoT", + "query": "let Authentication_MD4IoT=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n 
SecurityIoTRawEvent\n | where not(disabled)\n | where RawEventName == \"Login\"\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or EventDetails has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(EventDetails, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // Filtering for eventtype_in done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // Filtering for eventresult done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n // Filtering on 'eventtype_in' and 'eventresult'\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used 
to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName)\n | extend SrcIpAddr = tostring(EventDetails.RemoteAddress)\n // Post-filtering on username_has_any and srcipaddr_has_any_prefix\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n};\n Authentication_MD4IoT(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json index 8a6b7608c5e..58322140a30 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationMicrosoftWindowsEvent", - "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)\n[\n 2, 'Interactive',\n 3, 'Network',\n 4, 'Batch',\n 5, 'Service',\n 7, 'Unlock',\n 8, 'NetworkCleartext',\n 9, 'NewCredentials',\n 10, 'RemoteInteractive',\n 11, 'CachedInteractive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n(\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)\n[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 
'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n 
targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{ \n WindowsEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (tostring(EventData.TargetUserName) has_any (username_has_any)) or (tostring(EventData.TargetDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.TargetDomainName), '\\\\', tostring(EventData.TargetUserName)) has_any (username_has_any)) or (tostring(EventData.SubjectUserName) has_any (username_has_any)) or (tostring(EventData.SubjectDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.SubjectDomainName), '\\\\', tostring(EventData.SubjectUserName)) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(tostring(EventData.IpAddress), srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(EventData.WorkstationName) has_any (srchostname_has_any))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | extend\n LogonProtocol = 
tostring(EventData.AuthenticationPackageName),\n SrcDvcIpAddr = tostring(EventData.IpAddress), // Backword Compatibility. Will be removed by July 2024\n SrcIpAddr = tostring(EventData.IpAddress),\n TargetPortNumber = toint(EventData.IpPort),\n LogonGuid = tostring(EventData.LogonGuid),\n LogonType = toint(EventData.LogonType),\n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n Status = tostring(EventData.Status),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n ActorUserId = tostring(EventData.SubjectUserSid),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend \n SrcDvcHostname = tostring(EventData.WorkstationName), // Backword Compatibility. 
Will be removed by July 2024\n SrcHostname = tostring(EventData.WorkstationName),\n EventProduct = \"Security Events\"\n | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend\n EventMessage = case\n (\n EventID == 4634,\n \"4634 - An account was logged off.\", \n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n // Filtering on 'eventresult' and 'username_has_any'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-rename \n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n EventOriginalType=EventID\n | extend\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.3'\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \n ,\n ActorUsernameType= iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows') \n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // filtering on 'eventtype_in'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | 
lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcHostname\n};\nlet SecEventLogon =(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{\n SecurityEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (TargetUserName has_any (username_has_any)) or (TargetDomainName has_any (username_has_any)) or (strcat(TargetDomainName, '\\\\', TargetUserName) has_any (username_has_any)) or (SubjectUserName has_any (username_has_any)) or (SubjectDomainName has_any (username_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(IpAddress, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (WorkstationName has_any (srchostname_has_any)))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n 
| project-rename \n EventMessage = Activity\n ,\n ActorSessionId=SubjectLogonId\n ,\n TargetSessionId=TargetLogonId\n ,\n ActorUserId=SubjectUserSid\n ,\n TargetUserId =TargetUserSid\n ,\n SrcDvcHostname = WorkstationName // Backword Compatibility. Will be removed by July 2024\n ,\n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n LogonProtocol=AuthenticationPackageName\n ,\n SrcDvcIpAddr=IpAddress // Backword Compatibility. Will be removed by July 2024\n ,\n EventOriginalType=EventID\n | extend\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventProduct = \"Security Events\"\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\n ,\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount)\n ,\n ActorUsernameType= iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount))\n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n ,\n SrcHostname = SrcDvcHostname // Backword Compatibility. Will be removed by July 2024\n ,\n SrcIpAddr = SrcDvcIpAddr // Backword Compatibility. 
Will be removed by July 2024\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // filtering on 'eventtype_in', 'eventresult', 'TargetUsername' and 'ActorUsername'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcDvcHostname\n};\nunion isfuzzy=true SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, 
eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationMicrosoftWindowsEvent", + "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)\n[\n 2, 'Interactive',\n 3, 'Remote',\n 4, 'System',\n 5, 'Service',\n 7, 'Interactive',\n 8, 'NetworkCleartext',\n 9, 'AssumeRole',\n 10, 'RemoteInteractive',\n 11, 'Interactive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n(\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)\n[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 
'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = 
dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{ \n WindowsEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (tostring(EventData.TargetUserName) has_any (username_has_any)) or (tostring(EventData.TargetDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.TargetDomainName), '\\\\', tostring(EventData.TargetUserName)) has_any (username_has_any)) or (tostring(EventData.SubjectUserName) has_any (username_has_any)) or (tostring(EventData.SubjectDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.SubjectDomainName), '\\\\', tostring(EventData.SubjectUserName)) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(tostring(EventData.IpAddress), srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(EventData.WorkstationName) has_any (srchostname_has_any))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\n | extend\n LogonProtocol = 
tostring(EventData.AuthenticationPackageName),\n SrcIpAddr = tostring(EventData.IpAddress),\n TargetPortNumber = toint(EventData.IpPort),\n LogonGuid = tostring(EventData.LogonGuid),\n LogonType = toint(EventData.LogonType),\n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n Status = tostring(EventData.Status),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n ActorUserId = tostring(EventData.SubjectUserSid),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend \n SrcHostname = tostring(EventData.WorkstationName),\n EventProduct = \"Security Events\"\n | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend\n EventMessage = case\n (\n EventID == 4634,\n \"4634 - An account was logged off.\", \n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4624,\n 
\"4624 - An account was successfully logged on.\",\n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n // Filtering on 'eventresult' and 'username_has_any'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-rename \n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n EventOriginalType=EventID\n | extend\n EventCount=int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion='0.1.3'\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \n ,\n ActorUsernameType= iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows') \n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // filtering on 'eventtype_in'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n ,\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcHostname\n ,\n IpAddr=SrcIpAddr\n | project-away\n EventData,\n LogonGuid,\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n TargetDomainName,\n TargetDvcHostname\n};\nlet SecEventLogon =(starttime: 
datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false)\n{\n SecurityEvent\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (TargetUserName has_any (username_has_any)) or (TargetDomainName has_any (username_has_any)) or (strcat(TargetDomainName, '\\\\', TargetUserName) has_any (username_has_any)) or (SubjectUserName has_any (username_has_any)) or (SubjectDomainName has_any (username_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(IpAddress, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (WorkstationName has_any (srchostname_has_any)))\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project\n SubjectLogonId,\n SubjectUserSid,\n Activity,\n EventID,\n EventOriginId,\n AuthenticationPackageName,\n WorkstationName,\n IpAddress,\n Computer,\n 
TargetLogonId,\n TargetUserSid,\n SubjectDomainName,\n SubjectUserName,\n SubjectAccount,\n TimeGenerated,\n SubStatus,\n TargetDomainName,\n TargetUserName,\n AccountType,\n TargetAccount,\n Status,\n LogonType,\n Type\n | project-rename \n EventMessage = Activity\n ,\n ActorSessionId=SubjectLogonId\n ,\n TargetSessionId=TargetLogonId\n ,\n ActorUserId=SubjectUserSid\n ,\n TargetUserId =TargetUserSid\n ,\n SrcHostname = WorkstationName\n ,\n TargetDvcHostname = Computer\n ,\n EventOriginalUid = EventOriginId\n ,\n LogonProtocol=AuthenticationPackageName\n ,\n SrcIpAddr=IpAddress\n ,\n EventOriginalType=EventID\n | extend\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\n ,\n EventCount=int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion='0.1.3'\n ,\n EventProduct = \"Security Events\"\n ,\n ActorUserIdType='SID'\n ,\n TargetUserIdType='SID'\n ,\n EventVendor='Microsoft' \n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\n ,\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount)\n ,\n ActorUsernameType= iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount))\n ,\n TargetUsernameType=iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n ,\n SrcDvcOs = 'Windows'\n ,\n EventStatus= iff(SubStatus == '0x0', Status, SubStatus)\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No 
match\"\n )\n // filtering on 'eventtype_in', 'eventresult', 'TargetUsername' and 'ActorUsername'\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n ,\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n ,\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n ,\n LogonTarget=TargetDvcHostname\n ,\n Dvc=SrcHostname\n ,\n IpAddr=SrcIpAddr\n | project-away\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n SubjectAccount,\n SubjectDomainName,\n SubjectUserName,\n EventStatus,\n TargetAccount,\n TargetDomainName,\n TargetDvcHostname\n};\nunion isfuzzy=true SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json index afe262b6357..d43e4d61b3e 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationOktaSSO')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationOktaSSO", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Okta", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationOktaSSO", - "query": "let OktaSignin = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated: datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | extend \n outcome_result_s=column_ifexists('outcome_result_s', \"\"),\n eventType_s=column_ifexists('eventType_s', \"\"),\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\"),\n 
client_geographicalContext_geolocation_lat_d = column_ifexists('client_geographicalContext_geolocation_lat_d', \"\"),\n client_geographicalContext_geolocation_lon_d = column_ifexists('client_geographicalContext_geolocation_lon_d', \"\"),\n actor_alternateId_s = column_ifexists('actor_alternateId_s', \"\"),\n client_ipAddress_s = column_ifexists('client_ipAddress_s', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or actor_alternateId_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(client_ipAddress_s, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n 
,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n ,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // Filtering on 'eventresult' and 'eventtype_in'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nOktaSignin (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Okta", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationOktaSSO", + "query": "let OktaSignin = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctV1Table = datatable(TimeGenerated: datetime)[];\n // 
https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyOctV1Table, Okta_CL \n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | extend \n outcome_result_s=column_ifexists('outcome_result_s', \"\"),\n eventType_s=column_ifexists('eventType_s', \"\"),\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\"),\n client_geographicalContext_geolocation_lat_d = column_ifexists('client_geographicalContext_geolocation_lat_d', \"\"),\n client_geographicalContext_geolocation_lon_d = column_ifexists('client_geographicalContext_geolocation_lon_d', \"\"),\n actor_alternateId_s = column_ifexists('actor_alternateId_s', \"\"),\n client_ipAddress_s = column_ifexists('client_ipAddress_s', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or actor_alternateId_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(client_ipAddress_s, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n ,\n EventVendor='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventResult = case 
(outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n ,\n EventSubType=legacyEventType_s\n ,\n EventMessage=column_ifexists('displayMessage_s', \"\")\n ,\n EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n ,\n EventOriginalUid = column_ifexists('uuid_g', \"\")\n ,\n TargetUserIdType='OktaId'\n ,\n TargetUsernameType='UPN'\n ,\n TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n ,\n TargetUserId=column_ifexists('actor_id_s', \"\")\n ,\n TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n ,\n TargetUserType=column_ifexists('actor_type_s', \"\")\n ,\n SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n ,\n SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n ,\n SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n ,\n SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n ,\n SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n ,\n SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n ,\n SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n ,\n ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n ,\n ActingAppType=\"Browser\"\n ,\n LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n ,\n HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // Filtering on 'eventresult' and 'eventtype_in'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away *_s, *_d, *_b, *_g, *_t;\n OktaV1\n};\nOktaSignin (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json index c9526004712..49461af15b2 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json 
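Review bot: The trailing `| project-away *_s, *_d, *_b, *_g, *_t;` in the new `query` string removes the raw Okta_CL columns but not the helper column `temp_isMatchTargetUsername`, so that bool leaks into the parser's output next to `ASimMatchingUsername`; extending it to `| project-away temp_isMatchTargetUsername, *_s, *_d, *_b, *_g, *_t;` keeps the output to schema columns. The same helper columns (`temp_isMatchTargetUsername`, `temp_isMatchActorUsername`) also survive the final `project-away` in both functions of the vimAuthenticationMicrosoftWindowsEvent hunk above. Separately, the flat resource is named `'/vimAuthenticationOktaSSO'` and `FunctionAlias` is `vimAuthenticationOktaSSO` while the file sits under `vimAuthenticationOktaOSS/`; this predates the change, but it is worth confirming which name is intended before tooling keys on the alias. If these ARM files are produced from the parser YAML by the convert workflow, the KQL correction belongs in the YAML source rather than in this generated JSON.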
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationOktaV2')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationOktaV2", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Okta", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationOktaV2", - "query": "let OktaSignin = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n 
OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string\n)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n 
EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=ActorUsername\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n //\n ActorDetailEntry,\n ActorDisplayName\n ,\n AuthenticationContextAuthenticationProvider\n ,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider\n ,\n AuthenticationContextInterface\n ,\n AuthenticationContextIssuerId\n ,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction\n ,\n OriginalActorAlternateId\n ,\n OriginalClientDevice\n ,\n OriginalOutcomeResult\n ,\n OriginalSeverity\n ,\n OriginalTarget,\n OriginalUserId\n ,\n OriginalUserType\n ,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg\n ,\n SecurityContextDomain\n ,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId\n ,\n TransactionType\n // Filtering on 'eventresult' and 'eventtype_in'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n 
IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName\n ,\n AuthenticationContextAuthenticationProvider\n ,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider\n ,\n AuthenticationContextInterface\n ,\n AuthenticationContextIssuerId\n ,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction\n ,\n OriginalActorAlternateId\n ,\n OriginalClientDevice\n ,\n OriginalOutcomeResult\n ,\n OriginalSeverity\n ,\n OriginalTarget,\n OriginalUserId\n ,\n OriginalUserType\n ,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg\n ,\n SecurityContextDomain\n ,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId\n ,\n TransactionType;\n OktaV2\n};\nOktaSignin (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Okta", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationOktaV2", + "query": "let OktaSignin = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n 
eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyOctaV2Table = datatable(\n TimeGenerated: datetime,\n ActorDetailEntry: dynamic,\n ActorDisplayName: string,\n AuthenticationContext: string,\n AuthenticationProvider: string,\n AuthenticationStep: string,\n AuthenticationContextAuthenticationProvider: string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n AuthenticationContextInterface: string,\n AuthenticationContextIssuerId: string,\n AuthenticationContextIssuerType: string,\n DebugData: dynamic,\n DvcAction: string,\n EventResult:string,\n OriginalActorAlternateId: string,\n OriginalClientDevice: string,\n OriginalOutcomeResult: string,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n OriginalUserId: string,\n OriginalUserType: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SecurityContextIsProxy: bool,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string\n)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV2 = union isfuzzy=true emptyOctaV2Table, OktaV2_CL\n | where not(disabled) \n | extend\n EventOriginalType=column_ifexists('EventOriginalType', \"\") \n ,\n OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n ,\n ActorUsername=column_ifexists('ActorUsername', \"\")\n ,\n SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // 
TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventOriginalType in (OktaSigninEvents)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend \n EventProduct='Okta'\n ,\n EventSchema = 'Authentication'\n ,\n EventVendor='Okta'\n ,\n EventCount=int(1)\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n ,\n TargetSessionId=column_ifexists('ActorSessionId', \"\")\n ,\n TargetUserId= column_ifexists('ActorUserId', \"\")\n ,\n TargetUsername=ActorUsername\n ,\n TargetUserType=column_ifexists('ActorUserType', \"\")\n ,\n TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n ,\n TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n //** extend non-normalized fields to be projected-away \n ,\n //\n ActorDetailEntry,\n ActorDisplayName\n ,\n AuthenticationContextAuthenticationProvider\n ,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider\n ,\n AuthenticationContextInterface\n ,\n AuthenticationContextIssuerId\n ,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction\n ,\n OriginalActorAlternateId\n ,\n OriginalClientDevice\n ,\n OriginalOutcomeResult\n ,\n OriginalSeverity\n ,\n OriginalTarget,\n OriginalUserId\n ,\n OriginalUserType\n ,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg\n ,\n 
SecurityContextDomain\n ,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId\n ,\n TransactionType\n // Filtering on 'eventresult' and 'eventtype_in'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n User=TargetUsername\n ,\n Dvc=EventVendor\n ,\n IpAddr=SrcIpAddr\n | project-away\n ActorDetailEntry,\n ActorDisplayName\n ,\n AuthenticationContextAuthenticationProvider\n ,\n AuthenticationContextAuthenticationStep,\n AuthenticationContextCredentialProvider\n ,\n AuthenticationContextInterface\n ,\n AuthenticationContextIssuerId\n ,\n AuthenticationContextIssuerType\n ,\n DebugData,\n DvcAction\n ,\n OriginalActorAlternateId\n ,\n OriginalClientDevice\n ,\n OriginalOutcomeResult\n ,\n OriginalSeverity\n ,\n OriginalTarget,\n OriginalUserId\n ,\n OriginalUserType\n ,\n Request,\n SecurityContextAsNumber,\n SecurityContextAsOrg\n ,\n SecurityContextDomain\n ,\n SecurityContextIsProxy\n ,\n TransactionDetail,\n TransactionId\n ,\n TransactionType;\n OktaV2\n};\nOktaSignin (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json index 312210516d6..7832389409e 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n and ((array_length(username_has_any) == 0) or (AdditionalExtensions has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // 
TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0 or AdditionalExtensions has_any(srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n | extend\n EventResult = iff(Message has \"Invalid Certificate\", \"Failure\", \"Success\"),\n EventType = \"Logon\"\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (eventresult == '*' or EventResult has eventresult)\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where ((array_length(username_has_any) == 0) or (PanOSAuthenticatedUserName has_any (username_has_any)))\n and (array_length(srchostname_has_any) == 0 or PanOSSourceDeviceHost has_any(srchostname_has_any))\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(start),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = 
Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1,\n \"Username & Password\",\n FieldDeviceCustomNumber1 == 2,\n \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3,\n \"Multi factor authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUsername = PanOSAuthenticatedUserName,\n TargetUserId = PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvc = DeviceCustomString1\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not 
coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDomainType = case(\n array_length(split(DestinationUserName, \".\")) > 1,\n \"FQDN\",\n array_length(split(DestinationUserName, \"\\\\\")) > 1,\n \"Windows\",\n \"\"\n ),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n _ResourceId,\n temp_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n and ((array_length(username_has_any) == 0) or (AdditionalExtensions has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0 or AdditionalExtensions has_any(srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or 
\"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n | extend\n EventResult = iff(Message has \"Invalid Certificate\", \"Failure\", \"Success\"),\n EventType = \"Logon\"\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (eventresult == '*' or EventResult has eventresult)\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where ((array_length(username_has_any) == 0) or (PanOSAuthenticatedUserName has_any (username_has_any)))\n and (array_length(srchostname_has_any) == 0 or PanOSSourceDeviceHost has_any(srchostname_has_any))\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(start),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1,\n \"Username & Password\",\n FieldDeviceCustomNumber1 == 2,\n \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3,\n \"Multi factor authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n 
FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUsername = PanOSAuthenticatedUserName,\n TargetUserId = PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvc = DeviceCustomString1\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDomainType = case(\n array_length(split(DestinationUserName, \".\")) > 1,\n \"FQDN\",\n array_length(split(DestinationUserName, \"\\\\\")) > 1,\n \"Windows\",\n \"\"\n ),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n _ResourceId,\n temp_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json index 68abe3e892f..e6237d18a30 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json 
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuthenticationPostgreSQL')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuthenticationPostgreSQL",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Authentication ASIM filtering parser for PostgreSQL",
- "category": "ASIM",
- "FunctionAlias": "vimAuthenticationPostgreSQL",
- "query": "let PostgreSQLSignInAuthorized=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and 
(array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n and (eventresult == \"*\" or ('Success' == eventresult))\n // ************************************************************************* \n // \n // ************************************************************************* \n | where RawData has 'connection authorized'\n | extend\n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData)\n ,\n EventOriginalRestultDetails = 'Connection authorized'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure1=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData has 
'authentication failed'\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'User authentication failed'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure2=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData has_all 
('role', 'does', 'not', 'exist')\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'Role does not exist'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure3=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | 
where RawData has_all ('no', 'entry', 'user')\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData)\n ,\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'No entry for user'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLDisconnect=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logoff\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Session expired' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData 
has 'disconnection'\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logoff'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData)\n ,\n SrcIpAddr = extract(@'host=([\\d.]+)', 1, RawData)\n ,\n EventResultDetails = 'Session expired'\n ,\n EventOriginalRestultDetails = 'User session closed'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n union isfuzzy=false PostgreSQLSignInAuthorized(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure1(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure2(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure3(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLDisconnect(starttime=starttime, endtime=endtime, username_has_any=username_has_any, 
targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n",
- "version": 1,
- "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "Authentication ASIM filtering parser for PostgreSQL",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuthenticationPostgreSQL",
+ "query": "let PostgreSQLSignInAuthorized=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) 
or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n and (eventresult == \"*\" or ('Success' == eventresult))\n // ************************************************************************* \n // \n // ************************************************************************* \n | where RawData has 'connection authorized'\n | extend\n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData)\n ,\n EventOriginalRestultDetails = 'Connection authorized'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure1=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData has 
'authentication failed'\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'User authentication failed'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure2=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData has_all 
('role', 'does', 'not', 'exist')\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'Role does not exist'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLAuthFailure3=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | 
where RawData has_all ('no', 'entry', 'user')\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Failure'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logon'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData)\n ,\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData)\n ,\n EventResultDetails = 'No such user or password'\n ,\n EventOriginalRestultDetails = 'No entry for user'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n let PostgreSQLDisconnect=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n PostgreSQL_CL\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or RawData has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logoff\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Session expired' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n // ************************************************************************* \n // \n // *************************************************************************\n | where RawData 
has 'disconnection'\n | extend \n EventVendor = 'PostgreSQL'\n ,\n EventProduct = 'PostgreSQL'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.1'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventType = 'Logoff'\n ,\n DvcHostname = Computer\n ,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUsername = extract(@'user=([^\\s,]+)', 1, RawData)\n ,\n SrcIpAddr = extract(@'host=([\\d.]+)', 1, RawData)\n ,\n EventResultDetails = 'Session expired'\n ,\n EventOriginalRestultDetails = 'User session closed'\n // ********************** **********************************\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n // ********************** *********************************\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ************************ \n // \n // ************************\n | extend\n User=TargetUsername\n ,\n Dvc=Computer\n // ************************ \n // \n // ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\n union isfuzzy=false PostgreSQLSignInAuthorized(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure1(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure2(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLAuthFailure3(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n , PostgreSQLDisconnect(starttime=starttime, endtime=endtime, username_has_any=username_has_any, 
targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
index 570a1319836..8d13a801033 100644
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuthenticationSalesforceSC')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuthenticationSalesforceSC",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud",
- "category": "ASIM",
- "FunctionAlias": "vimAuthenticationSalesforceSC",
- "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let SalesforceSchema = datatable\n(\n api_version_s: string,\n browser_type_s: string,\n cipher_suite_s: string,\n client_ip_s: string,\n delegated_user_id_s: string,\n delegated_user_name_s: string,\n event_type_s: string,\n login_key_s: string,\n login_status_s: string,\n login_type_s: string,\n login_sub_type_s: string,\n organization_id_s: string,\n platform_type_s: string,\n request_id_s: string,\n request_status_s: string,\n session_key_s: string,\n source_ip_s: string,\n timestamp_s: string,\n tls_protocol_s: string,\n uri_s: string,\n user_id_s: string,\n user_name_s: string,\n user_type_s: string,\n wave_session_id_g: string\n)[];\n let EventResultLookup = datatable\n(\n login_status_s: string,\n DvcAction: string,\n 
EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)\n[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", 
\"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)\n[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable\n(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)\n[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable\n(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)\n[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other 
Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable\n(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)\n[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)\n[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)\n[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n 
\"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (user_name_s has_any (username_has_any)) or (delegated_user_name_s has_any (username_has_any)))\n and ((array_length(targetappname_has_any) == 0) or ('Salesforce Dot Com(SFDC)' in~ (targetappname_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(source_ip_s, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=user_name_s has_any(username_has_any)\n ,\n temp_isMatchActorUsername=delegated_user_name_s has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup EventTypeLookup on event_type_s\n // Filtering on eventtype_in\n | where 
((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n TargetAppType = \"SaaS application\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n // Filtering on 'eventresult'\n 
| where (eventresult == \"*\" or (EventResult == eventresult))\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n temp*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)",
- "version": 1,
- "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuthenticationSalesforceSC",
+ "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let SalesforceSchema = datatable\n(\n api_version_s: string,\n browser_type_s: string,\n cipher_suite_s: string,\n client_ip_s: string,\n delegated_user_id_s: string,\n delegated_user_name_s: string,\n event_type_s: string,\n login_key_s: string,\n login_status_s: string,\n login_type_s: string,\n login_sub_type_s: string,\n organization_id_s: string,\n 
platform_type_s: string,\n request_id_s: string,\n request_status_s: string,\n session_key_s: string,\n source_ip_s: string,\n timestamp_s: string,\n tls_protocol_s: string,\n uri_s: string,\n user_id_s: string,\n user_name_s: string,\n user_type_s: string,\n wave_session_id_g: string\n)[];\n let EventResultLookup = datatable\n(\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)\n[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)\n[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable\n(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)\n[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable\n(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)\n[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", 
\"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable\n(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)\n[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)\n[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: 
string)\n[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or (user_name_s has_any (username_has_any)) or (delegated_user_name_s has_any (username_has_any)))\n and ((array_length(targetappname_has_any) == 0) or ('Salesforce Dot Com(SFDC)' in~ (targetappname_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(source_ip_s, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n // eventtype_in filtering done later in the parser\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=user_name_s has_any(username_has_any)\n ,\n temp_isMatchActorUsername=delegated_user_name_s has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n 
temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | lookup EventTypeLookup on event_type_s\n // Filtering on eventtype_in\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n TargetAppType = \"SaaS application\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = 
iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n temp*\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json index 1307258243d..7fbb93b589b 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSentinelOne", - "query": "let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\n[\n\"invalid 2FA code\", \"Incorrect password\",\n\"IP/User mismatch\", \"No such user or password\",\n\"invalid password\", \"Incorrect password\",\n\"user temporarily locked 2FA attempt\", \"User locked\",\n\"no active site\", \"Other\"\n];\nlet EventFieldsLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string\n)\n [\n 27, \"Logon\", \"Success\", \"User Logged In\",\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\n 3629, \"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\n];\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"WINLOGONATTEMPT\", \"Logon\",\n \"WINLOGOFFATTEMPT\", \"Logoff\"\n];\nlet EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\n [\n \"BATCH\", \"System\",\n \"CACHED_INTERACTIVE\", \"Interactive\",\n 
\"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"CACHED_UNLOCK\", \"System\",\n \"INTERACTIVE\", \"Interactive\",\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\n \"NETWORK_CREDENTIALS\", \"Remote\",\n \"NETWORK\", \"Remote\",\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"SERVICE\", \"Service\",\n \"SYSTEM\", \"System\",\n \"UNLOCK\", \"System\"\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33\n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100\n];\nlet TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\nlet parser=(\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nusername_has_any: dynamic = dynamic([]),\ntargetappname_has_any: dynamic = dynamic([]),\nsrcipaddr_has_any_prefix: dynamic = dynamic([]),\nsrchostname_has_any: dynamic = dynamic([]),\neventtype_in: dynamic = dynamic([]),\neventresultdetails_in: dynamic = dynamic([]),\neventresult: string = '*',\ndisabled: bool=false\n) {\nlet alldata = SentinelOne_CL\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and 
(isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or DataFields_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix)))\n and ((array_length(srchostname_has_any) == 0) or (alertInfo_loginAccountDomain_s has_any (srchostname_has_any)))\n// Filtering for eventtype_in done later in the parser\n// Filtering for eventresultdetails_in done later in the parser\n// Filtering for eventresult done later in the parser\n;\nlet activitydata = alldata\n | where event_name_s == \"Activities.\"\n and activityType_d in (27, 33, 133, 134, 139, 3629)\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup on activityType_d\n | lookup EventResultDetailsLookup on comments_s\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n and (eventresult == '*' or EventResult has eventresult)\n | extend \n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\n EventOriginalType = tostring(toint(activityType_d)),\n TargetUsername = username,\n TargetUserScope = userScope,\n AdditionalFields = bag_pack(\n \"accountName\",\n accountName,\n \"fullScopeDetails\",\n fullScopeDetails,\n \"fullScopeDetailsPath\",\n fullScopeDetailsPath,\n \"scopeLevel\",\n scopeLevel,\n \"source\",\n source,\n \"sourceType\",\n sourceType\n ),\n TargetOriginalUserType = role,\n TargetUserType = case(\n role in (TargetUserTypesList),\n 
role,\n role == \"null\",\n \"\",\n \"Other\"\n )\n // Post-filtering on srcipaddr_has_any_prefix and username_has_any\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(username_has_any) == 0) or DataFields_s has_any (username_has_any))\n | project-rename\n EventStartTime = createdAt_t,\n TargetUserId = userId_s,\n EventOriginalUid = activityUuid_g,\n EventMessage = primaryDescription_s\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\nlet alertdata = alldata\n | where event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\n and array_length(eventresultdetails_in) == 0 // EventResultDetails not available in this event\n and ((array_length(username_has_any) == 0) or alertInfo_loginsUserName_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(alertInfo_srcMachineIp_s, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (alertInfo_loginAccountDomain_s has_any (srchostname_has_any)))\n | lookup EventTypeLookup on alertInfo_eventType_s\n // Filtering on eventtype_in\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup EventSubTypeLookup on alertInfo_loginType_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s\n | extend EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", \"Failure\")\n // Filtering on eventresult\n | where (eventresult == '*' or EventResult has eventresult);\nlet undefineddata = alertdata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\nlet suspiciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on 
alertInfo_analystVerdict_s;\nlet maliciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\nlet alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\n // Post-filtering on srchostname_has_any\n | where ((array_length(srchostname_has_any) == 0) or (SrcHostname has_any (srchostname_has_any)))\n | extend\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = alertInfo_createdAt_t,\n SrcIpAddr = alertInfo_srcMachineIp_s,\n ActingAppName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSubType = alertInfo_loginType_s,\n RuleName = ruleInfo_name_s,\n TargetUserId = alertInfo_loginAccountSid_s,\n TargetUsername = alertInfo_loginsUserName_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n Rule = RuleName,\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\nunion activitydata, alertdatawiththreatfield\n// mapping ASimMatchingUsername\n| extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n// ActorUsername not coming from source. 
Hence, not mapped.\n| extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n| extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"Authentication\"\n| extend\n Dvc = coalesce(DvcHostname, EventProduct),\n EventEndTime = EventStartTime,\n EventUid = _ItemId,\n User = TargetUsername\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n ipAddress,\n username,\n accountName,\n fullScopeDetails,\n fullScopeDetailsPath,\n role,\n scopeLevel,\n source,\n sourceType,\n userScope,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ItemId,\n _ResourceId,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSentinelOne", + "query": "let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\n[\n\"invalid 2FA code\", \"Incorrect password\",\n\"IP/User mismatch\", \"No such user or 
password\",\n\"invalid password\", \"Incorrect password\",\n\"user temporarily locked 2FA attempt\", \"User locked\",\n\"no active site\", \"Other\"\n];\nlet EventFieldsLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string\n)\n [\n 27, \"Logon\", \"Success\", \"User Logged In\",\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\n 3629, \"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\n];\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"WINLOGONATTEMPT\", \"Logon\",\n \"WINLOGOFFATTEMPT\", \"Logoff\"\n];\nlet EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\n [\n \"BATCH\", \"System\",\n \"CACHED_INTERACTIVE\", \"Interactive\",\n \"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"CACHED_UNLOCK\", \"System\",\n \"INTERACTIVE\", \"Interactive\",\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\n \"NETWORK_CREDENTIALS\", \"Remote\",\n \"NETWORK\", \"Remote\",\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"SERVICE\", \"Service\",\n \"SYSTEM\", \"System\",\n \"UNLOCK\", \"System\"\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33\n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n 
\"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100\n];\nlet TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\nlet parser=(\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nusername_has_any: dynamic = dynamic([]),\ntargetappname_has_any: dynamic = dynamic([]),\nsrcipaddr_has_any_prefix: dynamic = dynamic([]),\nsrchostname_has_any: dynamic = dynamic([]),\neventtype_in: dynamic = dynamic([]),\neventresultdetails_in: dynamic = dynamic([]),\neventresult: string = '*',\ndisabled: bool=false\n) {\nlet alldata = SentinelOne_CL\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or DataFields_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix)))\n and ((array_length(srchostname_has_any) == 0) or (alertInfo_loginAccountDomain_s has_any (srchostname_has_any)))\n// Filtering for eventtype_in done later in the parser\n// Filtering for eventresultdetails_in done later in the parser\n// Filtering for eventresult done later in the parser\n;\nlet activitydata = alldata\n | where event_name_s == \"Activities.\"\n and activityType_d in (27, 33, 133, 134, 139, 3629)\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: 
string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup on activityType_d\n | lookup EventResultDetailsLookup on comments_s\n // Filtering on eventtype_in, eventresultdetails_in and eventresult\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n and (eventresult == '*' or EventResult has eventresult)\n | extend \n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\n EventOriginalType = tostring(toint(activityType_d)),\n TargetUsername = username,\n TargetUserScope = userScope,\n AdditionalFields = bag_pack(\n \"accountName\",\n accountName,\n \"fullScopeDetails\",\n fullScopeDetails,\n \"fullScopeDetailsPath\",\n fullScopeDetailsPath,\n \"scopeLevel\",\n scopeLevel,\n \"source\",\n source,\n \"sourceType\",\n sourceType\n ),\n TargetOriginalUserType = role,\n TargetUserType = case(\n role in (TargetUserTypesList),\n role,\n role == \"null\",\n \"\",\n \"Other\"\n )\n // Post-filtering on srcipaddr_has_any_prefix and username_has_any\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(username_has_any) == 0) or DataFields_s has_any (username_has_any))\n | project-rename\n EventStartTime = createdAt_t,\n TargetUserId = userId_s,\n EventOriginalUid = activityUuid_g,\n EventMessage = primaryDescription_s\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\nlet alertdata = alldata\n | where event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\n and array_length(eventresultdetails_in) == 0 // EventResultDetails not available in this event\n and ((array_length(username_has_any) == 0) or alertInfo_loginsUserName_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n 
and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(alertInfo_srcMachineIp_s, srcipaddr_has_any_prefix))\n and ((array_length(srchostname_has_any) == 0) or (alertInfo_loginAccountDomain_s has_any (srchostname_has_any)))\n | lookup EventTypeLookup on alertInfo_eventType_s\n // Filtering on eventtype_in\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup EventSubTypeLookup on alertInfo_loginType_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s\n | extend EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", \"Failure\")\n // Filtering on eventresult\n | where (eventresult == '*' or EventResult has eventresult);\nlet undefineddata = alertdata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\nlet suspiciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\nlet maliciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\nlet alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\n // Post-filtering on srchostname_has_any\n | where ((array_length(srchostname_has_any) == 0) or (SrcHostname has_any (srchostname_has_any)))\n | extend\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = alertInfo_createdAt_t,\n SrcIpAddr = alertInfo_srcMachineIp_s,\n ActingAppName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = 
agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSubType = alertInfo_loginType_s,\n RuleName = ruleInfo_name_s,\n TargetUserId = alertInfo_loginAccountSid_s,\n TargetUsername = alertInfo_loginsUserName_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n Rule = RuleName,\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\nunion activitydata, alertdatawiththreatfield\n// mapping ASimMatchingUsername\n| extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n// ActorUsername not coming from source. Hence, not mapped.\n| extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n| extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"Authentication\"\n| extend\n Dvc = coalesce(DvcHostname, EventProduct),\n EventEndTime = EventStartTime,\n EventUid = _ItemId,\n User = TargetUsername\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n ipAddress,\n username,\n accountName,\n fullScopeDetails,\n fullScopeDetailsPath,\n role,\n scopeLevel,\n source,\n sourceType,\n userScope,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ItemId,\n _ResourceId,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n 
eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json index 29b39a6a406..e5e88a4a890 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationSshd')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSshd", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for OpenSSH sshd", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSshd", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or 'sshd' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in) or \"Logoff\" in~ (eventtype_in))\n// eventresultdetails_in filtering done later in the parser\n// eventresult filtering done 
later in the parser\n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled: bool=false)\n{ \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | invoke prefilter()\n | parse SyslogMessage with \"Accepted password for \" TargetUsername: string \" from \" SrcIpAddr: string \" port\" SrcPortNumber: int *\n | extend\n EventResult = 'Success'\n ,\n EventSeverity = 'Informational'\n ,\n EventType = 'Logon'\n ,\n EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled: bool=false)\n{\n // -- Parse events with the format Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | invoke prefilter()\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername: string \" from \" SrcIpAddr: string \" port\" SrcPortNumber: int *\n | parse SyslogMessage with \"message repeated\" EventCount: int \" times:\" * \n | extend\n EventResult = 'Failure'\n ,\n EventSeverity = 'Low' \n ,\n EventType = 'Logon'\n ,\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n ,\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password')\n ,\n EventCount = toint(coalesce(EventCount, 1))\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled: bool=false)\n{\n // -- Parse events with the format 
\"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | invoke prefilter()\n | parse-where SyslogMessage with * \"user \" TargetUsername: string \" \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | extend\n EventSeverity = 'Informational'\n ,\n EventType = 'Logoff'\n ,\n EventResult = 'Success'\n ,\n EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled: bool=false)\n{\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | invoke prefilter()\n | parse SyslogMessage with \"Invalid user \" TargetUsername: string \" from \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser: string \" port \" SrcPortNumberNoUser: int\n | extend\n EventResult = 'Failure'\n ,\n EventSeverity = 'Low'\n ,\n EventType = 'Logon'\n ,\n EventResultDetails = 'No such user'\n ,\n EventCount = int(1)\n ,\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser)\n ,\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n};\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled: bool=false)\n{\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | invoke prefilter()\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n 
DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Reverse mapping failed\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n};\n let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false)\n{\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | invoke prefilter()\n | parse SyslogMessage with \"Address \" SrcIpAddr: string \" maps to \" Src: string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Address to host to address mapping does not map back to address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n};\n let SSHDABreakInAttemptNastyPtr=(disabled: bool=false)\n{\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | invoke prefilter()\n | parse SyslogMessage with * \"set up for \" SrcIpAddr: string \", ignoring\"\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Nasty PTR record set for IP Address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SSHDAccepted 
(disabled=disabled)\n ,\n SSHDFailed (disabled=disabled)\n ,\n SSHDInvalidUser (disabled=disabled)\n ,\n SSHDTimeout (disabled=disabled)\n ,\n SSHDABreakInAttemptMappingFailed (disabled=disabled)\n ,\n SSHDABreakInAttemptMappingMismatch (disabled=disabled)\n ,\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n EventVendor = 'OpenBSD'\n ,\n EventProduct = 'OpenSSH'\n ,\n DvcOs = 'Linux'\n ,\n TargetDvcOs = 'Linux'\n ,\n LogonProtocol = 'ssh'\n ,\n TargetAppName = 'sshd'\n ,\n TargetAppType = 'Service'\n ,\n EventSubType = 'Remote'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.2'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetUsernameType = 'Simple'\n ,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n ,\n TargetAppId = tostring(ProcessID)\n | project-away Computer, ProcessID, temp*\n | project-rename \n EventUid = _ItemId\n ,\n DvcScopeId = _SubscriptionId\n ,\n DvcId = _ResourceId\n ,\n DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n ,\n Dvc = DvcHostname\n ,\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n 
,\n TargetDomain = DvcDomain\n ,\n TargetFQDN = DvcFQDN\n ,\n TargetDomainType = DvcDomainType\n ,\n TargetHostname = DvcHostname\n ,\n TargetDvcId = DvcId\n ,\n TargetDvcScopeId = DvcScopeId\n ,\n TargetDvcIdType = DvcDomainType\n ,\n IpAddr = DvcIpAddr\n ,\n TargetIpAddr = DvcIpAddr\n};\n parser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for OpenSSH sshd", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSshd", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) 
or 'sshd' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in) or \"Logoff\" in~ (eventtype_in))\n// eventresultdetails_in filtering done later in the parser\n// eventresult filtering done later in the parser\n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled: bool=false)\n{ \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | invoke prefilter()\n | parse SyslogMessage with \"Accepted password for \" TargetUsername: string \" from \" SrcIpAddr: string \" port\" SrcPortNumber: int *\n | extend\n EventResult = 'Success'\n ,\n EventSeverity = 'Informational'\n ,\n EventType = 'Logon'\n ,\n EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled: bool=false)\n{\n // -- Parse events with the format Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | invoke prefilter()\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername: string \" from \" SrcIpAddr: string \" port\" SrcPortNumber: int *\n | parse SyslogMessage with \"message repeated\" EventCount: int \" times:\" * \n | extend\n EventResult = 'Failure'\n ,\n 
EventSeverity = 'Low' \n ,\n EventType = 'Logon'\n ,\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n ,\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password')\n ,\n EventCount = toint(coalesce(EventCount, 1))\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled: bool=false)\n{\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | invoke prefilter()\n | parse-where SyslogMessage with * \"user \" TargetUsername: string \" \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | extend\n EventSeverity = 'Informational'\n ,\n EventType = 'Logoff'\n ,\n EventResult = 'Success'\n ,\n EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n};\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled: bool=false)\n{\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | invoke prefilter()\n | parse SyslogMessage with \"Invalid user \" TargetUsername: string \" from \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser: string \" port \" SrcPortNumberNoUser: int\n | extend\n EventResult = 'Failure'\n ,\n EventSeverity = 'Low'\n ,\n EventType = 'Logon'\n ,\n EventResultDetails = 'No such user'\n ,\n EventCount = int(1)\n ,\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser)\n ,\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n};\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled: bool=false)\n{\n // -- Parse events with 
the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | invoke prefilter()\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Reverse mapping failed\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n};\n let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false)\n{\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | invoke prefilter()\n | parse SyslogMessage with \"Address \" SrcIpAddr: string \" maps to \" Src: string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Address to host to address mapping does not map back to address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n};\n let SSHDABreakInAttemptNastyPtr=(disabled: bool=false)\n{\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | invoke prefilter()\n | parse SyslogMessage with * 
\"set up for \" SrcIpAddr: string \", ignoring\"\n | extend\n EventResult = 'Failure'\n ,\n EventType = 'Logon'\n ,\n DvcAction = 'Block'\n ,\n TargetUsername = ''\n ,\n EventSeverity = 'Medium'\n ,\n EventCount = int(1)\n ,\n EventResultDetails = 'Logon violates policy'\n ,\n RuleName = \"Nasty PTR record set for IP Address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SSHDAccepted (disabled=disabled)\n ,\n SSHDFailed (disabled=disabled)\n ,\n SSHDInvalidUser (disabled=disabled)\n ,\n SSHDTimeout (disabled=disabled)\n ,\n SSHDABreakInAttemptMappingFailed (disabled=disabled)\n ,\n SSHDABreakInAttemptMappingMismatch (disabled=disabled)\n ,\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n EventVendor = 'OpenBSD'\n ,\n EventProduct = 'OpenSSH'\n ,\n DvcOs = 'Linux'\n ,\n TargetDvcOs = 'Linux'\n ,\n LogonProtocol = 'ssh'\n ,\n TargetAppName = 'sshd'\n ,\n TargetAppType = 'Service'\n ,\n EventSubType = 'Remote'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.2'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetUsernameType = 'Simple'\n ,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n ,\n TargetAppId = tostring(ProcessID)\n | project-away Computer, ProcessID, temp*\n | project-rename \n EventUid = _ItemId\n ,\n DvcScopeId = _SubscriptionId\n ,\n DvcId = _ResourceId\n ,\n DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n ,\n Dvc = DvcHostname\n ,\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n ,\n TargetDomain = DvcDomain\n ,\n TargetFQDN = DvcFQDN\n ,\n TargetDomainType = DvcDomainType\n ,\n TargetHostname = DvcHostname\n ,\n TargetDvcId = DvcId\n ,\n TargetDvcScopeId = DvcScopeId\n ,\n TargetDvcIdType = DvcDomainType\n ,\n IpAddr = DvcIpAddr\n ,\n TargetIpAddr = DvcIpAddr\n};\n parser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json index c086b304b0f..88f49e5de0e 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationSu')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSu", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Linux su", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSu", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or ('Logoff' in~ (eventtype_in)) or ('Elevation' in~ (eventtype_in)))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n and (eventresult == \"*\" or 
(eventresult == \"Success\"))\n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Sucessful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | invoke prefilter()\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n};\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | invoke prefilter()\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SuSignInAuthorized (disabled = disabled)\n ,\n SuDisconnect(disabled = disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | 
extend\n EventVendor = 'Linux'\n ,\n EventProduct = 'su'\n ,\n DvcOs = 'Linux'\n ,\n TargetDvcOs = 'Linux'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.2'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n ActorUsernameType = 'Simple'\n ,\n TargetUsernameType = 'Simple'\n ,\n EventSeverity = 'Informational'\n ,\n ActingAppType = 'Process'\n ,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n ,\n ActingAppId = tostring(ProcessID)\n | project-away Computer, ProcessID, temp*\n | project-rename \n EventUid = _ItemId\n ,\n DvcScopeId = _SubscriptionId\n ,\n DvcId = _ResourceId\n ,\n DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n ,\n Dvc = DvcHostname\n ,\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n ,\n TargetDomain = DvcDomain\n ,\n TargetFQDN = DvcFQDN\n ,\n TargetDomainType = DvcDomainType\n ,\n TargetHostname = DvcHostname\n ,\n TargetDvcId = DvcId\n ,\n TargetDvcScopeId = DvcScopeId\n ,\n TargetDvcIdType = DvcDomainType\n ,\n IpAddr = DvcIpAddr\n ,\n TargetIpAddr = DvcIpAddr\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM 
filtering parser for Linux su", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSu", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or ('Logoff' in~ (eventtype_in)) or ('Elevation' in~ (eventtype_in)))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n and (eventresult == \"*\" or (eventresult == \"Success\"))\n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Sucessful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | invoke prefilter()\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n};\n // \n // -- 
SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled: bool=false)\n{\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | invoke prefilter()\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n};\n union isfuzzy=false \n SuSignInAuthorized (disabled = disabled)\n ,\n SuDisconnect(disabled = disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend\n EventVendor = 'Linux'\n ,\n EventProduct = 'su'\n ,\n DvcOs = 'Linux'\n ,\n TargetDvcOs = 'Linux'\n ,\n EventCount = int(1)\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.2'\n ,\n EventResult = 'Success'\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n ActorUsernameType = 'Simple'\n ,\n TargetUsernameType = 'Simple'\n ,\n EventSeverity = 'Informational'\n ,\n ActingAppType = 'Process'\n ,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n ,\n ActingAppId = tostring(ProcessID)\n | project-away Computer, ProcessID, temp*\n | project-rename \n EventUid = _ItemId\n ,\n DvcScopeId = 
_SubscriptionId\n ,\n DvcId = _ResourceId\n ,\n DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n ,\n Dvc = DvcHostname\n ,\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n ,\n TargetDomain = DvcDomain\n ,\n TargetFQDN = DvcFQDN\n ,\n TargetDomainType = DvcDomainType\n ,\n TargetHostname = DvcHostname\n ,\n TargetDvcId = DvcId\n ,\n TargetDvcScopeId = DvcScopeId\n ,\n TargetDvcIdType = DvcDomainType\n ,\n IpAddr = DvcIpAddr\n ,\n TargetIpAddr = DvcIpAddr\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json index 28000e1a39c..1b20464099f 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationSudo')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSudo", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Syslog sudo", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSudo", - "query": "let SudoSignInAuthorized=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Other' in~ 
(eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'Linux',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // ************************\n // \n // ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n // ************************\n // \n // ************************\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nlet SudoAuthFailure1=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n 
eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Linux',\n TargetUsernameType = 'Simple'\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n 
,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nlet SudoDisconnect=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\"\n and SyslogMessage has 'session closed for user '\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logoff\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Other' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not 
coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'Linux',\n TargetUsernameType = 'Simple'\n // ************************\n // \n // ************************\n | extend\n Dvc = Computer,\n User = TargetUsername\n // ************************\n // \n // ************************\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nunion isfuzzy=false \n SudoSignInAuthorized(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled), \n SudoAuthFailure1(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled), \n SudoDisconnect(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Syslog sudo", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSudo", + "query": "let SudoSignInAuthorized=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Other' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename 
TargetUsername = USER\n | extend\n EventVendor = 'Linux',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n // ************************\n // \n // ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n // ************************\n // \n // ************************\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nlet SudoAuthFailure1=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 
'incorrect password attempts')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'No such user or password' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Failure' == eventresult))\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Linux',\n TargetUsernameType = 'Simple'\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n ,\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername,\n \"Both\",\n 
temp_isMatchTargetUsername,\n \"TargetUsername\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nlet SudoDisconnect=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\"\n and SyslogMessage has 'session closed for user '\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0)) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or \"Logoff\" in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or 'Other' in~ (eventresultdetails_in))\n and (eventresult == \"*\" or ('Success' == eventresult))\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n // Post-filtering on username_has_any\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'Linux',\n TargetUsernameType = 'Simple'\n // ************************\n // \n // ************************\n | extend\n Dvc = Computer,\n User = TargetUsername\n // ************************\n // \n // ************************\n | project-away Computer, MG, SourceSystem, TenantId, temp_*\n};\nunion isfuzzy=false \n SudoSignInAuthorized(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled), \n SudoAuthFailure1(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled), \n SudoDisconnect(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json index adda7275bf8..b043e73d08b 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json 
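Review bot: The sudo parser query carried over on the new side still emits the column `EventOriginalRestultDetails` in all three branches (SudoSignInAuthorized, SudoAuthFailure1, SudoDisconnect), whereas the Carbon Black parser in this same diff emits `EventOriginalResultDetails`; the misspelled name means anything reading the normalized `EventOriginalResultDetails` field gets nothing from sudo events. Only SudoAuthFailure1 renames `EventUid = _ItemId`, so the unioned output has an EventUid for failures but not for successful logons or session closes. This ARM template appears to be generated from the parser YAML, so the fix presumably belongs in that source, e.g. `EventOriginalResultDetails = 'Connection authorized'` and adding `EventUid = _ItemId` to the other two `project-rename` clauses. The hunk itself only flattens the ARM resource into a `workspaces/savedSearches` entry and leaves the query unchanged.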
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationVMwareCarbonBlackCloud", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (description_s has_any (\"logged in\", \"login\", \"second factor authentication\") and description_s !has \"connector\")\n and ((array_length(username_has_any) == 0) or (loginName_s has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(clientIp_s, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and (array_length(eventtype_in) == 0 or 'Logon' 
has_any (eventtype_in))\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | extend\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n EventType = \"Logon\"\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (eventresult == '*' or EventResult has eventresult)\n | extend EventResultDetails = case(\n EventResult == \"Failure\" and description_s has (\"locked\"),\n \"User locked\",\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n \"Incorrect password\",\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n \"MFA not satisfied\",\n \"\"\n )\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\n EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\"),\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"VMware\",\n EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), \"\")\n | project-rename\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n TargetUsername = loginName_s,\n SrcIpAddr = clientIp_s,\n EventUid=_ItemId,\n EventOwner = orgName_s\n | extend\n IpAddr = SrcIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n Src = SrcIpAddr\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-away\n *_s,\n *_d,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationVMwareCarbonBlackCloud", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (description_s has_any (\"logged in\", \"login\", \"second factor authentication\") and description_s !has 
\"connector\")\n and ((array_length(username_has_any) == 0) or (loginName_s has_any (username_has_any)))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(clientIp_s, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and (array_length(eventtype_in) == 0 or 'Logon' has_any (eventtype_in))\n // Filtering for eventresultdetails_in done later in the parser\n // Filtering for eventresult done later in the parser\n | extend\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n EventType = \"Logon\"\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (eventresult == '*' or EventResult has eventresult)\n | extend EventResultDetails = case(\n EventResult == \"Failure\" and description_s has (\"locked\"),\n \"User locked\",\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n \"Incorrect password\",\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n \"MFA not satisfied\",\n \"\"\n )\n // Filtering on eventresultdetails_in\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\n EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\"),\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"VMware\",\n EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), \"\")\n | project-rename\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n TargetUsername = loginName_s,\n SrcIpAddr = clientIp_s,\n EventUid=_ItemId,\n EventOwner = 
orgName_s\n | extend\n IpAddr = SrcIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n Src = SrcIpAddr\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | project-away\n *_s,\n *_d,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json index 896f4c2868d..83339a1ab48 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json 
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationVectraXDRAudit')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationVectraXDRAudit", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Vectra XDR Audit Logs Event", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationVectraXDRAudit", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Audits_Data_CL\n | where not(disabled)\n and event_action_s in (\"login\", \"logout\")\n and (isnull(starttime) or event_timestamp_t >= starttime)\n and (isnull(endtime) or event_timestamp_t <= endtime)\n and ((array_length(username_has_any) == 0) or username_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or (\"Logon\" in~ (eventtype_in)) or (\"Logoff\" in~ (eventtype_in)))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails 
not available in source\n // eventresult filtering done later in the parser\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s == \"success\", \"Success\", result_status_s == \"failure\", \"Failure\", \"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s == \"login\", \"Logon\", event_action_s == \"logout\", \"Logoff\", \"\"),\n EventVendor = 'Vectra',\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n // Post-filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n // mapping ASimMatchingUsername\n | extend temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d,\n *_s,\n event_timestamp_t,\n api_client_id_g,\n TenantId,\n _ResourceId,\n RawData,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationVectraXDRAudit", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n ) {\n Audits_Data_CL\n | where not(disabled)\n and event_action_s in (\"login\", \"logout\")\n and (isnull(starttime) or event_timestamp_t >= starttime)\n and (isnull(endtime) or event_timestamp_t <= 
endtime)\n and ((array_length(username_has_any) == 0) or username_s has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and (array_length(srcipaddr_has_any_prefix) == 0) // SrcIpAddr not available in source\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or (\"Logon\" in~ (eventtype_in)) or (\"Logoff\" in~ (eventtype_in)))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n // eventresult filtering done later in the parser\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s == \"success\", \"Success\", result_status_s == \"failure\", \"Failure\", \"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s == \"login\", \"Logon\", event_action_s == \"logout\", \"Logoff\", \"\"),\n EventVendor = 'Vectra',\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n // Post-filtering on eventtype_in and eventresult\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n // mapping ASimMatchingUsername\n | extend temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n // TargetUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchActorUsername,\n \"ActorUsername\",\n \"No match\"\n )\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d,\n *_s,\n event_timestamp_t,\n api_client_id_g,\n TenantId,\n _ResourceId,\n RawData,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftWindowsEvent.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftWindowsEvent.yaml index 2bd4daeccac..c0f8027f9ff 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftWindowsEvent.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftWindowsEvent.yaml 
@@ -1,17 +1,17 @@ Parser: Title: Authentication ASIM parser for Windows Security Events Version: '0.2.1' - LastUpdated: 21 Jul 2023 + LastUpdated: Oct 15, 2024 Product: Name: Windows Security Events Normalization: Schema: Authentication - Version: '0.1.0' + Version: '0.1.3' References: - Title: ASIM Authentication Schema Link: https://aka.ms/ASimAuthenticationDoc - Title: ASIM - Link: https:/aka.ms/AboutASIM + Link: https://aka.ms/AboutASIM Description: | This ASIM parser supports normalizing Windows Authentication events (4624, 4625, 4634, and 4647), collected either by the Log Analytics Agent or the Azure Monitor Agent, into either the WindowsEvent (WEF) or SecurityEvent tables, to the ASIM Authentication schema. ParserName: ASimAuthenticationMicrosoftWindowsEvent 
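Review bot: `Version: '0.2.1'` is left unchanged although this commit rewrites the parser body (schema version bump to 0.1.3, the LogonTypes remap, new project-away lists), while the sibling vimAuthenticationMicrosoftWindowsEvent.yaml is bumped from 0.3.0 to 0.3.1 in the same commit. Anything that compares deployed parser versions presumably keys on this field, so the ASim parser should be bumped too, e.g. `Version: '0.2.2'`. The `https:/aka.ms/AboutASIM` link repair itself is fine. This hunk is complete; the parser query it describes starts in the next one.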
@@ -21,96 +21,107 @@ ParserParams: Type: bool Default: false ParserQuery: | - let LogonEvents=dynamic([4624,4625]); - let LogoffEvents=dynamic([4634,4647]); - let LogonTypes=datatable(LogonType:int, EventSubType:string)[ + let LogonEvents=dynamic([4624, 4625]); + let LogoffEvents=dynamic([4634, 4647]); + let LogonTypes=datatable(LogonType: int, EventSubType: string)[ 2, 'Interactive', - 3, 'Network', - 4, 'Batch', + 3, 'Remote', + 4, 'System', 5, 'Service', - 7, 'Unlock', + 7, 'Interactive', 8, 'NetworkCleartext', - 9, 'NewCredentials', + 9, 'AssumeRole', 10, 'RemoteInteractive', - 11, 'CachedInteractive']; + 11, 'Interactive' + ]; // https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000 let LogonStatus=datatable - (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[ - '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other', - '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password', - '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy', - '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy', - '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired', - '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled', - '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other', - '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other', - '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired', - '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other', - '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other', - '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other', - '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other', - '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other', - '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other', - '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other', - '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other', - '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other', - '0xc0000389', 
'STATUS_SMARTCARD_CERT_REVOKED','Other', - '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other', - '0x80090308', 'SEC_E_INVALID_TOKEN','Other', - '0x8009030e', 'SEC_E_NO_CREDENTIALS','Other', - '0xc0000008', 'STATUS_INVALID_HANDLE','Other', - '0xc0000017', 'STATUS_NO_MEMORY','Other', - '0xc0000022', 'STATUS_ACCESS_DENIED','Other', - '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other', - '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other', - '0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password', - '0xc000006d', 'STATUS_LOGON_FAILURE','Other', - '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy', - '0xc0000073', 'STATUS_NONE_MAPPED','Other', - '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other', - '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other', - '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other', - '0xc0000106', 'STATUS_NAME_TOO_LONG','Other', - '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy', - '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy', - '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy', - '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other', - '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked', - '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other']; - let WinLogon=(disabled:bool=false){ + ( + EventStatus: string, + EventOriginalResultDetails: string, + EventResultDetails: string + )[ + '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other', + '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password', + '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy', + '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy', + '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired', + '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled', + '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other', + '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other', + '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired', + '0xc0000380', 
'STATUS_SMARTCARD_WRONG_PIN', 'Other', + '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other', + '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other', + '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other', + '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other', + '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other', + '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other', + '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other', + '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other', + '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other', + '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other', + '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other', + '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other', + '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other', + '0xc0000017', 'STATUS_NO_MEMORY', 'Other', + '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other', + '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other', + '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other', + '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password', + '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other', + '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy', + '0xc0000073', 'STATUS_NONE_MAPPED', 'Other', + '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other', + '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other', + '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other', + '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other', + '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy', + '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy', + '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy', + '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other', + '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked', + '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other' + ]; + let WinLogon=(disabled: bool=false) { WindowsEvent | where not(disabled) | where Provider == 'Microsoft-Windows-Security-Auditing' | where EventID in (LogonEvents) or EventID in 
(LogoffEvents) + | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type | extend ActingProcessCreationTime = EventData.ProcessCreationTime, ActingProcessId = tostring(toint(EventData.ProcessId)), ActingProcessName = tostring(EventData.ProcessName), ActorSessionId = tostring(EventData.SubjectLogonId), ActorUserId = tostring(EventData.SubjectUserSid), - ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-',''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\" , EventData.SubjectUserName))), + ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\", EventData.SubjectUserName))), EventProduct = "Security Events", LogonGuid = tostring(EventData.LogonGuid), LogonProtocol = tostring(EventData.AuthenticationPackageName), LogonType = toint(EventData.LogonType), - SrcDvcHostname = tostring(EventData.WorkstationName), - SrcDvcIpAddr = tostring(EventData.IpAddress), + SrcHostname = tostring(EventData.WorkstationName), + SrcIpAddr = tostring(EventData.IpAddress), Status = tostring(EventData.Status), SubStatus = tostring(EventData.SubStatus), TargetDomainName = tostring(EventData.TargetDomainName), TargetPortNumber = toint(EventData.IpPort), TargetSessionId = tostring(EventData.TargetLogonId), TargetUserId = tostring(EventData.TargetUserSid), - TargetUsername = tostring(iff (EventData.TargetDomainName in ('-',''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\" , EventData.TargetUserName))) + TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\", EventData.TargetUserName))) | extend - EventStatus = iff(SubStatus=='0x0',Status,SubStatus) + EventStatus = iff(SubStatus == '0x0', Status, SubStatus) // -- creating EventMessage matching EventMessage in SecurityEvent table | extend EventMessage = case( - EventID == 4624 ,"4624 - An account was 
successfully logged on.", - EventID == 4625, "4625 - An account failed to log on.", - EventID == 4634, "4634 - An account was logged off.", - "4647 - User initiated logoff."), + EventID == 4624, + "4624 - An account was successfully logged on.", + EventID == 4625, + "4625 - An account failed to log on.", + EventID == 4634, + "4634 - An account was logged off.", + "4647 - User initiated logoff." + ), EventResult = iff(EventID == 4625, 'Failure', 'Success') | project-rename EventOriginalType = EventID, 
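Review bot: The LogonTypes remap folds Windows logon types 2, 7 and 11 into a single `'Interactive'` EventSubType (and renames 3, 4 and 9), presumably to match the value list of schema 0.1.3, but the follow-on hunk at `@@ -119,74 +130,125 @@` also drops `LogonType` in the new `project-away`, so consumers can no longer tell a console logon from a workstation unlock or a cached-credential logon, a distinction detection rules for unlock and offline-logon activity commonly rely on. Consider keeping the raw code next to the normalized value before it is projected away, e.g. `EventOriginalSubType = tostring(LogonType),` if that is the ASIM common field the project uses for the source's original subtype. The same remap appears in vimAuthenticationMicrosoftWindowsEvent.yaml at `@@ -53,14 +53,14 @@`. WinLogon starts in this hunk and continues into the next one.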
@@ -119,74 +130,125 @@ ParserQuery: | TargetDvcHostname = Computer | extend ActorUserIdType = 'SID', - ActorUsernameType = iff(EventData.SubjectDomainName in ('-',''),'Simple', 'Windows' ), + ActorUsernameType = iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows'), EventCount = int(1), EventEndTime = TimeGenerated, - EventSchemaVersion = '0.1.0', + EventSchema = 'Authentication', + EventSchemaVersion = '0.1.3', EventStartTime = TimeGenerated, - EventStatus = iff(SubStatus=='0x0',Status,SubStatus), + EventStatus = iff(SubStatus == '0x0', Status, SubStatus), EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'), EventVendor = 'Microsoft', SrcDvcOs = 'Windows', TargetUserIdType = 'SID', - TargetUsernameType = iff(TargetDomainName in ('-',''), 'Simple', 'Windows') + TargetUsernameType = iff(TargetDomainName in ('-', ''), 'Simple', 'Windows') | extend ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId), - TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId) + TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId), + EventOriginalType = tostring(EventOriginalType) + | lookup LogonStatus on EventStatus + | lookup LogonTypes on LogonType + /// ** Aliases + | extend + Dvc = SrcHostname, + LogonTarget = TargetDvcHostname, + User = TargetUsername, + IpAddr = SrcIpAddr + | project-away + EventData, + LogonGuid, + EventStatus, + LogonType, + Status, + SubStatus, + TargetDomainName, + TargetDvcHostname + }; + let SecEventLogon=(disabled: bool=false) { + SecurityEvent + | where not(disabled) + | where EventID in (LogonEvents) or + EventID in (LogoffEvents) + | project + SubjectLogonId, + SubjectUserSid, + Activity, + EventID, + EventOriginId, + AuthenticationPackageName, + WorkstationName, + IpAddress, + Computer, + TargetLogonId, + TargetUserSid, + SubjectDomainName, + SubjectUserName, + SubjectAccount, + TimeGenerated, + SubStatus, + TargetDomainName, + TargetUserName, + AccountType, + 
TargetAccount, + Status, + LogonType, + Type + | project-rename + ActorSessionId = SubjectLogonId, + ActorUserId = SubjectUserSid, + EventMessage = Activity, + EventOriginalType = EventID, + EventOriginalUid = EventOriginId, + LogonProtocol = AuthenticationPackageName, + SrcHostname = WorkstationName, + SrcIpAddr = IpAddress, + TargetDvcHostname = Computer, + TargetSessionId = TargetLogonId, + TargetUserId = TargetUserSid + | extend + ActorUserIdType = 'SID', + ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount), + ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'), + EventCount = int(1), + EventEndTime = TimeGenerated, + EventProduct = "Security Events", + EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'), + EventSchema = 'Authentication', + EventSchemaVersion = '0.1.0', + EventStartTime = TimeGenerated, + EventStatus = iff(SubStatus == '0x0', Status, SubStatus), + EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'), + EventVendor = 'Microsoft', + SrcDvcOs = 'Windows', + TargetUserIdType = 'SID', + TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\', TargetUserName), trim(@'\\', TargetAccount)), + TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows') + | project-away TargetUserName, AccountType + | extend + ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId), + TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId), + EventOriginalType = tostring(EventOriginalType) | lookup LogonStatus on EventStatus | lookup LogonTypes on LogonType /// ** Aliases | extend - Dvc = SrcDvcHostname, + Dvc = SrcHostname, LogonTarget = TargetDvcHostname, - User = TargetUsername + User = TargetUsername, + IpAddr = SrcIpAddr + | project-away + EventStatus, + LogonType, + Status, + SubStatus, + SubjectAccount, + SubjectDomainName, + SubjectUserName, + EventStatus, + TargetAccount, + TargetDomainName, + TargetDvcHostname }; 
- let SecEventLogon=(disabled:bool=false){ - SecurityEvent - | where not(disabled) - | where EventID in (LogonEvents) or - EventID in (LogoffEvents) - | project-rename - ActorSessionId = SubjectLogonId, - ActorUserId = SubjectUserSid, - EventMessage = Activity, - EventOriginalType = EventID, - EventOriginalUid = EventOriginId, - LogonProtocol = AuthenticationPackageName, - SrcDvcHostname = WorkstationName, - SrcDvcIpAddr = IpAddress, - TargetDvcHostname = Computer, - TargetSessionId = TargetLogonId, - TargetUserId = TargetUserSid - | extend - ActorUserIdType = 'SID', - ActorUsername = iff (SubjectDomainName in ('-',''), SubjectUserName, SubjectAccount), - ActorUsernameType = iff(SubjectDomainName in ('-',''), 'Simple', 'Windows' ), - EventCount = int(1), - EventEndTime = TimeGenerated, - EventProduct = "Security Events", - EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'), - EventSchemaVersion = '0.1.0', - EventStartTime = TimeGenerated, - EventStatus = iff(SubStatus=='0x0',Status,SubStatus), - EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'), - EventVendor = 'Microsoft', - SrcDvcOs = 'Windows', - TargetUserIdType = 'SID', - TargetUsername = iff (TargetDomainName in ('-',''), trim(@'\\',TargetUserName), trim(@'\\',TargetAccount)), - TargetUsernameType = iff (TargetDomainName in ('-',''), 'Simple', 'Windows') - | project-away TargetUserName, AccountType - | extend - ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId), - TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId) - | lookup LogonStatus on EventStatus - | lookup LogonTypes on LogonType - /// ** Aliases - | extend - Dvc = SrcDvcHostname, - LogonTarget = TargetDvcHostname, - User = TargetUsername - }; union isfuzzy=true - SecEventLogon(disabled=disabled), - WinLogon(disabled=disabled) + SecEventLogon(disabled=disabled), + WinLogon(disabled=disabled) \ No newline at end of file 
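Review bot: The rewritten SecEventLogon still stamps `EventSchemaVersion = '0.1.0',` while WinLogon in the same file and the header's `Normalization: Version` now say 0.1.3, and the vim sibling bumps its SecurityEvent branch to 0.1.3 at `@@ -307,7 +345,9 @@`; the union will therefore emit rows carrying two different schema versions for the same schema. Change it to `EventSchemaVersion = '0.1.3',`. The new `project-away` list also names `EventStatus` twice (likewise in vimAuthenticationMicrosoftWindowsEvent.yaml at `@@ -374,7 +412,21 @@`); the second entry is redundant and should be removed. The `\ No newline at end of file` marker on the new side shows the trailing newline was dropped, the opposite of what the JSON templates in this commit fix. WinLogon's opening lines are in the previous hunk; SecEventLogon is complete here.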
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationMicrosoftWindowsEvent.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationMicrosoftWindowsEvent.yaml index 861b785dae8..acbe17dfef0 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationMicrosoftWindowsEvent.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationMicrosoftWindowsEvent.yaml @@ -1,7 +1,7 @@ Parser: Title: Authentication ASIM filtering parser for Windows Security Events - Version: '0.3.0' - LastUpdated: Mar 12, 2024 + Version: '0.3.1' + LastUpdated: Oct 15, 2024 Product: Name: Windows Security Events Normalization: @@ -11,7 +11,7 @@ References: - Title: ASIM Authentication Schema Link: https://aka.ms/ASimAuthenticationDoc - Title: ASIM - Link: https:/aka.ms/AboutASIM + Link: https://aka.ms/AboutASIM Description: | This ASIM parser supports filtering and normalizing Windows Authentication events (4624, 4625, 4634, and 4647), collected either by the Log Analytics Agent or the Azure Monitor Agent, into either the WindowsEvent (WEF) or SecurityEvent tables, to the ASIM Authentication schema. ParserName: vimAuthenticationMicrosoftWindowsEvent @@ -53,14 +53,14 @@ ParserQuery: | let LogonTypes=datatable(LogonType: int, EventSubType: string) [ 2, 'Interactive', - 3, 'Network', - 4, 'Batch', + 3, 'Remote', + 4, 'System', 5, 'Service', - 7, 'Unlock', + 7, 'Interactive', 8, 'NetworkCleartext', - 9, 'NewCredentials', + 9, 'AssumeRole', 10, 'RemoteInteractive', - 11, 'CachedInteractive' + 11, 'Interactive' ]; // https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000 let LogonStatus=datatable 
@@ -144,9 +144,9 @@ ParserQuery: | // ************************************************************************* | where Provider == 'Microsoft-Windows-Security-Auditing' | where EventID in (LogonEvents) or EventID in (LogoffEvents) + | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type | extend LogonProtocol = tostring(EventData.AuthenticationPackageName), - SrcDvcIpAddr = tostring(EventData.IpAddress), // Backword Compatibility. Will be removed by July 2024 SrcIpAddr = tostring(EventData.IpAddress), TargetPortNumber = toint(EventData.IpPort), LogonGuid = tostring(EventData.LogonGuid), @@ -181,7 +181,6 @@ ParserQuery: | "No match" ) | extend - SrcDvcHostname = tostring(EventData.WorkstationName), // Backword Compatibility. Will be removed by July 2024 SrcHostname = tostring(EventData.WorkstationName), EventProduct = "Security Events" | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus) @@ -210,6 +209,8 @@ ParserQuery: | | extend EventCount=int(1) , + EventSchema = 'Authentication' + , EventSchemaVersion='0.1.3' , ActorUserIdType='SID' @@ -237,6 +238,8 @@ ParserQuery: | ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId) , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId) + , + EventOriginalType = tostring(EventOriginalType) | lookup LogonStatus on EventStatus // filtering on 'eventresultdetails_in' | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in)) @@ -248,6 +251,17 @@ ParserQuery: | LogonTarget=TargetDvcHostname , Dvc=SrcHostname + , + IpAddr=SrcIpAddr + | project-away + EventData, + LogonGuid, + EventStatus, + LogonType, + Status, + SubStatus, + TargetDomainName, + TargetDvcHostname }; let SecEventLogon =(starttime: datetime=datetime(null), endtime: datetime=datetime(null), 
@@ -280,6 +294,30 @@ ParserQuery: | // ************************************************************************* | where EventID in (LogonEvents) or EventID in (LogoffEvents) + | project + SubjectLogonId, + SubjectUserSid, + Activity, + EventID, + EventOriginId, + AuthenticationPackageName, + WorkstationName, + IpAddress, + Computer, + TargetLogonId, + TargetUserSid, + SubjectDomainName, + SubjectUserName, + SubjectAccount, + TimeGenerated, + SubStatus, + TargetDomainName, + TargetUserName, + AccountType, + TargetAccount, + Status, + LogonType, + Type | project-rename EventMessage = Activity , @@ -291,7 +329,7 @@ ParserQuery: | , TargetUserId =TargetUserSid , - SrcDvcHostname = WorkstationName // Backword Compatibility. Will be removed by July 2024 + SrcHostname = WorkstationName , TargetDvcHostname = Computer , @@ -299,7 +337,7 @@ ParserQuery: | , LogonProtocol=AuthenticationPackageName , - SrcDvcIpAddr=IpAddress // Backword Compatibility. Will be removed by July 2024 + SrcIpAddr=IpAddress , EventOriginalType=EventID | extend @@ -307,7 +345,9 @@ ParserQuery: | , EventCount=int(1) , - EventSchemaVersion='0.1.0' + EventSchema = 'Authentication' + , + EventSchemaVersion='0.1.3' , EventProduct = "Security Events" , @@ -334,10 +374,6 @@ ParserQuery: | SrcDvcOs = 'Windows' , EventStatus= iff(SubStatus == '0x0', Status, SubStatus) - , - SrcHostname = SrcDvcHostname // Backword Compatibility. Will be removed by July 2024 - , - SrcIpAddr = SrcDvcIpAddr // Backword Compatibility. Will be removed by July 2024 // mapping ASimMatchingUsername | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any) 
@@ -364,6 +400,8 @@ ParserQuery: | ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId) , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId) + , + EventOriginalType = tostring(EventOriginalType) | lookup LogonStatus on EventStatus // filtering on 'eventresultdetails_in' | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in)) @@ -374,7 +412,21 @@ ParserQuery: | , LogonTarget=TargetDvcHostname , - Dvc=SrcDvcHostname + Dvc=SrcHostname + , + IpAddr=SrcIpAddr + | project-away + EventStatus, + LogonType, + Status, + SubStatus, + SubjectAccount, + SubjectDomainName, + SubjectUserName, + EventStatus, + TargetAccount, + TargetDomainName, + TargetDvcHostname }; union isfuzzy=true SecEventLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled) - , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled) + , WinLogon(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEvent/ASimDhcpEvent.json b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEvent/ASimDhcpEvent.json index b2026dda558..70671a450cb 100644 
--- a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEvent/ASimDhcpEvent.json +++ b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEvent/ASimDhcpEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDhcpEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDhcpEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Dhcp event ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimDhcpEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDhcpEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimDhcpEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimDhcpEventEmpty,\n ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers))))\n}; \nparser (pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Dhcp event ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimDhcpEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDhcpEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimDhcpEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimDhcpEventEmpty,\n 
ASimDhcpEventNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventNative' in (DisabledParsers)))),\n ASimDhcpEventInfobloxBloxOne (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpInfobloxBloxOne' in (DisabledParsers))))\n}; \nparser (pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/ASimDhcpEventInfobloxBloxOne.json b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/ASimDhcpEventInfobloxBloxOne.json new file mode 100644 index 00000000000..e185af5d191 --- /dev/null +++ b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/ASimDhcpEventInfobloxBloxOne.json 
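Review bot: The watchlist exclusion key for the newly added source is `'ExcludeASimDhcpInfobloxBloxOne'`, which does not follow the `Exclude` + function-alias pattern used by every other entry on this page (`ExcludeASimDhcpEventNative` for `ASimDhcpEventNative`, and `ExcludevimDhcpEventInfobloxBloxOne` for the vim counterpart in imDhcpEvent.json below). An operator who adds `ExcludeASimDhcpEventInfobloxBloxOne` to the `ASimDisabledParsers` watchlist, as the convention suggests, would not actually disable this parser. The line should read `ASimDhcpEventInfobloxBloxOne (disabled=(ASimBuiltInDisabled or ('ExcludeASimDhcpEventInfobloxBloxOne' in (DisabledParsers))))`, and if this ARM file is generated from a YAML source the fix belongs there as well.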
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDhcpEventInfobloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "DhcpEvent ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "ASimDhcpEventInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string) [ \"0\", \"Low\", \"1\", \"Low\", \"2\", \"Low\", \"3\", \"Low\", \"4\", \"Medium\", \"5\", \"Medium\", \"6\", \"Medium\", \"7\", \"High\", \"8\", \"High\", \"9\", \"High\", \"10\", \"High\" ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) and DeviceVendor == \"Infoblox\" and DeviceEventClassID has \"DHCP\" and ApplicationProtocol == \"DHCP\" | parse-kv AdditionalExtensions as (InfoBloxLifeTime:int, InfoBloxClientId:string, InfobloxHost:string, InfobloxIPSpace:string, InfobloxSubnet:string, InfobloxRangeStart:string, InfobloxRangeEnd:string, InfobloxLeaseOp:string, InfobloxClientID:string, InfobloxDUID:string, InfobloxLeaseUUID:string, InfobloxFingerprintPr:string, InfobloxFingerprint:string, InfobloxDHCPOptions:string) with (pair_delimiter=\";\", kv_delimiter=\"=\") | lookup EventSeverityLookup on LogSeverity | invoke 
_ASIM_ResolveSrcFQDN('SourceHostName') | invoke _ASIM_ResolveDvcFQDN('InfobloxHost') | project-rename SrcIpAddr = SourceIP, SrcMacAddr = SourceMACAddress, DhcpLeaseDuration = InfoBloxLifeTime, DhcpSrcDHCId = InfoBloxClientId, EventOriginalSeverity = LogSeverity, EventOriginalType = DeviceEventClassID, EventUid = _ItemId | extend EventEndTime = TimeGenerated, EventStartTime = TimeGenerated, EventType = iff(Activity has_any (\"Abandon\", \"Delete\"), \"Release\", \"Assign\"), AdditionalFields = bag_pack( \"InfobloxIPSpace\", InfobloxIPSpace, \"InfobloxSubnet\", InfobloxSubnet, \"InfobloxRangeStart\", InfobloxRangeStart, \"InfobloxRangeEnd\", InfobloxRangeEnd, \"InfobloxLeaseOp\", InfobloxLeaseOp, \"InfobloxClientID\", InfobloxClientID, \"InfobloxDUID\", InfobloxDUID, \"InfobloxLeaseUUID\", InfobloxLeaseUUID, \"InfobloxFingerprintPr\", InfobloxFingerprintPr, \"InfobloxFingerprint\", InfobloxFingerprint, \"InfobloxDHCPOptions\", InfobloxDHCPOptions ), Duration = DhcpLeaseDuration, IpAddr = SrcIpAddr | extend EventCount = toint(1), EventProduct = \"BloxOne\", EventVendor = \"Infoblox\", EventResult = \"Success\", EventSchema = \"DhcpEvent\", EventSchemaVersion = \"0.1\" | project-away Source*, Destination*, Device*, AdditionalExtensions, CommunicationDirection, EventOutcome, Protocol, SimplifiedDeviceAction, ExternalID, EndTime, FieldDevice*, Flex*, File*, Old*, MaliciousIP*, OriginalLogSeverity, Process*, ReceivedBytes, SentBytes, Remote*, Request*, StartTime, TenantId, ReportReferenceLink, ReceiptTime, Indicator*, _ResourceId, ThreatConfidence, ThreatDescription, ThreatSeverity, Computer, ApplicationProtocol, CollectorHostName, ExtID, Reason, Message, Activity, Infoblox* }; parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] +} \ No newline at end of file 
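Review bot: `EventType` is derived only from `Activity has_any ("Abandon", "Delete")`, so every other BloxOne lease operation is normalized as `"Assign"`, and `EventResult` is hard-coded to `"Success"`; anything that looks like a renewal, an expiry or a refused lease in this event class would therefore surface to downstream detections as a successful assignment. The parser already extracts `InfobloxLeaseOp`, but only stashes it in `AdditionalFields` — if that field carries the lease operation (I cannot confirm its value set from the diff), it is the better input for `EventType`, and a `case()` over it would let non-success outcomes be reflected in `EventResult`. At minimum a comment next to the `EventType` line stating which Activity values were observed and why everything else maps to Assign/Success would make the assumption visible.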
diff --git a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/README.md b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/README.md new file mode 100644 index 00000000000..0eb72074d0e --- /dev/null +++ b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/README.md @@ -0,0 +1,18 @@ +# Infoblox BloxOne ASIM DhcpEvent Normalization Parser + +ARM template for ASIM DhcpEvent schema parser for Infoblox BloxOne. + +This ASIM parser supports normalizing Dhcp logs from Infoblox BloxOne to the ASIM DhcpEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM DhcpEvent normalization schema reference](https://aka.ms/ASimDhcpEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDhcpEvent%2FARM%2FASimDhcpEventInfobloxBloxOne%2FASimDhcpEventInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDhcpEvent%2FARM%2FASimDhcpEventInfobloxBloxOne%2FASimDhcpEventInfobloxBloxOne.json) diff --git a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventNative/ASimDhcpEventNative.json b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventNative/ASimDhcpEventNative.json index 14f9d6f02da..cccf65dc751 100644 --- a/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventNative/ASimDhcpEventNative.json +++ b/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventNative/ASimDhcpEventNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDhcpEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDhcpEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Dhcp Event ASIM parser for Microsoft Sentinel native Dhcp Event table", - "category": "ASIM", - "FunctionAlias": "ASimDhcpEventNative", - "query": "let parser = (\n disabled:bool = false\n)\n{\n ASimDhcpEventLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"DhcpEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n SessionId = DhcpSessionId,\n Duration = DhcpSessionDuration,\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Hostname = SrcHostname\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Dhcp Event ASIM parser for Microsoft Sentinel native Dhcp Event table", + "category": "ASIM", + "FunctionAlias": "ASimDhcpEventNative", + "query": "let parser = (\n disabled:bool = false\n)\n{\n ASimDhcpEventLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n 
EventSchema = \"DhcpEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n SessionId = DhcpSessionId,\n Duration = DhcpSessionDuration,\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Hostname = SrcHostname\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDhcpEvent/ARM/FullDeploymentDhcpEvent.json b/Parsers/ASimDhcpEvent/ARM/FullDeploymentDhcpEvent.json index df82214d729..34b36498c33 100644 --- a/Parsers/ASimDhcpEvent/ARM/FullDeploymentDhcpEvent.json +++ b/Parsers/ASimDhcpEvent/ARM/FullDeploymentDhcpEvent.json @@ -38,6 +38,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimDhcpEventInfobloxBloxOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDhcpEvent/ARM/ASimDhcpEventInfobloxBloxOne/ASimDhcpEventInfobloxBloxOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
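Review bot: In the re-emitted `ASimDhcpEventNative` query the alias `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests `EventEndTime` instead of `EventStartTime`, so a row with a null start time but a populated end time keeps the null, while a row with a start time and no end time has it overwritten with `TimeGenerated`. It should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime)`. The expression was carried over from the removed side rather than introduced here, and the same line appears in the `vimDhcpEventNative` template further down this diff; if these ARM files are generated from the YAML parsers, the YAML is the place to correct it.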
@@ -98,6 +118,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimDhcpEventInfobloxBloxOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/vimDhcpEventInfobloxBloxOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimDhcpEvent/ARM/imDhcpEvent/imDhcpEvent.json b/Parsers/ASimDhcpEvent/ARM/imDhcpEvent/imDhcpEvent.json
index ec494cc7d56..5a56351b6bd 100644
--- a/Parsers/ASimDhcpEvent/ARM/imDhcpEvent/imDhcpEvent.json
+++ b/Parsers/ASimDhcpEvent/ARM/imDhcpEvent/imDhcpEvent.json
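Review bot: Both new linked deployments (this `linkedvimDhcpEventInfobloxBloxOne` and the `linkedASimDhcpEventInfobloxBloxOne` entry in the previous hunk) fetch their child template from `raw.githubusercontent.com/.../master/...` at deployment time, and `contentVersion` stays at `1.0.0.0` like every other entry, so it pins nothing. That matches the existing entries in this file, but it means what a customer deploys is whatever is on `master` when they click, not the content reviewed in this commit — the two child templates must land in the same merge (they do here), and any later change to them is silently picked up by new deployments. If the project ever wants reproducible deployments, a tag or commit SHA in the URI is the lever; otherwise a short comment in the README noting this behavior would be the practical caveat.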
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imDhcpEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imDhcpEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Dhcp event ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imDhcpEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimDhcpEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimDhcpEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n srchostname_has_any:dynamic=dynamic([]),\n srcusername_has_any:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimDhcpEventEmpty,\n vimDhcpEventNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventNative' in (DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, pack=pack)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),srcusername_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Dhcp event ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imDhcpEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimDhcpEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimDhcpEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n srchostname_has_any:dynamic=dynamic([]),\n srcusername_has_any:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimDhcpEventEmpty,\n vimDhcpEventNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventNative' in (DisabledParsers)))),\n vimDhcpEventInfobloxBloxOne (starttime = starttime, endtime = endtime, srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, srchostname_has_any = srchostname_has_any, srcusername_has_any = , eventresult = eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimDhcpEventInfobloxBloxOne' in (DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, srcusername_has_any=srcusername_has_any, eventresult=eventresult, pack=pack)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),srcusername_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventEmpty/vimDhcpEventEmpty.json b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventEmpty/vimDhcpEventEmpty.json index d8a09bd3efc..14952ca93a0 100644 --- a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventEmpty/vimDhcpEventEmpty.json +++ b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventEmpty/vimDhcpEventEmpty.json 
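Review bot: The new call to `vimDhcpEventInfobloxBloxOne` inside the `imDhcpEvent` query has an empty argument, `srcusername_has_any = , eventresult = eventresult`, which is a KQL syntax error; it should be `srcusername_has_any = srcusername_has_any, eventresult = eventresult`. Because `imDhcpEvent` is the unifying parser, this breaks every consumer of DHCP normalization — `union isfuzzy=true` only tolerates missing tables, not a malformed function body — and the Native source would stop being queryable through the unifying parser as well. The ASIM tests in the workflow touched by this PR presumably exercise the YAML rather than the ARM output, so if the ARM is generated from the YAML the same typo is likely in the YAML and should be fixed there first.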
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDhcpEventEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDhcpEventEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Dhcp event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimDhcpEventEmpty", - "query": "let EmptyDhcpEvents =datatable (\n TimeGenerated:datetime\n, _ResourceId:string\n, Type:string\n// ****** Event fields ******\n, EventType:string\n, EventProduct:string\n, EventProductVersion:string\n, EventCount:int\n, EventMessage:string\n, EventVendor:string\n, EventSchema:string\n, EventSchemaVersion:string\n, EventSeverity:string\n, EventSubType:string\n, EventOriginalUid:string\n, EventOriginalType:string\n, EventOriginalResultDetails:string\n, EventOriginalSeverity:string\n, EventOriginalSubType:string\n, EventStartTime:datetime\n, EventEndTime:datetime\n, EventReportUrl:string\n, EventResult: string\n, EventResultDetails: string\n, AdditionalFields:dynamic\n, EventOwner:string\n// ****** Device fields ******\n, DvcId:string\n, DvcHostname:string\n, DvcDomain:string\n, DvcDomainType:string\n, DvcFQDN:string\n, DvcIpAddr:string\n, DvcOs:string\n, DvcOsVersion:string\n, DvcMacAddr:string\n, DvcAction:string\n, DvcOriginalAction:string\n, DvcDescription: string\n, DvcIdType: string\n, DvcInterface: string\n, DvcZone: string\n, DvcScopeId:string\n, DvcScope:string\n// ****** Source User fields ******\n, SrcUserId:string\n, SrcUserUid:string\n, SrcUserIdType:string\n, SrcUserScopeId:string\n, SrcUserScope:string\n, 
SrcUsername:string\n, SrcUsernameType:string\n, SrcUserType:string\n, SrcOriginalUserType:string\n, SrcUserSessionId:string\n// ****** Source System fields ******\n, SrcIpAddr: string\n, SrcPortNumber:int\n, SrcHostname:string\n, SrcMacAddr:string\n, SrcDomain:string\n, SrcDomainType:string\n, SrcFQDN:string\n, SrcDescription:string\n, SrcDvcId:string\n, SrcDvcIdType:string\n, SrcDvcScopeId:string\n, SrcDvcScope:string\n, SrcDeviceType:string\n, SrcGeoCountry:string\n, SrcGeoLatitude:real\n, SrcGeoLongitude:real\n, SrcGeoRegion:string\n, SrcGeoCity:string\n, SrcRiskLevel:int\n, SrcOriginalRiskLevel:string\n// ****** Dhcp Event Fields ******\n, RequestedIpAddr:string //Optional\n, DhcpLeaseDuration:int\n, DhcpSessionId:string\n, DhcpSessionDuration:int\n, DhcpSrcDHCId:string\n, DhcpCircuitId:string\n, DhcpSubscriberId:string\n, DhcpVendorClassId:string\n, DhcpVendorClass:string\n, DhcpUserClassId:string\n, DhcpUserClass:string\n// ****** aliases ******\n, SessionId:string\n, Duration:int\n, Src: string\n, Dst: string\n, User: string\n, IpAddr:string\n, Hostname:string\n//****** Inspection fields ******\n, RuleName:string\n, RuleNumber:int\n, ThreatId:string\n, ThreatName:string\n, ThreatCategory:string\n, ThreatRiskLevel:int\n, ThreatOriginalRiskLevel:string\n, ThreatConfidence:int\n, ThreatOriginalConfidence:string\n, ThreatIsActive:bool\n, ThreatFirstReportedTime:datetime\n, ThreatLastReportedTime:datetime\n, ThreatField:string\n)[];\nEmptyDhcpEvents", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Dhcp event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimDhcpEventEmpty", + "query": "let EmptyDhcpEvents =datatable (\n TimeGenerated:datetime\n, _ResourceId:string\n, Type:string\n// ****** Event fields ******\n, EventType:string\n, EventProduct:string\n, EventProductVersion:string\n, EventCount:int\n, EventMessage:string\n, EventVendor:string\n, EventSchema:string\n, EventSchemaVersion:string\n, 
EventSeverity:string\n, EventSubType:string\n, EventOriginalUid:string\n, EventOriginalType:string\n, EventOriginalResultDetails:string\n, EventOriginalSeverity:string\n, EventOriginalSubType:string\n, EventStartTime:datetime\n, EventEndTime:datetime\n, EventReportUrl:string\n, EventResult: string\n, EventResultDetails: string\n, AdditionalFields:dynamic\n, EventOwner:string\n// ****** Device fields ******\n, DvcId:string\n, DvcHostname:string\n, DvcDomain:string\n, DvcDomainType:string\n, DvcFQDN:string\n, DvcIpAddr:string\n, DvcOs:string\n, DvcOsVersion:string\n, DvcMacAddr:string\n, DvcAction:string\n, DvcOriginalAction:string\n, DvcDescription: string\n, DvcIdType: string\n, DvcInterface: string\n, DvcZone: string\n, DvcScopeId:string\n, DvcScope:string\n// ****** Source User fields ******\n, SrcUserId:string\n, SrcUserUid:string\n, SrcUserIdType:string\n, SrcUserScopeId:string\n, SrcUserScope:string\n, SrcUsername:string\n, SrcUsernameType:string\n, SrcUserType:string\n, SrcOriginalUserType:string\n, SrcUserSessionId:string\n// ****** Source System fields ******\n, SrcIpAddr: string\n, SrcPortNumber:int\n, SrcHostname:string\n, SrcMacAddr:string\n, SrcDomain:string\n, SrcDomainType:string\n, SrcFQDN:string\n, SrcDescription:string\n, SrcDvcId:string\n, SrcDvcIdType:string\n, SrcDvcScopeId:string\n, SrcDvcScope:string\n, SrcDeviceType:string\n, SrcGeoCountry:string\n, SrcGeoLatitude:real\n, SrcGeoLongitude:real\n, SrcGeoRegion:string\n, SrcGeoCity:string\n, SrcRiskLevel:int\n, SrcOriginalRiskLevel:string\n// ****** Dhcp Event Fields ******\n, RequestedIpAddr:string //Optional\n, DhcpLeaseDuration:int\n, DhcpSessionId:string\n, DhcpSessionDuration:int\n, DhcpSrcDHCId:string\n, DhcpCircuitId:string\n, DhcpSubscriberId:string\n, DhcpVendorClassId:string\n, DhcpVendorClass:string\n, DhcpUserClassId:string\n, DhcpUserClass:string\n// ****** aliases ******\n, SessionId:string\n, Duration:int\n, Src: string\n, Dst: string\n, User: string\n, IpAddr:string\n, 
Hostname:string\n//****** Inspection fields ******\n, RuleName:string\n, RuleNumber:int\n, ThreatId:string\n, ThreatName:string\n, ThreatCategory:string\n, ThreatRiskLevel:int\n, ThreatOriginalRiskLevel:string\n, ThreatConfidence:int\n, ThreatOriginalConfidence:string\n, ThreatIsActive:bool\n, ThreatFirstReportedTime:datetime\n, ThreatLastReportedTime:datetime\n, ThreatField:string\n)[];\nEmptyDhcpEvents", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/README.md b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/README.md new file mode 100644 index 00000000000..a9014dad510 --- /dev/null +++ b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/README.md @@ -0,0 +1,18 @@ +# Infoblox BloxOne ASIM DhcpEvent Normalization Parser + +ARM template for ASIM DhcpEvent schema parser for Infoblox BloxOne. + +This ASIM parser supports normalizing DhcpEvent logs from Infoblox BloxOne to the ASIM DhcpEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM DhcpEvent normalization schema reference](https://aka.ms/ASimDhcpEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDhcpEvent%2FARM%2FvimDhcpEventInfobloxBloxOne%2FvimDhcpEventInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDhcpEvent%2FARM%2FvimDhcpEventInfobloxBloxOne%2FvimDhcpEventInfobloxBloxOne.json) diff --git a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/vimDhcpEventInfobloxBloxOne.json b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/vimDhcpEventInfobloxBloxOne.json new file mode 100644 index 00000000000..2e932dfbf52 --- /dev/null +++ b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventInfobloxBloxOne/vimDhcpEventInfobloxBloxOne.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDhcpEventInfobloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "DhcpEvent ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "vimDhcpEventInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n srchostname_has_any:dynamic=dynamic([]),\n srcusername_has_any:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Infoblox\"\n and DeviceEventClassID has \"DHCP\"\n and ApplicationProtocol == \"DHCP\"\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and 
(array_length(srchostname_has_any) == 0 or (SourceHostName has_any (srchostname_has_any)))\n and array_length(srcusername_has_any) == 0\n and ((eventresult == \"*\") or (eventresult == \"Success\"))\n | parse-kv AdditionalExtensions as (InfoBloxLifeTime:int, InfoBloxClientId:string, InfobloxHost:string, InfobloxIPSpace:string, InfobloxSubnet:string, InfobloxRangeStart:string, InfobloxRangeEnd:string, InfobloxLeaseOp:string, InfobloxClientID:string, InfobloxDUID:string, InfobloxLeaseUUID:string, InfobloxFingerprintPr:string, InfobloxFingerprint:string, InfobloxDHCPOptions:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventSeverityLookup on LogSeverity\n | invoke _ASIM_ResolveSrcFQDN('SourceHostName')\n | invoke _ASIM_ResolveDvcFQDN('InfobloxHost')\n | project-rename\n SrcIpAddr = SourceIP,\n SrcMacAddr = SourceMACAddress,\n DhcpLeaseDuration = InfoBloxLifeTime,\n DhcpSrcDHCId = InfoBloxClientId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventUid = _ItemId\n | extend\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventType = iff(Activity has_any (\"Abandon\", \"Delete\"), \"Release\", \"Assign\"),\n AdditionalFields = bag_pack(\n \"InfobloxIPSpace\",\n InfobloxIPSpace,\n \"InfobloxSubnet\",\n InfobloxSubnet,\n \"InfobloxRangeStart\",\n InfobloxRangeStart,\n \"InfobloxRangeEnd\",\n InfobloxRangeEnd,\n \"InfobloxLeaseOp\",\n InfobloxLeaseOp,\n \"InfobloxClientID\",\n InfobloxClientID,\n \"InfobloxDUID\",\n InfobloxDUID,\n \"InfobloxLeaseUUID\",\n InfobloxLeaseUUID,\n \"InfobloxFingerprintPr\",\n InfobloxFingerprintPr,\n \"InfobloxFingerprint\",\n InfobloxFingerprint,\n \"InfobloxDHCPOptions\",\n InfobloxDHCPOptions\n ),\n Duration = DhcpLeaseDuration,\n IpAddr = SrcIpAddr\n | extend\n EventCount = toint(1),\n EventProduct = \"BloxOne\",\n EventVendor = \"Infoblox\",\n EventResult = \"Success\",\n EventSchema = \"DhcpEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n Source*,\n 
Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n Protocol,\n SimplifiedDeviceAction,\n ExternalID,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity,\n Computer,\n ApplicationProtocol,\n CollectorHostName,\n ExtID,\n Reason,\n Message,\n Activity,\n Infoblox*\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n srchostname_has_any = srchostname_has_any,\n srcusername_has_any = srcusername_has_any,\n eventresult = eventresult,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),srcusername_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventNative/vimDhcpEventNative.json b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventNative/vimDhcpEventNative.json index 2e774e95d43..1bd1b3c6a28 100644 --- a/Parsers/ASimDhcpEvent/ARM/vimDhcpEventNative/vimDhcpEventNative.json +++ b/Parsers/ASimDhcpEvent/ARM/vimDhcpEventNative/vimDhcpEventNative.json 
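Review bot: The filter clause `and array_length(srcusername_has_any) == 0` makes the parser return no rows whenever a caller passes a username filter, which is the right behavior for a source with no username field but reads like a mistake without a comment; I would add `// BloxOne DHCP events carry no username, so any srcusername_has_any filter yields an empty result by design` above it. Separately, the parser extracts `InfobloxDUID` and the source is DHCP, so DHCPv6 leases may be present, yet `srcipaddr_has_any_prefix` is applied with `has_any_ipv4_prefix(SourceIP, ...)`; if BloxOne emits IPv6 client addresses in `SourceIP` (I cannot confirm this from the diff), an IP-prefix filter would silently drop those events, which is worth a sentence in the README or a comment on that line.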
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDhcpEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDhcpEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Dhcp Event ASIM filtering parser for Microsoft Sentinel native Dhcp Event table", - "category": "ASIM", - "FunctionAlias": "vimDhcpEventNative", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n srchostname_has_any:dynamic=dynamic([]),\n srcusername_has_any:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n ASimDhcpEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0 or (SrcHostname has_any (srchostname_has_any)))\n and (array_length(srcusername_has_any) == 0 or (SrcUsername has_any (srcusername_has_any)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"DhcpEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, 
_ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n SessionId = DhcpSessionId,\n Duration = DhcpSessionDuration,\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Hostname = SrcHostname\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n srchostname_has_any = srchostname_has_any,\n srcusername_has_any = srcusername_has_any,\n eventresult = eventresult,\n disabled = disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),srcusername_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Dhcp Event ASIM filtering parser for Microsoft Sentinel native Dhcp Event table", + "category": "ASIM", + "FunctionAlias": "vimDhcpEventNative", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n srchostname_has_any:dynamic=dynamic([]),\n srcusername_has_any:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n ASimDhcpEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0 or (SrcHostname has_any (srchostname_has_any)))\n and (array_length(srcusername_has_any) == 0 or (SrcUsername has_any (srcusername_has_any)))\n and ((eventresult == \"*\") or (EventResult == eventresult))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"DhcpEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n 
EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n SessionId = DhcpSessionId,\n Duration = DhcpSessionDuration,\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Hostname = SrcHostname\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n srchostname_has_any = srchostname_has_any,\n srcusername_has_any = srcusername_has_any,\n eventresult = eventresult,\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),srcusername_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDns/ASimDns.json b/Parsers/ASimDns/ARM/ASimDns/ASimDns.json index fa7e18a9dec..88b3ce1a72c 100644 --- a/Parsers/ASimDns/ARM/ASimDns/ASimDns.json +++ b/Parsers/ASimDns/ARM/ASimDns/ASimDns.json 
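Review bot: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` in the aliases block of the re-added query tests the wrong column, so a row with a null EventStartTime and a populated EventEndTime keeps the null; it should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime)`. The same line appears unchanged on the removed side, so the flattened resource carries the defect forward rather than introducing it. If this ARM template is generated from the parser's YAML source, as the surrounding files suggest, the fix belongs there so the next conversion does not overwrite it.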
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDns')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDns", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimDns", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeASimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty,\n ASimDnsAzureFirewall (imDnsBuiltInDisabled or ('ExcludeASimASimDnsAzureFirewall' in (DisabledParsers) )),\n ASimDnsCiscoUmbrella (imDnsBuiltInDisabled or ('ExcludeASimDnsCiscoUmbrella' in (DisabledParsers) )),\n ASimDnsCorelightZeek (imDnsBuiltInDisabled or ('ExcludeASimDnsCorelightZeek' in (DisabledParsers) )),\n ASimDnsFortinetFortiGate (imDnsBuiltInDisabled or ('ExcludeASimDnsFortinetFortiGate' in (DisabledParsers) )),\n ASimDnsGcp (imDnsBuiltInDisabled or ('ExcludeASimDnsDnsGcp' in (DisabledParsers) )),\n ASimDnsInfobloxNIOS (imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxNIOS' in (DisabledParsers) )),\n ASimDnsMicrosoftNXlog (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftNXlog' in (DisabledParsers) )),\n ASimDnsMicrosoftOMS (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftOMS' in (DisabledParsers) )),\n ASimDnsMicrosoftSysmon (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmon' 
in (DisabledParsers) )),\n ASimDnsMicrosoftSysmonWindowsEvent (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n ASimDnsNative (imDnsBuiltInDisabled or ('ExcludeASimDnsNative' in (DisabledParsers) )),\n ASimDnsSentinelOne (imDnsBuiltInDisabled or ('ExcludeASimDnsSentinelOne' in (DisabledParsers) )),\n ASimDnsVectraAI (imDnsBuiltInDisabled or ('ExcludeASimDnsVectraAI' in (DisabledParsers) )),\n ASimDnsZscalerZIA (imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA' in (DisabledParsers) ))", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimDns", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeASimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty,\n ASimDnsAzureFirewall (imDnsBuiltInDisabled or ('ExcludeASimASimDnsAzureFirewall' in (DisabledParsers) )),\n ASimDnsCiscoUmbrella (imDnsBuiltInDisabled or ('ExcludeASimDnsCiscoUmbrella' in (DisabledParsers) )),\n ASimDnsCorelightZeek (imDnsBuiltInDisabled or ('ExcludeASimDnsCorelightZeek' in (DisabledParsers) )),\n ASimDnsFortinetFortiGate (imDnsBuiltInDisabled or ('ExcludeASimDnsFortinetFortiGate' in (DisabledParsers) )),\n ASimDnsGcp (imDnsBuiltInDisabled or ('ExcludeASimDnsDnsGcp' in (DisabledParsers) )),\n ASimDnsInfobloxNIOS (imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxNIOS' in (DisabledParsers) )),\n ASimDnsMicrosoftNXlog (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftNXlog' in (DisabledParsers) )),\n ASimDnsMicrosoftOMS (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftOMS' in (DisabledParsers) )),\n ASimDnsMicrosoftSysmon (imDnsBuiltInDisabled or 
('ExcludeASimDnsMicrosoftSysmon' in (DisabledParsers) )),\n ASimDnsMicrosoftSysmonWindowsEvent (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n ASimDnsNative (imDnsBuiltInDisabled or ('ExcludeASimDnsNative' in (DisabledParsers) )),\n ASimDnsSentinelOne (imDnsBuiltInDisabled or ('ExcludeASimDnsSentinelOne' in (DisabledParsers) )),\n ASimDnsVectraAI (imDnsBuiltInDisabled or ('ExcludeASimDnsVectraAI' in (DisabledParsers) )),\n ASimDnsZscalerZIA (imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA' in (DisabledParsers) )),\n ASimDnsInfobloxBloxOne (imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxBloxOne' in (DisabledParsers) ))", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsAzureFirewall/ASimDnsAzureFirewall.json b/Parsers/ASimDns/ARM/ASimDnsAzureFirewall/ASimDnsAzureFirewall.json index 0be62cfe0d3..4b8eabb7ecd 100644 --- a/Parsers/ASimDns/ARM/ASimDnsAzureFirewall/ASimDnsAzureFirewall.json +++ b/Parsers/ASimDns/ARM/ASimDnsAzureFirewall/ASimDnsAzureFirewall.json 
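Review bot: Two exclusion keys in the re-added union do not follow the `ExcludeASim<FunctionAlias>` pattern that every other entry, including the new `ASimDnsInfobloxBloxOne` line, uses: `'ExcludeASimASimDnsAzureFirewall'` and `'ExcludeASimDnsDnsGcp'`. An operator who adds `ExcludeASimDnsAzureFirewall` or `ExcludeASimDnsGcp` to the ASimDisabledParsers watchlist, as the pattern implies, would not actually switch those source parsers off; correcting the literals to `'ExcludeASimDnsAzureFirewall'` and `'ExcludeASimDnsGcp'` restores the contract, keeping the old keys alongside during a transition if existing watchlists may rely on them. `functionParameters` still declares `pack:bool=False` although the query never reads `pack`, which deserves a comment in the source if it is kept for interface compatibility. As this ARM file looks generated, both fixes belong in the YAML source.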
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsAzureFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsAzureFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Azure Firewall", - "category": "ASIM", - "FunctionAlias": "ASimDnsAzureFirewall", - "query": "let DNS_query=(disabled:bool=false){\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | where msg_s startswith \"DNS Request:\"\n | project msg_s, TimeGenerated, ResourceId\n | parse msg_s with\n \"DNS Request: \" \n SrcIpAddr:string \":\" SrcPortNumber:int \n \" - \" EventOriginalUid:string \n \" \" DnsQueryTypeName:string \n \" \" DnsQueryClassName:string\n \" \" DnsQuery:string\n \". 
\" NetworkProtocol:string \n \" \" SrcBytes:int \n \" \" DnsDNSSECflag:bool \n \" \" DnsDNSSECBufferSize:int \n \" \" EventResultDetails:string \n \" \" DnsFlags:string\n \" \" DstBytes:int\n \" \" DnsNetworkDuration:double\n \"s\"\n | project-away msg_s\n | extend\n EventResult = iff (EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\n EventSubType = \"response\",\n DnsNetworkDuration = toint(DnsNetworkDuration*1000) \n};\nlet DNS_error=(disabled:bool=false) {\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \" Error:\"\n | parse msg_s with \n \" Error: \" nu:string \n \" \" DnsQuery:string \n \". \" DnsQueryTypeName:string \n \": \" op:string \n \" \" NetworkProtocol:string\n \" \" SrcIpAddr:string \":\" SrcPortNumber:int \n \"->\" DstIpAddr:string \":\" DstPortNumber:int \n \": \" EventResultOriginalDetails:string\n | project-away msg_s\n | extend \n EventResult = \"Failure\",\n EventSubType = \"request\"\n};\nlet DNS = (disabled:bool=false) {\n union DNS_query(disabled), DNS_error(disabled)\n | extend\n NetworkProtocol = toupper(NetworkProtocol)\n | project-rename\n DvcId = ResourceId\n | extend\n DvcIdType = \"AzureResourceId\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"Azure Firewall\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.3\",\n EventEndTime = TimeGenerated, \n EventType = 'Query',\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\n DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\n DnsFlagsTruncates = DnsFlags has \"tc\"\n | extend\n // -- Aliases\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n 
Src=SrcIpAddr,\n Dst=DstIpAddr,\n Duration = DnsNetworkDuration,\n Dvc=DvcId\n | extend\n // -- Backward Compatibility\n Query = DnsQuery,\n QueryTypeName = DnsQueryTypeName,\n ResponseCodeName = DnsResponseCodeName,\n Flags = DnsFlags\n};\nDNS(disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Azure Firewall", + "category": "ASIM", + "FunctionAlias": "ASimDnsAzureFirewall", + "query": "let DNS_query=(disabled:bool=false){\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | where msg_s startswith \"DNS Request:\"\n | project msg_s, TimeGenerated, ResourceId\n | parse msg_s with\n \"DNS Request: \" \n SrcIpAddr:string \":\" SrcPortNumber:int \n \" - \" EventOriginalUid:string \n \" \" DnsQueryTypeName:string \n \" \" DnsQueryClassName:string\n \" \" DnsQuery:string\n \". \" NetworkProtocol:string \n \" \" SrcBytes:int \n \" \" DnsDNSSECflag:bool \n \" \" DnsDNSSECBufferSize:int \n \" \" EventResultDetails:string \n \" \" DnsFlags:string\n \" \" DstBytes:int\n \" \" DnsNetworkDuration:double\n \"s\"\n | project-away msg_s\n | extend\n EventResult = iff (EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\n EventSubType = \"response\",\n DnsNetworkDuration = toint(DnsNetworkDuration*1000) \n};\nlet DNS_error=(disabled:bool=false) {\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \" Error:\"\n | parse msg_s with \n \" Error: \" nu:string \n \" \" DnsQuery:string \n \". 
\" DnsQueryTypeName:string \n \": \" op:string \n \" \" NetworkProtocol:string\n \" \" SrcIpAddr:string \":\" SrcPortNumber:int \n \"->\" DstIpAddr:string \":\" DstPortNumber:int \n \": \" EventResultOriginalDetails:string\n | project-away msg_s\n | extend \n EventResult = \"Failure\",\n EventSubType = \"request\"\n};\nlet DNS = (disabled:bool=false) {\n union DNS_query(disabled), DNS_error(disabled)\n | extend\n NetworkProtocol = toupper(NetworkProtocol)\n | project-rename\n DvcId = ResourceId\n | extend\n DvcIdType = \"AzureResourceId\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"Azure Firewall\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.3\",\n EventEndTime = TimeGenerated, \n EventType = 'Query',\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\n DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\n DnsFlagsTruncates = DnsFlags has \"tc\"\n | extend\n // -- Aliases\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Dst=DstIpAddr,\n Duration = DnsNetworkDuration,\n Dvc=DvcId\n | extend\n // -- Backward Compatibility\n Query = DnsQuery,\n QueryTypeName = DnsQueryTypeName,\n ResponseCodeName = DnsResponseCodeName,\n Flags = DnsFlags\n};\nDNS(disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsCiscoUmbrella/ASimDnsCiscoUmbrella.json b/Parsers/ASimDns/ARM/ASimDnsCiscoUmbrella/ASimDnsCiscoUmbrella.json index 99a22f585be..565b58e3eae 100644 --- a/Parsers/ASimDns/ARM/ASimDnsCiscoUmbrella/ASimDnsCiscoUmbrella.json +++ b/Parsers/ASimDns/ARM/ASimDnsCiscoUmbrella/ASimDnsCiscoUmbrella.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsCiscoUmbrella')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsCiscoUmbrella", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Cisco Umbrella", - "category": "ASIM", - "FunctionAlias": "ASimDnsCiscoUmbrella", - "query": "let DNSQuery_CiscoUmbrella=(disabled:bool=false){\n Cisco_Umbrella_dns_CL | where not(disabled)\n // \n // *********** Parsing\n | parse QueryType_s with DnsQueryType:int \" (\"DnsQueryTypeName:string \")\"\n //\n | project \n //\n // ******************* Mandatory\n EventCount=int(1),\n EventStartTime= column_ifexists(\"Timestamp_t\", todatetime(column_ifexists(\"Timestamp_s\",\"\"))),\n EventProduct=\"Umbrella\",\n EventVendor=\"Cisco\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"CiscoUmbrella\",\n EventType=\"Query\",\n EventResult=iff(ResponseCode_s=~'NOERROR','Success','Failure'),\n EventResultDetails=ResponseCode_s, // => ResponseCodeNames\n //\n TimeGenerated, // not handled by schema, but we need to preserve it\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\n EventSubType='response',\n // ********** Renamed columns\n UrlCategory=column_ifexists('Categories_s', ''),\n DnsQuery=trim_end(@'\\.',column_ifexists('Domain_s', '')) , \n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\n DvcAction=column_ifexists('Action_s', ''),\n EventEndTime=todatetime(column_ifexists('Timestamp_t', 
column_ifexists('Timestamp_s',\"\") )), \n //\n // *************** keep Parsed data\n DnsQueryType, DnsQueryTypeName\n // **************Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n DomainCategory=UrlCategory,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n };\nDNSQuery_CiscoUmbrella(disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Cisco Umbrella", + "category": "ASIM", + "FunctionAlias": "ASimDnsCiscoUmbrella", + "query": "let DNSQuery_CiscoUmbrella=(disabled:bool=false){\n Cisco_Umbrella_dns_CL | where not(disabled)\n // \n // *********** Parsing\n | parse QueryType_s with DnsQueryType:int \" (\"DnsQueryTypeName:string \")\"\n //\n | project \n //\n // ******************* Mandatory\n EventCount=int(1),\n EventStartTime= column_ifexists(\"Timestamp_t\", todatetime(column_ifexists(\"Timestamp_s\",\"\"))),\n EventProduct=\"Umbrella\",\n EventVendor=\"Cisco\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"CiscoUmbrella\",\n EventType=\"Query\",\n EventResult=iff(ResponseCode_s=~'NOERROR','Success','Failure'),\n EventResultDetails=ResponseCode_s, // => ResponseCodeNames\n //\n TimeGenerated, // not handled by schema, but we need to preserve it\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\n EventSubType='response',\n // ********** Renamed columns\n UrlCategory=column_ifexists('Categories_s', ''),\n DnsQuery=trim_end(@'\\.',column_ifexists('Domain_s', '')) , \n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\n DvcAction=column_ifexists('Action_s', ''),\n EventEndTime=todatetime(column_ifexists('Timestamp_t', column_ifexists('Timestamp_s',\"\") )), \n //\n // *************** keep Parsed data\n DnsQueryType, DnsQueryTypeName\n // **************Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n DomainCategory=UrlCategory,\n 
Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n };\nDNSQuery_CiscoUmbrella(disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json b/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json index 58405966c07..5cefc725d39 100644 --- a/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json +++ b/Parsers/ASimDns/ARM/ASimDnsCorelightZeek/ASimDnsCorelightZeek.json 
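Review bot: `EventStartTime` and `EventEndTime` in the re-added query derive the same timestamp in two different shapes, `column_ifexists("Timestamp_t", todatetime(column_ifexists("Timestamp_s","")))` versus `todatetime(column_ifexists('Timestamp_t', column_ifexists('Timestamp_s',"")))`, which reads as two intents and only the second guarantees a datetime result. Using the `todatetime(...)` form for both keeps the fields the same type and makes the fallback order obvious to the next reader. If this ARM file is generated, the change belongs in the YAML source.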
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsCorelightZeek')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsCorelightZeek", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Corelight Zeek", - "category": "ASIM", - "FunctionAlias": "ASimDnsCorelightZeek", - "query": "let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 54, \"Unassigned\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, 
\"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"ANY\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"];\nlet class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'];\nlet parser=(disabled:bool=false){\n Corelight_CL | where not(disabled)\n | project Message, TimeGenerated\n | where Message has '\"_path\":\"dns\"' or Message has '\"_path\":\"dns_red\"'\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"trans_id\"']:int,\n ['\"query\"']:string,\n ['\"qclass\"']:int,\n ['\"qtype\"']:int,\n ['\"AA\"']:bool,\n ['\"TC\"']:bool,\n ['\"CD\"']:bool,\n ['\"RD\"']:bool,\n ['\"RA\"']:bool,\n ['\"Z\"']:int,\n ['\"rejected\"']:bool,\n ['\"rcode\"']:int,\n ['\"rcode_name\"']:string,\n ['\"rtt\"']:real,\n ) \n with (quote = '\"')\n | parse Message with * '\"answers\":' answers:string ',\"TTLs\":' TTLs:string ',\"rejected\"' *\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.4\",\n EventType=\"Query\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n DnsQuery = ['\"query\"'],\n DnsResponseCode = ['\"rcode\"'],\n EventResultDetails = ['\"rcode_name\"'],\n DnsFlagsAuthoritative = ['\"AA\"'],\n DnsFlagsTruncated = ['\"TC\"'],\n DnsFlagsRecursionDesired = ['\"RD\"'],\n 
DnsFlagsCheckingDisabled = ['\"CD\"'],\n DnsFlagsRecursionAvailable = ['\"RA\"'],\n DnsQueryClass = ['\"qclass\"'],\n DnsQueryType = ['\"qtype\"'],\n rtt = ['\"rtt\"'],\n Z = ['\"Z\"'],\n trans_id = ['\"trans_id\"'],\n rejected = ['\"rejected\"'],\n Dvc = ['\"_system_name\"']\n | lookup query_type_lookup on DnsQueryType\n | lookup class_lookup on DnsQueryClass\n | extend\n EventSubType=iff(isnull(DnsResponseCode),'request','response'),\n DnsNetworkDuration = toint(rtt*1000),\n EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'),\n DnsQueryTypeName = case (DnsQueryTypeName == \"\" and not(isnull(DnsQueryType)), strcat(\"TYPE\", DnsQueryType), DnsQueryTypeName),\n DnsQueryClassName = case (DnsQueryClassName == \"\" and not(isnull(DnsQueryClass)), strcat(\"CLASS\", DnsQueryClass), DnsQueryClassName),\n TransactionIdHex = tohex(toint(trans_id)),\n DnsFlagsZ = (Z != 0),\n DnsResponseName = tostring(pack ('answers', answers, 'ttls', TTLs)) // support of auth & addl to be added.\n | project-away rtt\n // Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n Dst=DstIpAddr\n | project-away Message, Z, TTLs, answers, trans_id, rejected\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Corelight Zeek", + "category": "ASIM", + "FunctionAlias": "ASimDnsCorelightZeek", + "query": "let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, 
\"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 54, \"Unassigned\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"ANY\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"];\nlet class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'];\nlet parser=(disabled:bool=false){\n Corelight_CL | where not(disabled)\n | project Message, TimeGenerated\n | where Message has '\"_path\":\"dns\"' or Message has '\"_path\":\"dns_red\"'\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"trans_id\"']:int,\n ['\"query\"']:string,\n ['\"qclass\"']:int,\n ['\"qtype\"']:int,\n ['\"AA\"']:bool,\n ['\"TC\"']:bool,\n ['\"CD\"']:bool,\n ['\"RD\"']:bool,\n ['\"RA\"']:bool,\n ['\"Z\"']:int,\n ['\"rejected\"']:bool,\n ['\"rcode\"']:int,\n ['\"rcode_name\"']:string,\n ['\"rtt\"']:real,\n ) \n with (quote = '\"')\n | 
parse Message with * '\"answers\":' answers:string ',\"TTLs\":' TTLs:string ',\"rejected\"' *\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.4\",\n EventType=\"Query\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n DnsQuery = ['\"query\"'],\n DnsResponseCode = ['\"rcode\"'],\n EventResultDetails = ['\"rcode_name\"'],\n DnsFlagsAuthoritative = ['\"AA\"'],\n DnsFlagsTruncated = ['\"TC\"'],\n DnsFlagsRecursionDesired = ['\"RD\"'],\n DnsFlagsCheckingDisabled = ['\"CD\"'],\n DnsFlagsRecursionAvailable = ['\"RA\"'],\n DnsQueryClass = ['\"qclass\"'],\n DnsQueryType = ['\"qtype\"'],\n rtt = ['\"rtt\"'],\n Z = ['\"Z\"'],\n trans_id = ['\"trans_id\"'],\n rejected = ['\"rejected\"'],\n Dvc = ['\"_system_name\"']\n | lookup query_type_lookup on DnsQueryType\n | lookup class_lookup on DnsQueryClass\n | extend\n EventSubType=iff(isnull(DnsResponseCode),'request','response'),\n DnsNetworkDuration = toint(rtt*1000),\n EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'),\n DnsQueryTypeName = case (DnsQueryTypeName == \"\" and not(isnull(DnsQueryType)), strcat(\"TYPE\", DnsQueryType), DnsQueryTypeName),\n DnsQueryClassName = case (DnsQueryClassName == \"\" and not(isnull(DnsQueryClass)), strcat(\"CLASS\", DnsQueryClass), DnsQueryClassName),\n TransactionIdHex = tohex(toint(trans_id)),\n DnsFlagsZ = (Z != 0),\n DnsResponseName = tostring(pack ('answers', answers, 'ttls', TTLs)) // support of auth & addl to be added.\n | project-away rtt\n // Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n Dst=DstIpAddr\n | 
project-away Message, Z, TTLs, answers, trans_id, rejected\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsFortinetFortigate/ASimDnsFortinetFortigate.json b/Parsers/ASimDns/ARM/ASimDnsFortinetFortigate/ASimDnsFortinetFortigate.json index dada136cb5e..93423e4e572 100644 --- a/Parsers/ASimDns/ARM/ASimDnsFortinetFortigate/ASimDnsFortinetFortigate.json +++ b/Parsers/ASimDns/ARM/ASimDnsFortinetFortigate/ASimDnsFortinetFortigate.json 
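Review bot: `EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success')` marks every request row as a failure: for requests `DnsResponseCode` is null (that is how `EventSubType` is derived on the line above) and `EventResultDetails` is empty, so `'' !~ 'NOERROR'` is true. Guarding on the response code, for example `EventResult = iff (isnotnull(DnsResponseCode) and (EventResultDetails !~ 'NOERROR' or rejected), 'Failure', 'Success')`, limits the failure verdict to responses; if the schema's EventResult list has a dedicated value for events without an outcome, requests should map to that instead. The same line sits unchanged on the removed side, so this is carried forward rather than introduced here, and as the template looks generated the fix belongs in the YAML source.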
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "ASimDnsFortinetFortiGate", - "query": "let Parser = (disabled:bool=false) {\n let DeviceEventClassIDLookup = datatable(EventOriginalSubType:string,EventSubType:string, EventSeverity:string, DvcAction:string, ThreatCategory:string, ThreatField:string)[\n \"54000\", \"request\", \"Informational\", \"\", \"\", \"\",\n \"54200\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54400\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54401\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54600\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"DstIpAddr\",\n \"54601\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"Domain\",\n \"54800\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54801\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54802\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54803\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54804\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54805\", \"response\", \"Informational\", \"\", \"\", \"\",\n ];\n let EventOriginalResultDetailsLookup = datatable(EventOriginalResultDetails:string, EventResultDetails:string, EventResult:string)[\n \"\", \"NOERROR\", \"Success\",\n \"0\", \"NOERROR\", \"Success\",\n \"1\", \"FORMERR\", 
\"Failure\",\n \"2\", \"SERVFAIL\", \"Failure\",\n \"3\", \"NXDOMAIN\", \"Failure\",\n \"4\", \"NOTIMP\", \"Failure\",\n \"5\", \"REFUSED\", \"Failure\",\n \"6\", \"YXDOMAIN\", \"Failure\",\n \"7\", \"YXRRSET\", \"Failure\",\n \"8\", \"NXRRSET\", \"Failure\",\n \"9\", \"NOTAUTH\", \"Failure\",\n \"10\", \"NOTZONE\", \"Failure\",\n \"11\", \"DSOTYPENI\", \"Failure\",\n \"16\", \"BADVERS\", \"Failure\",\n \"16\", \"BADSIG\", \"Failure\",\n \"17\", \"BADKEY\", \"Failure\",\n \"18\", \"BADTIME\", \"Failure\",\n \"19\", \"BADMODE\", \"Failure\",\n \"20\", \"BADNAME\", \"Failure\",\n \"21\", \"BADALG\", \"Failure\",\n \"22\", \"BADTRUNC\", \"Failure\",\n \"23\", \"BADCOOKIE\", \"Failure\"\n ];\n let DnsQueryTypeLookup = datatable(DnsQueryType:int, DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 63, \"ZONEMD\",\n 64, \"SVCB\",\n 65, \"HTTPS\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 
249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"*\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"\n ];\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and \n DeviceProduct == \"Fortigate\"\n | where DeviceEventClassID in(54000,54200,54400,54401,54600,54601,54800,54801,54802,54803,54804,54805)\n | project TimeGenerated, EventOriginalSubType = DeviceEventClassID, AdditionalExtensions, EventUid = _ItemId, EventOriginalSeverity = LogSeverity, EventProductVersion = DeviceVersion ,Computer, Type, SrcIpAddr = SourceIP, SrcPortNumber = SourcePort, DstIpAddr = DestinationIP, DstPortNumber = DestinationPort, EventMessage = Message, NetworkProtocolNumber = Protocol, DvcId = DeviceExternalID, DnsSessionId = ExtID\n | lookup DeviceEventClassIDLookup on EventOriginalSubType\n | parse-kv AdditionalExtensions as (FTNTFGTlogid:string, FTNTFGTsubtype:string, FTNTFGTsrccountry:string, FTNTFGTdstcountry:string,FTNTFGTsrcintfrole:string, FTNTFGTrcode:string, FTNTFGTqname:string, FTNTFGTqtype:string, FTNTFGTxid:string, FTNTFGTqtypeval:int, FTNTFGTqclass:string, FTNTFGTcatdesc:string, FTNTFGTipaddr:string, FTNTFGTunauthuser:string, FTNTFGTuser:string, FTNTFGTbotnetip:string, sessionid:int) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | project-rename \n EventOriginalResultDetails = FTNTFGTrcode,\n EventOriginalUid = FTNTFGTlogid,\n DvcZone = FTNTFGTsrcintfrole,\n EventOriginalType = FTNTFGTsubtype,\n SrcGeoCountry = FTNTFGTsrccountry,\n DstGeoCountry = FTNTFGTdstcountry,\n DnsQuery = FTNTFGTqname,\n DnsQueryTypeName = FTNTFGTqtype,\n TransactionIdHex = FTNTFGTxid,\n DnsQueryClass = FTNTFGTqtypeval,\n DnsQueryClassName = FTNTFGTqclass,\n UrlCategory = FTNTFGTcatdesc,\n DnsResponseName = FTNTFGTipaddr,\n ThreatIpAddr = FTNTFGTbotnetip\n | extend \n DnsQueryTypeName = case(\n DnsQueryTypeName == \"Unknown\",\"\",\n DnsQueryTypeName\n )\n 
| lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | invoke _ASIM_ResolveNetworkProtocol(\"NetworkProtocolNumber\")\n | extend \n SrcUsername = coalesce(FTNTFGTuser, FTNTFGTunauthuser),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n DnsResponseCodeName = EventResultDetails,\n EventType = \"Query\",\n EventSchemaVersion = \"0.1.7\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventVendor = \"Fortinet\",\n EventProduct = \"FortiGate\",\n Domain = DnsQuery,\n DomainCategory = UrlCategory,\n SessionId = DnsSessionId\n | extend \n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | project-away FTNTFGTuser, FTNTFGTunauthuser, AdditionalExtensions, Computer, NetworkProtocolNumber\n};\nParser(\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Fortinet FortiGate", + "category": "ASIM", + "FunctionAlias": "ASimDnsFortinetFortiGate", + "query": "let Parser = (disabled:bool=false) {\n let DeviceEventClassIDLookup = datatable(EventOriginalSubType:string,EventSubType:string, EventSeverity:string, DvcAction:string, ThreatCategory:string, ThreatField:string)[\n \"54000\", \"request\", \"Informational\", \"\", \"\", \"\",\n \"54200\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54400\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54401\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54600\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"DstIpAddr\",\n \"54601\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"Domain\",\n \"54800\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54801\", \"response\", \"Low\", \"\", \"\", 
\"\",\n \"54802\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54803\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54804\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54805\", \"response\", \"Informational\", \"\", \"\", \"\",\n ];\n let EventOriginalResultDetailsLookup = datatable(EventOriginalResultDetails:string, EventResultDetails:string, EventResult:string)[\n \"\", \"NOERROR\", \"Success\",\n \"0\", \"NOERROR\", \"Success\",\n \"1\", \"FORMERR\", \"Failure\",\n \"2\", \"SERVFAIL\", \"Failure\",\n \"3\", \"NXDOMAIN\", \"Failure\",\n \"4\", \"NOTIMP\", \"Failure\",\n \"5\", \"REFUSED\", \"Failure\",\n \"6\", \"YXDOMAIN\", \"Failure\",\n \"7\", \"YXRRSET\", \"Failure\",\n \"8\", \"NXRRSET\", \"Failure\",\n \"9\", \"NOTAUTH\", \"Failure\",\n \"10\", \"NOTZONE\", \"Failure\",\n \"11\", \"DSOTYPENI\", \"Failure\",\n \"16\", \"BADVERS\", \"Failure\",\n \"16\", \"BADSIG\", \"Failure\",\n \"17\", \"BADKEY\", \"Failure\",\n \"18\", \"BADTIME\", \"Failure\",\n \"19\", \"BADMODE\", \"Failure\",\n \"20\", \"BADNAME\", \"Failure\",\n \"21\", \"BADALG\", \"Failure\",\n \"22\", \"BADTRUNC\", \"Failure\",\n \"23\", \"BADCOOKIE\", \"Failure\"\n ];\n let DnsQueryTypeLookup = datatable(DnsQueryType:int, DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, 
\"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 63, \"ZONEMD\",\n 64, \"SVCB\",\n 65, \"HTTPS\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"*\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"\n ];\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and \n DeviceProduct == \"Fortigate\"\n | where DeviceEventClassID in(54000,54200,54400,54401,54600,54601,54800,54801,54802,54803,54804,54805)\n | project TimeGenerated, EventOriginalSubType = DeviceEventClassID, AdditionalExtensions, EventUid = _ItemId, EventOriginalSeverity = LogSeverity, EventProductVersion = DeviceVersion ,Computer, Type, SrcIpAddr = SourceIP, SrcPortNumber = SourcePort, DstIpAddr = DestinationIP, DstPortNumber = DestinationPort, EventMessage = Message, NetworkProtocolNumber = Protocol, DvcId = DeviceExternalID, DnsSessionId = ExtID\n | lookup DeviceEventClassIDLookup on EventOriginalSubType\n | parse-kv AdditionalExtensions as (FTNTFGTlogid:string, FTNTFGTsubtype:string, FTNTFGTsrccountry:string, FTNTFGTdstcountry:string,FTNTFGTsrcintfrole:string, FTNTFGTrcode:string, FTNTFGTqname:string, FTNTFGTqtype:string, FTNTFGTxid:string, FTNTFGTqtypeval:int, FTNTFGTqclass:string, FTNTFGTcatdesc:string, FTNTFGTipaddr:string, FTNTFGTunauthuser:string, FTNTFGTuser:string, FTNTFGTbotnetip:string, sessionid:int) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | project-rename \n EventOriginalResultDetails = FTNTFGTrcode,\n EventOriginalUid = FTNTFGTlogid,\n DvcZone = 
FTNTFGTsrcintfrole,\n EventOriginalType = FTNTFGTsubtype,\n SrcGeoCountry = FTNTFGTsrccountry,\n DstGeoCountry = FTNTFGTdstcountry,\n DnsQuery = FTNTFGTqname,\n DnsQueryTypeName = FTNTFGTqtype,\n TransactionIdHex = FTNTFGTxid,\n DnsQueryClass = FTNTFGTqtypeval,\n DnsQueryClassName = FTNTFGTqclass,\n UrlCategory = FTNTFGTcatdesc,\n DnsResponseName = FTNTFGTipaddr,\n ThreatIpAddr = FTNTFGTbotnetip\n | extend \n DnsQueryTypeName = case(\n DnsQueryTypeName == \"Unknown\",\"\",\n DnsQueryTypeName\n )\n | lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | invoke _ASIM_ResolveNetworkProtocol(\"NetworkProtocolNumber\")\n | extend \n SrcUsername = coalesce(FTNTFGTuser, FTNTFGTunauthuser),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n DnsResponseCodeName = EventResultDetails,\n EventType = \"Query\",\n EventSchemaVersion = \"0.1.7\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventVendor = \"Fortinet\",\n EventProduct = \"FortiGate\",\n Domain = DnsQuery,\n DomainCategory = UrlCategory,\n SessionId = DnsSessionId\n | extend \n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | project-away FTNTFGTuser, FTNTFGTunauthuser, AdditionalExtensions, Computer, NetworkProtocolNumber\n};\nParser(\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsGcp/ASimDnsGcp.json b/Parsers/ASimDns/ARM/ASimDnsGcp/ASimDnsGcp.json index 351dcc6e736..5c14d318a61 100644 --- a/Parsers/ASimDns/ARM/ASimDnsGcp/ASimDnsGcp.json +++ b/Parsers/ASimDns/ARM/ASimDnsGcp/ASimDnsGcp.json 
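Review bot: EventOriginalResultDetailsLookup on the new side carries two rows keyed "16" (`"16", "BADVERS", "Failure"` and `"16", "BADSIG", "Failure"`), and `lookup` emits one output row per matching right-side row, so a FortiGate DNS event whose rcode is 16 comes out of the parser twice and is double-counted by anything aggregating on it; the IANA RCODE registry does assign 16 to both names (EDNS BADVERS and TSIG BADSIG), so keep a single row, e.g. `"16", "BADVERS", "Failure",`, and drop the BADSIG row. The same duplicate pair appears in the RCodeTable of the ASimDnsMicrosoftNXlog hunk further down this diff. The commit only reshapes the ARM resource and leaves the query text unchanged, and since these JSON files look like they are produced from the parser YAML by the convert workflow, the fix presumably belongs in the YAML source rather than here.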
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsGcp')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsGcp", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for GCP", - "category": "ASIM", - "FunctionAlias": "ASimDnsGcp", - "query": "// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry\nlet GCPSeverityTable=datatable(severity_s:string,EventSeverity:string)\n[\"DEFAULT\",\"Informational\",\n\"DEBUG\",\"Informational\",\n\"INFO\",\"Informational\",\n\"NOTICE\",\"Medium\",\n\"WARNING\",\"Medium\",\n\"ERROR\",\"High\",\n\"CRITICAL\",\"High\",\n\"ALERT\",\"High\",\n\"EMERGENCY\",\"High\"\n];\nlet DNSQuery_GcpDns=(disabled:bool=false){\n GCP_DNS_CL | where not(disabled)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where resource_type_s == \"dns_query\"\n | lookup GCPSeverityTable on severity_s\n | project-rename\n DnsQueryTypeName=payload_queryType_s,\n DnsResponseName=payload_rdata_s, \n EventResultDetails=payload_responseCode_s,\n NetworkProtocol=payload_protocol_s, \n SrcIpAddr=payload_sourceIP_s,\n EventOriginalUid=insert_id_s,\n EventOriginalSeverity=severity_s \n | extend\n DnsQuery=trim_end(@'\\.',payload_queryName_s), \n EventCount=int(1),\n EventProduct='Cloud DNS',\n EventVendor='GCP',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"GCPDNS\" ,\n EventType = iif (resource_type_s == \"dns_query\", \"Query\", resource_type_s),\n EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),\n 
EventSubType='response',\n EventEndTime=todatetime(timestamp_t)\n | extend\n EventStartTime = EventEndTime,\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure')\n // -- Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n // Backward Computability\n | project-away *_s, *_d, *_b, *_t\n };\n DNSQuery_GcpDns(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for GCP", + "category": "ASIM", + "FunctionAlias": "ASimDnsGcp", + "query": "// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry\nlet GCPSeverityTable=datatable(severity_s:string,EventSeverity:string)\n[\"DEFAULT\",\"Informational\",\n\"DEBUG\",\"Informational\",\n\"INFO\",\"Informational\",\n\"NOTICE\",\"Medium\",\n\"WARNING\",\"Medium\",\n\"ERROR\",\"High\",\n\"CRITICAL\",\"High\",\n\"ALERT\",\"High\",\n\"EMERGENCY\",\"High\"\n];\nlet DNSQuery_GcpDns=(disabled:bool=false){\n GCP_DNS_CL | where not(disabled)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where resource_type_s == \"dns_query\"\n | lookup GCPSeverityTable on severity_s\n | project-rename\n DnsQueryTypeName=payload_queryType_s,\n DnsResponseName=payload_rdata_s, \n EventResultDetails=payload_responseCode_s,\n NetworkProtocol=payload_protocol_s, \n SrcIpAddr=payload_sourceIP_s,\n EventOriginalUid=insert_id_s,\n EventOriginalSeverity=severity_s \n | extend\n DnsQuery=trim_end(@'\\.',payload_queryName_s), \n EventCount=int(1),\n EventProduct='Cloud DNS',\n EventVendor='GCP',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"GCPDNS\" ,\n EventType = iif (resource_type_s == \"dns_query\", \"Query\", resource_type_s),\n EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),\n EventSubType='response',\n EventEndTime=todatetime(timestamp_t)\n | extend\n EventStartTime = 
EventEndTime,\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure')\n // -- Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n // Backward Computability\n | project-away *_s, *_d, *_b, *_t\n };\n DNSQuery_GcpDns(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/ASimDnsInfobloxBloxOne.json b/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/ASimDnsInfobloxBloxOne.json new file mode 100644 index 00000000000..e4e50655a58 --- /dev/null +++ b/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/ASimDnsInfobloxBloxOne.json 
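Review bot: EventResult is computed twice with the identical expression `iff(EventResultDetails=~'NOERROR','Success','Failure')` — once in the first `extend` and again in the second — so the second assignment is dead weight and can be removed. The comment `// Backward Computability` should read `// Backward Compatibility`. EventSchemaVersion is "0.1.3" here while the FortiGate and BloxOne parsers in the same commit declare "0.1.7"; that may be intentional if this parser was never updated for the newer schema fields, but it is worth confirming. As with the sibling hunks, the query text is unchanged by this commit, so the fix likely belongs in the parser YAML.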
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsInfobloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Dns ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "ASimDnsInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string) [ \"0\", \"Low\", \"1\", \"Low\", \"2\", \"Low\", \"3\", \"Low\", \"4\", \"Medium\", \"5\", \"Medium\", \"6\", \"Medium\", \"7\", \"High\", \"8\", \"High\", \"9\", \"High\", \"10\", \"High\" ]; let DnsQueryTypeLookup = datatable(DnsQueryTypeName:string, DnsQueryType:int) [ \"A\", 1, \"NS\", 2, \"MD\", 3, \"MF\", 4, \"CNAME\", 5, \"SOA\", 6, \"MB\", 7, \"MG\", 8, \"MR\", 9, \"NULL\", 10, \"WKS\", 11, \"PTR\", 12, \"HINFO\", 13, \"MINFO\", 14, \"MX\", 15, \"TXT\", 16, \"RP\", 17, \"AFSDB\", 18, \"X25\", 19, \"ISDN\", 20, \"RT\", 21, \"NSAP\", 22, \"NSAPPTR\", 23, \"SIG\", 24, \"KEY\", 25, \"PX\", 26, \"GPOS\", 27, \"AAAA\", 28, \"LOC\", 29, \"NXT\", 30, \"EID\", 31, \"NIMLOC\", 32, \"SRV\", 33, \"ATMA\", 34, \"NAPTR\", 35, \"KX\", 36, \"CERT\", 37, \"A6\", 38, \"DNAME\", 39, \"SINK\", 40, \"OPT\", 41, \"APL\", 42, \"DS\", 43, \"SSHFP\", 44, \"IPSECKEY\", 45, \"RRSIG\", 46, \"NSEC\", 47, \"DNSKEY\", 48, 
\"DHCID\", 49, \"NSEC3\", 50, \"NSEC3PARAM\", 51, \"TLSA\", 52, \"SMIMEA\", 53, \"HIP\", 55, \"NINFO\", 56, \"RKEY\", 57, \"TALINK\", 58, \"CDS\", 59, \"CDNSKEY\", 60, \"OPENPGPKEY\", 61, \"CSYNC\", 62, \"ZONEMD\", 63, \"SVCB\", 64, \"HTTPS\", 65, \"SPF\", 99, \"UINFO\", 100, \"UID\", 101, \"GID\", 102, \"UNSPEC\", 103, \"TKEY\", 249, \"TSIG\", 250, \"IXFR\", 251, \"MAILB\", 253, \"MAILA\", 254, \"ANY\", 255, \"URI\", 256, \"CAA\", 257, \"TA\", 32768, \"DLV\", 32769 ]; let DnsResponseCodeLookup = datatable(EventResultDetails:string, DnsResponseCode:int) [ \"NOERROR\", 0, \"FORMERR\", 1, \"SERVFAIL\", 2, \"NXDOMAIN\", 3, \"NOTIMPL\", 4, \"REFUSED\", 5, \"YXDOMAIN\", 6, \"YXRRSET\", 7, \"NXRRSET\", 8, \"NOTAUTH\", 9, \"NOTZONE\", 10, \"DSOTYPENI\", 11, \"RESERVED12\", 12, \"RESERVED13\", 13, \"RESERVED14\", 14, \"RESERVED15\", 15, \"BADVERS\", 16, \"BADKEY\", 17, \"BADTIME\", 18, \"BADMODE\", 19, \"BADNAME\", 20, \"BADALG\", 21, \"BADTRUNC\", 22, \"BADCOOKIE\", 23, ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) and DeviceVendor == \"Infoblox\" and DeviceEventClassID has \"DNS\" | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string, InfobloxDNSQFlags:string) with (pair_delimiter=\";\", kv_delimiter=\"=\") | project-rename EventResultDetails = InfobloxDNSRCode, DnsQueryTypeName = InfobloxDNSQType, DnsFlags = InfobloxDNSQFlags | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' ')[0]) | lookup EventSeverityLookup on LogSeverity | lookup DnsQueryTypeLookup on DnsQueryTypeName | lookup DnsResponseCodeLookup on EventResultDetails | invoke _ASIM_ResolveDvcFQDN('DeviceName') | project-rename DnsQuery = DestinationDnsDomain, DvcIpAddr = DeviceAddress, SrcIpAddr = SourceIP, EventMessage = Message, EventOriginalSeverity = LogSeverity, EventOriginalType = DeviceEventClassID, SrcUsername = SourceUserName, SrcPortNumber = SourcePort, EventUid = _ItemId | extend Dvc = coalesce(DvcHostname, DvcIpAddr), 
EventEndTime = TimeGenerated, EventResult = iff(EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"), DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == \".\", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery), EventStartTime = TimeGenerated, Src = SrcIpAddr, SrcUsernameType = _ASIM_GetUsernameType(SrcUsername), DnsResponseCodeName = EventResultDetails, IpAddr = SrcIpAddr, User = SrcUsername | extend Domain = DnsQuery | extend EventCount = toint(1), EventSchema = \"Dns\", EventSchemaVersion = \"0.1.7\", EventProduct = \"BloxOne\", EventVendor = \"Infoblox\", EventType = \"Query\", DnsQueryClass = toint(1), DnsQueryClassName = \"IN\" | project-away Source*, Destination*, Device*, AdditionalExtensions, CommunicationDirection, EventOutcome, Protocol, SimplifiedDeviceAction, ExternalID, EndTime, FieldDevice*, Flex*, File*, Old*, MaliciousIP*, OriginalLogSeverity, Process*, ReceivedBytes, SentBytes, Remote*, Request*, StartTime, TenantId, ReportReferenceLink, ReceiptTime, Indicator*, _ResourceId, ThreatConfidence, ThreatDescription, ThreatSeverity, Computer, ApplicationProtocol, ExtID, Reason }; parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/README.md b/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/README.md new file mode 100644 index 00000000000..5b396c81f87 --- /dev/null +++ b/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/README.md 
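Review bot: `EventResult = iff(EventResultDetails == "NOERROR", "Success", "Failure")` classifies every record whose AdditionalExtensions carries no InfobloxDNSRCode (parse-kv leaves the column empty) as a Failure, and the comparison is case-sensitive whereas the GCP parser uses `=~` and the FortiGate lookup maps "" to NOERROR/Success; `EventResult = iff(EventResultDetails in~ ("NOERROR", ""), "Success", "Failure")` would align it with the others. The parser also never sets EventSubType, so consumers cannot tell requests from responses even though the rcode presence would allow it. DnsResponseCodeLookup ends its row list with a trailing comma (`"BADCOOKIE", 23, ]`) — confirm datatable accepts that, since the other lookup tables in this file do not. Unlike the sibling parsers, the whole query is serialized on one line without `\n` separators, which makes the saved-search body hard to read in the portal; the file is also added without a trailing newline while the rest of the commit fixes exactly that elsewhere.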
@@ -0,0 +1,18 @@ +# Infoblox BloxOne ASIM Dns Normalization Parser + +ARM template for ASIM Dns schema parser for Infoblox BloxOne. + +This ASIM parser supports normalizing Dns logs from Infoblox BloxOne to the ASIM Dns normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Dns normalization schema reference](https://aka.ms/ASimDnsDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FASimDnsInfobloxBloxOne%2FASimDnsInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FASimDnsInfobloxBloxOne%2FASimDnsInfobloxBloxOne.json) diff --git a/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json b/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json index f5cb5db9c21..017ce804bfa 100644 --- a/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json +++ b/Parsers/ASimDns/ARM/ASimDnsInfobloxNIOS/ASimDnsInfobloxNIOS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsInfobloxNIOS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsInfobloxNIOS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Infoblox NIOS", - "category": "ASIM", - "FunctionAlias": "ASimDnsInfobloxNIOS", - "query": "let SyslogProjected = Syslog | project SyslogMessage, ProcessName, TimeGenerated, Computer, HostIP;\nlet response = (disabled: boolean=false) {\n SyslogProjected\n | where not(disabled)\n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n | parse SyslogMessage with *\n \"client \" SrcIpAddr: string\n \"#\" SrcPortNumber: string\n \" \" NetworkProtocol: string\n \": query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n | extend DnsResponseNameIndex= indexof(DnsFlags, \" \")\n | extend DnsResponseName =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, DnsResponseNameIndex+1), \"\")\n | extend DnsFlags =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)\n | extend SrcPortNumber = iif(SrcPortNumber has ':',replace_string(SrcPortNumber,':',''),SrcPortNumber)\n | extend SrcPortNumber = toint(SrcPortNumber)\n | extend EventSubType = \"response\"\n | project-away SyslogMessage, ProcessName, DnsResponseNameIndex\n };\n let request = (disabled: boolean=false) {\n SyslogProjected \n | where not(disabled)\n | 
where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n | extend SyslogMessage = (split(SyslogMessage,\"client \"))[1]\n | extend SyslogMessage = iif(SyslogMessage startswith \"@\", (substring(SyslogMessage, indexof(SyslogMessage, \" \")+1)), SyslogMessage)\n | extend SyslogMessage = replace_string(SyslogMessage,\"\\\\ \",\"@@@\")\n | parse SyslogMessage with \n SrcIpAddr: string\n \"#\" SrcPortNumber: int *\n \"query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" \" DnsFlags: string\n | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')\n | extend DnsFlags= tostring((split(DnsFlags,\" \"))[0])\n | extend \n EventSubType = \"request\",\n DnsResponseCodeName = \"NA\"\n | project-away SyslogMessage, ProcessName\n };\n let parser = (disabled:boolean=false) {\n union response (disabled), request (disabled)\n | extend\n EventCount=int(1),\n EventStartTime=todatetime(TimeGenerated),\n EventEndTime=todatetime(TimeGenerated),\n EventProduct=\"NIOS\",\n EventVendor=\"Infoblox\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventType=\"Query\", \n EventResult=iff(EventSubType==\"request\" or DnsResponseCodeName==\"NOERROR\",\"Success\",\"Failure\"),\n DvcIpAddr=iff (HostIP == \"Unknown IP\", \"\", HostIP)\n // -- Aliases\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | project-away Computer\n | extend\n Dvc=DvcHostname,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventResultDetails = DnsResponseCodeName\n | project-away HostIP\n };\n parser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Infoblox NIOS", + "category": "ASIM", + "FunctionAlias": "ASimDnsInfobloxNIOS", + "query": "let SyslogProjected = Syslog | project SyslogMessage, ProcessName, TimeGenerated, Computer, HostIP;\nlet response = (disabled: boolean=false) 
{\n SyslogProjected\n | where not(disabled)\n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n | parse SyslogMessage with *\n \"client \" SrcIpAddr: string\n \"#\" SrcPortNumber: string\n \" \" NetworkProtocol: string\n \": query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n | extend DnsResponseNameIndex= indexof(DnsFlags, \" \")\n | extend DnsResponseName =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, DnsResponseNameIndex+1), \"\")\n | extend DnsFlags =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)\n | extend SrcPortNumber = iif(SrcPortNumber has ':',replace_string(SrcPortNumber,':',''),SrcPortNumber)\n | extend SrcPortNumber = toint(SrcPortNumber)\n | extend EventSubType = \"response\"\n | project-away SyslogMessage, ProcessName, DnsResponseNameIndex\n };\n let request = (disabled: boolean=false) {\n SyslogProjected \n | where not(disabled)\n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n | extend SyslogMessage = (split(SyslogMessage,\"client \"))[1]\n | extend SyslogMessage = iif(SyslogMessage startswith \"@\", (substring(SyslogMessage, indexof(SyslogMessage, \" \")+1)), SyslogMessage)\n | extend SyslogMessage = replace_string(SyslogMessage,\"\\\\ \",\"@@@\")\n | parse SyslogMessage with \n SrcIpAddr: string\n \"#\" SrcPortNumber: int *\n \"query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" \" DnsFlags: string\n | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')\n | extend DnsFlags= tostring((split(DnsFlags,\" \"))[0])\n | extend \n EventSubType = \"request\",\n DnsResponseCodeName = \"NA\"\n | project-away SyslogMessage, ProcessName\n };\n let parser = (disabled:boolean=false) {\n union response (disabled), request 
(disabled)\n | extend\n EventCount=int(1),\n EventStartTime=todatetime(TimeGenerated),\n EventEndTime=todatetime(TimeGenerated),\n EventProduct=\"NIOS\",\n EventVendor=\"Infoblox\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventType=\"Query\", \n EventResult=iff(EventSubType==\"request\" or DnsResponseCodeName==\"NOERROR\",\"Success\",\"Failure\"),\n DvcIpAddr=iff (HostIP == \"Unknown IP\", \"\", HostIP)\n // -- Aliases\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | project-away Computer\n | extend\n Dvc=DvcHostname,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventResultDetails = DnsResponseCodeName\n | project-away HostIP\n };\n parser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsMicrosoftNXlog/ASimDnsMicrosoftNXlog.json b/Parsers/ASimDns/ARM/ASimDnsMicrosoftNXlog/ASimDnsMicrosoftNXlog.json index b8523ebd8f1..043717497be 100644 --- a/Parsers/ASimDns/ARM/ASimDnsMicrosoftNXlog/ASimDnsMicrosoftNXlog.json +++ b/Parsers/ASimDns/ARM/ASimDnsMicrosoftNXlog/ASimDnsMicrosoftNXlog.json 
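Review bot: In the response branch, `DnsResponseNameIndex != "-1"` (used twice) compares the long returned by `indexof` against a string literal; the intended check is `DnsResponseNameIndex != -1`, and whether Kusto coerces or rejects the mixed-type comparison, the integer literal is the unambiguous form. EventSchemaVersion is "0.1.3" here while other parsers in this commit declare "0.1.7" — possibly intentional, but worth confirming. The query text is unchanged by this commit and the JSON appears to be generated from the parser YAML, so the correction presumably belongs in the YAML source.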
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsMicrosoftNXlog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsMicrosoftNXlog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Microsoft DNS logs collected using NXlog", - "category": "ASIM", - "FunctionAlias": "ASimDnsMicrosoftNXlog", - "query": "let ASimDnsMicrosoftNXLog = (disabled:bool=false) {\nlet EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\n 256, 'Query'\n , 257, 'Query'\n , 258, 'Query'\n , 259, 'Query'\n , 260, 'Query'\n , 261, 'Query'\n , 262, 'Query'\n , 263, 'Dynamic update'\n , 264, 'Dynamic update'\n , 265, 'Zone XFR'\n , 266, 'Zone XFR'\n , 267, 'Zone XFR'\n , 268, 'Zone XFR'\n , 269, 'Zone XFR'\n , 270, 'Zone XFR'\n , 271, 'Zone XFR'\n , 272, 'Zone XFR'\n , 273, 'Zone XFR'\n , 274, 'Zone XFR'\n , 275, 'Zone XFR'\n , 276, 'Zone XFR'\n , 277, 'Dynamic update'\n , 278, 'Dynamic update'\n , 279, 'Query'\n , 280, 'Query'\n];\nlet EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\n 256, 'request'\n, 257, 'response'\n, 258, 'response'\n, 259, 'response'\n, 260, 'request'\n, 261, 'response'\n, 262, 'response'\n, 263, 'request'\n, 264, 'response'\n, 265, 'request'\n, 266, 'request'\n, 267, 'response'\n, 268, 'response'\n, 269, 'request'\n, 270, 'request'\n, 271, 'response'\n, 272, 'response'\n, 273, 'request'\n, 274, 'request'\n, 275, 'response'\n, 276, 'response'\n, 277, 'request'\n, 278, 'response'\n, 279, 'response'\n, 280, 'response'\n];\nlet 
EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\n 256, 'NA'\n , 257, 'Success'\n , 258, 'Failure'\n , 259, 'Failure'\n , 260, 'NA'\n , 261, 'NA'\n , 262, 'Failure'\n , 263, 'NA'\n , 264, 'Based on RCODE'\n , 265, 'NA'\n , 266, 'NA'\n , 267, 'Based on RCODE'\n , 268, 'Based on RCODE'\n , 269, 'NA'\n , 270, 'NA'\n , 271, 'Based on RCODE'\n , 272, 'Based on RCODE'\n , 273, 'NA'\n , 274, 'NA'\n , 275, 'Success'\n , 276, 'Success'\n , 277, 'NA'\n , 278, 'Based on RCODE'\n , 279, 'NA'\n , 280, 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\n 0,'NOERROR'\n , 1,'FORMERR'\n , 2,'SERVFAIL'\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'\n];\nlet QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\n 0, 'Reserved'\n , 1, 'A'\n , 2, 'NS'\n , 3, 'MD'\n , 4, 'MF'\n , 5, 'CNAME'\n , 6, 'SOA'\n , 7, 'MB'\n , 8 ,'MG'\n , 9 ,'MR'\n , 10,'NULL'\n , 11,'WKS'\n , 12,'PTR'\n , 13,'HINFO'\n , 14,'MINFO'\n , 15,'MX'\n , 16,'TXT'\n , 17,'RP'\n , 18,'AFSDB'\n , 19,'X25'\n , 20,'ISDN'\n , 21,'RT'\n , 22,'NSAP'\n , 23,'NSAP-PTR'\n , 24,'SIG'\n , 25,'KEY'\n , 26,'PX'\n , 27,'GPOS'\n , 28,'AAAA'\n , 29,'LOC'\n , 30,'NXT'\n , 31,'EID'\n , 32,'NIMLOC'\n , 33,'SRV'\n , 34,'ATMA'\n , 35,'NAPTR'\n , 36,'KX'\n , 37,'CERT'\n , 38,'A6'\n , 39,'DNAME'\n , 40,'SINK'\n , 41,'OPT'\n , 42,'APL'\n , 43,'DS'\n , 44,'SSHFP'\n , 45,'IPSECKEY'\n , 46,'RRSIG'\n , 47,'NSEC'\n , 48,'DNSKEY'\n , 49,'DHCID'\n , 50,'NSEC3'\n , 51,'NSEC3PARAM'\n , 52,'TLSA'\n , 53,'SMIMEA'\n , 55,'HIP'\n , 56,'NINFO'\n , 57,'RKEY'\n , 58,'TALINK'\n , 59,'CDS'\n , 60,'CDNSKEY'\n , 61,'OPENPGPKEY'\n , 62,'CSYNC'\n , 63,'ZONEMD'\n , 64,'SVCB'\n , 65,'HTTPS'\n , 99,'SPF'\n , 100,'UINFO'\n , 101,'UID'\n , 102,'GID'\n , 
103,'UNSPEC'\n , 104,'NID'\n , 105,'L32'\n , 106,'L64'\n , 107,'LP'\n , 108,'EUI48'\n , 109,'EUI64'\n , 249,'TKEY'\n , 250,'TSIG'\n , 251,'IXFR'\n , 252,'AXFR'\n , 253,'MAILB'\n , 254,'MAILA'\n , 255,'*'\n , 256,'URI'\n , 257,'CAA'\n , 258,'AVC'\n , 259,'DOA'\n , 32768,'TA'\n , 32769,'DLV'\n];\nNXLog_DNS_Server_CL | where not(disabled)\n| where EventID_d < 281\n| project-rename\n DnsFlags=Flags_s,\n DnsQuery=QNAME_s,\n DnsQueryType=QTYPE_s,\n DnsResponseCode=RCODE_s,\n DnsResponseName=PacketData_s,\n Dvc=Hostname_s,\n EventOriginalType=EventID_d,\n EventOriginalUid=GUID_g,\n EventStartTime=EventTime_t,\n SrcIpAddr=Source_s,\n EventUid=_ItemId\n| extend\n DnsQuery=trim_end(\".\",DnsQuery),\n DnsQueryType=toint(DnsQueryType),\n DnsResponseCode=toint(DnsResponseCode),\n SrcPortNumber=toint(Port_s),\n DvcHostname=Dvc,\n DvcIpAddr=HostIP_s,\n EventEndTime=EventStartTime,\n EventProduct = \"DNS Server\",\n EventSchemaVersion = \"0.1.7\",\n EventVendor = \"Microsoft\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n NetworkProtocol=iff(TCP_s == \"0\",\"UDP\",\"TCP\"),\n TransactionIdHex=tohex(toint(XID_s)),\n DnsFlagsAuthenticated = tobool(AD_s),\n DnsFlagsAuthoritative = tobool(AA_s),\n DnsFlagsRecursionDesired = tobool(RD_s)\n| lookup EventTypeTable on EventOriginalType\n| lookup EventSubTypeTable on EventOriginalType\n| lookup EventResultTable on EventOriginalType\n| lookup RCodeTable on DnsResponseCode\n| lookup QTypeTable on DnsQueryType\n| extend\n EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventOriginalType = tostring(EventOriginalType)\n| extend\n Domain=DnsQuery,\n DnsResponseCodeName=EventResultDetails,\n DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName\n , DnsQueryType between (66 .. 98), 'Unassigned'\n , DnsQueryType between (110 .. 248), 'Unassigned'\n , DnsQueryType between (261 .. 
32767), 'Unassigned'\n , 'Unassigned'),\n EventResult=iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n | extend\n // Aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId\n};\nASimDnsMicrosoftNXLog(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Microsoft DNS logs collected using NXlog", + "category": "ASIM", + "FunctionAlias": "ASimDnsMicrosoftNXlog", + "query": "let ASimDnsMicrosoftNXLog = (disabled:bool=false) {\nlet EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\n 256, 'Query'\n , 257, 'Query'\n , 258, 'Query'\n , 259, 'Query'\n , 260, 'Query'\n , 261, 'Query'\n , 262, 'Query'\n , 263, 'Dynamic update'\n , 264, 'Dynamic update'\n , 265, 'Zone XFR'\n , 266, 'Zone XFR'\n , 267, 'Zone XFR'\n , 268, 'Zone XFR'\n , 269, 'Zone XFR'\n , 270, 'Zone XFR'\n , 271, 'Zone XFR'\n , 272, 'Zone XFR'\n , 273, 'Zone XFR'\n , 274, 'Zone XFR'\n , 275, 'Zone XFR'\n , 276, 'Zone XFR'\n , 277, 'Dynamic update'\n , 278, 'Dynamic update'\n , 279, 'Query'\n , 280, 'Query'\n];\nlet EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\n 256, 'request'\n, 257, 'response'\n, 258, 'response'\n, 259, 'response'\n, 260, 'request'\n, 261, 'response'\n, 262, 'response'\n, 263, 'request'\n, 264, 'response'\n, 265, 'request'\n, 266, 'request'\n, 267, 'response'\n, 268, 'response'\n, 269, 'request'\n, 270, 'request'\n, 271, 'response'\n, 272, 'response'\n, 273, 'request'\n, 274, 'request'\n, 275, 'response'\n, 276, 'response'\n, 277, 'request'\n, 278, 'response'\n, 279, 'response'\n, 280, 'response'\n];\nlet EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\n 256, 'NA'\n , 257, 'Success'\n , 
258, 'Failure'\n , 259, 'Failure'\n , 260, 'NA'\n , 261, 'NA'\n , 262, 'Failure'\n , 263, 'NA'\n , 264, 'Based on RCODE'\n , 265, 'NA'\n , 266, 'NA'\n , 267, 'Based on RCODE'\n , 268, 'Based on RCODE'\n , 269, 'NA'\n , 270, 'NA'\n , 271, 'Based on RCODE'\n , 272, 'Based on RCODE'\n , 273, 'NA'\n , 274, 'NA'\n , 275, 'Success'\n , 276, 'Success'\n , 277, 'NA'\n , 278, 'Based on RCODE'\n , 279, 'NA'\n , 280, 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\n 0,'NOERROR'\n , 1,'FORMERR'\n , 2,'SERVFAIL'\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'\n];\nlet QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\n 0, 'Reserved'\n , 1, 'A'\n , 2, 'NS'\n , 3, 'MD'\n , 4, 'MF'\n , 5, 'CNAME'\n , 6, 'SOA'\n , 7, 'MB'\n , 8 ,'MG'\n , 9 ,'MR'\n , 10,'NULL'\n , 11,'WKS'\n , 12,'PTR'\n , 13,'HINFO'\n , 14,'MINFO'\n , 15,'MX'\n , 16,'TXT'\n , 17,'RP'\n , 18,'AFSDB'\n , 19,'X25'\n , 20,'ISDN'\n , 21,'RT'\n , 22,'NSAP'\n , 23,'NSAP-PTR'\n , 24,'SIG'\n , 25,'KEY'\n , 26,'PX'\n , 27,'GPOS'\n , 28,'AAAA'\n , 29,'LOC'\n , 30,'NXT'\n , 31,'EID'\n , 32,'NIMLOC'\n , 33,'SRV'\n , 34,'ATMA'\n , 35,'NAPTR'\n , 36,'KX'\n , 37,'CERT'\n , 38,'A6'\n , 39,'DNAME'\n , 40,'SINK'\n , 41,'OPT'\n , 42,'APL'\n , 43,'DS'\n , 44,'SSHFP'\n , 45,'IPSECKEY'\n , 46,'RRSIG'\n , 47,'NSEC'\n , 48,'DNSKEY'\n , 49,'DHCID'\n , 50,'NSEC3'\n , 51,'NSEC3PARAM'\n , 52,'TLSA'\n , 53,'SMIMEA'\n , 55,'HIP'\n , 56,'NINFO'\n , 57,'RKEY'\n , 58,'TALINK'\n , 59,'CDS'\n , 60,'CDNSKEY'\n , 61,'OPENPGPKEY'\n , 62,'CSYNC'\n , 63,'ZONEMD'\n , 64,'SVCB'\n , 65,'HTTPS'\n , 99,'SPF'\n , 100,'UINFO'\n , 101,'UID'\n , 102,'GID'\n , 103,'UNSPEC'\n , 104,'NID'\n , 105,'L32'\n , 106,'L64'\n , 107,'LP'\n , 108,'EUI48'\n , 109,'EUI64'\n , 249,'TKEY'\n , 
250,'TSIG'\n , 251,'IXFR'\n , 252,'AXFR'\n , 253,'MAILB'\n , 254,'MAILA'\n , 255,'*'\n , 256,'URI'\n , 257,'CAA'\n , 258,'AVC'\n , 259,'DOA'\n , 32768,'TA'\n , 32769,'DLV'\n];\nNXLog_DNS_Server_CL | where not(disabled)\n| where EventID_d < 281\n| project-rename\n DnsFlags=Flags_s,\n DnsQuery=QNAME_s,\n DnsQueryType=QTYPE_s,\n DnsResponseCode=RCODE_s,\n DnsResponseName=PacketData_s,\n Dvc=Hostname_s,\n EventOriginalType=EventID_d,\n EventOriginalUid=GUID_g,\n EventStartTime=EventTime_t,\n SrcIpAddr=Source_s,\n EventUid=_ItemId\n| extend\n DnsQuery=trim_end(\".\",DnsQuery),\n DnsQueryType=toint(DnsQueryType),\n DnsResponseCode=toint(DnsResponseCode),\n SrcPortNumber=toint(Port_s),\n DvcHostname=Dvc,\n DvcIpAddr=HostIP_s,\n EventEndTime=EventStartTime,\n EventProduct = \"DNS Server\",\n EventSchemaVersion = \"0.1.7\",\n EventVendor = \"Microsoft\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n NetworkProtocol=iff(TCP_s == \"0\",\"UDP\",\"TCP\"),\n TransactionIdHex=tohex(toint(XID_s)),\n DnsFlagsAuthenticated = tobool(AD_s),\n DnsFlagsAuthoritative = tobool(AA_s),\n DnsFlagsRecursionDesired = tobool(RD_s)\n| lookup EventTypeTable on EventOriginalType\n| lookup EventSubTypeTable on EventOriginalType\n| lookup EventResultTable on EventOriginalType\n| lookup RCodeTable on DnsResponseCode\n| lookup QTypeTable on DnsQueryType\n| extend\n EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventOriginalType = tostring(EventOriginalType)\n| extend\n Domain=DnsQuery,\n DnsResponseCodeName=EventResultDetails,\n DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName\n , DnsQueryType between (66 .. 98), 'Unassigned'\n , DnsQueryType between (110 .. 248), 'Unassigned'\n , DnsQueryType between (261 .. 
32767), 'Unassigned'\n , 'Unassigned'),\n EventResult=iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n | extend\n // Aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId\n};\nASimDnsMicrosoftNXLog(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsMicrosoftOMS/ASimDnsMicrosoftOMS.json b/Parsers/ASimDns/ARM/ASimDnsMicrosoftOMS/ASimDnsMicrosoftOMS.json index 297c6b9eb83..b02704155d0 100644 --- a/Parsers/ASimDns/ARM/ASimDnsMicrosoftOMS/ASimDnsMicrosoftOMS.json +++ b/Parsers/ASimDns/ARM/ASimDnsMicrosoftOMS/ASimDnsMicrosoftOMS.json 
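Review bot: The RCodeTable inside the new-side `query` string maps DnsResponseCode 16 twice (`16,'BADVERS'` followed by `16,'BADSIG'`), so the later `lookup RCodeTable on DnsResponseCode` will emit two normalized rows for every DNS response carrying RCODE 16, double-counting those events in any detection or analytic built on this parser. The same duplicated key is present in the ASimDnsMicrosoftOMS hunk, and as `9016` in the ASimDnsMicrosoftSysmon and ASimDnsMicrosoftSysmonWindowsEvent hunks. These ARM files appear to be generated from the parser YAML by the conversion workflow, so the fix belongs in the YAML sources rather than here: keep a single row per code, e.g. `16,'BADVERS'` only, or fold both names into one row such as `16,'BADVERS/BADSIG'`. Separately, the flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource no longer declares the parent workspace or a `dependsOn`, so the template now presumes the workspace already exists at deploy time; that assumption is worth stating in the deployment documentation for these templates.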
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsMicrosoftOMS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsMicrosoftOMS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Windows DNS log collected using the Log Analytics agent", - "category": "ASIM", - "FunctionAlias": "ASimDnsMicrosoftOMS", - "query": "let EventTypeTable=datatable(EventOriginalType:int,EventType:string,EventSubType:string, EventResult:string)[\n 256, 'Query', 'request', 'NA'\n, 257, 'Query', 'response', 'Success'\n, 258, 'Query', 'response', 'Based on RCODE'\n, 259, 'Query', 'response', 'Based on RCODE'\n, 260, 'Query', 'request', 'NA'\n, 261, 'Query', 'response', 'NA'\n, 262, 'Query', 'response', 'Based on RCODE'\n, 263, 'Update', 'request', 'NA'\n, 264, 'Update', 'response', 'Based on RCODE'\n, 265, 'XFR', 'request', 'NA' \n, 266, 'XFR', 'request', 'NA'\n, 267, 'XFR', 'response', 'Based on RCODE'\n, 268, 'XFR', 'response', 'Based on RCODE'\n, 269, 'XFR', 'request', 'NA'\n, 270, 'XFR', 'request', 'NA'\n, 271, 'XFR', 'response', 'Based on RCODE'\n, 272, 'XFR', 'response', 'Based on RCODE'\n, 273, 'XFR', 'request', 'NA'\n, 274, 'XFR', 'request', 'NA'\n, 275, 'XFR', 'response', 'Success'\n, 276, 'XFR', 'response', 'Success'\n, 277, 'Update', 'request', 'NA'\n, 278, 'Update', 'response', 'Based on RCODE'\n, 279, 'Query', 'NA', 'NA'\n, 280, 'Query', 'NA', 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n 0, 'NOERROR'\n , 1, \"FORMERR\"\n , 2,\"SERVFAIL\"\n , 
3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'];\nlet QueryTypeSymbols=datatable(QTypeSeq:string,QTypeName:string)[\n\"0\", \"Reserved\",\n\"1\", \"A\",\n\"2\", \"NS\",\n\"3\", \"MD\",\n\"4\", \"MF\",\n\"5\", \"CNAME\",\n\"6\", \"SOA\",\n\"7\", \"MB\",\n\"8\", \"MG\",\n\"9\", \"MR\",\n\"10\", \"NULL\",\n\"11\", \"WKS\",\n\"12\", \"PTR\",\n\"13\", \"HINFO\",\n\"14\", \"MINFO\",\n\"15\", \"MX\",\n\"16\", \"TXT\",\n\"17\", \"RP\",\n\"18\", \"AFSDB\",\n\"19\", \"X25\",\n\"20\", \"ISDN\",\n\"21\", \"RT\",\n\"22\", \"NSAP\",\n\"23\", \"NSAP-PTR\",\n\"24\", \"SIG\",\n\"25\", \"KEY\",\n\"26\", \"PX\",\n\"27\", \"GPOS\",\n\"28\", \"AAAA\",\n\"29\", \"LOC\",\n\"30\", \"NXT\",\n\"31\", \"EID\",\n\"32\", \"NIMLOC\",\n\"33\", \"SRV\",\n\"34\", \"ATMA\",\n\"35\", \"NAPTR\",\n\"36\", \"KX\",\n\"37\", \"CERT\",\n\"38\", \"A6\",\n\"39\", \"DNAME\",\n\"40\", \"SINK\",\n\"41\", \"OPT\",\n\"42\", \"APL\",\n\"43\", \"DS\",\n\"44\", \"SSHFP\",\n\"45\", \"IPSECKEY\",\n\"46\", \"RRSIG\",\n\"47\", \"NSEC\",\n\"48\", \"DNSKEY\",\n\"49\", \"DHCID\",\n\"50\", \"NSEC3\",\n\"51\", \"NSEC3PARAM\",\n\"52\", \"TLSA\",\n\"53\", \"SMIMEA\",\n\"54\", \"Unassigned\",\n\"55\", \"HIP\",\n\"56\", \"NINFO\",\n\"57\", \"RKEY\",\n\"58\", \"TALINK\",\n\"59\", \"CDS\",\n\"60\", \"CDNSKEY\",\n\"61\", \"OPENPGPKEY\",\n\"62\", \"CSYNC\",\n\"99\", \"SPF\",\n\"100\", \"UINFO\",\n\"101\", \"UID\",\n\"102\", \"GID\",\n\"103\", \"UNSPEC\",\n\"104\", \"NID\",\n\"105\", \"L32\",\n\"106\", \"L64\",\n\"107\", \"LP\",\n\"108\", \"EUI48\",\n\"109\", \"EUI64\",\n\"249\", \"TKEY\",\n\"250\", \"TSIG\",\n\"251\", \"IXFR\",\n\"252\", \"AXFR\",\n\"253\", \"MAILB\",\n\"254\", \"MAILA\",\n\"255\", \"All\",\n\"256\", \"URI\",\n\"257\", \"CAA\",\n\"258\", \"AVC\",\n\"259\", 
\"DOA\",\n\"32768\", \"TA\",\n\"32769\", \"DLV\"];\nlet DNSQuery_MS=(disabled:bool=false){\n DnsEvents | where not(disabled)\n| where EventId < 500\n| lookup QueryTypeSymbols on $left.QueryType == $right.QTypeSeq\n| extend DnsQueryTypeName=coalesce(QTypeName, QueryType)\n| project-rename\n Dvc=Computer ,\n SrcIpAddr = ClientIP,\n EventMessage = Message,\n EventOriginalType = EventId,\n EventReportUrl = ReportReferenceLink,\n DnsResponseName = IPAddresses,\n DnsQuery = Name,\n DnsResponseCode = ResultCode\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n , DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n| extend DvcDomainType=iff(DvcFQDN !=\"\",\"FQDN\",\"\" )\n| project-away hostelements\n| extend\n EventCount=int(1),\n EventStartTime=TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"DNS Server\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventEndTime=TimeGenerated,\n EventSeverity = tostring(Severity)\n | lookup RCodeTable on DnsResponseCode\n | lookup EventTypeTable on EventOriginalType\n | extend EventResultDetails = case (isnotempty(DnsResponseCodeName), DnsResponseCodeName\n , DnsResponseCode between (3841 .. 
4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventResult = iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n// **************Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventOriginalType=tostring(EventOriginalType)\n | project-away \n SubType, QTypeName, QueryType, SourceSystem, TaskCategory, Remote*, Severity, Result, Confidence, Description, IndicatorThreatType, MaliciousIP\n };\nDNSQuery_MS (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Windows DNS log collected using the Log Analytics agent", + "category": "ASIM", + "FunctionAlias": "ASimDnsMicrosoftOMS", + "query": "let EventTypeTable=datatable(EventOriginalType:int,EventType:string,EventSubType:string, EventResult:string)[\n 256, 'Query', 'request', 'NA'\n, 257, 'Query', 'response', 'Success'\n, 258, 'Query', 'response', 'Based on RCODE'\n, 259, 'Query', 'response', 'Based on RCODE'\n, 260, 'Query', 'request', 'NA'\n, 261, 'Query', 'response', 'NA'\n, 262, 'Query', 'response', 'Based on RCODE'\n, 263, 'Update', 'request', 'NA'\n, 264, 'Update', 'response', 'Based on RCODE'\n, 265, 'XFR', 'request', 'NA' \n, 266, 'XFR', 'request', 'NA'\n, 267, 'XFR', 'response', 'Based on RCODE'\n, 268, 'XFR', 'response', 'Based on RCODE'\n, 269, 'XFR', 'request', 'NA'\n, 270, 'XFR', 'request', 'NA'\n, 271, 'XFR', 'response', 'Based on RCODE'\n, 272, 'XFR', 'response', 'Based on RCODE'\n, 273, 'XFR', 'request', 'NA'\n, 274, 'XFR', 'request', 'NA'\n, 275, 'XFR', 'response', 'Success'\n, 276, 'XFR', 'response', 'Success'\n, 277, 'Update', 'request', 'NA'\n, 278, 'Update', 'response', 'Based on RCODE'\n, 279, 'Query', 'NA', 'NA'\n, 280, 'Query', 'NA', 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n 0, 'NOERROR'\n , 1, \"FORMERR\"\n , 
2,\"SERVFAIL\"\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'];\nlet QueryTypeSymbols=datatable(QTypeSeq:string,QTypeName:string)[\n\"0\", \"Reserved\",\n\"1\", \"A\",\n\"2\", \"NS\",\n\"3\", \"MD\",\n\"4\", \"MF\",\n\"5\", \"CNAME\",\n\"6\", \"SOA\",\n\"7\", \"MB\",\n\"8\", \"MG\",\n\"9\", \"MR\",\n\"10\", \"NULL\",\n\"11\", \"WKS\",\n\"12\", \"PTR\",\n\"13\", \"HINFO\",\n\"14\", \"MINFO\",\n\"15\", \"MX\",\n\"16\", \"TXT\",\n\"17\", \"RP\",\n\"18\", \"AFSDB\",\n\"19\", \"X25\",\n\"20\", \"ISDN\",\n\"21\", \"RT\",\n\"22\", \"NSAP\",\n\"23\", \"NSAP-PTR\",\n\"24\", \"SIG\",\n\"25\", \"KEY\",\n\"26\", \"PX\",\n\"27\", \"GPOS\",\n\"28\", \"AAAA\",\n\"29\", \"LOC\",\n\"30\", \"NXT\",\n\"31\", \"EID\",\n\"32\", \"NIMLOC\",\n\"33\", \"SRV\",\n\"34\", \"ATMA\",\n\"35\", \"NAPTR\",\n\"36\", \"KX\",\n\"37\", \"CERT\",\n\"38\", \"A6\",\n\"39\", \"DNAME\",\n\"40\", \"SINK\",\n\"41\", \"OPT\",\n\"42\", \"APL\",\n\"43\", \"DS\",\n\"44\", \"SSHFP\",\n\"45\", \"IPSECKEY\",\n\"46\", \"RRSIG\",\n\"47\", \"NSEC\",\n\"48\", \"DNSKEY\",\n\"49\", \"DHCID\",\n\"50\", \"NSEC3\",\n\"51\", \"NSEC3PARAM\",\n\"52\", \"TLSA\",\n\"53\", \"SMIMEA\",\n\"54\", \"Unassigned\",\n\"55\", \"HIP\",\n\"56\", \"NINFO\",\n\"57\", \"RKEY\",\n\"58\", \"TALINK\",\n\"59\", \"CDS\",\n\"60\", \"CDNSKEY\",\n\"61\", \"OPENPGPKEY\",\n\"62\", \"CSYNC\",\n\"99\", \"SPF\",\n\"100\", \"UINFO\",\n\"101\", \"UID\",\n\"102\", \"GID\",\n\"103\", \"UNSPEC\",\n\"104\", \"NID\",\n\"105\", \"L32\",\n\"106\", \"L64\",\n\"107\", \"LP\",\n\"108\", \"EUI48\",\n\"109\", \"EUI64\",\n\"249\", \"TKEY\",\n\"250\", \"TSIG\",\n\"251\", \"IXFR\",\n\"252\", \"AXFR\",\n\"253\", \"MAILB\",\n\"254\", \"MAILA\",\n\"255\", \"All\",\n\"256\", \"URI\",\n\"257\", \"CAA\",\n\"258\", 
\"AVC\",\n\"259\", \"DOA\",\n\"32768\", \"TA\",\n\"32769\", \"DLV\"];\nlet DNSQuery_MS=(disabled:bool=false){\n DnsEvents | where not(disabled)\n| where EventId < 500\n| lookup QueryTypeSymbols on $left.QueryType == $right.QTypeSeq\n| extend DnsQueryTypeName=coalesce(QTypeName, QueryType)\n| project-rename\n Dvc=Computer ,\n SrcIpAddr = ClientIP,\n EventMessage = Message,\n EventOriginalType = EventId,\n EventReportUrl = ReportReferenceLink,\n DnsResponseName = IPAddresses,\n DnsQuery = Name,\n DnsResponseCode = ResultCode\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n , DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n| extend DvcDomainType=iff(DvcFQDN !=\"\",\"FQDN\",\"\" )\n| project-away hostelements\n| extend\n EventCount=int(1),\n EventStartTime=TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"DNS Server\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventEndTime=TimeGenerated,\n EventSeverity = tostring(Severity)\n | lookup RCodeTable on DnsResponseCode\n | lookup EventTypeTable on EventOriginalType\n | extend EventResultDetails = case (isnotempty(DnsResponseCodeName), DnsResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventResult = iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n// **************Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventOriginalType=tostring(EventOriginalType)\n | project-away \n SubType, QTypeName, QueryType, SourceSystem, TaskCategory, Remote*, Severity, Result, Confidence, Description, IndicatorThreatType, MaliciousIP\n };\nDNSQuery_MS (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json b/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json
index 76103c2736c..82f221e3f57 100644
--- a/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json
+++ b/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmon/ASimDnsMicrosoftSysmon.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Sysmon for Windows", - "category": "ASIM", - "FunctionAlias": "ASimDnsMicrosoftSysmon", - "query": "let parser = (disabled:bool=false) {\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n , 9001, \"FORMERR\"\n , 9002,\"SERVFAIL\"\n , 9003,'NXDOMAIN'\n , 9004,'NOTIMP'\n , 9005,'REFUSED'\n , 9006,'YXDOMAIN'\n , 9007,'YXRRSET'\n , 9008,'NXRRSET'\n , 9009,'NOTAUTH'\n , 9010,'NOTZONE'\n , 9011,'DSOTYPENI'\n , 9016,'BADVERS'\n , 9016,'BADSIG'\n , 9017,'BADKEY'\n , 9018,'BADTIME'\n , 9019,'BADMODE'\n , 9020,'BADNAME'\n , 9021,'BADALG'\n , 9022,'BADTRUNC'\n , 9023,'BADCOOKIE'\n , 1460, 'TIMEOUT'\n ];\nlet ParsedDnsEvent_Event =(disabled:bool=false) {\n Event | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==22\n | project-away Source, EventID\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n QueryName:string,\n QueryStatus:int,\n QueryResults:string,\n Image:string,\n User:string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n EventEndTime = UtcTime,\n 
SrcProcessId = ProcessId,\n SrcProcessGuid = ProcessGuid,\n DnsQuery = QueryName,\n DnsResponseCode = QueryStatus,\n DnsResponseName = QueryResults,\n SrcProcessName = Image,\n SrcUsername = User\n | project-away EventData\n};\nParsedDnsEvent_Event(disabled)\n | lookup RCodeTable on DnsResponseCode\n | project-rename \n DvcHostname = Computer,\n // EventUid = _ItemId, \n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n // -- Aliases\n | extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Hostname=DvcHostname,\n Src = DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Sysmon for Windows", + "category": "ASIM", + "FunctionAlias": "ASimDnsMicrosoftSysmon", + "query": "let parser = (disabled:bool=false) {\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See 
https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n , 9001, \"FORMERR\"\n , 9002,\"SERVFAIL\"\n , 9003,'NXDOMAIN'\n , 9004,'NOTIMP'\n , 9005,'REFUSED'\n , 9006,'YXDOMAIN'\n , 9007,'YXRRSET'\n , 9008,'NXRRSET'\n , 9009,'NOTAUTH'\n , 9010,'NOTZONE'\n , 9011,'DSOTYPENI'\n , 9016,'BADVERS'\n , 9016,'BADSIG'\n , 9017,'BADKEY'\n , 9018,'BADTIME'\n , 9019,'BADMODE'\n , 9020,'BADNAME'\n , 9021,'BADALG'\n , 9022,'BADTRUNC'\n , 9023,'BADCOOKIE'\n , 1460, 'TIMEOUT'\n ];\nlet ParsedDnsEvent_Event =(disabled:bool=false) {\n Event | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==22\n | project-away Source, EventID\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n QueryName:string,\n QueryStatus:int,\n QueryResults:string,\n Image:string,\n User:string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n EventEndTime = UtcTime,\n SrcProcessId = ProcessId,\n SrcProcessGuid = ProcessGuid,\n DnsQuery = QueryName,\n DnsResponseCode = QueryStatus,\n DnsResponseName = QueryResults,\n SrcProcessName = Image,\n SrcUsername = User\n | project-away EventData\n};\nParsedDnsEvent_Event(disabled)\n | lookup RCodeTable on DnsResponseCode\n | project-rename \n DvcHostname = Computer,\n // EventUid = _ItemId, \n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName 
= iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n // -- Aliases\n | extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Hostname=DvcHostname,\n Src = DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmonWindowsEvent/ASimDnsMicrosoftSysmonWindowsEvent.json b/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmonWindowsEvent/ASimDnsMicrosoftSysmonWindowsEvent.json index 7fe54114e67..3adfdd3731d 100644 --- a/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmonWindowsEvent/ASimDnsMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimDns/ARM/ASimDnsMicrosoftSysmonWindowsEvent/ASimDnsMicrosoftSysmonWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Sysmon for Windows", - "category": "ASIM", - "FunctionAlias": "ASimDnsMicrosoftSysmonWindowsEvent", - "query": "let parser = (disabled:bool=false) {\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n , 9001, \"FORMERR\"\n , 9002,\"SERVFAIL\"\n , 9003,'NXDOMAIN'\n , 9004,'NOTIMP'\n , 9005,'REFUSED'\n , 9006,'YXDOMAIN'\n , 9007,'YXRRSET'\n , 9008,'NXRRSET'\n , 9009,'NOTAUTH'\n , 9010,'NOTZONE'\n , 9011,'DSOTYPENI'\n , 9016,'BADVERS'\n , 9016,'BADSIG'\n , 9017,'BADKEY'\n , 9018,'BADTIME'\n , 9019,'BADMODE'\n , 9020,'BADNAME'\n , 9021,'BADALG'\n , 9022,'BADTRUNC'\n , 9023,'BADCOOKIE'\n , 1460, 'TIMEOUT'\n ];\nlet ParsedDnsEvent_WindowsEvent =(disabled:bool=false) {\n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\n | project-away Provider, EventID \n | extend \n RuleName = tostring(EventData.RuleName),\n EventEndTime = todatetime(EventData.UtcTime),\n SrcProcessGuid = tostring(EventData.ProcessGuid),\n // extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), 
typeof(string)),\n SrcProcessId = tostring(EventData.ProcessId), \n DnsQuery = tostring(EventData.QueryName),\n DnsResponseCode = toint(EventData.QueryStatus),\n DnsResponseName = tostring(EventData.QueryResults),\n SrcProcessName = tostring(EventData.Image),\n SrcUsername = tostring(EventData.User)\n | project-away EventData\n | parse SrcProcessGuid with '{' SrcProcessGuid '}'\n};\nParsedDnsEvent_WindowsEvent(disabled)\n | lookup RCodeTable on DnsResponseCode\n | project-rename \n DvcHostname = Computer,\n // EventUid = _ItemId, \n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n // -- Aliases\n | extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Hostname=DvcHostname,\n Src = DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Sysmon for Windows", + "category": "ASIM", + 
"FunctionAlias": "ASimDnsMicrosoftSysmonWindowsEvent", + "query": "let parser = (disabled:bool=false) {\nlet RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n , 9001, \"FORMERR\"\n , 9002,\"SERVFAIL\"\n , 9003,'NXDOMAIN'\n , 9004,'NOTIMP'\n , 9005,'REFUSED'\n , 9006,'YXDOMAIN'\n , 9007,'YXRRSET'\n , 9008,'NXRRSET'\n , 9009,'NOTAUTH'\n , 9010,'NOTZONE'\n , 9011,'DSOTYPENI'\n , 9016,'BADVERS'\n , 9016,'BADSIG'\n , 9017,'BADKEY'\n , 9018,'BADTIME'\n , 9019,'BADMODE'\n , 9020,'BADNAME'\n , 9021,'BADALG'\n , 9022,'BADTRUNC'\n , 9023,'BADCOOKIE'\n , 1460, 'TIMEOUT'\n ];\nlet ParsedDnsEvent_WindowsEvent =(disabled:bool=false) {\n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\n | project-away Provider, EventID \n | extend \n RuleName = tostring(EventData.RuleName),\n EventEndTime = todatetime(EventData.UtcTime),\n SrcProcessGuid = tostring(EventData.ProcessGuid),\n // extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n SrcProcessId = tostring(EventData.ProcessId), \n DnsQuery = tostring(EventData.QueryName),\n DnsResponseCode = toint(EventData.QueryStatus),\n DnsResponseName = tostring(EventData.QueryResults),\n SrcProcessName = tostring(EventData.Image),\n SrcUsername = tostring(EventData.User)\n | project-away EventData\n | parse SrcProcessGuid with '{' SrcProcessGuid '}'\n};\nParsedDnsEvent_WindowsEvent(disabled)\n | lookup RCodeTable on DnsResponseCode\n | project-rename \n DvcHostname = Computer,\n // EventUid = _ItemId, \n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType 
= 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n // -- Aliases\n | extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Hostname=DvcHostname,\n Src = DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json b/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json index 3e0c49e7abc..f708ebdfc78 100644 --- a/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json +++ b/Parsers/ASimDns/ARM/ASimDnsNative/ASimDnsNative.json 
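Review bot: `RCodeTable` in the new `query` carries two rows keyed `9016` (`BADVERS` and `BADSIG`); `lookup RCodeTable on DnsResponseCode` joins on that key and, like `join kind=leftouter`, appears to emit one output row per matching right-side row, so a Sysmon event with QueryStatus 9016 would be duplicated while each copy still reports `EventCount = 1`. Keep the key unique, e.g. collapse the pair into `, 9016,'BADVERS'` (RFC 6891 and RFC 2845 both assign RCODE 16, so one label suffices) or `, 9016,'BADVERS/BADSIG'`. The same table is repeated in the sibling Sysmon `Event` parser at the top of this chunk, so both copies need the change, presumably in the YAML these ARM templates are generated from. Separately, the later `DnsResponseCode - 9000` normalisation leaves the `1460` TIMEOUT row untouched, so that value is exposed as a response code outside the DNS RCODE range and deserves a comment if intended. The template's `parameters` section lies outside the hunk.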
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Microsoft Sentinel native DNS table", - "category": "ASIM", - "FunctionAlias": "ASimDnsNative", - "query": "let parser=(disabled:bool=false) \n{\n ASimDnsActivityLogs | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n Dvc = coalesce (Dvc, DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n EventSchema = \"Dns\"\n // -- Type fixes\n | extend\n ThreatConfidence = toint(ThreatConfidence),\n ThreatFirstReportedTime = todatetime(ThreatFirstReportedTime),\n ThreatIsActive = tobool(ThreatIsActive),\n ThreatLastReportedTime = todatetime(ThreatLastReportedTime),\n ThreatOriginalRiskLevel = tostring(ThreatOriginalRiskLevel),\n ThreatRiskLevel = toint(ThreatRiskLevel) \n // -- Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n SessionId = DnsSessionId,\n User = SrcUsername,\n Hostname = SrcHostname,\n DvcScopeId = coalesce(DvcScopeId,_SubscriptionId)\n | project-away\n TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser 
(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Microsoft Sentinel native DNS table", + "category": "ASIM", + "FunctionAlias": "ASimDnsNative", + "query": "let parser=(disabled:bool=false) \n{\n ASimDnsActivityLogs | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n Dvc = coalesce (Dvc, DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n EventSchema = \"Dns\"\n // -- Type fixes\n | extend\n ThreatConfidence = toint(ThreatConfidence),\n ThreatFirstReportedTime = todatetime(ThreatFirstReportedTime),\n ThreatIsActive = tobool(ThreatIsActive),\n ThreatLastReportedTime = todatetime(ThreatLastReportedTime),\n ThreatOriginalRiskLevel = tostring(ThreatOriginalRiskLevel),\n ThreatRiskLevel = toint(ThreatRiskLevel) \n // -- Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n SessionId = DnsSessionId,\n User = SrcUsername,\n Hostname = SrcHostname,\n DvcScopeId = coalesce(DvcScopeId,_SubscriptionId)\n | project-away\n TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsSentinelOne/ASimDnsSentinelOne.json b/Parsers/ASimDns/ARM/ASimDnsSentinelOne/ASimDnsSentinelOne.json index 96902f26f79..232491360bf 100644 --- a/Parsers/ASimDns/ARM/ASimDnsSentinelOne/ASimDnsSentinelOne.json +++ b/Parsers/ASimDns/ARM/ASimDnsSentinelOne/ASimDnsSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimDnsSentinelOne", - "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"DNS\"\n | parse alertInfo_dnsResponse_s with * \"type: \" DnsQueryType: int \" \" RestMessage;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on 
alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend \n DnsResponseCode = case(\n alertInfo_dnsResponse_s has \"NoError\" or alertInfo_dnsResponse_s has \"No Error\",\n int(0),\n alertInfo_dnsResponse_s has \"FormErr\" or alertInfo_dnsResponse_s has \"Format Error\",\n int(1),\n alertInfo_dnsResponse_s has \"ServFail\" or alertInfo_dnsResponse_s has \"Server Failure\",\n int(2),\n alertInfo_dnsResponse_s has \"NXDomain\" or alertInfo_dnsResponse_s has \"Non-Existent Domain\",\n int(3),\n alertInfo_dnsResponse_s has \"NotImp\" or alertInfo_dnsResponse_s has \"Not Implemented\",\n int(4),\n alertInfo_dnsResponse_s has \"Refused\" or alertInfo_dnsResponse_s has \"Query Refused\",\n int(5),\n alertInfo_dnsResponse_s has \"YXDomain\" or alertInfo_dnsResponse_s has \"Name Exists when it should not\",\n int(6),\n alertInfo_dnsResponse_s has \"YXRRSet\" or alertInfo_dnsResponse_s has \"RR Set Exists when it should not\",\n int(7),\n alertInfo_dnsResponse_s has \"NXRRSet\" or alertInfo_dnsResponse_s has \"RR Set that should exist does not\",\n int(8),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Server Not Authoritative for zone\",\n int(9),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Not Authorized\",\n int(9),\n alertInfo_dnsResponse_s has \"NotZone\" or alertInfo_dnsResponse_s has \"Name not contained in zone\",\n int(10),\n alertInfo_dnsResponse_s has \"DSOTYPENI\" or alertInfo_dnsResponse_s has \"DSO-TYPE Not Implemented\",\n int(11),\n alertInfo_dnsResponse_s has \"Unassigned\",\n int(12),\n alertInfo_dnsResponse_s has \"BADVERS\" or alertInfo_dnsResponse_s has \"Bad OPT Version\",\n int(16),\n alertInfo_dnsResponse_s has \"BADSIG\" or alertInfo_dnsResponse_s has \"TSIG Signature Failure\",\n int(16),\n 
alertInfo_dnsResponse_s has \"BADKEY\" or alertInfo_dnsResponse_s has \"Key not recognized\",\n int(17),\n alertInfo_dnsResponse_s has \"BADTIME\" or alertInfo_dnsResponse_s has \"Signature out of time window\",\n int(18),\n alertInfo_dnsResponse_s has \"BADMODE\" or alertInfo_dnsResponse_s has \"Bad TKEY Mode\",\n int(19),\n alertInfo_dnsResponse_s has \"BADNAME\" or alertInfo_dnsResponse_s has \"Duplicate key name\",\n int(20),\n alertInfo_dnsResponse_s has \"BADALG\" or alertInfo_dnsResponse_s has \"Algorithm not supported\",\n int(21),\n alertInfo_dnsResponse_s has \"BADTRUNC\" or alertInfo_dnsResponse_s has \"Bad Truncation\",\n int(22),\n alertInfo_dnsResponse_s has \"BADCOOKIE\" or alertInfo_dnsResponse_s has \"Bad/missing Server Cookie\",\n int(23),\n int(0)\n ),\n AdditionalFields = bag_pack(\n \"MachineType\",\n agentDetectionInfo_machineType_s,\n \"OsRevision\",\n agentDetectionInfo_osRevision_s\n )\n | extend \n DnsQueryType = iff(isempty(DnsQueryType) and DnsResponseCode == 0, int(1), DnsQueryType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DnsQuery = alertInfo_dnsRequest_s,\n EventUid = _ItemId,\n DnsResponseName = alertInfo_dnsResponse_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n EventResult = iff(DnsResponseCode == 0, \"Success\", \"Failure\"),\n 
EventResultDetails = _ASIM_LookupDnsResponseCode(DnsResponseCode),\n EventSubType = iff(isnotempty(DnsResponseName), \"Response\", \"Request\"),\n EventOriginalResultDetails = DnsResponseCode,\n DnsQueryTypeName = _ASIM_LookupDnsQueryType(DnsQueryType),\n Rule = RuleName,\n SrcDvcId = DvcId,\n SrcHostname = DvcHostname,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n Domain = DnsQuery,\n Process = SrcProcessName,\n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend \n Src = SrcHostname,\n Hostname = SrcHostname,\n DnsResponseCodeName = EventResultDetails,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\")\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventType = \"Query\",\n EventVendor = \"SentinelOne\",\n DnsQueryClassName = \"IN\",\n DnsQueryClass = int(1)\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n RestMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimDnsSentinelOne", + "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet 
ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"DNS\"\n | parse alertInfo_dnsResponse_s with * \"type: \" DnsQueryType: int \" \" RestMessage;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend \n DnsResponseCode = case(\n alertInfo_dnsResponse_s has \"NoError\" or alertInfo_dnsResponse_s has \"No Error\",\n int(0),\n alertInfo_dnsResponse_s has \"FormErr\" or alertInfo_dnsResponse_s has \"Format Error\",\n int(1),\n alertInfo_dnsResponse_s has \"ServFail\" or alertInfo_dnsResponse_s has \"Server Failure\",\n int(2),\n alertInfo_dnsResponse_s has \"NXDomain\" or alertInfo_dnsResponse_s has \"Non-Existent Domain\",\n int(3),\n alertInfo_dnsResponse_s has \"NotImp\" or alertInfo_dnsResponse_s has \"Not Implemented\",\n int(4),\n alertInfo_dnsResponse_s has \"Refused\" or alertInfo_dnsResponse_s has \"Query Refused\",\n int(5),\n alertInfo_dnsResponse_s has \"YXDomain\" or alertInfo_dnsResponse_s has \"Name Exists when it should not\",\n int(6),\n alertInfo_dnsResponse_s has \"YXRRSet\" or alertInfo_dnsResponse_s has \"RR Set Exists when it should not\",\n int(7),\n alertInfo_dnsResponse_s has \"NXRRSet\" or alertInfo_dnsResponse_s has \"RR Set that should 
exist does not\",\n int(8),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Server Not Authoritative for zone\",\n int(9),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Not Authorized\",\n int(9),\n alertInfo_dnsResponse_s has \"NotZone\" or alertInfo_dnsResponse_s has \"Name not contained in zone\",\n int(10),\n alertInfo_dnsResponse_s has \"DSOTYPENI\" or alertInfo_dnsResponse_s has \"DSO-TYPE Not Implemented\",\n int(11),\n alertInfo_dnsResponse_s has \"Unassigned\",\n int(12),\n alertInfo_dnsResponse_s has \"BADVERS\" or alertInfo_dnsResponse_s has \"Bad OPT Version\",\n int(16),\n alertInfo_dnsResponse_s has \"BADSIG\" or alertInfo_dnsResponse_s has \"TSIG Signature Failure\",\n int(16),\n alertInfo_dnsResponse_s has \"BADKEY\" or alertInfo_dnsResponse_s has \"Key not recognized\",\n int(17),\n alertInfo_dnsResponse_s has \"BADTIME\" or alertInfo_dnsResponse_s has \"Signature out of time window\",\n int(18),\n alertInfo_dnsResponse_s has \"BADMODE\" or alertInfo_dnsResponse_s has \"Bad TKEY Mode\",\n int(19),\n alertInfo_dnsResponse_s has \"BADNAME\" or alertInfo_dnsResponse_s has \"Duplicate key name\",\n int(20),\n alertInfo_dnsResponse_s has \"BADALG\" or alertInfo_dnsResponse_s has \"Algorithm not supported\",\n int(21),\n alertInfo_dnsResponse_s has \"BADTRUNC\" or alertInfo_dnsResponse_s has \"Bad Truncation\",\n int(22),\n alertInfo_dnsResponse_s has \"BADCOOKIE\" or alertInfo_dnsResponse_s has \"Bad/missing Server Cookie\",\n int(23),\n int(0)\n ),\n AdditionalFields = bag_pack(\n \"MachineType\",\n agentDetectionInfo_machineType_s,\n \"OsRevision\",\n agentDetectionInfo_osRevision_s\n )\n | extend \n DnsQueryType = iff(isempty(DnsQueryType) and DnsResponseCode == 0, int(1), DnsQueryType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DnsQuery = 
alertInfo_dnsRequest_s,\n EventUid = _ItemId,\n DnsResponseName = alertInfo_dnsResponse_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n EventResult = iff(DnsResponseCode == 0, \"Success\", \"Failure\"),\n EventResultDetails = _ASIM_LookupDnsResponseCode(DnsResponseCode),\n EventSubType = iff(isnotempty(DnsResponseName), \"Response\", \"Request\"),\n EventOriginalResultDetails = DnsResponseCode,\n DnsQueryTypeName = _ASIM_LookupDnsQueryType(DnsQueryType),\n Rule = RuleName,\n SrcDvcId = DvcId,\n SrcHostname = DvcHostname,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n Domain = DnsQuery,\n Process = SrcProcessName,\n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend \n Src = SrcHostname,\n Hostname = SrcHostname,\n DnsResponseCodeName = EventResultDetails,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\")\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventType = \"Query\",\n EventVendor = \"SentinelOne\",\n DnsQueryClassName = \"IN\",\n DnsQueryClass = int(1)\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n RestMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n 
ThreatConfidence_*\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json b/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json index 57e95cc4479..d10e484f8fc 100644 --- a/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json +++ b/Parsers/ASimDns/ARM/ASimDnsVectraAI/ASimDnsVectraAI.json 
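Review bot: The `case(...)` that derives `DnsResponseCode` falls through to `int(0)` for any `alertInfo_dnsResponse_s` it does not recognise, including the empty value of a request-only event, so those rows are emitted with `EventResult = "Success"` and `EventResultDetails = NOERROR` although no response was ever classified. The Zscaler parser later in this diff marks requests as `'NA'`; mirror that here with `EventResult = case(isempty(DnsResponseName), "NA", DnsResponseCode == 0, "Success", "Failure"),` (the rename to `DnsResponseName` already precedes this `extend`, and `EventSubType` on the next line uses the same `isnotempty(DnsResponseName)` test). The branch `alertInfo_dnsResponse_s has "NotAuth" or alertInfo_dnsResponse_s has "Not Authorized"` is half dead, because the preceding branch already matches `NotAuth`; only the `"Not Authorized"` side can fire. `EventOriginalResultDetails = DnsResponseCode` also stores the normalised integer rather than the vendor's original text, which defeats the purpose of an `Original` field. The fix presumably belongs in the YAML source this ARM template is generated from.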
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS ASIM parser for Vectra AI Steams", - "category": "ASIM", - "FunctionAlias": "ASimDnsVectraAI", - "query": "let parser = (disabled:bool=false) {\n let NetworkProtocolLookup = datatable(proto_d:real, NetworkProtocol:string)[\n 6, 'TCP',\n 17, 'UDP'];\n let DnsClassLookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where metadata_type_s == 'metadata_dns'\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DnsFlagsAuthoritative = AA_b,\n DnsFlagsRecursionAvailable = RA_b,\n DnsFlagsRecursionDesired = RD_b,\n DnsFlagsTruncated = TC_b,\n DnsResponseName = answers_s,\n DnsQuery = query_s,\n DnsQueryTypeName = qtype_name_s,\n DstIpAddr = id_resp_h_s,\n DnsSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n DstDvcId = resp_huid_s,\n SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n EventOriginalUid = uid_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", 
DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n DnsResponseCode = toint(rcode_d),\n DnsResponseCodeName = toupper(rcode_name_s),\n DnsQueryClass = toint(qclass_d),\n DnsQueryType = toint(qtype_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = case(tolong(rcode_d) > 0, \"Failure\", \"Success\"),\n EventSchema = 'Dns', \n EventSchemaVersion='0.1.3',\n EventType = 'Query',\n EventVendor = 'Vectra AI',\n SrcDvcIdType = 'VectraId',\n DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n SrcPortNumber = toint(id_orig_p_d),\n TransactionIdHex = tostring(toint(trans_id_d)),\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\n | lookup DnsClassLookup on DnsQueryClass\n | lookup NetworkProtocolLookup on proto_d\n | extend\n EventResultDetails = DnsResponseCodeName,\n EventStartTime = EventEndTime,\n SessionId = DnsSessionId,\n Domain = DnsQuery,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Dvc = coalesce (DvcId, DvcDescription),\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away\n *_d, *_s, *_b, *_g\n };\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS ASIM parser for Vectra AI Steams", + "category": "ASIM", + "FunctionAlias": "ASimDnsVectraAI", + "query": "let parser = (disabled:bool=false) {\n let NetworkProtocolLookup = datatable(proto_d:real, NetworkProtocol:string)[\n 6, 'TCP',\n 17, 'UDP'];\n let DnsClassLookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 
1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where metadata_type_s == 'metadata_dns'\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DnsFlagsAuthoritative = AA_b,\n DnsFlagsRecursionAvailable = RA_b,\n DnsFlagsRecursionDesired = RD_b,\n DnsFlagsTruncated = TC_b,\n DnsResponseName = answers_s,\n DnsQuery = query_s,\n DnsQueryTypeName = qtype_name_s,\n DstIpAddr = id_resp_h_s,\n DnsSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n DstDvcId = resp_huid_s,\n SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n EventOriginalUid = uid_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n DnsResponseCode = toint(rcode_d),\n DnsResponseCodeName = toupper(rcode_name_s),\n DnsQueryClass = toint(qclass_d),\n DnsQueryType = toint(qtype_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = case(tolong(rcode_d) > 0, \"Failure\", \"Success\"),\n EventSchema = 'Dns', \n EventSchemaVersion='0.1.3',\n EventType = 'Query',\n EventVendor = 'Vectra AI',\n SrcDvcIdType = 'VectraId',\n DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n SrcPortNumber = toint(id_orig_p_d),\n TransactionIdHex = 
tostring(toint(trans_id_d)),\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\n | lookup DnsClassLookup on DnsQueryClass\n | lookup NetworkProtocolLookup on proto_d\n | extend\n EventResultDetails = DnsResponseCodeName,\n EventStartTime = EventEndTime,\n SessionId = DnsSessionId,\n Domain = DnsQuery,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Dvc = coalesce (DvcId, DvcDescription),\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away\n *_d, *_s, *_b, *_g\n };\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/ASimDnsZscalerZIA/ASimDnsZscalerZIA.json b/Parsers/ASimDns/ARM/ASimDnsZscalerZIA/ASimDnsZscalerZIA.json index d1d724c9161..8d651820ae8 100644 --- a/Parsers/ASimDns/ARM/ASimDnsZscalerZIA/ASimDnsZscalerZIA.json +++ b/Parsers/ASimDns/ARM/ASimDnsZscalerZIA/ASimDnsZscalerZIA.json 
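Review bot: `TransactionIdHex = tostring(toint(trans_id_d))` produces the decimal rendering of the transaction id, while the field name (and its `Hex` suffix) calls for a hexadecimal string; `TransactionIdHex = tohex(toint(trans_id_d)),` gives the intended form. `EventResult = case(tolong(rcode_d) > 0, "Failure", "Success")` also treats a null `rcode_d` — the request-only case, where `saw_reply_b` is false and `EventSubType` becomes `"request"` — as `Success`; `EventResult = case(not(saw_reply_b), "NA", tolong(rcode_d) > 0, "Failure", "Success"),` keeps it consistent with the Zscaler parser in this diff, which sets `'NA'` for requests. Whether `rcode_d` is in fact null on requests is inferred from the `saw_reply_b` flag and should be checked against sample data. The change presumably belongs in the YAML source this ARM template is generated from.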
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimDnsZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimDnsZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Zscaler ZIA", - "category": "ASIM", - "FunctionAlias": "ASimDnsZscalerZIA", - "query": "let ZscalerDNSevents=(disabled:bool=false){\n CommonSecurityLog \n | where not(disabled)\n | where DeviceProduct == \"NSSDNSlog\" \n | project-rename\n Dvc=Computer , \n SrcIpAddr = SourceIP, \n SrcUsername = SourceUserName, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n EventProductVersion = DeviceVersion, \n DnsQueryTypeName = DeviceCustomString4, \n DnsQuery = DeviceCustomString5, \n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\n reqaction = DeviceCustomString2, \n resaction = DeviceCustomString3, \n DvcUsername = SourceUserID,\n DvcZone = SourceUserPrivileges,\n SrcHostname = DeviceName,\n NetworkProtocol = Protocol,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n | extend\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA DNS\", \n EventSchema = \"Dns\", \n EventSchemaVersion=\"0.1.3\", \n EventEndTime=TimeGenerated, \n SrcUsernameType = \"UPN\", \n EventSubType = iff(resaction == 'None', 'request', 'response'), \n DvcAction = iff(resaction == 'None', reqaction, resaction), \n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 
'NOERROR'), \n EventType = 'Query', \n RuleName = strcat (FlexString1, \" / \", FlexString2),\n // -- Adjustment to support both old and new CSL fields.\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \n DnsNetworkDuration = coalesce(\n toint(column_ifexists (\"FieldDeviceCustomNumber1\", int(null))), \n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\n )\n | extend \n EventResult = case (\n EventSubType == 'request', 'NA', \n EventResultDetails == 'NOERROR', 'Success',\n 'Failure'),\n DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\n // -- Aliases\n | extend\n DnsResponseCodeName = EventResultDetails,\n Domain = DnsQuery,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Hostname = SrcHostname,\n Dst = DstIpAddr,\n DvcHostname = Dvc,\n Duration = DnsNetworkDuration,\n User = SrcUsername,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink, Activity, resaction, reqaction\n };\nZscalerDNSevents (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Zscaler ZIA", + "category": "ASIM", + "FunctionAlias": "ASimDnsZscalerZIA", + "query": "let ZscalerDNSevents=(disabled:bool=false){\n CommonSecurityLog \n | where not(disabled)\n | where DeviceProduct == \"NSSDNSlog\" \n | project-rename\n Dvc=Computer , \n SrcIpAddr = SourceIP, \n SrcUsername = SourceUserName, \n DstIpAddr = DestinationIP, \n 
DstPortNumber = DestinationPort, \n EventProductVersion = DeviceVersion, \n DnsQueryTypeName = DeviceCustomString4, \n DnsQuery = DeviceCustomString5, \n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\n reqaction = DeviceCustomString2, \n resaction = DeviceCustomString3, \n DvcUsername = SourceUserID,\n DvcZone = SourceUserPrivileges,\n SrcHostname = DeviceName,\n NetworkProtocol = Protocol,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n | extend\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA DNS\", \n EventSchema = \"Dns\", \n EventSchemaVersion=\"0.1.3\", \n EventEndTime=TimeGenerated, \n SrcUsernameType = \"UPN\", \n EventSubType = iff(resaction == 'None', 'request', 'response'), \n DvcAction = iff(resaction == 'None', reqaction, resaction), \n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 'NOERROR'), \n EventType = 'Query', \n RuleName = strcat (FlexString1, \" / \", FlexString2),\n // -- Adjustment to support both old and new CSL fields.\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \n DnsNetworkDuration = coalesce(\n toint(column_ifexists (\"FieldDeviceCustomNumber1\", int(null))), \n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\n )\n | extend \n EventResult = case (\n EventSubType == 'request', 'NA', \n EventResultDetails == 'NOERROR', 'Success',\n 'Failure'),\n DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\n // -- Aliases\n | extend\n DnsResponseCodeName = EventResultDetails,\n Domain = DnsQuery,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Hostname = SrcHostname,\n Dst = DstIpAddr,\n DvcHostname = Dvc,\n Duration = DnsNetworkDuration,\n User = SrcUsername,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away AdditionalExtensions, 
CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink, Activity, resaction, reqaction\n };\nZscalerDNSevents (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/FullDeploymentDns.json b/Parsers/ASimDns/ARM/FullDeploymentDns.json index 4bcbceae23e..1f305b78c7d 100644 --- a/Parsers/ASimDns/ARM/FullDeploymentDns.json +++ b/Parsers/ASimDns/ARM/FullDeploymentDns.json @@ -138,6 +138,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimDnsInfobloxBloxOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/ASimDnsInfobloxBloxOne/ASimDnsInfobloxBloxOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
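Review bot: The `UrlCategory` fallback in the new query, `extract("cat=(.*)", 1, AdditionalExtensions)`, is a greedy capture, so any key=value pairs that follow `cat=` in `AdditionalExtensions` are swallowed into the category value. Bounding the capture, e.g. `extract(@"cat=([^;]*)", 1, AdditionalExtensions)`, keeps only the category; the semicolon separator is inferred from the CEF convention rather than from anything on this page, so confirm it against sample NSSDNSlog records. The ARM template looks generated from the parser YAML, so the change belongs in the source YAML rather than in this file.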
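Review bot: The new `linkedASimDnsInfobloxBloxOne` deployment fetches its template from a `master` branch raw URL at deploy time, so what is deployed is whatever master holds at that moment rather than the revision reviewed here, and `"contentVersion": "1.0.0.0"` does not pin it either. The same applies to `linkedvimDnsInfobloxBloxOne` in the next hunk. This matches the sibling entries in the file, so it is an existing pattern rather than something this change introduces; if pinning is wanted, a tag or commit reference in the `uri` would provide it.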
@@ -458,6 +478,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimDnsInfobloxBloxOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/vimDnsInfobloxBloxOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/Parsers/ASimDns/ARM/imDns/imDns.json b/Parsers/ASimDns/ARM/imDns/imDns.json index 3b3577558e9..da9957c2626 100644 --- a/Parsers/ASimDns/ARM/imDns/imDns.json +++ b/Parsers/ASimDns/ARM/imDns/imDns.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imDns')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imDns", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser.", - "category": "ASIM", - "FunctionAlias": "imDns", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*', response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup', pack:bool=false ){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty,\n vimDnsAzureFirewall ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsAzureFirewall' in (DisabledParsers) ))),\n vimDnsCiscoUmbrella ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsCiscoUmbrella' in (DisabledParsers) ))),\n vimDnsCorelightZeek ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, 
(imDnsBuiltInDisabled or('ExcludevimDnsCorelightZeek' in (DisabledParsers) ))),\n vimDnsFortinetFortiGate ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsFortinetFortiGate' in (DisabledParsers) ))),\n vimDnsGcp ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsDnsGcp' in (DisabledParsers) ))),\n vimDnsInfobloxNIOS ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsInfobloxNIOS' in (DisabledParsers) ))),\n vimDnsMicrosoftNXlog ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftNXlog' in (DisabledParsers) ))),\n vimDnsMicrosoftOMS ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftOMS' in (DisabledParsers) ))),\n vimDnsMicrosoftSysmon ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmon' in (DisabledParsers) ))),\n vimDnsMicrosoftSysmonWindowsEvent ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmonWindowsevent' in (DisabledParsers) ))),\n vimDnsNative ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsNative' in (DisabledParsers) ))),\n vimDnsSentinelOne ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, 
response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsSentinelOne' in (DisabledParsers) ))),\n vimDnsVectraAI ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsVectraAI' in (DisabledParsers) ))),\n vimDnsZscalerZIA ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsZscalerZIA' in (DisabledParsers) )))\n };\nGeneric( starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, pack=pack)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='lookup',pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser.", + "category": "ASIM", + "FunctionAlias": "imDns", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*', response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup', pack:bool=false ){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty,\n vimDnsAzureFirewall ( starttime, endtime, srcipaddr, 
domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsAzureFirewall' in (DisabledParsers) ))),\n vimDnsCiscoUmbrella ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsCiscoUmbrella' in (DisabledParsers) ))),\n vimDnsCorelightZeek ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsCorelightZeek' in (DisabledParsers) ))),\n vimDnsFortinetFortiGate ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsFortinetFortiGate' in (DisabledParsers) ))),\n vimDnsGcp ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsDnsGcp' in (DisabledParsers) ))),\n vimDnsInfobloxNIOS ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsInfobloxNIOS' in (DisabledParsers) ))),\n vimDnsMicrosoftNXlog ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftNXlog' in (DisabledParsers) ))),\n vimDnsMicrosoftOMS ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftOMS' in (DisabledParsers) ))),\n vimDnsMicrosoftSysmon ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmon' in (DisabledParsers) ))),\n vimDnsMicrosoftSysmonWindowsEvent ( 
starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmonWindowsevent' in (DisabledParsers) ))),\n vimDnsNative ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsNative' in (DisabledParsers) ))),\n vimDnsSentinelOne ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsSentinelOne' in (DisabledParsers) ))),\n vimDnsVectraAI ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsVectraAI' in (DisabledParsers) ))),\n vimDnsZscalerZIA ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsZscalerZIA' in (DisabledParsers) ))),\n vimDnsInfobloxBloxOne ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsInfobloxBloxOne' in (DisabledParsers) )))\n };\nGeneric( starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='lookup',pack:bool=False" + } } ] -} \ No newline at end of file +} 
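Review bot: Two of the watchlist exclusion keys in the new `union` do not match the parser they guard: `vimDnsGcp` is gated on `'ExcludevimDnsDnsGcp'` and `vimDnsMicrosoftSysmonWindowsEvent` on `'ExcludevimDnsMicrosoftSysmonWindowsevent'`, while every other entry uses `Exclude<FunctionAlias>` exactly. Because `in` is case-sensitive in KQL, a watchlist row written by the documented convention will not disable either of these, so the lines should read `(imDnsBuiltInDisabled or('ExcludevimDnsGcp' in (DisabledParsers) ))` and `(imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))`. Existing watchlists that use the misspelt keys would stop matching, so consider accepting both spellings for a release. This is pre-existing, and since the ARM file appears generated the fix belongs in the imDns source YAML.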
diff --git a/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json b/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json index ffe674b6e5e..ede9b49614b 100644 --- a/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json +++ b/Parsers/ASimDns/ARM/vimDnsAzureFirewall/vimDnsAzureFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsAzureFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsAzureFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Azure Firewall", - "category": "ASIM", - "FunctionAlias": "vimDnsAzureFirewall", - "query": "let DNS_query=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ){\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \"DNS Request:\"\n // --Pre-parsing filtering:\n | where\n // Return empty list if response IPs are passed\n (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or has_ipv4(msg_s, srcipaddr))\n and (array_length(domain_has_any) ==0 or msg_s has_any (domain_has_any))\n and (responsecodename=='*' or msg_s has(responsecodename))\n // --\n | parse msg_s with\n \"DNS Request: \" \n 
SrcIpAddr:string \":\" SrcPortNumber:int \n \" - \" EventOriginalUid:string \n \" \" DnsQueryTypeName:string \n \" \" DnsQueryClassName:string\n \" \" DnsQuery:string\n \". \" NetworkProtocol:string \n \" \" SrcBytes:int \n \" \" DnsDNSSECflag:bool \n \" \" DnsDNSSECBufferSize:int \n \" \" EventResultDetails:string \n \" \" DnsFlags:string\n \" \" DstBytes:int\n \" \" DnsNetworkDuration:double\n \"s\"\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename==\"*\" or EventResultDetails has responsecodename)\n | project-away msg_s\n | extend\n EventResult = iff (EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\n EventSubType = \"response\",\n DnsNetworkDuration = toint(DnsNetworkDuration*1000) \n};\nlet DNS_error=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ) {\n AzureDiagnostics\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \" Error:\"\n // --Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') // Return empty list if response IPs are passed\n and (array_length(response_has_any_prefix) ==0) // Return empty list if response IPs are passed\n and (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or has_ipv4(msg_s, srcipaddr))\n and (array_length(domain_has_any) ==0 or msg_s has_any (domain_has_any))\n and 
(responsecodename=='*') // Return empty list if response code is passed\n // --\n | parse msg_s with \n \" Error: \" nu:string \n \" \" DnsQuery:string \n \". \" DnsQueryTypeName:string \n \": \" op:string \n \" \" NetworkProtocol:string\n \" \" SrcIpAddr:string \":\" SrcPortNumber:int \n \"->\" DstIpAddr:string \":\" DstPortNumber:int \n \": \" EventResultOriginalDetails:string\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n | project-away msg_s\n | extend \n EventResult = \"Failure\",\n EventSubType = \"request\"\n};\nlet DNS = (\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ) {\n union \n DNS_query (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled),\n DNS_error (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n | extend\n NetworkProtocol = toupper(NetworkProtocol)\n | project-rename\n DvcId = ResourceId\n | extend\n DvcIdType = \"AzureResourceId\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"Azure Firewall\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.3\",\n EventEndTime = TimeGenerated, \n EventType = 'Query',\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\n DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\n DnsFlagsTruncates = DnsFlags has \"tc\"\n | extend\n // -- Aliases\n 
DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Dst=DstIpAddr,\n Duration = DnsNetworkDuration,\n Dvc=DvcId\n | extend\n // -- Backward Compatibility\n Query = DnsQuery,\n QueryTypeName = DnsQueryTypeName,\n ResponseCodeName = DnsResponseCodeName,\n Flags = DnsFlags\n};\nDNS (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Azure Firewall", + "category": "ASIM", + "FunctionAlias": "vimDnsAzureFirewall", + "query": "let DNS_query=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ){\n AzureDiagnostics | where not(disabled)\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \"DNS Request:\"\n // --Pre-parsing filtering:\n | where\n // Return empty list if response IPs are passed\n (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or has_ipv4(msg_s, srcipaddr))\n and 
(array_length(domain_has_any) ==0 or msg_s has_any (domain_has_any))\n and (responsecodename=='*' or msg_s has(responsecodename))\n // --\n | parse msg_s with\n \"DNS Request: \" \n SrcIpAddr:string \":\" SrcPortNumber:int \n \" - \" EventOriginalUid:string \n \" \" DnsQueryTypeName:string \n \" \" DnsQueryClassName:string\n \" \" DnsQuery:string\n \". \" NetworkProtocol:string \n \" \" SrcBytes:int \n \" \" DnsDNSSECflag:bool \n \" \" DnsDNSSECBufferSize:int \n \" \" EventResultDetails:string \n \" \" DnsFlags:string\n \" \" DstBytes:int\n \" \" DnsNetworkDuration:double\n \"s\"\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename==\"*\" or EventResultDetails has responsecodename)\n | project-away msg_s\n | extend\n EventResult = iff (EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\n EventSubType = \"response\",\n DnsNetworkDuration = toint(DnsNetworkDuration*1000) \n};\nlet DNS_error=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ) {\n AzureDiagnostics\n // | where ResourceType == \"AZUREFIREWALLS\" -- Implicit in the next line\n | where Category == \"AzureFirewallDnsProxy\"\n | project msg_s, TimeGenerated, ResourceId\n | where msg_s startswith \" Error:\"\n // --Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') // Return empty list if response IPs are passed\n and (array_length(response_has_any_prefix) ==0) // Return empty list if response IPs are passed\n and (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n and (isnull(starttime) or TimeGenerated >= starttime)\n and 
(isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or has_ipv4(msg_s, srcipaddr))\n and (array_length(domain_has_any) ==0 or msg_s has_any (domain_has_any))\n and (responsecodename=='*') // Return empty list if response code is passed\n // --\n | parse msg_s with \n \" Error: \" nu:string \n \" \" DnsQuery:string \n \". \" DnsQueryTypeName:string \n \": \" op:string \n \" \" NetworkProtocol:string\n \" \" SrcIpAddr:string \":\" SrcPortNumber:int \n \"->\" DstIpAddr:string \":\" DstPortNumber:int \n \": \" EventResultOriginalDetails:string\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n | project-away msg_s\n | extend \n EventResult = \"Failure\",\n EventSubType = \"request\"\n};\nlet DNS = (\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ) {\n union \n DNS_query (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled),\n DNS_error (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n | extend\n NetworkProtocol = toupper(NetworkProtocol)\n | project-rename\n DvcId = ResourceId\n | extend\n DvcIdType = \"AzureResourceId\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"Azure Firewall\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.3\",\n EventEndTime = TimeGenerated, \n EventType = 'Query',\n DnsFlagsAuthenticated = DnsFlags has \"aa\",\n DnsFlagsAuthoritative = DnsFlags has \"ad\",\n DnsFlagsCheckingDisabled = DnsFlags has \"cd\",\n 
DnsFlagsRecursionAvailable = DnsFlags has \"ra\",\n DnsFlagsRecursionDesired = DnsFlags has \"rd\",\n DnsFlagsTruncates = DnsFlags has \"tc\"\n | extend\n // -- Aliases\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Dst=DstIpAddr,\n Duration = DnsNetworkDuration,\n Dvc=DvcId\n | extend\n // -- Backward Compatibility\n Query = DnsQuery,\n QueryTypeName = DnsQueryTypeName,\n ResponseCodeName = DnsResponseCodeName,\n Flags = DnsFlags\n};\nDNS (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json b/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json index 2f475b1d65a..44d3b6c3e60 100644 --- a/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json +++ b/Parsers/ASimDns/ARM/vimDnsCiscoUmbrella/vimDnsCiscoUmbrella.json 
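Review bot: `DNS_error` in the new query never checks the `disabled` parameter: `DNS_query` starts with `AzureDiagnostics | where not(disabled)` but `DNS_error` starts with a bare `AzureDiagnostics`, so a caller that disables the parser still receives the error rows. The flag extraction in `DNS` also looks inverted against the standard DNS header abbreviations (`aa` is authoritative answer, `ad` is authenticated data), and `DnsFlagsTruncates` is not the schema field name used by the sibling Vectra parser earlier in this diff. The three lines I would change are `AzureDiagnostics | where not(disabled)` at the top of `DNS_error`, `DnsFlagsAuthenticated = DnsFlags has "ad", DnsFlagsAuthoritative = DnsFlags has "aa",` and `DnsFlagsTruncated = DnsFlags has "tc"`. All of this is pre-existing, and as the ARM file appears generated the edits belong in the vimDnsAzureFirewall YAML.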
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsCiscoUmbrella')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsCiscoUmbrella", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Cisco Umbrella", - "category": "ASIM", - "FunctionAlias": "vimDnsCiscoUmbrella", - "query": "let DNSQuery_CiscoUmbrella=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([])\n , eventtype:string='Query'\n , disabled:bool=false\n ){\n Cisco_Umbrella_dns_CL | where not(disabled)\n // ******************************************************************\n // Pre-parsing filterring:\n | where\n // Return empty list if response IPs are passed\n (eventtype in~ ('lookup','Query'))\n and (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or InternalIp_s==srcipaddr)\n and (array_length(domain_has_any) ==0 or Domain_s has_any (domain_has_any))\n and (responsecodename=='*' or ResponseCode_s=~responsecodename)\n // *****************************************************************\n | parse QueryType_s with DnsQueryType:int \" (\"DnsQueryTypeName:string \")\"\n //\n | project \n //\n // ******************* Mandatory\n EventCount=int(1),\n 
EventStartTime=todatetime(column_ifexists('Timestamp_t',column_ifexists('Timestamp_s',''))),\n EventProduct=\"Umbrella\",\n EventVendor=\"Cisco\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"CiscoUmbrella\" ,\n EventType=\"Query\",\n EventResult=iff(ResponseCode_s=~'NOERROR','Success','Failure'),\n EventResultDetails=ResponseCode_s, // => ResponseCodeNames\n //\n TimeGenerated, // not handled by schema, but we need to preserve it\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\n EventSubType='response',\n // ********** Renamed columns\n UrlCategory=column_ifexists('Categories_s', ''),\n DnsQuery=trim_end(@'\\.',column_ifexists('Domain_s', '')) , \n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\n DvcAction=column_ifexists('Action_s', ''),\n EventEndTime=todatetime(column_ifexists('Timestamp_t', column_ifexists('Timestamp_s',\"\") )),\n //\n // *************** keep Parsed data\n DnsQueryType, DnsQueryTypeName\n // **************Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n DomainCategory=UrlCategory,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n };\nDNSQuery_CiscoUmbrella( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Cisco Umbrella", + "category": "ASIM", + "FunctionAlias": "vimDnsCiscoUmbrella", + "query": "let DNSQuery_CiscoUmbrella=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , 
domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([])\n , eventtype:string='Query'\n , disabled:bool=false\n ){\n Cisco_Umbrella_dns_CL | where not(disabled)\n // ******************************************************************\n // Pre-parsing filterring:\n | where\n // Return empty list if response IPs are passed\n (eventtype in~ ('lookup','Query'))\n and (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or InternalIp_s==srcipaddr)\n and (array_length(domain_has_any) ==0 or Domain_s has_any (domain_has_any))\n and (responsecodename=='*' or ResponseCode_s=~responsecodename)\n // *****************************************************************\n | parse QueryType_s with DnsQueryType:int \" (\"DnsQueryTypeName:string \")\"\n //\n | project \n //\n // ******************* Mandatory\n EventCount=int(1),\n EventStartTime=todatetime(column_ifexists('Timestamp_t',column_ifexists('Timestamp_s',''))),\n EventProduct=\"Umbrella\",\n EventVendor=\"Cisco\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"CiscoUmbrella\" ,\n EventType=\"Query\",\n EventResult=iff(ResponseCode_s=~'NOERROR','Success','Failure'),\n EventResultDetails=ResponseCode_s, // => ResponseCodeNames\n //\n TimeGenerated, // not handled by schema, but we need to preserve it\n SrcIpAddr=column_ifexists('InternalIp_s', ''),\n EventSubType='response',\n // ********** Renamed columns\n UrlCategory=column_ifexists('Categories_s', ''),\n DnsQuery=trim_end(@'\\.',column_ifexists('Domain_s', '')) , \n ThreatCategory=column_ifexists('Blocked_Categories_s', ''),\n SrcNatIpAddr=column_ifexists('ExternalIp_s', ''),\n DvcAction=column_ifexists('Action_s', ''),\n EventEndTime=todatetime(column_ifexists('Timestamp_t', column_ifexists('Timestamp_s',\"\") )),\n 
//\n // *************** keep Parsed data\n DnsQueryType, DnsQueryTypeName\n // **************Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n DomainCategory=UrlCategory,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n };\nDNSQuery_CiscoUmbrella( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json b/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json index b8f48958d25..92b6f4e8d8f 100644 --- a/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json +++ b/Parsers/ASimDns/ARM/vimDnsCorelightZeek/vimDnsCorelightZeek.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsCorelightZeek')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsCorelightZeek", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Corelight Zeek", - "category": "ASIM", - "FunctionAlias": "vimDnsCorelightZeek", - "query": "let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 54, \"Unassigned\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, 
\"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"ANY\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"];\nlet class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'];\nlet parser=(\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([])\n , eventtype:string='Query'\n , disabled:bool=false\n ){\n Corelight_CL | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (eventtype in~ ('lookup', 'Query'))\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (Message has '\"_path\":\"dns\"' or Message has '\"_path\":\"dns_red\"')\n and (srcipaddr=='*' or has_ipv4(Message, srcipaddr))\n and (array_length(domain_has_any) ==0 or Message has_any (domain_has_any))\n and (responsecodename=='*' or Message has responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(Message,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(Message, response_has_any_prefix))\n // --\n | project Message, TimeGenerated\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"trans_id\"']:int,\n ['\"query\"']:string,\n ['\"qclass\"']:int,\n ['\"qtype\"']:int,\n ['\"AA\"']:bool,\n ['\"TC\"']:bool,\n ['\"CD\"']:bool,\n ['\"RD\"']:bool,\n ['\"RA\"']:bool,\n ['\"Z\"']:int,\n ['\"rejected\"']:bool,\n 
['\"rcode\"']:int,\n ['\"rcode_name\"']:string,\n ['\"rtt\"']:real,\n ) \n with (quote = '\"')\n | parse Message with * '\"answers\":' answers:string ',\"TTLs\":' TTLs:string ',\"rejected\"' *\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or srcipaddr==['\"id.orig_h\"'])\n and (array_length(domain_has_any) ==0 or ['\"query\"'] has_any (domain_has_any))\n and (responsecodename==\"*\" or ['\"rcode_name\"'] has responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(answers,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers, response_has_any_prefix))\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.4\",\n EventType=\"Query\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n DnsQuery = ['\"query\"'],\n DnsResponseCode = ['\"rcode\"'],\n EventResultDetails = ['\"rcode_name\"'],\n DnsFlagsAuthoritative = ['\"AA\"'],\n DnsFlagsTruncated = ['\"TC\"'],\n DnsFlagsRecursionDesired = ['\"RD\"'],\n DnsFlagsCheckingDisabled = ['\"CD\"'],\n DnsFlagsRecursionAvailable = ['\"RA\"'],\n DnsQueryClass = ['\"qclass\"'],\n DnsQueryType = ['\"qtype\"'],\n rtt = ['\"rtt\"'],\n Z = ['\"Z\"'],\n trans_id = ['\"trans_id\"'],\n rejected = ['\"rejected\"'],\n Dvc = ['\"_system_name\"']\n | lookup query_type_lookup on DnsQueryType\n | lookup class_lookup on DnsQueryClass\n | extend\n EventSubType=iff(isnull(DnsResponseCode),'request','response'),\n DnsNetworkDuration = toint(rtt*1000),\n EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'),\n DnsQueryTypeName = case (DnsQueryTypeName == \"\" and not(isnull(DnsQueryType)), strcat(\"TYPE\", 
DnsQueryType), DnsQueryTypeName),\n DnsQueryClassName = case (DnsQueryClassName == \"\" and not(isnull(DnsQueryClass)), strcat(\"CLASS\", DnsQueryClass), DnsQueryClassName),\n TransactionIdHex = tohex(toint(trans_id)),\n DnsFlagsZ = (Z != 0),\n DnsResponseName = tostring(pack ('answers', answers, 'ttls', TTLs)) // support of auth & addl to be added.\n | project-away rtt\n // Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n Dst=DstIpAddr\n | project-away Message, Z, TTLs, answers, trans_id, rejected\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Corelight Zeek", + "category": "ASIM", + "FunctionAlias": "vimDnsCorelightZeek", + "query": "let query_type_lookup=datatable(DnsQueryType:int,DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, 
\"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 54, \"Unassigned\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"ANY\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"];\nlet class_lookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'];\nlet parser=(\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([])\n , eventtype:string='Query'\n , disabled:bool=false\n ){\n Corelight_CL | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (eventtype in~ ('lookup', 'Query'))\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (Message has '\"_path\":\"dns\"' or Message has '\"_path\":\"dns_red\"')\n and (srcipaddr=='*' or has_ipv4(Message, srcipaddr))\n and (array_length(domain_has_any) ==0 or Message has_any (domain_has_any))\n and (responsecodename=='*' or Message has responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(Message,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(Message, 
response_has_any_prefix))\n // --\n | project Message, TimeGenerated\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"trans_id\"']:int,\n ['\"query\"']:string,\n ['\"qclass\"']:int,\n ['\"qtype\"']:int,\n ['\"AA\"']:bool,\n ['\"TC\"']:bool,\n ['\"CD\"']:bool,\n ['\"RD\"']:bool,\n ['\"RA\"']:bool,\n ['\"Z\"']:int,\n ['\"rejected\"']:bool,\n ['\"rcode\"']:int,\n ['\"rcode_name\"']:string,\n ['\"rtt\"']:real,\n ) \n with (quote = '\"')\n | parse Message with * '\"answers\":' answers:string ',\"TTLs\":' TTLs:string ',\"rejected\"' *\n // -- Post-filtering accurately now that message is parsed\n | where\n (srcipaddr==\"*\" or srcipaddr==['\"id.orig_h\"'])\n and (array_length(domain_has_any) ==0 or ['\"query\"'] has_any (domain_has_any))\n and (responsecodename==\"*\" or ['\"rcode_name\"'] has responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(answers,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers, response_has_any_prefix))\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.4\",\n EventType=\"Query\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n DnsQuery = ['\"query\"'],\n DnsResponseCode = ['\"rcode\"'],\n EventResultDetails = ['\"rcode_name\"'],\n DnsFlagsAuthoritative = ['\"AA\"'],\n DnsFlagsTruncated = ['\"TC\"'],\n DnsFlagsRecursionDesired = ['\"RD\"'],\n DnsFlagsCheckingDisabled = ['\"CD\"'],\n DnsFlagsRecursionAvailable = ['\"RA\"'],\n DnsQueryClass = 
['\"qclass\"'],\n DnsQueryType = ['\"qtype\"'],\n rtt = ['\"rtt\"'],\n Z = ['\"Z\"'],\n trans_id = ['\"trans_id\"'],\n rejected = ['\"rejected\"'],\n Dvc = ['\"_system_name\"']\n | lookup query_type_lookup on DnsQueryType\n | lookup class_lookup on DnsQueryClass\n | extend\n EventSubType=iff(isnull(DnsResponseCode),'request','response'),\n DnsNetworkDuration = toint(rtt*1000),\n EventResult = iff (EventResultDetails!~'NOERROR' or rejected,'Failure','Success'),\n DnsQueryTypeName = case (DnsQueryTypeName == \"\" and not(isnull(DnsQueryType)), strcat(\"TYPE\", DnsQueryType), DnsQueryTypeName),\n DnsQueryClassName = case (DnsQueryClassName == \"\" and not(isnull(DnsQueryClass)), strcat(\"CLASS\", DnsQueryClass), DnsQueryClassName),\n TransactionIdHex = tohex(toint(trans_id)),\n DnsFlagsZ = (Z != 0),\n DnsResponseName = tostring(pack ('answers', answers, 'ttls', TTLs)) // support of auth & addl to be added.\n | project-away rtt\n // Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=DnsNetworkDuration,\n Dst=DstIpAddr\n | project-away Message, Z, TTLs, answers, trans_id, rejected\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json b/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json index d4444e4f9f4..d5018ae68b0 100644 --- a/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json 
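Review bot: The closing invocation in the vimDnsCorelightZeek query, `parser (starttime=starttime, ..., response_has_any_prefix=response_has_any_prefix, disabled=disabled)`, never passes `eventtype`, so the pre-parsing filter `(eventtype in~ ('lookup', 'Query'))` always evaluates against the parser's default `'Query'` and a caller asking for any other event type gets the full result set instead of an empty one. That undermines the filtering-parser contract that the `functionParameters` string advertises, and it is inconsistent with the sibling vimDnsCiscoUmbrella and Azure Firewall templates, whose final calls do forward `eventtype`. The one-line fix is to add `eventtype=eventtype,` before `disabled=disabled` in that call. This ARM template looks generated from the parser YAML, so the correction presumably belongs in the YAML source with the JSON regenerated rather than edited by hand.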
+++ b/Parsers/ASimDns/ARM/vimDnsEmpty/vimDnsEmpty.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimDnsEmpty", - "query": "let EmptyNewDnsEvents=datatable(\n _ResourceId: string,\n AdditionalFields: dynamic,\n DnsFlags: string,\n DnsFlagsAuthenticated: bool,\n DnsFlagsAuthoritative: bool,\n DnsFlagsCheckingDisabled: bool,\n DnsFlagsRecursionAvailable: bool,\n DnsFlagsRecursionDesired: bool,\n DnsFlagsTruncated: bool,\n DnsFlagsZ: bool,\n DnsNetworkDuration: int,\n DnsQuery: string,\n DnsQueryClass: int,\n DnsQueryClassName: string,\n DnsQueryType: int,\n DnsQueryTypeName: string,\n DnsResponseCode: int,\n DnsResponseCodeName: string,\n DnsResponseIpCity: string,\n DnsResponseIpCountry: string,\n DnsResponseIpLatitude: real,\n DnsResponseIpLongitude: real,\n DnsResponseIpRegion: string,\n DnsResponseName: string,\n DnsSessionId: string,\n Domain: string,\n DomainCategory: string,\n Dst: string,\n DstDescription: string,\n DstDeviceType: string,\n DstDomain: string,\n DstDomainType: string,\n DstDvcId: string,\n DstDvcIdType: string,\n DstDvcScopeId: string,\n DstDvcScope: string,\n DstFQDN: string,\n DstGeoCity: string,\n DstGeoCountry: string,\n DstGeoLatitude: real,\n DstGeoLongitude: real,\n DstGeoRegion: string,\n DstHostname: string,\n DstIpAddr: string,\n DstPortNumber: int,\n DstRiskLevel: int,\n DstOriginalRiskLevel: string,\n Duration: int,\n Dvc: 
string,\n DvcAction: string,\n DvcDescription: string,\n DvcDomain: string,\n DvcDomainType: string,\n DvcFQDN: string,\n DvcHostname: string,\n DvcId: string,\n DvcIdType: string,\n DvcInterface: string,\n DvcIpAddr: string,\n DvcMacAddr: string,\n DvcOriginalAction: string,\n DvcOs: string,\n DvcOsVersion: string,\n DvcScope: string,\n DvcScopeId: string,\n DvcZone: string,\n EventCount: int,\n EventEndTime: datetime,\n EventMessage: string,\n EventOriginalSeverity: string,\n EventOriginalSubType: string,\n EventOriginalType: string,\n EventOriginalUid: string,\n EventOwner: string,\n EventProduct: string,\n EventProductVersion: string,\n EventReportUrl: string,\n EventResult: string,\n EventResultDetails: string,\n EventSchema: string,\n EventSchemaVersion: string,\n EventSeverity: string,\n EventStartTime: datetime,\n EventSubType: string,\n EventType: string,\n EventUid: string,\n EventVendor: string,\n Hostname: string,\n IpAddr: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string,\n Process: string,\n Rule: string,\n RuleName: string,\n RuleNumber: int,\n SessionId: string,\n Src: string,\n SrcDescription: string,\n SrcDeviceType: string,\n SrcDomain: string,\n SrcDomainType: string,\n SrcDvcId: string,\n SrcDvcIdType: string,\n SrcDvcScope: string,\n SrcDvcScopeId: string,\n SrcFQDN: string,\n SrcGeoCity: string,\n SrcGeoCountry: string,\n SrcGeoLatitude: real,\n SrcGeoLongitude: real,\n SrcGeoRegion: string,\n SrcHostname: string,\n SrcIpAddr: string,\n SrcOriginalRiskLevel: string,\n SrcOriginalUserType: string,\n SrcPortNumber: int,\n SrcProcessGuid: string,\n SrcProcessId: string,\n SrcProcessName: string,\n SrcRiskLevel: int,\n SrcUserId: string,\n SrcUserAadId: string,\n SrcUserSid: string,\n SrcUserAWSId: string,\n SrcUserOktaId: string,\n SrcUserUid: string,\n SrcUserIdType: string,\n SrcUserScope: string,\n SrcUserScopeId: string,\n SrcUsername: string,\n SrcUsernameType: string,\n SrcUserType: string,\n SrcUserSessionId: string,\n 
TenantId: string,\n ThreatCategory: string,\n ThreatConfidence: int,\n ThreatField: string,\n ThreatFirstReportedTime: datetime,\n ThreatId: string,\n ThreatIpAddr: string,\n ThreatIsActive: bool,\n ThreatLastReportedTime: datetime,\n ThreatName: string,\n ThreatOriginalConfidence: string,\n ThreatOriginalRiskLevel: string,\n ThreatRiskLevel: int,\n TimeGenerated: datetime,\n TransactionIdHex: string,\n Type: string,\n UrlCategory: string,\n User: string\n)[];\nEmptyNewDnsEvents \n", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimDnsEmpty", + "query": "let EmptyNewDnsEvents=datatable(\n _ResourceId: string,\n AdditionalFields: dynamic,\n DnsFlags: string,\n DnsFlagsAuthenticated: bool,\n DnsFlagsAuthoritative: bool,\n DnsFlagsCheckingDisabled: bool,\n DnsFlagsRecursionAvailable: bool,\n DnsFlagsRecursionDesired: bool,\n DnsFlagsTruncated: bool,\n DnsFlagsZ: bool,\n DnsNetworkDuration: int,\n DnsQuery: string,\n DnsQueryClass: int,\n DnsQueryClassName: string,\n DnsQueryType: int,\n DnsQueryTypeName: string,\n DnsResponseCode: int,\n DnsResponseCodeName: string,\n DnsResponseIpCity: string,\n DnsResponseIpCountry: string,\n DnsResponseIpLatitude: real,\n DnsResponseIpLongitude: real,\n DnsResponseIpRegion: string,\n DnsResponseName: string,\n DnsSessionId: string,\n Domain: string,\n DomainCategory: string,\n Dst: string,\n DstDescription: string,\n DstDeviceType: string,\n DstDomain: string,\n DstDomainType: string,\n DstDvcId: string,\n DstDvcIdType: string,\n DstDvcScopeId: string,\n DstDvcScope: string,\n DstFQDN: string,\n DstGeoCity: string,\n DstGeoCountry: string,\n DstGeoLatitude: real,\n DstGeoLongitude: real,\n DstGeoRegion: string,\n DstHostname: string,\n DstIpAddr: string,\n DstPortNumber: int,\n DstRiskLevel: int,\n DstOriginalRiskLevel: string,\n Duration: int,\n Dvc: string,\n DvcAction: string,\n DvcDescription: string,\n DvcDomain: 
string,\n DvcDomainType: string,\n DvcFQDN: string,\n DvcHostname: string,\n DvcId: string,\n DvcIdType: string,\n DvcInterface: string,\n DvcIpAddr: string,\n DvcMacAddr: string,\n DvcOriginalAction: string,\n DvcOs: string,\n DvcOsVersion: string,\n DvcScope: string,\n DvcScopeId: string,\n DvcZone: string,\n EventCount: int,\n EventEndTime: datetime,\n EventMessage: string,\n EventOriginalSeverity: string,\n EventOriginalSubType: string,\n EventOriginalType: string,\n EventOriginalUid: string,\n EventOwner: string,\n EventProduct: string,\n EventProductVersion: string,\n EventReportUrl: string,\n EventResult: string,\n EventResultDetails: string,\n EventSchema: string,\n EventSchemaVersion: string,\n EventSeverity: string,\n EventStartTime: datetime,\n EventSubType: string,\n EventType: string,\n EventUid: string,\n EventVendor: string,\n Hostname: string,\n IpAddr: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string,\n Process: string,\n Rule: string,\n RuleName: string,\n RuleNumber: int,\n SessionId: string,\n Src: string,\n SrcDescription: string,\n SrcDeviceType: string,\n SrcDomain: string,\n SrcDomainType: string,\n SrcDvcId: string,\n SrcDvcIdType: string,\n SrcDvcScope: string,\n SrcDvcScopeId: string,\n SrcFQDN: string,\n SrcGeoCity: string,\n SrcGeoCountry: string,\n SrcGeoLatitude: real,\n SrcGeoLongitude: real,\n SrcGeoRegion: string,\n SrcHostname: string,\n SrcIpAddr: string,\n SrcOriginalRiskLevel: string,\n SrcOriginalUserType: string,\n SrcPortNumber: int,\n SrcProcessGuid: string,\n SrcProcessId: string,\n SrcProcessName: string,\n SrcRiskLevel: int,\n SrcUserId: string,\n SrcUserAadId: string,\n SrcUserSid: string,\n SrcUserAWSId: string,\n SrcUserOktaId: string,\n SrcUserUid: string,\n SrcUserIdType: string,\n SrcUserScope: string,\n SrcUserScopeId: string,\n SrcUsername: string,\n SrcUsernameType: string,\n SrcUserType: string,\n SrcUserSessionId: string,\n TenantId: string,\n ThreatCategory: string,\n ThreatConfidence: 
int,\n ThreatField: string,\n ThreatFirstReportedTime: datetime,\n ThreatId: string,\n ThreatIpAddr: string,\n ThreatIsActive: bool,\n ThreatLastReportedTime: datetime,\n ThreatName: string,\n ThreatOriginalConfidence: string,\n ThreatOriginalRiskLevel: string,\n ThreatRiskLevel: int,\n TimeGenerated: datetime,\n TransactionIdHex: string,\n Type: string,\n UrlCategory: string,\n User: string\n)[];\nEmptyNewDnsEvents \n", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsFortinetFortigate/vimDnsFortinetFortigate.json b/Parsers/ASimDns/ARM/vimDnsFortinetFortigate/vimDnsFortinetFortigate.json index a3d00632d29..418312c8234 100644 --- a/Parsers/ASimDns/ARM/vimDnsFortinetFortigate/vimDnsFortinetFortigate.json +++ b/Parsers/ASimDns/ARM/vimDnsFortinetFortigate/vimDnsFortinetFortigate.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "vimDnsFortinetFortiGate", - "query": "let Parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr: string='*', \n domain_has_any: dynamic=dynamic([]),\n responsecodename: string='*',\n response_has_ipv4: string='*',\n response_has_any_prefix: dynamic=dynamic([]),\n eventtype: string='Query',\n disabled: bool=false\n ) {\n let DeviceEventClassIDLookup = datatable(EventOriginalSubType:string,EventSubType:string, EventSeverity:string, DvcAction:string, ThreatCategory:string, ThreatField:string)[\n \"54000\", \"request\", \"Informational\", \"\", \"\", \"\",\n \"54200\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54400\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54401\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54600\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"DstIpAddr\",\n \"54601\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"Domain\",\n \"54800\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54801\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54802\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54803\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54804\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54805\", 
\"response\", \"Informational\", \"\", \"\", \"\",\n ];\n let EventOriginalResultDetailsLookup = datatable(EventOriginalResultDetails:string, EventResultDetails:string, EventResult:string)[\n \"\", \"NOERROR\", \"Success\",\n \"0\", \"NOERROR\", \"Success\",\n \"1\", \"FORMERR\", \"Failure\",\n \"2\", \"SERVFAIL\", \"Failure\",\n \"3\", \"NXDOMAIN\", \"Failure\",\n \"4\", \"NOTIMP\", \"Failure\",\n \"5\", \"REFUSED\", \"Failure\",\n \"6\", \"YXDOMAIN\", \"Failure\",\n \"7\", \"YXRRSET\", \"Failure\",\n \"8\", \"NXRRSET\", \"Failure\",\n \"9\", \"NOTAUTH\", \"Failure\",\n \"10\", \"NOTZONE\", \"Failure\",\n \"11\", \"DSOTYPENI\", \"Failure\",\n \"16\", \"BADVERS\", \"Failure\",\n \"16\", \"BADSIG\", \"Failure\",\n \"17\", \"BADKEY\", \"Failure\",\n \"18\", \"BADTIME\", \"Failure\",\n \"19\", \"BADMODE\", \"Failure\",\n \"20\", \"BADNAME\", \"Failure\",\n \"21\", \"BADALG\", \"Failure\",\n \"22\", \"BADTRUNC\", \"Failure\",\n \"23\", \"BADCOOKIE\", \"Failure\"\n ];\n let DnsResponseCodeNameLookup = toscalar(\n EventOriginalResultDetailsLookup\n | where not(disabled)\n | where (responsecodename == '*' or EventResultDetails =~ responsecodename)\n | project EventOriginalResultDetails\n );\n let DnsQueryTypeLookup = datatable(DnsQueryType:int, DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, 
\"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 63, \"ZONEMD\",\n 64, \"SVCB\",\n 65, \"HTTPS\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"*\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"\n ];\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Fortinet\" and \n DeviceProduct == \"Fortigate\"\n | where DeviceEventClassID in(54000,54200,54400,54401,54600,54601,54800,54801,54802,54803,54804,54805)\n | where (srcipaddr == \"*\" or SourceIP == srcipaddr) and\n (array_length(domain_has_any) == 0 or AdditionalExtensions has_any (domain_has_any)) and\n (responsecodename == '*' or AdditionalExtensions has DnsResponseCodeNameLookup) and\n (response_has_ipv4 == '*' or has_ipv4(AdditionalExtensions, response_has_ipv4)) and \n (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(AdditionalExtensions, response_has_any_prefix)) and\n (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n | project TimeGenerated, EventOriginalSubType = DeviceEventClassID, AdditionalExtensions, EventUid = _ItemId, EventOriginalSeverity = LogSeverity, EventProductVersion = DeviceVersion ,Computer, Type, SrcIpAddr = SourceIP, SrcPortNumber = SourcePort, DstIpAddr = DestinationIP, DstPortNumber = DestinationPort, EventMessage = Message, NetworkProtocolNumber = Protocol, DvcId = 
DeviceExternalID, DnsSessionId = ExtID\n | lookup DeviceEventClassIDLookup on EventOriginalSubType\n | parse-kv AdditionalExtensions as (FTNTFGTlogid:string, FTNTFGTsubtype:string, FTNTFGTsrccountry:string, FTNTFGTdstcountry:string,FTNTFGTsrcintfrole:string, FTNTFGTrcode:string, FTNTFGTqname:string, FTNTFGTqtype:string, FTNTFGTxid:string, FTNTFGTqtypeval:int, FTNTFGTqclass:string, FTNTFGTcatdesc:string, FTNTFGTipaddr:string, FTNTFGTunauthuser:string, FTNTFGTuser:string, FTNTFGTbotnetip:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where (array_length(domain_has_any) == 0 or FTNTFGTqname has_any (domain_has_any)) and\n (responsecodename == '*' or FTNTFGTrcode == DnsResponseCodeNameLookup) and\n (response_has_ipv4 == '*' or has_ipv4(FTNTFGTipaddr, response_has_ipv4)) and\n (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(FTNTFGTipaddr, response_has_any_prefix))\n | project-rename \n EventOriginalResultDetails = FTNTFGTrcode,\n EventOriginalUid = FTNTFGTlogid,\n DvcZone = FTNTFGTsrcintfrole,\n EventOriginalType = FTNTFGTsubtype,\n SrcGeoCountry = FTNTFGTsrccountry,\n DstGeoCountry = FTNTFGTdstcountry,\n DnsQuery = FTNTFGTqname,\n DnsQueryTypeName = FTNTFGTqtype,\n TransactionIdHex = FTNTFGTxid,\n DnsQueryClass = FTNTFGTqtypeval,\n DnsQueryClassName = FTNTFGTqclass,\n UrlCategory = FTNTFGTcatdesc,\n DnsResponseName = FTNTFGTipaddr,\n ThreatIpAddr = FTNTFGTbotnetip\n | extend \n DnsQueryTypeName = case(\n DnsQueryTypeName == \"Unknown\",\"\",\n DnsQueryTypeName\n )\n | lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | invoke _ASIM_ResolveNetworkProtocol(\"NetworkProtocolNumber\")\n | extend \n SrcUsername = coalesce(FTNTFGTuser, FTNTFGTunauthuser),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n DnsResponseCodeName = EventResultDetails,\n EventType = \"Query\",\n EventSchemaVersion = 
\"0.1.7\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventVendor = \"Fortinet\",\n EventProduct = \"FortiGate\",\n Domain = DnsQuery,\n DomainCategory = UrlCategory\n | extend \n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | project-away FTNTFGTuser, FTNTFGTunauthuser, AdditionalExtensions, Computer, NetworkProtocolNumber\n};\nParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr = srcipaddr,\n domain_has_any = domain_has_any,\n responsecodename = responsecodename, \n response_has_ipv4 = response_has_ipv4, \n response_has_any_prefix = response_has_any_prefix, \n eventtype = eventtype, \n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for Fortinet FortiGate", + "category": "ASIM", + "FunctionAlias": "vimDnsFortinetFortiGate", + "query": "let Parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr: string='*', \n domain_has_any: dynamic=dynamic([]),\n responsecodename: string='*',\n response_has_ipv4: string='*',\n response_has_any_prefix: dynamic=dynamic([]),\n eventtype: string='Query',\n disabled: bool=false\n ) {\n let DeviceEventClassIDLookup = datatable(EventOriginalSubType:string,EventSubType:string, EventSeverity:string, DvcAction:string, ThreatCategory:string, ThreatField:string)[\n \"54000\", \"request\", \"Informational\", \"\", \"\", \"\",\n \"54200\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54400\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54401\", 
\"response\", \"Informational\", \"\", \"\", \"\",\n \"54600\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"DstIpAddr\",\n \"54601\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"Domain\",\n \"54800\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54801\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54802\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54803\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54804\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54805\", \"response\", \"Informational\", \"\", \"\", \"\",\n ];\n let EventOriginalResultDetailsLookup = datatable(EventOriginalResultDetails:string, EventResultDetails:string, EventResult:string)[\n \"\", \"NOERROR\", \"Success\",\n \"0\", \"NOERROR\", \"Success\",\n \"1\", \"FORMERR\", \"Failure\",\n \"2\", \"SERVFAIL\", \"Failure\",\n \"3\", \"NXDOMAIN\", \"Failure\",\n \"4\", \"NOTIMP\", \"Failure\",\n \"5\", \"REFUSED\", \"Failure\",\n \"6\", \"YXDOMAIN\", \"Failure\",\n \"7\", \"YXRRSET\", \"Failure\",\n \"8\", \"NXRRSET\", \"Failure\",\n \"9\", \"NOTAUTH\", \"Failure\",\n \"10\", \"NOTZONE\", \"Failure\",\n \"11\", \"DSOTYPENI\", \"Failure\",\n \"16\", \"BADVERS\", \"Failure\",\n \"16\", \"BADSIG\", \"Failure\",\n \"17\", \"BADKEY\", \"Failure\",\n \"18\", \"BADTIME\", \"Failure\",\n \"19\", \"BADMODE\", \"Failure\",\n \"20\", \"BADNAME\", \"Failure\",\n \"21\", \"BADALG\", \"Failure\",\n \"22\", \"BADTRUNC\", \"Failure\",\n \"23\", \"BADCOOKIE\", \"Failure\"\n ];\n let DnsResponseCodeNameLookup = toscalar(\n EventOriginalResultDetailsLookup\n | where not(disabled)\n | where (responsecodename == '*' or EventResultDetails =~ responsecodename)\n | project EventOriginalResultDetails\n );\n let DnsQueryTypeLookup = datatable(DnsQueryType:int, DnsQueryTypeName:string)[\n 0, \"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 
14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 63, \"ZONEMD\",\n 64, \"SVCB\",\n 65, \"HTTPS\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"*\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"\n ];\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Fortinet\" and \n DeviceProduct == \"Fortigate\"\n | where DeviceEventClassID in(54000,54200,54400,54401,54600,54601,54800,54801,54802,54803,54804,54805)\n | where (srcipaddr == \"*\" or SourceIP == srcipaddr) and\n (array_length(domain_has_any) == 0 or AdditionalExtensions has_any (domain_has_any)) and\n (responsecodename == '*' or AdditionalExtensions has DnsResponseCodeNameLookup) and\n (response_has_ipv4 == '*' or has_ipv4(AdditionalExtensions, response_has_ipv4)) and \n (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(AdditionalExtensions, 
response_has_any_prefix)) and\n (eventtype=='*' or eventtype in (\"Query\", \"lookup\")) // -- support both legacy and standard value \n | project TimeGenerated, EventOriginalSubType = DeviceEventClassID, AdditionalExtensions, EventUid = _ItemId, EventOriginalSeverity = LogSeverity, EventProductVersion = DeviceVersion ,Computer, Type, SrcIpAddr = SourceIP, SrcPortNumber = SourcePort, DstIpAddr = DestinationIP, DstPortNumber = DestinationPort, EventMessage = Message, NetworkProtocolNumber = Protocol, DvcId = DeviceExternalID, DnsSessionId = ExtID\n | lookup DeviceEventClassIDLookup on EventOriginalSubType\n | parse-kv AdditionalExtensions as (FTNTFGTlogid:string, FTNTFGTsubtype:string, FTNTFGTsrccountry:string, FTNTFGTdstcountry:string,FTNTFGTsrcintfrole:string, FTNTFGTrcode:string, FTNTFGTqname:string, FTNTFGTqtype:string, FTNTFGTxid:string, FTNTFGTqtypeval:int, FTNTFGTqclass:string, FTNTFGTcatdesc:string, FTNTFGTipaddr:string, FTNTFGTunauthuser:string, FTNTFGTuser:string, FTNTFGTbotnetip:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where (array_length(domain_has_any) == 0 or FTNTFGTqname has_any (domain_has_any)) and\n (responsecodename == '*' or FTNTFGTrcode == DnsResponseCodeNameLookup) and\n (response_has_ipv4 == '*' or has_ipv4(FTNTFGTipaddr, response_has_ipv4)) and\n (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(FTNTFGTipaddr, response_has_any_prefix))\n | project-rename \n EventOriginalResultDetails = FTNTFGTrcode,\n EventOriginalUid = FTNTFGTlogid,\n DvcZone = FTNTFGTsrcintfrole,\n EventOriginalType = FTNTFGTsubtype,\n SrcGeoCountry = FTNTFGTsrccountry,\n DstGeoCountry = FTNTFGTdstcountry,\n DnsQuery = FTNTFGTqname,\n DnsQueryTypeName = FTNTFGTqtype,\n TransactionIdHex = FTNTFGTxid,\n DnsQueryClass = FTNTFGTqtypeval,\n DnsQueryClassName = FTNTFGTqclass,\n UrlCategory = FTNTFGTcatdesc,\n DnsResponseName = FTNTFGTipaddr,\n ThreatIpAddr = FTNTFGTbotnetip\n | extend \n DnsQueryTypeName = case(\n DnsQueryTypeName == 
\"Unknown\",\"\",\n DnsQueryTypeName\n )\n | lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | invoke _ASIM_ResolveNetworkProtocol(\"NetworkProtocolNumber\")\n | extend \n SrcUsername = coalesce(FTNTFGTuser, FTNTFGTunauthuser),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n DnsResponseCodeName = EventResultDetails,\n EventType = \"Query\",\n EventSchemaVersion = \"0.1.7\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventVendor = \"Fortinet\",\n EventProduct = \"FortiGate\",\n Domain = DnsQuery,\n DomainCategory = UrlCategory\n | extend \n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | project-away FTNTFGTuser, FTNTFGTunauthuser, AdditionalExtensions, Computer, NetworkProtocolNumber\n};\nParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr = srcipaddr,\n domain_has_any = domain_has_any,\n responsecodename = responsecodename, \n response_has_ipv4 = response_has_ipv4, \n response_has_any_prefix = response_has_any_prefix, \n eventtype = eventtype, \n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json b/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json index ba8ace4a43a..302acb70cf1 100644 --- a/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json +++ b/Parsers/ASimDns/ARM/vimDnsGcp/vimDnsGcp.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsGcp')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsGcp", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for GCP", - "category": "ASIM", - "FunctionAlias": "vimDnsGcp", - "query": "// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry\nlet GCPSeverityTable=datatable(severity_s:string,EventSeverity:string)\n[\"DEFAULT\",\"Informational\",\n\"DEBUG\",\"Informational\",\n\"INFO\",\"Informational\",\n\"NOTICE\",\"Medium\",\n\"WARNING\",\"Medium\",\n\"ERROR\",\"High\",\n\"CRITICAL\",\"High\",\n\"ALERT\",\"High\",\n\"EMERGENCY\",\"High\"\n];\nlet DNSQuery_GcpDns=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n){\n GCP_DNS_CL | where not(disabled)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where resource_type_s == \"dns_query\"\n // Pre-parsing filtering:\n | where\n (eventtype in ('lookup', 'Query')) // -- for now we support only lookup events\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or has_ipv4(payload_sourceIP_s, srcipaddr))\n and (array_length(domain_has_any) ==0 or payload_queryName_s has_any (domain_has_any))\n and 
(responsecodename=='*' or payload_responseCode_s == responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(payload_rdata_s,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(payload_rdata_s, response_has_any_prefix))\n // *****************************************************************\n | lookup GCPSeverityTable on severity_s\n | project-rename\n DnsQueryTypeName=payload_queryType_s,\n DnsResponseName=payload_rdata_s, \n EventResultDetails=payload_responseCode_s,\n NetworkProtocol=payload_protocol_s, \n SrcIpAddr=payload_sourceIP_s,\n EventOriginalUid=insert_id_s,\n EventOriginalSeverity=severity_s \n | extend\n DnsQuery=trim_end(@'\\.',payload_queryName_s), \n EventCount=int(1),\n EventProduct='Cloud DNS',\n EventVendor='GCP',\n EventSchema='Dns',\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"GCPDNS\" ,\n EventType = iif (resource_type_s == \"dns_query\", \"Query\", resource_type_s),\n EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),\n EventSubType='response',\n EventEndTime=todatetime(timestamp_t)\n | extend\n EventStartTime = EventEndTime,\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure')\n // -- Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n | project-away *_s, *_d, *_b, *_t\n };\n DNSQuery_GcpDns (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + 
"displayName": "DNS activity ASIM filtering parser for GCP", + "category": "ASIM", + "FunctionAlias": "vimDnsGcp", + "query": "// https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry\nlet GCPSeverityTable=datatable(severity_s:string,EventSeverity:string)\n[\"DEFAULT\",\"Informational\",\n\"DEBUG\",\"Informational\",\n\"INFO\",\"Informational\",\n\"NOTICE\",\"Medium\",\n\"WARNING\",\"Medium\",\n\"ERROR\",\"High\",\n\"CRITICAL\",\"High\",\n\"ALERT\",\"High\",\n\"EMERGENCY\",\"High\"\n];\nlet DNSQuery_GcpDns=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n){\n GCP_DNS_CL | where not(disabled)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where resource_type_s == \"dns_query\"\n // Pre-parsing filtering:\n | where\n (eventtype in ('lookup', 'Query')) // -- for now we support only lookup events\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or has_ipv4(payload_sourceIP_s, srcipaddr))\n and (array_length(domain_has_any) ==0 or payload_queryName_s has_any (domain_has_any))\n and (responsecodename=='*' or payload_responseCode_s == responsecodename)\n and (response_has_ipv4=='*' or has_ipv4(payload_rdata_s,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(payload_rdata_s, response_has_any_prefix))\n // *****************************************************************\n | lookup GCPSeverityTable on severity_s\n | project-rename\n DnsQueryTypeName=payload_queryType_s,\n DnsResponseName=payload_rdata_s, \n EventResultDetails=payload_responseCode_s,\n NetworkProtocol=payload_protocol_s, \n SrcIpAddr=payload_sourceIP_s,\n EventOriginalUid=insert_id_s,\n 
EventOriginalSeverity=severity_s \n | extend\n DnsQuery=trim_end(@'\\.',payload_queryName_s), \n EventCount=int(1),\n EventProduct='Cloud DNS',\n EventVendor='GCP',\n EventSchema='Dns',\n EventSchemaVersion=\"0.1.3\",\n Dvc=\"GCPDNS\" ,\n EventType = iif (resource_type_s == \"dns_query\", \"Query\", resource_type_s),\n EventResult=iff(EventResultDetails=~'NOERROR','Success','Failure'),\n EventSubType='response',\n EventEndTime=todatetime(timestamp_t)\n | extend\n EventStartTime = EventEndTime,\n EventResult = iff (EventResultDetails=~'NOERROR','Success','Failure')\n // -- Aliases\n | extend \n DnsResponseCodeName=EventResultDetails, \n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr\n | project-away *_s, *_d, *_b, *_t\n };\n DNSQuery_GcpDns (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/README.md b/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/README.md new file mode 100644 index 00000000000..627180a82f4 --- /dev/null +++ b/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/README.md 
@@ -0,0 +1,18 @@ +# Infoblox BloxOne ASIM Dns Normalization Parser + +ARM template for ASIM Dns schema parser for Infoblox BloxOne. + +This ASIM parser supports normalizing Dns logs from Infoblox BloxOne to the ASIM Dns normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Dns normalization schema reference](https://aka.ms/ASimDnsDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FvimDnsInfobloxBloxOne%2FvimDnsInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FvimDnsInfobloxBloxOne%2FvimDnsInfobloxBloxOne.json) diff --git a/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/vimDnsInfobloxBloxOne.json b/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/vimDnsInfobloxBloxOne.json new file mode 100644 index 00000000000..3e704cde7c5 --- /dev/null +++ b/Parsers/ASimDns/ARM/vimDnsInfobloxBloxOne/vimDnsInfobloxBloxOne.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsInfobloxBloxOne')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Dns ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "vimDnsInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable(LogSeverity:string, EventSeverity:string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet DnsQueryTypeLookup = datatable(DnsQueryTypeName:string, DnsQueryType:int)\n [\n \"A\", 1,\n \"NS\", 2,\n \"MD\", 3,\n \"MF\", 4,\n \"CNAME\", 5,\n \"SOA\", 6,\n \"MB\", 7,\n \"MG\", 8,\n \"MR\", 9,\n \"NULL\", 10,\n \"WKS\", 11,\n \"PTR\", 12,\n \"HINFO\", 13,\n \"MINFO\", 14,\n \"MX\", 15,\n \"TXT\", 16,\n \"RP\", 17,\n \"AFSDB\", 18,\n \"X25\", 19,\n \"ISDN\", 20, \n \"RT\", 21, \n \"NSAP\", 22, \n \"NSAPPTR\", 23, \n \"SIG\", 24, \n \"KEY\", 25, \n \"PX\", 26, \n \"GPOS\", 27, \n \"AAAA\", 28, \n \"LOC\", 29, \n \"NXT\", 30, \n \"EID\", 31, \n \"NIMLOC\", 32, \n \"SRV\", 33, \n \"ATMA\", 34, \n \"NAPTR\", 35, \n \"KX\", 36, \n \"CERT\", 37, \n \"A6\", 38, \n \"DNAME\", 39, \n 
\"SINK\", 40, \n \"OPT\", 41, \n \"APL\", 42, \n \"DS\", 43, \n \"SSHFP\", 44, \n \"IPSECKEY\", 45, \n \"RRSIG\", 46, \n \"NSEC\", 47, \n \"DNSKEY\", 48, \n \"DHCID\", 49, \n \"NSEC3\", 50, \n \"NSEC3PARAM\", 51, \n \"TLSA\", 52, \n \"SMIMEA\", 53, \n \"HIP\", 55, \n \"NINFO\", 56, \n \"RKEY\", 57, \n \"TALINK\", 58, \n \"CDS\", 59, \n \"CDNSKEY\", 60, \n \"OPENPGPKEY\", 61, \n \"CSYNC\", 62, \n \"ZONEMD\", 63, \n \"SVCB\", 64, \n \"HTTPS\", 65, \n \"SPF\", 99, \n \"UINFO\", 100, \n \"UID\", 101, \n \"GID\", 102, \n \"UNSPEC\", 103, \n \"TKEY\", 249, \n \"TSIG\", 250, \n \"IXFR\", 251, \n \"MAILB\", 253, \n \"MAILA\", 254, \n \"ANY\", 255, \n \"URI\", 256, \n \"CAA\", 257, \n \"TA\", 32768, \n \"DLV\", 32769 \n];\nlet DnsResponseCodeLookup = datatable(EventResultDetails:string, DnsResponseCode:int)\n [\n \"NOERROR\", 0, \n \"FORMERR\", 1, \n \"SERVFAIL\", 2, \n \"NXDOMAIN\", 3, \n \"NOTIMPL\", 4, \n \"REFUSED\", 5, \n \"YXDOMAIN\", 6, \n \"YXRRSET\", 7, \n \"NXRRSET\", 8, \n \"NOTAUTH\", 9, \n \"NOTZONE\", 10, \n \"DSOTYPENI\", 11, \n \"RESERVED12\", 12,\n \"RESERVED13\", 13,\n \"RESERVED14\", 14,\n \"RESERVED15\", 15,\n \"BADVERS\", 16, \n \"BADKEY\", 17, \n \"BADTIME\", 18, \n \"BADMODE\", 19, \n \"BADNAME\", 20, \n \"BADALG\", 21, \n \"BADTRUNC\", 22, \n \"BADCOOKIE\", 23, \n ];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr: string='*', \n domain_has_any: dynamic=dynamic([]),\n responsecodename: string='*',\n response_has_ipv4: string='*',\n response_has_any_prefix: dynamic=dynamic([]),\n eventtype: string='Query',\n disabled: bool=false\n ) {\n CommonSecurityLog\n | where not(disabled)\n and (eventtype == '*' or eventtype == \"Query\")\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Infoblox\" \n and DeviceEventClassID has \"DNS\"\n and (srcipaddr==\"*\" or has_ipv4(SourceIP, srcipaddr))\n and response_has_ipv4 == '*'\n and 
array_length(response_has_any_prefix) == 0\n | project-rename \n DnsQuery = DestinationDnsDomain\n | extend\n DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == \".\", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery)\n | where array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any)\n | parse-kv AdditionalExtensions as (InfobloxDNSRCode:string, InfobloxDNSQType:string, InfobloxDNSQFlags:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where responsecodename == '*' or (InfobloxDNSRCode =~ responsecodename)\n | project-rename \n EventResultDetails = InfobloxDNSRCode,\n DnsQueryTypeName = InfobloxDNSQType,\n DnsFlags = InfobloxDNSQFlags\n | extend DnsQueryTypeName = tostring(split(DnsQueryTypeName, ' ')[0])\n | lookup EventSeverityLookup on LogSeverity\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | lookup DnsResponseCodeLookup on EventResultDetails\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename \n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n SrcUsername = SourceUserName,\n SrcPortNumber = SourcePort,\n EventUid = _ItemId\n | extend\n Dvc = coalesce(DvcHostname, DvcIpAddr),\n EventEndTime = TimeGenerated,\n EventResult = iff(EventResultDetails == \"NOERROR\", \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n Src = SrcIpAddr,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DnsResponseCodeName = EventResultDetails,\n IpAddr = SrcIpAddr,\n User = SrcUsername\n | extend Domain = DnsQuery\n | extend\n EventCount = toint(1),\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventProduct = \"BloxOne\",\n EventVendor = \"Infoblox\",\n EventType = \"Query\",\n DnsQueryClass = toint(1),\n DnsQueryClassName = \"IN\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n Protocol,\n 
SimplifiedDeviceAction,\n ExternalID,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity,\n Computer,\n ApplicationProtocol,\n ExtID,\n Reason\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json b/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json index 7de97e43273..22e97b15aef 100644 --- a/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json +++ b/Parsers/ASimDns/ARM/vimDnsInfobloxNIOS/vimDnsInfobloxNIOS.json 
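Review bot: The new vimDnsInfobloxBloxOne query parses a DNS response code (`InfobloxDNSRCode` → `EventResultDetails`, `DnsResponseCode`, `EventResult`) but never sets `EventSubType`, whereas the sibling parsers in this diff do (`EventSubType='response'` in vimDnsGcp, lookup-derived `request`/`response` in vimDnsFortinetFortiGate); if these rows are indeed response events, adding `EventSubType = "response",` to the final constants `extend` keeps them consistent for content that filters on that field — please confirm against the BloxOne event semantics. The trailing-dot strip `DnsQuery = iff(substring(DnsQuery, strlen(DnsQuery) - 1, 1) == ".", substring(DnsQuery, 0, strlen(DnsQuery) - 1), DnsQuery)` can be written as `DnsQuery = trim_end(@'\.', DnsQuery)`, the form vimDnsGcp already uses in this same diff. The new file also ends with `\ No newline at end of file` while the regenerated templates in this commit (vimDnsFortinetFortigate.json, vimDnsGcp.json) gain a trailing newline, so the next regeneration run will likely produce a churn diff here. If this ARM JSON is emitted by the YAML-to-ARM workflow, both fixes belong in the source YAML or the generator rather than in this file.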
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsInfobloxNIOS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsInfobloxNIOS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Infoblox NIOS", - "category": "ASIM", - "FunctionAlias": "vimDnsInfobloxNIOS", - "query": "let SyslogProjected = Syslog | project SyslogMessage, ProcessName, TimeGenerated, Computer, HostIP;\nlet response = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n SyslogProjected\n | where not(disabled)\n and (eventtype in~ ('lookup', 'Query'))\n // -- Pre filtering\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n | where \n (srcipaddr==\"*\" or has_ipv4(SyslogMessage, srcipaddr))\n and (array_length(domain_has_any) == 0 or SyslogMessage has_any (domain_has_any))\n and (responsecodename==\"*\" or SyslogMessage has responsecodename)\n and (array_length(response_has_any_prefix)==0 or has_any_ipv4_prefix(SyslogMessage, response_has_any_prefix))\n and (response_has_ipv4=='*' or has_ipv4(SyslogMessage,response_has_ipv4))\n | parse SyslogMessage with *\n \"client \" 
SrcIpAddr: string\n \"#\" SrcPortNumber: string\n \" \" NetworkProtocol: string\n \": query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n | extend DnsResponseNameIndex= indexof(DnsFlags, \" \")\n | extend DnsResponseName =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, DnsResponseNameIndex+1), \"\")\n | extend DnsFlags =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)\n | extend SrcPortNumber = iif(SrcPortNumber has ':',replace_string(SrcPortNumber,':',''),SrcPortNumber)\n | extend SrcPortNumber = toint(SrcPortNumber)\n | extend EventSubType = \"response\"\n | project-away SyslogMessage, ProcessName, DnsResponseNameIndex\n};\nlet request =(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n SyslogProjected \n | where not(disabled)\n // -- Pre filtering\n and (eventtype in~ ('lookup', 'Query'))\n and (responsecodename==\"*\")\n and (array_length(response_has_any_prefix)==0)\n and (response_has_ipv4=='*')\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n | where \n (srcipaddr==\"*\" or has_ipv4(SyslogMessage, srcipaddr))\n and (array_length(domain_has_any) == 0 or SyslogMessage has_any (domain_has_any))\n | extend SyslogMessage = (split(SyslogMessage,\"client \"))[1]\n | extend SyslogMessage = iif(SyslogMessage startswith \"@\", (substring(SyslogMessage, indexof(SyslogMessage, \" \")+1)), SyslogMessage)\n | extend SyslogMessage = 
replace_string(SyslogMessage,\"\\\\ \",\"@@@\")\n | parse SyslogMessage with \n SrcIpAddr: string\n \"#\" SrcPortNumber: int *\n \"query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" \" DnsFlags: string\n | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')\n | extend DnsFlags= tostring((split(DnsFlags,\" \"))[0])\n | extend \n EventSubType = \"request\",\n DnsResponseCodeName = \"NA\"\n | project-away SyslogMessage, ProcessName\n};\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n union \n response (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n ),\n request (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n ) \n // -- Post-filtering\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename==\"*\" or DnsResponseCodeName has responsecodename)\n and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n and (response_has_ipv4 == '*' or has_ipv4(DnsResponseName,response_has_ipv4))\n | extend\n EventCount=int(1),\n EventStartTime=todatetime(TimeGenerated),\n EventEndTime=todatetime(TimeGenerated),\n EventProduct=\"NIOS\",\n 
EventVendor=\"Infoblox\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventType=\"Query\", \n EventResult=iff(EventSubType==\"request\" or DnsResponseCodeName==\"NOERROR\",\"Success\",\"Failure\"),\n DvcIpAddr=iff (HostIP == \"Unknown IP\", \"\", HostIP)\n // -- Aliases\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | project-away Computer\n | extend\n Dvc=DvcHostname,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventResultDetails = DnsResponseCodeName\n | project-away HostIP\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Infoblox NIOS", + "category": "ASIM", + "FunctionAlias": "vimDnsInfobloxNIOS", + "query": "let SyslogProjected = Syslog | project SyslogMessage, ProcessName, TimeGenerated, Computer, HostIP;\nlet response = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n SyslogProjected\n | where not(disabled)\n and (eventtype in~ ('lookup', 'Query'))\n // -- Pre filtering\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where ProcessName == \"named\" and 
SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n | where \n (srcipaddr==\"*\" or has_ipv4(SyslogMessage, srcipaddr))\n and (array_length(domain_has_any) == 0 or SyslogMessage has_any (domain_has_any))\n and (responsecodename==\"*\" or SyslogMessage has responsecodename)\n and (array_length(response_has_any_prefix)==0 or has_any_ipv4_prefix(SyslogMessage, response_has_any_prefix))\n and (response_has_ipv4=='*' or has_ipv4(SyslogMessage,response_has_ipv4))\n | parse SyslogMessage with *\n \"client \" SrcIpAddr: string\n \"#\" SrcPortNumber: string\n \" \" NetworkProtocol: string\n \": query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n | extend DnsResponseNameIndex= indexof(DnsFlags, \" \")\n | extend DnsResponseName =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, DnsResponseNameIndex+1), \"\")\n | extend DnsFlags =iif(DnsResponseNameIndex != \"-1\", substring(DnsFlags, 0, DnsResponseNameIndex), DnsFlags)\n | extend SrcPortNumber = iif(SrcPortNumber has ':',replace_string(SrcPortNumber,':',''),SrcPortNumber)\n | extend SrcPortNumber = toint(SrcPortNumber)\n | extend EventSubType = \"response\"\n | project-away SyslogMessage, ProcessName, DnsResponseNameIndex\n};\nlet request =(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n SyslogProjected \n | where not(disabled)\n // -- Pre filtering\n and (eventtype in~ ('lookup', 'Query'))\n and (responsecodename==\"*\")\n and (array_length(response_has_any_prefix)==0)\n and (response_has_ipv4=='*')\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where 
ProcessName == \"named\" and SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n | where \n (srcipaddr==\"*\" or has_ipv4(SyslogMessage, srcipaddr))\n and (array_length(domain_has_any) == 0 or SyslogMessage has_any (domain_has_any))\n | extend SyslogMessage = (split(SyslogMessage,\"client \"))[1]\n | extend SyslogMessage = iif(SyslogMessage startswith \"@\", (substring(SyslogMessage, indexof(SyslogMessage, \" \")+1)), SyslogMessage)\n | extend SyslogMessage = replace_string(SyslogMessage,\"\\\\ \",\"@@@\")\n | parse SyslogMessage with \n SrcIpAddr: string\n \"#\" SrcPortNumber: int *\n \"query: \" DnsQuery: string\n \" \" DnsQueryClassName: string\n \" \" DnsQueryTypeName: string\n \" \" DnsFlags: string\n | extend DnsQuery = replace_string (DnsQuery, '@@@', ' ')\n | extend DnsFlags= tostring((split(DnsFlags,\" \"))[0])\n | extend \n EventSubType = \"request\",\n DnsResponseCodeName = \"NA\"\n | project-away SyslogMessage, ProcessName\n};\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr:string=\"*\", \n domain_has_any:dynamic=dynamic([]), \n responsecodename:string=\"*\", \n response_has_ipv4:string=\"*\",\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string=\"Query\",\n disabled:bool=false\n) \n{\n union \n response (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n ),\n request (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n ) \n // -- Post-filtering\n | where\n (srcipaddr==\"*\" or SrcIpAddr==srcipaddr)\n and 
(array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename==\"*\" or DnsResponseCodeName has responsecodename)\n and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n and (response_has_ipv4 == '*' or has_ipv4(DnsResponseName,response_has_ipv4))\n | extend\n EventCount=int(1),\n EventStartTime=todatetime(TimeGenerated),\n EventEndTime=todatetime(TimeGenerated),\n EventProduct=\"NIOS\",\n EventVendor=\"Infoblox\",\n EventSchema=\"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventType=\"Query\", \n EventResult=iff(EventSubType==\"request\" or DnsResponseCodeName==\"NOERROR\",\"Success\",\"Failure\"),\n DvcIpAddr=iff (HostIP == \"Unknown IP\", \"\", HostIP)\n // -- Aliases\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | project-away Computer\n | extend\n Dvc=DvcHostname,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n EventResultDetails = DnsResponseCodeName\n | project-away HostIP\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json b/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json index d5a9ef9261a..28934315d71 100644 --- a/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json +++ b/Parsers/ASimDns/ARM/vimDnsMicrosoftNXlog/vimDnsMicrosoftNXlog.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsMicrosoftNXlog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsMicrosoftNXlog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Microsoft DNS logs collected using NXlog", - "category": "ASIM", - "FunctionAlias": "vimDnsMicrosoftNXlog", - "query": "let ASimDnsMicrosoftNXLog = (\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ){\nlet EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\n 256, 'Query'\n , 257, 'Query'\n , 258, 'Query'\n , 259, 'Query'\n , 260, 'Query'\n , 261, 'Query'\n , 262, 'Query'\n , 263, 'Dynamic update'\n , 264, 'Dynamic update'\n , 265, 'Zone XFR'\n , 266, 'Zone XFR'\n , 267, 'Zone XFR'\n , 268, 'Zone XFR'\n , 269, 'Zone XFR'\n , 270, 'Zone XFR'\n , 271, 'Zone XFR'\n , 272, 'Zone XFR'\n , 273, 'Zone XFR'\n , 274, 'Zone XFR'\n , 275, 'Zone XFR'\n , 276, 'Zone XFR'\n , 277, 'Dynamic update'\n , 278, 'Dynamic update'\n , 279, 'Query'\n , 280, 'Query'\n];\nlet EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\n 256, 'request'\n, 257, 'response'\n, 258, 'response'\n, 259, 'response'\n, 260, 'request'\n, 261, 'response'\n, 262, 'response'\n, 263, 'request'\n, 264, 'response'\n, 265, 'request'\n, 266, 'request'\n, 
267, 'response'\n, 268, 'response'\n, 269, 'request'\n, 270, 'request'\n, 271, 'response'\n, 272, 'response'\n, 273, 'request'\n, 274, 'request'\n, 275, 'response'\n, 276, 'response'\n, 277, 'request'\n, 278, 'response'\n, 279, 'response'\n, 280, 'response'\n];\nlet EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\n 256, 'NA'\n , 257, 'Success'\n , 258, 'Failure'\n , 259, 'Failure'\n , 260, 'NA'\n , 261, 'NA'\n , 262, 'Failure'\n , 263, 'NA'\n , 264, 'Based on RCODE'\n , 265, 'NA'\n , 266, 'NA'\n , 267, 'Based on RCODE'\n , 268, 'Based on RCODE'\n , 269, 'NA'\n , 270, 'NA'\n , 271, 'Based on RCODE'\n , 272, 'Based on RCODE'\n , 273, 'NA'\n , 274, 'NA'\n , 275, 'Success'\n , 276, 'Success'\n , 277, 'NA'\n , 278, 'Based on RCODE'\n , 279, 'NA'\n , 280, 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\n 0,'NOERROR'\n , 1,'FORMERR'\n , 2,'SERVFAIL'\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'\n];\nlet QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\n 0, 'Reserved'\n , 1, 'A'\n , 2, 'NS'\n , 3, 'MD'\n , 4, 'MF'\n , 5, 'CNAME'\n , 6, 'SOA'\n , 7, 'MB'\n , 8 ,'MG'\n , 9 ,'MR'\n , 10,'NULL'\n , 11,'WKS'\n , 12,'PTR'\n , 13,'HINFO'\n , 14,'MINFO'\n , 15,'MX'\n , 16,'TXT'\n , 17,'RP'\n , 18,'AFSDB'\n , 19,'X25'\n , 20,'ISDN'\n , 21,'RT'\n , 22,'NSAP'\n , 23,'NSAP-PTR'\n , 24,'SIG'\n , 25,'KEY'\n , 26,'PX'\n , 27,'GPOS'\n , 28,'AAAA'\n , 29,'LOC'\n , 30,'NXT'\n , 31,'EID'\n , 32,'NIMLOC'\n , 33,'SRV'\n , 34,'ATMA'\n , 35,'NAPTR'\n , 36,'KX'\n , 37,'CERT'\n , 38,'A6'\n , 39,'DNAME'\n , 40,'SINK'\n , 41,'OPT'\n , 42,'APL'\n , 43,'DS'\n , 44,'SSHFP'\n , 45,'IPSECKEY'\n , 46,'RRSIG'\n , 47,'NSEC'\n , 48,'DNSKEY'\n , 49,'DHCID'\n , 50,'NSEC3'\n , 51,'NSEC3PARAM'\n , 
52,'TLSA'\n , 53,'SMIMEA'\n , 55,'HIP'\n , 56,'NINFO'\n , 57,'RKEY'\n , 58,'TALINK'\n , 59,'CDS'\n , 60,'CDNSKEY'\n , 61,'OPENPGPKEY'\n , 62,'CSYNC'\n , 63,'ZONEMD'\n , 64,'SVCB'\n , 65,'HTTPS'\n , 99,'SPF'\n , 100,'UINFO'\n , 101,'UID'\n , 102,'GID'\n , 103,'UNSPEC'\n , 104,'NID'\n , 105,'L32'\n , 106,'L64'\n , 107,'LP'\n , 108,'EUI48'\n , 109,'EUI64'\n , 249,'TKEY'\n , 250,'TSIG'\n , 251,'IXFR'\n , 252,'AXFR'\n , 253,'MAILB'\n , 254,'MAILA'\n , 255,'*'\n , 256,'URI'\n , 257,'CAA'\n , 258,'AVC'\n , 259,'DOA'\n , 32768,'TA'\n , 32769,'DLV'\n];\nNXLog_DNS_Server_CL | where not(disabled)\n| where EventID_d < 281\n| project-rename \n EventOriginalType=EventID_d\n| lookup EventTypeTable on EventOriginalType\n| extend\n eventtype = iff (eventtype == \"lookup\", \"Query\", eventtype)\n// Pre-parsing filtering:\n | where\n // Return empty list if response IPs are passed\n (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (eventtype=='*' or EventType == eventtype) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or Source_s==srcipaddr)\n and (array_length(domain_has_any) ==0 or QNAME_s has_any (domain_has_any))\n and (responsecodename=='*' or RCODE_s=~responsecodename)\n// --\n| project-rename\n DnsFlags=Flags_s,\n DnsQuery=QNAME_s,\n DnsQueryType=QTYPE_s,\n DnsResponseCode=RCODE_s,\n DnsResponseName=PacketData_s,\n Dvc=Hostname_s,\n EventOriginalUid=GUID_g,\n EventStartTime=EventTime_t,\n SrcIpAddr=Source_s,\n EventUid=_ItemId\n| extend\n DnsQuery=trim_end(\".\",DnsQuery),\n DnsQueryType=toint(DnsQueryType),\n DnsResponseCode=toint(DnsResponseCode),\n SrcPortNumber=toint(Port_s),\n DvcHostname=Dvc,\n DvcIpAddr=HostIP_s,\n EventEndTime=EventStartTime,\n EventProduct = \"DNS Server\",\n EventSchemaVersion = \"0.1.7\",\n EventVendor = \"Microsoft\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n NetworkProtocol=iff(TCP_s == \"0\",\"UDP\",\"TCP\"),\n 
TransactionIdHex=tohex(toint(XID_s)),\n DnsFlagsAuthenticated = tobool(AD_s),\n DnsFlagsAuthoritative = tobool(AA_s),\n DnsFlagsRecursionDesired = tobool(RD_s)\n| lookup EventSubTypeTable on EventOriginalType\n| lookup EventResultTable on EventOriginalType\n| lookup RCodeTable on DnsResponseCode\n| lookup QTypeTable on DnsQueryType\n| extend\n EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventOriginalType = tostring(EventOriginalType)\n| extend\n Domain=DnsQuery,\n DnsResponseCodeName=EventResultDetails,\n DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName\n , DnsQueryType between (66 .. 98), 'Unassigned'\n , DnsQueryType between (110 .. 248), 'Unassigned'\n , DnsQueryType between (261 .. 32767), 'Unassigned'\n , 'Unassigned'),\n EventResult=iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n| extend\n // Aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId, eventtype\n};\nASimDnsMicrosoftNXLog (\n starttime=starttime,\n endtime=endtime,\n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename,\n response_has_ipv4=response_has_ipv4,\n response_has_any_prefix=response_has_any_prefix,\n eventtype=eventtype,\n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Microsoft DNS logs collected using NXlog", + 
"category": "ASIM", + "FunctionAlias": "vimDnsMicrosoftNXlog", + "query": "let ASimDnsMicrosoftNXLog = (\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n ){\nlet EventTypeTable=datatable(EventOriginalType:real,EventType:string)[\n 256, 'Query'\n , 257, 'Query'\n , 258, 'Query'\n , 259, 'Query'\n , 260, 'Query'\n , 261, 'Query'\n , 262, 'Query'\n , 263, 'Dynamic update'\n , 264, 'Dynamic update'\n , 265, 'Zone XFR'\n , 266, 'Zone XFR'\n , 267, 'Zone XFR'\n , 268, 'Zone XFR'\n , 269, 'Zone XFR'\n , 270, 'Zone XFR'\n , 271, 'Zone XFR'\n , 272, 'Zone XFR'\n , 273, 'Zone XFR'\n , 274, 'Zone XFR'\n , 275, 'Zone XFR'\n , 276, 'Zone XFR'\n , 277, 'Dynamic update'\n , 278, 'Dynamic update'\n , 279, 'Query'\n , 280, 'Query'\n];\nlet EventSubTypeTable=datatable(EventOriginalType:real,EventSubType:string)[\n 256, 'request'\n, 257, 'response'\n, 258, 'response'\n, 259, 'response'\n, 260, 'request'\n, 261, 'response'\n, 262, 'response'\n, 263, 'request'\n, 264, 'response'\n, 265, 'request'\n, 266, 'request'\n, 267, 'response'\n, 268, 'response'\n, 269, 'request'\n, 270, 'request'\n, 271, 'response'\n, 272, 'response'\n, 273, 'request'\n, 274, 'request'\n, 275, 'response'\n, 276, 'response'\n, 277, 'request'\n, 278, 'response'\n, 279, 'response'\n, 280, 'response'\n];\nlet EventResultTable=datatable(EventOriginalType:real,EventResult:string)[\n 256, 'NA'\n , 257, 'Success'\n , 258, 'Failure'\n , 259, 'Failure'\n , 260, 'NA'\n , 261, 'NA'\n , 262, 'Failure'\n , 263, 'NA'\n , 264, 'Based on RCODE'\n , 265, 'NA'\n , 266, 'NA'\n , 267, 'Based on RCODE'\n , 268, 'Based on RCODE'\n , 269, 'NA'\n , 270, 'NA'\n , 271, 'Based on RCODE'\n , 272, 'Based on RCODE'\n , 273, 'NA'\n , 274, 'NA'\n , 275, 'Success'\n , 276, 'Success'\n , 277, 'NA'\n , 
278, 'Based on RCODE'\n , 279, 'NA'\n , 280, 'NA'\n];\nlet RCodeTable=datatable(DnsResponseCode:int,ResponseCodeName:string)[\n 0,'NOERROR'\n , 1,'FORMERR'\n , 2,'SERVFAIL'\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'\n];\nlet QTypeTable=datatable(DnsQueryType:int,QTypeName:string)[\n 0, 'Reserved'\n , 1, 'A'\n , 2, 'NS'\n , 3, 'MD'\n , 4, 'MF'\n , 5, 'CNAME'\n , 6, 'SOA'\n , 7, 'MB'\n , 8 ,'MG'\n , 9 ,'MR'\n , 10,'NULL'\n , 11,'WKS'\n , 12,'PTR'\n , 13,'HINFO'\n , 14,'MINFO'\n , 15,'MX'\n , 16,'TXT'\n , 17,'RP'\n , 18,'AFSDB'\n , 19,'X25'\n , 20,'ISDN'\n , 21,'RT'\n , 22,'NSAP'\n , 23,'NSAP-PTR'\n , 24,'SIG'\n , 25,'KEY'\n , 26,'PX'\n , 27,'GPOS'\n , 28,'AAAA'\n , 29,'LOC'\n , 30,'NXT'\n , 31,'EID'\n , 32,'NIMLOC'\n , 33,'SRV'\n , 34,'ATMA'\n , 35,'NAPTR'\n , 36,'KX'\n , 37,'CERT'\n , 38,'A6'\n , 39,'DNAME'\n , 40,'SINK'\n , 41,'OPT'\n , 42,'APL'\n , 43,'DS'\n , 44,'SSHFP'\n , 45,'IPSECKEY'\n , 46,'RRSIG'\n , 47,'NSEC'\n , 48,'DNSKEY'\n , 49,'DHCID'\n , 50,'NSEC3'\n , 51,'NSEC3PARAM'\n , 52,'TLSA'\n , 53,'SMIMEA'\n , 55,'HIP'\n , 56,'NINFO'\n , 57,'RKEY'\n , 58,'TALINK'\n , 59,'CDS'\n , 60,'CDNSKEY'\n , 61,'OPENPGPKEY'\n , 62,'CSYNC'\n , 63,'ZONEMD'\n , 64,'SVCB'\n , 65,'HTTPS'\n , 99,'SPF'\n , 100,'UINFO'\n , 101,'UID'\n , 102,'GID'\n , 103,'UNSPEC'\n , 104,'NID'\n , 105,'L32'\n , 106,'L64'\n , 107,'LP'\n , 108,'EUI48'\n , 109,'EUI64'\n , 249,'TKEY'\n , 250,'TSIG'\n , 251,'IXFR'\n , 252,'AXFR'\n , 253,'MAILB'\n , 254,'MAILA'\n , 255,'*'\n , 256,'URI'\n , 257,'CAA'\n , 258,'AVC'\n , 259,'DOA'\n , 32768,'TA'\n , 32769,'DLV'\n];\nNXLog_DNS_Server_CL | where not(disabled)\n| where EventID_d < 281\n| project-rename \n EventOriginalType=EventID_d\n| lookup EventTypeTable on EventOriginalType\n| extend\n eventtype = 
iff (eventtype == \"lookup\", \"Query\", eventtype)\n// Pre-parsing filtering:\n | where\n // Return empty list if response IPs are passed\n (response_has_ipv4=='*')\n and (array_length(response_has_any_prefix) ==0) \n and (eventtype=='*' or EventType == eventtype) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and (srcipaddr=='*' or Source_s==srcipaddr)\n and (array_length(domain_has_any) ==0 or QNAME_s has_any (domain_has_any))\n and (responsecodename=='*' or RCODE_s=~responsecodename)\n// --\n| project-rename\n DnsFlags=Flags_s,\n DnsQuery=QNAME_s,\n DnsQueryType=QTYPE_s,\n DnsResponseCode=RCODE_s,\n DnsResponseName=PacketData_s,\n Dvc=Hostname_s,\n EventOriginalUid=GUID_g,\n EventStartTime=EventTime_t,\n SrcIpAddr=Source_s,\n EventUid=_ItemId\n| extend\n DnsQuery=trim_end(\".\",DnsQuery),\n DnsQueryType=toint(DnsQueryType),\n DnsResponseCode=toint(DnsResponseCode),\n SrcPortNumber=toint(Port_s),\n DvcHostname=Dvc,\n DvcIpAddr=HostIP_s,\n EventEndTime=EventStartTime,\n EventProduct = \"DNS Server\",\n EventSchemaVersion = \"0.1.7\",\n EventVendor = \"Microsoft\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n NetworkProtocol=iff(TCP_s == \"0\",\"UDP\",\"TCP\"),\n TransactionIdHex=tohex(toint(XID_s)),\n DnsFlagsAuthenticated = tobool(AD_s),\n DnsFlagsAuthoritative = tobool(AA_s),\n DnsFlagsRecursionDesired = tobool(RD_s)\n| lookup EventSubTypeTable on EventOriginalType\n| lookup EventResultTable on EventOriginalType\n| lookup RCodeTable on DnsResponseCode\n| lookup QTypeTable on DnsQueryType\n| extend\n EventResultDetails = case (isnotempty(ResponseCodeName), ResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventOriginalType = tostring(EventOriginalType)\n| extend\n Domain=DnsQuery,\n DnsResponseCodeName=EventResultDetails,\n DnsQueryTypeName = case (isnotempty(QTypeName), QTypeName\n , DnsQueryType between (66 .. 
98), 'Unassigned'\n , DnsQueryType between (110 .. 248), 'Unassigned'\n , DnsQueryType between (261 .. 32767), 'Unassigned'\n , 'Unassigned'),\n EventResult=iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n| extend\n // Aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n| project-away\n *_s, *_d, QTypeName, TenantId, SourceSystem, MG, ManagementGroupName, Computer, RawData, ResponseCodeName, EventReceivedTime_t, ProviderGuid_g, _ResourceId, eventtype\n};\nASimDnsMicrosoftNXLog (\n starttime=starttime,\n endtime=endtime,\n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename,\n response_has_ipv4=response_has_ipv4,\n response_has_any_prefix=response_has_any_prefix,\n eventtype=eventtype,\n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json b/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json index a13a4892cc5..e468e41c4f7 100644 --- a/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json +++ b/Parsers/ASimDns/ARM/vimDnsMicrosoftOMS/vimDnsMicrosoftOMS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsMicrosoftOMS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsMicrosoftOMS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Windows DNS log collected using the Log Analytics agent", - "category": "ASIM", - "FunctionAlias": "vimDnsMicrosoftOMS", - "query": "let EventTypeTable=datatable(EventId:int,EventType:string,EventSubType:string, EventResult:string)[\n 256, 'Query', 'request', 'NA'\n , 257, 'Query', 'response', 'Success'\n , 258, 'Query', 'response', 'Based on RCODE'\n , 259, 'Query', 'response', 'Based on RCODE'\n , 260, 'Query', 'request', 'NA'\n , 261, 'Query', 'response', 'NA'\n , 262, 'Query', 'response', 'Based on RCODE'\n , 263, 'Update', 'request', 'NA'\n , 264, 'Update', 'response', 'Based on RCODE'\n , 265, 'XFR', 'request', 'NA' \n , 266, 'XFR', 'request', 'NA'\n , 267, 'XFR', 'response', 'Based on RCODE'\n , 268, 'XFR', 'response', 'Based on RCODE'\n , 269, 'XFR', 'request', 'NA'\n , 270, 'XFR', 'request', 'NA'\n , 271, 'XFR', 'response', 'Based on RCODE'\n , 272, 'XFR', 'response', 'Based on RCODE'\n , 273, 'XFR', 'request', 'NA'\n , 274, 'XFR', 'request', 'NA'\n , 275, 'XFR', 'response', 'Success'\n , 276, 'XFR', 'response', 'Success'\n , 277, 'Update', 'request', 'NA'\n , 278, 'Update', 'response', 'Based on RCODE'\n , 279, 'Query', 'NA', 'NA'\n , 280, 'Query', 'NA', 'NA'\n ];\n let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n 0, 'NOERROR'\n , 1, \"FORMERR\"\n , 
2,\"SERVFAIL\"\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'];\n let QueryTypeSymbols=datatable(QTypeSeq:string,QTypeName:string)[\n \"0\", \"Reserved\",\n \"1\", \"A\",\n \"2\", \"NS\",\n \"3\", \"MD\",\n \"4\", \"MF\",\n \"5\", \"CNAME\",\n \"6\", \"SOA\",\n \"7\", \"MB\",\n \"8\", \"MG\",\n \"9\", \"MR\",\n \"10\", \"NULL\",\n \"11\", \"WKS\",\n \"12\", \"PTR\",\n \"13\", \"HINFO\",\n \"14\", \"MINFO\",\n \"15\", \"MX\",\n \"16\", \"TXT\",\n \"17\", \"RP\",\n \"18\", \"AFSDB\",\n \"19\", \"X25\",\n \"20\", \"ISDN\",\n \"21\", \"RT\",\n \"22\", \"NSAP\",\n \"23\", \"NSAP-PTR\",\n \"24\", \"SIG\",\n \"25\", \"KEY\",\n \"26\", \"PX\",\n \"27\", \"GPOS\",\n \"28\", \"AAAA\",\n \"29\", \"LOC\",\n \"30\", \"NXT\",\n \"31\", \"EID\",\n \"32\", \"NIMLOC\",\n \"33\", \"SRV\",\n \"34\", \"ATMA\",\n \"35\", \"NAPTR\",\n \"36\", \"KX\",\n \"37\", \"CERT\",\n \"38\", \"A6\",\n \"39\", \"DNAME\",\n \"40\", \"SINK\",\n \"41\", \"OPT\",\n \"42\", \"APL\",\n \"43\", \"DS\",\n \"44\", \"SSHFP\",\n \"45\", \"IPSECKEY\",\n \"46\", \"RRSIG\",\n \"47\", \"NSEC\",\n \"48\", \"DNSKEY\",\n \"49\", \"DHCID\",\n \"50\", \"NSEC3\",\n \"51\", \"NSEC3PARAM\",\n \"52\", \"TLSA\",\n \"53\", \"SMIMEA\",\n \"54\", \"Unassigned\",\n \"55\", \"HIP\",\n \"56\", \"NINFO\",\n \"57\", \"RKEY\",\n \"58\", \"TALINK\",\n \"59\", \"CDS\",\n \"60\", \"CDNSKEY\",\n \"61\", \"OPENPGPKEY\",\n \"62\", \"CSYNC\",\n \"99\", \"SPF\",\n \"100\", \"UINFO\",\n \"101\", \"UID\",\n \"102\", \"GID\",\n \"103\", \"UNSPEC\",\n \"104\", \"NID\",\n \"105\", \"L32\",\n \"106\", \"L64\",\n \"107\", \"LP\",\n \"108\", \"EUI48\",\n \"109\", \"EUI64\",\n \"249\", \"TKEY\",\n \"250\", \"TSIG\",\n \"251\", \"IXFR\",\n \"252\", \"AXFR\",\n \"253\", \"MAILB\",\n \"254\", 
\"MAILA\",\n \"255\", \"All\",\n \"256\", \"URI\",\n \"257\", \"CAA\",\n \"258\", \"AVC\",\n \"259\", \"DOA\",\n \"32768\", \"TA\",\n \"32769\", \"DLV\"];\n let DNSQuery_MS=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n ){\n let rcodenames=toscalar(RCodeTable | where DnsResponseCodeName == responsecodename | project DnsResponseCode);\n DnsEvents | where not(disabled)\n // ******************************************************************\n // Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or ClientIP==srcipaddr)\n and (array_length(domain_has_any) ==0 or Name has_any (domain_has_any))\n and (responsecodename=='*' or ResultCode == rcodenames)\n and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) )\n and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) )\n // *****************************************************************\n | where EventId < 500\n | lookup QueryTypeSymbols on $left.QueryType == $right.QTypeSeq\n | extend DnsQueryTypeName=coalesce(QTypeName, QueryType)\n | lookup EventTypeTable on EventId\n // late filtering:\n | extend\n eventtype = iff (eventtype == \"lookup\", \"Query\", eventtype)\n | where (eventtype == \"*\" or eventtype == EventType)\n | project-rename\n Dvc=Computer ,\n SrcIpAddr = ClientIP,\n // DnsQueryTypeName=QueryType,\n EventMessage = Message,\n EventReportUrl = ReportReferenceLink,\n DnsResponseName = IPAddresses,\n DnsQuery = Name,\n DnsResponseCode = ResultCode\n | extend hostelements=split(Dvc,'.')\n | extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( 
array_slice(hostelements,1,-1), '.')\n , DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n | extend DvcDomainType=iff(DvcFQDN !=\"\",\"FQDN\",\"\" )\n | project-away hostelements\n | extend\n EventCount=int(1),\n EventStartTime=TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"DNS Server\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventEndTime=TimeGenerated,\n EventSeverity = tostring(Severity),\n EventOriginalType = tostring(EventId)\n | lookup RCodeTable on DnsResponseCode\n | extend EventResultDetails = case (isnotempty(DnsResponseCodeName), DnsResponseCodeName\n , DnsResponseCode between (3841 .. 4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventResult = iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n // **************Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=srcipaddr\n | project-away \n SubType, QTypeName, QueryType, SourceSystem, TaskCategory, Remote*, Severity, Result, Confidence, Description, IndicatorThreatType, MaliciousIP, eventtype, EventId\n };\n DNSQuery_MS (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Windows DNS log collected using the Log Analytics agent", + "category": "ASIM", + "FunctionAlias": "vimDnsMicrosoftOMS", + "query": "let EventTypeTable=datatable(EventId:int,EventType:string,EventSubType:string, EventResult:string)[\n 256, 'Query', 'request', 'NA'\n , 257, 'Query', 'response', 
'Success'\n , 258, 'Query', 'response', 'Based on RCODE'\n , 259, 'Query', 'response', 'Based on RCODE'\n , 260, 'Query', 'request', 'NA'\n , 261, 'Query', 'response', 'NA'\n , 262, 'Query', 'response', 'Based on RCODE'\n , 263, 'Update', 'request', 'NA'\n , 264, 'Update', 'response', 'Based on RCODE'\n , 265, 'XFR', 'request', 'NA' \n , 266, 'XFR', 'request', 'NA'\n , 267, 'XFR', 'response', 'Based on RCODE'\n , 268, 'XFR', 'response', 'Based on RCODE'\n , 269, 'XFR', 'request', 'NA'\n , 270, 'XFR', 'request', 'NA'\n , 271, 'XFR', 'response', 'Based on RCODE'\n , 272, 'XFR', 'response', 'Based on RCODE'\n , 273, 'XFR', 'request', 'NA'\n , 274, 'XFR', 'request', 'NA'\n , 275, 'XFR', 'response', 'Success'\n , 276, 'XFR', 'response', 'Success'\n , 277, 'Update', 'request', 'NA'\n , 278, 'Update', 'response', 'Based on RCODE'\n , 279, 'Query', 'NA', 'NA'\n , 280, 'Query', 'NA', 'NA'\n ];\n let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n 0, 'NOERROR'\n , 1, \"FORMERR\"\n , 2,\"SERVFAIL\"\n , 3,'NXDOMAIN'\n , 4,'NOTIMP'\n , 5,'REFUSED'\n , 6,'YXDOMAIN'\n , 7,'YXRRSET'\n , 8,'NXRRSET'\n , 9,'NOTAUTH'\n , 10,'NOTZONE'\n , 11,'DSOTYPENI'\n , 16,'BADVERS'\n , 16,'BADSIG'\n , 17,'BADKEY'\n , 18,'BADTIME'\n , 19,'BADMODE'\n , 20,'BADNAME'\n , 21,'BADALG'\n , 22,'BADTRUNC'\n , 23,'BADCOOKIE'];\n let QueryTypeSymbols=datatable(QTypeSeq:string,QTypeName:string)[\n \"0\", \"Reserved\",\n \"1\", \"A\",\n \"2\", \"NS\",\n \"3\", \"MD\",\n \"4\", \"MF\",\n \"5\", \"CNAME\",\n \"6\", \"SOA\",\n \"7\", \"MB\",\n \"8\", \"MG\",\n \"9\", \"MR\",\n \"10\", \"NULL\",\n \"11\", \"WKS\",\n \"12\", \"PTR\",\n \"13\", \"HINFO\",\n \"14\", \"MINFO\",\n \"15\", \"MX\",\n \"16\", \"TXT\",\n \"17\", \"RP\",\n \"18\", \"AFSDB\",\n \"19\", \"X25\",\n \"20\", \"ISDN\",\n \"21\", \"RT\",\n \"22\", \"NSAP\",\n \"23\", \"NSAP-PTR\",\n \"24\", \"SIG\",\n \"25\", \"KEY\",\n \"26\", \"PX\",\n \"27\", \"GPOS\",\n \"28\", \"AAAA\",\n \"29\", \"LOC\",\n \"30\", \"NXT\",\n \"31\", 
\"EID\",\n \"32\", \"NIMLOC\",\n \"33\", \"SRV\",\n \"34\", \"ATMA\",\n \"35\", \"NAPTR\",\n \"36\", \"KX\",\n \"37\", \"CERT\",\n \"38\", \"A6\",\n \"39\", \"DNAME\",\n \"40\", \"SINK\",\n \"41\", \"OPT\",\n \"42\", \"APL\",\n \"43\", \"DS\",\n \"44\", \"SSHFP\",\n \"45\", \"IPSECKEY\",\n \"46\", \"RRSIG\",\n \"47\", \"NSEC\",\n \"48\", \"DNSKEY\",\n \"49\", \"DHCID\",\n \"50\", \"NSEC3\",\n \"51\", \"NSEC3PARAM\",\n \"52\", \"TLSA\",\n \"53\", \"SMIMEA\",\n \"54\", \"Unassigned\",\n \"55\", \"HIP\",\n \"56\", \"NINFO\",\n \"57\", \"RKEY\",\n \"58\", \"TALINK\",\n \"59\", \"CDS\",\n \"60\", \"CDNSKEY\",\n \"61\", \"OPENPGPKEY\",\n \"62\", \"CSYNC\",\n \"99\", \"SPF\",\n \"100\", \"UINFO\",\n \"101\", \"UID\",\n \"102\", \"GID\",\n \"103\", \"UNSPEC\",\n \"104\", \"NID\",\n \"105\", \"L32\",\n \"106\", \"L64\",\n \"107\", \"LP\",\n \"108\", \"EUI48\",\n \"109\", \"EUI64\",\n \"249\", \"TKEY\",\n \"250\", \"TSIG\",\n \"251\", \"IXFR\",\n \"252\", \"AXFR\",\n \"253\", \"MAILB\",\n \"254\", \"MAILA\",\n \"255\", \"All\",\n \"256\", \"URI\",\n \"257\", \"CAA\",\n \"258\", \"AVC\",\n \"259\", \"DOA\",\n \"32768\", \"TA\",\n \"32769\", \"DLV\"];\n let DNSQuery_MS=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n ){\n let rcodenames=toscalar(RCodeTable | where DnsResponseCodeName == responsecodename | project DnsResponseCode);\n DnsEvents | where not(disabled)\n // ******************************************************************\n // Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or ClientIP==srcipaddr)\n and (array_length(domain_has_any) ==0 or Name has_any (domain_has_any))\n and (responsecodename=='*' or 
ResultCode == rcodenames)\n and (response_has_ipv4=='*' or has_ipv4(IPAddresses,response_has_ipv4) )\n and (array_length(response_has_any_prefix) ==0 or has_any_ipv4_prefix(IPAddresses, response_has_any_prefix) )\n // *****************************************************************\n | where EventId < 500\n | lookup QueryTypeSymbols on $left.QueryType == $right.QTypeSeq\n | extend DnsQueryTypeName=coalesce(QTypeName, QueryType)\n | lookup EventTypeTable on EventId\n // late filtering:\n | extend\n eventtype = iff (eventtype == \"lookup\", \"Query\", eventtype)\n | where (eventtype == \"*\" or eventtype == EventType)\n | project-rename\n Dvc=Computer ,\n SrcIpAddr = ClientIP,\n // DnsQueryTypeName=QueryType,\n EventMessage = Message,\n EventReportUrl = ReportReferenceLink,\n DnsResponseName = IPAddresses,\n DnsQuery = Name,\n DnsResponseCode = ResultCode\n | extend hostelements=split(Dvc,'.')\n | extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n , DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n | extend DvcDomainType=iff(DvcFQDN !=\"\",\"FQDN\",\"\" )\n | project-away hostelements\n | extend\n EventCount=int(1),\n EventStartTime=TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"DNS Server\",\n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\",\n EventEndTime=TimeGenerated,\n EventSeverity = tostring(Severity),\n EventOriginalType = tostring(EventId)\n | lookup RCodeTable on DnsResponseCode\n | extend EventResultDetails = case (isnotempty(DnsResponseCodeName), DnsResponseCodeName\n , DnsResponseCode between (3841 .. 
4095), 'Reserved for Private Use'\n , 'Unassigned'),\n EventResult = iff (EventResult == \"Based on RCODE\", iff(DnsResponseCode == 0, \"Success\", \"Failure\"),EventResult)\n // **************Aliases\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n Src=srcipaddr\n | project-away \n SubType, QTypeName, QueryType, SourceSystem, TaskCategory, Remote*, Severity, Result, Confidence, Description, IndicatorThreatType, MaliciousIP, eventtype, EventId\n };\n DNSQuery_MS (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json b/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json index 934a79b7b7f..cb4712b9cfd 100644 --- a/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json +++ b/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmon/vimDnsMicrosoftSysmon.json 
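Review bot: In the new `query` string the alias block sets `Src=srcipaddr`, i.e. the filter parameter (default `'*'`), rather than the normalized column, so `Src` is `*` for every row unless the caller filtered on a single address; the sibling NXLog parser in this same diff writes `Src = SrcIpAddr`, and this one should read `Src=SrcIpAddr` too. Separately, `RCodeTable` carries two rows keyed `16` (`BADVERS` and `BADSIG`), and `| lookup RCodeTable on DnsResponseCode` emits one output row per matching right-side row, so any event with response code 16 is duplicated and `EventCount=int(1)` over-reports; keep a single row for 16 (e.g. `'BADVERS/BADSIG'`) unless the sub-type can be distinguished. Both issues are pre-existing and carried over by the resource restructure; since this ARM file appears to be produced from the YAML parser definition by the workflow in this diff, the fix belongs in the YAML source so it is not regenerated away. The restructure itself — deploying `workspaces/savedSearches` directly instead of declaring the parent workspace with a preview apiVersion — is an improvement, as the template no longer PUTs the workspace resource.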
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Sysmon for Windows", - "category": "ASIM", - "FunctionAlias": "vimDnsMicrosoftSysmon", - "query": "let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n, 9001, \"FORMERR\"\n, 9002,\"SERVFAIL\"\n, 9003,'NXDOMAIN'\n, 9004,'NOTIMP'\n, 9005,'REFUSED'\n, 9006,'YXDOMAIN'\n, 9007,'YXRRSET'\n, 9008,'NXRRSET'\n, 9009,'NOTAUTH'\n, 9010,'NOTZONE'\n, 9011,'DSOTYPENI'\n, 9016,'BADVERS'\n, 9016,'BADSIG'\n, 9017,'BADKEY'\n, 9018,'BADTIME'\n, 9019,'BADMODE'\n, 9020,'BADNAME'\n, 9021,'BADALG'\n, 9022,'BADTRUNC'\n, 9023,'BADCOOKIE'\n, 1460, 'TIMEOUT'\n];\nlet ParsedDnsEvent_Event =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n) \n{\n Event | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==22\n | project-away Source, EventID\n // -- Pre-parsing filtering (srcipaddr not available, 
responsecodename not optimizable)\n | where\n (eventtype in~ ('Query', 'lookup'))\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n // --\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n QueryName:string,\n QueryStatus:int,\n QueryResults:string,\n Image:string,\n User:string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n EventEndTime = UtcTime,\n SrcProcessId = ProcessId,\n SrcProcessGuid = ProcessGuid,\n DnsQuery = QueryName,\n DnsResponseCode = QueryStatus,\n DnsResponseName = QueryResults,\n SrcProcessName = Image,\n SrcUsername = User\n | project-away EventData \n // -- Post-filtering tests differnt for Event and WindowsEvent\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n };\nlet ParsedDnsEvent=(\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) \n , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n ParsedDnsEvent_Event (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n// -- Post-filtering accurately now that message is parsed\n| where\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or 
has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n// --\n| project-rename \n DvcHostname = Computer,\n //EventUid = _ItemId,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n| extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n// -- Aliases\n| extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Src = DvcHostname,\n Hostname=DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nParsedDnsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": 
"DNS activity ASIM filtering parser for Sysmon for Windows", + "category": "ASIM", + "FunctionAlias": "vimDnsMicrosoftSysmon", + "query": "let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n, 9001, \"FORMERR\"\n, 9002,\"SERVFAIL\"\n, 9003,'NXDOMAIN'\n, 9004,'NOTIMP'\n, 9005,'REFUSED'\n, 9006,'YXDOMAIN'\n, 9007,'YXRRSET'\n, 9008,'NXRRSET'\n, 9009,'NOTAUTH'\n, 9010,'NOTZONE'\n, 9011,'DSOTYPENI'\n, 9016,'BADVERS'\n, 9016,'BADSIG'\n, 9017,'BADKEY'\n, 9018,'BADTIME'\n, 9019,'BADMODE'\n, 9020,'BADNAME'\n, 9021,'BADALG'\n, 9022,'BADTRUNC'\n, 9023,'BADCOOKIE'\n, 1460, 'TIMEOUT'\n];\nlet ParsedDnsEvent_Event =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n) \n{\n Event | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==22\n | project-away Source, EventID\n // -- Pre-parsing filtering (srcipaddr not available, responsecodename not optimizable)\n | where\n (eventtype in~ ('Query', 'lookup'))\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n // --\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n QueryName:string,\n QueryStatus:int,\n QueryResults:string,\n 
Image:string,\n User:string\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n EventEndTime = UtcTime,\n SrcProcessId = ProcessId,\n SrcProcessGuid = ProcessGuid,\n DnsQuery = QueryName,\n DnsResponseCode = QueryStatus,\n DnsResponseName = QueryResults,\n SrcProcessName = Image,\n SrcUsername = User\n | project-away EventData \n // -- Post-filtering tests differnt for Event and WindowsEvent\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n };\nlet ParsedDnsEvent=(\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*'\n , response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) \n , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n ParsedDnsEvent_Event (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n// -- Post-filtering accurately now that message is parsed\n| where\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n// --\n| project-rename \n DvcHostname = Computer,\n //EventUid = _ItemId,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n| extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n 
DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventUid = _ItemId\n// -- Aliases\n| extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Src = DvcHostname,\n Hostname=DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nParsedDnsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmonWindowsEvent/vimDnsMicrosoftSysmonWindowsEvent.json b/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmonWindowsEvent/vimDnsMicrosoftSysmonWindowsEvent.json index cf7354bb805..ea7cffaa16c 100644 --- a/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmonWindowsEvent/vimDnsMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimDns/ARM/vimDnsMicrosoftSysmonWindowsEvent/vimDnsMicrosoftSysmonWindowsEvent.json 
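Review bot: The pre-parsing filter in the new `query` string, `(eventtype in~ ('Query', 'lookup'))`, does not accept the `'*'` wildcard that the other filtering parsers in this diff treat as "all event types" (`eventtype == "*" or eventtype == EventType`), so a caller passing `eventtype='*'` silently gets zero Sysmon rows instead of all of them; the guard should be `(eventtype in~ ('Query', 'lookup', '*'))`. As in the OMS parser, `RCodeTable` has two rows keyed `9016` (`BADVERS`/`BADSIG`), which makes `| lookup RCodeTable on DnsResponseCode` emit two rows for such events; collapse them to one entry. The `(srcipaddr=='*')` guard is a deliberate empty result when a source-IP filter is given and is commented as such, which is fine, but the `'*'` handling for `eventtype` should match it. This JSON appears to be generated from the YAML parser source referenced by the conversion workflow in this diff, so apply the change there; the unifying `vimDns` contract that defines the wildcard semantics is outside this hunk.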
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Sysmon for Windows", - "category": "ASIM", - "FunctionAlias": "vimDnsMicrosoftSysmonWindowsEvent", - "query": "let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n, 9001, \"FORMERR\"\n, 9002,\"SERVFAIL\"\n, 9003,'NXDOMAIN'\n, 9004,'NOTIMP'\n, 9005,'REFUSED'\n, 9006,'YXDOMAIN'\n, 9007,'YXRRSET'\n, 9008,'NXRRSET'\n, 9009,'NOTAUTH'\n, 9010,'NOTZONE'\n, 9011,'DSOTYPENI'\n, 9016,'BADVERS'\n, 9016,'BADSIG'\n, 9017,'BADKEY'\n, 9018,'BADTIME'\n, 9019,'BADMODE'\n, 9020,'BADNAME'\n, 9021,'BADALG'\n, 9022,'BADTRUNC'\n, 9023,'BADCOOKIE'\n, 1460, 'TIMEOUT'\n];\nlet ParsedDnsEvent_WindowsEvent =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\n | project-away Provider, EventID\n // 
-- Pre-parsing filtering (srcipaddr not available)\n | where\n (eventtype=='lookup')\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n | extend DnsResponseCode = toint(EventData.QueryStatus)\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n | extend \n RuleName = tostring(EventData.RuleName),\n EventEndTime = todatetime(EventData.UtcTime),\n SrcProcessGuid = tostring(EventData.ProcessGuid),\n SrcProcessId = tostring(EventData.ProcessId), \n DnsQuery = tostring(EventData.QueryName),\n DnsResponseName = tostring(EventData.QueryResults),\n SrcProcessName = tostring(EventData.Image),\n SrcUsername = tostring(EventData.User),\n EventUid = _ItemId\n | project-away EventData\n | parse SrcProcessGuid with '{' SrcProcessGuid '}'\n};\nlet ParsedDnsEvent=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n ParsedDnsEvent_WindowsEvent (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n// -- Post-filtering accurately now that message is parsed\n| where\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, 
response_has_any_prefix))\n// --\n| project-rename \n DvcHostname = Computer,\n //EventUid = _ItemId,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n| extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff (DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\")\n// -- Aliases\n| extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Src = DvcHostname,\n Hostname=DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nParsedDnsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Sysmon for 
Windows", + "category": "ASIM", + "FunctionAlias": "vimDnsMicrosoftSysmonWindowsEvent", + "query": "let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n, 9001, \"FORMERR\"\n, 9002,\"SERVFAIL\"\n, 9003,'NXDOMAIN'\n, 9004,'NOTIMP'\n, 9005,'REFUSED'\n, 9006,'YXDOMAIN'\n, 9007,'YXRRSET'\n, 9008,'NXRRSET'\n, 9009,'NOTAUTH'\n, 9010,'NOTZONE'\n, 9011,'DSOTYPENI'\n, 9016,'BADVERS'\n, 9016,'BADSIG'\n, 9017,'BADKEY'\n, 9018,'BADTIME'\n, 9019,'BADMODE'\n, 9020,'BADNAME'\n, 9021,'BADALG'\n, 9022,'BADTRUNC'\n, 9023,'BADCOOKIE'\n, 1460, 'TIMEOUT'\n];\nlet ParsedDnsEvent_WindowsEvent =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\n | project-away Provider, EventID\n // -- Pre-parsing filtering (srcipaddr not available)\n | where\n (eventtype=='lookup')\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n | extend DnsResponseCode = toint(EventData.QueryStatus)\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n | extend \n RuleName = 
tostring(EventData.RuleName),\n EventEndTime = todatetime(EventData.UtcTime),\n SrcProcessGuid = tostring(EventData.ProcessGuid),\n SrcProcessId = tostring(EventData.ProcessId), \n DnsQuery = tostring(EventData.QueryName),\n DnsResponseName = tostring(EventData.QueryResults),\n SrcProcessName = tostring(EventData.Image),\n SrcUsername = tostring(EventData.User),\n EventUid = _ItemId\n | project-away EventData\n | parse SrcProcessGuid with '{' SrcProcessGuid '}'\n};\nlet ParsedDnsEvent=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n ParsedDnsEvent_WindowsEvent (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n// -- Post-filtering accurately now that message is parsed\n| where\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n// --\n| project-rename \n DvcHostname = Computer,\n //EventUid = _ItemId,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n| extend\n EventOriginalType = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.6\",\n EventType = 'Query',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows',\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n DnsResponseName = iff (DnsResponseName == \"-\", \"\", DnsResponseName),\n DnsResponseCodeName = iff 
(DnsResponseCodeName == \"\", \"NA\", DnsResponseCodeName),\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\")\n// -- Aliases\n| extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Src = DvcHostname,\n Hostname=DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername,\n Process = SrcProcessName,\n Rule = RuleName,\n DvcAzureResourceId = DvcId\n | project-away DvcAzureResourceId\n};\nParsedDnsEvent (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json b/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json index 4f8f1e332ff..046ee3c427d 100644 --- a/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json +++ b/Parsers/ASimDns/ARM/vimDnsNative/vimDnsNative.json 
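Review bot: The new side's `functionParameters` declares `eventtype:string='Query'`, but `ParsedDnsEvent_WindowsEvent` pre-filters with `(eventtype=='lookup')`, so a call of `vimDnsMicrosoftSysmonWindowsEvent()` with default arguments — or from the unifying vimDns parser passing `'Query'` — returns zero rows, which silently blinds any analytic rule built on this parser. The Vectra hunk further down already accepts both spellings; mirroring it, `and (eventtype == '*' or eventtype in~ ('Query', 'lookup'))` in place of `(eventtype=='lookup')` fixes the mismatch. Separately, `RCodeTable` carries key `9016` twice (`'BADVERS'` and `'BADSIG'`), and `lookup RCodeTable on DnsResponseCode` therefore emits two rows for every event whose QueryStatus is 9016, inflating EventCount for those failures; one of the two entries should go. This JSON appears to be generated from the parser's YAML source, so both corrections presumably belong there rather than in this template.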
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table", - "category": "ASIM", - "FunctionAlias": "vimDnsNative", - "query": "let parser=\n(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n)\n{\n ASimDnsActivityLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') and (array_length(response_has_any_prefix) == 0) // -- Check that unsupported filters are set to default\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename=='*' or EventResultDetails == responsecodename)\n and (eventtype == \"*\" or eventtype == EventType or (eventtype == \"lookup\" and EventType == \"Query\")) // -- Support \"lookup\" as value for backward compatibility\n // --\n | project-rename\n EventUid = _ItemId\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = coalesce (Dvc, DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, 
strcat (EventVendor,'/', EventProduct)),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n EventSchema = \"Dns\"\n // -- Type fixes\n | extend\n ThreatConfidence = toint(ThreatConfidence),\n ThreatFirstReportedTime = todatetime(ThreatFirstReportedTime),\n ThreatIsActive = tobool(ThreatIsActive),\n ThreatLastReportedTime = todatetime(ThreatLastReportedTime),\n ThreatOriginalRiskLevel = tostring(ThreatOriginalRiskLevel),\n ThreatRiskLevel = toint(ThreatRiskLevel)\n // -- Aliases here\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n SessionId=DnsSessionId,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n User = SrcUsername,\n Hostname = SrcHostname,\n DvcScopeId = coalesce(DvcScopeId,_SubscriptionId)\n | project-away\n TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Microsoft Sentinel native DNS table", + "category": "ASIM", + "FunctionAlias": "vimDnsNative", + "query": "let parser=\n(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n 
disabled:bool=false\n)\n{\n ASimDnsActivityLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (response_has_ipv4=='*') and (array_length(response_has_any_prefix) == 0) // -- Check that unsupported filters are set to default\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (srcipaddr=='*' or SrcIpAddr==srcipaddr)\n and (array_length(domain_has_any) ==0 or DnsQuery has_any (domain_has_any))\n and (responsecodename=='*' or EventResultDetails == responsecodename)\n and (eventtype == \"*\" or eventtype == EventType or (eventtype == \"lookup\" and EventType == \"Query\")) // -- Support \"lookup\" as value for backward compatibility\n // --\n | project-rename\n EventUid = _ItemId\n | extend\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = coalesce (Dvc, DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n EventSchema = \"Dns\"\n // -- Type fixes\n | extend\n ThreatConfidence = toint(ThreatConfidence),\n ThreatFirstReportedTime = todatetime(ThreatFirstReportedTime),\n ThreatIsActive = tobool(ThreatIsActive),\n ThreatLastReportedTime = todatetime(ThreatLastReportedTime),\n ThreatOriginalRiskLevel = tostring(ThreatOriginalRiskLevel),\n ThreatRiskLevel = toint(ThreatRiskLevel)\n // -- Aliases here\n | extend\n DnsResponseCodeName=EventResultDetails,\n Domain=DnsQuery,\n IpAddr=SrcIpAddr,\n SessionId=DnsSessionId,\n Duration = DnsNetworkDuration,\n Process = SrcProcessName,\n User = SrcUsername,\n Hostname = SrcHostname,\n DvcScopeId = coalesce(DvcScopeId,_SubscriptionId)\n | project-away\n TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, 
response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsSentinelOne/vimDnsSentinelOne.json b/Parsers/ASimDns/ARM/vimDnsSentinelOne/vimDnsSentinelOne.json index 5466c32b384..35a5d3f2824 100644 --- a/Parsers/ASimDns/ARM/vimDnsSentinelOne/vimDnsSentinelOne.json +++ b/Parsers/ASimDns/ARM/vimDnsSentinelOne/vimDnsSentinelOne.json 
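Review bot: The `responsecodename` pre-filter in this parser is case-sensitive, `(responsecodename=='*' or EventResultDetails == responsecodename)`, while the SentinelOne and Vectra parsers in the same change compare with `=~`; a caller passing `responsecodename='nxdomain'` gets results from those sources but nothing from the native table, which is the kind of partial result that makes a DNS-tunnelling or NXDOMAIN-burst rule under-count without any error. Changing the line to `and (responsecodename=='*' or EventResultDetails =~ responsecodename)` brings it in line with the other parsers. The file appears to be generated from the parser YAML, so the change presumably belongs in the YAML source.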
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimDnsSentinelOne", - "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr: string='*', \n domain_has_any: dynamic=dynamic([]),\n responsecodename: string='*',\n response_has_ipv4: string='*',\n response_has_any_prefix: dynamic=dynamic([]),\n eventtype: string='Query',\n disabled: bool=false\n ) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and (eventtype == '*' or eventtype == \"Query\")\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and 
event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"DNS\"\n and srcipaddr == '*'\n and (array_length(domain_has_any) == 0 or alertInfo_dnsRequest_s has_any (domain_has_any))\n and (response_has_ipv4 == '*' or has_ipv4(alertInfo_dnsResponse_s, response_has_ipv4))\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(alertInfo_dnsResponse_s, response_has_any_prefix))\n | parse alertInfo_dnsResponse_s with * \"type: \" DnsQueryType: int \" \" RestMessage;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend \n DnsResponseCode = case(\n alertInfo_dnsResponse_s has \"NoError\" or alertInfo_dnsResponse_s has \"No Error\",\n int(0),\n alertInfo_dnsResponse_s has \"FormErr\" or alertInfo_dnsResponse_s has \"Format Error\",\n int(1),\n alertInfo_dnsResponse_s has \"ServFail\" or alertInfo_dnsResponse_s has \"Server Failure\",\n int(2),\n alertInfo_dnsResponse_s has \"NXDomain\" or alertInfo_dnsResponse_s has \"Non-Existent Domain\",\n int(3),\n alertInfo_dnsResponse_s has \"NotImp\" or alertInfo_dnsResponse_s has \"Not Implemented\",\n int(4),\n alertInfo_dnsResponse_s has \"Refused\" or alertInfo_dnsResponse_s has \"Query Refused\",\n int(5),\n alertInfo_dnsResponse_s has \"YXDomain\" or alertInfo_dnsResponse_s has \"Name Exists when it should not\",\n int(6),\n alertInfo_dnsResponse_s has \"YXRRSet\" or alertInfo_dnsResponse_s has \"RR Set Exists when it should not\",\n int(7),\n alertInfo_dnsResponse_s has \"NXRRSet\" or alertInfo_dnsResponse_s has \"RR Set that 
should exist does not\",\n int(8),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Server Not Authoritative for zone\",\n int(9),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Not Authorized\",\n int(9),\n alertInfo_dnsResponse_s has \"NotZone\" or alertInfo_dnsResponse_s has \"Name not contained in zone\",\n int(10),\n alertInfo_dnsResponse_s has \"DSOTYPENI\" or alertInfo_dnsResponse_s has \"DSO-TYPE Not Implemented\",\n int(11),\n alertInfo_dnsResponse_s has \"Unassigned\",\n int(12),\n alertInfo_dnsResponse_s has \"BADVERS\" or alertInfo_dnsResponse_s has \"Bad OPT Version\",\n int(16),\n alertInfo_dnsResponse_s has \"BADSIG\" or alertInfo_dnsResponse_s has \"TSIG Signature Failure\",\n int(16),\n alertInfo_dnsResponse_s has \"BADKEY\" or alertInfo_dnsResponse_s has \"Key not recognized\",\n int(17),\n alertInfo_dnsResponse_s has \"BADTIME\" or alertInfo_dnsResponse_s has \"Signature out of time window\",\n int(18),\n alertInfo_dnsResponse_s has \"BADMODE\" or alertInfo_dnsResponse_s has \"Bad TKEY Mode\",\n int(19),\n alertInfo_dnsResponse_s has \"BADNAME\" or alertInfo_dnsResponse_s has \"Duplicate key name\",\n int(20),\n alertInfo_dnsResponse_s has \"BADALG\" or alertInfo_dnsResponse_s has \"Algorithm not supported\",\n int(21),\n alertInfo_dnsResponse_s has \"BADTRUNC\" or alertInfo_dnsResponse_s has \"Bad Truncation\",\n int(22),\n alertInfo_dnsResponse_s has \"BADCOOKIE\" or alertInfo_dnsResponse_s has \"Bad/missing Server Cookie\",\n int(23),\n int(0)\n ),\n AdditionalFields = bag_pack(\n \"MachineType\",\n agentDetectionInfo_machineType_s,\n \"OsRevision\",\n agentDetectionInfo_osRevision_s\n )\n | extend EventResultDetails = _ASIM_LookupDnsResponseCode(DnsResponseCode)\n | where (responsecodename == '*' or EventResultDetails =~ responsecodename)\n | extend \n DnsQueryType = iff(isempty(DnsQueryType) and DnsResponseCode == 0, int(1), DnsQueryType),\n ThreatConfidence = 
coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DnsQuery = alertInfo_dnsRequest_s,\n EventUid = _ItemId,\n DnsResponseName = alertInfo_dnsResponse_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n EventResult = iff(DnsResponseCode == 0, \"Success\", \"Failure\"),\n EventSubType = iff(isnotempty(DnsResponseName), \"Response\", \"Request\"),\n EventOriginalResultDetails = DnsResponseCode,\n DnsQueryTypeName = _ASIM_LookupDnsQueryType(DnsQueryType),\n Rule = RuleName,\n SrcDvcId = DvcId,\n SrcHostname = DvcHostname,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n Domain = DnsQuery,\n Process = SrcProcessName,\n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend \n Src = SrcHostname,\n Hostname = SrcHostname,\n DnsResponseCodeName = EventResultDetails,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\")\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventType = \"Query\",\n EventVendor = \"SentinelOne\",\n DnsQueryClassName = \"IN\",\n DnsQueryClass = int(1)\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n RestMessage,\n 
_ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimDnsSentinelOne", + "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr: string='*', \n domain_has_any: dynamic=dynamic([]),\n responsecodename: string='*',\n response_has_ipv4: string='*',\n response_has_any_prefix: dynamic=dynamic([]),\n eventtype: string='Query',\n disabled: bool=false\n ) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and (eventtype == '*' or eventtype == 
\"Query\")\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"DNS\"\n and srcipaddr == '*'\n and (array_length(domain_has_any) == 0 or alertInfo_dnsRequest_s has_any (domain_has_any))\n and (response_has_ipv4 == '*' or has_ipv4(alertInfo_dnsResponse_s, response_has_ipv4))\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(alertInfo_dnsResponse_s, response_has_any_prefix))\n | parse alertInfo_dnsResponse_s with * \"type: \" DnsQueryType: int \" \" RestMessage;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend \n DnsResponseCode = case(\n alertInfo_dnsResponse_s has \"NoError\" or alertInfo_dnsResponse_s has \"No Error\",\n int(0),\n alertInfo_dnsResponse_s has \"FormErr\" or alertInfo_dnsResponse_s has \"Format Error\",\n int(1),\n alertInfo_dnsResponse_s has \"ServFail\" or alertInfo_dnsResponse_s has \"Server Failure\",\n int(2),\n alertInfo_dnsResponse_s has \"NXDomain\" or alertInfo_dnsResponse_s has \"Non-Existent Domain\",\n int(3),\n alertInfo_dnsResponse_s has \"NotImp\" or alertInfo_dnsResponse_s has \"Not Implemented\",\n int(4),\n alertInfo_dnsResponse_s has \"Refused\" or alertInfo_dnsResponse_s has \"Query Refused\",\n int(5),\n alertInfo_dnsResponse_s has \"YXDomain\" or alertInfo_dnsResponse_s has \"Name Exists when it should not\",\n int(6),\n alertInfo_dnsResponse_s has \"YXRRSet\" or alertInfo_dnsResponse_s has \"RR Set 
Exists when it should not\",\n int(7),\n alertInfo_dnsResponse_s has \"NXRRSet\" or alertInfo_dnsResponse_s has \"RR Set that should exist does not\",\n int(8),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Server Not Authoritative for zone\",\n int(9),\n alertInfo_dnsResponse_s has \"NotAuth\" or alertInfo_dnsResponse_s has \"Not Authorized\",\n int(9),\n alertInfo_dnsResponse_s has \"NotZone\" or alertInfo_dnsResponse_s has \"Name not contained in zone\",\n int(10),\n alertInfo_dnsResponse_s has \"DSOTYPENI\" or alertInfo_dnsResponse_s has \"DSO-TYPE Not Implemented\",\n int(11),\n alertInfo_dnsResponse_s has \"Unassigned\",\n int(12),\n alertInfo_dnsResponse_s has \"BADVERS\" or alertInfo_dnsResponse_s has \"Bad OPT Version\",\n int(16),\n alertInfo_dnsResponse_s has \"BADSIG\" or alertInfo_dnsResponse_s has \"TSIG Signature Failure\",\n int(16),\n alertInfo_dnsResponse_s has \"BADKEY\" or alertInfo_dnsResponse_s has \"Key not recognized\",\n int(17),\n alertInfo_dnsResponse_s has \"BADTIME\" or alertInfo_dnsResponse_s has \"Signature out of time window\",\n int(18),\n alertInfo_dnsResponse_s has \"BADMODE\" or alertInfo_dnsResponse_s has \"Bad TKEY Mode\",\n int(19),\n alertInfo_dnsResponse_s has \"BADNAME\" or alertInfo_dnsResponse_s has \"Duplicate key name\",\n int(20),\n alertInfo_dnsResponse_s has \"BADALG\" or alertInfo_dnsResponse_s has \"Algorithm not supported\",\n int(21),\n alertInfo_dnsResponse_s has \"BADTRUNC\" or alertInfo_dnsResponse_s has \"Bad Truncation\",\n int(22),\n alertInfo_dnsResponse_s has \"BADCOOKIE\" or alertInfo_dnsResponse_s has \"Bad/missing Server Cookie\",\n int(23),\n int(0)\n ),\n AdditionalFields = bag_pack(\n \"MachineType\",\n agentDetectionInfo_machineType_s,\n \"OsRevision\",\n agentDetectionInfo_osRevision_s\n )\n | extend EventResultDetails = _ASIM_LookupDnsResponseCode(DnsResponseCode)\n | where (responsecodename == '*' or EventResultDetails =~ responsecodename)\n | extend \n DnsQueryType 
= iff(isempty(DnsQueryType) and DnsResponseCode == 0, int(1), DnsQueryType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DnsQuery = alertInfo_dnsRequest_s,\n EventUid = _ItemId,\n DnsResponseName = alertInfo_dnsResponse_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n EventResult = iff(DnsResponseCode == 0, \"Success\", \"Failure\"),\n EventSubType = iff(isnotempty(DnsResponseName), \"Response\", \"Request\"),\n EventOriginalResultDetails = DnsResponseCode,\n DnsQueryTypeName = _ASIM_LookupDnsQueryType(DnsQueryType),\n Rule = RuleName,\n SrcDvcId = DvcId,\n SrcHostname = DvcHostname,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n Domain = DnsQuery,\n Process = SrcProcessName,\n User = SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend \n Src = SrcHostname,\n Hostname = SrcHostname,\n DnsResponseCodeName = EventResultDetails,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\")\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchema = \"Dns\",\n EventSchemaVersion = \"0.1.7\",\n EventType = \"Query\",\n EventVendor = \"SentinelOne\",\n DnsQueryClassName = \"IN\",\n 
DnsQueryClass = int(1)\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n RestMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n srcipaddr=srcipaddr,\n domain_has_any=domain_has_any,\n responsecodename=responsecodename, \n response_has_ipv4=response_has_ipv4, \n response_has_any_prefix=response_has_any_prefix, \n eventtype=eventtype, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json b/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json index bb811883333..1e1bfbfd363 100644 --- a/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json +++ b/Parsers/ASimDns/ARM/vimDnsVectraAI/vimDnsVectraAI.json 
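Review bot: The three-way split on `ruleInfo_treatAsThreat_s` (`== "UNDEFINED"`, `== "Suspicious"`, `== "Malicious"`) followed by `union undefineddata, suspiciousdata, maaliciousdata` silently drops every SentinelOne DNS alert whose value is spelled differently or is any other value, and the mixed casing of the three literals makes an exact-match miss plausible; for an alert source that is a loss of detections, not just of enrichment. Matching with `=~` and keeping the remainder, e.g. `let otherdata = alldata | where not(ruleInfo_treatAsThreat_s in~ ("UNDEFINED", "Suspicious", "Malicious"));` and `union undefineddata, suspiciousdata, maaliciousdata, otherdata`, preserves every alert (ThreatConfidence is then simply empty for the unrecognised ones). A second, smaller point: the `case(...)` that derives `DnsResponseCode` falls through to `int(0)`, so a response string that matches none of the listed names is reported as `EventResult == "Success"` / NOERROR; a distinct sentinel or leaving the code empty would be more honest. The file appears to be generated from the parser YAML, so the fix presumably belongs in the YAML source.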
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS ASIM parser for Vectra AI Steams", - "category": "ASIM", - "FunctionAlias": "vimDnsVectraAI", - "query": "let parser=\n(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n) \n{\n let NetworkProtocolLookup = datatable(proto_d:real, NetworkProtocol:string)[\n 6, 'TCP',\n 17, 'UDP'];\n let DnsClassLookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where metadata_type_s == 'metadata_dns'\n | where (srcipaddr == '*' or id_orig_h_s == srcipaddr)\n | where (array_length(domain_has_any) == 0 or query_s has_any(domain_has_any))\n | where (responsecodename == '*' or rcode_name_s =~ responsecodename)\n | where (response_has_ipv4 == '*' or has_ipv4(answers_s, response_has_ipv4))\n | where 
(array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers_s, response_has_any_prefix))\n | where (eventtype == '*' or eventtype in~ ('Query', 'lookup'))\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DnsFlagsAuthoritative = AA_b,\n DnsFlagsRecursionAvailable = RA_b,\n DnsFlagsRecursionDesired = RD_b,\n DnsFlagsTruncated = TC_b,\n DnsResponseName = answers_s,\n DnsQuery = query_s,\n DnsQueryTypeName = qtype_name_s,\n DstIpAddr = id_resp_h_s,\n DnsSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n DstDvcId = resp_huid_s,\n SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n EventOriginalUid = uid_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n DnsResponseCode = toint(rcode_d),\n DnsResponseCodeName = toupper(rcode_name_s),\n DnsQueryClass = toint(qclass_d),\n DnsQueryType = toint(qtype_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = case(tolong(rcode_d) > 0, \"Failure\", \"Success\"),\n EventSchema = 'Dns', \n EventSchemaVersion='0.1.3',\n EventType = 'Query',\n EventVendor = 'Vectra AI',\n SrcDvcIdType = 'VectraId',\n DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n SrcPortNumber = toint(id_orig_p_d),\n TransactionIdHex = tostring(toint(trans_id_d)),\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\n | lookup DnsClassLookup on DnsQueryClass\n | lookup 
NetworkProtocolLookup on proto_d\n | extend\n EventResultDetails = DnsResponseCodeName,\n EventStartTime = EventEndTime,\n SessionId = DnsSessionId,\n Domain = DnsQuery,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Dvc = coalesce (DvcId, DvcDescription),\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away\n *_d, *_s, *_b, *_g\n };\nparser(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS ASIM parser for Vectra AI Steams", + "category": "ASIM", + "FunctionAlias": "vimDnsVectraAI", + "query": "let parser=\n(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr:string='*',\n domain_has_any:dynamic=dynamic([]),\n responsecodename:string='*', \n response_has_ipv4:string='*',\n response_has_any_prefix:dynamic=dynamic([]),\n eventtype:string='Query',\n disabled:bool=false\n) \n{\n let NetworkProtocolLookup = datatable(proto_d:real, NetworkProtocol:string)[\n 6, 'TCP',\n 17, 'UDP'];\n let DnsClassLookup = datatable(DnsQueryClass:int, DnsQueryClassName: string)[\n 0, 'Reserved',\n 1, 'IN',\n 2, 'Unassigned',\n 3, 'CH',\n 4, 'HS',\n 254, 'None',\n 255, 'Any'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | project-away MG, ManagementGroupName, RawData, SourceSystem, Computer\n | where metadata_type_s == 'metadata_dns'\n | where (srcipaddr == '*' or id_orig_h_s == srcipaddr)\n | where (array_length(domain_has_any) == 0 or query_s 
has_any(domain_has_any))\n | where (responsecodename == '*' or rcode_name_s =~ responsecodename)\n | where (response_has_ipv4 == '*' or has_ipv4(answers_s, response_has_ipv4))\n | where (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(answers_s, response_has_any_prefix))\n | where (eventtype == '*' or eventtype in~ ('Query', 'lookup'))\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DnsFlagsAuthoritative = AA_b,\n DnsFlagsRecursionAvailable = RA_b,\n DnsFlagsRecursionDesired = RD_b,\n DnsFlagsTruncated = TC_b,\n DnsResponseName = answers_s,\n DnsQuery = query_s,\n DnsQueryTypeName = qtype_name_s,\n DstIpAddr = id_resp_h_s,\n DnsSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n DstDvcId = resp_huid_s,\n SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n EventOriginalUid = uid_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n DnsResponseCode = toint(rcode_d),\n DnsResponseCodeName = toupper(rcode_name_s),\n DnsQueryClass = toint(qclass_d),\n DnsQueryType = toint(qtype_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = case(tolong(rcode_d) > 0, \"Failure\", \"Success\"),\n EventSchema = 'Dns', \n EventSchemaVersion='0.1.3',\n EventType = 'Query',\n EventVendor = 'Vectra AI',\n SrcDvcIdType = 'VectraId',\n DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n SrcPortNumber = 
toint(id_orig_p_d),\n TransactionIdHex = tostring(toint(trans_id_d)),\n EventSubType = iff (saw_reply_b, \"response\", \"request\")\n | lookup DnsClassLookup on DnsQueryClass\n | lookup NetworkProtocolLookup on proto_d\n | extend\n EventResultDetails = DnsResponseCodeName,\n EventStartTime = EventEndTime,\n SessionId = DnsSessionId,\n Domain = DnsQuery,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Dvc = coalesce (DvcId, DvcDescription),\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away\n *_d, *_s, *_b, *_g\n };\nparser(starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json b/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json index 7f3dadca516..4e7d3c0d9ea 100644 --- a/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json +++ b/Parsers/ASimDns/ARM/vimDnsZscalerZIA/vimDnsZscalerZIA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimDnsZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimDnsZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "DNS activity ASIM filtering parser for Zscaler ZIA", - "category": "ASIM", - "FunctionAlias": "vimDnsZscalerZIA", - "query": "let ZscalerDNSevents=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n){\n CommonSecurityLog \n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not(disabled)\n | where DeviceProduct == \"NSSDNSlog\"\n // -- Pre-parsing filtering\n | where\n (eventtype in~ ('lookup', 'Query')\n and (srcipaddr=='*' or SourceIP==srcipaddr)\n and (array_length(domain_has_any) == 0 or DeviceCustomString5 has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DeviceCustomString6,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DeviceCustomString6, response_has_any_prefix))\n and (responsecodename in ('*', 'NOERROR') or DeviceCustomString6 =~ responsecodename)) // NOERROR is determined only later\n | extend\n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 'NOERROR')\n | where\n (responsecodename=='*' or 
EventResultDetails =~ responsecodename)\n // --\n | project-rename\n Dvc=Computer , \n SrcIpAddr = SourceIP, \n SrcUsername = SourceUserName,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n EventProductVersion = DeviceVersion, \n DnsQueryTypeName = DeviceCustomString4, \n DnsQuery = DeviceCustomString5, \n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\n reqaction = DeviceCustomString2, \n resaction = DeviceCustomString3, \n DvcUsername = SourceUserID,\n DvcZone = SourceUserPrivileges,\n SrcHostname = DeviceName,\n NetworkProtocol = Protocol,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n | extend\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA DNS\", \n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\", \n EventEndTime=TimeGenerated, \n SrcUsernameType = \"UPN\",\n EventSubType = iff(resaction == 'None', 'request', 'response'), \n DvcAction = iff(resaction == 'None', reqaction, resaction), \n EventType = 'Query', \n RuleName = strcat (FlexString1, \" / \", FlexString2),\n // -- Adjustment to support both old and new CSL fields.\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \n DnsNetworkDuration = coalesce(\n toint(column_ifexists (\"FieldDeviceCustomNumber1\", int(null))), \n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\n )\n | extend \n EventResult = case (\n EventSubType == 'request', 'NA', \n EventResultDetails == 'NOERROR', 'Success',\n 'Failure'),\n DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\n // -- Aliases\n | extend\n DnsResponseCodeName = EventResultDetails,\n Domain = DnsQuery,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Hostname = SrcHostname,\n Dst = DstIpAddr,\n DvcHostname = Dvc,\n Duration = DnsNetworkDuration,\n User = SrcUsername,\n // -- Entity identifier explicit aliases\n SrcUserUpn = 
SrcUsername\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink, Activity, resaction, reqaction\n };\nZscalerDNSevents (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "DNS activity ASIM filtering parser for Zscaler ZIA", + "category": "ASIM", + "FunctionAlias": "vimDnsZscalerZIA", + "query": "let ZscalerDNSevents=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n){\n CommonSecurityLog \n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not(disabled)\n | where DeviceProduct == \"NSSDNSlog\"\n // -- Pre-parsing filtering\n | where\n (eventtype in~ ('lookup', 'Query')\n and (srcipaddr=='*' or SourceIP==srcipaddr)\n and (array_length(domain_has_any) == 0 or DeviceCustomString5 has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DeviceCustomString6,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 
0 or has_any_ipv4_prefix(DeviceCustomString6, response_has_any_prefix))\n and (responsecodename in ('*', 'NOERROR') or DeviceCustomString6 =~ responsecodename)) // NOERROR is determined only later\n | extend\n EventResultDetails = iff (DeviceCustomString6 matches regex @'^([A-Z_]+)$', DeviceCustomString6, 'NOERROR')\n | where\n (responsecodename=='*' or EventResultDetails =~ responsecodename)\n // --\n | project-rename\n Dvc=Computer , \n SrcIpAddr = SourceIP, \n SrcUsername = SourceUserName,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n EventProductVersion = DeviceVersion, \n DnsQueryTypeName = DeviceCustomString4, \n DnsQuery = DeviceCustomString5, \n SrcUserDepartment = DeviceCustomString1, // Not part of the standard schema\n reqaction = DeviceCustomString2, \n resaction = DeviceCustomString3, \n DvcUsername = SourceUserID,\n DvcZone = SourceUserPrivileges,\n SrcHostname = DeviceName,\n NetworkProtocol = Protocol,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n | extend\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA DNS\", \n EventSchema = \"Dns\",\n EventSchemaVersion=\"0.1.3\", \n EventEndTime=TimeGenerated, \n SrcUsernameType = \"UPN\",\n EventSubType = iff(resaction == 'None', 'request', 'response'), \n DvcAction = iff(resaction == 'None', reqaction, resaction), \n EventType = 'Query', \n RuleName = strcat (FlexString1, \" / \", FlexString2),\n // -- Adjustment to support both old and new CSL fields.\n UrlCategory = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"), extract(\"cat=(.*)\", 1, AdditionalExtensions), \"\"), \n DnsNetworkDuration = coalesce(\n toint(column_ifexists (\"FieldDeviceCustomNumber1\", int(null))), \n toint(column_ifexists (\"DeviceCustomNumber1\",int(null)))\n )\n | extend \n EventResult = case (\n EventSubType == 'request', 'NA', \n EventResultDetails == 'NOERROR', 'Success',\n 'Failure'),\n DnsResponseName = iff 
(EventResultDetails == 'NOERROR', DeviceCustomString6, '')\n // -- Aliases\n | extend\n DnsResponseCodeName = EventResultDetails,\n Domain = DnsQuery,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Hostname = SrcHostname,\n Dst = DstIpAddr,\n DvcHostname = Dvc,\n Duration = DnsNetworkDuration,\n User = SrcUsername,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink, Activity, resaction, reqaction\n };\nZscalerDNSevents (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json b/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json index 1dfda1eab21..e455ffbddea 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File event ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimFileEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimFileEventEmpty,\n ASimFileEventLinuxSysmonFileCreated(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileCreated' in (DisabledParsers) ))),\n ASimFileEventLinuxSysmonFileDeleted(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileDeleted' in (DisabledParsers) ))),\n ASimFileEventAzureBlobStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureBlobStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoft365D' in (DisabledParsers) ))),\n ASimFileEventAzureFileStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureFileStorage' in (DisabledParsers) ))),\n ASimFileEventAzureQueueStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureQueueStorage' in (DisabledParsers) ))),\n 
ASimFileEventMicrosoftSharePoint(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSharePoint' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n ASimFileEventAzureTableStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureTableStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSecurityEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSecurityEvents' in (DisabledParsers) ))),\n ASimFileEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventNative' in (DisabledParsers) ))),\n ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) ))),\n ASimFileEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimFileEventGoogleWorkspace(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventGoogleWorkspace' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File event ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimFileEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet 
parser=(pack:bool=false){\nunion isfuzzy=true\n vimFileEventEmpty,\n ASimFileEventLinuxSysmonFileCreated(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileCreated' in (DisabledParsers) ))),\n ASimFileEventLinuxSysmonFileDeleted(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileDeleted' in (DisabledParsers) ))),\n ASimFileEventAzureBlobStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureBlobStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoft365D' in (DisabledParsers) ))),\n ASimFileEventAzureFileStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureFileStorage' in (DisabledParsers) ))),\n ASimFileEventAzureQueueStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureQueueStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSharePoint(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSharePoint' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n ASimFileEventAzureTableStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureTableStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSecurityEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSecurityEvents' in (DisabledParsers) ))),\n ASimFileEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventNative' in (DisabledParsers) ))),\n ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) ))),\n 
ASimFileEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimFileEventGoogleWorkspace(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventGoogleWorkspace' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/ASimFileEventAzureBlobStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/ASimFileEventAzureBlobStorage.json index c3d5f4a32c8..d552ccaef2a 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/ASimFileEventAzureBlobStorage.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureBlobStorage/ASimFileEventAzureBlobStorage.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventAzureBlobStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventAzureBlobStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM parser for Azure Blob Storage", - "category": "ASIM", - "FunctionAlias": "ASimFileEventAzureBlobStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled: bool=false)\n{\n let bloboperations=datatable(OperationName: string, EventType: string)\n[\n \"PutBlock\", \"FileCreated\",\n \"PutBlob\", \"FileCreated\",\n \"PutPage\", \"FileCreated\",\n \"CreateContainer\", \"FolderCreated\",\n \"CopyBlob\", \"FileCopied\",\n \"QueryBlobContents\", \"FileAccessed\",\n \"GetBlob\", \"FileAccessed\",\n \"AppendBlock\", \"FileModified\",\n \"ClearPage\", \"FileModified\",\n \"PutBlockFromURL\", \"FileModified\",\n \"DeleteBlob\", \"FileDeleted\",\n \"DeleteContainer\", \"FolderDeleted\"\n];\n StorageBlobLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (bloboperations)\n //\n | lookup bloboperations on OperationName\n | project-rename \n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n HttpUserAgent=UserAgentHeader\n ,\n TargetUrl=Uri\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 
'Failure') \n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(TargetUrl, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM parser for Azure Blob Storage", + "category": "ASIM", + "FunctionAlias": "ASimFileEventAzureBlobStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled: bool=false)\n{\n let bloboperations=datatable(OperationName: string, EventType: string)\n[\n \"PutBlock\", \"FileCreated\",\n \"PutBlob\", \"FileCreated\",\n \"PutPage\", \"FileCreated\",\n \"CreateContainer\", \"FolderCreated\",\n \"CopyBlob\", \"FileCopied\",\n \"QueryBlobContents\", \"FileAccessed\",\n \"GetBlob\", \"FileAccessed\",\n \"AppendBlock\", \"FileModified\",\n \"ClearPage\", \"FileModified\",\n \"PutBlockFromURL\", \"FileModified\",\n \"DeleteBlob\", \"FileDeleted\",\n \"DeleteContainer\", \"FolderDeleted\"\n];\n StorageBlobLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (bloboperations)\n //\n | lookup bloboperations on OperationName\n | project-rename \n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n HttpUserAgent=UserAgentHeader\n ,\n TargetUrl=Uri\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventProduct='Azure File Storage' \n ,\n 
EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(TargetUrl, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/ASimFileEventAzureFileStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/ASimFileEventAzureFileStorage.json index d66a6c84c8b..cae7100caa6 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/ASimFileEventAzureFileStorage.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureFileStorage/ASimFileEventAzureFileStorage.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventAzureFileStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventAzureFileStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM parser for Azure File Storage", - "category": "ASIM", - "FunctionAlias": "ASimFileEventAzureFileStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled:bool=false){\nlet fileoperations=datatable(OperationName:string, EventType:string)[\n\"DeleteFile\", \"FileDeleted\"\n, \"DeleteDirectory\", \"FolderDeleted\"\n, \"GetFile\", \"FileAccessed\"\n, \"CopyFile\", \"FileCopied\"\n, \"CreateFileSnapshot\", \"FileCreated\"\n, \"CreateDirectory\", \"FolderCreated\"\n, \"CreateFile\", \"FileCreated\"\n, \"CreateShare\", \"FolderCreated\"\n, \"DeleteShare\", \"FileDeleted\"\n, \"PutRange\", \"FileModified\"\n, \"CopyFileDestination\", \"FileCopied\"\n, \"CopyFileSource\", \"FileCopied\"\n];\nStorageFileLogs\n| where not(disabled)\n// **** relevant data filtering;\n| where OperationName in (fileoperations)\n//\n| extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n//\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n \t, EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n\t, 
TargetFilePath=tostring(split(Uri,'?')[0]) \n\t, TargetFilePathType='URL'\n \t, TargetUrl=Uri\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n \t, HttpUserAgent=UserAgentHeader\n| extend TargetFileName=tostring(split(TargetFilePath,'/')[-1])\n| lookup fileoperations on OperationName\n// Aliases\n| extend \n FilePath=TargetFilePath\n };\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM parser for Azure File Storage", + "category": "ASIM", + "FunctionAlias": "ASimFileEventAzureFileStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled:bool=false){\nlet fileoperations=datatable(OperationName:string, EventType:string)[\n\"DeleteFile\", \"FileDeleted\"\n, \"DeleteDirectory\", \"FolderDeleted\"\n, \"GetFile\", \"FileAccessed\"\n, \"CopyFile\", \"FileCopied\"\n, \"CreateFileSnapshot\", \"FileCreated\"\n, \"CreateDirectory\", \"FolderCreated\"\n, \"CreateFile\", \"FileCreated\"\n, \"CreateShare\", \"FolderCreated\"\n, \"DeleteShare\", \"FileDeleted\"\n, \"PutRange\", \"FileModified\"\n, \"CopyFileDestination\", \"FileCopied\"\n, \"CopyFileSource\", \"FileCopied\"\n];\nStorageFileLogs\n| where not(disabled)\n// **** relevant data filtering;\n| where OperationName in (fileoperations)\n//\n| extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n//\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n \t, EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n\t, TargetFilePath=tostring(split(Uri,'?')[0]) \n\t, TargetFilePathType='URL'\n \t, TargetUrl=Uri\n , 
SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n \t, HttpUserAgent=UserAgentHeader\n| extend TargetFileName=tostring(split(TargetFilePath,'/')[-1])\n| lookup fileoperations on OperationName\n// Aliases\n| extend \n FilePath=TargetFilePath\n };\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/ASimFileEventAzureQueueStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/ASimFileEventAzureQueueStorage.json index 8c06b130232..966e33d2762 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/ASimFileEventAzureQueueStorage.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureQueueStorage/ASimFileEventAzureQueueStorage.json 
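Review bot: `SrcPortNumber=tostring(split(CallerIpAddress,':')[0])` takes element 0, the same element already used for `SrcIpAddr`, so the normalized source port is populated with the caller's IP address; the Blob Storage parser earlier in this diff uses `[1]`, and this query should too: `SrcPortNumber=toint(split(CallerIpAddress,':')[1])`. ASIM defines SrcPortNumber as an integer, so `toint` is the better cast, and detections that pivot on source port would otherwise silently match nothing for this source. `CallerIpAddress` for IPv6 callers is unlikely to split cleanly on ':' — worth confirming against sample StorageFileLogs rows before relying on either field. If these ARM templates are generated from the YAML parser definitions (the repo's convertKqlFunctionYamlToArmTemplate workflow suggests so), the fix belongs in the YAML followed by a regeneration.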
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventAzureQueueStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventAzureQueueStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM parser for Azure Queue Storage", - "category": "ASIM", - "FunctionAlias": "ASimFileEventAzureQueueStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled: bool=false)\n{\n let queueoperations=datatable(OperationName: string, EventType: string)\n[\n \"ClearMessages\", \"FileDeleted\"\n ,\n \"CreateQueue\", \"FileCreated\"\n ,\n \"DeleteQueue\", \"FileDeleted\"\n ,\n \"DeleteMessage\", \"FileDeleted\"\n ,\n \"GetQueue\", \"FileAccessed\"\n ,\n \"GetMessage\", \"FileAccessed\"\n ,\n \"GetMessages\", \"FileAccessed\"\n ,\n \"PeekMessage\", \"FileAccessed\"\n ,\n \"PeekMessages\", \"FileAccessed\"\n ,\n \"PutMessage\", \"FileCreated\"\n ,\n \"UpdateMessage\", \"FileModified\" \n];\n StorageQueueLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (queueoperations)\n //\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n 
EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup queueoperations on OperationName\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM parser for Azure Queue Storage", + "category": "ASIM", + "FunctionAlias": "ASimFileEventAzureQueueStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled: bool=false)\n{\n let queueoperations=datatable(OperationName: string, EventType: string)\n[\n \"ClearMessages\", \"FileDeleted\"\n ,\n \"CreateQueue\", \"FileCreated\"\n ,\n \"DeleteQueue\", \"FileDeleted\"\n ,\n \"DeleteMessage\", \"FileDeleted\"\n ,\n \"GetQueue\", \"FileAccessed\"\n ,\n \"GetMessage\", \"FileAccessed\"\n ,\n \"GetMessages\", \"FileAccessed\"\n ,\n \"PeekMessage\", \"FileAccessed\"\n ,\n \"PeekMessages\", \"FileAccessed\"\n ,\n \"PutMessage\", \"FileCreated\"\n ,\n \"UpdateMessage\", \"FileModified\" \n];\n StorageQueueLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (queueoperations)\n //\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n 
TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup queueoperations on OperationName\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureTableStorage/ASimFileEventAzureTableStorage.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureTableStorage/ASimFileEventAzureTableStorage.json index f9c39d9f89d..b2721b7104d 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventAzureTableStorage/ASimFileEventAzureTableStorage.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventAzureTableStorage/ASimFileEventAzureTableStorage.json 
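Review bot: `EventProduct='Azure File Storage'` in the Queue Storage query is a copy-paste leftover — this function reads `StorageQueueLogs` and is named for Queue Storage, so the label should be `EventProduct='Azure Queue Storage'`; as written, anyone filtering normalized FileEvent rows by product cannot separate queue operations from file-share operations. The same hunk repeats `SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])`, which yields the IP rather than the port; use `[1]` as the Blob parser in this diff does, and `toint` to match the field's integer type. If the ARM JSON is generated from the parser YAML, apply both fixes there and regenerate.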
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventAzureTableStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventAzureTableStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM parser for Azure Table Storage", - "category": "ASIM", - "FunctionAlias": "ASimFileEventAzureTableStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled:bool=false){\nlet tableoperations=datatable(OperationName:string, EventType:string)[\n, \"CreateTable\", \"FileCreated\"\n, \"DeleteTable\", \"FileDeleted\"\n, \"DeleteEntity\", \"FileModified\"\n, \"InsertEntity\", \"FileModified\"\n, \"InsertOrMergeEntity\", \"FileModified\"\n, \"InsertOrReplaceEntity\", \"FileModified\"\n, \"QueryEntity\", \"FileAccessed\"\n, \"QueryEntities\", \"FileAccessed\"\n, \"QueryTable\", \"FileAccessed\"\n, \"QueryTables\", \"FileAccessed\"\n, \"UpdateEntity\", \"FileModified\"\n, \"MergeEntity\", \"FileModified\"\n ];\n StorageTableLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (tableoperations)\n //\n | extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n , EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , 
EventSchemaVersion='0.1.0'\n , TargetFilePath=tostring(split(Uri,'?')[0]) \n , TargetFilePathType='URL'\n , TargetUrl=Uri\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n , HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n | lookup tableoperations on OperationName\n // Aliases\n | extend \n FilePath=TargetFilePath\n };\n parser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM parser for Azure Table Storage", + "category": "ASIM", + "FunctionAlias": "ASimFileEventAzureTableStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(disabled:bool=false){\nlet tableoperations=datatable(OperationName:string, EventType:string)[\n, \"CreateTable\", \"FileCreated\"\n, \"DeleteTable\", \"FileDeleted\"\n, \"DeleteEntity\", \"FileModified\"\n, \"InsertEntity\", \"FileModified\"\n, \"InsertOrMergeEntity\", \"FileModified\"\n, \"InsertOrReplaceEntity\", \"FileModified\"\n, \"QueryEntity\", \"FileAccessed\"\n, \"QueryEntities\", \"FileAccessed\"\n, \"QueryTable\", \"FileAccessed\"\n, \"QueryTables\", \"FileAccessed\"\n, \"UpdateEntity\", \"FileModified\"\n, \"MergeEntity\", \"FileModified\"\n ];\n StorageTableLogs\n | where not(disabled)\n // **** relevant data filtering;\n | where OperationName in (tableoperations)\n //\n | extend \n EventCount=int(1)\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n , EventOriginalUid = CorrelationId\n , EventOriginalType=OperationName\n , EventProduct='Azure File Storage' \n , EventVendor='Microsoft'\n , EventSchemaVersion='0.1.0'\n , TargetFilePath=tostring(split(Uri,'?')[0]) \n , 
TargetFilePathType='URL'\n , TargetUrl=Uri\n , SrcIpAddr=tostring(split(CallerIpAddress,':')[0])\n , SrcPortNumber=tostring(split(CallerIpAddress,':')[0])\n , HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])\n | lookup tableoperations on OperationName\n // Aliases\n | extend \n FilePath=TargetFilePath\n };\n parser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventGoogleWorkspace/ASimFileEventGoogleWorkspace.json b/Parsers/ASimFileEvent/ARM/ASimFileEventGoogleWorkspace/ASimFileEventGoogleWorkspace.json index 9e9bbc90481..5c915d28366 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventGoogleWorkspace/ASimFileEventGoogleWorkspace.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventGoogleWorkspace/ASimFileEventGoogleWorkspace.json 
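Review bot: `split(TargetFilePath,'/')['-1']` indexes the split array with the string `'-1'` rather than the integer `-1`; on a dynamic array a string key is treated as a property lookup and returns null, so `TargetFileName` comes out empty for every table operation — the sibling parsers use `[-1]`. The same query also labels table operations `EventProduct='Azure File Storage'` (should be `'Azure Table Storage'`), takes `SrcPortNumber` from element `[0]` instead of `[1]`, and opens the `tableoperations` datatable body with a stray leading comma before `"CreateTable"`, which I would expect KQL to reject — worth executing the function against a workspace. If this template is generated from the YAML parser definition, fix the YAML and regenerate.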
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventGoogleWorkspace')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventGoogleWorkspace", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File events ASIM parser for Google Workspace", - "category": "ASIM", - "FunctionAlias": "ASimFileEventGoogleWorkspace", - "query": "let parser = (\n disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n doc_type_s: string,\n doc_title_s: string,\n originating_app_id_s: string,\n id_applicationName_s: string,\n old_value_s: string,\n new_value_s: string,\n destination_folder_title_s: string,\n source_folder_title_s: string,\n copy_type_s: string,\n target_user_s: string,\n doc_id_s: string,\n primary_event_b: bool,\n billable_b: bool,\n owner_s: string,\n owner_is_shared_drive_b: bool,\n is_encrypted_b: bool,\n visibility_s: string,\n shared_drive_id_s: string,\n destination_folder_id_s: string,\n source_folder_id_s: string,\n TimeGenerated: datetime,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string,\n _ItemId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventSubType: string\n)\n [\n \"download\", \"FileAccessed\", \"Download\",\n \"edit\", \"FileModified\", \"Checkin\",\n 
\"upload\", \"FileCreated\", \"Upload\",\n \"create\", \"FileCreated\", \"Checkin\",\n \"rename\", \"FileRenamed\", \"\",\n \"view\", \"FileAccessed\", \"Preview\",\n \"preview\", \"FileAccessed\", \"Preview\",\n \"copy\", \"FileCopied\", \"\",\n \"source_copy\", \"FileCopied\", \"\",\n \"delete\", \"FileDeleted\", \"\",\n \"trash\", \"FileDeleted\", \"Recycle\",\n \"move\", \"FileMoved\", \"\",\n \"untrash\", \"FileCreatedOrModified\", \"Checkin\",\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\n \"request_access\", \"FileAccessed\", \"Preview\",\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\n \"approval_canceled\", \"FileAccessed\", \"\",\n \"approval_comment_added\", \"FileAccessed\", \"\",\n \"approval_completed\", \"FileAccessed\", \"Preview\",\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\n \"approval_due_time_change\", \"FileAccessed\", \"\",\n \"approval_requested\", \"FileAccessed\", \"Preview\",\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\n \"create_comment\", \"FileModified\", \"Checkin\",\n \"delete_comment\", \"FileModified\", \"Checkin\",\n \"edit_comment\", \"FileModified\", \"Checkin\",\n \"reassign_comment\", \"FileModified\", \"Checkin\",\n \"reopen_comment\", \"FileModified\", \"Checkin\",\n \"resolve_comment\", \"FileModified\", \"Checkin\",\n \"add_lock\", \"FileModified\", \"\",\n \"print\", \"FileAccessed\", \"Print\",\n \"remove_from_folder\", \"FileDeleted\", \"\",\n \"remove_lock\", \"FileModified\", \"\",\n];\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\n | where not(disabled)\n | where event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | project-rename \n EventOriginalUid = id_uniqueQualifier_s,\n 
ActorUsername = actor_email_s,\n ActorUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n TargetFileMimeType = doc_type_s,\n TargetFilePath = doc_title_s,\n ActingAppId = originating_app_id_s,\n EventOriginalType=event_type_s\n | extend\n TargetAppName = iif(id_applicationName_s == 'drive', \"Google Workspace - Drive\", \"\"),\n TargetAppType = iif(id_applicationName_s == 'drive', \"SaaS application\", \"\"),\n ActorUserIdType = iif(isnotempty(ActorUserId), \"GWorkspaceProfileID\", \"\"),\n SrcFilePath = iif(event_name_s has_any ('rename', 'copy', 'source_copy'), old_value_s, \"\"),\n TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, TargetFilePath),\n TargetFileDirectory = iif(event_name_s has_any ('move'), destination_folder_title_s, \"\"),\n SrcFileDirectory = iif(event_name_s has_any ('move'), source_folder_title_s, \"\"),\n EventType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"FolderCreated\",\n TargetFileMimeType == \"folder\" and event_name_s == \"rename\",\n \"FolderModified\",\n TargetFileMimeType == \"folder\" and event_name_s == \"delete\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"move\",\n \"FolderMoved\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"FolderCreated\",\n EventType\n ),\n EventSubType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"\",\n EventSubType\n ),\n EventMessage = case(\n event_name_s == 'download',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'edit',\n strcat(ActorUsername, \" edited an item\"),\n event_name_s == 'upload',\n strcat(ActorUsername, \" uploaded an item\"),\n event_name_s == 'create',\n strcat(ActorUsername, \" 
created an item\"),\n event_name_s == 'rename',\n strcat(ActorUsername, \" renamed \", old_value_s, \" to \", TargetFilePath),\n event_name_s == 'view',\n strcat(ActorUsername, \" viewed an item\"),\n event_name_s == 'preview',\n strcat(ActorUsername, \" previewed an item\"),\n event_name_s == 'copy',\n strcat(ActorUsername, \" created a copy of original document \", old_value_s),\n event_name_s == 'delete',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'trash',\n strcat(ActorUsername, \" trashed an item\"),\n event_name_s == 'move',\n strcat(ActorUsername, \" moved an item from \", source_folder_title_s, \" to \", destination_folder_title_s),\n event_name_s == 'untrash',\n strcat(ActorUsername, \" restored an item\"),\n event_name_s == 'source_copy',\n strcat(ActorUsername, \" copied this item, creating a new item \", copy_type_s, \" your organication \", new_value_s),\n event_name_s == 'deny_access_request',\n strcat(ActorUsername, \" denied an access request for \", target_user_s),\n event_name_s == 'expire_access_request',\n strcat(\"An access request for \", target_user_s, \" expired \"),\n event_name_s == 'request_access',\n strcat(ActorUsername, \" requested access to an item for \", target_user_s),\n event_name_s == 'add_to_folder',\n strcat(ActorUsername, \" added an item to \", destination_folder_title_s),\n event_name_s == 'approval_canceled',\n strcat(ActorUsername, \" canceled an approval on an item\"),\n event_name_s == 'approval_comment_added',\n strcat(ActorUsername, \" added a comment on an approval on an item\"),\n event_name_s == 'approval_completed',\n \"An approval was completed\",\n event_name_s == 'approval_decisions_reset',\n \"Approval decisions were reset\",\n event_name_s == 'approval_due_time_change',\n strcat(ActorUsername, \" requested a due time change on an approval\"),\n event_name_s == 'approval_requested',\n strcat(ActorUsername, \" requested approval on an item\"),\n event_name_s == 
'approval_reviewer_change',\n strcat(ActorUsername, \" requested a reviewer change on an approval\"),\n event_name_s == 'approval_reviewer_responded',\n strcat(ActorUsername, \" reviewed an approval on an item\"),\n event_name_s == 'create_comment',\n strcat(ActorUsername, \" created a comment\"),\n event_name_s == 'delete_comment',\n strcat(ActorUsername, \" deleted a comment\"),\n event_name_s == 'edit_comment',\n strcat(ActorUsername, \" edited a comment\"),\n event_name_s == 'reassign_comment',\n strcat(ActorUsername, \" reassigned a comment\"),\n event_name_s == 'reopen_comment',\n strcat(ActorUsername, \" reopened a comment\"),\n event_name_s == 'resolve_comment',\n strcat(ActorUsername, \" resolved a comment\"),\n event_name_s == 'add_lock',\n strcat(ActorUsername, \" locked an item\"),\n event_name_s == 'print',\n strcat(ActorUsername, \" printed an item\"),\n event_name_s == 'remove_from_folder',\n strcat(ActorUsername, \" removed an item from from \", source_folder_title_s),\n event_name_s == 'remove_lock',\n strcat(ActorUsername, \" unlocked an item\"),\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"Doc_Id\",\n doc_id_s,\n \"Primary_Event\",\n primary_event_b,\n \"Billable\",\n billable_b,\n \"Owner\",\n owner_s,\n \"Owner_Is_Shared_Drive\",\n owner_is_shared_drive_b,\n \"Is_Encrypted\",\n is_encrypted_b,\n \"Visibility\",\n visibility_s,\n \"Copy_Type\",\n copy_type_s,\n \"Shared_Drive_Id\",\n shared_drive_id_s,\n \"Destination_Folder_Id\",\n destination_folder_id_s,\n \"Source_Folder_Id\",\n source_folder_id_s\n )\n | extend\n EventOriginalSubType = event_name_s,\n Application = TargetAppName,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetFileName=TargetFilePath,\n FilePath = TargetFilePath,\n TargetFilePathType = iif(isnotempty(TargetFilePath), \"FileNameOnly\", \"\"),\n SrcFilePathType = iif(isnotempty(SrcFilePath), \"FileNameOnly\", \"\"),\n FileName = TargetFilePath,\n SrcFileName = 
SrcFilePath,\n User = ActorUsername,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.2.1\",\n EventSchema = \"FileEvent\",\n EventUid = _ItemId,\n Dvc = \"Workspace\"\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File events ASIM parser for Google Workspace", + "category": "ASIM", + "FunctionAlias": "ASimFileEventGoogleWorkspace", + "query": "let parser = (\n disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n doc_type_s: string,\n doc_title_s: string,\n originating_app_id_s: string,\n id_applicationName_s: string,\n old_value_s: string,\n new_value_s: string,\n destination_folder_title_s: string,\n source_folder_title_s: string,\n copy_type_s: string,\n target_user_s: string,\n doc_id_s: string,\n primary_event_b: bool,\n billable_b: bool,\n owner_s: string,\n owner_is_shared_drive_b: bool,\n is_encrypted_b: bool,\n visibility_s: string,\n shared_drive_id_s: string,\n destination_folder_id_s: string,\n source_folder_id_s: string,\n TimeGenerated: datetime,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string,\n _ItemId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventSubType: string\n)\n [\n \"download\", \"FileAccessed\", \"Download\",\n \"edit\", \"FileModified\", \"Checkin\",\n \"upload\", \"FileCreated\", \"Upload\",\n \"create\", \"FileCreated\", 
\"Checkin\",\n \"rename\", \"FileRenamed\", \"\",\n \"view\", \"FileAccessed\", \"Preview\",\n \"preview\", \"FileAccessed\", \"Preview\",\n \"copy\", \"FileCopied\", \"\",\n \"source_copy\", \"FileCopied\", \"\",\n \"delete\", \"FileDeleted\", \"\",\n \"trash\", \"FileDeleted\", \"Recycle\",\n \"move\", \"FileMoved\", \"\",\n \"untrash\", \"FileCreatedOrModified\", \"Checkin\",\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\n \"request_access\", \"FileAccessed\", \"Preview\",\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\n \"approval_canceled\", \"FileAccessed\", \"\",\n \"approval_comment_added\", \"FileAccessed\", \"\",\n \"approval_completed\", \"FileAccessed\", \"Preview\",\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\n \"approval_due_time_change\", \"FileAccessed\", \"\",\n \"approval_requested\", \"FileAccessed\", \"Preview\",\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\n \"create_comment\", \"FileModified\", \"Checkin\",\n \"delete_comment\", \"FileModified\", \"Checkin\",\n \"edit_comment\", \"FileModified\", \"Checkin\",\n \"reassign_comment\", \"FileModified\", \"Checkin\",\n \"reopen_comment\", \"FileModified\", \"Checkin\",\n \"resolve_comment\", \"FileModified\", \"Checkin\",\n \"add_lock\", \"FileModified\", \"\",\n \"print\", \"FileAccessed\", \"Print\",\n \"remove_from_folder\", \"FileDeleted\", \"\",\n \"remove_lock\", \"FileModified\", \"\",\n];\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\n | where not(disabled)\n | where event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | project-rename \n EventOriginalUid = id_uniqueQualifier_s,\n ActorUsername = actor_email_s,\n ActorUserId = actor_profileId_s,\n SrcIpAddr = 
IPAddress,\n TargetFileMimeType = doc_type_s,\n TargetFilePath = doc_title_s,\n ActingAppId = originating_app_id_s,\n EventOriginalType=event_type_s\n | extend\n TargetAppName = iif(id_applicationName_s == 'drive', \"Google Workspace - Drive\", \"\"),\n TargetAppType = iif(id_applicationName_s == 'drive', \"SaaS application\", \"\"),\n ActorUserIdType = iif(isnotempty(ActorUserId), \"GWorkspaceProfileID\", \"\"),\n SrcFilePath = iif(event_name_s has_any ('rename', 'copy', 'source_copy'), old_value_s, \"\"),\n TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, TargetFilePath),\n TargetFileDirectory = iif(event_name_s has_any ('move'), destination_folder_title_s, \"\"),\n SrcFileDirectory = iif(event_name_s has_any ('move'), source_folder_title_s, \"\"),\n EventType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"FolderCreated\",\n TargetFileMimeType == \"folder\" and event_name_s == \"rename\",\n \"FolderModified\",\n TargetFileMimeType == \"folder\" and event_name_s == \"delete\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"move\",\n \"FolderMoved\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"FolderCreated\",\n EventType\n ),\n EventSubType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"\",\n EventSubType\n ),\n EventMessage = case(\n event_name_s == 'download',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'edit',\n strcat(ActorUsername, \" edited an item\"),\n event_name_s == 'upload',\n strcat(ActorUsername, \" uploaded an item\"),\n event_name_s == 'create',\n strcat(ActorUsername, \" created an item\"),\n event_name_s == 'rename',\n strcat(ActorUsername, \" renamed \", 
old_value_s, \" to \", TargetFilePath),\n event_name_s == 'view',\n strcat(ActorUsername, \" viewed an item\"),\n event_name_s == 'preview',\n strcat(ActorUsername, \" previewed an item\"),\n event_name_s == 'copy',\n strcat(ActorUsername, \" created a copy of original document \", old_value_s),\n event_name_s == 'delete',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'trash',\n strcat(ActorUsername, \" trashed an item\"),\n event_name_s == 'move',\n strcat(ActorUsername, \" moved an item from \", source_folder_title_s, \" to \", destination_folder_title_s),\n event_name_s == 'untrash',\n strcat(ActorUsername, \" restored an item\"),\n event_name_s == 'source_copy',\n strcat(ActorUsername, \" copied this item, creating a new item \", copy_type_s, \" your organication \", new_value_s),\n event_name_s == 'deny_access_request',\n strcat(ActorUsername, \" denied an access request for \", target_user_s),\n event_name_s == 'expire_access_request',\n strcat(\"An access request for \", target_user_s, \" expired \"),\n event_name_s == 'request_access',\n strcat(ActorUsername, \" requested access to an item for \", target_user_s),\n event_name_s == 'add_to_folder',\n strcat(ActorUsername, \" added an item to \", destination_folder_title_s),\n event_name_s == 'approval_canceled',\n strcat(ActorUsername, \" canceled an approval on an item\"),\n event_name_s == 'approval_comment_added',\n strcat(ActorUsername, \" added a comment on an approval on an item\"),\n event_name_s == 'approval_completed',\n \"An approval was completed\",\n event_name_s == 'approval_decisions_reset',\n \"Approval decisions were reset\",\n event_name_s == 'approval_due_time_change',\n strcat(ActorUsername, \" requested a due time change on an approval\"),\n event_name_s == 'approval_requested',\n strcat(ActorUsername, \" requested approval on an item\"),\n event_name_s == 'approval_reviewer_change',\n strcat(ActorUsername, \" requested a reviewer change on an approval\"),\n 
event_name_s == 'approval_reviewer_responded',\n strcat(ActorUsername, \" reviewed an approval on an item\"),\n event_name_s == 'create_comment',\n strcat(ActorUsername, \" created a comment\"),\n event_name_s == 'delete_comment',\n strcat(ActorUsername, \" deleted a comment\"),\n event_name_s == 'edit_comment',\n strcat(ActorUsername, \" edited a comment\"),\n event_name_s == 'reassign_comment',\n strcat(ActorUsername, \" reassigned a comment\"),\n event_name_s == 'reopen_comment',\n strcat(ActorUsername, \" reopened a comment\"),\n event_name_s == 'resolve_comment',\n strcat(ActorUsername, \" resolved a comment\"),\n event_name_s == 'add_lock',\n strcat(ActorUsername, \" locked an item\"),\n event_name_s == 'print',\n strcat(ActorUsername, \" printed an item\"),\n event_name_s == 'remove_from_folder',\n strcat(ActorUsername, \" removed an item from from \", source_folder_title_s),\n event_name_s == 'remove_lock',\n strcat(ActorUsername, \" unlocked an item\"),\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"Doc_Id\",\n doc_id_s,\n \"Primary_Event\",\n primary_event_b,\n \"Billable\",\n billable_b,\n \"Owner\",\n owner_s,\n \"Owner_Is_Shared_Drive\",\n owner_is_shared_drive_b,\n \"Is_Encrypted\",\n is_encrypted_b,\n \"Visibility\",\n visibility_s,\n \"Copy_Type\",\n copy_type_s,\n \"Shared_Drive_Id\",\n shared_drive_id_s,\n \"Destination_Folder_Id\",\n destination_folder_id_s,\n \"Source_Folder_Id\",\n source_folder_id_s\n )\n | extend\n EventOriginalSubType = event_name_s,\n Application = TargetAppName,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetFileName=TargetFilePath,\n FilePath = TargetFilePath,\n TargetFilePathType = iif(isnotempty(TargetFilePath), \"FileNameOnly\", \"\"),\n SrcFilePathType = iif(isnotempty(SrcFilePath), \"FileNameOnly\", \"\"),\n FileName = TargetFilePath,\n SrcFileName = SrcFilePath,\n User = ActorUsername,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n 
EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.2.1\",\n EventSchema = \"FileEvent\",\n EventUid = _ItemId,\n Dvc = \"Workspace\"\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileCreated/ASimFileEventLinuxSysmonFileCreated.json b/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileCreated/ASimFileEventLinuxSysmonFileCreated.json index 433d75b8b3f..e01e8ea3e04 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileCreated/ASimFileEventLinuxSysmonFileCreated.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileCreated/ASimFileEventLinuxSysmonFileCreated.json 
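Review bot: The `EventMessage` branch for `event_name_s == 'download'` builds `strcat(ActorUsername, " deleted an item")`, so a download is reported to analysts as a deletion — misleading for exactly the data-exfiltration event this parser exists to surface; it should read `" downloaded an item"`. Two smaller wording defects sit in the same `case`: `" your organication "` (organization) in the `source_copy` message and the doubled `" removed an item from from "` in `remove_from_folder`. `EventResult = "Success"` is hard-coded for every row, including `deny_access_request` and `expire_access_request`; that is defensible for an audit feed but deserves a comment stating that Drive audit events carry no outcome of their own. If this ARM JSON is generated from the parser YAML, make the changes there and regenerate.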
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventLinuxSysmonFileCreated')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventLinuxSysmonFileCreated", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File create Activity ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "ASimFileEventLinuxSysmonFileCreated", - "query": "let parser = (\n disabled: bool=false\n)\n{\nSyslog\n| where not(disabled)\n| where SyslogMessage has_all ('11')\n| parse SyslogMessage with *\n ''msgEventRecordID:string''\n *\n //''msgComputer:string''\n ''\n * \n ''msgProcessGuid:string''\n ''msgProcessId:string''\n ''msgImage:string''\n ''msgTargetFileName:string''\n ''msgCreationUtcTime:datetime''*\n| parse SyslogMessage with *''ActorUsername ''*\n| extend\n EventCount=int(1)\n , EventStartTime =TimeGenerated \n , EventEndTime=TimeGenerated\n , EventType = 'FileCreated'\n , EventResult ='Success'\n , EventOriginalType ='11' \n , EventProduct='Sysmon for Linux'\n , EventProductVersion='v13.22'\n , EventVendor ='Microsoft'\n , EventSchemaVersion ='0.1.0'\n , DvcOs = 'Linux'\n , TargetFilePathType='Unix'\n , ActorUserType = iff(isnotempty(ActorUsername),'Simple', '') // make sure user type is okay\n| project-rename\n DvcHostname=Computer\n , EventOriginalUid=msgEventRecordID\n , ActingProcessName =msgImage\n , ActingProcessId=msgProcessId\n , ActingProcessGuid=msgProcessGuid\n , TargetFilePath =msgTargetFileName\n , TargetFileCreationTime =msgCreationUtcTime\n // ------ Alias\n| extend\n 
Process=ActingProcessName\n , FilePath=TargetFilePath\n , Dvc = DvcHostname\n , User = ActorUsername\n| project-away SyslogMessage\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File create Activity ASIM parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "ASimFileEventLinuxSysmonFileCreated", + "query": "let parser = (\n disabled: bool=false\n)\n{\nSyslog\n| where not(disabled)\n| where SyslogMessage has_all ('11')\n| parse SyslogMessage with *\n ''msgEventRecordID:string''\n *\n //''msgComputer:string''\n ''\n * \n ''msgProcessGuid:string''\n ''msgProcessId:string''\n ''msgImage:string''\n ''msgTargetFileName:string''\n ''msgCreationUtcTime:datetime''*\n| parse SyslogMessage with *''ActorUsername ''*\n| extend\n EventCount=int(1)\n , EventStartTime =TimeGenerated \n , EventEndTime=TimeGenerated\n , EventType = 'FileCreated'\n , EventResult ='Success'\n , EventOriginalType ='11' \n , EventProduct='Sysmon for Linux'\n , EventProductVersion='v13.22'\n , EventVendor ='Microsoft'\n , EventSchemaVersion ='0.1.0'\n , DvcOs = 'Linux'\n , TargetFilePathType='Unix'\n , ActorUserType = iff(isnotempty(ActorUsername),'Simple', '') // make sure user type is okay\n| project-rename\n DvcHostname=Computer\n , EventOriginalUid=msgEventRecordID\n , ActingProcessName =msgImage\n , ActingProcessId=msgProcessId\n , ActingProcessGuid=msgProcessGuid\n , TargetFilePath =msgTargetFileName\n , TargetFileCreationTime =msgCreationUtcTime\n // ------ Alias\n| extend\n Process=ActingProcessName\n , FilePath=TargetFilePath\n , Dvc = DvcHostname\n , User = ActorUsername\n| project-away SyslogMessage\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileDeleted/ASimFileEventLinuxSysmonFileDeleted.json b/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileDeleted/ASimFileEventLinuxSysmonFileDeleted.json index 1dc3ef2954f..8826b7fe75c 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileDeleted/ASimFileEventLinuxSysmonFileDeleted.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventLinuxSysmonFileDeleted/ASimFileEventLinuxSysmonFileDeleted.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventLinuxSysmonFileDeleted')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventLinuxSysmonFileDeleted", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File delete activity ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "ASimFileEventLinuxSysmonFileDeleted", - "query": "let parser = (\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where SyslogMessage has ('23', '26')\t\n | parse SyslogMessage with \n ''msgEventId: string''\n *\n ''msgEventRecordID: string''\n *\n ''msgComputer: string''\n ''\n *\n '{'msgProcessGuid: string'}'\n ''msgProcessId: string''\n ''msgUser: string''\n ''msgImage: string''\n ''msgTargetFilename: string''\n ''msgHashes: string'' *\t\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileDeleted'\n ,\n EventResult ='Success' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22' \n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUsernameType='Simple'\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n EventOriginalType =msgEventId \n ,\n ActorUsername=msgUser\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFilename\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n 
FilePath=TargetFilePath\n ,\n Dvc =DvcHostname\n ,\n User=ActorUsername\n | project-away SyslogMessage\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File delete activity ASIM parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "ASimFileEventLinuxSysmonFileDeleted", + "query": "let parser = (\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where SyslogMessage has ('23', '26')\t\n | parse SyslogMessage with \n ''msgEventId: string''\n *\n ''msgEventRecordID: string''\n *\n ''msgComputer: string''\n ''\n *\n '{'msgProcessGuid: string'}'\n ''msgProcessId: string''\n ''msgUser: string''\n ''msgImage: string''\n ''msgTargetFilename: string''\n ''msgHashes: string'' *\t\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileDeleted'\n ,\n EventResult ='Success' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22' \n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUsernameType='Simple'\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n EventOriginalType =msgEventId \n ,\n ActorUsername=msgUser\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFilename\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n FilePath=TargetFilePath\n ,\n Dvc =DvcHostname\n ,\n User=ActorUsername\n | project-away SyslogMessage\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoft365D/ASimFileEventMicrosoft365D.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoft365D/ASimFileEventMicrosoft365D.json index 844f2a4d1df..d3101e5376f 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoft365D/ASimFileEventMicrosoft365D.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoft365D/ASimFileEventMicrosoft365D.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM parser for Microsoft 365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoft365D", - "query": "let protocols = dynamic(['smb']);\nlet parser=(disabled:bool=false){\n let remote_events = \n DeviceFileEvents\n | where not(disabled)\n | where isnotempty(RequestAccountName)\n | project-rename \n SrcIpAddr = RequestSourceIP,\n ActorUserSid = RequestAccountSid,\n TargetUserSid = InitiatingProcessAccountSid,\n TargetUserAadId = InitiatingProcessAccountObjectId,\n TargetUserUpn = InitiatingProcessAccountUpn\n | extend\n ActorWindowsUsername = strcat(RequestAccountDomain,'\\\\', RequestAccountName),\n TargetWindowsUsername = strcat(InitiatingProcessAccountDomain,'\\\\', InitiatingProcessAccountName),\n ActorUserUpn = \"\",\n ActorUserAadId = \"\"\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid),\n TargetUserType = _ASIM_GetWindowsUserType(TargetWindowsUsername, TargetUserSid)\n | extend\n SrcPortNumber = toint(RequestSourcePort),\n TargetUsername = coalesce(TargetUserUpn, TargetWindowsUsername),\n TargetUsernameType = iff(isempty(TargetUserUpn), 'Windows', 'UPN'),\n TargetUserId = coalesce(TargetUserAadId, TargetUserSid), \n TargetUserIdType = iff(isempty(TargetUserSid),'AADID','SID'),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n 
;\n let local_events = \n DeviceFileEvents\n | where not(disabled)\n | where isempty(RequestAccountName) \n | project-rename\n ActorUserSid = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn\n | extend \n ActorWindowsUsername = strcat(InitiatingProcessAccountDomain,'\\\\', InitiatingProcessAccountName) \n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid)\n | project-away RequestAccountSid, RequestSourceIP\n ;\n union \n remote_events\n , \n local_events\n | project-rename\n EventType = ActionType,\n DvcId = DeviceId,\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileSHA256 = SHA256,\n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessName =InitiatingProcessFolderPath,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessParentFileName = InitiatingProcessParentFileName,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessParentCreationTime = InitiatingProcessParentCreationTime,\n TargetFileName = FileName,\n SrcFileName = PreviousFileName\n | extend\n DvcOs = iff(FolderPath startswith \"/\", \"Linux\", \"Windows\"),\n TargetFileSize = tolong(FileSize)\n | extend\n EventCount = int(1),\n EventOriginalUid = tostring(ReportId),\n ActingProcessId = tostring(InitiatingProcessId),\n EventStartTime = Timestamp, \n EventEndTime= Timestamp,\n EventResult = 'Success',\n EventProduct = 'M365 Defender for Endpoint',\n EventSchema = 'FileEvent',\n EventVendor = 'Microsoft',\n EventSeverity = 'Informational',\n EventSchemaVersion = '0.2.1',\n DvcIdType = \"MDEid\",\n ActorUsername = coalesce(ActorUserUpn, ActorWindowsUsername),\n ActorUsernameType = iff(isempty(ActorUserUpn), 'Windows', 'UPN'),\n ActorUserId = coalesce(ActorUserAadId, ActorUserSid), \n ActorUserIdType = iff(isempty(ActorUserSid),'AADID','SID'),\n 
TargetFilePath = strcat(FolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), TargetFileName),\n TargetFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n SrcFilePath = strcat(PreviousFolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), SrcFileName),\n SrcFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),\n NetworkApplicationProtocol = iff (RequestProtocol in (protocols), toupper(RequestProtocol), \"\")\n | invoke _ASIM_ResolveDvcFQDN ('DeviceName')\n | project-away DeviceName\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),Hash)]) \n // ****** Aliases\n | extend \n User = ActorUsername,\n Dvc = coalesce(DvcFQDN, DvcHostname),\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n CommandLine = ActingProcessCommandLine,\n DvcMDEid = DvcId,\n FileName = TargetFileName\n | project-away MachineGroup, ReportId, SourceSystem, Initiating*, Timestamp, TenantId, Request*, PreviousFolderPath, FolderPath, AppGuardContainerId\n | project-away ShareName, IsAzureInfoProtectionApplied, FileOrigin*, Sensitivity*\n };\n parser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM parser for Microsoft 365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "ASimFileEventMicrosoft365D", + "query": "let protocols = dynamic(['smb']);\nlet parser=(disabled:bool=false){\n let remote_events = \n DeviceFileEvents\n | where not(disabled)\n | where isnotempty(RequestAccountName)\n | project-rename \n SrcIpAddr = RequestSourceIP,\n ActorUserSid = RequestAccountSid,\n TargetUserSid = InitiatingProcessAccountSid,\n TargetUserAadId = InitiatingProcessAccountObjectId,\n TargetUserUpn = InitiatingProcessAccountUpn\n | extend\n ActorWindowsUsername = 
strcat(RequestAccountDomain,'\\\\', RequestAccountName),\n TargetWindowsUsername = strcat(InitiatingProcessAccountDomain,'\\\\', InitiatingProcessAccountName),\n ActorUserUpn = \"\",\n ActorUserAadId = \"\"\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid),\n TargetUserType = _ASIM_GetWindowsUserType(TargetWindowsUsername, TargetUserSid)\n | extend\n SrcPortNumber = toint(RequestSourcePort),\n TargetUsername = coalesce(TargetUserUpn, TargetWindowsUsername),\n TargetUsernameType = iff(isempty(TargetUserUpn), 'Windows', 'UPN'),\n TargetUserId = coalesce(TargetUserAadId, TargetUserSid), \n TargetUserIdType = iff(isempty(TargetUserSid),'AADID','SID'),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n ;\n let local_events = \n DeviceFileEvents\n | where not(disabled)\n | where isempty(RequestAccountName) \n | project-rename\n ActorUserSid = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn\n | extend \n ActorWindowsUsername = strcat(InitiatingProcessAccountDomain,'\\\\', InitiatingProcessAccountName) \n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid)\n | project-away RequestAccountSid, RequestSourceIP\n ;\n union \n remote_events\n , \n local_events\n | project-rename\n EventType = ActionType,\n DvcId = DeviceId,\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileSHA256 = SHA256,\n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessName =InitiatingProcessFolderPath,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessParentFileName = InitiatingProcessParentFileName,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessParentCreationTime = InitiatingProcessParentCreationTime,\n TargetFileName = FileName,\n SrcFileName = PreviousFileName\n | extend\n DvcOs = iff(FolderPath 
startswith \"/\", \"Linux\", \"Windows\"),\n TargetFileSize = tolong(FileSize)\n | extend\n EventCount = int(1),\n EventOriginalUid = tostring(ReportId),\n ActingProcessId = tostring(InitiatingProcessId),\n EventStartTime = Timestamp, \n EventEndTime= Timestamp,\n EventResult = 'Success',\n EventProduct = 'M365 Defender for Endpoint',\n EventSchema = 'FileEvent',\n EventVendor = 'Microsoft',\n EventSeverity = 'Informational',\n EventSchemaVersion = '0.2.1',\n DvcIdType = \"MDEid\",\n ActorUsername = coalesce(ActorUserUpn, ActorWindowsUsername),\n ActorUsernameType = iff(isempty(ActorUserUpn), 'Windows', 'UPN'),\n ActorUserId = coalesce(ActorUserAadId, ActorUserSid), \n ActorUserIdType = iff(isempty(ActorUserSid),'AADID','SID'),\n TargetFilePath = strcat(FolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), TargetFileName),\n TargetFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n SrcFilePath = strcat(PreviousFolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), SrcFileName),\n SrcFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),\n NetworkApplicationProtocol = iff (RequestProtocol in (protocols), toupper(RequestProtocol), \"\")\n | invoke _ASIM_ResolveDvcFQDN ('DeviceName')\n | project-away DeviceName\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),Hash)]) \n // ****** Aliases\n | extend \n User = ActorUsername,\n Dvc = coalesce(DvcFQDN, DvcHostname),\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n CommandLine = ActingProcessCommandLine,\n DvcMDEid = DvcId,\n FileName = TargetFileName\n | project-away MachineGroup, ReportId, SourceSystem, Initiating*, Timestamp, TenantId, Request*, PreviousFolderPath, FolderPath, AppGuardContainerId\n | project-away ShareName, IsAzureInfoProtectionApplied, FileOrigin*, Sensitivity*\n };\n parser (disabled = 
disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSecurityEvents/ASimFileEventMicrosoftSecurityEvents.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSecurityEvents/ASimFileEventMicrosoftSecurityEvents.json index 8b66fdf35d3..7bb87089da5 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSecurityEvents/ASimFileEventMicrosoftSecurityEvents.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSecurityEvents/ASimFileEventMicrosoftSecurityEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM parser for Microsoft Windows Events", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoftSecurityEvents", - "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n \"0x1\", \"ObjectAccessed\"\n , \"0x10\", \"MetadataModified\"\n , \"0x100\", \"MetadataModified\"\n , \"0x10000\", \"ObjectDeleted\"\n , \"0x2\", \"ObjectModified\"\n , \"0x20000\", \"MetadataAccessed\"\n , \"0x4\", \"ObjectModified\"\n , \"0x40\", \"ObjectDeleted\"\n , \"0x40000\", \"MetadataModified\"\n , \"0x6\", \"ObjectModified\"\n , \"0x8\", \"MetadataAccessed\"\n , \"0x80\", \"MetadataAccessed\"\n , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\nSecurityEvent\n| where not(disabled)\n| where EventID == 4663 \n and ObjectType == \"File\"\n and ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated, EventID, AccessMask, ProcessName, SubjectUserSid, AccountType, Computer, ObjectName, ProcessId, SubjectUserName, SubjectAccount, SubjectLogonId, HandleId,Type\n| 
lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetFilePath = ObjectName\n , TargetFilePathFormat = \"Windows Local\"\n , ActingProcessId = tostring(toint(ProcessId))\n , EventOriginalType = tostring(EventID)\n , ActorUserIdType=\"SID\"\n , TargetFilePathType=\"Windows Local\"\n| project-away EventID, ProcessId, AccountType, username\n| project-rename ActorUserId = SubjectUserSid\n , DvcHostname = Computer\n , Process = ProcessName\n , FilePath = ObjectName\n , ActorSessionId = SubjectLogonId\n , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n , EventSchemaVersion = \"0.1.1\"\n , EventResult = \"Success\"\n , EventCount = int(1)\n , EventVendor = 'Microsoft'\n , EventProduct = 'Security Events'\n , Dvc = DvcHostname\n , ActorWindowsUsername = ActorUsername\n , User = ActorUsername\n , ActorUserSid = ActorUserId\n | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM parser for Microsoft Windows Events", + "category": "ASIM", + "FunctionAlias": "ASimFileEventMicrosoftSecurityEvents", + "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n \"0x1\", \"ObjectAccessed\"\n , \"0x10\", \"MetadataModified\"\n , \"0x100\", \"MetadataModified\"\n , \"0x10000\", \"ObjectDeleted\"\n , \"0x2\", \"ObjectModified\"\n , \"0x20000\", \"MetadataAccessed\"\n , \"0x4\", \"ObjectModified\"\n , \"0x40\", \"ObjectDeleted\"\n , 
\"0x40000\", \"MetadataModified\"\n , \"0x6\", \"ObjectModified\"\n , \"0x8\", \"MetadataAccessed\"\n , \"0x80\", \"MetadataAccessed\"\n , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\nSecurityEvent\n| where not(disabled)\n| where EventID == 4663 \n and ObjectType == \"File\"\n and ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated, EventID, AccessMask, ProcessName, SubjectUserSid, AccountType, Computer, ObjectName, ProcessId, SubjectUserName, SubjectAccount, SubjectLogonId, HandleId,Type\n| lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetFilePath = ObjectName\n , TargetFilePathFormat = \"Windows Local\"\n , ActingProcessId = tostring(toint(ProcessId))\n , EventOriginalType = tostring(EventID)\n , ActorUserIdType=\"SID\"\n , TargetFilePathType=\"Windows Local\"\n| project-away EventID, ProcessId, AccountType, username\n| project-rename ActorUserId = SubjectUserSid\n , DvcHostname = Computer\n , Process = ProcessName\n , FilePath = ObjectName\n , ActorSessionId = SubjectLogonId\n , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n , EventSchemaVersion = \"0.1.1\"\n , EventResult = \"Success\"\n , EventCount = int(1)\n , EventVendor = 'Microsoft'\n , EventProduct = 'Security Events'\n , Dvc = DvcHostname\n , ActorWindowsUsername = ActorUsername\n , User = ActorUsername\n , ActorUserSid = ActorUserId\n | project-away 
AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSharePoint/ASimFileEventMicrosoftSharePoint.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSharePoint/ASimFileEventMicrosoftSharePoint.json index 219be7f1070..eb6a2dbbb96 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSharePoint/ASimFileEventMicrosoftSharePoint.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSharePoint/ASimFileEventMicrosoftSharePoint.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoftSharePoint')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoftSharePoint", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM parser for Sharepoint and OneDrive for business", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoftSharePoint", - "query": "let _ASIM_ResolveActorUsername = (T:(*), UsernameField: string) { \n T\n | extend ActorUsername = column_ifexists(UsernameField,\"\")\n | extend windows = ActorUsername has '\\\\'\n | extend \n ActorUsernameType = iff (windows, \"Windows\", \"UPN\"),\n ActorUserUpn = iff (windows, \"\", ActorUsername),\n ActorWindowsUsername = iff (windows, ActorUsername, \"\")\n};\n let operations = datatable (Operation:string, EventType:string, EventSubType:string) [\n \"FileUploaded\", \"FileCreated\", \"Upload\",\n \"FileAccessedExtended\", \"FileAccessed\", \"Extended\",\n \"FileRecycled\", \"FileDeleted\", \"Recycle\",\n \"FileDeleted\", \"FileDeleted\", \"\",\n \"FileAccessed\", \"FileAccessed\", \"\",\n \"FolderCreated\", \"FolderCreated\", \"\",\n \"FilePreviewed\", \"FileAccessed\", \"Preview\",\n \"FileDownloaded\", \"FileAccessed\", \"Download\",\n \"FileSyncDownloadedFull\", \"FileAccessed\", \"Download\",\n \"FolderModified\", \"FolderModified\", \"\",\n \"FileModifiedExtended\", \"FolderModified\", \"Extended\",\n \"FileModified\", \"FolderModified\", \"\",\n \"FileVersionsAllDeleted\", \"FolderDeleted\", \"Versions\",\n 
\"FileSyncUploadedFull\", \"FileCreated\", \"Upload\",\n \"FileSensitivityLabelApplied\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelChanged\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelRemoved\", \"FileAttributesUpdated\", \"\",\n \"SiteDeleted\", \"FolderDeleted\", \"Site\",\n \"FileRenamed\", \"FileRenamed\", \"\",\n \"FileMoved\", \"FileMoved\", \"\",\n \"FileCopied\", \"FileCopied\", \"\",\n \"FolderCopied\", \"FolderCopied\", \"\",\n \"FolderMoved\", \"FolderMoved\", \"\",\n \"FolderRenamed\", \"FolderRenamed\", \"\",\n \"FolderRecycled\", \"FolderDeleted\", \"Recycle\",\n \"FolderDeleted\", \"FolderDeleted\", \"\",\n \"FileCheckedIn\", \"FileCreatedOrModified\", \"Checkin\",\n \"FileCheckedOut\", \"FileAccessed\", \"Checkout\"\n ];\n let multiple_file_operations = dynamic([\n \"FileRenamed\",\n \"FileMoved\",\n \"FileCopied\",\n \"FolderCopied\",\n \"FolderMoved\",\n \"FolderRenamed\"\n ]);\n let parser=(disabled:bool=false){\n let OfficeActivityProjected = \n OfficeActivity\n | where not(disabled)\n | where RecordType == \"SharePointFileOperation\" and Operation != \"FileMalwareDetected\"\n | project Operation, OrganizationId, OrganizationName, SourceRecordId, OfficeWorkload, UserId, ClientIP, UserAgent, Start_Time, TimeGenerated, Type, OfficeObjectId, SourceFileName, SourceFileExtension, DestinationFileName, DestinationFileExtension, Site_Url, DestinationRelativeUrl, UserKey, MachineDomainInfo, MachineId; // ,_ItemId \n let SingleFileOperationEvents = \n OfficeActivityProjected\n | where Operation !in (multiple_file_operations)\n | project-rename \n TargetFilePath = OfficeObjectId,\n TargetFileName = SourceFileName,\n TargetFileExtension = SourceFileExtension\n | extend \n TargetFilePathType = \"URL\"\n | project-away DestinationFileName, DestinationFileExtension, DestinationRelativeUrl\n ;\n // single in dest: SiteDeleted\n let MultipleFileOperationsEvents = \n OfficeActivityProjected\n | where Operation in 
(multiple_file_operations)\n | project-rename \n SrcFilePath = OfficeObjectId,\n TargetFileName = DestinationFileName,\n TargetFileExtension = DestinationFileExtension,\n SrcFileName = SourceFileName,\n SrcFileExtension = SourceFileExtension\n | extend \n TargetFilePath = strcat (Site_Url, DestinationRelativeUrl, \"/\", TargetFileName),\n TargetFilePathType = \"URL\",\n SrcFilePathType = \"URL\"\n | project-away DestinationRelativeUrl\n ;\n union SingleFileOperationEvents, MultipleFileOperationsEvents\n | lookup operations on Operation\n | invoke _ASIM_ResolveActorUsername('UserId')\n | project-away UserId\n | project-rename \n EventOriginalType = Operation,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId,\n EventProduct = OfficeWorkload,\n ActorUserId = UserKey,\n HttpUserAgent = UserAgent,\n SrcIpAddr = ClientIP,\n EventStartTime = Start_Time,\n // EvetUid = _ItemId,\n TargetUrl = Site_Url,\n SrcDvcId = MachineId,\n SrcDvcScopeId = MachineDomainInfo\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated,\n EventResult = \"Success\",\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.1',\n EventSchema = \"FileEvent\",\n ActorUserIdType = 'Other',\n SrcDvcIdType = 'Other',\n TargetAppName = EventProduct,\n TargetAppType = 'SaaS application',\n Dvc = strcat ('Microsoft ', EventProduct)\n // Aliases\n | extend \n User = ActorUsername,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Url = TargetUrl,\n Dvc = EventProduct,\n Application = EventProduct\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM parser for Sharepoint and OneDrive for business", + "category": "ASIM", + "FunctionAlias": "ASimFileEventMicrosoftSharePoint", + "query": "let _ASIM_ResolveActorUsername = (T:(*), 
UsernameField: string) { \n T\n | extend ActorUsername = column_ifexists(UsernameField,\"\")\n | extend windows = ActorUsername has '\\\\'\n | extend \n ActorUsernameType = iff (windows, \"Windows\", \"UPN\"),\n ActorUserUpn = iff (windows, \"\", ActorUsername),\n ActorWindowsUsername = iff (windows, ActorUsername, \"\")\n};\n let operations = datatable (Operation:string, EventType:string, EventSubType:string) [\n \"FileUploaded\", \"FileCreated\", \"Upload\",\n \"FileAccessedExtended\", \"FileAccessed\", \"Extended\",\n \"FileRecycled\", \"FileDeleted\", \"Recycle\",\n \"FileDeleted\", \"FileDeleted\", \"\",\n \"FileAccessed\", \"FileAccessed\", \"\",\n \"FolderCreated\", \"FolderCreated\", \"\",\n \"FilePreviewed\", \"FileAccessed\", \"Preview\",\n \"FileDownloaded\", \"FileAccessed\", \"Download\",\n \"FileSyncDownloadedFull\", \"FileAccessed\", \"Download\",\n \"FolderModified\", \"FolderModified\", \"\",\n \"FileModifiedExtended\", \"FolderModified\", \"Extended\",\n \"FileModified\", \"FolderModified\", \"\",\n \"FileVersionsAllDeleted\", \"FolderDeleted\", \"Versions\",\n \"FileSyncUploadedFull\", \"FileCreated\", \"Upload\",\n \"FileSensitivityLabelApplied\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelChanged\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelRemoved\", \"FileAttributesUpdated\", \"\",\n \"SiteDeleted\", \"FolderDeleted\", \"Site\",\n \"FileRenamed\", \"FileRenamed\", \"\",\n \"FileMoved\", \"FileMoved\", \"\",\n \"FileCopied\", \"FileCopied\", \"\",\n \"FolderCopied\", \"FolderCopied\", \"\",\n \"FolderMoved\", \"FolderMoved\", \"\",\n \"FolderRenamed\", \"FolderRenamed\", \"\",\n \"FolderRecycled\", \"FolderDeleted\", \"Recycle\",\n \"FolderDeleted\", \"FolderDeleted\", \"\",\n \"FileCheckedIn\", \"FileCreatedOrModified\", \"Checkin\",\n \"FileCheckedOut\", \"FileAccessed\", \"Checkout\"\n ];\n let multiple_file_operations = dynamic([\n \"FileRenamed\",\n \"FileMoved\",\n \"FileCopied\",\n \"FolderCopied\",\n 
\"FolderMoved\",\n \"FolderRenamed\"\n ]);\n let parser=(disabled:bool=false){\n let OfficeActivityProjected = \n OfficeActivity\n | where not(disabled)\n | where RecordType == \"SharePointFileOperation\" and Operation != \"FileMalwareDetected\"\n | project Operation, OrganizationId, OrganizationName, SourceRecordId, OfficeWorkload, UserId, ClientIP, UserAgent, Start_Time, TimeGenerated, Type, OfficeObjectId, SourceFileName, SourceFileExtension, DestinationFileName, DestinationFileExtension, Site_Url, DestinationRelativeUrl, UserKey, MachineDomainInfo, MachineId; // ,_ItemId \n let SingleFileOperationEvents = \n OfficeActivityProjected\n | where Operation !in (multiple_file_operations)\n | project-rename \n TargetFilePath = OfficeObjectId,\n TargetFileName = SourceFileName,\n TargetFileExtension = SourceFileExtension\n | extend \n TargetFilePathType = \"URL\"\n | project-away DestinationFileName, DestinationFileExtension, DestinationRelativeUrl\n ;\n // single in dest: SiteDeleted\n let MultipleFileOperationsEvents = \n OfficeActivityProjected\n | where Operation in (multiple_file_operations)\n | project-rename \n SrcFilePath = OfficeObjectId,\n TargetFileName = DestinationFileName,\n TargetFileExtension = DestinationFileExtension,\n SrcFileName = SourceFileName,\n SrcFileExtension = SourceFileExtension\n | extend \n TargetFilePath = strcat (Site_Url, DestinationRelativeUrl, \"/\", TargetFileName),\n TargetFilePathType = \"URL\",\n SrcFilePathType = \"URL\"\n | project-away DestinationRelativeUrl\n ;\n union SingleFileOperationEvents, MultipleFileOperationsEvents\n | lookup operations on Operation\n | invoke _ASIM_ResolveActorUsername('UserId')\n | project-away UserId\n | project-rename \n EventOriginalType = Operation,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId,\n EventProduct = OfficeWorkload,\n ActorUserId = UserKey,\n HttpUserAgent = UserAgent,\n SrcIpAddr = ClientIP,\n EventStartTime = Start_Time,\n // 
EvetUid = _ItemId,\n TargetUrl = Site_Url,\n SrcDvcId = MachineId,\n SrcDvcScopeId = MachineDomainInfo\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated,\n EventResult = \"Success\",\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.1',\n EventSchema = \"FileEvent\",\n ActorUserIdType = 'Other',\n SrcDvcIdType = 'Other',\n TargetAppName = EventProduct,\n TargetAppType = 'SaaS application',\n Dvc = strcat ('Microsoft ', EventProduct)\n // Aliases\n | extend \n User = ActorUsername,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Url = TargetUrl,\n Dvc = EventProduct,\n Application = EventProduct\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmon/ASimFileEventMicrosoftSysmon.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmon/ASimFileEventMicrosoftSysmon.json index 62a9b7eab55..d444c8e5934 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmon/ASimFileEventMicrosoftSysmon.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmon/ASimFileEventMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File event ASIM parser for Windows Sysmon", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoftSysmon", - "query": "let parser = (disabled:bool=false) {\n // -- Event parser\n let EventParser = () {\n Event\n | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\n | project-away Source\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n Image:string,\n User:string,\n TargetFilename:string,\n Hashes:string,\n CreationUtcTime:datetime\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActingProcessGuid = ProcessGuid,\n ActingProcessId = ProcessId,\n ActorUsername = User,\n ActingProcessName = Image,\n TargetFileCreationTime=CreationUtcTime,\n TargetFilePath=TargetFilename,\n EventStartTime=UtcTime\n | project-away EventData\n };\n EventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 
'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5:string,\n SHA1:string,\n IMPHASH:string,\n SHA256:string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n };\n parser(disabled=disabled) ", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File event ASIM parser for Windows Sysmon", + "category": "ASIM", + "FunctionAlias": "ASimFileEventMicrosoftSysmon", + "query": "let parser = (disabled:bool=false) {\n // -- Event parser\n let EventParser = () {\n Event\n | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Source, Type , _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\n | project-away Source\n | parse-kv EventData as (\n RuleName:string,\n UtcTime:datetime, \n ProcessGuid:string,\n ProcessId:string,\n Image:string,\n 
User:string,\n TargetFilename:string,\n Hashes:string,\n CreationUtcTime:datetime\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActingProcessGuid = ProcessGuid,\n ActingProcessId = ProcessId,\n ActorUsername = User,\n ActingProcessName = Image,\n TargetFileCreationTime=CreationUtcTime,\n TargetFilePath=TargetFilename,\n EventStartTime=UtcTime\n | project-away EventData\n };\n EventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5:string,\n SHA1:string,\n IMPHASH:string,\n SHA256:string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n };\n 
parser(disabled=disabled) ", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmonWindowsEvent/ASimFileEventMicrosoftSysmonWindowsEvent.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmonWindowsEvent/ASimFileEventMicrosoftSysmonWindowsEvent.json index 1fa16e76b5e..7e5bdf67eef 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmonWindowsEvent/ASimFileEventMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSysmonWindowsEvent/ASimFileEventMicrosoftSysmonWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File event ASIM parser for Windows Sysmon", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoftSysmonWindowsEvent", - "query": "let parser = (disabled:bool=false) {\n //\n // -- WindowsEvent parser\n let WindowsEventParser=(){\n WindowsEvent \n | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\n | project-away Provider\n | extend \n TargetFileCreationTime=todatetime(EventData.CreationUtcTime),\n TargetFilePath=tostring(EventData.TargetFilename),\n ActingProcessName = tostring(EventData.Image),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = tostring(EventData.ProcessGuid),\n ActorUsername = tostring(EventData.User),\n EventStartTime = todatetime(EventData.UtcTime),\n RuleName = tostring(EventData.RuleName),\n Hashes = tostring(EventData.Hashes)\n | parse ActingProcessGuid with \"{\" ActingProcessGuid \"}\"\n | project-away EventData\n };\n WindowsEventParser\n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n 
EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5:string,\n SHA1:string,\n IMPHASH:string,\n SHA256:string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n }; \n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File event ASIM parser for Windows Sysmon", + "category": "ASIM", + "FunctionAlias": "ASimFileEventMicrosoftSysmonWindowsEvent", + "query": "let parser = (disabled:bool=false) {\n //\n // -- WindowsEvent parser\n let WindowsEventParser=(){\n WindowsEvent \n | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Provider, Type , _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (11,23,26)\n | 
project-away Provider\n | extend \n TargetFileCreationTime=todatetime(EventData.CreationUtcTime),\n TargetFilePath=tostring(EventData.TargetFilename),\n ActingProcessName = tostring(EventData.Image),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = tostring(EventData.ProcessGuid),\n ActorUsername = tostring(EventData.User),\n EventStartTime = todatetime(EventData.UtcTime),\n RuleName = tostring(EventData.RuleName),\n Hashes = tostring(EventData.Hashes)\n | parse ActingProcessGuid with \"{\" ActingProcessGuid \"}\"\n | project-away EventData\n };\n WindowsEventParser\n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath,'\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5:string,\n SHA1:string,\n IMPHASH:string,\n SHA256:string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5,TargetFileIMPHASH),Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = 
ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n }; \n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftWindowsEvents/ASimFileEventMicrosoftWindowsEvents.json b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftWindowsEvents/ASimFileEventMicrosoftWindowsEvents.json index 03164a16c14..391d74ec6c0 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftWindowsEvents/ASimFileEventMicrosoftWindowsEvents.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftWindowsEvents/ASimFileEventMicrosoftWindowsEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM parser for Microsoft Windows Events", - "category": "ASIM", - "FunctionAlias": "ASimFileEventMicrosoftWindowsEvents", - "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n \"0x1\", \"ObjectAccessed\"\n , \"0x10\", \"MetadataModified\"\n , \"0x100\", \"MetadataModified\"\n , \"0x10000\", \"ObjectDeleted\"\n , \"0x2\", \"ObjectModified\"\n , \"0x20000\", \"MetadataAccessed\"\n , \"0x4\", \"ObjectModified\"\n , \"0x40\", \"ObjectDeleted\"\n , \"0x40000\", \"MetadataModified\"\n , \"0x6\", \"ObjectModified\"\n , \"0x8\", \"MetadataAccessed\"\n , \"0x80\", \"MetadataAccessed\"\n , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\nWindowsEvent\n| where EventID == 4663 \n and EventData.ObjectType == \"File\"\n and EventData.ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated\n , EventID, AccessMask = tostring(EventData.AccessMask)\n , ProcessName = tostring(EventData.ProcessName)\n , SubjectUserSid = tostring(EventData.SubjectUserSid)\n , 
AccountType = tostring(EventData.AccountType)\n , Computer = tostring(EventData.Computer)\n , ObjectName = tostring(EventData.ObjectName)\n , ProcessId = tostring(EventData.ProcessId)\n , SubjectUserName = tostring(EventData.SubjectUserName)\n , SubjectAccount = tostring(EventData.SubjectAccount)\n , SubjectLogonId = tostring(EventData.SubjectLogonId)\n , HandleId = tostring(EventData.HandleId)\n , Type\n| extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n| lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetFilePath = ObjectName\n , TargetFilePathFormat = \"Windows Local\"\n , ActingProcessId = tostring(toint(ProcessId))\n , EventOriginalType = tostring(EventID)\n| project-away EventID, ProcessId, AccountType, type, username\n| project-rename ActorUserId = SubjectUserSid\n , DvcHostname = Computer\n , Process = ProcessName\n , FilePath = ObjectName\n , ActorSessionId = SubjectLogonId\n , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n , EventSchemaVersion = \"0.1.1\"\n , EventResult = \"Success\"\n , EventCount = int(1)\n , EventVendor = 'Microsoft'\n , EventProduct = 'Security Events'\n , Dvc = DvcHostname\n , ActorWindowsUsername = ActorUsername\n , User = ActorUsername\n , ActorUserSid = ActorUserId\n| project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat\n};\nParser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM parser for Microsoft Windows Events", + "category": "ASIM", + "FunctionAlias": 
"ASimFileEventMicrosoftWindowsEvents", + "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n \"0x1\", \"ObjectAccessed\"\n , \"0x10\", \"MetadataModified\"\n , \"0x100\", \"MetadataModified\"\n , \"0x10000\", \"ObjectDeleted\"\n , \"0x2\", \"ObjectModified\"\n , \"0x20000\", \"MetadataAccessed\"\n , \"0x4\", \"ObjectModified\"\n , \"0x40\", \"ObjectDeleted\"\n , \"0x40000\", \"MetadataModified\"\n , \"0x6\", \"ObjectModified\"\n , \"0x8\", \"MetadataAccessed\"\n , \"0x80\", \"MetadataAccessed\"\n , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\nWindowsEvent\n| where EventID == 4663 \n and EventData.ObjectType == \"File\"\n and EventData.ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated\n , EventID, AccessMask = tostring(EventData.AccessMask)\n , ProcessName = tostring(EventData.ProcessName)\n , SubjectUserSid = tostring(EventData.SubjectUserSid)\n , AccountType = tostring(EventData.AccountType)\n , Computer = tostring(EventData.Computer)\n , ObjectName = tostring(EventData.ObjectName)\n , ProcessId = tostring(EventData.ProcessId)\n , SubjectUserName = tostring(EventData.SubjectUserName)\n , SubjectAccount = tostring(EventData.SubjectAccount)\n , SubjectLogonId = tostring(EventData.SubjectLogonId)\n , HandleId = tostring(EventData.HandleId)\n , Type\n| extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n| lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n , ActorUsernameType = iff(SubjectUserName == 
'-',type, 'Windows')\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetFilePath = ObjectName\n , TargetFilePathFormat = \"Windows Local\"\n , ActingProcessId = tostring(toint(ProcessId))\n , EventOriginalType = tostring(EventID)\n| project-away EventID, ProcessId, AccountType, type, username\n| project-rename ActorUserId = SubjectUserSid\n , DvcHostname = Computer\n , Process = ProcessName\n , FilePath = ObjectName\n , ActorSessionId = SubjectLogonId\n , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n , EventSchemaVersion = \"0.1.1\"\n , EventResult = \"Success\"\n , EventCount = int(1)\n , EventVendor = 'Microsoft'\n , EventProduct = 'Security Events'\n , Dvc = DvcHostname\n , ActorWindowsUsername = ActorUsername\n , User = ActorUsername\n , ActorUserSid = ActorUserId\n| project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat\n};\nParser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventNative/ASimFileEventNative.json b/Parsers/ASimFileEvent/ARM/ASimFileEventNative/ASimFileEventNative.json index 3817d04f36a..e81ee5a46d3 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventNative/ASimFileEventNative.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventNative/ASimFileEventNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM parser for Microsoft Sentinel native File Event table", - "category": "ASIM", - "FunctionAlias": "ASimFileEventNative", - "query": "let parser=(disabled: bool=false) {\n ASimFileEventLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"FileEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n Url = TargetUrl,\n Application = TargetAppName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM parser for Microsoft Sentinel native File Event table", + "category": "ASIM", + "FunctionAlias": "ASimFileEventNative", + "query": "let parser=(disabled: bool=false) {\n ASimFileEventLogs\n | where 
not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"FileEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n Url = TargetUrl,\n Application = TargetAppName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventSentinelOne/ASimFileEventSentinelOne.json b/Parsers/ASimFileEvent/ARM/ASimFileEventSentinelOne/ASimFileEventSentinelOne.json index 4e83f753206..92e3dcac9c4 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventSentinelOne/ASimFileEventSentinelOne.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventSentinelOne/ASimFileEventSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM Parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimFileEventSentinelOne", - "query": "let GetWindowsFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet GetLinuxFilenamePart = (path: string) { tostring(split(path, @'/')[-1]) };\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"FILECREATION\", \"FileCreated\",\n \"FILEMODIFICATION\", \"FileModified\",\n \"FILEDELETION\", \"FileDeleted\",\n \"FILERENAME\", \"FileRenamed\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let allFileData = SentinelOne_CL\n | where not(disabled)\n and event_name_s == 
\"Alerts.\"\n and alertInfo_eventType_s in ('FILECREATION', 'FILEMODIFICATION', 'FILEDELETION', 'FILERENAME');\n let windowsFileData = allFileData\n | where agentDetectionInfo_osFamily_s == \"windows\"\n | extend\n TargetFilePathType = \"Windows Local\",\n TargetFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let otherFileData = allFileData\n | where agentDetectionInfo_osFamily_s != \"windows\"\n | extend\n TargetFilePathType = \"Unix\",\n TargetFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let parseddata = union windowsFileData, otherFileData\n | lookup EventTypeLookup on alertInfo_eventType_s;\n let undefineddata = parseddata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n EventVendor = \"SentinelOne\",\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventCount = toint(1),\n DvcAction = \"Allowed\",\n ActorUsername = sourceProcessInfo_user_s\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ActingProcessCommandLine = 
sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessId = sourceProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n TargetFileCreationTime = targetProcessInfo_tgtFileCreatedAt_t,\n SrcFilePath = targetProcessInfo_tgtFileOldPath_s,\n TargetFilePath = targetProcessInfo_tgtFilePath_s,\n TargetFileSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetFileSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n EventEndTime = EventStartTime,\n Rule = RuleName,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileSHA1)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(Hash) and isnotempty(TargetFileSHA1),\n \"TargetFileSHA1\",\n \"\"\n ) \n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM Parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimFileEventSentinelOne", + "query": "let GetWindowsFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) 
};\nlet GetLinuxFilenamePart = (path: string) { tostring(split(path, @'/')[-1]) };\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"FILECREATION\", \"FileCreated\",\n \"FILEMODIFICATION\", \"FileModified\",\n \"FILEDELETION\", \"FileDeleted\",\n \"FILERENAME\", \"FileRenamed\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let allFileData = SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in ('FILECREATION', 'FILEMODIFICATION', 'FILEDELETION', 'FILERENAME');\n let windowsFileData = allFileData\n | where agentDetectionInfo_osFamily_s == \"windows\"\n | extend\n TargetFilePathType = \"Windows Local\",\n TargetFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let otherFileData = allFileData\n | where agentDetectionInfo_osFamily_s != \"windows\"\n | extend\n TargetFilePathType = \"Unix\",\n TargetFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let parseddata = union windowsFileData, otherFileData\n | lookup EventTypeLookup on alertInfo_eventType_s;\n let undefineddata = parseddata\n | where ruleInfo_treatAsThreat_s == 
\"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n EventVendor = \"SentinelOne\",\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventCount = toint(1),\n DvcAction = \"Allowed\",\n ActorUsername = sourceProcessInfo_user_s\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessId = sourceProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n TargetFileCreationTime = targetProcessInfo_tgtFileCreatedAt_t,\n SrcFilePath = targetProcessInfo_tgtFileOldPath_s,\n TargetFilePath = targetProcessInfo_tgtFilePath_s,\n TargetFileSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetFileSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n 
EventEndTime = EventStartTime,\n Rule = RuleName,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileSHA1)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(Hash) and isnotempty(TargetFileSHA1),\n \"TargetFileSHA1\",\n \"\"\n ) \n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json b/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json index d2da0aaf948..b2920979c0d 100644 --- a/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventVMwareCarbonBlackCloud/ASimFileEventVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimFileEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimFileEventVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\n \"ACTION_FILE_CREATE\", \"FileCreated\",\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\n \"ACTION_FILE_LINK\", \"FileModified\",\n \"ACTION_FILE_READ\", \"FileAccessed\",\n \"ACTION_FILE_RENAME\", \"FileRenamed\",\n \"ACTION_FILE_WRITE\", \"FileModified\",\n \"ACTION_FILE_OPEN_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\n \"ACTION_FILE_MOD_OPEN\", 
\"FileAccessed\",\n \"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\n];\nlet parser = (disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\n | where action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\n | lookup EventTypeLookup on action_s\n | extend EventType = case(\n isnotempty(EventType), EventType,\n temp_action has \"delete\", \"FileDeleted\",\n temp_action has \"link\", \"FileModified\",\n temp_action has \"rename\", \"FileRenamed\",\n temp_action has \"execute\", \"FileAccessed\",\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\n temp_action has \"truncate\", \"FileModified\",\n temp_action has \"write\", \"FileModified\",\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\n temp_action has \"create\", \"FileCreated\",\n \"\"\n )\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetFilePathType = case(\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\n device_os_s == \"WINDOWS\", \"Windows Local\",\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\n \"\"\n ),\n ActingProcessId = tostring(toint(process_pid_d)),\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"process_publisher\", process_publisher_s,\n \"process_reputation\", process_reputation_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n 
DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n TargetFilePath = filemod_name_s\n | extend \n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventVendor = \"VMware\",\n EventCount = int(1),\n SrcIpAddr = DvcIpAddr\n | extend\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(TargetFileMD5),\n \"TargetFileMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_action\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimFileEventVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\n \"ACTION_FILE_CREATE\", 
\"FileCreated\",\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\n \"ACTION_FILE_LINK\", \"FileModified\",\n \"ACTION_FILE_READ\", \"FileAccessed\",\n \"ACTION_FILE_RENAME\", \"FileRenamed\",\n \"ACTION_FILE_WRITE\", \"FileModified\",\n \"ACTION_FILE_OPEN_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\n \"ACTION_FILE_MOD_OPEN\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\n];\nlet parser = (disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\n | where action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\n | lookup EventTypeLookup on action_s\n | extend EventType = case(\n isnotempty(EventType), EventType,\n temp_action has \"delete\", \"FileDeleted\",\n temp_action has \"link\", \"FileModified\",\n temp_action has \"rename\", \"FileRenamed\",\n temp_action has \"execute\", \"FileAccessed\",\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\n temp_action has \"truncate\", \"FileModified\",\n temp_action has \"write\", \"FileModified\",\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\n temp_action has \"create\", \"FileCreated\",\n \"\"\n )\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetFilePathType = case(\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\n device_os_s 
== \"WINDOWS\", \"Windows Local\",\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\n \"\"\n ),\n ActingProcessId = tostring(toint(process_pid_d)),\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"process_publisher\", process_publisher_s,\n \"process_reputation\", process_reputation_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n TargetFilePath = filemod_name_s\n | extend \n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventVendor = \"VMware\",\n EventCount = int(1),\n SrcIpAddr = DvcIpAddr\n | extend\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(TargetFileMD5),\n \"TargetFileMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_action\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": 
"disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json b/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json index 3aac32ebedd..d4ed864409c 100644 --- a/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json +++ b/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imFileEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imFileEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Source Agnostic File Events Parser", - "category": "ASIM", - "FunctionAlias": "imFileEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n| where SearchKey in ('Any', 'ExcludevimFile')\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n| distinct SourceSpecificParser\n| where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack: bool=false\n ) {\n union isfuzzy=true\n vimFileEventEmpty,\n vimFileEventLinuxSysmonFileCreated(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or 
('ExcludevimFileEventLinuxSysmonFileCreated' in (DisabledParsers)))),\n vimFileEventLinuxSysmonFileDeleted(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileDeleted' in (DisabledParsers)))),\n vimFileEventAzureBlobStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureBlobStorage' in (DisabledParsers)))),\n vimFileEventMicrosoft365D(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoft365D' in (DisabledParsers)))),\n vimFileEventAzureFileStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureFileStorage' in (DisabledParsers)))),\n vimFileEventAzureQueueStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureQueueStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftSharePoint(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSharePoint' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmon(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmon' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmonWindowsEvent(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers)))),\n vimFileEventAzureTableStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, 
srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureTableStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimFileEventMicrosoftSecurityEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimFileEventNative(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventNative' in (DisabledParsers)))),\n vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventSentinelOne' in (DisabledParsers)))),\n 
vimFileEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventVMwareCarbonBlackCloud' in (DisabledParsers)))),\n vimFileEventGoogleWorkspace(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventGoogleWorkspace' in (DisabledParsers))))\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "ASIM Source Agnostic File Events Parser", + "category": "ASIM", + "FunctionAlias": "imFileEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n| where SearchKey in ('Any', 'ExcludevimFile')\n| extend 
SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n| distinct SourceSpecificParser\n| where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack: bool=false\n ) {\n union isfuzzy=true\n vimFileEventEmpty,\n vimFileEventLinuxSysmonFileCreated(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileCreated' in (DisabledParsers)))),\n vimFileEventLinuxSysmonFileDeleted(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileDeleted' in (DisabledParsers)))),\n vimFileEventAzureBlobStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, 
disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureBlobStorage' in (DisabledParsers)))),\n vimFileEventMicrosoft365D(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoft365D' in (DisabledParsers)))),\n vimFileEventAzureFileStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureFileStorage' in (DisabledParsers)))),\n vimFileEventAzureQueueStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureQueueStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftSharePoint(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSharePoint' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmon(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmon' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmonWindowsEvent(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers)))),\n vimFileEventAzureTableStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureTableStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimFileEventMicrosoftSecurityEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, 
srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimFileEventNative(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventNative' in (DisabledParsers)))),\n vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventSentinelOne' in (DisabledParsers)))),\n vimFileEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventVMwareCarbonBlackCloud' in (DisabledParsers)))),\n vimFileEventGoogleWorkspace(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventGoogleWorkspace' in (DisabledParsers))))\n};\nparser(starttime=starttime, 
endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventAzureBlobStorage/vimFileEventAzureBlobStorage.json b/Parsers/ASimFileEvent/ARM/vimFileEventAzureBlobStorage/vimFileEventAzureBlobStorage.json index 7411833263b..1fbf3894987 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventAzureBlobStorage/vimFileEventAzureBlobStorage.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventAzureBlobStorage/vimFileEventAzureBlobStorage.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventAzureBlobStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventAzureBlobStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM filtering parser for Azure Blob Storage", - "category": "ASIM", - "FunctionAlias": "vimFileEventAzureBlobStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let bloboperations=datatable(OperationName: string, EventType: string)\n[\n \"PutBlock\", \"FileCreated\",\n \"PutBlob\", \"FileCreated\",\n \"PutPage\", \"FileCreated\",\n \"CreateContainer\", \"FolderCreated\",\n \"CopyBlob\", \"FileCopied\",\n \"QueryBlobContents\", \"FileAccessed\",\n \"GetBlob\", \"FileAccessed\",\n \"AppendBlock\", \"FileModified\",\n \"ClearPage\", \"FileModified\",\n \"PutBlockFromURL\", \"FileModified\",\n \"DeleteBlob\", \"FileDeleted\",\n \"DeleteContainer\", \"FolderDeleted\"\n];\n StorageBlobLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or 
TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (bloboperations)\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n //\n | lookup bloboperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) \n | project-rename \n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n HttpUserAgent=UserAgentHeader\n ,\n TargetUrl=Uri\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(TargetUrl, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM filtering parser for Azure Blob Storage", + "category": "ASIM", + "FunctionAlias": "vimFileEventAzureBlobStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let bloboperations=datatable(OperationName: string, EventType: string)\n[\n \"PutBlock\", \"FileCreated\",\n \"PutBlob\", \"FileCreated\",\n \"PutPage\", \"FileCreated\",\n \"CreateContainer\", \"FolderCreated\",\n \"CopyBlob\", \"FileCopied\",\n \"QueryBlobContents\", \"FileAccessed\",\n \"GetBlob\", \"FileAccessed\",\n \"AppendBlock\", \"FileModified\",\n \"ClearPage\", \"FileModified\",\n \"PutBlockFromURL\", \"FileModified\",\n \"DeleteBlob\", \"FileDeleted\",\n \"DeleteContainer\", \"FolderDeleted\"\n];\n StorageBlobLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (bloboperations)\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n 
(array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n //\n | lookup bloboperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) \n | project-rename \n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n HttpUserAgent=UserAgentHeader\n ,\n TargetUrl=Uri\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(TargetUrl, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No 
newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventAzureFileStorage/vimFileEventAzureFileStorage.json b/Parsers/ASimFileEvent/ARM/vimFileEventAzureFileStorage/vimFileEventAzureFileStorage.json index 2137ad76170..f34e86864f1 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventAzureFileStorage/vimFileEventAzureFileStorage.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventAzureFileStorage/vimFileEventAzureFileStorage.json 
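Review bot: `EventProduct='Azure File Storage'` in the new `query` string is emitted by a parser whose alias is `vimFileEventAzureBlobStorage` and whose source table is `StorageBlobLogs`, so every normalized Blob event is attributed to the wrong product; it should read `EventProduct='Azure Blob Storage'`. The Queue and Table Storage hunks later in this diff carry the same `'Azure File Storage'` literal over `StorageQueueLogs` and `StorageTableLogs`, so a consumer filtering or correlating on EventProduct cannot tell the four storage services apart. The reference comment that opens the query, `// https://docs.microsoft.comrest/api/storageservices/...`, is missing the `/` between the host and `rest`. The commit only re-parents the savedSearches resource and moves the query verbatim; if this ARM file is generated from the YAML parser source, as the convertKqlFunctionYamlToArmTemplate workflow in this same diff suggests, the fixes belong in that YAML and should be regenerated here.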
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventAzureFileStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventAzureFileStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM filtering parser for Azure File Storage", - "category": "ASIM", - "FunctionAlias": "vimFileEventAzureFileStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let fileoperations=datatable(OperationName: string, EventType: string)[\n \"DeleteFile\", \"FileDeleted\"\n ,\n \"DeleteDirectory\", \"FolderDeleted\"\n ,\n \"GetFile\", \"FileAccessed\"\n ,\n \"CopyFile\", \"FileCopied\"\n ,\n \"CreateFileSnapshot\", \"FileCreated\"\n ,\n \"CreateDirectory\", \"FolderCreated\"\n ,\n \"CreateFile\", \"FileCreated\"\n ,\n \"CreateShare\", \"FolderCreated\"\n ,\n \"DeleteShare\", \"FileDeleted\"\n ,\n \"PutRange\", \"FileModified\"\n ,\n \"CopyFileDestination\", \"FileCopied\"\n ,\n \"CopyFileSource\", \"FileCopied\"\n];\n StorageFileLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated 
>= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (fileoperations)\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n //\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup fileoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) \n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM filtering parser for Azure File Storage", + "category": "ASIM", + "FunctionAlias": "vimFileEventAzureFileStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let fileoperations=datatable(OperationName: string, EventType: string)[\n \"DeleteFile\", \"FileDeleted\"\n ,\n \"DeleteDirectory\", \"FolderDeleted\"\n ,\n \"GetFile\", \"FileAccessed\"\n ,\n \"CopyFile\", \"FileCopied\"\n ,\n \"CreateFileSnapshot\", \"FileCreated\"\n ,\n \"CreateDirectory\", \"FolderCreated\"\n ,\n \"CreateFile\", \"FileCreated\"\n ,\n \"CreateShare\", \"FolderCreated\"\n ,\n \"DeleteShare\", \"FileDeleted\"\n ,\n \"PutRange\", \"FileModified\"\n ,\n \"CopyFileDestination\", \"FileCopied\"\n ,\n \"CopyFileSource\", \"FileCopied\"\n];\n StorageFileLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (fileoperations)\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or 
(has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n //\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup fileoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) \n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventAzureQueueStorage/vimFileEventAzureQueueStorage.json b/Parsers/ASimFileEvent/ARM/vimFileEventAzureQueueStorage/vimFileEventAzureQueueStorage.json index 8453c58f402..42c23c44beb 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventAzureQueueStorage/vimFileEventAzureQueueStorage.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventAzureQueueStorage/vimFileEventAzureQueueStorage.json 
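Review bot: `SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])` in the new `query` string selects element 0, the same element `SrcIpAddr` is built from, so SrcPortNumber is populated with the caller's IP address rather than its port. The Blob Storage parser in the preceding hunk uses `[1]` for the port, which is what this line should use: `SrcPortNumber=tostring(split(CallerIpAddress, ':')[1])`. The Queue and Table Storage hunks that follow have the identical `[0]` index and need the same change. Because the field is still non-empty the schema tester is unlikely to flag it, while any detection or enrichment keyed on the source port silently receives an IP string. If this ARM file is generated from the YAML parser source, fix it there and regenerate.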
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventAzureQueueStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventAzureQueueStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM filtering parser for Azure Queue Storage", - "category": "ASIM", - "FunctionAlias": "vimFileEventAzureQueueStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let queueoperations=datatable(OperationName: string, EventType: string)\n[\n \"ClearMessages\", \"FileDeleted\"\n ,\n \"CreateQueue\", \"FileCreated\"\n ,\n \"DeleteQueue\", \"FileDeleted\"\n ,\n \"DeleteMessage\", \"FileDeleted\"\n ,\n \"GetQueue\", \"FileAccessed\"\n ,\n \"GetMessage\", \"FileAccessed\"\n ,\n \"GetMessages\", \"FileAccessed\"\n ,\n \"PeekMessage\", \"FileAccessed\"\n ,\n \"PeekMessages\", \"FileAccessed\"\n ,\n \"PutMessage\", \"FileCreated\"\n ,\n \"UpdateMessage\", \"FileModified\" \n];\n StorageQueueLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) 
or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (queueoperations)\n //\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup queueoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=datetime(null), \n endtime=datetime(null), \n eventtype_in=dynamic([]),\n srcipaddr_has_any_prefix=dynamic([]),\n actorusername_has_any=dynamic([]),\n targetfilepath_has_any=dynamic([]),\n srcfilepath_has_any=dynamic([]),\n hashes_has_any=dynamic([]),\n dvchostname_has_any=dynamic([]),\n disabled=false\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM filtering parser for Azure Queue Storage", + "category": "ASIM", + "FunctionAlias": "vimFileEventAzureQueueStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let queueoperations=datatable(OperationName: string, EventType: string)\n[\n \"ClearMessages\", \"FileDeleted\"\n ,\n \"CreateQueue\", \"FileCreated\"\n ,\n \"DeleteQueue\", \"FileDeleted\"\n ,\n \"DeleteMessage\", \"FileDeleted\"\n ,\n \"GetQueue\", \"FileAccessed\"\n ,\n \"GetMessage\", \"FileAccessed\"\n ,\n \"GetMessages\", \"FileAccessed\"\n ,\n \"PeekMessage\", \"FileAccessed\"\n ,\n \"PeekMessages\", \"FileAccessed\"\n ,\n \"PutMessage\", \"FileCreated\"\n ,\n \"UpdateMessage\", \"FileModified\" \n];\n StorageQueueLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (queueoperations)\n //\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n 
(array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup queueoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=datetime(null), \n endtime=datetime(null), \n eventtype_in=dynamic([]),\n srcipaddr_has_any_prefix=dynamic([]),\n actorusername_has_any=dynamic([]),\n targetfilepath_has_any=dynamic([]),\n srcfilepath_has_any=dynamic([]),\n hashes_has_any=dynamic([]),\n dvchostname_has_any=dynamic([]),\n disabled=false\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
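Review bot: the closing invocation in the new `query` string, `parser(starttime=datetime(null), endtime=datetime(null), eventtype_in=dynamic([]), ... disabled=false)`, passes literal defaults instead of the function's own parameters, so everything a caller supplies through `functionParameters` is discarded. The time window and the `eventtype_in`, `srcipaddr_has_any_prefix` and `targetfilepath_has_any` filters never apply, and `disabled=false` means the `ExcludevimFileEventAzureQueueStorage` watchlist entry that the imFileEvent union parser earlier in this diff evaluates is ignored, so the parser cannot be switched off and the union parser's pre-filtering never reaches it. The Blob and File Storage parsers in the preceding hunks forward their parameters; this one should close with `parser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=disabled)`. If this ARM file is generated from the YAML parser source, fix the invocation there and regenerate.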
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventAzureTableStorage/vimFileEventAzureTableStorage.json b/Parsers/ASimFileEvent/ARM/vimFileEventAzureTableStorage/vimFileEventAzureTableStorage.json index b1df578434c..1b9ce1e5ebb 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventAzureTableStorage/vimFileEventAzureTableStorage.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventAzureTableStorage/vimFileEventAzureTableStorage.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventAzureTableStorage')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventAzureTableStorage", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM filtering parser for Azure Table Storage", - "category": "ASIM", - "FunctionAlias": "vimFileEventAzureTableStorage", - "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let tableoperations=datatable(OperationName: string, EventType: string)\n[\n ,\n \"CreateTable\", \"FileCreated\"\n ,\n \"DeleteTable\", \"FileDeleted\"\n ,\n \"DeleteEntity\", \"FileModified\"\n ,\n \"InsertEntity\", \"FileModified\"\n ,\n \"InsertOrMergeEntity\", \"FileModified\"\n ,\n \"InsertOrReplaceEntity\", \"FileModified\"\n ,\n \"QueryEntity\", \"FileAccessed\"\n ,\n \"QueryEntities\", \"FileAccessed\"\n ,\n \"QueryTable\", \"FileAccessed\"\n ,\n \"QueryTables\", \"FileAccessed\"\n ,\n \"UpdateEntity\", \"FileModified\"\n ,\n \"MergeEntity\", \"FileModified\"\n];\n StorageTableLogs\n | where not(disabled)\n | where 
(isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (tableoperations)\n //\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup tableoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM filtering parser for Azure Table Storage", + "category": "ASIM", + "FunctionAlias": "vimFileEventAzureTableStorage", + "query": "// https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n )\n{\n let tableoperations=datatable(OperationName: string, EventType: string)\n[\n ,\n \"CreateTable\", \"FileCreated\"\n ,\n \"DeleteTable\", \"FileDeleted\"\n ,\n \"DeleteEntity\", \"FileModified\"\n ,\n \"InsertEntity\", \"FileModified\"\n ,\n \"InsertOrMergeEntity\", \"FileModified\"\n ,\n \"InsertOrReplaceEntity\", \"FileModified\"\n ,\n \"QueryEntity\", \"FileAccessed\"\n ,\n \"QueryEntities\", \"FileAccessed\"\n ,\n \"QueryTable\", \"FileAccessed\"\n ,\n \"QueryTables\", \"FileAccessed\"\n ,\n \"UpdateEntity\", \"FileModified\"\n ,\n \"MergeEntity\", \"FileModified\"\n];\n StorageTableLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // **** relevant data filtering;\n | where OperationName in (tableoperations)\n //\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or 
(has_any_ipv4_prefix(CallerIpAddress, srcipaddr_has_any_prefix))) and \n (array_length(actorusername_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (Uri has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0)\n | extend \n EventCount=int(1)\n ,\n EventStartTime=TimeGenerated\n ,\n EventEndTime=TimeGenerated\n //\t, EventType :string ---> see lookup below\n ,\n EventResult=iff(StatusText == 'Success', 'Success', 'Failure') \n ,\n EventOriginalUid = CorrelationId\n ,\n EventOriginalType=OperationName\n ,\n EventProduct='Azure File Storage' \n ,\n EventVendor='Microsoft'\n ,\n EventSchemaVersion='0.1.0'\n ,\n TargetFilePath=tostring(split(Uri, '?')[0]) \n ,\n TargetFilePathType='URL'\n ,\n TargetUrl=Uri\n ,\n SrcIpAddr=tostring(split(CallerIpAddress, ':')[0])\n ,\n SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])\n ,\n HttpUserAgent=UserAgentHeader\n | extend TargetFileName=tostring(split(TargetFilePath, '/')[-1])\n | lookup tableoperations on OperationName\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n // Aliases\n | extend \n FilePath=TargetFilePath\n};\nparser\n(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventEmpty/vimFileEventEmpty.json b/Parsers/ASimFileEvent/ARM/vimFileEventEmpty/vimFileEventEmpty.json index bf150354cfb..8bbc67d7e21 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventEmpty/vimFileEventEmpty.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventEmpty/vimFileEventEmpty.json 
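Review bot: The new-side query still sets `SrcPortNumber=tostring(split(CallerIpAddress, ':')[0])`, which copies the IP address into the port field instead of the port, and emits it as a string although the vimFileEventEmpty schema in this same commit declares `SrcPortNumber:int`; the line should read `SrcPortNumber=toint(split(CallerIpAddress, ':')[1])`. The same query labels a Table Storage parser with `EventProduct='Azure File Storage'`, which looks copied from the File Storage parser and should presumably be `EventProduct='Azure Table Storage'` so product-based filtering in vimFileEvent does not misattribute these events. This ARM file appears to be generated from the parser YAML by the convertKqlFunctionYamlToArmTemplate workflow, so the fix belongs in the YAML source and should then be regenerated here rather than patched in the JSON. The reference comment at the top of the query is also missing a slash (`https://docs.microsoft.comrest/...`).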
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimFileEventEmpty", - "query": "let FileEvent=datatable(\n _ResourceId:string,\n ActingProcessCommandLine:string,\n ActingProcessGuid:string,\n ActingProcessId:string,\n ActingProcessName:string,\n ActorOriginalUserType:string,\n ActorScope:string,\n ActorScopeId:string,\n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUsername:string,\n ActorUsernameType:string,\n ActorUserSid:string,\n ActorUserType:string,\n AdditionalFields:dynamic,\n Application:string,\n Dvc:string,\n DvcAction:string,\n DvcDescription:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcHostname:string,\n DvcId:string,\n DvcIdType:string,\n DvcInterface:string,\n DvcIpAddr:string,\n DvcMacAddr:string,\n DvcOriginalAction:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcScopeId:string,\n DvcScope:string,\n DvcZone:string,\n EventCount:int,\n EventEndTime:datetime,\n EventMessage:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventOriginalType:string,\n EventOriginalUid:string,\n EventOwner:string,\n EventProduct:string,\n EventProductVersion:string,\n EventReportUrl:string,\n EventResult:string,\n EventSchema:string,\n 
EventSchemaVersion:string,\n EventSeverity:string,\n EventStartTime:datetime,\n EventType:string,\n EventUid:string,\n EventVendor:string,\n EventSubType:string,\n EventResultDetails:string,\n FileName:string,\n FilePath:string,\n Hash:string,\n HashType:string,\n HttpUserAgent:string,\n IpAddr:string,\n NetworkApplicationProtocol:string,\n Process:string,\n Rule:string,\n RuleName:string,\n RuleNumber:int,\n Src:string,\n SrcDescription:string,\n SrcDeviceType:string,\n SrcDomain:string,\n SrcDomainType:string,\n SrcDvcId:string,\n SrcDvcIdType:string,\n SrcDvcScope:string,\n SrcDvcScopeId:string,\n SrcFileCreationTime:datetime,\n SrcFileDirectory:string,\n SrcFileExtension:string,\n SrcFileMD5:string,\n SrcFileMimeType:string,\n SrcFileName:string,\n SrcFilePath:string,\n SrcFilePathType:string,\n SrcFileSHA1:string,\n SrcFileSHA256:string,\n SrcFileSHA512:string,\n SrcFileSize:long,\n SrcFQDN:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n SrcGeoRegion:string,\n SrcHostname:string,\n SrcIpAddr:string,\n SrcPortNumber:int,\n SrcMacAddr:string,\n SrcRiskLevel:int,\n SrcOriginalRiskLevel:string,\n TargetAppId:string,\n TargetAppName:string,\n TargetAppType:string,\n TargetOriginalAppType:string,\n TargetFileCreationTime:datetime,\n TargetFileDirectory:string,\n TargetFileExtension:string,\n TargetFileMD5:string,\n TargetFileMimeType:string,\n TargetFileName:string,\n TargetFilePath:string,\n TargetFilePathType:string,\n TargetFileSHA1:string,\n TargetFileSHA256:string,\n TargetFileSHA512:string,\n TargetFileSize:long,\n TargetUrl:string,\n ThreatCategory:string,\n ThreatConfidence:int,\n ThreatField:string,\n ThreatFilePath:string,\n ThreatFirstReportedTime:datetime,\n ThreatId:string,\n ThreatIpAddr:string,\n ThreatIsActive:bool,\n ThreatLastReportedTime:datetime,\n ThreatName:string,\n ThreatOriginalConfidence:string,\n ThreatOriginalRiskLevel:string,\n ThreatRiskLevel:int,\n TimeGenerated:datetime,\n 
Type:string,\n Url:string,\n User:string,\n ActorUserPuid:string,\n ActorUpn:string,\n Dst:string\n)[];\nFileEvent", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimFileEventEmpty", + "query": "let FileEvent=datatable(\n _ResourceId:string,\n ActingProcessCommandLine:string,\n ActingProcessGuid:string,\n ActingProcessId:string,\n ActingProcessName:string,\n ActorOriginalUserType:string,\n ActorScope:string,\n ActorScopeId:string,\n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUsername:string,\n ActorUsernameType:string,\n ActorUserSid:string,\n ActorUserType:string,\n AdditionalFields:dynamic,\n Application:string,\n Dvc:string,\n DvcAction:string,\n DvcDescription:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcHostname:string,\n DvcId:string,\n DvcIdType:string,\n DvcInterface:string,\n DvcIpAddr:string,\n DvcMacAddr:string,\n DvcOriginalAction:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcScopeId:string,\n DvcScope:string,\n DvcZone:string,\n EventCount:int,\n EventEndTime:datetime,\n EventMessage:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventOriginalType:string,\n EventOriginalUid:string,\n EventOwner:string,\n EventProduct:string,\n EventProductVersion:string,\n EventReportUrl:string,\n EventResult:string,\n EventSchema:string,\n EventSchemaVersion:string,\n EventSeverity:string,\n EventStartTime:datetime,\n EventType:string,\n EventUid:string,\n EventVendor:string,\n EventSubType:string,\n EventResultDetails:string,\n FileName:string,\n FilePath:string,\n Hash:string,\n HashType:string,\n HttpUserAgent:string,\n IpAddr:string,\n NetworkApplicationProtocol:string,\n Process:string,\n Rule:string,\n RuleName:string,\n RuleNumber:int,\n Src:string,\n SrcDescription:string,\n SrcDeviceType:string,\n 
SrcDomain:string,\n SrcDomainType:string,\n SrcDvcId:string,\n SrcDvcIdType:string,\n SrcDvcScope:string,\n SrcDvcScopeId:string,\n SrcFileCreationTime:datetime,\n SrcFileDirectory:string,\n SrcFileExtension:string,\n SrcFileMD5:string,\n SrcFileMimeType:string,\n SrcFileName:string,\n SrcFilePath:string,\n SrcFilePathType:string,\n SrcFileSHA1:string,\n SrcFileSHA256:string,\n SrcFileSHA512:string,\n SrcFileSize:long,\n SrcFQDN:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n SrcGeoRegion:string,\n SrcHostname:string,\n SrcIpAddr:string,\n SrcPortNumber:int,\n SrcMacAddr:string,\n SrcRiskLevel:int,\n SrcOriginalRiskLevel:string,\n TargetAppId:string,\n TargetAppName:string,\n TargetAppType:string,\n TargetOriginalAppType:string,\n TargetFileCreationTime:datetime,\n TargetFileDirectory:string,\n TargetFileExtension:string,\n TargetFileMD5:string,\n TargetFileMimeType:string,\n TargetFileName:string,\n TargetFilePath:string,\n TargetFilePathType:string,\n TargetFileSHA1:string,\n TargetFileSHA256:string,\n TargetFileSHA512:string,\n TargetFileSize:long,\n TargetUrl:string,\n ThreatCategory:string,\n ThreatConfidence:int,\n ThreatField:string,\n ThreatFilePath:string,\n ThreatFirstReportedTime:datetime,\n ThreatId:string,\n ThreatIpAddr:string,\n ThreatIsActive:bool,\n ThreatLastReportedTime:datetime,\n ThreatName:string,\n ThreatOriginalConfidence:string,\n ThreatOriginalRiskLevel:string,\n ThreatRiskLevel:int,\n TimeGenerated:datetime,\n Type:string,\n Url:string,\n User:string,\n ActorUserPuid:string,\n ActorUpn:string,\n Dst:string\n)[];\nFileEvent", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventGoogleWorkspace/vimFileEventGoogleWorkspace.json b/Parsers/ASimFileEvent/ARM/vimFileEventGoogleWorkspace/vimFileEventGoogleWorkspace.json index 82219625764..56924c12d50 100644 
--- a/Parsers/ASimFileEvent/ARM/vimFileEventGoogleWorkspace/vimFileEventGoogleWorkspace.json
+++ b/Parsers/ASimFileEvent/ARM/vimFileEventGoogleWorkspace/vimFileEventGoogleWorkspace.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventGoogleWorkspace')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventGoogleWorkspace", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File events ASIM filtering parser for Google Workspace", - "category": "ASIM", - "FunctionAlias": "vimFileEventGoogleWorkspace", - "query": "let parser = (\n starttime: datetime = datetime(null)\n , endtime: datetime = datetime(null)\n , eventtype_in: dynamic = dynamic([])\n , srcipaddr_has_any_prefix: dynamic = dynamic([])\n , actorusername_has_any: dynamic = dynamic([])\n , targetfilepath_has_any: dynamic = dynamic([])\n , srcfilepath_has_any: dynamic = dynamic([])\n , hashes_has_any: dynamic = dynamic([])\n , dvchostname_has_any: dynamic = dynamic([])\n , disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n doc_type_s: string,\n doc_title_s: string,\n originating_app_id_s: string,\n id_applicationName_s: string,\n old_value_s: string,\n new_value_s: string,\n destination_folder_title_s: string,\n source_folder_title_s: string,\n copy_type_s: string,\n target_user_s: string,\n doc_id_s: string,\n primary_event_b: bool,\n billable_b: bool,\n owner_s: string,\n owner_is_shared_drive_b: bool,\n is_encrypted_b: bool,\n visibility_s: string,\n shared_drive_id_s: string,\n destination_folder_id_s: string,\n source_folder_id_s: string,\n 
TimeGenerated: datetime,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string,\n _ItemId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventSubType: string\n)\n [\n \"download\", \"FileAccessed\", \"Download\",\n \"edit\", \"FileModified\", \"Checkin\",\n \"upload\", \"FileCreated\", \"Upload\",\n \"create\", \"FileCreated\", \"Checkin\",\n \"rename\", \"FileRenamed\", \"\",\n \"view\", \"FileAccessed\", \"Preview\",\n \"preview\", \"FileAccessed\", \"Preview\",\n \"copy\", \"FileCopied\", \"\",\n \"source_copy\", \"FileCopied\", \"\",\n \"delete\", \"FileDeleted\", \"\",\n \"trash\", \"FileDeleted\", \"Recycle\",\n \"move\", \"FileMoved\", \"\",\n \"untrash\", \"FileCreatedOrModified\", \"Checkin\",\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\n \"request_access\", \"FileAccessed\", \"Preview\",\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\n \"approval_canceled\", \"FileAccessed\", \"\",\n \"approval_comment_added\", \"FileAccessed\", \"\",\n \"approval_completed\", \"FileAccessed\", \"Preview\",\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\n \"approval_due_time_change\", \"FileAccessed\", \"\",\n \"approval_requested\", \"FileAccessed\", \"Preview\",\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\n \"create_comment\", \"FileModified\", \"Checkin\",\n \"delete_comment\", \"FileModified\", \"Checkin\",\n \"edit_comment\", \"FileModified\", \"Checkin\",\n \"reassign_comment\", \"FileModified\", \"Checkin\",\n \"reopen_comment\", \"FileModified\", \"Checkin\",\n \"resolve_comment\", \"FileModified\", \"Checkin\",\n \"add_lock\", \"FileModified\", \"\",\n \"print\", \"FileAccessed\", \"Print\",\n \"remove_from_folder\", \"FileDeleted\", \"\",\n 
\"remove_lock\", \"FileModified\", \"\",\n];\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and ((array_length(actorusername_has_any) == 0) or (actor_email_s has_any (actorusername_has_any)))\n and ((array_length(targetfilepath_has_any) == 0) or (doc_title_s has_any (targetfilepath_has_any)))\n and (array_length(hashes_has_any) == 0)\n and (array_length(dvchostname_has_any) == 0)\n and event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | project-rename \n EventOriginalUid = id_uniqueQualifier_s,\n ActorUsername = actor_email_s,\n ActorUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n TargetFileMimeType = doc_type_s,\n TargetFilePath = doc_title_s,\n ActingAppId = originating_app_id_s,\n EventOriginalType=event_type_s\n | extend\n TargetAppName = iif(id_applicationName_s == 'drive', \"Google Workspace - Drive\", \"\"),\n TargetAppType = iif(id_applicationName_s == 'drive', \"SaaS application\", \"\"),\n ActorUserIdType = iif(isnotempty(ActorUserId), \"GWorkspaceProfileID\", \"\"),\n SrcFilePath = iif(event_name_s has_any ('rename', 'copy', 'source_copy'), old_value_s, \"\"),\n TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, TargetFilePath),\n TargetFileDirectory = iif(event_name_s has_any ('move'), destination_folder_title_s, \"\"),\n SrcFileDirectory = iif(event_name_s has_any ('move'), source_folder_title_s, \"\"),\n EventType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n 
\"FolderCreated\",\n TargetFileMimeType == \"folder\" and event_name_s == \"rename\",\n \"FolderModified\",\n TargetFileMimeType == \"folder\" and event_name_s == \"delete\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"move\",\n \"FolderMoved\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"FolderCreated\",\n EventType\n ),\n EventSubType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"\",\n EventSubType\n ),\n EventMessage = case(\n event_name_s == 'download',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'edit',\n strcat(ActorUsername, \" edited an item\"),\n event_name_s == 'upload',\n strcat(ActorUsername, \" uploaded an item\"),\n event_name_s == 'create',\n strcat(ActorUsername, \" created an item\"),\n event_name_s == 'rename',\n strcat(ActorUsername, \" renamed \", old_value_s, \" to \", TargetFilePath),\n event_name_s == 'view',\n strcat(ActorUsername, \" viewed an item\"),\n event_name_s == 'preview',\n strcat(ActorUsername, \" previewed an item\"),\n event_name_s == 'copy',\n strcat(ActorUsername, \" created a copy of original document \", old_value_s),\n event_name_s == 'delete',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'trash',\n strcat(ActorUsername, \" trashed an item\"),\n event_name_s == 'move',\n strcat(ActorUsername, \" moved an item from \", source_folder_title_s, \" to \", destination_folder_title_s),\n event_name_s == 'untrash',\n strcat(ActorUsername, \" restored an item\"),\n event_name_s == 'source_copy',\n strcat(ActorUsername, \" copied this item, creating a new item \", copy_type_s, \" your organication \", new_value_s),\n event_name_s == 'deny_access_request',\n 
strcat(ActorUsername, \" denied an access request for \", target_user_s),\n event_name_s == 'expire_access_request',\n strcat(\"An access request for \", target_user_s, \" expired \"),\n event_name_s == 'request_access',\n strcat(ActorUsername, \" requested access to an item for \", target_user_s),\n event_name_s == 'add_to_folder',\n strcat(ActorUsername, \" added an item to \", destination_folder_title_s),\n event_name_s == 'approval_canceled',\n strcat(ActorUsername, \" canceled an approval on an item\"),\n event_name_s == 'approval_comment_added',\n strcat(ActorUsername, \" added a comment on an approval on an item\"),\n event_name_s == 'approval_completed',\n \"An approval was completed\",\n event_name_s == 'approval_decisions_reset',\n \"Approval decisions were reset\",\n event_name_s == 'approval_due_time_change',\n strcat(ActorUsername, \" requested a due time change on an approval\"),\n event_name_s == 'approval_requested',\n strcat(ActorUsername, \" requested approval on an item\"),\n event_name_s == 'approval_reviewer_change',\n strcat(ActorUsername, \" requested a reviewer change on an approval\"),\n event_name_s == 'approval_reviewer_responded',\n strcat(ActorUsername, \" reviewed an approval on an item\"),\n event_name_s == 'create_comment',\n strcat(ActorUsername, \" created a comment\"),\n event_name_s == 'delete_comment',\n strcat(ActorUsername, \" deleted a comment\"),\n event_name_s == 'edit_comment',\n strcat(ActorUsername, \" edited a comment\"),\n event_name_s == 'reassign_comment',\n strcat(ActorUsername, \" reassigned a comment\"),\n event_name_s == 'reopen_comment',\n strcat(ActorUsername, \" reopened a comment\"),\n event_name_s == 'resolve_comment',\n strcat(ActorUsername, \" resolved a comment\"),\n event_name_s == 'add_lock',\n strcat(ActorUsername, \" locked an item\"),\n event_name_s == 'print',\n strcat(ActorUsername, \" printed an item\"),\n event_name_s == 'remove_from_folder',\n strcat(ActorUsername, \" removed an item from from 
\", source_folder_title_s),\n event_name_s == 'remove_lock',\n strcat(ActorUsername, \" unlocked an item\"),\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"Doc_Id\",\n doc_id_s,\n \"Primary_Event\",\n primary_event_b,\n \"Billable\",\n billable_b,\n \"Owner\",\n owner_s,\n \"Owner_Is_Shared_Drive\",\n owner_is_shared_drive_b,\n \"Is_Encrypted\",\n is_encrypted_b,\n \"Visibility\",\n visibility_s,\n \"Copy_Type\",\n copy_type_s,\n \"Shared_Drive_Id\",\n shared_drive_id_s,\n \"Destination_Folder_Id\",\n destination_folder_id_s,\n \"Source_Folder_Id\",\n source_folder_id_s\n )\n | where ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any)))\n | extend\n EventOriginalSubType = event_name_s,\n Application = TargetAppName,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetFileName=TargetFilePath,\n FilePath = TargetFilePath,\n TargetFilePathType = iif(isnotempty(TargetFilePath), \"FileNameOnly\", \"\"),\n SrcFilePathType = iif(isnotempty(SrcFilePath), \"FileNameOnly\", \"\"),\n FileName = TargetFilePath,\n SrcFileName = SrcFilePath,\n User = ActorUsername,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.2.1\",\n EventSchema = \"FileEvent\",\n EventUid = _ItemId,\n Dvc = \"Workspace\"\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n targetfilepath_has_any = targetfilepath_has_any,\n srcfilepath_has_any = srcfilepath_has_any,\n hashes_has_any = hashes_has_any,\n dvchostname_has_any = dvchostname_has_any,\n disabled = disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File events ASIM filtering parser for Google Workspace", + "category": "ASIM", + "FunctionAlias": "vimFileEventGoogleWorkspace", + "query": "let parser = (\n starttime: datetime = datetime(null)\n , endtime: datetime = datetime(null)\n , eventtype_in: dynamic = dynamic([])\n , srcipaddr_has_any_prefix: dynamic = dynamic([])\n , actorusername_has_any: dynamic = dynamic([])\n , targetfilepath_has_any: dynamic = dynamic([])\n , srcfilepath_has_any: dynamic = dynamic([])\n , hashes_has_any: dynamic = dynamic([])\n , dvchostname_has_any: dynamic = dynamic([])\n , disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n doc_type_s: string,\n doc_title_s: string,\n originating_app_id_s: string,\n id_applicationName_s: string,\n old_value_s: string,\n new_value_s: string,\n destination_folder_title_s: string,\n source_folder_title_s: string,\n copy_type_s: string,\n target_user_s: string,\n doc_id_s: string,\n primary_event_b: bool,\n billable_b: bool,\n owner_s: string,\n owner_is_shared_drive_b: bool,\n is_encrypted_b: bool,\n visibility_s: string,\n shared_drive_id_s: string,\n destination_folder_id_s: string,\n source_folder_id_s: string,\n TimeGenerated: datetime,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string,\n _ItemId: string\n)[];\n let EventFieldsLookup = datatable (\n 
EventOriginalSubType: string,\n EventType: string,\n EventSubType: string\n)\n [\n \"download\", \"FileAccessed\", \"Download\",\n \"edit\", \"FileModified\", \"Checkin\",\n \"upload\", \"FileCreated\", \"Upload\",\n \"create\", \"FileCreated\", \"Checkin\",\n \"rename\", \"FileRenamed\", \"\",\n \"view\", \"FileAccessed\", \"Preview\",\n \"preview\", \"FileAccessed\", \"Preview\",\n \"copy\", \"FileCopied\", \"\",\n \"source_copy\", \"FileCopied\", \"\",\n \"delete\", \"FileDeleted\", \"\",\n \"trash\", \"FileDeleted\", \"Recycle\",\n \"move\", \"FileMoved\", \"\",\n \"untrash\", \"FileCreatedOrModified\", \"Checkin\",\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\n \"request_access\", \"FileAccessed\", \"Preview\",\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\n \"approval_canceled\", \"FileAccessed\", \"\",\n \"approval_comment_added\", \"FileAccessed\", \"\",\n \"approval_completed\", \"FileAccessed\", \"Preview\",\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\n \"approval_due_time_change\", \"FileAccessed\", \"\",\n \"approval_requested\", \"FileAccessed\", \"Preview\",\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\n \"create_comment\", \"FileModified\", \"Checkin\",\n \"delete_comment\", \"FileModified\", \"Checkin\",\n \"edit_comment\", \"FileModified\", \"Checkin\",\n \"reassign_comment\", \"FileModified\", \"Checkin\",\n \"reopen_comment\", \"FileModified\", \"Checkin\",\n \"resolve_comment\", \"FileModified\", \"Checkin\",\n \"add_lock\", \"FileModified\", \"\",\n \"print\", \"FileAccessed\", \"Print\",\n \"remove_from_folder\", \"FileDeleted\", \"\",\n \"remove_lock\", \"FileModified\", \"\",\n];\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\n | where not(disabled)\n // -- Pre filtering\n | 
where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and ((array_length(actorusername_has_any) == 0) or (actor_email_s has_any (actorusername_has_any)))\n and ((array_length(targetfilepath_has_any) == 0) or (doc_title_s has_any (targetfilepath_has_any)))\n and (array_length(hashes_has_any) == 0)\n and (array_length(dvchostname_has_any) == 0)\n and event_name_s in (SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | project-rename \n EventOriginalUid = id_uniqueQualifier_s,\n ActorUsername = actor_email_s,\n ActorUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n TargetFileMimeType = doc_type_s,\n TargetFilePath = doc_title_s,\n ActingAppId = originating_app_id_s,\n EventOriginalType=event_type_s\n | extend\n TargetAppName = iif(id_applicationName_s == 'drive', \"Google Workspace - Drive\", \"\"),\n TargetAppType = iif(id_applicationName_s == 'drive', \"SaaS application\", \"\"),\n ActorUserIdType = iif(isnotempty(ActorUserId), \"GWorkspaceProfileID\", \"\"),\n SrcFilePath = iif(event_name_s has_any ('rename', 'copy', 'source_copy'), old_value_s, \"\"),\n TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, TargetFilePath),\n TargetFileDirectory = iif(event_name_s has_any ('move'), destination_folder_title_s, \"\"),\n SrcFileDirectory = iif(event_name_s has_any ('move'), source_folder_title_s, \"\"),\n EventType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"FolderCreated\",\n TargetFileMimeType == \"folder\" and event_name_s == \"rename\",\n \"FolderModified\",\n TargetFileMimeType == \"folder\" and event_name_s == \"delete\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == 
\"trash\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"move\",\n \"FolderMoved\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"FolderCreated\",\n EventType\n ),\n EventSubType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"\",\n EventSubType\n ),\n EventMessage = case(\n event_name_s == 'download',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'edit',\n strcat(ActorUsername, \" edited an item\"),\n event_name_s == 'upload',\n strcat(ActorUsername, \" uploaded an item\"),\n event_name_s == 'create',\n strcat(ActorUsername, \" created an item\"),\n event_name_s == 'rename',\n strcat(ActorUsername, \" renamed \", old_value_s, \" to \", TargetFilePath),\n event_name_s == 'view',\n strcat(ActorUsername, \" viewed an item\"),\n event_name_s == 'preview',\n strcat(ActorUsername, \" previewed an item\"),\n event_name_s == 'copy',\n strcat(ActorUsername, \" created a copy of original document \", old_value_s),\n event_name_s == 'delete',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'trash',\n strcat(ActorUsername, \" trashed an item\"),\n event_name_s == 'move',\n strcat(ActorUsername, \" moved an item from \", source_folder_title_s, \" to \", destination_folder_title_s),\n event_name_s == 'untrash',\n strcat(ActorUsername, \" restored an item\"),\n event_name_s == 'source_copy',\n strcat(ActorUsername, \" copied this item, creating a new item \", copy_type_s, \" your organication \", new_value_s),\n event_name_s == 'deny_access_request',\n strcat(ActorUsername, \" denied an access request for \", target_user_s),\n event_name_s == 'expire_access_request',\n strcat(\"An access request for \", target_user_s, \" expired \"),\n event_name_s == 'request_access',\n strcat(ActorUsername, \" requested 
access to an item for \", target_user_s),\n event_name_s == 'add_to_folder',\n strcat(ActorUsername, \" added an item to \", destination_folder_title_s),\n event_name_s == 'approval_canceled',\n strcat(ActorUsername, \" canceled an approval on an item\"),\n event_name_s == 'approval_comment_added',\n strcat(ActorUsername, \" added a comment on an approval on an item\"),\n event_name_s == 'approval_completed',\n \"An approval was completed\",\n event_name_s == 'approval_decisions_reset',\n \"Approval decisions were reset\",\n event_name_s == 'approval_due_time_change',\n strcat(ActorUsername, \" requested a due time change on an approval\"),\n event_name_s == 'approval_requested',\n strcat(ActorUsername, \" requested approval on an item\"),\n event_name_s == 'approval_reviewer_change',\n strcat(ActorUsername, \" requested a reviewer change on an approval\"),\n event_name_s == 'approval_reviewer_responded',\n strcat(ActorUsername, \" reviewed an approval on an item\"),\n event_name_s == 'create_comment',\n strcat(ActorUsername, \" created a comment\"),\n event_name_s == 'delete_comment',\n strcat(ActorUsername, \" deleted a comment\"),\n event_name_s == 'edit_comment',\n strcat(ActorUsername, \" edited a comment\"),\n event_name_s == 'reassign_comment',\n strcat(ActorUsername, \" reassigned a comment\"),\n event_name_s == 'reopen_comment',\n strcat(ActorUsername, \" reopened a comment\"),\n event_name_s == 'resolve_comment',\n strcat(ActorUsername, \" resolved a comment\"),\n event_name_s == 'add_lock',\n strcat(ActorUsername, \" locked an item\"),\n event_name_s == 'print',\n strcat(ActorUsername, \" printed an item\"),\n event_name_s == 'remove_from_folder',\n strcat(ActorUsername, \" removed an item from from \", source_folder_title_s),\n event_name_s == 'remove_lock',\n strcat(ActorUsername, \" unlocked an item\"),\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"Doc_Id\",\n doc_id_s,\n \"Primary_Event\",\n primary_event_b,\n \"Billable\",\n billable_b,\n 
\"Owner\",\n owner_s,\n \"Owner_Is_Shared_Drive\",\n owner_is_shared_drive_b,\n \"Is_Encrypted\",\n is_encrypted_b,\n \"Visibility\",\n visibility_s,\n \"Copy_Type\",\n copy_type_s,\n \"Shared_Drive_Id\",\n shared_drive_id_s,\n \"Destination_Folder_Id\",\n destination_folder_id_s,\n \"Source_Folder_Id\",\n source_folder_id_s\n )\n | where ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any)))\n | extend\n EventOriginalSubType = event_name_s,\n Application = TargetAppName,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetFileName=TargetFilePath,\n FilePath = TargetFilePath,\n TargetFilePathType = iif(isnotempty(TargetFilePath), \"FileNameOnly\", \"\"),\n SrcFilePathType = iif(isnotempty(SrcFilePath), \"FileNameOnly\", \"\"),\n FileName = TargetFilePath,\n SrcFileName = SrcFilePath,\n User = ActorUsername,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.2.1\",\n EventSchema = \"FileEvent\",\n EventUid = _ItemId,\n Dvc = \"Workspace\"\n | project-away \n *_s,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n targetfilepath_has_any = targetfilepath_has_any,\n srcfilepath_has_any = srcfilepath_has_any,\n hashes_has_any = hashes_has_any,\n dvchostname_has_any = dvchostname_has_any,\n disabled = disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileCreated/vimFileEventLinuxSysmonFileCreated.json b/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileCreated/vimFileEventLinuxSysmonFileCreated.json index 452506ef637..1b907b28931 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileCreated/vimFileEventLinuxSysmonFileCreated.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileCreated/vimFileEventLinuxSysmonFileCreated.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventLinuxSysmonFileCreated')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventLinuxSysmonFileCreated", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File create Activity ASIM filtering parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "vimFileEventLinuxSysmonFileCreated", - "query": "let parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where SyslogMessage has_all ('11')\n // pre-filtering\n | where ((array_length(eventtype_in) == 0) or ('FileCreated' in~ (eventtype_in))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (SyslogMessage has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (SyslogMessage has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0)) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n | 
parse SyslogMessage with *\n ''msgEventRecordID: string''\n *\n //''msgComputer:string''\n ''\n * \n ''msgProcessGuid: string''\n ''msgProcessId: string''\n ''msgImage: string''\n ''msgTargetFileName: string''\n ''msgCreationUtcTime: datetime''*\n | where ((array_length(targetfilepath_has_any) == 0) or (msgTargetFileName has_any (targetfilepath_has_any)))\n | parse SyslogMessage with *''ActorUsername ''*\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any)))\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated \n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileCreated'\n ,\n EventResult ='Success'\n ,\n EventOriginalType ='11' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22'\n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUserType = iff(isnotempty(ActorUsername), 'Simple', '') // make sure user type is okay\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFileName\n ,\n TargetFileCreationTime =msgCreationUtcTime\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n FilePath=TargetFilePath\n ,\n Dvc = DvcHostname\n ,\n User = ActorUsername\n | project-away SyslogMessage\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File create Activity ASIM filtering parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "vimFileEventLinuxSysmonFileCreated", + "query": "let parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where SyslogMessage has_all ('11')\n // pre-filtering\n | where ((array_length(eventtype_in) == 0) or ('FileCreated' in~ (eventtype_in))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (SyslogMessage has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (SyslogMessage has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0)) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n | parse SyslogMessage with *\n ''msgEventRecordID: string''\n *\n //''msgComputer:string''\n ''\n * \n ''msgProcessGuid: string''\n ''msgProcessId: string''\n ''msgImage: string''\n ''msgTargetFileName: string''\n ''msgCreationUtcTime: datetime''*\n | where 
((array_length(targetfilepath_has_any) == 0) or (msgTargetFileName has_any (targetfilepath_has_any)))\n | parse SyslogMessage with *''ActorUsername ''*\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any)))\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated \n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileCreated'\n ,\n EventResult ='Success'\n ,\n EventOriginalType ='11' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22'\n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUserType = iff(isnotempty(ActorUsername), 'Simple', '') // make sure user type is okay\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFileName\n ,\n TargetFileCreationTime =msgCreationUtcTime\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n FilePath=TargetFilePath\n ,\n Dvc = DvcHostname\n ,\n User = ActorUsername\n | project-away SyslogMessage\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline 
at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileDeleted/vimFileEventLinuxSysmonFileDeleted.json b/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileDeleted/vimFileEventLinuxSysmonFileDeleted.json index ac4d4f1c4a3..11cb76edb25 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileDeleted/vimFileEventLinuxSysmonFileDeleted.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventLinuxSysmonFileDeleted/vimFileEventLinuxSysmonFileDeleted.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventLinuxSysmonFileDeleted')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventLinuxSysmonFileDeleted", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File delete activity ASIM filtering parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "vimFileEventLinuxSysmonFileDeleted", - "query": "let parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where SyslogMessage has ('23', '26')\n // pre-filtering\n | where ((array_length(eventtype_in) == 0) or ('FileDeleted' in~ (eventtype_in))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (SyslogMessage has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (SyslogMessage has_any (targetfilepath_has_any))) and\n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | parse 
SyslogMessage with \n ''msgEventId: string''\n *\n ''msgEventRecordID: string''\n *\n ''msgComputer: string''\n ''\n *\n '{'msgProcessGuid: string'}'\n ''msgProcessId: string''\n ''msgUser: string''\n ''msgImage: string''\n ''msgTargetFilename: string''\n ''msgHashes: string'' *\n // post-filtering\n | where ((array_length(actorusername_has_any) == 0) or (msgUser has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (msgTargetFilename has_any (targetfilepath_has_any)))\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileDeleted'\n ,\n EventResult ='Success' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22' \n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUsernameType='Simple'\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n EventOriginalType =msgEventId \n ,\n ActorUsername=msgUser\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFilename\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n FilePath=TargetFilePath\n ,\n Dvc =DvcHostname\n ,\n User=ActorUsername\n | project-away SyslogMessage\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File delete activity ASIM filtering parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "vimFileEventLinuxSysmonFileDeleted", + "query": "let parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where SyslogMessage has ('23', '26')\n // pre-filtering\n | where ((array_length(eventtype_in) == 0) or ('FileDeleted' in~ (eventtype_in))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (SyslogMessage has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (SyslogMessage has_any (targetfilepath_has_any))) and\n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | parse SyslogMessage with \n ''msgEventId: string''\n *\n ''msgEventRecordID: string''\n *\n ''msgComputer: string''\n ''\n *\n '{'msgProcessGuid: string'}'\n ''msgProcessId: string''\n ''msgUser: string''\n ''msgImage: string''\n ''msgTargetFilename: string''\n 
''msgHashes: string'' *\n // post-filtering\n | where ((array_length(actorusername_has_any) == 0) or (msgUser has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (msgTargetFilename has_any (targetfilepath_has_any)))\n | extend\n EventCount=int(1)\n ,\n EventStartTime =TimeGenerated\n ,\n EventEndTime=TimeGenerated\n ,\n EventType = 'FileDeleted'\n ,\n EventResult ='Success' \n ,\n EventProduct='Sysmon for Linux'\n ,\n EventProductVersion='v13.22' \n ,\n EventVendor ='Microsoft'\n ,\n EventSchemaVersion ='0.1.0'\n ,\n DvcOs = 'Linux'\n ,\n TargetFilePathType='Unix'\n ,\n ActorUsernameType='Simple'\n | project-rename\n DvcHostname=Computer\n ,\n EventOriginalUid=msgEventRecordID\n ,\n EventOriginalType =msgEventId \n ,\n ActorUsername=msgUser\n ,\n ActingProcessName =msgImage\n ,\n ActingProcessId=msgProcessId\n ,\n ActingProcessGuid=msgProcessGuid\n ,\n TargetFilePath =msgTargetFilename\n // ------ Alias\n | extend\n Process=ActingProcessName\n ,\n FilePath=TargetFilePath\n ,\n Dvc =DvcHostname\n ,\n User=ActorUsername\n | project-away SyslogMessage\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventM365D/vimFileEventM365D.json b/Parsers/ASimFileEvent/ARM/vimFileEventM365D/vimFileEventM365D.json index 7bbf682c70f..d01fff06201 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventM365D/vimFileEventM365D.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventM365D/vimFileEventM365D.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM filtering parser for Microsoft 365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoft365D", - "query": "let protocols = dynamic(['smb']);\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let remote_events = \n DeviceFileEvents\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where isnotempty(RequestAccountName)\n | where ((array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(RequestSourceIP, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (RequestAccountName has_any (actorusername_has_any)) or (RequestAccountDomain has_any (actorusername_has_any)) or (strcat(RequestAccountDomain, '\\\\', RequestAccountName) has_any (actorusername_has_any))) and\n 
((array_length(targetfilepath_has_any) == 0) or (FileName has_any (targetfilepath_has_any)) or (FolderPath has_any (targetfilepath_has_any)) or (strcat(FolderPath, iff(FolderPath startswith \"/\", \"/\", \"\\\\\"), FileName) has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (PreviousFileName has_any (srcfilepath_has_any)) or (PreviousFolderPath has_any (srcfilepath_has_any)) or (strcat(FolderPath, iff(PreviousFolderPath startswith \"/\", \"/\", \"\\\\\"), PreviousFileName) has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (SHA256 in (hashes_has_any)) or (SHA1 in (hashes_has_any)) or (MD5 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any))\n | project-rename \n SrcIpAddr = RequestSourceIP,\n ActorUserSid = RequestAccountSid,\n TargetUserSid = InitiatingProcessAccountSid,\n TargetUserAadId = InitiatingProcessAccountObjectId,\n TargetUserUpn = InitiatingProcessAccountUpn\n | extend\n ActorWindowsUsername = strcat(RequestAccountDomain, '\\\\', RequestAccountName),\n TargetWindowsUsername = strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName),\n ActorUserUpn = \"\",\n ActorUserAadId = \"\"\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid),\n TargetUserType = _ASIM_GetWindowsUserType(TargetWindowsUsername, TargetUserSid)\n | extend\n SrcPortNumber = toint(RequestSourcePort),\n TargetUsername = coalesce(TargetUserUpn, TargetWindowsUsername),\n TargetUsernameType = iff(isempty(TargetUserUpn), 'Windows', 'UPN'),\n TargetUserId = coalesce(TargetUserAadId, TargetUserSid), \n TargetUserIdType = iff(isempty(TargetUserSid), 'AADID', 'SID'),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n ;\n let local_events = \n DeviceFileEvents\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where 
isempty(RequestAccountName)\n | where ((array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0)) and \n ((array_length(actorusername_has_any) == 0) or (InitiatingProcessAccountDomain has_any (actorusername_has_any)) or (InitiatingProcessAccountName has_any (actorusername_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) has_any (actorusername_has_any)) or (InitiatingProcessAccountUpn has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (FileName has_any (targetfilepath_has_any)) or (FolderPath has_any (targetfilepath_has_any)) or (strcat(FolderPath, iff(FolderPath startswith \"/\", \"/\", \"\\\\\"), FileName) has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (PreviousFileName has_any (srcfilepath_has_any)) or (PreviousFolderPath has_any (srcfilepath_has_any)) or (strcat(FolderPath, iff(PreviousFolderPath startswith \"/\", \"/\", \"\\\\\"), PreviousFileName) has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (SHA256 in (hashes_has_any)) or (SHA1 in (hashes_has_any)) or (MD5 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any)) \n | project-rename\n ActorUserSid = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn\n | extend \n ActorWindowsUsername = strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) \n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid)\n | project-away RequestAccountSid, RequestSourceIP\n ;\n union \n remote_events\n , \n local_events\n | project-rename\n EventType = ActionType,\n DvcId = DeviceId,\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileSHA256 = SHA256,\n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessName 
=InitiatingProcessFolderPath,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessParentFileName = InitiatingProcessParentFileName,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessParentCreationTime = InitiatingProcessParentCreationTime,\n TargetFileName = FileName,\n SrcFileName = PreviousFileName\n | extend\n DvcOs = iff(FolderPath startswith \"/\", \"Linux\", \"Windows\"),\n TargetFileSize = tolong(FileSize)\n | extend\n EventCount = int(1),\n EventOriginalUid = tostring(ReportId),\n ActingProcessId = tostring(InitiatingProcessId),\n EventStartTime = Timestamp, \n EventEndTime= Timestamp,\n EventResult = 'Success',\n EventProduct = 'M365 Defender for Endpoint',\n EventSchema = 'FileEvent',\n EventVendor = 'Microsoft',\n EventSeverity = 'Informational',\n EventSchemaVersion = '0.2.1',\n DvcIdType = \"MDEid\",\n ActorUsername = coalesce(ActorUserUpn, ActorWindowsUsername),\n ActorUsernameType = iff(isempty(ActorUserUpn), 'Windows', 'UPN'),\n ActorUserId = coalesce(ActorUserAadId, ActorUserSid), \n ActorUserIdType = iff(isempty(ActorUserSid), 'AADID', 'SID'),\n TargetFilePath = strcat(FolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), TargetFileName),\n TargetFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n SrcFilePath = strcat(PreviousFolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), SrcFileName),\n SrcFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),\n NetworkApplicationProtocol = iff (RequestProtocol in (protocols), toupper(RequestProtocol), \"\")\n | invoke _ASIM_ResolveDvcFQDN ('DeviceName')\n | project-away DeviceName\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5), Hash)]) \n // ****** Aliases\n | extend \n User = 
ActorUsername,\n Dvc = coalesce(DvcFQDN, DvcHostname),\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n CommandLine = ActingProcessCommandLine,\n DvcMDEid = DvcId,\n FileName = TargetFileName\n | project-away\n MachineGroup,\n ReportId,\n SourceSystem,\n Initiating*,\n Timestamp,\n TenantId,\n Request*,\n PreviousFolderPath,\n FolderPath,\n AppGuardContainerId\n | project-away ShareName, IsAzureInfoProtectionApplied, FileOrigin*, Sensitivity*\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM filtering parser for Microsoft 365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoft365D", + "query": "let protocols = dynamic(['smb']);\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let remote_events = \n DeviceFileEvents\n | where not(disabled)\n | where 
(isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where isnotempty(RequestAccountName)\n | where ((array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(RequestSourceIP, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (RequestAccountName has_any (actorusername_has_any)) or (RequestAccountDomain has_any (actorusername_has_any)) or (strcat(RequestAccountDomain, '\\\\', RequestAccountName) has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (FileName has_any (targetfilepath_has_any)) or (FolderPath has_any (targetfilepath_has_any)) or (strcat(FolderPath, iff(FolderPath startswith \"/\", \"/\", \"\\\\\"), FileName) has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (PreviousFileName has_any (srcfilepath_has_any)) or (PreviousFolderPath has_any (srcfilepath_has_any)) or (strcat(FolderPath, iff(PreviousFolderPath startswith \"/\", \"/\", \"\\\\\"), PreviousFileName) has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (SHA256 in (hashes_has_any)) or (SHA1 in (hashes_has_any)) or (MD5 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any))\n | project-rename \n SrcIpAddr = RequestSourceIP,\n ActorUserSid = RequestAccountSid,\n TargetUserSid = InitiatingProcessAccountSid,\n TargetUserAadId = InitiatingProcessAccountObjectId,\n TargetUserUpn = InitiatingProcessAccountUpn\n | extend\n ActorWindowsUsername = strcat(RequestAccountDomain, '\\\\', RequestAccountName),\n TargetWindowsUsername = strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName),\n ActorUserUpn = \"\",\n ActorUserAadId = \"\"\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid),\n TargetUserType = 
_ASIM_GetWindowsUserType(TargetWindowsUsername, TargetUserSid)\n | extend\n SrcPortNumber = toint(RequestSourcePort),\n TargetUsername = coalesce(TargetUserUpn, TargetWindowsUsername),\n TargetUsernameType = iff(isempty(TargetUserUpn), 'Windows', 'UPN'),\n TargetUserId = coalesce(TargetUserAadId, TargetUserSid), \n TargetUserIdType = iff(isempty(TargetUserSid), 'AADID', 'SID'),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n ;\n let local_events = \n DeviceFileEvents\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where isempty(RequestAccountName)\n | where ((array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0)) and \n ((array_length(actorusername_has_any) == 0) or (InitiatingProcessAccountDomain has_any (actorusername_has_any)) or (InitiatingProcessAccountName has_any (actorusername_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) has_any (actorusername_has_any)) or (InitiatingProcessAccountUpn has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (FileName has_any (targetfilepath_has_any)) or (FolderPath has_any (targetfilepath_has_any)) or (strcat(FolderPath, iff(FolderPath startswith \"/\", \"/\", \"\\\\\"), FileName) has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (PreviousFileName has_any (srcfilepath_has_any)) or (PreviousFolderPath has_any (srcfilepath_has_any)) or (strcat(FolderPath, iff(PreviousFolderPath startswith \"/\", \"/\", \"\\\\\"), PreviousFileName) has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (SHA256 in (hashes_has_any)) or (SHA1 in (hashes_has_any)) or (MD5 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any)) \n | project-rename\n ActorUserSid = InitiatingProcessAccountSid,\n 
ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn\n | extend \n ActorWindowsUsername = strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) \n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorWindowsUsername, ActorUserSid)\n | project-away RequestAccountSid, RequestSourceIP\n ;\n union \n remote_events\n , \n local_events\n | project-rename\n EventType = ActionType,\n DvcId = DeviceId,\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileSHA256 = SHA256,\n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessName =InitiatingProcessFolderPath,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessParentFileName = InitiatingProcessParentFileName,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessParentCreationTime = InitiatingProcessParentCreationTime,\n TargetFileName = FileName,\n SrcFileName = PreviousFileName\n | extend\n DvcOs = iff(FolderPath startswith \"/\", \"Linux\", \"Windows\"),\n TargetFileSize = tolong(FileSize)\n | extend\n EventCount = int(1),\n EventOriginalUid = tostring(ReportId),\n ActingProcessId = tostring(InitiatingProcessId),\n EventStartTime = Timestamp, \n EventEndTime= Timestamp,\n EventResult = 'Success',\n EventProduct = 'M365 Defender for Endpoint',\n EventSchema = 'FileEvent',\n EventVendor = 'Microsoft',\n EventSeverity = 'Informational',\n EventSchemaVersion = '0.2.1',\n DvcIdType = \"MDEid\",\n ActorUsername = coalesce(ActorUserUpn, ActorWindowsUsername),\n ActorUsernameType = iff(isempty(ActorUserUpn), 'Windows', 'UPN'),\n ActorUserId = coalesce(ActorUserAadId, ActorUserSid), \n ActorUserIdType = iff(isempty(ActorUserSid), 'AADID', 'SID'),\n TargetFilePath = strcat(FolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), TargetFileName),\n TargetFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows 
Local\"),\n SrcFilePath = strcat(PreviousFolderPath, iff(DvcOs == \"Linux\", \"/\", \"\\\\\"), SrcFileName),\n SrcFilePathType = iff(DvcOs == \"Linux\", \"Unix\", \"Windows Local\"),\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5),\n NetworkApplicationProtocol = iff (RequestProtocol in (protocols), toupper(RequestProtocol), \"\")\n | invoke _ASIM_ResolveDvcFQDN ('DeviceName')\n | project-away DeviceName\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5), Hash)]) \n // ****** Aliases\n | extend \n User = ActorUsername,\n Dvc = coalesce(DvcFQDN, DvcHostname),\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n CommandLine = ActingProcessCommandLine,\n DvcMDEid = DvcId,\n FileName = TargetFileName\n | project-away\n MachineGroup,\n ReportId,\n SourceSystem,\n Initiating*,\n Timestamp,\n TenantId,\n Request*,\n PreviousFolderPath,\n FolderPath,\n AppGuardContainerId\n | project-away ShareName, IsAzureInfoProtectionApplied, FileOrigin*, Sensitivity*\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
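Review bot: The srcfilepath_has_any filter in the query (both the remote_events and local_events branches on the new side of this hunk) builds the source path from the wrong column: `strcat(FolderPath, iff(PreviousFolderPath startswith "/", "/", "\\"), PreviousFileName)` joins the target folder to the previous file name, so a caller filtering on a full source path can miss rename or move events whose folder changed. The SrcFilePath column later in the same query already uses `PreviousFolderPath`, and the filter should match it: `strcat(PreviousFolderPath, iff(PreviousFolderPath startswith "/", "/", "\\"), PreviousFileName)`. This ARM template appears to be generated from the parser YAML, so the correction belongs in the YAML source and should be regenerated rather than patched here. The flattening to a `workspaces/savedSearches` resource itself looks consistent as far as this hunk shows.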
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSecurityEvents/vimFileEventMicrosoftSecurityEvents.json b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSecurityEvents/vimFileEventMicrosoftSecurityEvents.json
index e4b457bf3a3..90362ea7087 100644
--- a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSecurityEvents/vimFileEventMicrosoftSecurityEvents.json
+++ b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSecurityEvents/vimFileEventMicrosoftSecurityEvents.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM filtering parser for Microsoft Windows Events", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoftSecurityEvents", - "query": "let Parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"ObjectAccessed\"\n ,\n \"0x10\", \"MetadataModified\"\n ,\n \"0x100\", \"MetadataModified\"\n ,\n \"0x10000\", \"ObjectDeleted\"\n ,\n \"0x2\", \"ObjectModified\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x4\", \"ObjectModified\"\n ,\n \"0x40\", \"ObjectDeleted\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x6\", \"ObjectModified\"\n ,\n \"0x8\", \"MetadataAccessed\"\n ,\n \"0x80\", \"MetadataAccessed\"\n ,\n \"0x80000\", \"MetadataModified\"\n];\n let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \n let KnownSIDs = datatable (sid: string, username: 
string, type: string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 \n and ObjectType == \"File\"\n and ObjectName !startswith @\"\\Device\\\"\n | where (array_length(srcipaddr_has_any_prefix) == 0) and \n ((array_length(targetfilepath_has_any) == 0) or (ObjectName has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | project\n TimeGenerated,\n EventID,\n AccessMask,\n ProcessName,\n SubjectUserSid,\n AccountType,\n Computer,\n ObjectName,\n ProcessId,\n SubjectUserName,\n SubjectAccount,\n SubjectLogonId,\n HandleId,\n Type\n | lookup EventTypeLookup on AccessMask\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n | lookup UserTypeLookup on AccountType\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActingProcessName = ProcessName\n ,\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n ,\n ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetFilePath = ObjectName\n ,\n TargetFilePathFormat = \"Windows Local\"\n ,\n ActingProcessId = tostring(toint(ProcessId))\n ,\n EventOriginalType = tostring(EventID)\n | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n | project-away EventID, ProcessId, AccountType, username\n | project-rename\n ActorUserId = SubjectUserSid\n ,\n DvcHostname = Computer\n ,\n Process = ProcessName\n ,\n FilePath = ObjectName\n ,\n ActorSessionId = SubjectLogonId\n ,\n FileSessionId = HandleId\n | extend\n EventSchema = \"FileEvent\"\n ,\n 
EventSchemaVersion = \"0.1.1\"\n ,\n EventResult = \"Success\"\n ,\n EventCount = int(1)\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Security Events'\n ,\n Dvc = DvcHostname\n ,\n ActorWindowsUsername = ActorUsername\n ,\n User = ActorUsername\n ,\n ActorUserSid = ActorUserId,\n ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM filtering parser for Microsoft Windows Events", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoftSecurityEvents", + "query": "let Parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", 
\"ObjectAccessed\"\n ,\n \"0x10\", \"MetadataModified\"\n ,\n \"0x100\", \"MetadataModified\"\n ,\n \"0x10000\", \"ObjectDeleted\"\n ,\n \"0x2\", \"ObjectModified\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x4\", \"ObjectModified\"\n ,\n \"0x40\", \"ObjectDeleted\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x6\", \"ObjectModified\"\n ,\n \"0x8\", \"MetadataAccessed\"\n ,\n \"0x80\", \"MetadataAccessed\"\n ,\n \"0x80000\", \"MetadataModified\"\n];\n let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \n let KnownSIDs = datatable (sid: string, username: string, type: string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 \n and ObjectType == \"File\"\n and ObjectName !startswith @\"\\Device\\\"\n | where (array_length(srcipaddr_has_any_prefix) == 0) and \n ((array_length(targetfilepath_has_any) == 0) or (ObjectName has_any (targetfilepath_has_any))) and \n (array_length(srcfilepath_has_any) == 0) and\n (array_length(hashes_has_any) == 0) and \n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | project\n TimeGenerated,\n EventID,\n AccessMask,\n ProcessName,\n SubjectUserSid,\n AccountType,\n Computer,\n ObjectName,\n ProcessId,\n SubjectUserName,\n SubjectAccount,\n SubjectLogonId,\n HandleId,\n Type\n | lookup EventTypeLookup on AccessMask\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n | lookup UserTypeLookup on AccountType\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActingProcessName = ProcessName\n ,\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n ,\n ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')\n ,\n EventStartTime = 
TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetFilePath = ObjectName\n ,\n TargetFilePathFormat = \"Windows Local\"\n ,\n ActingProcessId = tostring(toint(ProcessId))\n ,\n EventOriginalType = tostring(EventID)\n | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n | project-away EventID, ProcessId, AccountType, username\n | project-rename\n ActorUserId = SubjectUserSid\n ,\n DvcHostname = Computer\n ,\n Process = ProcessName\n ,\n FilePath = ObjectName\n ,\n ActorSessionId = SubjectLogonId\n ,\n FileSessionId = HandleId\n | extend\n EventSchema = \"FileEvent\"\n ,\n EventSchemaVersion = \"0.1.1\"\n ,\n EventResult = \"Success\"\n ,\n EventCount = int(1)\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Security Events'\n ,\n Dvc = DvcHostname\n ,\n ActorWindowsUsername = ActorUsername\n ,\n User = ActorUsername\n ,\n ActorUserSid = ActorUserId,\n ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
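Review bot: EventTypeLookup in the new query is applied with a plain `lookup`, which is a left outer join, so a 4663 record whose AccessMask is not one of the thirteen listed values (a combined mask, constructed example "0x3", would be such a case) passes through with an empty EventType and is only dropped when eventtype_in is non-empty. If EventType is required by downstream consumers, a guard after the lookup such as `| where isnotempty(EventType)` or a documented default value should be added, and that decision kept in the parser YAML this template appears to be generated from. EventSchemaVersion is "0.1.1" here while the M365D parser in this same change reports "0.2.1", which is worth confirming as intentional rather than a stale field.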
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSharePoint/vimFileEventMicrosoftSharePoint.json b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSharePoint/vimFileEventMicrosoftSharePoint.json
index 0df7af3ba80..c41d572be36 100644
--- a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSharePoint/vimFileEventMicrosoftSharePoint.json
+++ b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSharePoint/vimFileEventMicrosoftSharePoint.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftSharePoint')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoftSharePoint", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Activity ASIM filtering parser for Sharepoint and OneDrive for business", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoftSharePoint", - "query": "let _ASIM_ResolveActorUsername = (T: (*), UsernameField: string) { \n T\n | extend ActorUsername = column_ifexists(UsernameField, \"\")\n | extend windows = ActorUsername has '\\\\'\n | extend \n ActorUsernameType = iff (windows, \"Windows\", \"UPN\"),\n ActorUserUpn = iff (windows, \"\", ActorUsername),\n ActorWindowsUsername = iff (windows, ActorUsername, \"\")\n};\nlet operations = datatable (Operation: string, EventType: string, EventSubType: string) [\n \"FileUploaded\", \"FileCreated\", \"Upload\",\n \"FileAccessedExtended\", \"FileAccessed\", \"Extended\",\n \"FileRecycled\", \"FileDeleted\", \"Recycle\",\n \"FileDeleted\", \"FileDeleted\", \"\",\n \"FileAccessed\", \"FileAccessed\", \"\",\n \"FolderCreated\", \"FolderCreated\", \"\",\n \"FilePreviewed\", \"FileAccessed\", \"Preview\",\n \"FileDownloaded\", \"FileAccessed\", \"Download\",\n \"FileSyncDownloadedFull\", \"FileAccessed\", \"Download\",\n \"FolderModified\", \"FolderModified\", \"\",\n \"FileModifiedExtended\", \"FolderModified\", \"Extended\",\n \"FileModified\", \"FolderModified\", \"\",\n \"FileVersionsAllDeleted\", \"FolderDeleted\", \"Versions\",\n 
\"FileSyncUploadedFull\", \"FileCreated\", \"Upload\",\n \"FileSensitivityLabelApplied\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelChanged\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelRemoved\", \"FileAttributesUpdated\", \"\",\n \"SiteDeleted\", \"FolderDeleted\", \"Site\",\n \"FileRenamed\", \"FileRenamed\", \"\",\n \"FileMoved\", \"FileMoved\", \"\",\n \"FileCopied\", \"FileCopied\", \"\",\n \"FolderCopied\", \"FolderCopied\", \"\",\n \"FolderMoved\", \"FolderMoved\", \"\",\n \"FolderRenamed\", \"FolderRenamed\", \"\",\n \"FolderRecycled\", \"FolderDeleted\", \"Recycle\",\n \"FolderDeleted\", \"FolderDeleted\", \"\",\n \"FileCheckedIn\", \"FileCreatedOrModified\", \"Checkin\",\n \"FileCheckedOut\", \"FileAccessed\", \"Checkout\"\n];\nlet multiple_file_operations = dynamic([\n \"FileRenamed\",\n \"FileMoved\",\n \"FileCopied\",\n \"FolderCopied\",\n \"FolderMoved\",\n \"FolderRenamed\"\n ]);\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let OfficeActivityProjected = \n OfficeActivity\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where RecordType == \"SharePointFileOperation\" and Operation != \"FileMalwareDetected\"\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(ClientIP, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (UserId has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (OfficeObjectId has_any (targetfilepath_has_any)) or (strcat (Site_Url, 
DestinationRelativeUrl, \"/\", DestinationFileName) has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0) or (OfficeObjectId has_any (srcfilepath_has_any))) and\n (array_length(hashes_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0)\n | project\n Operation,\n OrganizationId,\n OrganizationName,\n SourceRecordId,\n OfficeWorkload,\n UserId,\n ClientIP,\n UserAgent,\n Start_Time,\n TimeGenerated,\n Type,\n OfficeObjectId,\n SourceFileName,\n SourceFileExtension,\n DestinationFileName,\n DestinationFileExtension,\n Site_Url,\n DestinationRelativeUrl,\n UserKey,\n MachineDomainInfo,\n MachineId; // ,_ItemId \n let SingleFileOperationEvents = \n OfficeActivityProjected\n | where Operation !in (multiple_file_operations)\n | project-rename \n TargetFilePath = OfficeObjectId,\n TargetFileName = SourceFileName,\n TargetFileExtension = SourceFileExtension\n // Post-filtering\n | where (array_length(srcfilepath_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | extend \n TargetFilePathType = \"URL\"\n | project-away DestinationFileName, DestinationFileExtension, DestinationRelativeUrl\n ;\n // single in dest: SiteDeleted\n let MultipleFileOperationsEvents = \n OfficeActivityProjected\n | where Operation in (multiple_file_operations)\n | project-rename \n SrcFilePath = OfficeObjectId,\n TargetFileName = DestinationFileName,\n TargetFileExtension = DestinationFileExtension,\n SrcFileName = SourceFileName,\n SrcFileExtension = SourceFileExtension\n | extend \n TargetFilePath = strcat (Site_Url, DestinationRelativeUrl, \"/\", TargetFileName),\n TargetFilePathType = \"URL\",\n SrcFilePathType = \"URL\"\n // Post-filtering\n | where ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | project-away DestinationRelativeUrl\n ;\n 
union SingleFileOperationEvents, MultipleFileOperationsEvents\n | lookup operations on Operation\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | invoke _ASIM_ResolveActorUsername('UserId')\n | project-away UserId\n | project-rename \n EventOriginalType = Operation,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId,\n EventProduct = OfficeWorkload,\n ActorUserId = UserKey,\n HttpUserAgent = UserAgent,\n SrcIpAddr = ClientIP,\n EventStartTime = Start_Time,\n // EvetUid = _ItemId,\n TargetUrl = Site_Url,\n SrcDvcId = MachineId,\n SrcDvcScopeId = MachineDomainInfo\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated,\n EventResult = \"Success\",\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.1',\n EventSchema = \"FileEvent\",\n ActorUserIdType = 'Other',\n SrcDvcIdType = 'Other',\n TargetAppName = EventProduct,\n TargetAppType = 'SaaS application',\n Dvc = strcat ('Microsoft ', EventProduct)\n // Aliases\n | extend \n User = ActorUsername,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Url = TargetUrl,\n Dvc = EventProduct,\n Application = EventProduct\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Activity ASIM filtering parser for Sharepoint and OneDrive for business", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoftSharePoint", + "query": "let _ASIM_ResolveActorUsername = (T: (*), UsernameField: string) { \n T\n | extend ActorUsername = column_ifexists(UsernameField, \"\")\n | extend windows = ActorUsername has '\\\\'\n | extend \n ActorUsernameType = iff (windows, \"Windows\", \"UPN\"),\n ActorUserUpn = iff (windows, \"\", ActorUsername),\n ActorWindowsUsername = iff (windows, ActorUsername, \"\")\n};\nlet operations = datatable (Operation: string, EventType: string, EventSubType: string) [\n \"FileUploaded\", \"FileCreated\", \"Upload\",\n \"FileAccessedExtended\", \"FileAccessed\", \"Extended\",\n \"FileRecycled\", \"FileDeleted\", \"Recycle\",\n \"FileDeleted\", \"FileDeleted\", \"\",\n \"FileAccessed\", \"FileAccessed\", \"\",\n \"FolderCreated\", \"FolderCreated\", \"\",\n \"FilePreviewed\", \"FileAccessed\", \"Preview\",\n \"FileDownloaded\", \"FileAccessed\", \"Download\",\n \"FileSyncDownloadedFull\", \"FileAccessed\", \"Download\",\n \"FolderModified\", \"FolderModified\", \"\",\n \"FileModifiedExtended\", \"FolderModified\", \"Extended\",\n \"FileModified\", \"FolderModified\", \"\",\n \"FileVersionsAllDeleted\", \"FolderDeleted\", \"Versions\",\n \"FileSyncUploadedFull\", \"FileCreated\", \"Upload\",\n \"FileSensitivityLabelApplied\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelChanged\", \"FileAttributesUpdated\", \"\",\n \"FileSensitivityLabelRemoved\", \"FileAttributesUpdated\", \"\",\n 
\"SiteDeleted\", \"FolderDeleted\", \"Site\",\n \"FileRenamed\", \"FileRenamed\", \"\",\n \"FileMoved\", \"FileMoved\", \"\",\n \"FileCopied\", \"FileCopied\", \"\",\n \"FolderCopied\", \"FolderCopied\", \"\",\n \"FolderMoved\", \"FolderMoved\", \"\",\n \"FolderRenamed\", \"FolderRenamed\", \"\",\n \"FolderRecycled\", \"FolderDeleted\", \"Recycle\",\n \"FolderDeleted\", \"FolderDeleted\", \"\",\n \"FileCheckedIn\", \"FileCreatedOrModified\", \"Checkin\",\n \"FileCheckedOut\", \"FileAccessed\", \"Checkout\"\n];\nlet multiple_file_operations = dynamic([\n \"FileRenamed\",\n \"FileMoved\",\n \"FileCopied\",\n \"FolderCopied\",\n \"FolderMoved\",\n \"FolderRenamed\"\n ]);\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let OfficeActivityProjected = \n OfficeActivity\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where RecordType == \"SharePointFileOperation\" and Operation != \"FileMalwareDetected\"\n | where ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(ClientIP, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (UserId has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (OfficeObjectId has_any (targetfilepath_has_any)) or (strcat (Site_Url, DestinationRelativeUrl, \"/\", DestinationFileName) has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0) or (OfficeObjectId has_any (srcfilepath_has_any))) and\n (array_length(hashes_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0)\n | 
project\n Operation,\n OrganizationId,\n OrganizationName,\n SourceRecordId,\n OfficeWorkload,\n UserId,\n ClientIP,\n UserAgent,\n Start_Time,\n TimeGenerated,\n Type,\n OfficeObjectId,\n SourceFileName,\n SourceFileExtension,\n DestinationFileName,\n DestinationFileExtension,\n Site_Url,\n DestinationRelativeUrl,\n UserKey,\n MachineDomainInfo,\n MachineId; // ,_ItemId \n let SingleFileOperationEvents = \n OfficeActivityProjected\n | where Operation !in (multiple_file_operations)\n | project-rename \n TargetFilePath = OfficeObjectId,\n TargetFileName = SourceFileName,\n TargetFileExtension = SourceFileExtension\n // Post-filtering\n | where (array_length(srcfilepath_has_any) == 0) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | extend \n TargetFilePathType = \"URL\"\n | project-away DestinationFileName, DestinationFileExtension, DestinationRelativeUrl\n ;\n // single in dest: SiteDeleted\n let MultipleFileOperationsEvents = \n OfficeActivityProjected\n | where Operation in (multiple_file_operations)\n | project-rename \n SrcFilePath = OfficeObjectId,\n TargetFileName = DestinationFileName,\n TargetFileExtension = DestinationFileExtension,\n SrcFileName = SourceFileName,\n SrcFileExtension = SourceFileExtension\n | extend \n TargetFilePath = strcat (Site_Url, DestinationRelativeUrl, \"/\", TargetFileName),\n TargetFilePathType = \"URL\",\n SrcFilePathType = \"URL\"\n // Post-filtering\n | where ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | project-away DestinationRelativeUrl\n ;\n union SingleFileOperationEvents, MultipleFileOperationsEvents\n | lookup operations on Operation\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | invoke _ASIM_ResolveActorUsername('UserId')\n | project-away UserId\n | project-rename \n 
EventOriginalType = Operation,\n ActorScopeId = OrganizationId,\n ActorScope = OrganizationName,\n EventOriginalUid = SourceRecordId,\n EventProduct = OfficeWorkload,\n ActorUserId = UserKey,\n HttpUserAgent = UserAgent,\n SrcIpAddr = ClientIP,\n EventStartTime = Start_Time,\n // EvetUid = _ItemId,\n TargetUrl = Site_Url,\n SrcDvcId = MachineId,\n SrcDvcScopeId = MachineDomainInfo\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated,\n EventResult = \"Success\",\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.1',\n EventSchema = \"FileEvent\",\n ActorUserIdType = 'Other',\n SrcDvcIdType = 'Other',\n TargetAppName = EventProduct,\n TargetAppType = 'SaaS application',\n Dvc = strcat ('Microsoft ', EventProduct)\n // Aliases\n | extend \n User = ActorUsername,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Url = TargetUrl,\n Dvc = EventProduct,\n Application = EventProduct\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
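Review bot: In the query on the new side, `project-rename` sets `EventStartTime = Start_Time` and the very next `extend` overwrites it with `EventStartTime = TimeGenerated`, so the source's own `Start_Time` is discarded and both EventStartTime and EventEndTime end up as the ingestion timestamp, which skews any timeline or dwell-time analysis built on this parser. The same pattern hits `Dvc`: `Dvc = strcat ('Microsoft ', EventProduct)` is immediately replaced by the alias `Dvc = EventProduct`, leaving the first assignment dead. The query string is byte-identical on the old and new side of this hunk, which only flattens the ARM resource, and since this JSON appears to be generated from the parser YAML the fix belongs there: drop the line `EventStartTime = TimeGenerated,` from the `extend` (keeping the rename) and keep only one of the two `Dvc` assignments. Presumably `EventEndTime` should then also follow the source time, e.g. `EventEndTime = EventStartTime,` — confirm against the FileEvent schema before changing it.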
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmon/vimFileEventMicrosoftSysmon.json b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmon/vimFileEventMicrosoftSysmon.json index 11bc308f6cd..98d3a8ec848 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmon/vimFileEventMicrosoftSysmon.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmon/vimFileEventMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File event ASIM filtering parser for Windows Sysmon", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoftSysmon", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n // -- Event parser\n let EventParser = () {\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | project\n EventID,\n EventData,\n Computer,\n TimeGenerated,\n _ResourceId,\n _SubscriptionId,\n Source,\n Type, \n _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (11, 23, 26)\n | project-away Source\n // pre-filtering\n | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(srcfilepath_has_any) == 0)) and\n ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any))\n | parse-kv 
EventData as (\n RuleName: string,\n UtcTime: datetime, \n ProcessGuid: string,\n ProcessId: string,\n Image: string,\n User: string,\n TargetFilename: string,\n Hashes: string,\n CreationUtcTime: datetime\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActingProcessGuid = ProcessGuid,\n ActingProcessId = ProcessId,\n ActorUsername = User,\n ActingProcessName = Image,\n TargetFileCreationTime=CreationUtcTime,\n TargetFilePath=TargetFilename,\n EventStartTime=UtcTime\n // Filter for ActorUsername and TargetFilePath\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and \n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | project-away EventData\n};\n EventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath, '\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5: string,\n SHA1: string,\n IMPHASH: string,\n SHA256: string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n // Filter for hash\n | where (array_length(hashes_has_any) == 0)\n or (TargetFileMD5 has_any (hashes_has_any))\n or (TargetFileSHA1 has_any (hashes_has_any))\n or (TargetFileIMPHASH has_any (hashes_has_any))\n or 
(TargetFileSHA256 has_any (hashes_has_any))\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File event ASIM filtering parser for Windows Sysmon", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoftSysmon", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n 
dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n // -- Event parser\n let EventParser = () {\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | project\n EventID,\n EventData,\n Computer,\n TimeGenerated,\n _ResourceId,\n _SubscriptionId,\n Source,\n Type, \n _ItemId \n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (11, 23, 26)\n | project-away Source\n // pre-filtering\n | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(srcfilepath_has_any) == 0)) and\n ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any))\n | parse-kv EventData as (\n RuleName: string,\n UtcTime: datetime, \n ProcessGuid: string,\n ProcessId: string,\n Image: string,\n User: string,\n TargetFilename: string,\n Hashes: string,\n CreationUtcTime: datetime\n )\n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActingProcessGuid = ProcessGuid,\n ActingProcessId = ProcessId,\n ActorUsername = User,\n ActingProcessName = Image,\n TargetFileCreationTime=CreationUtcTime,\n TargetFilePath=TargetFilename,\n EventStartTime=UtcTime\n // Filter for ActorUsername and TargetFilePath\n | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and \n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n | project-away EventData\n};\n EventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n 
TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath, '\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5: string,\n SHA1: string,\n IMPHASH: string,\n SHA256: string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n // Filter for hash\n | where (array_length(hashes_has_any) == 0)\n or (TargetFileMD5 has_any (hashes_has_any))\n or (TargetFileSHA1 has_any (hashes_has_any))\n or (TargetFileIMPHASH has_any (hashes_has_any))\n or (TargetFileSHA256 has_any (hashes_has_any))\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmonWindowsEvent/vimFileEventMicrosoftSysmonWindowsEvent.json b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmonWindowsEvent/vimFileEventMicrosoftSysmonWindowsEvent.json index fba3fb1b98b..84fc3bad991 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmonWindowsEvent/vimFileEventMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmonWindowsEvent/vimFileEventMicrosoftSysmonWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File event ASIM filtering parser for Windows Sysmon", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoftSysmonWindowsEvent", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n //\n // -- WindowsEvent parser\n let WindowsEventParser=() {\n WindowsEvent \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | project\n EventID,\n EventData,\n Computer,\n TimeGenerated,\n _ResourceId,\n _SubscriptionId,\n Provider,\n Type,\n _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (11, 23, 26)\n | project-away Provider\n // pre-filtering\n | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (tostring(EventData.User) has_any 
(actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (tostring(EventData.TargetFilename) has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0)) and\n ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any))\n | extend \n TargetFileCreationTime=todatetime(EventData.CreationUtcTime),\n TargetFilePath=tostring(EventData.TargetFilename),\n ActingProcessName = tostring(EventData.Image),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = tostring(EventData.ProcessGuid),\n ActorUsername = tostring(EventData.User),\n EventStartTime = todatetime(EventData.UtcTime),\n RuleName = tostring(EventData.RuleName),\n Hashes = tostring(EventData.Hashes)\n | parse ActingProcessGuid with \"{\" ActingProcessGuid \"}\"\n | project-away EventData\n};\n WindowsEventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath, '\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5: string,\n SHA1: string,\n IMPHASH: string,\n SHA256: string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n // Filter for hash\n | where (array_length(hashes_has_any) == 0)\n or (TargetFileMD5 has_any (hashes_has_any))\n or (TargetFileSHA1 
has_any (hashes_has_any))\n or (TargetFileIMPHASH has_any (hashes_has_any))\n or (TargetFileSHA256 has_any (hashes_has_any))\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File event ASIM filtering parser for Windows Sysmon", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoftSysmonWindowsEvent", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n 
srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n //\n // -- WindowsEvent parser\n let WindowsEventParser=() {\n WindowsEvent \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | project\n EventID,\n EventData,\n Computer,\n TimeGenerated,\n _ResourceId,\n _SubscriptionId,\n Provider,\n Type,\n _ItemId \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (11, 23, 26)\n | project-away Provider\n // pre-filtering\n | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and\n (array_length(srcipaddr_has_any_prefix) == 0) and\n ((array_length(actorusername_has_any) == 0) or (tostring(EventData.User) has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (tostring(EventData.TargetFilename) has_any (targetfilepath_has_any))) and\n ((array_length(srcfilepath_has_any) == 0)) and\n ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any))\n | extend \n TargetFileCreationTime=todatetime(EventData.CreationUtcTime),\n TargetFilePath=tostring(EventData.TargetFilename),\n ActingProcessName = tostring(EventData.Image),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = tostring(EventData.ProcessGuid),\n ActorUsername = tostring(EventData.User),\n EventStartTime = todatetime(EventData.UtcTime),\n RuleName = tostring(EventData.RuleName),\n Hashes = tostring(EventData.Hashes)\n | parse ActingProcessGuid with \"{\" ActingProcessGuid \"}\"\n | project-away EventData\n};\n WindowsEventParser \n | project-rename\n DvcHostname = Computer,\n DvcScopeId = _SubscriptionId,\n DvcId = _ResourceId\n | extend\n EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 
'FileEvent',\n EventSchemaVersion = '0.2.1',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs='Windows',\n TargetFilePathType = 'Windows',\n DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n EventCount = int(1),\n EventEndTime = EventStartTime,\n EventOriginalType = tostring(EventID),\n TargetFileName = tostring(split(TargetFilePath, '\\\\')[-1]),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n RuleName = iff (RuleName == \"-\", \"\", RuleName),\n EventUid = _ItemId\n | parse-kv Hashes as (\n MD5: string,\n SHA1: string,\n IMPHASH: string,\n SHA256: string\n )\n | project-rename\n TargetFileMD5 = MD5,\n TargetFileSHA1 = SHA1,\n TargetFileIMPHASH = IMPHASH,\n TargetFileSHA256 = SHA256\n // Filter for hash\n | where (array_length(hashes_has_any) == 0)\n or (TargetFileMD5 has_any (hashes_has_any))\n or (TargetFileSHA1 has_any (hashes_has_any))\n or (TargetFileIMPHASH has_any (hashes_has_any))\n or (TargetFileSHA256 has_any (hashes_has_any))\n | extend\n Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH)\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])\n // -- Typed entity identifiers\n | extend\n ActorWindowsUsername = ActorUsername\n // -- Aliases\n | extend\n Process = ActingProcessName,\n Dvc = DvcHostname,\n FilePath = TargetFilePath,\n FileName = TargetFileName,\n User = ActorUsername\n | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + 
"version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftWindowsEvents/vimFileEventMicrosoftWindowsEvents.json b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftWindowsEvents/vimFileEventMicrosoftWindowsEvents.json index a09511b2307..ce529cc1540 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftWindowsEvents/vimFileEventMicrosoftWindowsEvents.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftWindowsEvents/vimFileEventMicrosoftWindowsEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM filtering parser for Microsoft Windows Events", - "category": "ASIM", - "FunctionAlias": "vimFileEventMicrosoftWindowsEvents", - "query": "let Parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"ObjectAccessed\"\n ,\n \"0x10\", \"MetadataModified\"\n ,\n \"0x100\", \"MetadataModified\"\n ,\n \"0x10000\", \"ObjectDeleted\"\n ,\n \"0x2\", \"ObjectModified\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x4\", \"ObjectModified\"\n ,\n \"0x40\", \"ObjectDeleted\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x6\", \"ObjectModified\"\n ,\n \"0x8\", \"MetadataAccessed\"\n ,\n \"0x80\", \"MetadataAccessed\"\n ,\n \"0x80000\", \"MetadataModified\"\n];\n let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \n let KnownSIDs = datatable (sid: string, username: 
string, type: string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\n WindowsEvent\n | where EventID == 4663 \n and EventData.ObjectType == \"File\"\n and EventData.ObjectName !startswith @\"\\Device\\\"\n | extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n | project\n TimeGenerated\n ,\n EventID,\n AccessMask = tostring(EventData.AccessMask)\n ,\n ProcessName = tostring(EventData.ProcessName)\n ,\n SubjectUserSid = tostring(EventData.SubjectUserSid)\n ,\n AccountType = tostring(EventData.AccountType)\n ,\n Computer = tostring(EventData.Computer)\n ,\n ObjectName = tostring(EventData.ObjectName)\n ,\n ProcessId = tostring(EventData.ProcessId)\n ,\n SubjectUserName = tostring(EventData.SubjectUserName)\n ,\n SubjectAccount = tostring(EventData.SubjectAccount)\n ,\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n ,\n HandleId = tostring(EventData.HandleId)\n ,\n Type\n | lookup EventTypeLookup on AccessMask\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n | lookup UserTypeLookup on AccountType\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActingProcessName = ProcessName\n ,\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n ,\n ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetFilePath = ObjectName\n ,\n TargetFilePathFormat = \"Windows Local\"\n ,\n ActingProcessId = tostring(toint(ProcessId))\n ,\n EventOriginalType = tostring(EventID)\n | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n | project-away EventID, ProcessId, AccountType, username\n | project-rename\n ActorUserId = SubjectUserSid\n ,\n DvcHostname = Computer\n ,\n Process = ProcessName\n ,\n FilePath = ObjectName\n ,\n ActorSessionId = SubjectLogonId\n ,\n FileSessionId = HandleId\n | extend\n EventSchema = 
\"FileEvent\"\n ,\n EventSchemaVersion = \"0.1.1\"\n ,\n EventResult = \"Success\"\n ,\n EventCount = int(1)\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Security Events'\n ,\n Dvc = DvcHostname\n ,\n ActorWindowsUsername = ActorUsername\n ,\n User = ActorUsername\n ,\n ActorUserSid = ActorUserId\n , ActorUserIdType=\"SID\"\n , TargetFilePathType=\"Windows Local\"\n | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM filtering parser for Microsoft Windows Events", + "category": "ASIM", + "FunctionAlias": "vimFileEventMicrosoftWindowsEvents", + "query": "let Parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n 
[\n \"0x1\", \"ObjectAccessed\"\n ,\n \"0x10\", \"MetadataModified\"\n ,\n \"0x100\", \"MetadataModified\"\n ,\n \"0x10000\", \"ObjectDeleted\"\n ,\n \"0x2\", \"ObjectModified\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x4\", \"ObjectModified\"\n ,\n \"0x40\", \"ObjectDeleted\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x6\", \"ObjectModified\"\n ,\n \"0x8\", \"MetadataAccessed\"\n ,\n \"0x80\", \"MetadataAccessed\"\n ,\n \"0x80000\", \"MetadataModified\"\n];\n let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n]; \n let KnownSIDs = datatable (sid: string, username: string, type: string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n];\n WindowsEvent\n | where EventID == 4663 \n and EventData.ObjectType == \"File\"\n and EventData.ObjectName !startswith @\"\\Device\\\"\n | extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n | project\n TimeGenerated\n ,\n EventID,\n AccessMask = tostring(EventData.AccessMask)\n ,\n ProcessName = tostring(EventData.ProcessName)\n ,\n SubjectUserSid = tostring(EventData.SubjectUserSid)\n ,\n AccountType = tostring(EventData.AccountType)\n ,\n Computer = tostring(EventData.Computer)\n ,\n ObjectName = tostring(EventData.ObjectName)\n ,\n ProcessId = tostring(EventData.ProcessId)\n ,\n SubjectUserName = tostring(EventData.SubjectUserName)\n ,\n SubjectAccount = tostring(EventData.SubjectAccount)\n ,\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n ,\n HandleId = tostring(EventData.HandleId)\n ,\n Type\n | lookup EventTypeLookup on AccessMask\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n | lookup UserTypeLookup on AccountType\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActingProcessName = ProcessName\n ,\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n ,\n ActorUsernameType = iff(SubjectUserName == '-', 
type, 'Windows')\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n TargetFilePath = ObjectName\n ,\n TargetFilePathFormat = \"Windows Local\"\n ,\n ActingProcessId = tostring(toint(ProcessId))\n ,\n EventOriginalType = tostring(EventID)\n | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n | project-away EventID, ProcessId, AccountType, username\n | project-rename\n ActorUserId = SubjectUserSid\n ,\n DvcHostname = Computer\n ,\n Process = ProcessName\n ,\n FilePath = ObjectName\n ,\n ActorSessionId = SubjectLogonId\n ,\n FileSessionId = HandleId\n | extend\n EventSchema = \"FileEvent\"\n ,\n EventSchemaVersion = \"0.1.1\"\n ,\n EventResult = \"Success\"\n ,\n EventCount = int(1)\n ,\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Security Events'\n ,\n Dvc = DvcHostname\n ,\n ActorWindowsUsername = ActorUsername\n ,\n User = ActorUsername\n ,\n ActorUserSid = ActorUserId\n , ActorUserIdType=\"SID\"\n , TargetFilePathType=\"Windows Local\"\n | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
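Review bot: The `vimFileEventMicrosoftWindowsEvents` query on the new side declares `disabled`, `starttime`, `endtime`, `targetfilepath_has_any`, `srcfilepath_has_any`, `hashes_has_any` and `dvchostname_has_any` but never references them in a `where`; only `eventtype_in` and `actorusername_has_any` actually filter rows. For a filtering (`vim`) parser this means a caller's time range or `disabled=true` is silently ignored, so the query appears to run against `WindowsEvent` with no time bound and returns rows the caller asked to exclude. The Sysmon parser in the previous hunk shows the expected shape directly after the table name: `| where not(disabled)` followed by `| where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)`, plus `has_any` guards on the path and hostname parameters. This template looks generated from the parser YAML (the convertKqlFunctionYamlToArmTemplate workflow touched in this change suggests so), so the fix belongs in that YAML and this file should be regenerated rather than edited by hand.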
diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventNative/vimFileEventNative.json b/Parsers/ASimFileEvent/ARM/vimFileEventNative/vimFileEventNative.json index b871fe55022..f4bf45c8390 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventNative/vimFileEventNative.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventNative/vimFileEventNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM filtering parser for Microsoft Sentinel native File Event table", - "category": "ASIM", - "FunctionAlias": "vimFileEventNative", - "query": "let parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimFileEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (TargetFileMD5 in (hashes_has_any)) or (TargetFileSHA1 in 
(hashes_has_any)) or (TargetFileSHA256 in (hashes_has_any)) or (TargetFileSHA512 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"FileEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n Url = TargetUrl,\n Application = TargetAppName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n )\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM filtering parser for Microsoft Sentinel native File Event table", + "category": "ASIM", + "FunctionAlias": "vimFileEventNative", + "query": "let parser=(\n starttime: datetime=datetime(null),\n 
endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimFileEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) and\n ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))) and \n ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and\n ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any))) and \n ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any))) and\n ((array_length(hashes_has_any) == 0) or (TargetFileMD5 in (hashes_has_any)) or (TargetFileSHA1 in (hashes_has_any)) or (TargetFileSHA256 in (hashes_has_any)) or (TargetFileSHA512 in (hashes_has_any))) and \n (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"FileEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n Url = TargetUrl,\n Application = TargetAppName\n | project-away\n 
TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n )\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventSentinelOne/vimFileEventSentinelOne.json b/Parsers/ASimFileEvent/ARM/vimFileEventSentinelOne/vimFileEventSentinelOne.json index f8c1cda8488..be0fe86895b 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventSentinelOne/vimFileEventSentinelOne.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventSentinelOne/vimFileEventSentinelOne.json 
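Review bot: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` in the aliases `extend` of `vimFileEventNative` tests the wrong column: when `EventEndTime` is null it overwrites a valid `EventStartTime` with `TimeGenerated`, and when only `EventStartTime` is null it leaves it null, so the start/end pair can come out inconsistent for anything that derives durations from them. The line should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime)`. Separately, the hash filter uses exact `in` (`TargetFileMD5 in (hashes_has_any)` and the SHA1/SHA256/SHA512 siblings), which is case-sensitive, whereas the Sysmon parser in an earlier hunk uses `has_any`; mixed-case hash input will miss rows here unless callers normalise case, so either apply `tolower()` on both sides or document the expected case in the parser description. This template looks generated from the parser YAML, so both fixes belong in that YAML and this file should be regenerated.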
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event ASIM filtering Parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimFileEventSentinelOne", - "query": "let GetWindowsFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet GetLinuxFilenamePart = (path: string) { tostring(split(path, @'/')[-1]) };\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"FILECREATION\", \"FileCreated\",\n \"FILEMODIFICATION\", \"FileModified\",\n \"FILEDELETION\", \"FileDeleted\",\n \"FILERENAME\", \"FileRenamed\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: 
dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let allFileData = SentinelOne_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0)\n and ((array_length(actorusername_has_any) == 0) or (sourceProcessInfo_user_s has_any (actorusername_has_any)))\n and ((array_length(targetfilepath_has_any) == 0) or (targetProcessInfo_tgtFilePath_s has_any (targetfilepath_has_any)))\n and ((array_length(srcfilepath_has_any) == 0) or (targetProcessInfo_tgtFileOldPath_s has_any (srcfilepath_has_any)))\n and ((array_length(hashes_has_any) == 0) or (targetProcessInfo_tgtFileHashSha1_s in (hashes_has_any)) or (targetProcessInfo_tgtFileHashSha256_s in (hashes_has_any)))\n and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any))\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in ('FILECREATION', 'FILEMODIFICATION', 'FILEDELETION', 'FILERENAME');\n let windowsFileData = allFileData\n | where agentDetectionInfo_osFamily_s == \"windows\"\n | extend\n TargetFilePathType = \"Windows Local\",\n TargetFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let otherFileData = allFileData\n | where agentDetectionInfo_osFamily_s != \"windows\"\n | extend\n TargetFilePathType = \"Unix\",\n TargetFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let parseddata = union windowsFileData, otherFileData\n | lookup EventTypeLookup on alertInfo_eventType_s\n | where 
((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)));\n let undefineddata = parseddata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n EventVendor = \"SentinelOne\",\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventCount = toint(1),\n DvcAction = \"Allowed\",\n ActorUsername = sourceProcessInfo_user_s\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessId = sourceProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n TargetFileCreationTime = targetProcessInfo_tgtFileCreatedAt_t,\n SrcFilePath = targetProcessInfo_tgtFileOldPath_s,\n TargetFilePath = targetProcessInfo_tgtFilePath_s,\n TargetFileSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetFileSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ThreatOriginalConfidence = 
ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n EventEndTime = EventStartTime,\n Rule = RuleName,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileSHA1)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(Hash) and isnotempty(TargetFileSHA1),\n \"TargetFileSHA1\",\n \"\"\n ) \n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n ThreatConfidence_*\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event ASIM filtering Parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimFileEventSentinelOne", + "query": "let GetWindowsFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet GetLinuxFilenamePart = (path: 
string) { tostring(split(path, @'/')[-1]) };\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"FILECREATION\", \"FileCreated\",\n \"FILEMODIFICATION\", \"FileModified\",\n \"FILEDELETION\", \"FileDeleted\",\n \"FILERENAME\", \"FileRenamed\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let allFileData = SentinelOne_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0)\n and ((array_length(actorusername_has_any) == 0) or (sourceProcessInfo_user_s has_any (actorusername_has_any)))\n and ((array_length(targetfilepath_has_any) == 0) or (targetProcessInfo_tgtFilePath_s has_any (targetfilepath_has_any)))\n and ((array_length(srcfilepath_has_any) == 0) or (targetProcessInfo_tgtFileOldPath_s has_any (srcfilepath_has_any)))\n and 
((array_length(hashes_has_any) == 0) or (targetProcessInfo_tgtFileHashSha1_s in (hashes_has_any)) or (targetProcessInfo_tgtFileHashSha256_s in (hashes_has_any)))\n and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any))\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in ('FILECREATION', 'FILEMODIFICATION', 'FILEDELETION', 'FILERENAME');\n let windowsFileData = allFileData\n | where agentDetectionInfo_osFamily_s == \"windows\"\n | extend\n TargetFilePathType = \"Windows Local\",\n TargetFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetWindowsFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let otherFileData = allFileData\n | where agentDetectionInfo_osFamily_s != \"windows\"\n | extend\n TargetFilePathType = \"Unix\",\n TargetFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFilePath_s),\n SrcFileName = GetLinuxFilenamePart(targetProcessInfo_tgtFileOldPath_s);\n let parseddata = union windowsFileData, otherFileData\n | lookup EventTypeLookup on alertInfo_eventType_s\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)));\n let undefineddata = parseddata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = parseddata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n EventVendor = \"SentinelOne\",\n EventProduct = \"SentinelOne\",\n 
EventResult = \"Success\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventCount = toint(1),\n DvcAction = \"Allowed\",\n ActorUsername = sourceProcessInfo_user_s\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessId = sourceProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n TargetFileCreationTime = targetProcessInfo_tgtFileCreatedAt_t,\n SrcFilePath = targetProcessInfo_tgtFileOldPath_s,\n TargetFilePath = targetProcessInfo_tgtFilePath_s,\n TargetFileSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetFileSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n EventEndTime = EventStartTime,\n Rule = RuleName,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileSHA1)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(Hash) and isnotempty(TargetFileSHA1),\n \"TargetFileSHA1\",\n \"\"\n ) \n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n 
ThreatConfidence_*\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json b/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json index 17adb843bed..74e15e76f99 100644 --- a/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json +++ b/Parsers/ASimFileEvent/ARM/vimFileEventVMwareCarbonBlackCloud/vimFileEventVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimFileEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "File Event Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimFileEventVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\n \"ACTION_FILE_CREATE\", \"FileCreated\",\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\n \"ACTION_FILE_LINK\", \"FileModified\",\n \"ACTION_FILE_READ\", \"FileAccessed\",\n \"ACTION_FILE_RENAME\", \"FileRenamed\",\n \"ACTION_FILE_WRITE\", \"FileModified\",\n \"ACTION_FILE_OPEN_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\n \"ACTION_FILE_MOD_OPEN\", \"FileAccessed\",\n 
\"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n targetfilepath_has_any: dynamic=dynamic([]), \n srcfilepath_has_any: dynamic=dynamic([]), \n hashes_has_any: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool=false\n ) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\n and action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\n | where array_length(srcfilepath_has_any) == 0\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or process_username_s has_any (actorusername_has_any))\n and (array_length(targetfilepath_has_any) == 0 or filemod_name_s has_any (targetfilepath_has_any))\n and (array_length(hashes_has_any) == 0 or filemod_hash_s has_any (hashes_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\n | lookup EventTypeLookup on action_s\n | extend EventType = case(\n isnotempty(EventType), EventType,\n temp_action has \"delete\", \"FileDeleted\",\n temp_action has \"link\", \"FileModified\",\n temp_action has \"rename\", \"FileRenamed\",\n temp_action has \"execute\", \"FileAccessed\",\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\n temp_action has \"truncate\", \"FileModified\",\n temp_action has 
\"write\", \"FileModified\",\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\n temp_action has \"create\", \"FileCreated\",\n \"\"\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetFilePathType = case(\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\n device_os_s == \"WINDOWS\", \"Windows Local\",\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\n \"\"\n ),\n ActingProcessId = tostring(toint(process_pid_d)),\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"process_publisher\", process_publisher_s,\n \"process_reputation\", process_reputation_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n TargetFilePath = filemod_name_s\n | extend \n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.2.1\",\n EventVendor = \"VMware\",\n EventCount = int(1),\n SrcIpAddr = DvcIpAddr\n | extend\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n 
DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(TargetFileMD5),\n \"TargetFileMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_action\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n actorusername_has_any=actorusername_has_any, \n targetfilepath_has_any=targetfilepath_has_any, \n srcfilepath_has_any=srcfilepath_has_any, \n hashes_has_any=hashes_has_any, \n dvchostname_has_any=dvchostname_has_any, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "File Event Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimFileEventVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet EventTypeLookup = datatable(action_s: string, EventType: string)[\n \"ACTION_FILE_CREATE\", \"FileCreated\",\n \"ACTION_FILE_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_LAST_WRITE\", \"FileModified\",\n \"ACTION_FILE_LINK\", \"FileModified\",\n \"ACTION_FILE_READ\", 
\"FileAccessed\",\n \"ACTION_FILE_RENAME\", \"FileRenamed\",\n \"ACTION_FILE_WRITE\", \"FileModified\",\n \"ACTION_FILE_OPEN_DELETE\", \"FileDeleted\",\n \"ACTION_FILE_OPEN_EXECUTE\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_SET_ATTRIBUTES\", \"FileAttributesUpdated\",\n \"ACTION_FILE_OPEN_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_SET_SECURITY\", \"FileAttributesUpdated\",\n \"ACTION_FILE_TRUNCATE\", \"FileModified\",\n \"ACTION_FILE_OPEN_WRITE\", \"FileModified\",\n \"ACTION_FILE_MOD_OPEN\", \"FileAccessed\",\n \"ACTION_FILE_OPEN_READ\", \"FileAccessed\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n targetfilepath_has_any: dynamic=dynamic([]), \n srcfilepath_has_any: dynamic=dynamic([]), \n hashes_has_any: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool=false\n ) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n | where eventType_s == \"endpoint.event.filemod\" and isnotempty(filemod_name_s)\n and action_s !in (\"ACTION_INVALID\", \"ACTION_FILE_UNDELETE\")\n | where array_length(srcfilepath_has_any) == 0\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or process_username_s has_any (actorusername_has_any))\n and (array_length(targetfilepath_has_any) == 0 or filemod_name_s has_any (targetfilepath_has_any))\n and (array_length(hashes_has_any) == 0 or filemod_hash_s has_any (hashes_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | parse filemod_hash_s with * '[\"' TargetFileMD5: string '\",\"' TargetFileSHA256: string '\"]'\n | lookup 
EventFieldsLookup on sensor_action_s\n | extend temp_action = iff(action_s has \"|\", action_s, \"\")\n | lookup EventTypeLookup on action_s\n | extend EventType = case(\n isnotempty(EventType), EventType,\n temp_action has \"delete\", \"FileDeleted\",\n temp_action has \"link\", \"FileModified\",\n temp_action has \"rename\", \"FileRenamed\",\n temp_action has \"execute\", \"FileAccessed\",\n temp_action has_any (\"attributes\", \"security\"), \"FileAttributesUpdated\",\n temp_action has \"truncate\", \"FileModified\",\n temp_action has \"write\", \"FileModified\",\n temp_action has_any (\"read\", \"open\"), \"FileAccessed\",\n temp_action has \"create\", \"FileCreated\",\n \"\"\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetFilePathType = case(\n device_os_s == \"WINDOWS\" and filemod_name_s startswith \"\\\\\", \"Windows Share\",\n device_os_s == \"WINDOWS\", \"Windows Local\",\n device_os_s in (\"MAC\", \"LINUX\"), \"Unix\",\n \"\"\n ),\n ActingProcessId = tostring(toint(process_pid_d)),\n TargetFileName = tostring(split(filemod_name_s, '\\\\')[-1]),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"process_publisher\", process_publisher_s,\n \"process_reputation\", process_reputation_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n TargetFilePath = filemod_name_s\n | extend \n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"FileEvent\",\n 
EventSchemaVersion = \"0.2.1\",\n EventVendor = \"VMware\",\n EventCount = int(1),\n SrcIpAddr = DvcIpAddr\n | extend\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Process = ActingProcessName,\n User = ActorUsername,\n Hash = coalesce(TargetFileSHA256, TargetFileMD5)\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n HashType = case(\n isnotempty(TargetFileSHA256),\n \"TargetFileSHA256\",\n isnotempty(TargetFileMD5),\n \"TargetFileMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n temp_action\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n actorusername_has_any=actorusername_has_any, \n targetfilepath_has_any=targetfilepath_has_any, \n srcfilepath_has_any=srcfilepath_has_any, \n hashes_has_any=hashes_has_any, \n dvchostname_has_any=dvchostname_has_any, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json index 2fd7557df8e..b88d559d872 100644 
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSession')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSession", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n \n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSecurityEventFirewall (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMerakiSyslog (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , 
ASimNetworkSessionMicrosoftSysmonWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , ASimNetworkSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSession", + "query": "let 
DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSecurityEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) 
)))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMerakiSyslog (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmonWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , ASimNetworkSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionIllumioSaaSCore (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionIllumioSaaSCore' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json index 80e2d8e5b37..71abd5f41a2 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json 
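Review bot: The new-side union in the `query` string lists `ASimNetworkSessionCiscoMeraki` twice (once right after `ASimNetworkSessionVectraAI`, again after `ASimNetworkSessionSentinelOne`), so every Meraki session is emitted twice by the unifying parser; the commit appends `ASimNetworkSessionIllumioSaaSCore` without removing the duplicate, and the second `, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` entry should be dropped. The watchlist key `'ExcludeASimNetworkSessionMD4IoTSSensor'` also breaks the `Exclude` + parser-name convention every other entry follows (the parser is `ASimNetworkSessionMD4IoTSensor`), so an operator who adds the expected key to the `ASimDisabledParsers` watchlist will not actually disable that source; unless the misspelt key is kept deliberately for compatibility it should read `'ExcludeASimNetworkSessionMD4IoTSensor'`. If this ARM template is generated from the parser YAML, both fixes belong in the YAML source so they survive the next regeneration.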
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionAWSVPC')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionAWSVPC", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for AWS VPC logs", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionAWSVPC", - "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 
70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n];\nlet DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n];\nlet ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n];\nlet parser = (disabled:bool=false){\nAWSVPCFlow | where not(disabled)\n| where LogStatus == \"OK\"\n| extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\"),\n EventSeverity = iff 
(Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n| lookup ProtocolLookup on Protocol\n| lookup ActionLookup on Action\n| lookup DirectionLookup on FlowDirection\n| project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n| project-away Action, AzId, Bytes, FlowDirection, InstanceId, Packets, Protocol, Region, SourceSystem, SublocationId, SublocationType, SubnetId, TcpFlags, TenantId, TrafficPath, Version\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for AWS VPC logs", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionAWSVPC", + "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 
29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n];\nlet 
DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n];\nlet ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n];\nlet parser = (disabled:bool=false){\nAWSVPCFlow | where not(disabled)\n| where LogStatus == \"OK\"\n| extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\"),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n| lookup ProtocolLookup on Protocol\n| lookup ActionLookup on Action\n| lookup DirectionLookup on FlowDirection\n| project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n| project-away Action, AzId, Bytes, FlowDirection, InstanceId, Packets, Protocol, Region, SourceSystem, SublocationId, SublocationType, SubnetId, TcpFlags, TenantId, TrafficPath, Version\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
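Review bot: `ProtocolLookup` on the new side carries two rows keyed 84 (`84,\"TTP\"` and `84,\"IPTM\"`), and `| lookup ProtocolLookup on Protocol` will join a flow with Protocol 84 against both rows, emitting it twice and double-counting `NetworkBytes`/`NetworkPackets` for that protocol. IANA registers both names for number 84, so collapse them into one row, e.g. `84,\"TTP/IPTM\",`, or keep just one. If this ARM template is generated from the parser YAML, the fix belongs in the YAML source rather than here.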
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json index e580604382d..824e0b9ab13 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionAppGateSDP')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionAppGateSDP", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for AppGate SDP", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionAppGateSDP", - "query": "let parser = (disabled:bool=false) \n{\n let DirectionLookup = datatable (direction:string, NetworkDirection:string) \n [\n 'up', 'Inbound',\n 'down', 'Outbound'\n ];\n let ActionLookup = datatable (DvcOriginalAction:string, DvcAction:string, EventSeverity:string, EventResult:string)\n [\n 'allow', 'Allow', 'Informational', 'Success',\n 'drop', 'Drop', 'Low', 'Failure',\n 'reject', 'Deny', 'Low', 'Failure',\n 'block', 'Deny', 'Low', 'Failure',\n 'block_report', 'Deny', 'Low', 'Failure',\n 'allow_report', 'Allow', 'Informational', 'Success'\n ];\n let tcpupd_success = Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"rule_name\"')\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n | project TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n 
'\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let tcpupd_fail = \n Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"drop-reason\"')\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n | project TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"drop-reason\":\"' EventOriginalResultDetails:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' *\n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let icmp_success = Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"protocol\":\"ICMP\"') \n | project 
TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"icmp_code\":' NetworkIcmpSubCode:int ',' *\n '\"icmp_type\":' NetworkIcmpCode:int ',' * \n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"version\":' EventProductVersion:string '}' *\n ;\n union tcpupd_success, tcpupd_fail, icmp_success \n | parse SyslogMessage with \n *\n '\"country_name\":\"' SrcGeoCountry:string '\",' *\n '\"lat\":' SrcGeoLatitude:real ',' * \n '\"lon\":' SrcGeoLongitude:real '}' *\n | parse SyslogMessage with \n *\n '\"city_name\":\"' SrcGeoCity:string '\",' *\n '\"region_name\":\"' SrcGeoRegion:string '\",' *\n | extend \n SrcDvcIdType = 'AppGateId',\n SrcUsernameType = 'UPN'\n // -- Event fields\n | project-rename \n DvcHostname = Computer\n | extend \n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventVendor = 'AppGate',\n EventProduct = 'SDP',\n EventType = 'NetworkSession'\n | lookup DirectionLookup on direction\n | lookup ActionLookup on DvcOriginalAction\n // -- Aliases\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n // -- Entity identifier explicit aliases\n 
SrcUserUpn = SrcUsername\n | project-away \n SyslogMessage, type, direction\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for AppGate SDP", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionAppGateSDP", + "query": "let parser = (disabled:bool=false) \n{\n let DirectionLookup = datatable (direction:string, NetworkDirection:string) \n [\n 'up', 'Inbound',\n 'down', 'Outbound'\n ];\n let ActionLookup = datatable (DvcOriginalAction:string, DvcAction:string, EventSeverity:string, EventResult:string)\n [\n 'allow', 'Allow', 'Informational', 'Success',\n 'drop', 'Drop', 'Low', 'Failure',\n 'reject', 'Deny', 'Low', 'Failure',\n 'block', 'Deny', 'Low', 'Failure',\n 'block_report', 'Deny', 'Low', 'Failure',\n 'allow_report', 'Allow', 'Informational', 'Success'\n ];\n let tcpupd_success = Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"rule_name\"')\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n | project TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' 
SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let tcpupd_fail = \n Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"drop-reason\"')\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n | project TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"drop-reason\":\"' EventOriginalResultDetails:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' *\n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let icmp_success = Syslog\n | where \n ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",\"ip_access\",'\"protocol\":\"ICMP\"') \n | project TimeGenerated, SyslogMessage, Computer\n | extend type = extract (@'\"event_type\"\\:\\\"(.*?)\\\"', 1, SyslogMessage)\n | where type == \"ip_access\"\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"direction\":\"' direction:string '\",' * \n 
'\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"icmp_code\":' NetworkIcmpSubCode:int ',' *\n '\"icmp_type\":' NetworkIcmpCode:int ',' * \n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"version\":' EventProductVersion:string '}' *\n ;\n union tcpupd_success, tcpupd_fail, icmp_success \n | parse SyslogMessage with \n *\n '\"country_name\":\"' SrcGeoCountry:string '\",' *\n '\"lat\":' SrcGeoLatitude:real ',' * \n '\"lon\":' SrcGeoLongitude:real '}' *\n | parse SyslogMessage with \n *\n '\"city_name\":\"' SrcGeoCity:string '\",' *\n '\"region_name\":\"' SrcGeoRegion:string '\",' *\n | extend \n SrcDvcIdType = 'AppGateId',\n SrcUsernameType = 'UPN'\n // -- Event fields\n | project-rename \n DvcHostname = Computer\n | extend \n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventVendor = 'AppGate',\n EventProduct = 'SDP',\n EventType = 'NetworkSession'\n | lookup DirectionLookup on direction\n | lookup ActionLookup on DvcOriginalAction\n // -- Aliases\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away \n SyslogMessage, type, direction\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
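Review bot: The `disabled` parameter declared on `let parser = (disabled:bool=false)` is never used inside the body: none of the `tcpupd_success`, `tcpupd_fail` or `icmp_success` branches filters `Syslog` with `| where not(disabled)`, so the flag the unifying parser passes from the `ASimDisabledParsers` watchlist has no effect and this source cannot be switched off. Add `| where not(disabled)` directly after `Syslog` in each of the three branches; the AWS VPC parser in this same commit shows the pattern with `AWSVPCFlow | where not(disabled)`. If this ARM template is generated from the parser YAML, the fix belongs in the YAML source.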
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json index 88c4d3e35ee..854d6af2ec9 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionAzureFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionAzureFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Azure Firewall logs", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionAzureFirewall", - "query": "let parser = (disabled:bool=false) {\n let AzureFirewallNetworkRuleLogs = \n AzureDiagnostics\n | where not(disabled)\n | where Category == \"AzureFirewallNetworkRule\"\n | where isnotempty(msg_s)\n | project msg_s, OperationName, SubscriptionId, ResourceId, TimeGenerated, Type, _ResourceId;\n let AzureFirewallSessionLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName in (\"AzureFirewallNetworkRuleLog\",\"AzureFirewallThreatIntelLog\")\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \". 
Action: \" DvcAction:string\n \".\" *\n | project-away msg_s\n | extend NetworkIcmpCode = iff(NetworkProtocol startswith \"ICMP\", toint(extract (\"type=(\\\\d+)\",1,NetworkProtocol)), int(null))\n | extend NetworkIcmpType = iff(isnotnull(NetworkIcmpCode), _ASIM_LookupICMPType(NetworkIcmpCode), \"\")\n | extend NetworkProtocol = iff(NetworkProtocol startswith \"ICMP\", \"ICMP\", NetworkProtocol)\n | extend EventSeverity = case (\n OperationName == \"AzureFirewallThreatIntelLog\", \"Medium\",\n DvcAction == \"Deny\", \"Low\",\n \"Informational\")\n | extend EventResult = iff(DvcAction == \"Allow\", \"Success\", \"Failure\")\n ;\n let AzureFirewallNATLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName == \"AzureFirewallNatRuleLog\"\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \" was DNAT'ed to \" DstNatIpAddr:string\n \":\" DstNatPortNumber:int\n | project-away msg_s\n | extend EventSeverity = \"Informational\"\n | extend EventResult = \"Success\"\n | extend DvcAction = \"Allow\"\n ;\n union AzureFirewallSessionLogs, AzureFirewallNATLogs\n | extend\n EventVendor=\"Microsoft\",\n EventProduct=\"Azure Firewall\",\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n DvcIdType = \"AzureResourceId\"\n | project-rename\n DvcSubscriptionId = SubscriptionId,\n DvcId = ResourceId\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Type,\n _ResourceId,\n TimeGenerated\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Azure Firewall logs", + "category": 
"ASIM", + "FunctionAlias": "ASimNetworkSessionAzureFirewall", + "query": "let parser = (disabled:bool=false) {\n let AzureFirewallNetworkRuleLogs = \n AzureDiagnostics\n | where not(disabled)\n | where Category == \"AzureFirewallNetworkRule\"\n | where isnotempty(msg_s)\n | project msg_s, OperationName, SubscriptionId, ResourceId, TimeGenerated, Type, _ResourceId;\n let AzureFirewallSessionLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName in (\"AzureFirewallNetworkRuleLog\",\"AzureFirewallThreatIntelLog\")\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \". Action: \" DvcAction:string\n \".\" *\n | project-away msg_s\n | extend NetworkIcmpCode = iff(NetworkProtocol startswith \"ICMP\", toint(extract (\"type=(\\\\d+)\",1,NetworkProtocol)), int(null))\n | extend NetworkIcmpType = iff(isnotnull(NetworkIcmpCode), _ASIM_LookupICMPType(NetworkIcmpCode), \"\")\n | extend NetworkProtocol = iff(NetworkProtocol startswith \"ICMP\", \"ICMP\", NetworkProtocol)\n | extend EventSeverity = case (\n OperationName == \"AzureFirewallThreatIntelLog\", \"Medium\",\n DvcAction == \"Deny\", \"Low\",\n \"Informational\")\n | extend EventResult = iff(DvcAction == \"Allow\", \"Success\", \"Failure\")\n ;\n let AzureFirewallNATLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName == \"AzureFirewallNatRuleLog\"\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \" was DNAT'ed to \" DstNatIpAddr:string\n \":\" DstNatPortNumber:int\n | project-away msg_s\n | extend EventSeverity = \"Informational\"\n | extend EventResult = \"Success\"\n | extend DvcAction = \"Allow\"\n ;\n union AzureFirewallSessionLogs, AzureFirewallNATLogs\n | extend\n EventVendor=\"Microsoft\",\n EventProduct=\"Azure Firewall\",\n 
EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSchemaVersion=\"0.2.2\",\n EventSchema=\"NetworkSession\",\n DvcIdType = \"AzureResourceId\"\n | project-rename\n DvcSubscriptionId = SubscriptionId,\n DvcId = ResourceId\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Type,\n _ResourceId,\n TimeGenerated\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json index 8bd17642f7a..1b96d84e2aa 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json 
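Review bot: The flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource no longer declares the parent workspace or a `dependsOn` on it, so the template now only adds a function to a workspace that must already exist, whereas the old nested form re-declared the workspace with `apiVersion` `2017-03-15-preview`, which a deployment would attempt to create or update; this is the right direction, but the new precondition is not documented anywhere in the hunk. Consider stating it in the `Workspace` parameter's `metadata.description` (the parameters block is outside this hunk), e.g. `"description": "Name of an existing Log Analytics workspace; this template only adds the saved search and does not create or modify the workspace."`. The same structural change, and the same missing note, applies to the AzureNSG, BarracudaCEF and BarracudaWAF hunks below. Separately, the `parse-where` pattern splits source and destination on `":"`, which presumably assumes IPv4 addresses in `msg_s`; worth confirming against IPv6 firewall log lines.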
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionAzureNSG')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionAzureNSG", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Azure NSG flows", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionAzureNSG", - "query": "let DvcActionLookup = datatable(FlowStatus_s:string, DvcAction:string, EventResult:string) [\n 'A', 'Allow', 'Success',\n 'D', 'Deny', 'Failure',\n];\nlet NetworkDirectionLookup = datatable(FlowDirection_s:string, NetworkDirection:string, isOutBound:bool) [\n 'I', 'Inbound', false,\n 'O', 'Outbound', true\n];\nlet NetworkProtocolLookup = datatable(L4Protocol_s:string, NetworkProtocol:string)[\n 'T', 'TCP',\n 'U', 'UDP'\n];\nlet parser = (disabled:bool=false) \n{\n let AzureNetworkAnalytics = (FlowDirection: string) {\n AzureNetworkAnalytics_CL\n | where not(disabled) and isnotempty(FlowType_s)\n | where FlowDirection == FlowDirection_s\n | lookup NetworkDirectionLookup on FlowDirection_s\n };\n let AzureNetworkAnalyticsInbound =\n AzureNetworkAnalytics ('I')\n | where not(isOutBound)\n | project-rename\n DstMacAddr = MACAddress_s\n | extend\n DstBytes = tolong(OutboundBytes_d), // -- size fields seem not to be populated for inbound\n DstPackets = tolong(OutboundPackets_d),\n SrcBytes = tolong(InboundBytes_d),\n SrcPackets = tolong(InboundPackets_d),\n SrcInterfaceName = tostring(split(NIC_s, '/')[1]),\n SrcGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM2_s,'/')\n 
| extend \n DstFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n DstHostname = tostring(hostelements[1]),\n DstDomain = tostring(hostelements[0]),\n DstDomainType = \"ResourceGroup\"\n | extend Hostname = DstHostname\n | project-away hostelements, isOutBound\n ; \n let AzureNetworkAnalyticsOutbound =\n AzureNetworkAnalytics ('O')\n | where isOutBound\n | project-rename\n SrcMacAddr = MACAddress_s\n | extend\n SrcBytes = tolong(OutboundBytes_d), \n SrcPackets = tolong(OutboundPackets_d),\n DstBytes = tolong(InboundBytes_d),\n DstPackets = tolong(InboundPackets_d),\n DstInterfaceName = tostring(split(NIC_s, '/')[1]),\n DstGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM1_s,'/')\n | extend \n SrcFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n SrcHostname = tostring(hostelements[1]),\n SrcDomain = tostring(hostelements[0]),\n SrcDomainType = \"ResourceGroup\"\n | extend Hostname = SrcHostname\n | project-away hostelements, isOutBound\n ;\n union AzureNetworkAnalyticsInbound, AzureNetworkAnalyticsOutbound\n | project-rename\n Dvc = NSGList_s,\n DvcSubscriptionId = Subscription_g,\n EventEndTime = FlowEndTime_t,\n EventStartTime = FlowStartTime_t,\n NetworkApplicationProtocol = L7Protocol_s,\n NetworkRuleName = NSGRule_s,\n NetworkSessionId = ConnectionName_s,\n EventOriginalSubType = FlowType_s\n | extend\n DstPortNumber = toint(DestPort_d),\n EventProduct = 'NSGFlow',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational', //??\n EventType = 'Flow',\n EventVendor = 'Microsoft',\n EventCount = toint(AllowedInFlows_d+DeniedInFlows_d+AllowedOutFlows_d+DeniedOutFlows_d),\n NetworkDuration = toint((((EventEndTime - datetime(1970-01-01)) / 1s) - ((EventStartTime - datetime(1970-01-01)) / 1s )) * 1000),\n Rule = NetworkRuleName,\n SessionId = NetworkSessionId\n | lookup DvcActionLookup on FlowStatus_s\n | extend \n DstIpAddr = iff(isnotempty(DestIP_s),\n DestIP_s,\n split(DestPublicIPs_s, 
'|')[0]),\n Duration = NetworkDuration,\n NetworkBytes = tolong(DstBytes + SrcBytes),\n NetworkPackets = tolong(DstPackets + SrcPackets),\n SrcIpAddr = iff(isnotempty(SrcIP_s),\n SrcIP_s,\n split(SrcPublicIPs_s, '|')[0])\n | extend\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | lookup NetworkProtocolLookup on L4Protocol_s\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Hostname,\n Type,\n Duration,\n SessionId,\n _ResourceId,\n TimeGenerated\n | project-away *_s\n };\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Azure NSG flows", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionAzureNSG", + "query": "let DvcActionLookup = datatable(FlowStatus_s:string, DvcAction:string, EventResult:string) [\n 'A', 'Allow', 'Success',\n 'D', 'Deny', 'Failure',\n];\nlet NetworkDirectionLookup = datatable(FlowDirection_s:string, NetworkDirection:string, isOutBound:bool) [\n 'I', 'Inbound', false,\n 'O', 'Outbound', true\n];\nlet NetworkProtocolLookup = datatable(L4Protocol_s:string, NetworkProtocol:string)[\n 'T', 'TCP',\n 'U', 'UDP'\n];\nlet parser = (disabled:bool=false) \n{\n let AzureNetworkAnalytics = (FlowDirection: string) {\n AzureNetworkAnalytics_CL\n | where not(disabled) and isnotempty(FlowType_s)\n | where FlowDirection == FlowDirection_s\n | lookup NetworkDirectionLookup on FlowDirection_s\n };\n let AzureNetworkAnalyticsInbound =\n AzureNetworkAnalytics ('I')\n | where not(isOutBound)\n | project-rename\n DstMacAddr = MACAddress_s\n | extend\n DstBytes = tolong(OutboundBytes_d), // -- size fields seem not to be populated for inbound\n DstPackets = tolong(OutboundPackets_d),\n SrcBytes = tolong(InboundBytes_d),\n SrcPackets = tolong(InboundPackets_d),\n SrcInterfaceName = tostring(split(NIC_s, '/')[1]),\n SrcGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM2_s,'/')\n | 
extend \n DstFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n DstHostname = tostring(hostelements[1]),\n DstDomain = tostring(hostelements[0]),\n DstDomainType = \"ResourceGroup\"\n | extend Hostname = DstHostname\n | project-away hostelements, isOutBound\n ; \n let AzureNetworkAnalyticsOutbound =\n AzureNetworkAnalytics ('O')\n | where isOutBound\n | project-rename\n SrcMacAddr = MACAddress_s\n | extend\n SrcBytes = tolong(OutboundBytes_d), \n SrcPackets = tolong(OutboundPackets_d),\n DstBytes = tolong(InboundBytes_d),\n DstPackets = tolong(InboundPackets_d),\n DstInterfaceName = tostring(split(NIC_s, '/')[1]),\n DstGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM1_s,'/')\n | extend \n SrcFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n SrcHostname = tostring(hostelements[1]),\n SrcDomain = tostring(hostelements[0]),\n SrcDomainType = \"ResourceGroup\"\n | extend Hostname = SrcHostname\n | project-away hostelements, isOutBound\n ;\n union AzureNetworkAnalyticsInbound, AzureNetworkAnalyticsOutbound\n | project-rename\n Dvc = NSGList_s,\n DvcSubscriptionId = Subscription_g,\n EventEndTime = FlowEndTime_t,\n EventStartTime = FlowStartTime_t,\n NetworkApplicationProtocol = L7Protocol_s,\n NetworkRuleName = NSGRule_s,\n NetworkSessionId = ConnectionName_s,\n EventOriginalSubType = FlowType_s\n | extend\n DstPortNumber = toint(DestPort_d),\n EventProduct = 'NSGFlow',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational', //??\n EventType = 'Flow',\n EventVendor = 'Microsoft',\n EventCount = toint(AllowedInFlows_d+DeniedInFlows_d+AllowedOutFlows_d+DeniedOutFlows_d),\n NetworkDuration = toint((((EventEndTime - datetime(1970-01-01)) / 1s) - ((EventStartTime - datetime(1970-01-01)) / 1s )) * 1000),\n Rule = NetworkRuleName,\n SessionId = NetworkSessionId\n | lookup DvcActionLookup on FlowStatus_s\n | extend \n DstIpAddr = iff(isnotempty(DestIP_s),\n DestIP_s,\n split(DestPublicIPs_s, 
'|')[0]),\n Duration = NetworkDuration,\n NetworkBytes = tolong(DstBytes + SrcBytes),\n NetworkPackets = tolong(DstPackets + SrcPackets),\n SrcIpAddr = iff(isnotempty(SrcIP_s),\n SrcIP_s,\n split(SrcPublicIPs_s, '|')[0])\n | extend\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | lookup NetworkProtocolLookup on L4Protocol_s\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Hostname,\n Type,\n Duration,\n SessionId,\n _ResourceId,\n TimeGenerated\n | project-away *_s\n };\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json index daabd50fc78..01205397b47 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json 
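Review bot: `EventSeverity = 'Informational', //??` hard-codes the severity for every flow, including those with `FlowStatus_s == 'D'` that `DvcActionLookup` maps to `Deny`/`Failure` two pipes later, and the `//??` marker left in the shipped query shows the mapping was never settled. The Azure Firewall parser in this same commit assigns `Low` to denied traffic, so for consistency this could read `EventSeverity = iff(FlowStatus_s == 'D', 'Low', 'Informational'),` (FlowStatus_s is still present at that point; `*_s` columns are only dropped at the end) with the `//??` comment removed. The `NetworkDuration` expression that converts both timestamps to Unix seconds and multiplies by 1000 can be written as `NetworkDuration = toint((EventEndTime - EventStartTime) / 1ms),` with the same result. The query text is re-emitted unchanged from the old side, so these issues predate the commit.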
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionBarracudaCEF", - "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\",\n 1, \"High\",\n 2, \"High\",\n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\",\n 6, \"Informational\",\n 7, \"Informational\"\n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", 
\"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"NF\"\n | extend\n severity = toint(LogSeverity)\n | lookup EventResultLookup on $left.DeviceAction == $right.ActionID_s\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on $left.Protocol == $right.Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n DvcIpAddr = DestinationIP,\n DstPortNumber = toint(DestinationPort),\n SrcPortNumber = toint(SourcePort),\n EventUid = _ItemId,\n EventProductVersion = DeviceVersion\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,CollectorHostName;\nBarracudaCEF\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": 
"disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionBarracudaCEF", + "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\",\n 1, \"High\",\n 2, \"High\",\n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\",\n 6, \"Informational\",\n 7, \"Informational\"\n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"NF\"\n | extend\n severity = toint(LogSeverity)\n | lookup EventResultLookup on $left.DeviceAction == $right.ActionID_s\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on $left.Protocol == $right.Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = 
\"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n DvcIpAddr = DestinationIP,\n DstPortNumber = toint(DestinationPort),\n SrcPortNumber = toint(SourcePort),\n EventUid = _ItemId,\n EventProductVersion = DeviceVersion\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,CollectorHostName;\nBarracudaCEF\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json index bf18db4f28a..b02adbf39fe 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json 
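Review bot: `"displayName": "Network Session ASIM parser for Barracuda WAF"` is identical to the displayName of the separate ASimNetworkSessionBarracudaWAF function in the next hunk, so the two saved searches cannot be told apart in the workspace function list; this one reads `CommonSecurityLog` and should say so, e.g. `"displayName": "Network Session ASIM parser for Barracuda WAF (CEF)"`. In the query, `let barracudaSchema = datatable(...)[]` is declared but never referenced — the parser body filters `CommonSecurityLog` directly and unions nothing — so it looks like a leftover from the custom-log parser and can be dropped. Both points are on lines the commit re-emits unchanged.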
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionBarracudaWAF", - "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\",\n 1, \"High\",\n 2, \"High\",\n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\",\n 6, \"Informational\",\n 7, \"Informational\"\n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", 
\"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and LogType_s == \"NF\"\n | extend\n severity = toint(Severity_s)\n | lookup EventResultLookup on ActionID_s\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n DstIpAddr = DestinationIP_s,\n SrcIpAddr = SourceIP,\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n DstPortNumber = toint(DestinationPort_d),\n SrcPortNumber = toint(SourcePort_d),\n EventUid = _ItemId,\n EventProductVersion = DeviceVersion_s\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\nBarracudaCustom\n };\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionBarracudaWAF", + "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: 
string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\",\n 1, \"High\",\n 2, \"High\",\n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\",\n 6, \"Informational\",\n 7, \"Informational\"\n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and LogType_s == \"NF\"\n | extend\n severity = toint(Severity_s)\n | lookup EventResultLookup on ActionID_s\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n DstIpAddr = DestinationIP_s,\n SrcIpAddr = SourceIP,\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n DstPortNumber = toint(DestinationPort_d),\n SrcPortNumber = toint(SourcePort_d),\n EventUid = _ItemId,\n EventProductVersion = DeviceVersion_s\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_d,\n *_s,\n 
_ResourceId,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\nBarracudaCustom\n };\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json index 6a27ceb12cb..a70c80413cf 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json 
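Review bot: `lookup EventResultLookup on ActionID_s`, `lookup SeverityLookup on severity` and `lookup ProtocolLookup on Protocol_s` are left-outer by default, so a row whose `ActionID_s` is not exactly `ALLOW`/`DENY`, whose `Severity_s` does not parse to 0–7, or whose `Protocol_s` is not in the table comes out with empty `EventResult`, `DvcAction`, `EventSeverity` or `NetworkProtocol`, and nothing later in the query fills those in. Whether that is acceptable depends on what the appliance actually emits, which is not visible here; if other values are possible, a fallback after the lookups such as `| extend EventResult = coalesce(EventResult, 'NA'), EventSeverity = coalesce(EventSeverity, 'Informational')` would keep the mandatory fields populated. The BarracudaCEF hunk above uses the same lookup pattern and has the same gap.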
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCheckPointFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCheckPointFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Check Point Firewall", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCheckPointFirewall", - "query": "let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)\n [\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , 
\"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , 
\"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"];\n let DirectionLookup=datatable(conn_direction:string,NetworkDirection:string)\n [\n \"Incoming\",\"Inbound\", \n \"Outgoing\",\"Outbound\", \n \"Internal\",\"Local\"];\n let ActionLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Accept\",\"Allow\",\"Success\",\"Informational\",\n \"Allow\",\"Allow\",\"Success\",\"Informational\",\n \"Drop\",\"Drop\",\"Failure\",\"Low\",\n \"Reject\",\"Deny\",\"Failure\",\"Low\",\n \"Encrypt\",\"Encrypt\",\"Success\",\"Informational\",\n \"Decrypt\",\"Decrypt\",\"Success\",\"Informational\",\n \"Bypass\",\"Allow\",\"Success\",\"Informational\",\n \"Block\",\"Deny\",\"Failure\",\"Low\",\n \"\",\"\",\"NA\",\"Informational\"\n ];\n let NWParser=(disabled:bool=false)\n {\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor==\"Check Point\" and DeviceProduct==\"VPN-1 & FireWall-1\"\n | lookup ActionLookup on DeviceAction\n | lookup ProtocolLookup on Protocol\n | extend \n EventProduct = \"Firewall\",\n EventCount = toint(1),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\"\n | parse-kv AdditionalExtensions as (\n rule_uid:string,\n loguid:string,\n origin:string,\n originsicname:string,\n inzone:string,\n outzone:string,\n conn_direction:string,\n alert:string,\n inspection_category:string,\n inspection_item:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n ThreatCategory = coalesce(alert, inspection_category),\n NetworkRuleName = coalesce(DeviceCustomString2, rule_uid, Activity),\n EventStartTime = TimeGenerated\n | parse originsicname with \"CN\\\\=\" DvcHostname \",\" *\n | project-rename\n Dvc = origin, \n EventOriginalUid = loguid,\n ThreatName = inspection_item,\n EventVendor = DeviceVendor,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n 
SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventOriginalSeverity = LogSeverity,\n Rule = NetworkRuleName,\n DvcOriginalAction = DeviceAction,\n DstAppName = Activity,\n EventMessage = Message\n | lookup DirectionLookup on conn_direction\n | extend \n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n NetworkDirection = case(\n isnotempty(NetworkDirection), NetworkDirection,\n inzone == \"Internal\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Local\",\n (inzone == \"Internal\" or inzone == \"Local\") and outzone == \"External\", \"Outbound\",\n inzone == \"External\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Inbound\",\n CommunicationDirection == \"0\", \"Inbound\",\n CommunicationDirection == \"1\", \"Outbound\",\n \"\"\n ),\n EventSeverity = iif(isnotempty(ThreatCategory),\"High\",EventSeverity),\n NetworkIcmpType = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n ),\n NetworkIcmpCode = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber3\", long(null))),\n toint(column_ifexists(\"DeviceCustomNumber3\",long(null)))\n )\n | project-away ApplicationProtocol, AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, ReportReferenceLink, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, rule_uid, originsicname, inzone, outzone, alert, conn_direction, inspection_category, ExtID, EventOutcome, FieldDevice*, Reason\n };\n NWParser (disabled=disabled)", - 
"version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Check Point Firewall", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCheckPointFirewall", + "query": "let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)\n [\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , 
\"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"];\n let DirectionLookup=datatable(conn_direction:string,NetworkDirection:string)\n [\n \"Incoming\",\"Inbound\", \n \"Outgoing\",\"Outbound\", \n \"Internal\",\"Local\"];\n let ActionLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Accept\",\"Allow\",\"Success\",\"Informational\",\n \"Allow\",\"Allow\",\"Success\",\"Informational\",\n \"Drop\",\"Drop\",\"Failure\",\"Low\",\n 
\"Reject\",\"Deny\",\"Failure\",\"Low\",\n \"Encrypt\",\"Encrypt\",\"Success\",\"Informational\",\n \"Decrypt\",\"Decrypt\",\"Success\",\"Informational\",\n \"Bypass\",\"Allow\",\"Success\",\"Informational\",\n \"Block\",\"Deny\",\"Failure\",\"Low\",\n \"\",\"\",\"NA\",\"Informational\"\n ];\n let NWParser=(disabled:bool=false)\n {\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor==\"Check Point\" and DeviceProduct==\"VPN-1 & FireWall-1\"\n | lookup ActionLookup on DeviceAction\n | lookup ProtocolLookup on Protocol\n | extend \n EventProduct = \"Firewall\",\n EventCount = toint(1),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\"\n | parse-kv AdditionalExtensions as (\n rule_uid:string,\n loguid:string,\n origin:string,\n originsicname:string,\n inzone:string,\n outzone:string,\n conn_direction:string,\n alert:string,\n inspection_category:string,\n inspection_item:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n ThreatCategory = coalesce(alert, inspection_category),\n NetworkRuleName = coalesce(DeviceCustomString2, rule_uid, Activity),\n EventStartTime = TimeGenerated\n | parse originsicname with \"CN\\\\=\" DvcHostname \",\" *\n | project-rename\n Dvc = origin, \n EventOriginalUid = loguid,\n ThreatName = inspection_item,\n EventVendor = DeviceVendor,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventOriginalSeverity = LogSeverity,\n Rule = NetworkRuleName,\n DvcOriginalAction = DeviceAction,\n DstAppName = Activity,\n EventMessage = Message\n | lookup DirectionLookup on conn_direction\n | extend \n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dst = DstIpAddr,\n Src = 
SrcIpAddr,\n NetworkDirection = case(\n isnotempty(NetworkDirection), NetworkDirection,\n inzone == \"Internal\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Local\",\n (inzone == \"Internal\" or inzone == \"Local\") and outzone == \"External\", \"Outbound\",\n inzone == \"External\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Inbound\",\n CommunicationDirection == \"0\", \"Inbound\",\n CommunicationDirection == \"1\", \"Outbound\",\n \"\"\n ),\n EventSeverity = iif(isnotempty(ThreatCategory),\"High\",EventSeverity),\n NetworkIcmpType = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n ),\n NetworkIcmpCode = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber3\", long(null))),\n toint(column_ifexists(\"DeviceCustomNumber3\",long(null)))\n )\n | project-away ApplicationProtocol, AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, ReportReferenceLink, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, rule_uid, originsicname, inzone, outzone, alert, conn_direction, inspection_category, ExtID, EventOutcome, FieldDevice*, Reason\n };\n NWParser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json index eaed5f9d603..be433d84792 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCiscoASA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCiscoASA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco ASA", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCiscoASA", - "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with 
reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. 
An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and 
not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername 
\"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can 
have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * 
totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = 
iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range 
Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n 
\"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco ASA", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCiscoASA", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 
'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing 
connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , 
\"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , 
\"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n 
\"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse 
Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * 
\":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional 
here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" 
from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername 
\")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let 
externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in 
(externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
index fd48752c1d3..5ba457c5767 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCiscoFirepower')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCiscoFirepower", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco Firepower", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCiscoFirepower", - "query": "let ActionLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"Blocked\", \"Deny\", \"Failure\",\n \"Alerted\", \"Allow\", \"Success\",\n \"Rewritten\", \"Allow\", \"Success\",\n \"Would be Rewritten\", \"Allow\", \"Partial\",\n \"Would be Blocked\", \"Deny\", \"Partial\",\n \"Would Be Blocked\", \"Deny\", \"Partial\",\n \"Dropped\", \"Drop\", \"Failure\",\n \"Would be Dropped\", \"Drop\", \"Partial\",\n \"Partially Dropped\", \"Drop\", \"Partial\",\n \"Would be Block\", \"Deny\", \"Partial\",\n \"Partial Blocked\", \"Deny\", \"Partial\",\n \"Rejected\", \"Deny\", \"Failure\",\n \"Would be Rejected\", \"Deny\", \"Partial\",\n \"Would Rejected\", \"Deny\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Partial Block\", \"Deny\", \"Partial\",\n \"Drop\", \"Drop\", \"Failure\",\n \"Would Drop\", \"Drop\", \"Partial\",\n \"Reject\", \"Deny\", \"Failure\",\n \"Rewrite\", \"Allow\", \"Success\",\n \"Allow\", \"Allow\", \"Success\",\n \"Monitor\", \"Allow\", \"Success\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n 
\"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\n [\n \"N/A\", \"NA\",\n \"IP Block\", \"Terminated\",\n \"IP Monitor\", \"Unknown\",\n \"User Bypass\", \"Unknown\",\n \"File Monitor\", \"Unknown\",\n \"File Block\", \"Terminated\",\n \"Intrusion Monitor\", \"Unknown\",\n \"Intrusion Block\", \"Terminated\",\n \"File Resume Block\", \"Terminated\",\n \"File Resume Allow\", \"Unknown\",\n \"File Custom Detection\", \"Unknown\"\n];\nlet parser = (disabled: bool=false) {\n let AllLogs = CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID has_any(\"INTRUSION:400\", \"PV:112\", \"RNA:1003:1\")\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\n let Connection_Statistics_Events = AllLogs\n | where DeviceEventClassID has \"RNA:1003:1\"\n | parse-kv AdditionalExtensions as (\n start: long,\n end: long,\n bytesIn: long,\n bytesOut: long,\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | lookup EventResultDetailsLookup on Reason\n | extend\n SrcBytes = bytesIn,\n DstBytes = bytesOut,\n EventOriginalResultDetails = Reason,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"instanceID\", ProcessID,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Intrusion_Events = AllLogs\n | where DeviceEventClassID has \"INTRUSION:400\"\n | parse-kv AdditionalExtensions as (\n start: long\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | extend \n EventMessage = Activity,\n ThreatCategory = DeviceEventCategory,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"ipspolicy\", 
DeviceCustomString5,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Policy_Violation_Events = AllLogs\n | where DeviceEventClassID has \"PV:112\"\n | extend\n EventMessage = Message,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\n | project-rename DstUsername = DestinationUserName\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\");\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\n | extend\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\n NetworkIcmpCode = iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), \"\"),\n SrcZone = DeviceCustomString3,\n DstZone = DeviceCustomString4\n | lookup ActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\n SrcVlanId = tostring(DeviceCustomNumber1)\n | extend\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\",\n DstIpAddr contains \":\",\n \"IPv6\",\n \"\"\n )\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | invoke 
_ASIM_ResolveDstFQDN('DestinationDnsDomain')\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventCount = int(1)\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n SrcUsername = SourceUserName,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n EventOriginalSeverity = LogSeverity,\n DvcId = DeviceExternalID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventProductVersion = DeviceVersion,\n EventOriginalUid = ExtID,\n NetworkRuleName = DeviceCustomString2,\n EventUid = _ItemId,\n DvcOriginalAction = DeviceAction\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DvcIdType = \"Other\"\n | extend \n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = coalesce(DvcIpAddr, DvcHostname),\n Rule = NetworkRuleName,\n User = SrcUsername,\n Hostname = DstHostname\n | project-away\n bytesIn,\n bytesOut,\n start,\n end,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n ProcessID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n ThreatConfidence,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n Ip_*,\n host,\n NetworkProtocolNumber\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco Firepower", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCiscoFirepower", + "query": "let ActionLookup = datatable(\n 
DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"Blocked\", \"Deny\", \"Failure\",\n \"Alerted\", \"Allow\", \"Success\",\n \"Rewritten\", \"Allow\", \"Success\",\n \"Would be Rewritten\", \"Allow\", \"Partial\",\n \"Would be Blocked\", \"Deny\", \"Partial\",\n \"Would Be Blocked\", \"Deny\", \"Partial\",\n \"Dropped\", \"Drop\", \"Failure\",\n \"Would be Dropped\", \"Drop\", \"Partial\",\n \"Partially Dropped\", \"Drop\", \"Partial\",\n \"Would be Block\", \"Deny\", \"Partial\",\n \"Partial Blocked\", \"Deny\", \"Partial\",\n \"Rejected\", \"Deny\", \"Failure\",\n \"Would be Rejected\", \"Deny\", \"Partial\",\n \"Would Rejected\", \"Deny\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Partial Block\", \"Deny\", \"Partial\",\n \"Drop\", \"Drop\", \"Failure\",\n \"Would Drop\", \"Drop\", \"Partial\",\n \"Reject\", \"Deny\", \"Failure\",\n \"Rewrite\", \"Allow\", \"Success\",\n \"Allow\", \"Allow\", \"Success\",\n \"Monitor\", \"Allow\", \"Success\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\n [\n \"N/A\", \"NA\",\n \"IP Block\", \"Terminated\",\n \"IP Monitor\", \"Unknown\",\n \"User Bypass\", \"Unknown\",\n \"File Monitor\", \"Unknown\",\n \"File Block\", \"Terminated\",\n \"Intrusion Monitor\", \"Unknown\",\n \"Intrusion Block\", \"Terminated\",\n \"File Resume Block\", \"Terminated\",\n \"File Resume Allow\", \"Unknown\",\n \"File Custom Detection\", \"Unknown\"\n];\nlet parser = (disabled: bool=false) {\n let AllLogs = CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID has_any(\"INTRUSION:400\", 
\"PV:112\", \"RNA:1003:1\")\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\n let Connection_Statistics_Events = AllLogs\n | where DeviceEventClassID has \"RNA:1003:1\"\n | parse-kv AdditionalExtensions as (\n start: long,\n end: long,\n bytesIn: long,\n bytesOut: long,\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | lookup EventResultDetailsLookup on Reason\n | extend\n SrcBytes = bytesIn,\n DstBytes = bytesOut,\n EventOriginalResultDetails = Reason,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"instanceID\", ProcessID,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Intrusion_Events = AllLogs\n | where DeviceEventClassID has \"INTRUSION:400\"\n | parse-kv AdditionalExtensions as (\n start: long\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | extend \n EventMessage = Activity,\n ThreatCategory = DeviceEventCategory,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"ipspolicy\", DeviceCustomString5,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Policy_Violation_Events = AllLogs\n | where DeviceEventClassID has \"PV:112\"\n | extend\n EventMessage = Message,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\n | project-rename DstUsername = DestinationUserName\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\");\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\n | extend\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\n NetworkIcmpCode = iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), 
\"\"),\n SrcZone = DeviceCustomString3,\n DstZone = DeviceCustomString4\n | lookup ActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\n SrcVlanId = tostring(DeviceCustomNumber1)\n | extend\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\",\n DstIpAddr contains \":\",\n \"IPv6\",\n \"\"\n )\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | invoke _ASIM_ResolveDstFQDN('DestinationDnsDomain')\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventCount = int(1)\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n SrcUsername = SourceUserName,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n EventOriginalSeverity = LogSeverity,\n DvcId = DeviceExternalID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventProductVersion = DeviceVersion,\n EventOriginalUid = ExtID,\n NetworkRuleName = DeviceCustomString2,\n EventUid = _ItemId,\n DvcOriginalAction = DeviceAction\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DvcIdType = \"Other\"\n | extend \n IpAddr = SrcIpAddr,\n InnerVlanId = 
SrcVlanId,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = coalesce(DvcIpAddr, DvcHostname),\n Rule = NetworkRuleName,\n User = SrcUsername,\n Hostname = DstHostname\n | project-away\n bytesIn,\n bytesOut,\n start,\n end,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n ProcessID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n ThreatConfidence,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n Ip_*,\n host,\n NetworkProtocolNumber\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json index 21147034153..991d5fe7c6f 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json 
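Review bot: The `Ip_device` regex in the new-side query is unanchored, so any `DeviceName` that merely contains a dotted quad (a hostname like `fw-10.0.0.1.corp`, constructed example) is copied wholesale into `DvcIpAddr`, `DeviceName` is blanked, and the bad value then flows into `host`, `DvcIpAddr` and `Dvc`. Anchor the pattern so only a bare IPv4 literal qualifies, at KQL level `DeviceName matches regex "^([0-9]{1,3}\\.){3}[0-9]{1,3}$"` (escaped once more inside the JSON string). The KQL itself is unchanged by this commit, which only flattens the resource to `workspaces/savedSearches`; if this ARM template is regenerated from the parser YAML, the fix belongs in that source rather than here.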
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: string,\nEventResult: string,\nDvcAction: string,\nEventResultDetails: string,\nEventSubType: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nEventMessage: string,\nEventOriginalResultDetails: string\n)[\n\"60188\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"INFO\", \"Low\", \"An attempted SSH connection has failed\", \"An attempted SSH connection has failed\",\n\"60234\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"The SXP connection has been disconnected\", \"The SXP connection has been disconnected\",\n\"60235\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"SXP connection succeeded\", \"SXP connection succeeded\",\n\"60236\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"SXP connection failed\", \"SXP connection failed\",\n\"61010\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"ISE has established connection to APIC\", \"ISE has established connection to APIC\",\n\"61011\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"ISE was disconnected from APIC\", \"ISE was disconnected from 
APIC\",\n\"61025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Open secure connection with TLS peer\", \"Secure connection established with TLS peer\",\n\"61026\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Shutdown secure connection with TLS peer\", \"Secure connection with TLS peer shutdown\",\n\"60509\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"ERS request was denied as maximum possible connection was exceeded\", \"ERS request was denied as maximum possible connection was exceeded\",\n\"61231\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while receiving message\", \"Kafka connection to ACI error while receiving message\",\n\"61232\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while sending message\", \"Kafka connection to ACI error while sending message\",\n\"89003\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Failed to connect to MDM server\", \"Failed to connect to MDM server\",\n\"24000\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection established with LDAP server\", \"Connection established with LDAP server\",\n\"24001\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot establish connection with LDAP server\", \"Cannot establish connection with LDAP server\",\n\"24019\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connection error was encountered\", \"ISE cannot connect to LDAP external ID store\",\n\"24030\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"SSL connection error was encountered\", \"SSL connection error was encountered\",\n\"24400\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection to ISE Active Directory agent established successfully\", \"Connection to ISE Active 
Directory agent established successfully\",\n\"24401\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with ISE Active Directory agent\", \"Could not establish connection with ISE Active Directory agent\",\n\"24428\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Connection related error has occurred in either LRPC, LDAP or KERBEROS\", \"This RPC connection problem may be because the stub received incorrect data\",\n\"24429\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with Active Directory\", \"Could not establish connection with Active Directory\",\n\"24850\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external ODBC database\", \"ISE successfully established a new connection to external ODBC database\",\n\"24851\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external ODBC database failed\", \"ISE failed to establish a new connection to external ODBC database\",\n\"34120\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Profiler failed to get the connection to NAC Manager\", \"Profiler sends a notification event to NAC Manager, but the notification fails because could not connect to NAC Manager\",\n\"34147\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"JGroups TLS Handshake Failed\", \"JGroups TLS Handshake Failed\",\n\"34148\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"JGroups TLS Handshake Succeeded\", \"JGroups TLS Handshake Succeeded\",\n\"34149\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"HTTPS TLS Handshake Failed\", \"HTTPS TLS Handshake Failed\",\n\"34150\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"HTTPS TLS Handshake Succeeded\", \"HTTPS TLS Handshake Succeeded\",\n\"34159\", \"Success\", 
\"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection established successfully\", \"LDAPS connection established successfully\",\n\"34160\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection terminated successfully\", \"LDAPS connection terminated successfully\",\n\"34161\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with SSL error\", \"LDAPS connection establishment failed with SSL error\",\n\"34162\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with SSL error\", \"LDAPS connection terminated with SSL error\",\n\"34163\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with non-SSL error\", \"LDAPS connection establishment failed with non-SSL error\",\n\"34164\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with non-SSL error\", \"LDAPS connection terminated with non-SSL error\",\n\"90062\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot connect to Domain Controller\", \"Cannot connect to Domain Controller\",\n\"90063\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Successfully establish connection to Domain Controller\", \"Successfully establish connection to Domain Controller\",\n\"90066\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Lost connection with Domain Controller\", \"Lost connection with Domain Controller\",\n\"90078\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Closed connection to Domain Controller\", \"Closed connection to Domain Controller\",\n\"91082\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"RADIUS DTLS: Connection to OCSP server failed\", \"RADIUS DTLS: Connection attempt to OCSP server failed.\",\n\"11317\", \"Failure\", 
\"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"TrustSec SSH connection failed\", \"ISE failed to establish SSH connection to a network device. Verify network device SSH credentials in the Network Device page are similar to the credentials configured on the network device. Check network device enabled ssh connections from ISE (ip address)\",\n\"5405\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"RADIUS Request dropped\", \"RADIUS request dropped\",\n\"5406\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"TACACS+ Request dropped\", \"TACACS+ request dropped\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet GetSrcIpAddr = (src_ip: string) {\n case ( \n src_ip matches regex @\"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\",\n src_ip,\n \"\"\n )\n};\nlet GetMacAddr = (mac: string) {\n case ( \n mac matches regex @\"[a-fA-F0-9\\-:]{17}\",\n mac,\n \"\"\n )\n};\nlet CiscoISENSParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, DestinationIPAddress: string, DestinationPort: int, ['Remote-Address']: string, ['Device IP Address']: string, ['User-Name']: string, UserName: string, User: string, ['Device Port']: int, Protocol: string, ['Calling-Station-ID']: string, ['Called-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n DstIpAddr=DestinationIPAddress\n , DstPortNumber=DestinationPort\n , SrcPortNumber=['Device Port']\n , NetworkApplicationProtocol=Protocol\n | invoke _ASIM_ResolveSrcFQDN(\"['Calling-Station-ID']\")\n | extend \n EventVendor = 
\"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventType = \"NetworkSession\"\n , EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n , DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , DstMacAddr = GetMacAddr(['Called-Station-ID'])\n , SrcMacAddr = GetMacAddr(['Calling-Station-ID'])\n , DstUsername = coalesce(UserName, ['User-Name'], User)\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], GetSrcIpAddr(['Calling-Station-ID']))\n //********************** ************************\n | extend \n Dvc = coalesce(DvcHostname, DvcIpAddr)\n , IpAddr = SrcIpAddr\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , User = DstUsername\n //********************** ***********************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n ['Device IP Address'],\n ['Remote-Address'],\n ['Calling-Station-ID'],\n ['Called-Station-ID']\n};\nCiscoISENSParser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCiscoISE", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: string,\nEventResult: string,\nDvcAction: string,\nEventResultDetails: 
string,\nEventSubType: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nEventMessage: string,\nEventOriginalResultDetails: string\n)[\n\"60188\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"INFO\", \"Low\", \"An attempted SSH connection has failed\", \"An attempted SSH connection has failed\",\n\"60234\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"The SXP connection has been disconnected\", \"The SXP connection has been disconnected\",\n\"60235\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"SXP connection succeeded\", \"SXP connection succeeded\",\n\"60236\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"SXP connection failed\", \"SXP connection failed\",\n\"61010\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"ISE has established connection to APIC\", \"ISE has established connection to APIC\",\n\"61011\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"ISE was disconnected from APIC\", \"ISE was disconnected from APIC\",\n\"61025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Open secure connection with TLS peer\", \"Secure connection established with TLS peer\",\n\"61026\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Shutdown secure connection with TLS peer\", \"Secure connection with TLS peer shutdown\",\n\"60509\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"ERS request was denied as maximum possible connection was exceeded\", \"ERS request was denied as maximum possible connection was exceeded\",\n\"61231\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while receiving message\", \"Kafka connection to ACI error while receiving message\",\n\"61232\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while sending message\", \"Kafka 
connection to ACI error while sending message\",\n\"89003\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Failed to connect to MDM server\", \"Failed to connect to MDM server\",\n\"24000\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection established with LDAP server\", \"Connection established with LDAP server\",\n\"24001\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot establish connection with LDAP server\", \"Cannot establish connection with LDAP server\",\n\"24019\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connection error was encountered\", \"ISE cannot connect to LDAP external ID store\",\n\"24030\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"SSL connection error was encountered\", \"SSL connection error was encountered\",\n\"24400\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection to ISE Active Directory agent established successfully\", \"Connection to ISE Active Directory agent established successfully\",\n\"24401\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with ISE Active Directory agent\", \"Could not establish connection with ISE Active Directory agent\",\n\"24428\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Connection related error has occurred in either LRPC, LDAP or KERBEROS\", \"This RPC connection problem may be because the stub received incorrect data\",\n\"24429\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with Active Directory\", \"Could not establish connection with Active Directory\",\n\"24850\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external ODBC database\", \"ISE successfully established a new connection to external ODBC database\",\n\"24851\", 
\"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external ODBC database failed\", \"ISE failed to establish a new connection to external ODBC database\",\n\"34120\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Profiler failed to get the connection to NAC Manager\", \"Profiler sends a notification event to NAC Manager, but the notification fails because could not connect to NAC Manager\",\n\"34147\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"JGroups TLS Handshake Failed\", \"JGroups TLS Handshake Failed\",\n\"34148\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"JGroups TLS Handshake Succeeded\", \"JGroups TLS Handshake Succeeded\",\n\"34149\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"HTTPS TLS Handshake Failed\", \"HTTPS TLS Handshake Failed\",\n\"34150\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"HTTPS TLS Handshake Succeeded\", \"HTTPS TLS Handshake Succeeded\",\n\"34159\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection established successfully\", \"LDAPS connection established successfully\",\n\"34160\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection terminated successfully\", \"LDAPS connection terminated successfully\",\n\"34161\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with SSL error\", \"LDAPS connection establishment failed with SSL error\",\n\"34162\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with SSL error\", \"LDAPS connection terminated with SSL error\",\n\"34163\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with non-SSL error\", \"LDAPS connection establishment failed with non-SSL error\",\n\"34164\", \"Failure\", 
\"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with non-SSL error\", \"LDAPS connection terminated with non-SSL error\",\n\"90062\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot connect to Domain Controller\", \"Cannot connect to Domain Controller\",\n\"90063\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Successfully establish connection to Domain Controller\", \"Successfully establish connection to Domain Controller\",\n\"90066\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Lost connection with Domain Controller\", \"Lost connection with Domain Controller\",\n\"90078\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Closed connection to Domain Controller\", \"Closed connection to Domain Controller\",\n\"91082\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"RADIUS DTLS: Connection to OCSP server failed\", \"RADIUS DTLS: Connection attempt to OCSP server failed.\",\n\"11317\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"TrustSec SSH connection failed\", \"ISE failed to establish SSH connection to a network device. Verify network device SSH credentials in the Network Device page are similar to the credentials configured on the network device. 
Check network device enabled ssh connections from ISE (ip address)\",\n\"5405\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"RADIUS Request dropped\", \"RADIUS request dropped\",\n\"5406\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"TACACS+ Request dropped\", \"TACACS+ request dropped\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet GetSrcIpAddr = (src_ip: string) {\n case ( \n src_ip matches regex @\"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\",\n src_ip,\n \"\"\n )\n};\nlet GetMacAddr = (mac: string) {\n case ( \n mac matches regex @\"[a-fA-F0-9\\-:]{17}\",\n mac,\n \"\"\n )\n};\nlet CiscoISENSParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, DestinationIPAddress: string, DestinationPort: int, ['Remote-Address']: string, ['Device IP Address']: string, ['User-Name']: string, UserName: string, User: string, ['Device Port']: int, Protocol: string, ['Calling-Station-ID']: string, ['Called-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n DstIpAddr=DestinationIPAddress\n , DstPortNumber=DestinationPort\n , SrcPortNumber=['Device Port']\n , NetworkApplicationProtocol=Protocol\n | invoke _ASIM_ResolveSrcFQDN(\"['Calling-Station-ID']\")\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , 
EventType = \"NetworkSession\"\n , EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n , DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , DstMacAddr = GetMacAddr(['Called-Station-ID'])\n , SrcMacAddr = GetMacAddr(['Calling-Station-ID'])\n , DstUsername = coalesce(UserName, ['User-Name'], User)\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], GetSrcIpAddr(['Calling-Station-ID']))\n //********************** ************************\n | extend \n Dvc = coalesce(DvcHostname, DvcIpAddr)\n , IpAddr = SrcIpAddr\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , User = DstUsername\n //********************** ***********************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n ['Device IP Address'],\n ['Remote-Address'],\n ['Calling-Station-ID'],\n ['Called-Station-ID']\n};\nCiscoISENSParser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json index 58d31aa854e..a7a06f3eaa6 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCiscoMeraki", - "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n[\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup=datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, \"Packet 
Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup=datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", \"ICMP\", 
\"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup=datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup=datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup=datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"0\", \"Allow\", \"Success\",\n \"1\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false) {\n let allData = (\n meraki_CL\n | project-rename LogMessage = Message\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]);\n let FlowsFirewallData = PreFilteredData\n | where LogType in 
(\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(pattern1, pattern2)\n | lookup DvcActionLookup on pattern\n | extend direction = case(pattern has_any ('0','1'), 'ingress', pattern has_any ('allow','deny'), 'egress', 'unknown')\n | lookup NetworkDirectionLookup on direction\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, timestamp: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n 
| extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost),\n EventMessage = trim('\"', message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" 
restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip \"]:\" temp_port \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend \n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n Epoch = iff(isnotempty(column_ifexists(\"timestamp\", \"\")), timestamp, Epoch)\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend temp_srcipport= coalesce(src, ip_src, last_known_client_ip) \n | extend temp_srcipport = trim('\"', temp_srcipport)\n 
| parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = case(\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0], \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = coalesce(dst, dns_server)\n | extend temp_dstipport = trim('\"', temp_dstipport)\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | extend \n EventMessage = iff(\n LogSubType has_any(\"Blocked DHCP server\", \"Virtual router collision\"),\n Substring,\n coalesce(message, \"\")\n ),\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(duration) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventEndTime = EventStartTime,\n EventCount = int(1),\n 
EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCiscoMeraki", + "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n[\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", 
\"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup=datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet 
NetworkProtocolLookup=datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup=datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup=datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup=datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"0\", \"Allow\", \"Success\",\n \"1\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false) {\n let allData = (\n meraki_CL\n | project-rename LogMessage = Message\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = 
extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]);\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(pattern1, pattern2)\n | lookup DvcActionLookup on pattern\n | extend direction = case(pattern has_any ('0','1'), 'ingress', pattern has_any ('allow','deny'), 'egress', 'unknown')\n | lookup NetworkDirectionLookup on direction\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, timestamp: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with 
(pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost),\n EventMessage = trim('\"', message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = 
EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip \"]:\" temp_port \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend \n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n Epoch = iff(isnotempty(column_ifexists(\"timestamp\", \"\")), 
timestamp, Epoch)\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend temp_srcipport= coalesce(src, ip_src, last_known_client_ip) \n | extend temp_srcipport = trim('\"', temp_srcipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = case(\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0], \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = coalesce(dst, dns_server)\n | extend temp_dstipport = trim('\"', temp_dstipport)\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | extend \n EventMessage = iff(\n LogSubType has_any(\"Blocked DHCP server\", \"Virtual router collision\"),\n Substring,\n coalesce(message, \"\")\n ),\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n Src = 
coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(duration) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventEndTime = EventStartTime,\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json index 1a4f63ea1e3..c5cbba2a227 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json 
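Review bot: The `EventResultDetails` override in the relocated query tests the same range twice — `(toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31)` — so whatever second gap it was meant to cover is never mapped to "Unknown"; `EventResultDetailsLookup` has rows for 0–24, 32–40, 98 and 99 only, so the second clause was presumably intended as `or (toint(reason) >= 41 and toint(reason) <= 97)` — confirm against the Meraki disassociation reason codes before changing it. The flat `workspaces/savedSearches` resource keeps `"etag": "*"`, which overwrites any existing function with the alias ASimNetworkSessionCiscoMeraki unconditionally, and it now assumes the workspace already exists rather than re-declaring it; a one-line note in the template metadata saying the workspace must pre-exist would save deployers a failed run. `EventUid = _ResourceId` appears to assign the same value to every record from a given ingestion resource rather than a per-event identifier — verify this is the intended uniqueness contract for the schema. The Syslog variant that begins at the end of this diff appears to carry the same lookup and likely the same duplicated clause, so any fix should land in both files.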
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCiscoMerakiSyslog", - "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n[\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup=datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination 
Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup=datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", 
\"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup=datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup=datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup=datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false) {\n let allData = (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]);\n let FlowsFirewallData = 
PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(pattern1, pattern2)\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, timestamp: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n 
DstMacAddr = trim('\"', dhost),\n EventMessage = trim('\"', message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend 
LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip \"]:\" temp_port \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend \n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n Epoch = iff(isnotempty(column_ifexists(\"timestamp\", \"\")), timestamp, Epoch)\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend temp_srcipport= coalesce(src, ip_src, last_known_client_ip) \n | extend temp_srcipport = trim('\"', temp_srcipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = case(\n temp_srcipport has \".\",\n 
split(temp_srcipport, \":\")[0], \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = coalesce(dst, dns_server)\n | extend temp_dstipport = trim('\"', temp_dstipport)\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | extend \n EventMessage = iff(\n LogSubType has_any(\"Blocked DHCP server\", \"Virtual router collision\"),\n Substring,\n coalesce(message, \"\")\n ),\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(duration) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventEndTime = EventStartTime,\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n 
Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName,NetworkProtocolNumber\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCiscoMerakiSyslog", + "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n[\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n 
\"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup=datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet 
NetworkProtocolLookup=datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup=datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup=datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup=datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false) {\n let allData = (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = 
extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]);\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(pattern1, pattern2)\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, timestamp: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | 
lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost),\n EventMessage = trim('\"', message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse 
Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip \"]:\" temp_port \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend \n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n Epoch = iff(isnotempty(column_ifexists(\"timestamp\", \"\")), timestamp, Epoch)\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend temp_srcipport= 
coalesce(src, ip_src, last_known_client_ip) \n | extend temp_srcipport = trim('\"', temp_srcipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = case(\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0], \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = coalesce(dst, dns_server)\n | extend temp_dstipport = trim('\"', temp_dstipport)\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | extend \n EventMessage = iff(\n LogSubType has_any(\"Blocked DHCP server\", \"Virtual router collision\"),\n Substring,\n coalesce(message, \"\")\n ),\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(duration) * 1000)\n | project-rename\n EventOriginalType = LogType,\n 
EventOriginalSubType = LogSubType\n | extend\n EventEndTime = EventStartTime,\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName,NetworkProtocolNumber\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json index 902dd6a8627..e98be491da7 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json 
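Review bot: In the new `query` string, the EventResultDetails fallback inside `EventsData_associ` tests the same range twice — `(toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31)` — so the second operand is dead, and disassociation reason codes 41–97 (which `EventResultDetailsLookup` does not list either) come out with an empty EventResultDetails; presumably the second clause was meant to cover a different gap. Because this ARM JSON is generated from the parser YAML, the fix belongs in the YAML source and should then be regenerated here rather than hand-edited; one form that closes every gap without enumerating ranges is `| extend EventResultDetails = iff(isnotempty(reason) and isempty(EventResultDetails), "Unknown", EventResultDetails)`. Separately, `"etag": "*"` means each deployment unconditionally overwrites any existing saved search with this alias, which is the usual ASIM convention but is worth stating in the template description so operators know a customised parser of the same name will be replaced.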
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCorelightZeek')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCorelightZeek", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Corelight Zeek", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCorelightZeek", - "query": "let NetworkDirectionLookup = datatable(local_orig: bool, local_resp: bool, NetworkDirection: string)\n[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n];\nlet ResultLookup = datatable (conn_state:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string)\n[ \n 'S0', 'Success', '', 'Connection attempt seen, no reply', 'Informational',\n 'S1', 'Success', '', 'Connection established, not terminated', 'Informational',\n 'SF', 'Success', 'Terminated', 'Normal establishment and termination', 'Informational', // Note that this is the same symbol as for state S1. 
You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.\n 'REJ', 'Failure', 'Rejeced', 'Connection attempt rejected', 'Low',\n 'S2', 'Failure', 'Terminated', 'Connection established and close attempt by originator seen (but no reply from responder)', 'Low',\n 'S3', 'Failure', 'Terminated', 'Connection established and close attempt by responder seen (but no reply from originator)', 'Low',\n 'RSTO', 'Failure', 'Reset', 'Connection established, originator aborted (sent a RST)', 'Low',\n 'RSTR', 'Failure', 'Reset', 'Responder sent a RST', 'Low',\n 'RSTOS0', 'Failure', 'Reset', 'Originator sent a SYN followed by a RST, no SYN-ACK from the responder','Low',\n 'RSTRH', 'Failure', 'Reset', 'Responder sent a SYN ACK followed by a RST, no SYN from the originator','Low',\n 'SH', 'Failure', 'Timeout', 'Originator sent a SYN followed by a FIN, no SYN ACK from the responder', 'Low',\n 'SHR', 'Failure', 'Timeout', 'Responder sent a SYN ACK followed by a FIN, no SYN from the originator', 'Low',\n 'OTH', 'Success', '', 'No SYN seen, just midstream traffic', 'Informational'\n];\nlet parser=(disabled:bool=false){\n Corelight_CL | where not(disabled)\n | where (Message has '\"_path\":\"conn\"' or Message has '\"conn_red\"')\n | project Message\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"service\"']:string,\n ['\"duration\"']:int,\n ['\"orig_bytes\"']:long,\n ['\"resp_bytes\"']:long,\n ['\"local_orig\"']:bool,\n ['\"local_resp\"']:bool,\n ['\"missed_bytes\"']:long,\n ['\"history\"']:string,\n ['\"orig_pkts\"']:long,\n ['\"resp_pkts\"']:long,\n ['\"orig_l2_addr\"']:string,\n ['\"resp_l2_addr\"']:string,\n ['\"community_id']:string,\n ['\"conn_state\"']:string,\n ['\"vlan\"']:string,\n 
['\"inner_vlan\"']:string\n ) \n with (quote = '\"')\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.4\",\n EventType=\"Flow\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n NetworkApplicationProtocol = ['\"service\"'],\n NetworkDuration = ['\"duration\"'],\n SrcBytes = ['\"orig_bytes\"'],\n DstBytes = ['\"resp_bytes\"'],\n local_orig = ['\"local_orig\"'],\n local_resp = ['\"local_resp\"'],\n FlowMissedBytes = ['\"missed_bytes\"'],\n SrcPackets = ['\"orig_pkts\"'],\n DstPackets = ['\"resp_pkts\"'],\n SrcMacAddr = ['\"orig_l2_addr\"'],\n DstMacAddr = ['\"resp_l2_addr\"'],\n DstVlanId = ['\"vlan\"'],\n SrcVlanId = ['\"inner_vlan\"'], \n conn_state = ['\"conn_state\"'],\n FlowHistory = ['\"history\"'],\n NetworkSessionId = ['\"community_id'],\n Dvc = ['\"_system_name\"']\n | lookup NetworkDirectionLookup on local_orig, local_resp\n | lookup ResultLookup on conn_state\n | extend\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n NetworkProtocol = toupper(NetworkProtocol)\n // Aliases\n | extend \n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=NetworkDuration,\n SessionId = NetworkSessionId,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId,\n Dst=DstIpAddr\n | project-away Message, local_orig, local_resp, conn_state\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Corelight Zeek", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCorelightZeek", + "query": "let NetworkDirectionLookup = datatable(local_orig: bool, local_resp: bool, 
NetworkDirection: string)\n[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n];\nlet ResultLookup = datatable (conn_state:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string)\n[ \n 'S0', 'Success', '', 'Connection attempt seen, no reply', 'Informational',\n 'S1', 'Success', '', 'Connection established, not terminated', 'Informational',\n 'SF', 'Success', 'Terminated', 'Normal establishment and termination', 'Informational', // Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.\n 'REJ', 'Failure', 'Rejeced', 'Connection attempt rejected', 'Low',\n 'S2', 'Failure', 'Terminated', 'Connection established and close attempt by originator seen (but no reply from responder)', 'Low',\n 'S3', 'Failure', 'Terminated', 'Connection established and close attempt by responder seen (but no reply from originator)', 'Low',\n 'RSTO', 'Failure', 'Reset', 'Connection established, originator aborted (sent a RST)', 'Low',\n 'RSTR', 'Failure', 'Reset', 'Responder sent a RST', 'Low',\n 'RSTOS0', 'Failure', 'Reset', 'Originator sent a SYN followed by a RST, no SYN-ACK from the responder','Low',\n 'RSTRH', 'Failure', 'Reset', 'Responder sent a SYN ACK followed by a RST, no SYN from the originator','Low',\n 'SH', 'Failure', 'Timeout', 'Originator sent a SYN followed by a FIN, no SYN ACK from the responder', 'Low',\n 'SHR', 'Failure', 'Timeout', 'Responder sent a SYN ACK followed by a FIN, no SYN from the originator', 'Low',\n 'OTH', 'Success', '', 'No SYN seen, just midstream traffic', 'Informational'\n];\nlet parser=(disabled:bool=false){\n Corelight_CL | where not(disabled)\n | where (Message has '\"_path\":\"conn\"' or Message has '\"conn_red\"')\n | project Message\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n 
['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"service\"']:string,\n ['\"duration\"']:int,\n ['\"orig_bytes\"']:long,\n ['\"resp_bytes\"']:long,\n ['\"local_orig\"']:bool,\n ['\"local_resp\"']:bool,\n ['\"missed_bytes\"']:long,\n ['\"history\"']:string,\n ['\"orig_pkts\"']:long,\n ['\"resp_pkts\"']:long,\n ['\"orig_l2_addr\"']:string,\n ['\"resp_l2_addr\"']:string,\n ['\"community_id']:string,\n ['\"conn_state\"']:string,\n ['\"vlan\"']:string,\n ['\"inner_vlan\"']:string\n ) \n with (quote = '\"')\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.4\",\n EventType=\"Flow\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n NetworkApplicationProtocol = ['\"service\"'],\n NetworkDuration = ['\"duration\"'],\n SrcBytes = ['\"orig_bytes\"'],\n DstBytes = ['\"resp_bytes\"'],\n local_orig = ['\"local_orig\"'],\n local_resp = ['\"local_resp\"'],\n FlowMissedBytes = ['\"missed_bytes\"'],\n SrcPackets = ['\"orig_pkts\"'],\n DstPackets = ['\"resp_pkts\"'],\n SrcMacAddr = ['\"orig_l2_addr\"'],\n DstMacAddr = ['\"resp_l2_addr\"'],\n DstVlanId = ['\"vlan\"'],\n SrcVlanId = ['\"inner_vlan\"'], \n conn_state = ['\"conn_state\"'],\n FlowHistory = ['\"history\"'],\n NetworkSessionId = ['\"community_id'],\n Dvc = ['\"_system_name\"']\n | lookup NetworkDirectionLookup on local_orig, local_resp\n | lookup ResultLookup on conn_state\n | extend\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n NetworkProtocol = toupper(NetworkProtocol)\n // Aliases\n | extend \n IpAddr=SrcIpAddr,\n 
Src=SrcIpAddr,\n Duration=NetworkDuration,\n SessionId = NetworkSessionId,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId,\n Dst=DstIpAddr\n | project-away Message, local_orig, local_resp, conn_state\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json index 62cca46cbdf..ba8e05942e1 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json 
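Review bot: In the new `query` string the `parse-kv` key for the community id is written `['"community_id']` with no closing quote, unlike every other key in that list (`['"ts"']`, `['"uid"']`, …), and the same unbalanced key is reused in the `project-rename` for `NetworkSessionId`; unless this is deliberate, the key will likely never match the `"community_id"` token in `Message` and `NetworkSessionId`/`SessionId` will stay empty for every row. The fix is `['"community_id"']:string,` in the parse-kv list and `NetworkSessionId = ['"community_id"'],` in the rename. The `ResultLookup` row for `REJ` sets `EventResultDetails` to `'Rejeced'`, which reads as a typo for `'Rejected'` and would not match any consumer filtering on the normalized value. `EventSchemaVersion` is `"0.2.4"` here while the sibling NetworkSession parsers in this commit declare `"0.2.6"`; worth confirming which schema version this parser actually conforms to. None of this is introduced by the commit, but the restructuring is a convenient moment to correct it.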
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionCrowdStrikeFalconHost')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionCrowdStrikeFalconHost", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionCrowdStrikeFalconHost", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet EventFieldsLookup = datatable (\n ruleAction: int,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n 0, \"invalid\", \"Deny\", \"Failure\",\n 1, \"allowed\", \"Allow\", \"Success\",\n 2, \"blocked\", \"Deny\", \"Failure\"\n];\n//ActionLokkup is prepapred by considering facts as below:\n//Response bit: KILL PROCESS, modifier bit: '', DvcAction: Deny\n//Response bit: KILL PROCESS, modifier bit: POLICY_DISABLED, DvcAction: Allow as here process would have been killed or blocked if policy was enabled so current event is not killed.\nlet ActionLookup = datatable (\n EventOutcome: string,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"0\", \"Detection\", \"Allow\", \"Success\",\n \"2\", \"Detection\", \"Allow\", \"Success\",\n \"16\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"128\", \"Quarantine\", \"Allow\", \"Success\",\n 
\"144\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"272\", \"Detection\", \"Allow\", \"Success\",\n \"400\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"512\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"640\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"768\", \"Detection\", \"Allow\", \"Success\", \n \"1024\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"1040\", \"Prevention-killed,blocked\", \"Deny\", \"Failure\",\n \"1152\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1168\", \"Prevention-killed,blocked,quarnatine\", \"Deny\", \"Failure\",\n \"1280\", \"Detection\", \"Allow\", \"Success\",\n \"1296\", \"Detection\", \"Allow\", \"Success\",\n \"2048\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2176\", \"Prevention-quarantine,blocked \", \"Deny\", \"Failure\",\n \"2304\", \"Detection\", \"Allow\", \"Success\",\n \"2432\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"4096\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4112\", \"Prevention-blocked,killed\", \"Deny\", \"Failure\",\n \"4224\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4240\", \"Prevention-killed,blocked,quarantine\", \"Deny\", \"Failure\",\n \"4352\", \"Detection\", \"Allow\", \"Success\",\n \"4368\", \"Detection\", \"Allow\", \"Success\",\n \"4638\", \"Detection\", \"Allow\", \"Success\",\n \"5120\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"8192\", \"Disabled\", \"Allow\", \"Success\",\n \"8208\", \"Detection\", \"Allow\", \"Success\",\n \"8320\", \"Detection-quarnatine\", \"Allow\", \"Success\",\n \"8704\", \"Detection\", \"Allow\", \"Success\",\n \"9216\", \"Detection\", \"Allow\", \"Success\",\n \"10240\", \"Detection\", \"Allow\", \"Success\",\n \"12304\", \"Detection\", \"Allow\", \"Success\",\n \"16400\", \"Killed\", \"Deny\", \"Failure\",\n \"32768\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"32896\", \"Prevention-blocked,quarantine\", \"Deny\", 
\"Failure\",\n \"33024\", \"Detection\", \"Allow\", \"Success\",\n \"65536\", \"Downgraded\", \"Allow\", \"Success\",\n \"65552\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"65792\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"65808\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73728\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73744\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"131088\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131216\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"131584\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131712\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"2099200\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2099328\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4196352\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4196480\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1048576\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"524288\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"262144\", \"Blocking Disabled\", \"Allow\", \"Success\",\n \"16384\", \"Safeguard Enabled\", \"Allow\", \"Success\",\n \"131072\", \"Kill Failed\", \"Deny\", \"Failure\",\n \"256\", \"Policy Disabled\", \"Allow\", \"Success\",\n \"2097152\", \"Response Action Already Applied\", \"Deny\", \"Failure\",\n \"4194304\", \"Response Failed\", \"Deny\", \"Failure\"\n];\nlet parser = (disabled: bool=false) {\n let alldata = CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"CrowdStrike\"\n and DeviceProduct == \"FalconHost\"\n | where DeviceEventClassID in (\"Network Access In A Detection Summary Event\", \"FirewallMatchEvent\");\n let firewalldata = alldata\n | where DeviceEventClassID == \"FirewallMatchEvent\"\n | parse-kv AdditionalExtensions as (deviceId: string, cmdLine: string, connectionDirection: int, eventType: string, hostName: string, icmpCode: int, icmpType: string, localAddress: 
string, localPort: int, matchCount: int, networkProfile: string, protocol: int, remoteAddress: string, remotePort: int, ruleAction: int, ruleDescription: string, ruleGroupName: string, ruleName: string, status: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n EventCount = matchCount,\n EventStartTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n NetworkDirection = case(\n connectionDirection == 1, \"Inbound\",\n connectionDirection == 2, \"Outbound\",\n \"\"\n ),\n SrcIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n SrcPortNumber = case(\n connectionDirection == 1, remotePort,\n connectionDirection == 2, localPort,\n int(null)\n ),\n DstIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n DstPortNumber = case(\n connectionDirection == 1, localPort,\n connectionDirection == 2, remotePort,\n int(null)\n ),\n deviceIp = iff(hostName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", hostName, \"\")\n | extend \n hostName = iff(isempty(deviceIp), hostName, \"\"),\n AdditionalFields = bag_pack(\n \"networkProfile\", networkProfile,\n \"ruleDescription\", ruleDescription,\n \"ruleGroupName\", ruleGroupName,\n \"cmdLine\", cmdLine\n ),\n NetworkIcmpCode = icmpCode\n | invoke _ASIM_ResolveDvcFQDN('hostName')\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkIcmpType = _ASIM_LookupICMPType('icmpType')\n | lookup EventFieldsLookup on ruleAction\n | project-rename\n DvcId = deviceId,\n DvcIpAddr = deviceIp,\n EventOriginalSubType = eventType,\n NetworkRuleName = ruleName\n | extend\n Rule = NetworkRuleName,\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr);\n let networkaccessdata = alldata\n | where DeviceEventClassID has \"Network Access In A Detection Summary Event\"\n | parse-kv AdditionalExtensions as (CSMTRPatternDisposition: string, tactic: string, technique: 
string, objective: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup ActionLookup on EventOutcome\n | invoke _ASIM_ResolveSrcFQDN('DestinationHostName')\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventCount = int(1),\n SrcDomain = coalesce(DestinationNTDomain, SrcDomain),\n EventOriginalResultDetails = CSMTRPatternDisposition,\n SrcProcessId = tostring(FieldDeviceCustomNumber2),\n SrcDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", SrcDomainType),\n AdditionalFields = bag_pack(\n \"CSMTRPatternDisposition\", CSMTRPatternDisposition, \n \"Tactic\", coalesce(tactic, Activity),\n \"Technique\", coalesce(technique, DeviceAction),\n \"Objective\", coalesce(objective, Reason),\n DeviceCustomString6Label, DeviceCustomString6\n )\n | project-rename\n DvcId = ExtID,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n SrcMacAddr = SourceMACAddress,\n SrcUsername = DestinationUserName,\n SrcProcessName = FileName\n | extend\n Dvc = DvcId,\n Hostname = SrcHostname,\n User = SrcUsername,\n SrcAppId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\",\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername);\n union firewalldata, networkaccessdata\n | lookup EventSeverityLookup on LogSeverity\n | extend NetworkProtocolVersion = case(\n DstIpAddr contains \".\", \"IPv4\",\n DstIpAddr contains \":\", \"IPv6\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"CrowdStrike\",\n EventProduct = \"FalconHost\",\n EventType = \"EndpointNetworkSession\"\n | project-rename\n EventOriginalType = DeviceEventClassID,\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventOriginalSeverity= LogSeverity\n | extend\n EventEndTime = EventStartTime,\n Dst = 
DstIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\")\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n EventOutcome,\n IndicatorThreatType,\n cmdLine,\n connectionDirection,\n hostName,\n matchCount,\n networkProfile,\n protocol,\n ruleAction,\n ruleDescription,\n ruleGroupName,\n icmpCode,\n icmpType,\n status,\n CSMTRPatternDisposition,\n NetworkProtocolNumber,\n localAddress,\n localPort,\n remoteAddress,\n remotePort\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet EventFieldsLookup = datatable (\n ruleAction: int,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n 0, \"invalid\", \"Deny\", \"Failure\",\n 1, \"allowed\", \"Allow\", \"Success\",\n 2, \"blocked\", \"Deny\", \"Failure\"\n];\n//ActionLokkup is prepapred by considering facts as below:\n//Response bit: KILL PROCESS, modifier bit: '', DvcAction: Deny\n//Response bit: KILL PROCESS, modifier bit: POLICY_DISABLED, DvcAction: Allow as here process would have been killed or 
blocked if policy was enabled so current event is not killed.\nlet ActionLookup = datatable (\n EventOutcome: string,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"0\", \"Detection\", \"Allow\", \"Success\",\n \"2\", \"Detection\", \"Allow\", \"Success\",\n \"16\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"128\", \"Quarantine\", \"Allow\", \"Success\",\n \"144\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"272\", \"Detection\", \"Allow\", \"Success\",\n \"400\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"512\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"640\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"768\", \"Detection\", \"Allow\", \"Success\", \n \"1024\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"1040\", \"Prevention-killed,blocked\", \"Deny\", \"Failure\",\n \"1152\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1168\", \"Prevention-killed,blocked,quarnatine\", \"Deny\", \"Failure\",\n \"1280\", \"Detection\", \"Allow\", \"Success\",\n \"1296\", \"Detection\", \"Allow\", \"Success\",\n \"2048\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2176\", \"Prevention-quarantine,blocked \", \"Deny\", \"Failure\",\n \"2304\", \"Detection\", \"Allow\", \"Success\",\n \"2432\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"4096\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4112\", \"Prevention-blocked,killed\", \"Deny\", \"Failure\",\n \"4224\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4240\", \"Prevention-killed,blocked,quarantine\", \"Deny\", \"Failure\",\n \"4352\", \"Detection\", \"Allow\", \"Success\",\n \"4368\", \"Detection\", \"Allow\", \"Success\",\n \"4638\", \"Detection\", \"Allow\", \"Success\",\n \"5120\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"8192\", \"Disabled\", \"Allow\", \"Success\",\n \"8208\", \"Detection\", \"Allow\", \"Success\",\n \"8320\", \"Detection-quarnatine\", 
\"Allow\", \"Success\",\n \"8704\", \"Detection\", \"Allow\", \"Success\",\n \"9216\", \"Detection\", \"Allow\", \"Success\",\n \"10240\", \"Detection\", \"Allow\", \"Success\",\n \"12304\", \"Detection\", \"Allow\", \"Success\",\n \"16400\", \"Killed\", \"Deny\", \"Failure\",\n \"32768\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"32896\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"33024\", \"Detection\", \"Allow\", \"Success\",\n \"65536\", \"Downgraded\", \"Allow\", \"Success\",\n \"65552\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"65792\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"65808\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73728\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73744\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"131088\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131216\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"131584\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131712\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"2099200\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2099328\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4196352\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4196480\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1048576\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"524288\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"262144\", \"Blocking Disabled\", \"Allow\", \"Success\",\n \"16384\", \"Safeguard Enabled\", \"Allow\", \"Success\",\n \"131072\", \"Kill Failed\", \"Deny\", \"Failure\",\n \"256\", \"Policy Disabled\", \"Allow\", \"Success\",\n \"2097152\", \"Response Action Already Applied\", \"Deny\", \"Failure\",\n \"4194304\", \"Response Failed\", \"Deny\", \"Failure\"\n];\nlet parser = (disabled: bool=false) {\n let alldata = CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"CrowdStrike\"\n and 
DeviceProduct == \"FalconHost\"\n | where DeviceEventClassID in (\"Network Access In A Detection Summary Event\", \"FirewallMatchEvent\");\n let firewalldata = alldata\n | where DeviceEventClassID == \"FirewallMatchEvent\"\n | parse-kv AdditionalExtensions as (deviceId: string, cmdLine: string, connectionDirection: int, eventType: string, hostName: string, icmpCode: int, icmpType: string, localAddress: string, localPort: int, matchCount: int, networkProfile: string, protocol: int, remoteAddress: string, remotePort: int, ruleAction: int, ruleDescription: string, ruleGroupName: string, ruleName: string, status: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n EventCount = matchCount,\n EventStartTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n NetworkDirection = case(\n connectionDirection == 1, \"Inbound\",\n connectionDirection == 2, \"Outbound\",\n \"\"\n ),\n SrcIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n SrcPortNumber = case(\n connectionDirection == 1, remotePort,\n connectionDirection == 2, localPort,\n int(null)\n ),\n DstIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n DstPortNumber = case(\n connectionDirection == 1, localPort,\n connectionDirection == 2, remotePort,\n int(null)\n ),\n deviceIp = iff(hostName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", hostName, \"\")\n | extend \n hostName = iff(isempty(deviceIp), hostName, \"\"),\n AdditionalFields = bag_pack(\n \"networkProfile\", networkProfile,\n \"ruleDescription\", ruleDescription,\n \"ruleGroupName\", ruleGroupName,\n \"cmdLine\", cmdLine\n ),\n NetworkIcmpCode = icmpCode\n | invoke _ASIM_ResolveDvcFQDN('hostName')\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkIcmpType = _ASIM_LookupICMPType('icmpType')\n | lookup EventFieldsLookup on ruleAction\n | project-rename\n 
DvcId = deviceId,\n DvcIpAddr = deviceIp,\n EventOriginalSubType = eventType,\n NetworkRuleName = ruleName\n | extend\n Rule = NetworkRuleName,\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr);\n let networkaccessdata = alldata\n | where DeviceEventClassID has \"Network Access In A Detection Summary Event\"\n | parse-kv AdditionalExtensions as (CSMTRPatternDisposition: string, tactic: string, technique: string, objective: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup ActionLookup on EventOutcome\n | invoke _ASIM_ResolveSrcFQDN('DestinationHostName')\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventCount = int(1),\n SrcDomain = coalesce(DestinationNTDomain, SrcDomain),\n EventOriginalResultDetails = CSMTRPatternDisposition,\n SrcProcessId = tostring(FieldDeviceCustomNumber2),\n SrcDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", SrcDomainType),\n AdditionalFields = bag_pack(\n \"CSMTRPatternDisposition\", CSMTRPatternDisposition, \n \"Tactic\", coalesce(tactic, Activity),\n \"Technique\", coalesce(technique, DeviceAction),\n \"Objective\", coalesce(objective, Reason),\n DeviceCustomString6Label, DeviceCustomString6\n )\n | project-rename\n DvcId = ExtID,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n SrcMacAddr = SourceMACAddress,\n SrcUsername = DestinationUserName,\n SrcProcessName = FileName\n | extend\n Dvc = DvcId,\n Hostname = SrcHostname,\n User = SrcUsername,\n SrcAppId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\",\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername);\n union firewalldata, networkaccessdata\n | lookup EventSeverityLookup on LogSeverity\n | extend NetworkProtocolVersion = case(\n DstIpAddr contains \".\", \"IPv4\",\n DstIpAddr contains \":\", \"IPv6\",\n \"\"\n )\n 
| extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"CrowdStrike\",\n EventProduct = \"FalconHost\",\n EventType = \"EndpointNetworkSession\"\n | project-rename\n EventOriginalType = DeviceEventClassID,\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventOriginalSeverity= LogSeverity\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\")\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n EventOutcome,\n IndicatorThreatType,\n cmdLine,\n connectionDirection,\n hostName,\n matchCount,\n networkProfile,\n protocol,\n ruleAction,\n ruleDescription,\n ruleGroupName,\n icmpCode,\n icmpType,\n status,\n CSMTRPatternDisposition,\n NetworkProtocolNumber,\n localAddress,\n localPort,\n remoteAddress,\n remotePort\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json index 2a79b11e4a3..fd2b6f4e703 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json 
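Review bot: In the `firewalldata` branch of the new `query` string, the `DstIpAddr` `case()` is identical to the `SrcIpAddr` one (`connectionDirection == 1` → `remoteAddress`, `== 2` → `localAddress`), so source and destination always carry the same address, while the port mapping directly below it is correctly mirrored (`DstPortNumber`: `1` → `localPort`, `2` → `remotePort`). The destination address should mirror the ports: `connectionDirection == 1, localAddress,` and `connectionDirection == 2, remoteAddress,` inside the `DstIpAddr` case. As written, inbound firewall matches report the remote peer as both `Src` and `Dst`, so any detection built on this parser that filters on the local destination address never matches. The defect pre-dates this commit; since the hunk rewrites the whole resource it is the natural place to fix it. The comments above `ActionLookup` also contain typos (`ActionLokkup`, `prepapred`) that could be tidied at the same time.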
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionForcePointFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionForcePointFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Force Point Firewall", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionForcePointFirewall", - "query": "let ApplicationProtocolLookup=datatable(ApplicationProtocol:string,NetworkApplicationProtocol:string)\n [\n \"HTTPS\",\"HTTPS\",\n \"HTTP-Over-QUIC\",\"HTTP\",\n \"HTTP\",\"HTTP\",\n \"DNS Over TLS\",\"DNS\",\n \"HTTP proxy\",\"HTTP\",\n \"IMAPS\",\"IMAPS\",\n \"SMTP\",\"SMTP\",\n \"IMAP\",\"IMAP\",\n \"POP3S\",\"POP3\",\n \"SMTP Submission Service\",\"SMTP\",\n \"X11\",\"X11\",\n \"RTSP\",\"RTSP\",\n \"Telnet\",\"TELNET\",\n \"NNTP\",\"NNTP\",\n \"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\n \"POP3\",\"POP3\",\n \"BGP\",\"BGP\",\n \"FTP\",\"FTP\",\n \"RIP\",\"RIP\",\n \"Squid HTTP proxy\",\"HTTP\",\n \"TFTP\",\"TFTP\",\n \"QOTD\",\"QOTD\",\n \"SCCP\",\"SCCP\",\n \"Modbus\",\"MODBUS\",\n \"SVN\",\"SVN\",\n \"RADIUS (Accounting)\",\"RADIUS\",\n \"Kerberos\",\"KERBEROS\",\n \"GRE\",\"GRE\",\n \"UUCP-rlogin\",\"UUCP\",\n \"GTP User Data Tunneling\",\"GTP\",\n \"NNTPS\",\"NNTP\",\n \"GTP Control\",\"GTP\",\n \"IRC-default\",\"IRC\",\n \"FTPS (Control)\",\"FTPS\",\n \"ICCP\",\"ICCP\",\n \"IRCS\",\"IRC\",\n \"Telnets\",\"TELNET\",\n \"Finger\",\"FINGER\",\n \"ESP\",\"ESP\",\n \"Rlogin\",\"RLP\",\n \"IMAP3\",\"IMAP\",\n \"MGCP\",\"MGCP\",\n \"RADIUS 
Accounting (Old)\",\"RADIUS\",\n \"RADIUS (Old)\",\"RADIUS\",\n \"CVS\",\"CVS\",\n \"Ident\",\"IDENT\",\n \"Gopher\",\"GOPHER\",\n \"BGMP\",\"BGMP\",\n \"FTPS (Data)\",\"FTPS\",\n \"POP2\",\"POP\",\n \"TLISRV\",\"TLISRV\",\n \"INGRES-NET\",\"INGRES-NET\",\n \"IPIP\",\"IPIP\",\n \"XTP\",\"XTP\",\n \"UUCP\",\"UUCP\",\n \"IRC\",\"IRC\",\n \"Photuris (ICMP)\",\"ICMP\",\n \"TACACS-DS\",\"TACACS-DS\",\n \"WESP\",\"WESP\",\n \"EGP\",\"EGP\",\n \"WSN\",\"WSN\",\n \"XDMCP\",\"XDMCP\",\n \"Kerberos IV\",\"KERBEROS\",\n \"IRTP\",\"IRTP\",\n \"TTP\",\"TTP\",\n \"IRC-SERV\",\"IRC\",\n \"I-NLSP\",\"NLSP\",\n \"SNP\",\"SNP\",\n \"XNS-IDP\",\"XNS\",\n \"SECURE-VMTP\",\"VMTP\",\n \"VMTP\",\"VMTP\",\n \"IPLT\",\"IPLT\",\n \"GGP\",\"GGP\",\n \"MFE-NSP\",\"NSP\",\n \"HIP\",\"HIP\",\n \"MERIT-NSP\",\"NSP\",\n \"NSFNET-IGP\",\"IGP\",\n \"DCN-MEAS\",\"DCN\",\n \"STP\",\"STP\",\n \"SRP\",\"SRP\",\n \"HMP\",\"HMP\",\n \"XNET\",\"XNET\",\n \"VRRP\",\"VRRP\",\n \"ENCAP\",\"ENCAP\",\n \"CPNX\",\"CPNX\",\n \"PTP\",\"PTP\",\n \"SKIP\",\"SKIP\",\n \"SCPS\",\"SCPS\",\n \"Sprite-RPC\",\"RPC\",\n \"IPv6 ICMP\",\"ICMP\",\n \"MUX\",\"MUX\",\n \"CHAOS\",\"CHAOS\",\n \"SSCOPMCE\",\"SSCOPMCE\",\n \"CBT\",\"CBT\",\n \"SPS\",\"SPS\",\n \"ETHERIP\",\"ETHERIP\",\n \"MTP\",\"MTP\",\n \"ROHC\",\"ROHC\",\n \"CRTP\",\"CRTP\",\n \"PNNI\",\"PNNI\",\n \"NETBLT\",\"NETBLT\",\n \"TLSP\",\"TLSP\",\n \"IDPR\",\"IDPR\",\n \"DDX\",\"DDX\",\n \"PUP\",\"PUP\",\n \"DSR\",\"DSR\",\n \"NARP\",\"NARP\",\n \"CPHB\",\"CPHB\",\n \"SMP\",\"SMP\",\n \"L2TP\",\"L2TP\",\n \"IPv6 ICMP/143/0\",\"ICMP\",\n \"MICP\",\"MICP\",\n \"GMTP\",\"GMTP\",\n \"LARP\",\"LARP\",\n \"IFMP\",\"IFMP\",\n \"IGP\",\"IGP\",\n \"CFTP\",\"CFTP\",\n \"PGM\",\"PGM\",\n \"DDP\",\"DDP\",\n \"PIPE\",\"PIPE\",\n \"IATP\",\"IATP\",\n \"IGMP\",\"IGMP\",\n \"3PC\",\"3PC\",\n \"DGP\",\"DGP\",\n \"TCF\",\"TCF\",\n \"UTI\",\"UTI\",\n \"DCCP\",\"DCCP\",\n \"SWIPE\",\"SWIPE\",\n \"EMCON\",\"EMCON\",\n \"PIM\",\"PIM\",\n \"RVD\",\"RVD\",\n ];\n let 
ActionLookup=datatable(DeviceAction:string,DvcAction_ActionLookup:string,EventResult_ActionLookup:string,EventSeverity_ActionLookup:string)\n [\n \"Allow\",\"Allow\",\"Success\",\"Informational\", \n \"Discard\",\"Drop\",\"Failure\",\"Low\",\n \"Permit\",\"Allow\",\"Success\",\"Informational\", \n \"Refuse\",\"Deny\",\"Failure\",\"Low\",\n \"Terminate\",\"Reset Source\",\"Failure\",\"Low\", \n \"Terminate (failed)\",\"\",\"Failure\",\"Low\",\n \"Terminate (passive)\",\"Reset Destination\",\"Failure\",\"Low\", \n \"Terminate (reset)\",\"Reset\",\"Failure\",\"Low\",\n \"Wait for Authentication\",\"\",\"Success\",\"Informational\",\n \"Wait for Further Actions\",\"\",\"Success\",\"Informational\", \n \"Wait for RPC Reply\",\"\",\"Success\",\"Informational\"\n ];\n let DeviceEventClassIDLookup_Packet=datatable(DeviceEventClassID:string,EventSubType:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string) //Add more codes if needed\n [\n \"70018\",\"Start\",\"Allow\",\"Success\",\"Informational\", // Connection_Allowed\n \"70019\",\"End\",\"Deny\",\"Failure\",\"Low\", // Connection_Discarded\n \"70021\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed\n \"70022\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed-Abnormally\n \"70026\",\"\",\"\",\"Success\",\"Informational\", // Connection_Progress\n ];\n let DeviceEventClassIDLookup_File=datatable(DeviceEventClassID:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string)\n [\n \"76506\",\"Allow\",\"Success\",\"Informational\", // File_Allowed\n \"76508\",\"Deny\",\"Failure\",\"Low\", // File_Malware-Blocked\n \"76509\",\"\",\"Failure\",\"Low\" // File_Malware-Detected\n ];\n let MessageLookup = datatable (Message:string, DvcAction_MessageLookup:string, EventResult_MessageLookup:string, EventResultDetails:string, 
EventOriginalResultDetails:string) \n [\n \"Connection dropped\", \"Drop\", \"Failure\",\"Terminated\", \"Connection dropped\",\n \"Connection removed because NGFW Engine is low on memory.\",\"Drop\", \"Failure\",\"Terminated\",\"Connection removed because NGFW Engine is low on memory.\",\n \"Connection timeout in state TCP_CLOSE_WAIT\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for the FIN packet (passive close).\",\n \"Connection timeout in state TCP_CLOSE_WAIT_ACK\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for the FIN packet (passive close)\",\n \"Connection timeout in state TCP_CLOSING\", \"\", \"Success\", \"Timeout\", \"Closing packet (FIN) sent by one end of the Connection (simultaneous).\",\n \"Connection timeout in state TCP_CLOSING_ACK\", \"\", \"Success\", \"Timeout\", \"Waiting for ACK for the FIN before going to closing status (active close).\",\n \"Connection timeout in state TCP_ESTABLISHED\", \"\", \"Failure\", \"Timeout\", \"Normal status of TCP Connections for data transfer.\",\n \"Connection timeout in state TCP_FIN_WAIT_1\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for sending the FIN packet (active close).\",\n \"Connection timeout in state TCP_FIN_WAIT_2\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for receiving ACK packet.\",\n \"Connection timeout in state TCP_LAST_ACK\", \"\",\t\"Success\", \"Timeout\", \"One end of the Connection sent a FIN packet (passive close).\",\n \"Connection timeout in state TCP_LAST_ACK_WAIT\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for the FIN packet to be acknowledged.\",\n \"Connection timeout in state TCP_SYN_ACK_SEEN\", \"\", \"Failure\",\t\"Timeout\", \"Second phase of the TCP three-way handshake, the server has replied to client sent SYN with SYN+ACK, next status will be established.\",\n \"Connection timeout in state TCP_SYN_FIN_SEEN\", \"\",\t\"Success\", \"Timeout\", \"T/TCP (Transactional TCP) 
Connection, RFC 1644.\",\n \"Connection timeout in state TCP_SYN_RETURN\", \"\", \"Failure\", \"Timeout\", \"Received simultaneous SYN from the other end (simultaneous open).\",\n \"Connection timeout in state TCP_SYN_SEEN\", \"\", \"Failure\", \"Timeout\", \"First packet sent by one end of the Connection.\",\n \"Connection timeout in state TCP_TIME_WAIT\", \"\", \"Success\", \"Timeout\", \"One end of the Connection acknowledged closing packet (FIN).\",\n \"Connection timeout in state TCP_TIME_WAIT_ACK\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for ACK for the FIN status before going to time wait status (active close).\",\n \"Connection timeout in state ICMP_ECHO\", \"\", \"Failure\", \"Timeout\", \"Ping reply is expected.\",\n \"Connection timeout in state ICMP_REPLY_WAIT\", \"\", \"Failure\", \"Timeout\", \"Other ICMP request or reply types.\",\n \"Connection was reset by client\", \"Reset Source\", \"Failure\",\"Reset\", \"\",\n \"Connection was reset by server\", \"Reset Destination\", \"Failure\",\"Reset\", \"\",\n \"invalid packet (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [A] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FPA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [PA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [RA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [SA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation\",\"Deny\",\"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation: Connection end-point replied with ACK to SYN-packet. 
Connection refused.\", \"Deny\", \"Failure\", \"Invalid TCP\", \"\",\n \"TSC error: Query timed out\", \"\", \"Failure\", \"Timeout\", \"\"\n ];\n let parser = (disabled:bool) { \n let ForcePointNetwork = CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor==\"FORCEPOINT\" and DeviceProduct==\"Firewall\"\n | where DeviceFacility in~ (\"Inspection\",\"Packet Filtering\",\"File Filtering\") and isnotempty(DeviceEventClassID) and DeviceEventClassID != \"0\" \n ;\n let PacketFilteringData = ForcePointNetwork\n | where DeviceFacility == \"Packet Filtering\" and DeviceEventClassID !in (\"70383\",\"70393\",\"70734\",\"71009\",\"71040\")\n | lookup DeviceEventClassIDLookup_Packet on DeviceEventClassID\n | lookup MessageLookup on Message\n | extend DvcAction = coalesce(DvcAction_MessageLookup, DvcAction_DeviceEventClassIDLookup), \n EventResult = case (Message startswith \"Referred connection not known\", \"Failure\",\n coalesce(EventResult_MessageLookup, EventResult_DeviceEventClassIDLookup)), \n EventSeverity = case(Message startswith \"Referred connection not known\", \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(Message startswith \"Referred connection not known\", Message,\n EventOriginalResultDetails),\n EventType = \"NetworkSession\"\n | project-away DvcAction_*, EventResult_*, EventSeverity_DeviceEventClassIDLookup;\n let FileFilteringData = ForcePointNetwork\n | where DeviceFacility == \"File Filtering\"\n | lookup DeviceEventClassIDLookup_File on DeviceEventClassID\n | extend ThreatName = case (DeviceEventClassID in (\"76508\", \"76509\"), Activity,\n \"\")\n | project-rename DvcAction = DvcAction_DeviceEventClassIDLookup\n | extend EventResult = case(isnotempty(Message), \"Failure\",\n EventResult_DeviceEventClassIDLookup), \n EventSeverity = case(isnotempty(Message), \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(isnotempty(Message), Message,\n \"\"),\n EventType = 
\"NetworkSession\"\n | project-away *_DeviceEventClassIDLookup;\n let InspectionData = ForcePointNetwork\n | where DeviceFacility == \"Inspection\" or DeviceEventClassID == \"70734\"\n | extend MessageCode = toint(DeviceEventClassID)\n | extend EventSeverity = case (DeviceAction in~ (\"Allow\",\"Permit\"), \"Informational\",\n MessageCode >= 200000, \"High\",\n MessageCode < 200000, \"Low\",\n \"\"),\n EventType = case (MessageCode < 80000, \"NetworkSession\",\n \"IDS\")\n | extend ThreatName = Activity\n | project-away MessageCode;\n union PacketFilteringData, FileFilteringData, InspectionData\n | extend NetworkProtocol = _ASIM_LookupNetworkProtocol(Protocol)\n | lookup ActionLookup on DeviceAction\n | extend DvcAction = coalesce(DvcAction,DvcAction_ActionLookup), \n EventResult = coalesce(EventResult,EventResult_ActionLookup), \n EventSeverity = coalesce(EventSeverity, EventSeverity_ActionLookup)\n | project-away *_ActionLookup\n | lookup ApplicationProtocolLookup on ApplicationProtocol\n | extend \n EventCount = toint(1),\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Forcepoint\",\n EventProduct = \"Firewall\"\n | parse AdditionalExtensions with * \"requestURL=\" requestURL \n | project-rename\n EventOriginalType = DeviceEventClassID,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventMessage = Message,\n DvcOriginalAction = DeviceAction,\n SrcBytes = SentBytes,\n DstBytes = ReceivedBytes,\n EventOriginalSubType = DeviceFacility,\n DvcId = DeviceExternalID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcIpAddr = DeviceAddress,\n EventOriginalSeverity = LogSeverity,\n ThreatId = 
DeviceCustomString3\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | extend\n ThreatCategory = column_ifexists(\"DeviceEventCategory\",\"\"),\n EventStartTime = todatetime(ReceiptTime),\n EventEndTime = todatetime(ReceiptTime),\n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',requestURL)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',requestURL)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',requestURL)[0]\n | extend \n NetworkRuleName = case(isnotempty(DeviceCustomString2), strcat(DeviceCustomString1,',',DeviceCustomString2),\n DeviceCustomString1),\n DstDomainPart = tostring(host_parts[0]),\n DstIpAddr = coalesce(DstIpAddr, tostring(ipv4_parts[0]), tostring(ipv6_parts[0])),\n DstPortNumber = coalesce(DstPortNumber, toint(host_parts[1]), toint(ipv4_parts[1]), toint(ipv6_parts[1]))\n | invoke _ASIM_ResolveDstFQDN('DstDomainPart')\n | extend\n DvcIdType = case(isnotempty(DvcId), \"ForcepointId\",\n \"\"),\n DstPortNumber = case(\n isnotempty(DstPortNumber), DstPortNumber,\n ApplicationProtocol startswith \"TCP\", toint(split(ApplicationProtocol,'/')[1]),\n ApplicationProtocol startswith \"UDP\", toint(split(ApplicationProtocol,'/')[1]),\n int(null)),\n AdditionalFields = pack(iff(isnotempty(RequestMethod) and RequestMethod != \"UNKNOWN\", \"RequestMethod\", \"\"),RequestMethod,\n iff(isnotempty(DeviceCustomString4),\"VirusId\",\"\"),DeviceCustomString4),\n DstAppName = case(DestinationServiceName in~ (\"Generic-Web-HTTP\",\"Application-Unknown\",\"Unknown-Encrypted-Application\"), \"\",\n DestinationServiceName),\n DvcIpAddr = coalesce(DvcIpAddr,DeviceName)\n | extend\n Dvc = DvcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n DvcInterface = DvcInboundInterface,\n Hostname = DstHostname\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, 
OriginalLogSeverity, Process*, Protocol, ReceiptTime, Remote*, ReportReferenceLink, Request*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, ExtID, EventOutcome, FieldDevice*, Reason, ApplicationProtocol, Activity, requestURL, Computer, DstDomainPart, host_parts, ipv4_parts, ipv6_parts\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Force Point Firewall", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionForcePointFirewall", + "query": "let ApplicationProtocolLookup=datatable(ApplicationProtocol:string,NetworkApplicationProtocol:string)\n [\n \"HTTPS\",\"HTTPS\",\n \"HTTP-Over-QUIC\",\"HTTP\",\n \"HTTP\",\"HTTP\",\n \"DNS Over TLS\",\"DNS\",\n \"HTTP proxy\",\"HTTP\",\n \"IMAPS\",\"IMAPS\",\n \"SMTP\",\"SMTP\",\n \"IMAP\",\"IMAP\",\n \"POP3S\",\"POP3\",\n \"SMTP Submission Service\",\"SMTP\",\n \"X11\",\"X11\",\n \"RTSP\",\"RTSP\",\n \"Telnet\",\"TELNET\",\n \"NNTP\",\"NNTP\",\n \"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\n \"POP3\",\"POP3\",\n \"BGP\",\"BGP\",\n \"FTP\",\"FTP\",\n \"RIP\",\"RIP\",\n \"Squid HTTP proxy\",\"HTTP\",\n \"TFTP\",\"TFTP\",\n \"QOTD\",\"QOTD\",\n \"SCCP\",\"SCCP\",\n \"Modbus\",\"MODBUS\",\n \"SVN\",\"SVN\",\n \"RADIUS (Accounting)\",\"RADIUS\",\n \"Kerberos\",\"KERBEROS\",\n \"GRE\",\"GRE\",\n \"UUCP-rlogin\",\"UUCP\",\n \"GTP User Data Tunneling\",\"GTP\",\n \"NNTPS\",\"NNTP\",\n \"GTP Control\",\"GTP\",\n \"IRC-default\",\"IRC\",\n \"FTPS (Control)\",\"FTPS\",\n \"ICCP\",\"ICCP\",\n \"IRCS\",\"IRC\",\n \"Telnets\",\"TELNET\",\n \"Finger\",\"FINGER\",\n \"ESP\",\"ESP\",\n \"Rlogin\",\"RLP\",\n \"IMAP3\",\"IMAP\",\n \"MGCP\",\"MGCP\",\n \"RADIUS Accounting (Old)\",\"RADIUS\",\n \"RADIUS (Old)\",\"RADIUS\",\n \"CVS\",\"CVS\",\n \"Ident\",\"IDENT\",\n \"Gopher\",\"GOPHER\",\n \"BGMP\",\"BGMP\",\n \"FTPS (Data)\",\"FTPS\",\n 
\"POP2\",\"POP\",\n \"TLISRV\",\"TLISRV\",\n \"INGRES-NET\",\"INGRES-NET\",\n \"IPIP\",\"IPIP\",\n \"XTP\",\"XTP\",\n \"UUCP\",\"UUCP\",\n \"IRC\",\"IRC\",\n \"Photuris (ICMP)\",\"ICMP\",\n \"TACACS-DS\",\"TACACS-DS\",\n \"WESP\",\"WESP\",\n \"EGP\",\"EGP\",\n \"WSN\",\"WSN\",\n \"XDMCP\",\"XDMCP\",\n \"Kerberos IV\",\"KERBEROS\",\n \"IRTP\",\"IRTP\",\n \"TTP\",\"TTP\",\n \"IRC-SERV\",\"IRC\",\n \"I-NLSP\",\"NLSP\",\n \"SNP\",\"SNP\",\n \"XNS-IDP\",\"XNS\",\n \"SECURE-VMTP\",\"VMTP\",\n \"VMTP\",\"VMTP\",\n \"IPLT\",\"IPLT\",\n \"GGP\",\"GGP\",\n \"MFE-NSP\",\"NSP\",\n \"HIP\",\"HIP\",\n \"MERIT-NSP\",\"NSP\",\n \"NSFNET-IGP\",\"IGP\",\n \"DCN-MEAS\",\"DCN\",\n \"STP\",\"STP\",\n \"SRP\",\"SRP\",\n \"HMP\",\"HMP\",\n \"XNET\",\"XNET\",\n \"VRRP\",\"VRRP\",\n \"ENCAP\",\"ENCAP\",\n \"CPNX\",\"CPNX\",\n \"PTP\",\"PTP\",\n \"SKIP\",\"SKIP\",\n \"SCPS\",\"SCPS\",\n \"Sprite-RPC\",\"RPC\",\n \"IPv6 ICMP\",\"ICMP\",\n \"MUX\",\"MUX\",\n \"CHAOS\",\"CHAOS\",\n \"SSCOPMCE\",\"SSCOPMCE\",\n \"CBT\",\"CBT\",\n \"SPS\",\"SPS\",\n \"ETHERIP\",\"ETHERIP\",\n \"MTP\",\"MTP\",\n \"ROHC\",\"ROHC\",\n \"CRTP\",\"CRTP\",\n \"PNNI\",\"PNNI\",\n \"NETBLT\",\"NETBLT\",\n \"TLSP\",\"TLSP\",\n \"IDPR\",\"IDPR\",\n \"DDX\",\"DDX\",\n \"PUP\",\"PUP\",\n \"DSR\",\"DSR\",\n \"NARP\",\"NARP\",\n \"CPHB\",\"CPHB\",\n \"SMP\",\"SMP\",\n \"L2TP\",\"L2TP\",\n \"IPv6 ICMP/143/0\",\"ICMP\",\n \"MICP\",\"MICP\",\n \"GMTP\",\"GMTP\",\n \"LARP\",\"LARP\",\n \"IFMP\",\"IFMP\",\n \"IGP\",\"IGP\",\n \"CFTP\",\"CFTP\",\n \"PGM\",\"PGM\",\n \"DDP\",\"DDP\",\n \"PIPE\",\"PIPE\",\n \"IATP\",\"IATP\",\n \"IGMP\",\"IGMP\",\n \"3PC\",\"3PC\",\n \"DGP\",\"DGP\",\n \"TCF\",\"TCF\",\n \"UTI\",\"UTI\",\n \"DCCP\",\"DCCP\",\n \"SWIPE\",\"SWIPE\",\n \"EMCON\",\"EMCON\",\n \"PIM\",\"PIM\",\n \"RVD\",\"RVD\",\n ];\n let ActionLookup=datatable(DeviceAction:string,DvcAction_ActionLookup:string,EventResult_ActionLookup:string,EventSeverity_ActionLookup:string)\n [\n \"Allow\",\"Allow\",\"Success\",\"Informational\", \n 
\"Discard\",\"Drop\",\"Failure\",\"Low\",\n \"Permit\",\"Allow\",\"Success\",\"Informational\", \n \"Refuse\",\"Deny\",\"Failure\",\"Low\",\n \"Terminate\",\"Reset Source\",\"Failure\",\"Low\", \n \"Terminate (failed)\",\"\",\"Failure\",\"Low\",\n \"Terminate (passive)\",\"Reset Destination\",\"Failure\",\"Low\", \n \"Terminate (reset)\",\"Reset\",\"Failure\",\"Low\",\n \"Wait for Authentication\",\"\",\"Success\",\"Informational\",\n \"Wait for Further Actions\",\"\",\"Success\",\"Informational\", \n \"Wait for RPC Reply\",\"\",\"Success\",\"Informational\"\n ];\n let DeviceEventClassIDLookup_Packet=datatable(DeviceEventClassID:string,EventSubType:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string) //Add more codes if needed\n [\n \"70018\",\"Start\",\"Allow\",\"Success\",\"Informational\", // Connection_Allowed\n \"70019\",\"End\",\"Deny\",\"Failure\",\"Low\", // Connection_Discarded\n \"70021\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed\n \"70022\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed-Abnormally\n \"70026\",\"\",\"\",\"Success\",\"Informational\", // Connection_Progress\n ];\n let DeviceEventClassIDLookup_File=datatable(DeviceEventClassID:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string)\n [\n \"76506\",\"Allow\",\"Success\",\"Informational\", // File_Allowed\n \"76508\",\"Deny\",\"Failure\",\"Low\", // File_Malware-Blocked\n \"76509\",\"\",\"Failure\",\"Low\" // File_Malware-Detected\n ];\n let MessageLookup = datatable (Message:string, DvcAction_MessageLookup:string, EventResult_MessageLookup:string, EventResultDetails:string, EventOriginalResultDetails:string) \n [\n \"Connection dropped\", \"Drop\", \"Failure\",\"Terminated\", \"Connection dropped\",\n \"Connection removed because NGFW Engine is low on memory.\",\"Drop\", 
\"Failure\",\"Terminated\",\"Connection removed because NGFW Engine is low on memory.\",\n \"Connection timeout in state TCP_CLOSE_WAIT\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for the FIN packet (passive close).\",\n \"Connection timeout in state TCP_CLOSE_WAIT_ACK\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for the FIN packet (passive close)\",\n \"Connection timeout in state TCP_CLOSING\", \"\", \"Success\", \"Timeout\", \"Closing packet (FIN) sent by one end of the Connection (simultaneous).\",\n \"Connection timeout in state TCP_CLOSING_ACK\", \"\", \"Success\", \"Timeout\", \"Waiting for ACK for the FIN before going to closing status (active close).\",\n \"Connection timeout in state TCP_ESTABLISHED\", \"\", \"Failure\", \"Timeout\", \"Normal status of TCP Connections for data transfer.\",\n \"Connection timeout in state TCP_FIN_WAIT_1\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for sending the FIN packet (active close).\",\n \"Connection timeout in state TCP_FIN_WAIT_2\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for receiving ACK packet.\",\n \"Connection timeout in state TCP_LAST_ACK\", \"\",\t\"Success\", \"Timeout\", \"One end of the Connection sent a FIN packet (passive close).\",\n \"Connection timeout in state TCP_LAST_ACK_WAIT\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for the FIN packet to be acknowledged.\",\n \"Connection timeout in state TCP_SYN_ACK_SEEN\", \"\", \"Failure\",\t\"Timeout\", \"Second phase of the TCP three-way handshake, the server has replied to client sent SYN with SYN+ACK, next status will be established.\",\n \"Connection timeout in state TCP_SYN_FIN_SEEN\", \"\",\t\"Success\", \"Timeout\", \"T/TCP (Transactional TCP) Connection, RFC 1644.\",\n \"Connection timeout in state TCP_SYN_RETURN\", \"\", \"Failure\", \"Timeout\", \"Received simultaneous SYN from the other end (simultaneous open).\",\n \"Connection timeout in 
state TCP_SYN_SEEN\", \"\", \"Failure\", \"Timeout\", \"First packet sent by one end of the Connection.\",\n \"Connection timeout in state TCP_TIME_WAIT\", \"\", \"Success\", \"Timeout\", \"One end of the Connection acknowledged closing packet (FIN).\",\n \"Connection timeout in state TCP_TIME_WAIT_ACK\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for ACK for the FIN status before going to time wait status (active close).\",\n \"Connection timeout in state ICMP_ECHO\", \"\", \"Failure\", \"Timeout\", \"Ping reply is expected.\",\n \"Connection timeout in state ICMP_REPLY_WAIT\", \"\", \"Failure\", \"Timeout\", \"Other ICMP request or reply types.\",\n \"Connection was reset by client\", \"Reset Source\", \"Failure\",\"Reset\", \"\",\n \"Connection was reset by server\", \"Reset Destination\", \"Failure\",\"Reset\", \"\",\n \"invalid packet (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [A] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FPA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [PA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [RA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [SA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation\",\"Deny\",\"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation: Connection end-point replied with ACK to SYN-packet. 
Connection refused.\", \"Deny\", \"Failure\", \"Invalid TCP\", \"\",\n \"TSC error: Query timed out\", \"\", \"Failure\", \"Timeout\", \"\"\n ];\n let parser = (disabled:bool) { \n let ForcePointNetwork = CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor==\"FORCEPOINT\" and DeviceProduct==\"Firewall\"\n | where DeviceFacility in~ (\"Inspection\",\"Packet Filtering\",\"File Filtering\") and isnotempty(DeviceEventClassID) and DeviceEventClassID != \"0\" \n ;\n let PacketFilteringData = ForcePointNetwork\n | where DeviceFacility == \"Packet Filtering\" and DeviceEventClassID !in (\"70383\",\"70393\",\"70734\",\"71009\",\"71040\")\n | lookup DeviceEventClassIDLookup_Packet on DeviceEventClassID\n | lookup MessageLookup on Message\n | extend DvcAction = coalesce(DvcAction_MessageLookup, DvcAction_DeviceEventClassIDLookup), \n EventResult = case (Message startswith \"Referred connection not known\", \"Failure\",\n coalesce(EventResult_MessageLookup, EventResult_DeviceEventClassIDLookup)), \n EventSeverity = case(Message startswith \"Referred connection not known\", \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(Message startswith \"Referred connection not known\", Message,\n EventOriginalResultDetails),\n EventType = \"NetworkSession\"\n | project-away DvcAction_*, EventResult_*, EventSeverity_DeviceEventClassIDLookup;\n let FileFilteringData = ForcePointNetwork\n | where DeviceFacility == \"File Filtering\"\n | lookup DeviceEventClassIDLookup_File on DeviceEventClassID\n | extend ThreatName = case (DeviceEventClassID in (\"76508\", \"76509\"), Activity,\n \"\")\n | project-rename DvcAction = DvcAction_DeviceEventClassIDLookup\n | extend EventResult = case(isnotempty(Message), \"Failure\",\n EventResult_DeviceEventClassIDLookup), \n EventSeverity = case(isnotempty(Message), \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(isnotempty(Message), Message,\n \"\"),\n EventType = 
\"NetworkSession\"\n | project-away *_DeviceEventClassIDLookup;\n let InspectionData = ForcePointNetwork\n | where DeviceFacility == \"Inspection\" or DeviceEventClassID == \"70734\"\n | extend MessageCode = toint(DeviceEventClassID)\n | extend EventSeverity = case (DeviceAction in~ (\"Allow\",\"Permit\"), \"Informational\",\n MessageCode >= 200000, \"High\",\n MessageCode < 200000, \"Low\",\n \"\"),\n EventType = case (MessageCode < 80000, \"NetworkSession\",\n \"IDS\")\n | extend ThreatName = Activity\n | project-away MessageCode;\n union PacketFilteringData, FileFilteringData, InspectionData\n | extend NetworkProtocol = _ASIM_LookupNetworkProtocol(Protocol)\n | lookup ActionLookup on DeviceAction\n | extend DvcAction = coalesce(DvcAction,DvcAction_ActionLookup), \n EventResult = coalesce(EventResult,EventResult_ActionLookup), \n EventSeverity = coalesce(EventSeverity, EventSeverity_ActionLookup)\n | project-away *_ActionLookup\n | lookup ApplicationProtocolLookup on ApplicationProtocol\n | extend \n EventCount = toint(1),\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Forcepoint\",\n EventProduct = \"Firewall\"\n | parse AdditionalExtensions with * \"requestURL=\" requestURL \n | project-rename\n EventOriginalType = DeviceEventClassID,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventMessage = Message,\n DvcOriginalAction = DeviceAction,\n SrcBytes = SentBytes,\n DstBytes = ReceivedBytes,\n EventOriginalSubType = DeviceFacility,\n DvcId = DeviceExternalID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcIpAddr = DeviceAddress,\n EventOriginalSeverity = LogSeverity,\n ThreatId = 
DeviceCustomString3\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | extend\n ThreatCategory = column_ifexists(\"DeviceEventCategory\",\"\"),\n EventStartTime = todatetime(ReceiptTime),\n EventEndTime = todatetime(ReceiptTime),\n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',requestURL)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',requestURL)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',requestURL)[0]\n | extend \n NetworkRuleName = case(isnotempty(DeviceCustomString2), strcat(DeviceCustomString1,',',DeviceCustomString2),\n DeviceCustomString1),\n DstDomainPart = tostring(host_parts[0]),\n DstIpAddr = coalesce(DstIpAddr, tostring(ipv4_parts[0]), tostring(ipv6_parts[0])),\n DstPortNumber = coalesce(DstPortNumber, toint(host_parts[1]), toint(ipv4_parts[1]), toint(ipv6_parts[1]))\n | invoke _ASIM_ResolveDstFQDN('DstDomainPart')\n | extend\n DvcIdType = case(isnotempty(DvcId), \"ForcepointId\",\n \"\"),\n DstPortNumber = case(\n isnotempty(DstPortNumber), DstPortNumber,\n ApplicationProtocol startswith \"TCP\", toint(split(ApplicationProtocol,'/')[1]),\n ApplicationProtocol startswith \"UDP\", toint(split(ApplicationProtocol,'/')[1]),\n int(null)),\n AdditionalFields = pack(iff(isnotempty(RequestMethod) and RequestMethod != \"UNKNOWN\", \"RequestMethod\", \"\"),RequestMethod,\n iff(isnotempty(DeviceCustomString4),\"VirusId\",\"\"),DeviceCustomString4),\n DstAppName = case(DestinationServiceName in~ (\"Generic-Web-HTTP\",\"Application-Unknown\",\"Unknown-Encrypted-Application\"), \"\",\n DestinationServiceName),\n DvcIpAddr = coalesce(DvcIpAddr,DeviceName)\n | extend\n Dvc = DvcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n DvcInterface = DvcInboundInterface,\n Hostname = DstHostname\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, 
OriginalLogSeverity, Process*, Protocol, ReceiptTime, Remote*, ReportReferenceLink, Request*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, ExtID, EventOutcome, FieldDevice*, Reason, ApplicationProtocol, Activity, requestURL, Computer, DstDomainPart, host_parts, ipv4_parts, ipv6_parts\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json index 676d4a0067e..fb7d186be97 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json 
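Review bot: The ApplicationProtocolLookup datatable in the new query carries a duplicated key row, `"ISAKMP","ISAKMP","ISAKMP","ISAKMP",`, and since `lookup ApplicationProtocolLookup on ApplicationProtocol` is a left-outer join, every ISAKMP event is presumably emitted twice, inflating EventCount-based session counts and any detection built on this parser; one of the two pairs should be dropped, leaving `"ISAKMP","ISAKMP",`. A second, weaker point: `| parse AdditionalExtensions with * "requestURL=" requestURL` captures to the end of the string, so if requestURL is not the last `;`-delimited extension (the FortiGate parser in this same diff treats AdditionalExtensions as `;`-delimited pairs) the trailing pairs land in requestURL and the anchored regexes that derive DstIpAddr/DstPortNumber silently match nothing; `| extend requestURL = extract(@'requestURL=([^;]*)', 1, AdditionalExtensions)` would bound the capture. This ARM file looks generated from the parser YAML by the convert workflow, so both fixes belong in the YAML source with the template regenerated rather than edited here.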
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionFortinetFortiGate", - "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n[\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n];\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n[\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"Critical\", // High\n \"7\", \"Alert\", // Medium\n \"8\", \"High\" // Emergency\n];\nlet Parser=(disabled:bool=false){\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and (column_ifexists(\"DeviceEventCategory\",\"\") has \"traffic\" or 
AdditionalExtensions has \"cat=traffic\")\n | where DeviceAction != \"dns\" and Activity !has \"dns\" \n | parse Activity with \"traffic:forward \" temp_DeviceAction:string \n | extend DeviceAction = coalesce(DeviceAction, temp_DeviceAction) \n | lookup EventLookup on DeviceAction \n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long\n ) with (pair_delimiter=';', kv_delimiter='=')\n | project-rename\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n NetworkRuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = 
FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | extend EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(NetworkRuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nParser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Fortinet FortiGate", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionFortinetFortiGate", + "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n[\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n];\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n[\n \"1\", \"Informational\", // Debug\n \"2\", 
\"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"Critical\", // High\n \"7\", \"Alert\", // Medium\n \"8\", \"High\" // Emergency\n];\nlet Parser=(disabled:bool=false){\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and (column_ifexists(\"DeviceEventCategory\",\"\") has \"traffic\" or AdditionalExtensions has \"cat=traffic\")\n | where DeviceAction != \"dns\" and Activity !has \"dns\" \n | parse Activity with \"traffic:forward \" temp_DeviceAction:string \n | extend DeviceAction = coalesce(DeviceAction, temp_DeviceAction) \n | lookup EventLookup on DeviceAction \n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n 
FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long\n ) with (pair_delimiter=';', kv_delimiter='=')\n | project-rename\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n NetworkRuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | extend EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(NetworkRuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nParser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json new file mode 100644 index 00000000000..91734f78179 --- /dev/null 
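Review bot: The `SeverityLookup` table carried over unchanged into the new `query` string maps `"6"` to `"Critical"` and `"7"` to `"Alert"`, values that, as far as I know, are outside the ASIM `EventSeverity` enumeration (Informational, Low, Medium, High), and they also sit out of order against the CEF comments on those rows (`// High`, `// Medium`, `// Emergency`). Rows that hit these entries will fail schema validation or be dropped by severity-based analytics, which is a detection-coverage gap rather than a cosmetic one. I would expect something like `"6", "Medium", // High` and `"7", "High", // Medium`, but the exact intent should be confirmed against the Fortinet priority table linked in the comment. This ARM template is generated from the parser YAML, so the correction belongs there.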
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionIllumioSaaSCore')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionIllumioSaaSCore", + "query": "let ProtocolLookup = datatable(proto:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 
55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\nlet NetworkProtocolVersionLookup = datatable(version: int, NetworkProtocolVersion: string)\n[\n 4,\"IPv4\",\n 6,\"IPv6\"\n];\nlet EventResultLookup = datatable(DvcAction: string, EventResult: string)\n[\n \"Deny\", \"Failure\",\n \"Allow\", \"Success\"\n];\nlet DvcActionLookup = datatable(pd: int, DvcAction: string)\n[\n// - Allow\n// - Deny\n// - Drop\n// - Drop ICMP\n// - Reset\n// - Reset Source\n// - Reset Destination\n// - 
Encrypt\n// - Decrypt\n// - VPNroute\n 2, \"Deny\",\n 1, \"Allow\",\n 0, \"Allow\"\n];\nlet ClassLookup = datatable(class: string, ClassDetail: string)\n[\n \"M\", \"Multicast\",\n \"B\", \"Broadcast\",\n \"U\", \"Unicast\"\n];\nlet parser=(disabled:bool=false){\n Illumio_Flow_Events_CL \n | where not(disabled)\n | lookup ProtocolLookup on proto\n | lookup NetworkProtocolVersionLookup on version\n | lookup DvcActionLookup on pd //set DvcAction\n | extend EventResult = iff(DvcAction == \"Deny\", \"Failure\", \"Success\")\n | lookup ClassLookup on class\n | extend\n EventCount = flow_count,\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventType = 'Flow',\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'NetworkSession',\n Dvc = pce_fqdn \n | extend NetworkDirection = case(\n dir=='I', 'Inbound',\n dir=='O', 'Outbound',\n 'Unknown'\n ),\n NetworkDuration = interval_sec,\n DstBytes = tolong(dst_dbo),\n SrcBytes = tolong(dst_dbi),\n DstIpAddr = dst_ip,\n SrcIpAddr = src_ip,\n DstPortNumber = dst_port,\n DstHostname = dst_hostname,\n SrcHostname = src_hostname,\n EventSeverity = case( \n DvcAction=='Deny', 'Low',\n 'Informational' \n )\n | extend \n SrcProcessName = iif(dir=='O', pn, ''),\n DstProcessName = iif(dir=='I', pn, ''),\n SrcUsername = iif(dir=='O', un, ''),\n DstUsername = iif(dir=='I', un, '')\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n //Aliases\n | extend \n DvcIpAddr = SrcIpAddr,\n DvcHostname = SrcHostname\n | extend\n AdditionalFields = bag_pack(\"Class\", ClassDetail,\n \"Network\",network,\n \"Source_Labels\", src_labels,\n \"Dest_Labels\", dst_labels,\n \"Src_href\", src_href, // can this be stored in SrcId instead?\n \"Dst_href\", dst_href // can this be stored in DvcId instead?\n // need to add SN here\n )\n // aliases \n | extend\n Duration = NetworkDuration,\n User = DstUsername,\n Hostname = 
DstHostname,\n IpAddr = SrcIpAddr,\n EventUid = _ItemId\n | project-away \n code,\n icmp_type,\n dst_dbi,\n dst_dbo,\n dst_tbi,\n dst_tbo,\n pce_fqdn,\n proto,\n dst_port,\n src_ip,\n dst_ip,\n dst_hostname,\n src_hostname,\n dir,\n flow_count,\n src_href,\n dst_href,\n src_labels,\n dst_labels,\n network,\n class,\n org_id,\n state, // decide how to use this\n pd_qualifier, //decide how to use this\n interval_sec,\n version,\n ddms, // not needed\n tdms, // not needed\n pn, \n un,\n pd,\n ClassDetail,\n TenantId\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/README.md b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/README.md new file mode 100644 index 00000000000..444d4e5f443 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/README.md @@ -0,0 +1,18 @@ +# Illumio SaaS Core ASIM NetworkSession Normalization Parser + +ARM template for ASIM NetworkSession schema parser for Illumio SaaS Core. + +This ASIM parser supports normalizing Illumio SaaS Core logs to the ASIM Network Session normalized schema. These events are captured through Illumio Sentinel Integration data connector. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc) + +
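Review bot: `ProtocolLookup` in the new Illumio `query` string lists the key `84` twice (`84,"TTP"` and `84,"IPTM"`), so `| lookup ProtocolLookup on proto` will emit two normalized rows for every protocol-84 flow and inflate event counts for it. Keep a single row for that key, e.g. `84,"TTP"`, or, as the FortiGate parser in this same diff does, delegate to the shared `_ASIM_ResolveNetworkProtocol` helper if it accepts the numeric form. The `EventResultLookup` datatable is declared but never referenced; `EventResult` is derived with `iff(DvcAction == "Deny", "Failure", "Success")` instead, so the unused table can be removed. Since this ARM file is generated from the parser YAML, both fixes belong in the YAML source.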
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionIllumioSaaSCore%2FASimNetworkSessionIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionIllumioSaaSCore%2FASimNetworkSessionIllumioSaaSCore.json) diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json index ff905bc427b..733271c404f 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMD4IoTAgent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMD4IoTAgent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Microsoft Defender for IoT micro agent", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMD4IoTAgent", - "query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n;\nlet parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:long ','\n '\"BytesOut\":' BytesOut:long ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n}\n; \nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = 
LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"UID\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"UID\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away outbound\n;\nNetworkSessionMD4IoT\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] 
+ "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Microsoft Defender for IoT micro agent", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMD4IoTAgent", + "query": "let DirectionNetworkEvents =\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n;\nlet parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:long ','\n '\"BytesOut\":' BytesOut:long ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n}\n; \nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"UID\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | 
extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"UID\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n;\nlet NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, // Open question about timestamps\n EventEndTime = TimeGenerated, // Open question about timestamps\n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n | project-away outbound\n;\nNetworkSessionMD4IoT\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json index 7b1cef01a9c..ea1d0f87e44 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMD4IoTSensor')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMD4IoTSensor", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Microsoft Defender for IoT sensor logs", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMD4IoTSensor", - "query": "let parser = (disabled:bool=false) \n{\n DefenderIoTRawEvent\n | where RawEventName == \"NetworkConnectionData\"\n | project-rename \n DvcSubscriptionId = AzureSubscriptionId\n | extend \n Dvc = tostring(EventDetails.SourceId),\n DstDvcId = tostring(EventDetails.Destination.DeviceId),\n DstMacAddr = tostring(EventDetails.Destination.MacAddress),\n DstIpAddr = tostring(EventDetails.Destination.IPAddress),\n DstPortNumber = toint(EventDetails.Destination.Port),\n DstDescription = tostring(EventDetails.Destination.DeviceName),\n SrcDvcId = tostring(EventDetails.Source.DeviceId),\n SrcMacAddr = tostring(EventDetails.Source.MacAddress),\n SrcIpAddr = tostring(EventDetails.Source.IPAddress),\n SrcPortNumber = toint(EventDetails.Source.Port),\n SrcDescription = tostring(EventDetails.Source.DeviceName),\n EventOriginalUid = tostring(EventDetails.Id),\n EventEndTime = todatetime(EventDetails.LastSeen),\n EventStartTime = todatetime(EventDetails.StartTime),\n NetworkProtocol = tostring(EventDetails.TransportProtocol)\n | extend\n EventProduct = 'Defender for IoT',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.4',\n 
EventCount = toint(1),\n EventSeverity = 'Informational',\n EventType = iff(DstIpAddr=='' and SrcIpAddr == '','L2NetworkSession','NetworkSession'),\n NetworkDirection = iff(tobool(EventDetails.IsInternal), 'Local',''),\n EventVendor = 'Microsoft',\n DstDvcIdType = 'MD4IoTid',\n SrcDvcIdType = 'MD4IoTid'\n | extend // -- Aliases\n Dst = coalesce(DstIpAddr,DstMacAddr),\n Src = coalesce(SrcIpAddr,SrcMacAddr),\n IpAddr = SrcIpAddr,\n EventStartTime = EventEndTime\n | project-away \n RawEventCategory, RawEventName, RawEventType, SourceSystem, TenantId, AgentVersion, IoTRawEventId, IsEmpty, AgentId, DeviceId, TimeStamp\n | project-away EventDetails, AssociatedResourceId\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Microsoft Defender for IoT sensor logs", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMD4IoTSensor", + "query": "let parser = (disabled:bool=false) \n{\n DefenderIoTRawEvent\n | where RawEventName == \"NetworkConnectionData\"\n | project-rename \n DvcSubscriptionId = AzureSubscriptionId\n | extend \n Dvc = tostring(EventDetails.SourceId),\n DstDvcId = tostring(EventDetails.Destination.DeviceId),\n DstMacAddr = tostring(EventDetails.Destination.MacAddress),\n DstIpAddr = tostring(EventDetails.Destination.IPAddress),\n DstPortNumber = toint(EventDetails.Destination.Port),\n DstDescription = tostring(EventDetails.Destination.DeviceName),\n SrcDvcId = tostring(EventDetails.Source.DeviceId),\n SrcMacAddr = tostring(EventDetails.Source.MacAddress),\n SrcIpAddr = tostring(EventDetails.Source.IPAddress),\n SrcPortNumber = toint(EventDetails.Source.Port),\n SrcDescription = tostring(EventDetails.Source.DeviceName),\n EventOriginalUid = tostring(EventDetails.Id),\n EventEndTime = todatetime(EventDetails.LastSeen),\n EventStartTime = todatetime(EventDetails.StartTime),\n NetworkProtocol = 
tostring(EventDetails.TransportProtocol)\n | extend\n EventProduct = 'Defender for IoT',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.4',\n EventCount = toint(1),\n EventSeverity = 'Informational',\n EventType = iff(DstIpAddr=='' and SrcIpAddr == '','L2NetworkSession','NetworkSession'),\n NetworkDirection = iff(tobool(EventDetails.IsInternal), 'Local',''),\n EventVendor = 'Microsoft',\n DstDvcIdType = 'MD4IoTid',\n SrcDvcIdType = 'MD4IoTid'\n | extend // -- Aliases\n Dst = coalesce(DstIpAddr,DstMacAddr),\n Src = coalesce(SrcIpAddr,SrcMacAddr),\n IpAddr = SrcIpAddr,\n EventStartTime = EventEndTime\n | project-away \n RawEventCategory, RawEventName, RawEventType, SourceSystem, TenantId, AgentVersion, IoTRawEventId, IsEmpty, AgentId, DeviceId, TimeStamp\n | project-away EventDetails, AssociatedResourceId\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json index fa6db466080..52ceae1f101 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json 
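Review bot: The sensor parser on the new side never consults its `disabled` argument — `let parser = (disabled:bool=false)` is followed directly by `DefenderIoTRawEvent | where RawEventName == "NetworkConnectionData"` — so, unlike the FortiGate and Illumio parsers in this diff, it keeps producing rows when a unifying parser disables it. Add `| where not(disabled)` immediately after the table reference. Later, the alias block assigns `EventStartTime = EventEndTime`, which overwrites the `EventStartTime = todatetime(EventDetails.StartTime)` computed a few lines earlier and discards the session start time; if the intent is only to backfill, `EventStartTime = coalesce(EventStartTime, EventEndTime)` preserves it. Both corrections belong in the parser YAML this ARM template is generated from.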
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMicrosoft365Defender')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMicrosoft365Defender", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for M365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMicrosoft365Defender", - "query": "let M365Defender=(disabled:bool=false){\n let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n ];\n // -- Common preprocessing to both input and outbound events\n let RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents | where not(disabled) \n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n | project-away AppGuardContainerId, LocalIPType, MachineGroup, RemoteIPType, Timestamp, Outbound //, SourceSystem, TenantId\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = 
iff(ActionType=='ConnectionFailed','Failure','Success'),\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-away \n ReportId\n | project-rename \n EventOriginalResultDetails = ActionType\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | project-away Protocol\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | project-away RemoteUrl, DeviceName\n | extend\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n };\n let OutboundNetworkEvents = \n RawNetworkEvents (true)\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserId = InitiatingProcessAccountSid\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n 
DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcDomain\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = SrcProcessName,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n ;\n let InboundNetworkEvents = \n RawNetworkEvents (false)\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | project-rename\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType,\n DstHostname = DvcHostname,\n DstDomain = 
DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = DstProcessName,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n ;\n union InboundNetworkEvents, OutboundNetworkEvents\n | project-rename \n Hostname = UrlHostname\n | extend // aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n };\n M365Defender (disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for M365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMicrosoft365Defender", + "query": "let M365Defender=(disabled:bool=false){\n let DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n 
,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n ];\n // -- Common preprocessing to both input and outbound events\n let RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents | where not(disabled) \n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n | project-away AppGuardContainerId, LocalIPType, MachineGroup, RemoteIPType, Timestamp, Outbound //, SourceSystem, TenantId\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventResult = iff(ActionType=='ConnectionFailed','Failure','Success'),\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-away \n ReportId\n | project-rename \n EventOriginalResultDetails = ActionType\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | project-away Protocol\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | project-away RemoteUrl, DeviceName\n | extend\n DvcDomainType = 
iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n };\n let OutboundNetworkEvents = \n RawNetworkEvents (true)\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserUpn = InitiatingProcessAccountUpn,\n SrcUserId = InitiatingProcessAccountSid\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcDomain\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // 
SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = SrcProcessName,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n ;\n let InboundNetworkEvents = \n RawNetworkEvents (false)\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | project-rename\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType,\n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n // SrcProcessFileSize = InitiatingProcessFileSize,\n // SrcProcessCompany = InitiatingProcessVersionInfoCompanyName,\n // SrcProcessFileProduct = InitiatingProcessVersionInfoProductName,\n // SrcProcessFileVersion = InitiatingProcessVersionInfoProductVersion,\n // SrcProcessFileInternalName = InitiatingProcessVersionInfoInternalFileName,\n // SrcProcessFileOriginalName = InitiatingProcessVersionInfoOriginalFileName,\n // SrcProcessFileDescription = InitiatingProcessVersionInfoFileDescription\n | extend\n Process = DstProcessName,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n ;\n union 
InboundNetworkEvents, OutboundNetworkEvents\n | project-rename \n Hostname = UrlHostname\n | extend // aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n };\n M365Defender (disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json index 71385d160dc..794febb6565 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json 
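Review bot: The rebuilt resource (the `"type"`/`"name"` lines at the top of the hunk) no longer declares the parent `Microsoft.OperationalInsights/workspaces` resource or a `dependsOn` on it, so the template now assumes the workspace named by `parameters('Workspace')` already exists and the deployment will fail if it does not, and nothing in the hunk records that assumption. The `Workspace` parameter definition sits outside the hunk; if it carries a description I would state it there, e.g. `"description": "Name of an existing Log Analytics workspace. The template only adds the saved-search function and does not create or modify the workspace."`. The narrowing itself looks like a welcome least-privilege change, since deploying presumably now needs write access only on the `savedSearches` child resource rather than on the workspace, and that is worth a line in the PR description. The same restructuring appears in the ASimNetworkSessionMicrosoftLinuxSysmon and ASimNetworkSessionMicrosoftSecurityEventFirewall hunks, and if these ARM files are produced by the convertKqlFunctionYamlToArmTemplate workflow the parameter description belongs in the generator rather than in each JSON file.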
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionLinuxSysmon", - "query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | project SyslogMessage, TimeGenerated, HostIP\n | where SyslogMessage has_all ('3')\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, RuleName\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcAppType = 
'Process'\n | project-rename \n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process\n | extend\n SrcAppName = SrcProcessName\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstAppType = 'Process'\n | project-rename \n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process\n | extend\n DstAppName = DstProcessName\n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n NetworkProtocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-away\n outbound, Protocol\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionLinuxSysmon", + "query": "let DirectionNetworkEvents =\n Syslog | where not(disabled)\n | project SyslogMessage, TimeGenerated, HostIP\n | where SyslogMessage has_all ('3')\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n ;\n let parser = (T: 
(SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, RuleName\n };\n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend\n SrcUsernameType = 'Simple',\n SrcAppType = 'Process'\n | project-rename \n SrcUsername = User,\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process\n | extend\n SrcAppName = SrcProcessName\n | project-away SyslogMessage\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n | extend\n DstUsernameType = 'Simple',\n DstAppType = 'Process'\n | project-rename \n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process\n | extend\n DstAppName = DstProcessName\n | project-away SyslogMessage\n ; \n let SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.0',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n NetworkProtocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a 
constant value to avoid parsing\n | project-away\n outbound, Protocol\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n SysmonForLinuxNetwork", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json index 56a3a8a5e44..5445e521a0c 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMicrosoftSecurityEventFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMicrosoftSecurityEventFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Microsoft Windows Firewall Events", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMicrosoftSecurityEventFirewall", - "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 
'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet parser = (disabled: bool=false) {\nlet WindowsFirewall_SecurityEvent=(){ // Event IDs between (5151 .. 5159)\n// will be extracting Event specific fields from 'EventData' field\n let SecurityEventProjected =\n SecurityEvent\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n ;\n let SecurityEvent_5152 = \n SecurityEventProjected | where not(disabled)\n | where EventID==5152\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | project-away EventData;\n let SecurityEvent_5154_5155_5158_5159 =\n SecurityEventProjected | where not(disabled)\n | where EventID in (5154, 5155, 5158, 5159)\n | parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend DirectionCode = \"%%14609\"\n | project-away EventData;\n let SecurityEvent_5156_5157 =\n SecurityEventProjected | where not(disabled)\n | where EventID in (5156, 5157)\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'DirectionCode:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 
'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID''\n '\\x0d\\x0a 'RemoteMachineID''*\n | project-away EventData;\n union SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\n | lookup Directions on DirectionCode\n | project-rename DvcHostname = Computer\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away Application, RemoteMachineID, RemoteUserID, ProcessId\n};\nWindowsFirewall_SecurityEvent \n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\n EventOriginalType = tostring(EventID),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", 
\"\")\n // aliases\n | extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring (NetworkRuleNumber)\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Microsoft Windows Firewall Events", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMicrosoftSecurityEventFirewall", + "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from 
EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet parser = (disabled: bool=false) {\nlet WindowsFirewall_SecurityEvent=(){ // Event IDs between (5151 .. 5159)\n// will be extracting Event specific fields from 'EventData' field\n let SecurityEventProjected =\n SecurityEvent\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n ;\n let SecurityEvent_5152 = \n SecurityEventProjected | where not(disabled)\n | where EventID==5152\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | project-away EventData;\n let SecurityEvent_5154_5155_5158_5159 =\n SecurityEventProjected | where not(disabled)\n | where EventID in (5154, 5155, 5158, 5159)\n | parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend DirectionCode = \"%%14609\"\n | project-away EventData;\n let SecurityEvent_5156_5157 =\n SecurityEventProjected | where not(disabled)\n | where EventID in (5156, 5157)\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'DirectionCode:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID''\n '\\x0d\\x0a 'RemoteMachineID''*\n | project-away EventData;\n union 
SecurityEvent_5152, SecurityEvent_5156_5157, SecurityEvent_5154_5155_5158_5159\n | lookup Directions on DirectionCode\n | project-rename DvcHostname = Computer\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\n SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away Application, RemoteMachineID, RemoteUserID, ProcessId\n};\nWindowsFirewall_SecurityEvent \n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\n EventOriginalType = tostring(EventID),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n // aliases\n | extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring (NetworkRuleNumber)\n | 
lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json index cf727567889..b65dbd9550e 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMicrosoftSysmon", - "query": "let parser = (disabled:bool = false) {\n Event\n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==3\n | parse-kv EventData as (\n SourceIp:string,\n DestinationIp:string,\n SourceHostname:string,\n DestinationHostname:string,\n Initiated:bool, // Initiated indicates the process initiated a connection (meaning outbound)\n RuleName:string,\n UtcTime:datetime,\n ProcessGuid:string,\n ProcessId:string,\n Image:string,\n User:string,\n Protocol:string,\n SourceIsIpv6:bool,\n SourcePort:int,\n SourcePortName:string,\n DestinationIsIpv6:bool,\n DestinationPort:int,\n DestinationPortName:string\n ) with (regex=@'{?([^>]*?)}?')\n | project-away EventData\n | project-rename\n SrcHostname = SourceHostname,\n DstHostname = DestinationHostname\n | project-away\n Source,\n EventLog,\n EventCategory,\n UserName,\n Message,\n ParameterXml,\n RenderedDescription,\n MG,\n AzureDeploymentID,\n Role\n | extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n | extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), 
tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\"),\n EventUid = _ItemId\n | project-away ProcessId, ProcessGuid, Image, AppName\n | project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n | extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated, DstHostname,\n not(Initiated), SrcHostname,\n Dvc),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n | extend\n DvcHostname = Hostname\n | extend\n SrcHostname = iff( SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n | project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n | invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n | invoke \n 
_ASIM_ResolveDvcFQDN('TmpDvcHostname')\n | invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n | project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n | extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n | project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,_ResourceId\n };\n parser (disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMicrosoftSysmon", + "query": "let parser = (disabled:bool = false) {\n Event\n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==3\n | parse-kv EventData as (\n SourceIp:string,\n DestinationIp:string,\n SourceHostname:string,\n DestinationHostname:string,\n Initiated:bool, // Initiated indicates the process initiated a connection (meaning outbound)\n RuleName:string,\n UtcTime:datetime,\n ProcessGuid:string,\n ProcessId:string,\n Image:string,\n User:string,\n Protocol:string,\n SourceIsIpv6:bool,\n SourcePort:int,\n SourcePortName:string,\n DestinationIsIpv6:bool,\n DestinationPort:int,\n DestinationPortName:string\n ) with (regex=@'{?([^>]*?)}?')\n | project-away EventData\n | project-rename\n SrcHostname = SourceHostname,\n DstHostname = DestinationHostname\n | project-away\n Source,\n EventLog,\n EventCategory,\n UserName,\n Message,\n ParameterXml,\n RenderedDescription,\n MG,\n AzureDeploymentID,\n Role\n | extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n | extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, 
\"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\"),\n EventUid = _ItemId\n | project-away ProcessId, ProcessGuid, Image, AppName\n | project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n | extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated, DstHostname,\n not(Initiated), SrcHostname,\n Dvc),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n | extend\n DvcHostname = Hostname\n | extend\n SrcHostname = iff( SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n | project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n | invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n | invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n | invoke \n 
_ASIM_ResolveDstFQDN('TmpDstHostname')\n | project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n | extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n | project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,_ResourceId\n };\n parser (disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json index da140e9352d..010dd89612a 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json 
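Review bot: `DvcHostname = Hostname` in the new query takes the device hostname from the opposite end of the session to `DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr)`: for an initiated (outbound) connection `Hostname` resolves to `DstHostname`, the remote peer, while `DvcIpAddr` is the local `SrcIpAddr`. Deriving it from the same side, `DvcHostname = iff(Initiated, SrcHostname, DstHostname)`, or from `Dvc` (the Computer column already renamed above), looks like the consistent choice — confirm against the schema's alias definition before changing. Separately, `Initiated` is projected away without ever being mapped to `NetworkDirection`, e.g. `NetworkDirection = iff(Initiated, "Outbound", "Inbound")`, although the firewall parser in this same commit populates that field via its Directions lookup. Both points apply equally to the ASimNetworkSessionMicrosoftSysmonWindowsEvent hunk below; if these templates are generated from the parser YAML, the fix belongs there.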
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMicrosoftSysmonWindowsEvent", - "query": "let parser = (disabled:bool = false) {\nlet Sysmon3_WindowsEvent=(disabled:bool=false){\n WindowsEvent\n | where not(disabled) \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | extend\n SourceIp = tostring(EventData.SourceIp),\n DestinationIp = tostring(EventData.DestinationIp),\n DstHostname = tostring(EventData.DestinationHostname),\n SrcHostname = tostring(EventData.SrcHostname),\n RuleName = tostring(EventData.RuleName),\n UtcTime = todatetime(EventData.UtcTime),\n ProcessId = tostring(EventData.ProcessId),\n Image = tostring(EventData.Image),\n User = tostring(EventData.User),\n Protocol = tostring(EventData.Protocol),\n Initiated = tobool(EventData.Initiated), // Initiated indicates the process initiated a connection (meaning outbound)\n SourceIsIpv6 = tobool(EventData.SourceIsIpv6),\n SourcePort = toint(EventData.SourcePort),\n SourcePortName = tostring(EventData.SourcePortName),\n DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),\n DestinationPort = toint(EventData.DestinationPort),\n DestinationPortName = tostring(EventData.DestinationPortName)\n | parse EventData.ProcessGuid 
with \"{\" ProcessGuid \"}\"\n | project-away EventData\n | project-away\n Provider,\n Channel,\n Task,\n Data,\n RawEventData,\n EventOriginId\n };\nSysmon3_WindowsEvent\n | extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n | extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\"),\n EventUid = _ItemId\n | project-away ProcessId, ProcessGuid, Image, AppName\n | project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n | extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated, DstHostname,\n not(Initiated), SrcHostname,\n Dvc),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n | extend\n DvcHostname = Hostname\n | extend\n SrcHostname = 
iff( SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n | project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n | invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n | invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n | invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n | project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n | extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n | project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,Correlation,EventRecordId,Keywords,Opcode,SystemProcessId,SystemThreadId,SystemUserId,TimeCreated,_ResourceId,Version\n };\n parser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMicrosoftSysmonWindowsEvent", + "query": "let parser = (disabled:bool = false) {\nlet Sysmon3_WindowsEvent=(disabled:bool=false){\n WindowsEvent\n | where not(disabled) \n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | extend\n SourceIp = tostring(EventData.SourceIp),\n DestinationIp = tostring(EventData.DestinationIp),\n DstHostname = tostring(EventData.DestinationHostname),\n SrcHostname = tostring(EventData.SrcHostname),\n RuleName = tostring(EventData.RuleName),\n UtcTime = todatetime(EventData.UtcTime),\n ProcessId = tostring(EventData.ProcessId),\n Image = tostring(EventData.Image),\n User = tostring(EventData.User),\n Protocol = tostring(EventData.Protocol),\n Initiated = tobool(EventData.Initiated), // Initiated indicates the 
process initiated a connection (meaning outbound)\n SourceIsIpv6 = tobool(EventData.SourceIsIpv6),\n SourcePort = toint(EventData.SourcePort),\n SourcePortName = tostring(EventData.SourcePortName),\n DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),\n DestinationPort = toint(EventData.DestinationPort),\n DestinationPortName = tostring(EventData.DestinationPortName)\n | parse EventData.ProcessGuid with \"{\" ProcessGuid \"}\"\n | project-away EventData\n | project-away\n Provider,\n Channel,\n Task,\n Data,\n RawEventData,\n EventOriginId\n };\nSysmon3_WindowsEvent\n | extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n | extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\"),\n EventUid = _ItemId\n | project-away ProcessId, ProcessGuid, Image, AppName\n | project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n | extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated, DstHostname,\n not(Initiated), SrcHostname,\n Dvc),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 
'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n | extend\n DvcHostname = Hostname\n | extend\n SrcHostname = iff( SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff( DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff( DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n | project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n | invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n | invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n | invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n | project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n | extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n | project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,Correlation,EventRecordId,Keywords,Opcode,SystemProcessId,SystemThreadId,SystemUserId,TimeCreated,_ResourceId,Version\n };\n parser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json index cf88e86eb9a..dd09199cb10 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json 
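Review bot: `SrcHostname = tostring(EventData.SrcHostname)` in the new query reads a key that matches neither the sibling `DstHostname = tostring(EventData.DestinationHostname)` nor the Event-table variant of this parser in the same commit, which parses `SourceHostname`; if the Sysmon event data key is `SourceHostname`, SrcHostname is always empty here and the later `_ASIM_ResolveSrcFQDN` call has nothing to resolve. Suggested: `SrcHostname = tostring(EventData.SourceHostname),`. If this template is generated from the parser YAML, the fix belongs there.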
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionMicrosoftWindowsEventFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionMicrosoftWindowsEventFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Microsoft Windows Firewall Events", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionMicrosoftWindowsEventFirewall", - "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 
'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent table\n//////////////////////////////////////////////////////\nlet parser = (disabled: bool=false) {\nlet WindowsFirewall_WindowsEvent=(){ \n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n | where EventID between (5150 .. 5159)\n | project-rename DvcHostname = Computer\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = toint(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcIpAddr = tostring(EventData.SourceAddress),\n DstIpAddr = tostring(EventData.DestAddress),\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber=toint(EventData.SourcePort),\n DstPortNumber=toint(EventData.DestPort),\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away EventData\n };\n// Main query -> outputs both schemas as one normalized table\nWindowsFirewall_WindowsEvent \n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n 
DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\n EventOriginalType = tostring(EventID),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n // aliases\n | extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring (NetworkRuleNumber)\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID,_ResourceId,_SubscriptionId\n }; \n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Microsoft Windows Firewall Events", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionMicrosoftWindowsEventFirewall", + "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 
'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent table\n//////////////////////////////////////////////////////\nlet parser = (disabled: bool=false) {\nlet WindowsFirewall_WindowsEvent=(){ \n WindowsEvent | where not(disabled)\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n | where EventID between (5150 .. 
5159)\n | project-rename DvcHostname = Computer\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = toint(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcIpAddr = tostring(EventData.SourceAddress),\n DstIpAddr = tostring(EventData.DestAddress),\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber=toint(EventData.SourcePort),\n DstPortNumber=toint(EventData.DestPort),\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away EventData\n };\n// Main query -> outputs both schemas as one normalized table\nWindowsFirewall_WindowsEvent \n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.0\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows 
Firewall\",\n EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\"),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\"),\n EventOriginalType = tostring(EventID),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n // aliases\n | extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring (NetworkRuleNumber)\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID,_ResourceId,_SubscriptionId\n }; \n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json index 6014945874e..3e228a66b59 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json 
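Review bot: `SrcUserIdType = iff (SrcUserId <> "S-1-0-0", "SID", "")` and the matching `DstUserIdType` line label an empty id as a SID: for inbound events SrcUserId holds the remote user while DstUserId is `""`, and `"" <> "S-1-0-0"` is true, so DstUserIdType becomes "SID" with no DstUserId (and vice versa for outbound). Suggested: `SrcUserIdType = iff (isnotempty(SrcUserId) and SrcUserId <> "S-1-0-0", "SID", ""),` and `DstUserIdType = iff (isnotempty(DstUserId) and DstUserId <> "S-1-0-0", "SID", ""),`. The `EventSeverity=tostring(EventData.Severity)` extend inside WindowsFirewall_WindowsEvent is also dead work, since the main query overwrites EventSeverity unconditionally. The same IdType pattern appears in the SecurityEvent-based firewall parser earlier in this diff; if these templates are generated from the parser YAML, the fix belongs there.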
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Microsoft Sentinel native Network Session table", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionNative", - "query": "let parser=(disabled:bool=false) \n{\n ASimNetworkSessionLogs | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"NetworkSession\",\n DvcScopeId = iff(isempty(DvcSubscriptionId), _SubscriptionId, DvcSubscriptionId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = case(EventType == 'L2NetworkSession',\n coalesce (DvcFQDN, DvcHostname, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n DvcInterface = iff(isempty(DvcInterface), coalesce(DvcInboundInterface, DvcOutboundInterface), DvcInterface),\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n Rule = 
coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = DstUsername,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId\n | project-away\n TenantId, SourceSystem, DvcSubscriptionId, _SubscriptionId, _ResourceId\n };\nparser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Microsoft Sentinel native Network Session table", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionNative", + "query": "let parser=(disabled:bool=false) \n{\n ASimNetworkSessionLogs | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"NetworkSession\",\n DvcScopeId = iff(isempty(DvcSubscriptionId), _SubscriptionId, DvcSubscriptionId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = case(EventType == 'L2NetworkSession',\n coalesce (DvcFQDN, DvcHostname, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n DvcInterface = iff(isempty(DvcInterface), coalesce(DvcInboundInterface, DvcOutboundInterface), DvcInterface),\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n Rule = coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = DstUsername,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId\n | project-away\n 
TenantId, SourceSystem, DvcSubscriptionId, _SubscriptionId, _ResourceId\n };\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json index 6bb0362af18..feb595a1a95 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json 
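Review bot: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests EventEndTime instead of EventStartTime, so a record with a null start and a non-null end keeps its null start time; it looks like a copy of the EventEndTime line directly above it. Suggested: `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. If this template is generated from the parser YAML, the fix belongs there.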
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionPaloAltoCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionPaloAltoCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Palo Alto PanOS", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionPaloAltoCEF", - "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet NWParser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , 
Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity // not documented\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\nEventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\" // Not Documented\n , SrcBytes=tolong(SentBytes)\n , DstBytes=tolong(ReceivedBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.1\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n| project-rename\n 
DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\nIpAddr = SrcIpAddr,\nRule=NetworkRuleName,\nDst=DstIpAddr,\n// Host=DstHostname, \nUser=DstUsername,\nDuration=NetworkDuration,\nSessionId=NetworkSessionId,\nEventEndTime =EventStartTime,\nSrc=SrcIpAddr\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Palo Alto PanOS", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionPaloAltoCEF", + "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet NWParser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| 
parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity // not documented\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\nEventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\" // Not Documented\n , SrcBytes=tolong(SentBytes)\n , DstBytes=tolong(ReceivedBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n 
toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.1\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n| extend hostelements=split(Dvc,'.')\n| extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n| extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\nIpAddr = SrcIpAddr,\nRule=NetworkRuleName,\nDst=DstIpAddr,\n// Host=DstHostname, \nUser=DstUsername,\nDuration=NetworkDuration,\nSessionId=NetworkSessionId,\nEventEndTime =EventStartTime,\nSrc=SrcIpAddr\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
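Review bot: In the KQL inside the `query` string, the device-name split `DvcFQDN = iff(Dvc contains ".", Dvc, "")` / `DvcDomainType = iff(Dvc contains ".", "FQDN", "")` treats any dotted `DeviceName` as an FQDN, so a firewall that reports its address as an IP (e.g. `10.0.0.1`) yields `DvcHostname = "10"`, `DvcDomain = "0.0.1"` and an `FQDN` domain type, which breaks device-based joins and hunting queries keyed on DvcHostname. The sibling Cortex Data Lake parser in this same change delegates to `| invoke _ASIM_ResolveDvcFQDN('DeviceName')`; using that helper here, or at minimum guarding with `Dvc contains "." and isnull(parse_ipv4(Dvc))` and routing the IP case into `DvcIpAddr`, keeps the two PAN-OS parsers consistent. If this ARM file is regenerated from its YAML source, the fix belongs in the YAML rather than here. The flattened `workspaces/savedSearches` resource itself looks right: with the nested workspace resource and its `dependsOn` gone, a deployment no longer PUTs the workspace, which is the narrower permission footprint.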
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
index 2435b3abd71..e546d3d2859 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDvcActionLookup = datatable (\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"reset client\", \"Reset Source\", \"Failure\",\n \"reset server\", \"Reset Destination\", \"Failure\",\n \"reset both\", \"Reset\", \"Failure\",\n \"drop\", \"Drop\", \"Failure\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\",\n \"reset-both\", \"Reset\", \"Failure\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\n \"threat\", \"Reset\",\n \"policy-deny\", \"Unknown\",\n \"decrypt-cert-validation\", \"Terminated\",\n \"decrypt-unsupport-param\", \"Terminated\",\n \"decrypt-error\", \"Terminated\",\n \"tcp-rst-from-client\", \"Reset\",\n \"tcp-rst-from-server\", \"Reset\",\n \"resources-unavailable\", 
\"Unknown\",\n \"tcp-fin\", \"Unknown\",\n \"tcp-reuse\", \"Unknown\",\n \"decoder\", \"Unknown\",\n \"aged-out\", \"Unknown\",\n \"unknown\", \"Unknown\",\n \"n/a\", \"NA\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"TRAFFIC\"\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, PanOSSourceDeviceMac: string, PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke 
_ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventResultDvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventResultDetailsLookup on Reason\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(PanOSSessionStartTime),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n NetworkDuration = toint(FieldDeviceCustomNumber3),\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"urlcategory\",\n DeviceCustomString2,\n \"virtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSChunksReceived\",\n PanOSChunksReceived,\n \"PanOSChunksSent\",\n PanOSChunksSent,\n \"PanOSChunksTotal\",\n PanOSChunksTotal,\n \"PanOSApplicationContainer\",\n PanOSApplicationContainer,\n \"PanOSDestinationDeviceCategory\",\n PanOSDestinationDeviceCategory,\n \"PanOSIsClienttoServer\",\n PanOSIsClienttoServer,\n \"PanOSLinkChangeCount\",\n PanOSLinkChangeCount,\n \"PanOSLinkSwitches\",\n PanOSLinkSwitches,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSNSSAINetworkSliceDifferentiator\",\n PanOSNSSAINetworkSliceDifferentiator,\n \"PanOSNSSAINetworkSliceType\",\n PanOSNSSAINetworkSliceType,\n \"PanOSOutboundInterfaceDetailsPort\",\n PanOSOutboundInterfaceDetailsPort,\n \"PanOSOutboundInterfaceDetailsSlot\",\n PanOSOutboundInterfaceDetailsSlot,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsUnit\",\n PanOSOutboundInterfaceDetailsUnit,\n \"PanOSParentSessionID\",\n 
PanOSParentSessionID,\n \"PanOsRuleUUID\",\n PanOsRuleUUID,\n \"PanOSSourceDeviceOS\",\n PanOSSourceDeviceOS,\n \"PanOSSourceDeviceOSFamily\",\n PanOSSourceDeviceOSFamily,\n \"PanOSSourceDeviceOSVersion\",\n PanOSSourceDeviceOSVersion,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSVirtualSystemID\",\n PanOSVirtualSystemID,\n \"PanOSVirtualSystemName\",\n PanOSVirtualSystemName\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPackets = PanOSPacketsReceived,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n DstZone = DeviceCustomString5,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n NetworkPackets = FieldDeviceCustomNumber2,\n NetworkRuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcGeoCountry = PanOSSourceLocation,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPackets = PanOSPacketsSent,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n EventOriginalSubType = Activity,\n DstUserId = DestinationUserID,\n EventOriginalResultDetails = Reason,\n SrcUserId = SourceUserID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\n Src = coalesce(SrcDvcId, 
SrcHostname, SrcIpAddr),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n NetworkProtocol = toupper(Protocol),\n NetworkBytes = SrcBytes + DstBytes,\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = NetworkRuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n User = DstUsername,\n Hostname = DstHostname,\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n PanOs*,\n Protocol,\n SimplifiedDeviceAction,\n ExternalID,\n Message,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n 
ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDvcActionLookup = datatable (\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"reset client\", \"Reset Source\", \"Failure\",\n \"reset server\", \"Reset Destination\", \"Failure\",\n \"reset both\", \"Reset\", \"Failure\",\n \"drop\", \"Drop\", \"Failure\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\",\n \"reset-both\", \"Reset\", \"Failure\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\n \"threat\", \"Reset\",\n \"policy-deny\", \"Unknown\",\n \"decrypt-cert-validation\", \"Terminated\",\n \"decrypt-unsupport-param\", \"Terminated\",\n \"decrypt-error\", \"Terminated\",\n \"tcp-rst-from-client\", \"Reset\",\n \"tcp-rst-from-server\", \"Reset\",\n \"resources-unavailable\", \"Unknown\",\n \"tcp-fin\", \"Unknown\",\n \"tcp-reuse\", \"Unknown\",\n \"decoder\", \"Unknown\",\n \"aged-out\", \"Unknown\",\n \"unknown\", \"Unknown\",\n \"n/a\", \"NA\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and 
DeviceProduct == \"LF\"\n and DeviceEventClassID == \"TRAFFIC\"\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, PanOSSourceDeviceMac: string, PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventResultDvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventResultDetailsLookup on Reason\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(PanOSSessionStartTime),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, 
DeviceCustomIPv6Address3),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n NetworkDuration = toint(FieldDeviceCustomNumber3),\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"urlcategory\",\n DeviceCustomString2,\n \"virtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSChunksReceived\",\n PanOSChunksReceived,\n \"PanOSChunksSent\",\n PanOSChunksSent,\n \"PanOSChunksTotal\",\n PanOSChunksTotal,\n \"PanOSApplicationContainer\",\n PanOSApplicationContainer,\n \"PanOSDestinationDeviceCategory\",\n PanOSDestinationDeviceCategory,\n \"PanOSIsClienttoServer\",\n PanOSIsClienttoServer,\n \"PanOSLinkChangeCount\",\n PanOSLinkChangeCount,\n \"PanOSLinkSwitches\",\n PanOSLinkSwitches,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSNSSAINetworkSliceDifferentiator\",\n PanOSNSSAINetworkSliceDifferentiator,\n \"PanOSNSSAINetworkSliceType\",\n PanOSNSSAINetworkSliceType,\n \"PanOSOutboundInterfaceDetailsPort\",\n PanOSOutboundInterfaceDetailsPort,\n \"PanOSOutboundInterfaceDetailsSlot\",\n PanOSOutboundInterfaceDetailsSlot,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsUnit\",\n PanOSOutboundInterfaceDetailsUnit,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOsRuleUUID\",\n PanOsRuleUUID,\n \"PanOSSourceDeviceOS\",\n PanOSSourceDeviceOS,\n \"PanOSSourceDeviceOSFamily\",\n PanOSSourceDeviceOSFamily,\n \"PanOSSourceDeviceOSVersion\",\n PanOSSourceDeviceOSVersion,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSVirtualSystemID\",\n PanOSVirtualSystemID,\n \"PanOSVirtualSystemName\",\n PanOSVirtualSystemName\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = 
PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPackets = PanOSPacketsReceived,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n DstZone = DeviceCustomString5,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n NetworkPackets = FieldDeviceCustomNumber2,\n NetworkRuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcGeoCountry = PanOSSourceLocation,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPackets = PanOSPacketsSent,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n EventOriginalSubType = Activity,\n DstUserId = DestinationUserID,\n EventOriginalResultDetails = Reason,\n SrcUserId = SourceUserID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\n Src = coalesce(SrcDvcId, SrcHostname, SrcIpAddr),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n NetworkProtocol = toupper(Protocol),\n NetworkBytes = SrcBytes + DstBytes,\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = NetworkRuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = 
_ASIM_GetUsernameType(DstUsername),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n User = DstUsername,\n Hostname = DstHostname,\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n PanOs*,\n Protocol,\n SimplifiedDeviceAction,\n ExternalID,\n Message,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json index 23bd6190fe3..7c0188f1f05 100644 
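Review bot: In the KQL inside the `query` string, `NetworkDirection = iff(PanOSIsClienttoServer == "true", "Outbound", "Inbound")` labels every session whose `PanOSIsClienttoServer` key is absent or empty as Inbound, so a source that omits the field (or a parse-kv miss on a malformed `AdditionalExtensions`) silently produces false inbound traffic in any detection keyed on direction. A three-way mapping avoids the guess: `NetworkDirection = case(PanOSIsClienttoServer == "true", "Outbound", PanOSIsClienttoServer == "false", "Inbound", "")`. The same parse-kv list also declares `PanOSRuleUUID: int` beside `PanOsRuleUUID: string`; a UUID can never parse as an int, so the first is presumably always null and could be dropped — worth confirming which key PAN-OS actually emits before removing it. If this ARM template is generated from the parser YAML, both changes belong there.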
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionSentinelOne')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "ASimNetworkSessionSentinelOne",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Network Session ASIM filtering parser for SentinelOne",
- "category": "ASIM",
- "FunctionAlias": "ASimNetworkSessionSentinelOne",
- "query": "let NetworkDirectionLookup = datatable (\n alertInfo_netEventDirection_s: string, \n NetworkDirection: string\n)[\n \"OUTGOING\", \"Outbound\",\n \"INCOMING\", \"Inbound\",\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled) \n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"TCPV4\"\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend \n DstPortNumber = toint(alertInfo_dstPort_s),\n SrcPortNumber = toint(alertInfo_srcPort_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DstIpAddr = alertInfo_dstIp_s,\n EventUid = _ItemId,\n SrcIpAddr = alertInfo_srcIp_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n DvcIpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n SrcHostname = DvcHostname,\n SrcDvcId = DvcId,\n IpAddr = SrcIpAddr,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\n Hostname = SrcHostname\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allow\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventResultDetails = \"NA\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"SentinelOne\",\n NetworkProtocol = \"TCP\",\n NetworkProtocolVersion = \"IPv4\"\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled = disabled)",
- "version": 1,
- "functionParameters": "disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "Network Session ASIM filtering parser for SentinelOne",
+ "category": "ASIM",
+ "FunctionAlias": "ASimNetworkSessionSentinelOne",
+ "query": "let NetworkDirectionLookup = datatable (\n alertInfo_netEventDirection_s: string, \n NetworkDirection: string\n)[\n \"OUTGOING\", \"Outbound\",\n \"INCOMING\", \"Inbound\",\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled) \n and event_name_s == \"Alerts.\" \n and alertInfo_eventType_s == \"TCPV4\"\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend \n DstPortNumber = toint(alertInfo_dstPort_s),\n SrcPortNumber = toint(alertInfo_srcPort_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DstIpAddr = alertInfo_dstIp_s,\n EventUid = _ItemId,\n SrcIpAddr = alertInfo_srcIp_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n DvcIpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n SrcHostname = DvcHostname,\n SrcDvcId = DvcId,\n IpAddr = SrcIpAddr,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\n Hostname = SrcHostname\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allow\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventResultDetails = \"NA\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"SentinelOne\",\n NetworkProtocol = \"TCP\",\n NetworkProtocolVersion = \"IPv4\"\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled = disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json
index 4999eb6a334..7f0c242b9d2 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionSonicWallFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionSonicWallFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for SonicWall firewalls", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionSonicWallFirewall", - "query": "let Actions=datatable(fw_action:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\" \n, \"allow\",\"Allow\"\n, \"\\\"forward\\\"\",\"Allow\"\n, \"\\\"mgmt\\\"\",\"Other\"\n, \"\\\"NA\\\"\",\"Other\"\n, \"deny\",\"Deny\"\n, \"\\\"drop\\\"\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet Parser=(disabled:bool=false){\nCommonSecurityLog\n| where not(disabled)\n| where DeviceVendor == \"SonicWall\"\n| where DeviceEventClassID !in (14, 97, 1382, 440, 441, 442, 646, 647, 734, 735)\n| parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with 
(pair_delimiter=\";\", kv_delimiter=\"=\")\n| extend\n SourceIP = coalesce(SourceIP, srcV6)\n , DestinationIP = coalesce(DestinationIP, dstV6)\n| where ( isnotempty(SourceIP) and isnotempty(DestinationIP) )\n| where gcat in (3, 5, 6, 10) // Include only these event categories.\n| lookup Actions on fw_action\n// Sets the mandatory EventResult based on the DvcAction.\n| extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n| extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n| extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n| extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n| project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstIpAddr = DestinationIP\n , SrcIpAddr = SourceIP\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , sosSerialNumber = Computer\n , DvcOutboundInterface = 
DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Category ID and Name\n , NetworkRuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , sosSourceZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , sosDestinationZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , NetworkIcmpType = FieldDeviceCustomNumber1 // ICMP Type\n , NetworkIcmpCode = FieldDeviceCustomNumber2 // ICMP Code\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend sosLegacyMessageCategory = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , Dvc = sosSerialNumber\n , DvcDescription = DeviceProduct\n , ASimMatchingHostname = \"-\"\n , ASimMatchingIpAddr = \"-\"\n , NetworkIcmpType = tostring(NetworkIcmpType)\n , NetworkIcmpCode = toint(NetworkIcmpCode)\n , Rule = NetworkRuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , 
sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , SrcZone = sosSourceZone\n , DstZone = sosDestinationZone\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventSchema = \"NetworkSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"NA\"\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and 
DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", 
tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LegacyMessageCategory\", sosLegacyMessageCategory\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , 
ipspri\n , spypri\n , sos*\n , RequestURL\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nParser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for SonicWall firewalls", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionSonicWallFirewall", + "query": "let Actions=datatable(fw_action:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\" \n, \"allow\",\"Allow\"\n, \"\\\"forward\\\"\",\"Allow\"\n, \"\\\"mgmt\\\"\",\"Other\"\n, \"\\\"NA\\\"\",\"Other\"\n, \"deny\",\"Deny\"\n, \"\\\"drop\\\"\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet Parser=(disabled:bool=false){\nCommonSecurityLog\n| where not(disabled)\n| where DeviceVendor == \"SonicWall\"\n| where DeviceEventClassID !in (14, 97, 1382, 440, 441, 442, 646, 647, 734, 735)\n| parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, 
['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n| extend\n SourceIP = coalesce(SourceIP, srcV6)\n , DestinationIP = coalesce(DestinationIP, dstV6)\n| where ( isnotempty(SourceIP) and isnotempty(DestinationIP) )\n| where gcat in (3, 5, 6, 10) // Include only these event categories.\n| lookup Actions on fw_action\n// Sets the mandatory EventResult based on the DvcAction.\n| extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n| extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n| extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n| extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n| project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstIpAddr = DestinationIP\n , SrcIpAddr = SourceIP\n , DstPortNumber = 
DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , sosSerialNumber = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Category ID and Name\n , NetworkRuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , sosSourceZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , sosDestinationZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , NetworkIcmpType = FieldDeviceCustomNumber1 // ICMP Type\n , NetworkIcmpCode = FieldDeviceCustomNumber2 // ICMP Code\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend sosLegacyMessageCategory = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , Dvc = sosSerialNumber\n , DvcDescription = DeviceProduct\n , ASimMatchingHostname = \"-\"\n , ASimMatchingIpAddr = \"-\"\n , NetworkIcmpType = tostring(NetworkIcmpType)\n , NetworkIcmpCode = toint(NetworkIcmpCode)\n , Rule = NetworkRuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , 
sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , SrcZone = sosSourceZone\n , DstZone = sosDestinationZone\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventSchema = \"NetworkSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"NA\"\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and 
DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", 
tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LegacyMessageCategory\", sosLegacyMessageCategory\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , 
ipspri\n , spypri\n , sos*\n , RequestURL\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nParser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json index b805da82caf..ee37d31ea88 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionVMConnection')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionVMConnection", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for VM connection information collected using the Log Analytics agent", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionVMConnection", - "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet VMConnectionProjected = VMConnection | project-away AdditionalInformation, AgentId, TenantId, TLPLevel, SourceSystem, IsActive, *ReportedDateTime, LinksFailed, LinksLive, LinksTerminated, Description, Responses, ResponseTimeMin, ResponseTimeMax, RemoteClassification, RemoteDnsQuestions;\nlet outbound = (disabled:bool=false) {\n VMConnectionProjected\n | where not (disabled)\n | where Direction == \"outbound\"\n | extend\n SrcAppType = \"Process\",\n SrcDvcIdType = \"VMConnectionId\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"DstIpAddr\", \"\")\n | invoke _ASIM_ResolveSrcFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke 
_ASIM_ResolveDstFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n};\nlet inbound = (disabled:bool=false) {\n VMConnectionProjected\n | where not (disabled)\n | where Direction == \"inbound\"\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"SrcIpAddr\", \"\")\n | invoke _ASIM_ResolveDstFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveSrcFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = DstDomainType,\n LocalIpAddr = DestinationIp\n};\nlet parser=(disabled:bool=false){\n union outbound(disabled), inbound(disabled)\n // Event fields\n | extend \n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.2\",\n EventType = \"EndpointNetworkSession\",\n DvcIdType = \"VMConnectionId\",\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n 
NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp,\n EventReportUrl = ReportReferenceLink,\n ThreatIpAddr = MaliciousIp\n // -- Calculated fields\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeSum/LinksEstablished) ,\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n | project-away BytesSent, BytesReceived, Confidence, ResponseTimeSum, Protocol, Direction, Severity, LinksEstablished\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for VM connection information collected using the Log Analytics agent", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionVMConnection", + "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet VMConnectionProjected = VMConnection | project-away AdditionalInformation, AgentId, TenantId, TLPLevel, SourceSystem, IsActive, *ReportedDateTime, LinksFailed, LinksLive, LinksTerminated, 
Description, Responses, ResponseTimeMin, ResponseTimeMax, RemoteClassification, RemoteDnsQuestions;\nlet outbound = (disabled:bool=false) {\n VMConnectionProjected\n | where not (disabled)\n | where Direction == \"outbound\"\n | extend\n SrcAppType = \"Process\",\n SrcDvcIdType = \"VMConnectionId\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"DstIpAddr\", \"\")\n | invoke _ASIM_ResolveSrcFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveDstFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n};\nlet inbound = (disabled:bool=false) {\n VMConnectionProjected\n | where not (disabled)\n | where Direction == \"inbound\"\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"SrcIpAddr\", \"\")\n | invoke _ASIM_ResolveDstFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveSrcFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = 
DstDomainType,\n LocalIpAddr = DestinationIp\n};\nlet parser=(disabled:bool=false){\n union outbound(disabled), inbound(disabled)\n // Event fields\n | extend \n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.2\",\n EventType = \"EndpointNetworkSession\",\n DvcIdType = \"VMConnectionId\",\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp,\n EventReportUrl = ReportReferenceLink,\n ThreatIpAddr = MaliciousIp\n // -- Calculated fields\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeSum/LinksEstablished) ,\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n | project-away BytesSent, BytesReceived, Confidence, ResponseTimeSum, Protocol, Direction, Severity, LinksEstablished\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = 
NetworkSessionId\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json index 70e46480888..53c687b9be5 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "NetworkSession ASIM Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionVMwareCarbonBlackCloud", - "query": "let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\n [\n \"PROTO_TCP\", \"TCP\",\n \"PROTO_UDP\", \"UDP\"\n ];\n let DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\n [\n \"ACTION_ALLOW\", \"Allow\",\n \"ACTION_SUSPEND\", \"Drop\",\n \"ACTION_TERMINATE\", \"Drop\",\n \"ACTION_BREAK\", \"Drop\",\n \"ACTION_BLOCK\", \"Deny\"\n ];\n let EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\n [\n \"Allow\", \"Informational\",\n \"Drop\", \"Low\",\n \"Deny\", \"Low\"\n ];\n let ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n ];\n let parser=(disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable ( \n eventType_s: string,\n netconn_protocol_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n device_name_s: string,\n action_s: string,\n createTime_s: string,\n netconn_domain_s: string,\n remote_ip_s: string,\n netconn_inbound_b: bool,\n process_guid_s: 
string,\n remote_port_d: real,\n local_port_d: real,\n process_pid_d: real,\n device_external_ip_s: string,\n local_ip_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n event_id_g: string,\n event_origin_s: string,\n process_path_s: string,\n process_username_s: string,\n org_key_s: string,\n )[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n )[];\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\n | where not(disabled)\n | where eventType_s == \"endpoint.event.netconn\"\n | lookup NetworkProtocolLookup on netconn_protocol_s\n | lookup DvcActionLookup on sensor_action_s\n | lookup EventSeverityLookup on DvcAction;\n let alldatawiththreat = alldata \n | where isnotempty(alert_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.threatInfo_incidentId_g\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n deviceInfo_deviceVersion_s,\n 
threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g\n | extend \n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s,\n \"threatInfo_summary\",\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence;\n let alldatawithoutthreat = alldata\n | where isempty(alert_id_g);\n union alldatawiththreat, alldatawithoutthreat\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend temp_action = tostring(split(action_s, \"|\")[0])\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n SrcDomain = case(\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\n \"\",\n netconn_inbound_b,\n netconn_domain_s,\n \"\"\n ),\n AdditionalFields_Common = bag_pack(\n \"Process Guid\",\n process_guid_s\n ),\n DstPortNumber = toint(remote_port_d),\n NetworkDirection = case(\n temp_action == \"ACTION_CONNECTION_LISTEN\",\n \"Listen\",\n netconn_inbound_b == true,\n \"Inbound\",\n \"Unknown\"\n ),\n SrcPortNumber = toint(local_port_d),\n SrcProcessId = tostring(toint(process_pid_d))\n | project-rename\n DstIpAddr = remote_ip_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n SrcIpAddr = local_ip_s,\n DvcId = device_id_s,\n DvcOriginalAction = 
sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n SrcProcessName = process_path_s,\n SrcUsername = process_username_s,\n DvcScopeId = org_key_s\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"VMware\",\n SrcHostname = SrcIpAddr,\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\n EventResult = case(\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\n \"Failure\",\n DvcOriginalAction == \"ACTION_ALLOW\" or isempty(DvcOriginalAction),\n \"Success\",\n \"Failure\"\n ),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstHostname, DstIpAddr),\n Src = coalesce(SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\n SrcAppName = SrcProcessName,\n SrcAppId = SrcProcessId,\n SrcAppType = \"Process\",\n Hostname = DstHostname\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n };\n parser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": 
"ASimNetworkSessionVMwareCarbonBlackCloud", + "query": "let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\n [\n \"PROTO_TCP\", \"TCP\",\n \"PROTO_UDP\", \"UDP\"\n ];\n let DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\n [\n \"ACTION_ALLOW\", \"Allow\",\n \"ACTION_SUSPEND\", \"Drop\",\n \"ACTION_TERMINATE\", \"Drop\",\n \"ACTION_BREAK\", \"Drop\",\n \"ACTION_BLOCK\", \"Deny\"\n ];\n let EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\n [\n \"Allow\", \"Informational\",\n \"Drop\", \"Low\",\n \"Deny\", \"Low\"\n ];\n let ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n ];\n let parser=(disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable ( \n eventType_s: string,\n netconn_protocol_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n device_name_s: string,\n action_s: string,\n createTime_s: string,\n netconn_domain_s: string,\n remote_ip_s: string,\n netconn_inbound_b: bool,\n process_guid_s: string,\n remote_port_d: real,\n local_port_d: real,\n process_pid_d: real,\n device_external_ip_s: string,\n local_ip_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n event_id_g: string,\n event_origin_s: string,\n process_path_s: string,\n process_username_s: string,\n org_key_s: string,\n )[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n 
threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n )[];\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\n | where not(disabled)\n | where eventType_s == \"endpoint.event.netconn\"\n | lookup NetworkProtocolLookup on netconn_protocol_s\n | lookup DvcActionLookup on sensor_action_s\n | lookup EventSeverityLookup on DvcAction;\n let alldatawiththreat = alldata \n | where isnotempty(alert_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.threatInfo_incidentId_g\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g\n | extend \n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s,\n \"threatInfo_summary\",\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = 
tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence;\n let alldatawithoutthreat = alldata\n | where isempty(alert_id_g);\n union alldatawiththreat, alldatawithoutthreat\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend temp_action = tostring(split(action_s, \"|\")[0])\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n SrcDomain = case(\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\n \"\",\n netconn_inbound_b,\n netconn_domain_s,\n \"\"\n ),\n AdditionalFields_Common = bag_pack(\n \"Process Guid\",\n process_guid_s\n ),\n DstPortNumber = toint(remote_port_d),\n NetworkDirection = case(\n temp_action == \"ACTION_CONNECTION_LISTEN\",\n \"Listen\",\n netconn_inbound_b == true,\n \"Inbound\",\n \"Unknown\"\n ),\n SrcPortNumber = toint(local_port_d),\n SrcProcessId = tostring(toint(process_pid_d))\n | project-rename\n DstIpAddr = remote_ip_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n SrcIpAddr = local_ip_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n SrcProcessName = process_path_s,\n SrcUsername = process_username_s,\n DvcScopeId = org_key_s\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"VMware\",\n SrcHostname = SrcIpAddr,\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\n EventResult = case(\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\n \"Failure\",\n DvcOriginalAction == \"ACTION_ALLOW\" or isempty(DvcOriginalAction),\n 
\"Success\",\n \"Failure\"\n ),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstHostname, DstIpAddr),\n Src = coalesce(SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\n SrcAppName = SrcProcessName,\n SrcAppId = SrcProcessId,\n SrcAppType = \"Process\",\n Hostname = DstHostname\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n };\n parser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json index a027a6e6e33..5c2ae6a55b5 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Vectra AI Streams", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionVectraAI", - "query": "let parser = (disabled:bool=false, pack:bool=false) \n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'External'];\n let EventSubTypeLookup = datatable(conn_state_s:string, EventSubType:string)[\n \"S1\", 'Start',\n \"SF\", 'End'];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where metadata_type_s == 'metadata_isession'\n | project-away MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | project-rename\n DstIpAddr = id_resp_h_s,\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n // -- huid does not seem to be unique per device and not mapped for now\n // DstDvcId = resp_huid_s, \n // SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n EventUid = _ItemId\n // -- the domain field may have invalid values. 
Most of them are IP addresses filtered out, but a small fraction are not filtered.\n | extend resp_domain_s = iff (ipv4_is_match(resp_domain_s, \"0.0.0.0\",0), \"\", resp_domain_s)\n | extend SplitRespDomain = split(resp_domain_s,\".\")\n | extend \n DstDomain = tostring(strcat_array(array_slice(SplitRespDomain, 1, -1), '.')),\n DstFQDN = iif (array_length(SplitRespDomain) > 1, resp_domain_s, ''),\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\n | extend\n DstHostname = case (\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\n DstDescription)\n | project-away SplitRespDomain\n | extend\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkApplicationProtocol = toupper(service_s),\n NetworkProtocol = toupper(protoName_s),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n Dst = DstIpAddr,\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n DstVlanId = tostring(toint(resp_vlan_id_d)),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational',\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\n EventType = 'NetworkSession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\n // -- No ID mapped, since huid found not to be unique\n // SrcDvcIdType = 'VectraId',\n // 
DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n NetworkDuration = toint(duration_d)\n | extend \n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n // SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n Dvc = DvcId,\n Duration = NetworkDuration,\n InnerVlanId = SrcVlanId,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n OuterVlanId = DstVlanId\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup EventSubTypeLookup on conn_state_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_sluid\", orig_sluid_s, \n \"resp_sluid\", resp_sluid_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer\n};\nparser (disabled=disabled, pack=pack)", - "version": 1, - "functionParameters": "disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Vectra AI Streams", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionVectraAI", + "query": "let parser = (disabled:bool=false, pack:bool=false) \n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n 
false, false, 'External'];\n let EventSubTypeLookup = datatable(conn_state_s:string, EventSubType:string)[\n \"S1\", 'Start',\n \"SF\", 'End'];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where metadata_type_s == 'metadata_isession'\n | project-away MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | project-rename\n DstIpAddr = id_resp_h_s,\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n // -- huid does not seem to be unique per device and not mapped for now\n // DstDvcId = resp_huid_s, \n // SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n EventUid = _ItemId\n // -- the domain field may have invalid values. Most of them are IP addresses filtered out, but a small fraction are not filtered.\n | extend resp_domain_s = iff (ipv4_is_match(resp_domain_s, \"0.0.0.0\",0), \"\", resp_domain_s)\n | extend SplitRespDomain = split(resp_domain_s,\".\")\n | extend \n DstDomain = tostring(strcat_array(array_slice(SplitRespDomain, 1, -1), '.')),\n DstFQDN = iif (array_length(SplitRespDomain) > 1, resp_domain_s, ''),\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\n | extend\n DstHostname = case (\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\n DstDescription)\n | project-away SplitRespDomain\n | extend\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkApplicationProtocol = toupper(service_s),\n NetworkProtocol = toupper(protoName_s),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n Dst = 
DstIpAddr,\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n DstVlanId = tostring(toint(resp_vlan_id_d)),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational',\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\n EventType = 'NetworkSession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\n // -- No ID mapped, since huid found not to be unique\n // SrcDvcIdType = 'VectraId',\n // DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n NetworkDuration = toint(duration_d)\n | extend \n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n // SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n Dvc = DvcId,\n Duration = NetworkDuration,\n InnerVlanId = SrcVlanId,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n OuterVlanId = DstVlanId\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup EventSubTypeLookup on conn_state_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_sluid\", orig_sluid_s, \n \"resp_sluid\", resp_sluid_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", 
unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer\n};\nparser (disabled=disabled, pack=pack)", + "version": 1, + "functionParameters": "disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json index 3216b4523ab..bc3861e4c88 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionWatchGuardFirewareOS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionWatchGuardFirewareOS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for WatchGuard Fireware OS", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionWatchGuardFirewareOS", - "query": "let Parser=(disabled:bool=false){\n let EventLookup=datatable(DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Allow\",\"Success\",\"Informational\"\n , \"Deny\",\"Failure\",\"Low\"\n ];\n let SyslogParser = (T:(SyslogMessage:string)) {\n T\n | parse-kv SyslogMessage as (geo_src:string\n , geo_dst:string\n , src_user:string\n , dst_user:string\n , duration:int\n , sent_bytes:long\n , rcvd_bytes:long\n , fqdn_src_match:string\n , fqdn_dst_match:string) with (pair_delimiter=' ', kv_delimiter='=', quote='\"')\n | project-rename SrcGeoCountry = geo_src\n , DstGeoCountry = geo_dst\n , SrcUsername = src_user\n , DstUsername = dst_user\n , NetworkDuration = duration\n , SrcBytes = sent_bytes\n , DstBytes = rcvd_bytes\n , DstDomain = fqdn_dst_match\n , SrcDomain = fqdn_src_match\n | extend DvcAction = extract(@'\" (Allow|Deny) ', 1, SyslogMessage)\n | lookup EventLookup on DvcAction\n | extend DstDomainType = iif(isnotempty(DstDomain),\"FQDN\",\"\")\n | extend SrcDomainType = iif(isnotempty(SrcDomain),\"FQDN\",\"\")\n | extend NetworkProtocol = extract(@\" (tcp|udp|icmp|igmp) \", 1, SyslogMessage)\n | extend SrcUsernameType = 
case(isempty(SrcUsername), \"\"\n , countof(SrcUsername, \"@\") == 1, \"UPN\"\n , \"Simple\"\n )\n | extend DstUsernameType = case(isempty(DstUsername), \"\"\n , countof(DstUsername, \"@\") == 1, \"UPN\"\n , \"Simple\"\n )\n | parse SyslogMessage with * \"repeated \" EventCount:int \" times\" *\n | extend EventCount = iif(isnotempty(EventCount), EventCount, toint(1))\n | project-away SyslogMessage\n };\n let AllSyslog = \n Syslog\n | where not(disabled)\n | where SyslogMessage has_any('msg_id=\"3000-0148\"' \n , 'msg_id=\"3000-0149\"' \n , 'msg_id=\"3000-0150\"'\n , 'msg_id=\"3000-0151\"'\n , 'msg_id=\"3000-0173\"'\n ) and SyslogMessage !has 'msg=\"DNS Forwarding\" '\n | project TimeGenerated, SyslogMessage, HostName\n ;\n let Parse1 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} (tcp|udp) \\d{2,5} \\d{2,5} \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | invoke SyslogParser()\n ;\n let Parse2 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" (tcp|udp) \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | invoke SyslogParser()\n ;\n let Parse3 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} icmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n let Parse4 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" icmp \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n let 
Parse5 = \n AllSyslog\n | where SyslogMessage has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} igmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n union isfuzzy=false Parse1, Parse2, Parse3, Parse4, Parse5\n | extend EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.4\"\n , EventVendor = \"WatchGuard\"\n , EventProduct = \"Fireware\"\n , EventType = \"NetworkSession\"\n , DvcHostname = HostName\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkProtocol = toupper(NetworkProtocol)\n , NetworkDuration = toint(NetworkDuration * toint(1000))\n , NetworkBytes = SrcBytes + DstBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = TimeGenerated\n , Src = SrcIpAddr\n , Dst = DstIpAddr\n , Duration = NetworkDuration\n , User = DstUsername\n , IpAddr = SrcIpAddr\n | project-rename Dvc = HostName\n};\nParser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for WatchGuard Fireware OS", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionWatchGuardFirewareOS", + "query": "let Parser=(disabled:bool=false){\n let EventLookup=datatable(DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Allow\",\"Success\",\"Informational\"\n , \"Deny\",\"Failure\",\"Low\"\n ];\n let SyslogParser = (T:(SyslogMessage:string)) {\n T\n | parse-kv SyslogMessage as (geo_src:string\n , geo_dst:string\n , src_user:string\n , dst_user:string\n , duration:int\n , sent_bytes:long\n , rcvd_bytes:long\n , fqdn_src_match:string\n , fqdn_dst_match:string) with (pair_delimiter=' ', kv_delimiter='=', quote='\"')\n | project-rename SrcGeoCountry = geo_src\n , DstGeoCountry = geo_dst\n , SrcUsername = src_user\n , DstUsername = dst_user\n , 
NetworkDuration = duration\n , SrcBytes = sent_bytes\n , DstBytes = rcvd_bytes\n , DstDomain = fqdn_dst_match\n , SrcDomain = fqdn_src_match\n | extend DvcAction = extract(@'\" (Allow|Deny) ', 1, SyslogMessage)\n | lookup EventLookup on DvcAction\n | extend DstDomainType = iif(isnotempty(DstDomain),\"FQDN\",\"\")\n | extend SrcDomainType = iif(isnotempty(SrcDomain),\"FQDN\",\"\")\n | extend NetworkProtocol = extract(@\" (tcp|udp|icmp|igmp) \", 1, SyslogMessage)\n | extend SrcUsernameType = case(isempty(SrcUsername), \"\"\n , countof(SrcUsername, \"@\") == 1, \"UPN\"\n , \"Simple\"\n )\n | extend DstUsernameType = case(isempty(DstUsername), \"\"\n , countof(DstUsername, \"@\") == 1, \"UPN\"\n , \"Simple\"\n )\n | parse SyslogMessage with * \"repeated \" EventCount:int \" times\" *\n | extend EventCount = iif(isnotempty(EventCount), EventCount, toint(1))\n | project-away SyslogMessage\n };\n let AllSyslog = \n Syslog\n | where not(disabled)\n | where SyslogMessage has_any('msg_id=\"3000-0148\"' \n , 'msg_id=\"3000-0149\"' \n , 'msg_id=\"3000-0150\"'\n , 'msg_id=\"3000-0151\"'\n , 'msg_id=\"3000-0173\"'\n ) and SyslogMessage !has 'msg=\"DNS Forwarding\" '\n | project TimeGenerated, SyslogMessage, HostName\n ;\n let Parse1 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} (tcp|udp) \\d{2,5} \\d{2,5} \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | invoke SyslogParser()\n ;\n let Parse2 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" (tcp|udp) \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | invoke SyslogParser()\n ;\n let Parse3 = \n AllSyslog\n | where SyslogMessage has 
\"icmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} icmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n let Parse4 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" icmp \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n let Parse5 = \n AllSyslog\n | where SyslogMessage has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} igmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n ;\n union isfuzzy=false Parse1, Parse2, Parse3, Parse4, Parse5\n | extend EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.4\"\n , EventVendor = \"WatchGuard\"\n , EventProduct = \"Fireware\"\n , EventType = \"NetworkSession\"\n , DvcHostname = HostName\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkProtocol = toupper(NetworkProtocol)\n , NetworkDuration = toint(NetworkDuration * toint(1000))\n , NetworkBytes = SrcBytes + DstBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = TimeGenerated\n , Src = SrcIpAddr\n , Dst = DstIpAddr\n , Duration = NetworkDuration\n , User = DstUsername\n , IpAddr = SrcIpAddr\n | project-rename Dvc = HostName\n};\nParser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json index cd5255af492..c873b739c5c 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json 
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimNetworkSessionZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimNetworkSessionZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Zscaler ZIA Firewall", - "category": "ASIM", - "FunctionAlias": "ASimNetworkSessionZscalerZIA", - "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort,\n 
DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, 
ApplicationProtocol, ReportReferenceLink\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Zscaler ZIA Firewall", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionZscalerZIA", + "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.1\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcOriginalAction = DeviceAction, \n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort,\n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n 
NetworkRuleName = Activity,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json index 66b122ce568..16d740103d0 100644 --- a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json 
+++ b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json
@@ -358,6 +358,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimNetworkSessionIllumioSaaSCore",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -1078,6 +1098,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimNetworkSessionIllumioSaaSCore",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
index da1ce681b1d..f0c37dbad81 100644
--- a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
+++ b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
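Review bot: The `templateLink.uri` of the new `linkedASimNetworkSessionIllumioSaaSCore` deployment (and of `linkedvimNetworkSessionIllumioSaaSCore` in the second hunk of this file) points at the `master` branch of raw.githubusercontent.com, so the linked template is fetched unpinned at deployment time and `"contentVersion": "1.0.0.0"` is only a static label that does not verify what was fetched. This follows the pattern of the surrounding entries, so it is a repository-wide choice rather than something this commit introduces, but it means a full deployment is only as trustworthy and reproducible as that branch at the moment it runs. If the repository ever wants reproducible deployments, pinning the URI to a release tag or commit SHA would address it. It also appears the deployment will fail unless both IllumioSaaSCore parser templates already exist at those paths on `master` when someone runs it — worth confirming they land in the same merge.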
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imNetworkSession')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imNetworkSession", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imNetworkSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSecurityEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) )))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMerakiSyslog (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , 
vimNetworkSessionCorelightZeek (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))\n , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, 
srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , vimNetworkSessionCiscoFirepower (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , vimNetworkSessionCrowdStrikeFalconHost (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , vimNetworkSessionVMwareCarbonBlackCloud (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCortexDataLake (starttime, endtime, srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , vimNetworkSessionSonicWallFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSysmonWindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imNetworkSession", + "query": "let 
DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , 
vimNetworkSessionMicrosoftSecurityEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, 
disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) )))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMerakiSyslog (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , vimNetworkSessionCorelightZeek (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or 
('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))\n , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , 
vimNetworkSessionBarracudaCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , vimNetworkSessionCiscoFirepower (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , vimNetworkSessionCrowdStrikeFalconHost (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , vimNetworkSessionVMwareCarbonBlackCloud (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCortexDataLake (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , vimNetworkSessionSonicWallFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , 
vimNetworkSessionMicrosoftSysmonWindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n , vimNetworkSessionIllumioSaaSCore (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionIllumioSaaSCore' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json index e08743f5f8e..e237c6fb537 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json 
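Review bot: `vimNetworkSessionCiscoMeraki` appears twice in the `union isfuzzy=true` list of the new `query` string (once right after the `vimNetworkSessionVectraAI` entry, again after `vimNetworkSessionSentinelOne`), so every Meraki session row is emitted twice by `imNetworkSession`, which inflates event counts in any analytics rule or hunting query built on the unifying parser. The duplicate is carried over from the removed side, but the commit rewrites the whole resource and adds `vimNetworkSessionIllumioSaaSCore` without dropping it; the second `, vimNetworkSessionCiscoMeraki (starttime, endtime, ..., ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` entry should be removed. This ARM template looks generated from the parser YAML, so the fix presumably belongs in the source YAML as well. Separately, `pack=pack` is forwarded only to `vimNetworkSessionVectraAI` even though `imNetworkSession` accepts `pack`; if the other source parsers support that parameter, callers setting it get unpacked output from them without any error — worth confirming.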
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionAWSVPC')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionAWSVPC", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for AWS VPC logs", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionAWSVPC", - "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 
70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\n let DirectionLookup = datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n ];\n let ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n ];\n let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n )\n {\n let 
src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n AWSVPCFlow \n | where(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled)\n | where LogStatus == \"OK\"\n // -- Pre-filtering:\n | where\n (isnull(dstportnumber) or (DstPort == dstportnumber))\n and (array_length(hostname_has_any) == 0)\n | extend EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\")\n | where (eventresult == \"*\" or eventresult == EventResult) \n | lookup ActionLookup on Action\n | where (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n // -- End pre-filtering\n | extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.3\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n | lookup ProtocolLookup on Protocol\n | lookup DirectionLookup on FlowDirection\n | project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n 
DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n | project-away Action, AzId, Bytes, FlowDirection, InstanceId, Packets, Protocol, Region, SourceSystem, SublocationId, SublocationType, SubnetId, TcpFlags, TenantId, TrafficPath, Version\n };\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for AWS VPC logs", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionAWSVPC", + "query": "let ProtocolLookup = datatable(Protocol:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 
30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\n let DirectionLookup = 
datatable (FlowDirection:string, NetworkDirection:string) [\n 'ingress', 'Inbound',\n 'egress', 'Outbound'\n ];\n let ActionLookup = datatable (Action:string, DvcAction:string) [\n 'ACCEPT', 'Allow',\n 'REJECT', 'Deny'\n ];\n let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n )\n {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n AWSVPCFlow \n | where(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled)\n | where LogStatus == \"OK\"\n // -- Pre-filtering:\n | where\n (isnull(dstportnumber) or (DstPort == dstportnumber))\n and (array_length(hostname_has_any) == 0)\n | extend EventResult = iff (Action==\"ACCEPT\",\"Success\",\"Failure\")\n | where (eventresult == \"*\" or eventresult == EventResult) \n | lookup ActionLookup on Action\n | where (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n // -- End pre-filtering\n | extend\n EventVendor=\"AWS\", \n EventProduct=\"VPC\",\n NetworkBytes = tolong(Bytes),\n 
NetworkPackets = tolong(Packets),\n EventProductVersion = tostring(Version),\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSeverity = iff (Action==\"ACCEPT\",\"Informational\",\"Low\"),\n EventSchemaVersion=\"0.2.3\",\n EventSchema=\"NetworkSession\",\n SrcAppType = iff (PktSrcAwsService != \"\", \"CloudService\", \"\"),\n DstAppType = iff (PktDstAwsService != \"\", \"CloudService\", \"\"),\n DvcIdType = \"AwsVpcId\"\n | lookup ProtocolLookup on Protocol\n | lookup DirectionLookup on FlowDirection\n | project-rename\n DstIpAddr = DstAddr, \n DstPortNumber = DstPort, \n SrcNatIpAddr=PktSrcAddr, \n DstNatIpAddr=PktDstAddr, \n SrcPortNumber = SrcPort, \n SrcIpAddr = SrcAddr, \n EventEndTime = End, \n DvcInboundInterface = InterfaceId,\n DvcSubscriptionId = AccountId,\n DvcId = VpcId,\n NetworkProtocolVersion = TrafficType,\n EventOriginalResultDetails = LogStatus,\n SrcAppName = PktSrcAwsService,\n DstAppName = PktDstAwsService\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n DvcInterface = DvcInboundInterface\n | project-away Action, AzId, Bytes, FlowDirection, InstanceId, Packets, Protocol, Region, SourceSystem, SublocationId, SublocationType, SubnetId, TcpFlags, TenantId, TrafficPath, Version\n };\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json
index 6aea2485afd..20b167404e3 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionAppGateSDP')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionAppGateSDP", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for AppGate SDP", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionAppGateSDP", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n) \n{\n let DirectionLookup = datatable (direction:string, NetworkDirection:string) \n [\n 'up', 'Inbound',\n 'down', 'Outbound'\n ];\n let ActionLookup = datatable (DvcOriginalAction:string, DvcAction:string, EventSeverity:string, EventResult:string)\n [\n 'allow', 'Allow', 'Informational', 'Success',\n 'drop', 'Drop', 'Low', 'Failure',\n 'reject', 'Deny', 'Low', 'Failure',\n 'block', 'Deny', 'Low', 'Failure',\n 'block_report', 'Deny', 'Low', 'Failure',\n 'allow_report', 'Allow', 'Informational', 'Success'\n ];\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_access_events = 
\n Syslog\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and not(disabled)\n and (array_length(hostname_has_any) == 0)\n and ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",'\"event_type\":\"ip_access\"')\n | project TimeGenerated, SyslogMessage, Computer\n ;\n let tcpupd_success = \n ip_access_events\n | where \n SyslogMessage has '\"rule_name\"'\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('\"destination_port\":', tostring(dstportnumber)))) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where SyslogMessage with \n *\n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let tcpupd_fail = \n ip_access_events\n | where \n SyslogMessage has'\"drop-reason\"'\n and SyslogMessage has_any 
('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('\"destination_port\":', tostring(dstportnumber)))) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where SyslogMessage with \n *\n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"drop-reason\":\"' EventOriginalResultDetails:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' *\n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let icmp_success = \n ip_access_events\n | where \n SyslogMessage has '\"ICMP\"'\n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber)) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where 
SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"icmp_code\":' NetworkIcmpSubCode:int ',' *\n '\"icmp_type\":' NetworkIcmpCode:int ',' * \n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"version\":' EventProductVersion:string '}' *\n ;\n union tcpupd_success, tcpupd_fail, icmp_success \n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp*\n | where ASimMatchingIpAddr != \"No match\"\n | parse SyslogMessage with \n *\n '\"country_name\":\"' SrcGeoCountry:string '\",' *\n '\"lat\":' SrcGeoLatitude:real ',' * \n '\"lon\":' SrcGeoLongitude:real '}' *\n | parse SyslogMessage with \n *\n '\"city_name\":\"' SrcGeoCity:string '\",' *\n '\"region_name\":\"' SrcGeoRegion:string '\",' *\n | extend \n SrcDvcIdType = 'AppGateId',\n SrcUsernameType = 'UPN'\n // -- Event fields\n | project-rename \n DvcHostname = Computer\n | extend \n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventSchema = 'NetworkSession',\n EventSchemaVersion = 
'0.2.3',\n EventVendor = 'AppGate',\n EventProduct = 'SDP',\n EventType = 'NetworkSession'\n | lookup DirectionLookup on direction\n // -- Aliases\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away \n SyslogMessage, direction\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for AppGate SDP", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionAppGateSDP", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n) \n{\n let DirectionLookup = datatable (direction:string, NetworkDirection:string) \n [\n 'up', 'Inbound',\n 'down', 'Outbound'\n ];\n let ActionLookup = datatable (DvcOriginalAction:string, DvcAction:string, EventSeverity:string, EventResult:string)\n [\n 'allow', 'Allow', 
'Informational', 'Success',\n 'drop', 'Drop', 'Low', 'Failure',\n 'reject', 'Deny', 'Low', 'Failure',\n 'block', 'Deny', 'Low', 'Failure',\n 'block_report', 'Deny', 'Low', 'Failure',\n 'allow_report', 'Allow', 'Informational', 'Success'\n ];\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_access_events = \n Syslog\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and not(disabled)\n and (array_length(hostname_has_any) == 0)\n and ProcessName in (\"cz-sessiond\", \"cz-vpnd\")\n and SyslogMessage has_all (\"[AUDIT]\",'\"event_type\":\"ip_access\"')\n | project TimeGenerated, SyslogMessage, Computer\n ;\n let tcpupd_success = \n ip_access_events\n | where \n SyslogMessage has '\"rule_name\"'\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('\"destination_port\":', tostring(dstportnumber)))) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where SyslogMessage with \n *\n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n 
'\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let tcpupd_fail = \n ip_access_events\n | where \n SyslogMessage has'\"drop-reason\"'\n and SyslogMessage has_any ('\"protocol\":\"UDP\"','\"protocol\":\"TCP\"') \n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('\"destination_port\":', tostring(dstportnumber)))) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where SyslogMessage with \n *\n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"destination_port\":' DstPortNumber:int ',' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"drop-reason\":\"' EventOriginalResultDetails:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' *\n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"source_port\":' SrcNatPortNumber:int ',' * \n '\"version\":' EventProductVersion:string '}' *\n ;\n let icmp_success = \n ip_access_events\n | where \n 
SyslogMessage has '\"ICMP\"'\n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any)) \n and (isnull(dstportnumber)) \n and (eventresult=='*' or iff(eventresult=='Success', SyslogMessage has 'allow', SyslogMessage has_any('drop', 'reject','block')))\n | parse SyslogMessage with * '\"action\":\"' DvcOriginalAction:string '\",' * \n | lookup ActionLookup on DvcOriginalAction\n | where \n (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult=='*' or EventResult == eventresult)\n | parse-where SyslogMessage with \n *\n '\"action\":\"' DvcOriginalAction:string '\",' * \n '\"client_ip\":\"' SrcIpAddr:string '\",' *\n '\"client_port\":' SrcPortNumber:int ',' *\n '\"destination_ip\":\"' DstIpAddr:string '\",' *\n '\"direction\":\"' direction:string '\",' * \n '\"distinguished_name_device_id\":\"' SrcDvcId:string '\",' *\n '\"distinguished_name_user\":\"' SrcUsername:string '\",' *\n '\"entitlement_token_id\":\"' NetworkSessionId:string '\",' *\n '\"icmp_code\":' NetworkIcmpSubCode:int ',' *\n '\"icmp_type\":' NetworkIcmpCode:int ',' * \n '\"packet_size\":' SrcBytes:long ',' *\n '\"protocol\":\"' NetworkProtocol:string '\",' * \n '\"rule_name\":\"' NetworkRuleName:string '\",' * \n '\"source_ip\":\"' SrcNatIpAddr:string '\",' *\n '\"version\":' EventProductVersion:string '}' *\n ;\n union tcpupd_success, tcpupd_fail, icmp_success \n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp*\n | where ASimMatchingIpAddr != \"No match\"\n | parse SyslogMessage with \n *\n '\"country_name\":\"' 
SrcGeoCountry:string '\",' *\n '\"lat\":' SrcGeoLatitude:real ',' * \n '\"lon\":' SrcGeoLongitude:real '}' *\n | parse SyslogMessage with \n *\n '\"city_name\":\"' SrcGeoCity:string '\",' *\n '\"region_name\":\"' SrcGeoRegion:string '\",' *\n | extend \n SrcDvcIdType = 'AppGateId',\n SrcUsernameType = 'UPN'\n // -- Event fields\n | project-rename \n DvcHostname = Computer\n | extend \n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventVendor = 'AppGate',\n EventProduct = 'SDP',\n EventType = 'NetworkSession'\n | lookup DirectionLookup on direction\n // -- Aliases\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n // -- Entity identifier explicit aliases\n SrcUserUpn = SrcUsername\n | project-away \n SyslogMessage, direction\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json index c27aa3cc9c5..a5e94f01714 100644 
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionAzureFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionAzureFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Azure Firewall logs", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionAzureFirewall", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let ip_any=set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let AzureFirewallNetworkRuleLogs = \n AzureDiagnostics\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and not(disabled)\n | where Category == \"AzureFirewallNetworkRule\"\n | where isnotempty(msg_s)\n | project msg_s, OperationName, SubscriptionId, ResourceId, TimeGenerated, Type, _ResourceId;\n let prefilter = (T: (msg_s:string, TimeGenerated:datetime, OperationName:string)) {\n T | where \n //(isnull(starttime) or TimeGenerated >= starttime) \n // 
and (isnull(endtime) or TimeGenerated <= endtime) \n (array_length(hostname_has_any) == 0)\n and (isnull(dstportnumber) or msg_s has (tostring(dstportnumber)))\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(msg_s,ip_any)\n ) \n };\n let AzureFirewallSessionLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName in (\"AzureFirewallNetworkRuleLog\",\"AzureFirewallThreatIntelLog\")\n // -- pre-filter\n | where (array_length(dvcaction) == 0) or (msg_s has_any (dvcaction))\n | where (eventresult == \"*\") or ((eventresult == \"Success\") and (msg_s has \"Allow\")) or ((eventresult == \"Failure\") and (msg_s has \"Deny\"))\n | invoke prefilter()\n // -- end pre-filter\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \". Action: \" DvcAction:string\n \".\" *\n | project-away msg_s\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" \n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend NetworkIcmpCode = iff(NetworkProtocol startswith \"ICMP\", toint(extract (\"type=(\\\\d+)\",1,NetworkProtocol)), int(null))\n | extend NetworkIcmpType = iff(isnotnull(NetworkIcmpCode), _ASIM_LookupICMPType(NetworkIcmpCode), \"\")\n | extend NetworkProtocol = iff(NetworkProtocol startswith \"ICMP\", \"ICMP\", NetworkProtocol)\n | extend EventSeverity = case (\n OperationName == \"AzureFirewallThreatIntelLog\", \"Medium\",\n DvcAction == \"Deny\", \"Low\",\n \"Informational\")\n | extend EventResult = iff(DvcAction == \"Allow\", \"Success\", \"Failure\")\n 
;\n let AzureFirewallNATLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName == \"AzureFirewallNatRuleLog\"\n // -- pre-filter\n | where (array_length(dvcaction) == 0) or (\"Allow\" in (dvcaction))\n | where eventresult in (\"*\", \"Success\")\n | invoke prefilter()\n // -- end pre-filter\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \" was DNAT'ed to \" DstNatIpAddr:string\n \":\" DstNatPortNumber:int\n | project-away msg_s\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" \n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend EventSeverity = \"Informational\"\n | extend EventResult = \"Success\"\n | extend DvcAction = \"Allow\"\n ;\n union AzureFirewallSessionLogs, AzureFirewallNATLogs\n | where \n (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // -- end post-filtering\n | extend\n EventVendor=\"Microsoft\",\n EventProduct=\"Azure Firewall\",\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSchemaVersion=\"0.2.3\",\n EventSchema=\"NetworkSession\",\n DvcIdType = \"AzureResourceId\"\n | project-rename\n DvcSubscriptionId = SubscriptionId,\n DvcId = ResourceId\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated // ??\n | project-keep\n ASim*,\n Src*,\n Dst*,\n Event*,\n Dvc*,\n IpAddr,\n NetworkIcmpCode,\n NetworkIcmpType,\n NetworkProtocol,\n Type,\n _ResourceId,\n TimeGenerated\n};\nparser 
(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Azure Firewall logs", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionAzureFirewall", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let ip_any=set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let AzureFirewallNetworkRuleLogs = \n AzureDiagnostics\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and not(disabled)\n | where Category == \"AzureFirewallNetworkRule\"\n | where isnotempty(msg_s)\n | project msg_s, OperationName, SubscriptionId, ResourceId, TimeGenerated, Type, _ResourceId;\n let prefilter = (T: (msg_s:string, TimeGenerated:datetime, OperationName:string)) {\n T | where \n //(isnull(starttime) or TimeGenerated >= starttime) \n // and (isnull(endtime) or TimeGenerated <= endtime) \n 
(array_length(hostname_has_any) == 0)\n and (isnull(dstportnumber) or msg_s has (tostring(dstportnumber)))\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(msg_s,ip_any)\n ) \n };\n let AzureFirewallSessionLogs = \n AzureFirewallNetworkRuleLogs\n | where OperationName in (\"AzureFirewallNetworkRuleLog\",\"AzureFirewallThreatIntelLog\")\n // -- pre-filter\n | where (array_length(dvcaction) == 0) or (msg_s has_any (dvcaction))\n | where (eventresult == \"*\") or ((eventresult == \"Success\") and (msg_s has \"Allow\")) or ((eventresult == \"Failure\") and (msg_s has \"Deny\"))\n | invoke prefilter()\n // -- end pre-filter\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \". Action: \" DvcAction:string\n \".\" *\n | project-away msg_s\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" \n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend NetworkIcmpCode = iff(NetworkProtocol startswith \"ICMP\", toint(extract (\"type=(\\\\d+)\",1,NetworkProtocol)), int(null))\n | extend NetworkIcmpType = iff(isnotnull(NetworkIcmpCode), _ASIM_LookupICMPType(NetworkIcmpCode), \"\")\n | extend NetworkProtocol = iff(NetworkProtocol startswith \"ICMP\", \"ICMP\", NetworkProtocol)\n | extend EventSeverity = case (\n OperationName == \"AzureFirewallThreatIntelLog\", \"Medium\",\n DvcAction == \"Deny\", \"Low\",\n \"Informational\")\n | extend EventResult = iff(DvcAction == \"Allow\", \"Success\", \"Failure\")\n ;\n let AzureFirewallNATLogs = \n 
AzureFirewallNetworkRuleLogs\n | where OperationName == \"AzureFirewallNatRuleLog\"\n // -- pre-filter\n | where (array_length(dvcaction) == 0) or (\"Allow\" in (dvcaction))\n | where eventresult in (\"*\", \"Success\")\n | invoke prefilter()\n // -- end pre-filter\n | parse-where\n msg_s with NetworkProtocol:string \n \" request from \" SrcIpAddr:string\n \":\" SrcPortNumber:int\n \" to \" DstIpAddr:string\n \":\" DstPortNumber:int\n \" was DNAT'ed to \" DstNatIpAddr:string\n \":\" DstNatPortNumber:int\n | project-away msg_s\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" \n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend EventSeverity = \"Informational\"\n | extend EventResult = \"Success\"\n | extend DvcAction = \"Allow\"\n ;\n union AzureFirewallSessionLogs, AzureFirewallNATLogs\n | where \n (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // -- end post-filtering\n | extend\n EventVendor=\"Microsoft\",\n EventProduct=\"Azure Firewall\",\n EventType=\"NetworkSession\",\n EventCount=toint(1),\n EventSchemaVersion=\"0.2.3\",\n EventSchema=\"NetworkSession\",\n DvcIdType = \"AzureResourceId\"\n | project-rename\n DvcSubscriptionId = SubscriptionId,\n DvcId = ResourceId\n // -- Aliases\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated // ??\n | project-keep\n ASim*,\n Src*,\n Dst*,\n Event*,\n Dvc*,\n IpAddr,\n NetworkIcmpCode,\n NetworkIcmpType,\n NetworkProtocol,\n Type,\n _ResourceId,\n TimeGenerated\n};\nparser (starttime, endtime, 
srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json index 7bb43152b02..fafe9b3f1db 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json 
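Review bot: The re-added `query` string for vimNetworkSessionAzureFirewall still carries an unresolved `EventEndTime = TimeGenerated // ??` marker in the alias `extend` near the end of the parser, so the shipped template documents its own end-time handling as an open question. The surrounding code already fixes the answer: the initial `project` keeps only `TimeGenerated` from `AzureDiagnostics`, and both `EventStartTime` and `EventEndTime` are set from it. Replace the marker with a comment that states that, e.g. `EventEndTime = TimeGenerated // only TimeGenerated is kept from the source record, so start and end coincide`. This ARM file appears to be generated from the parser YAML (the repository's convert workflow), so the fix belongs in the source YAML rather than in this JSON, or it will be lost on the next regeneration.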
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionAzureNSG')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionAzureNSG", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Azure NSG flows", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionAzureNSG", - "query": "let DvcActionLookup = datatable(FlowStatus_s:string, DvcAction:string, EventResult:string) [\n 'A', 'Allow', 'Success',\n 'D', 'Deny', 'Failure',\n];\nlet NetworkDirectionLookup = datatable(FlowDirection_s:string, NetworkDirection:string, isOutBound:bool) [\n 'I', 'Inbound', false,\n 'O', 'Outbound', true\n];\nlet NetworkProtocolLookup = datatable(L4Protocol_s:string, NetworkProtocol:string)[\n 'T', 'TCP',\n 'U', 'UDP'\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let prefilter = (T:(TimeGenerated:datetime, SrcIP_s:string, SrcPublicIPs_s:string, DestIP_s:string, DestPublicIPs_s:string, DestPort_d:real, FlowStatus_s:string, VM1_s:string, VM2_s:string)) { \n T\n | where\n 
(isnull(dstportnumber) or dstportnumber == toint(DestPort_d)) \n | extend dataSrcIPs = strcat(SrcIP_s,\" \",SrcPublicIPs_s),\n dataDstIPs = strcat(DestIP_s,\" \",DestPublicIPs_s)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(dataSrcIPs,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(dataDstIPs,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_is_MatchSrcHostname = VM1_s has_any (hostname_has_any)\n , temp_is_MatchDstHostname = VM2_s has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname, \"Both\",\n temp_is_MatchSrcHostname, \"SrcHostname\",\n temp_is_MatchDstHostname, \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | lookup DvcActionLookup on FlowStatus_s\n | where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n | where (eventresult=='*' or EventResult == eventresult)\n }; // prefilter ends\n let AzureNetworkAnalytics = \n AzureNetworkAnalytics_CL\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled) and isnotempty(FlowType_s)\n | lookup NetworkDirectionLookup on FlowDirection_s\n ;\n let AzureNetworkAnalyticsInbound =\n AzureNetworkAnalytics\n | where not(isOutBound)\n | invoke prefilter()\n | project-rename\n DstMacAddr = MACAddress_s\n | extend\n DstBytes = tolong(OutboundBytes_d), // -- size fields seem not to be populated for inbound\n DstPackets = tolong(OutboundPackets_d),\n SrcBytes = tolong(InboundBytes_d),\n SrcPackets = 
tolong(InboundPackets_d),\n SrcInterfaceName = tostring(split(NIC_s, '/')[1]),\n SrcGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM2_s,'/')\n | extend \n DstFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n DstHostname = tostring(hostelements[1]),\n DstDomain = tostring(hostelements[0]),\n DstDomainType = \"ResourceGroup\"\n | extend Hostname = DstHostname\n | project-away hostelements, isOutBound\n ; \n let AzureNetworkAnalyticsOutbound =\n AzureNetworkAnalytics\n | where isOutBound\n | invoke prefilter()\n | project-rename\n SrcMacAddr = MACAddress_s\n | extend\n SrcBytes = tolong(OutboundBytes_d), \n SrcPackets = tolong(OutboundPackets_d),\n DstBytes = tolong(InboundBytes_d),\n DstPackets = tolong(InboundPackets_d),\n DstInterfaceName = tostring(split(NIC_s, '/')[1]),\n DstGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM1_s,'/')\n | extend \n SrcFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n SrcHostname = tostring(hostelements[1]),\n SrcDomain = tostring(hostelements[0]),\n SrcDomainType = \"ResourceGroup\"\n | extend Hostname = SrcHostname\n | project-away hostelements, isOutBound\n ;\n union AzureNetworkAnalyticsInbound, AzureNetworkAnalyticsOutbound\n | project-rename\n Dvc = NSGList_s,\n DvcSubscriptionId = Subscription_g,\n EventEndTime = FlowEndTime_t,\n EventStartTime = FlowStartTime_t,\n NetworkApplicationProtocol = L7Protocol_s,\n NetworkRuleName = NSGRule_s,\n NetworkSessionId = ConnectionName_s,\n EventOriginalSubType = FlowType_s\n | extend\n DstPortNumber = toint(DestPort_d),\n EventProduct = 'NSGFlow',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.3',\n EventSeverity = 'Informational', //??\n EventType = 'Flow',\n EventVendor = 'Microsoft',\n EventCount = toint(AllowedInFlows_d+DeniedInFlows_d+AllowedOutFlows_d+DeniedOutFlows_d),\n NetworkDuration = toint((((EventEndTime - datetime(1970-01-01)) / 1s) - ((EventStartTime - datetime(1970-01-01)) / 1s )) * 1000),\n Rule = 
NetworkRuleName,\n SessionId = NetworkSessionId\n | extend \n DstIpAddr = iff(isnotempty(DestIP_s),\n DestIP_s,\n split(DestPublicIPs_s, '|')[0]),\n Duration = NetworkDuration,\n NetworkBytes = tolong(DstBytes + SrcBytes),\n NetworkPackets = tolong(DstPackets + SrcPackets),\n SrcIpAddr = iff(isnotempty(SrcIP_s),\n SrcIP_s,\n split(SrcPublicIPs_s, '|')[0])\n | extend\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | lookup NetworkProtocolLookup on L4Protocol_s\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Hostname,\n Type,\n Duration,\n SessionId,\n _ResourceId,\n TimeGenerated,\n ASim*\n | project-away *_s\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Azure NSG flows", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionAzureNSG", + "query": "let DvcActionLookup = datatable(FlowStatus_s:string, DvcAction:string, EventResult:string) [\n 'A', 'Allow', 'Success',\n 'D', 'Deny', 'Failure',\n];\nlet NetworkDirectionLookup = datatable(FlowDirection_s:string, NetworkDirection:string, isOutBound:bool) [\n 'I', 'Inbound', false,\n 'O', 'Outbound', true\n];\nlet NetworkProtocolLookup = datatable(L4Protocol_s:string, NetworkProtocol:string)[\n 'T', 'TCP',\n 'U', 'UDP'\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n 
dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let prefilter = (T:(TimeGenerated:datetime, SrcIP_s:string, SrcPublicIPs_s:string, DestIP_s:string, DestPublicIPs_s:string, DestPort_d:real, FlowStatus_s:string, VM1_s:string, VM2_s:string)) { \n T\n | where\n (isnull(dstportnumber) or dstportnumber == toint(DestPort_d)) \n | extend dataSrcIPs = strcat(SrcIP_s,\" \",SrcPublicIPs_s),\n dataDstIPs = strcat(DestIP_s,\" \",DestPublicIPs_s)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(dataSrcIPs,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(dataDstIPs,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_is_MatchSrcHostname = VM1_s has_any (hostname_has_any)\n , temp_is_MatchDstHostname = VM2_s has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname, \"Both\",\n temp_is_MatchSrcHostname, \"SrcHostname\",\n temp_is_MatchDstHostname, \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | lookup DvcActionLookup on FlowStatus_s\n | where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n | where (eventresult=='*' or EventResult == eventresult)\n }; // prefilter ends\n let 
AzureNetworkAnalytics = \n AzureNetworkAnalytics_CL\n | where\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled) and isnotempty(FlowType_s)\n | lookup NetworkDirectionLookup on FlowDirection_s\n ;\n let AzureNetworkAnalyticsInbound =\n AzureNetworkAnalytics\n | where not(isOutBound)\n | invoke prefilter()\n | project-rename\n DstMacAddr = MACAddress_s\n | extend\n DstBytes = tolong(OutboundBytes_d), // -- size fields seem not to be populated for inbound\n DstPackets = tolong(OutboundPackets_d),\n SrcBytes = tolong(InboundBytes_d),\n SrcPackets = tolong(InboundPackets_d),\n SrcInterfaceName = tostring(split(NIC_s, '/')[1]),\n SrcGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM2_s,'/')\n | extend \n DstFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n DstHostname = tostring(hostelements[1]),\n DstDomain = tostring(hostelements[0]),\n DstDomainType = \"ResourceGroup\"\n | extend Hostname = DstHostname\n | project-away hostelements, isOutBound\n ; \n let AzureNetworkAnalyticsOutbound =\n AzureNetworkAnalytics\n | where isOutBound\n | invoke prefilter()\n | project-rename\n SrcMacAddr = MACAddress_s\n | extend\n SrcBytes = tolong(OutboundBytes_d), \n SrcPackets = tolong(OutboundPackets_d),\n DstBytes = tolong(InboundBytes_d),\n DstPackets = tolong(InboundPackets_d),\n DstInterfaceName = tostring(split(NIC_s, '/')[1]),\n DstGeoCountry = toupper(Country_s)\n | extend hostelements=split(VM1_s,'/')\n | extend \n SrcFQDN = strcat(hostelements[0], @\"\\\", hostelements[1]),\n SrcHostname = tostring(hostelements[1]),\n SrcDomain = tostring(hostelements[0]),\n SrcDomainType = \"ResourceGroup\"\n | extend Hostname = SrcHostname\n | project-away hostelements, isOutBound\n ;\n union AzureNetworkAnalyticsInbound, AzureNetworkAnalyticsOutbound\n | project-rename\n Dvc = NSGList_s,\n DvcSubscriptionId = Subscription_g,\n EventEndTime = FlowEndTime_t,\n EventStartTime = 
FlowStartTime_t,\n NetworkApplicationProtocol = L7Protocol_s,\n NetworkRuleName = NSGRule_s,\n NetworkSessionId = ConnectionName_s,\n EventOriginalSubType = FlowType_s\n | extend\n DstPortNumber = toint(DestPort_d),\n EventProduct = 'NSGFlow',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.3',\n EventSeverity = 'Informational', //??\n EventType = 'Flow',\n EventVendor = 'Microsoft',\n EventCount = toint(AllowedInFlows_d+DeniedInFlows_d+AllowedOutFlows_d+DeniedOutFlows_d),\n NetworkDuration = toint((((EventEndTime - datetime(1970-01-01)) / 1s) - ((EventStartTime - datetime(1970-01-01)) / 1s )) * 1000),\n Rule = NetworkRuleName,\n SessionId = NetworkSessionId\n | extend \n DstIpAddr = iff(isnotempty(DestIP_s),\n DestIP_s,\n split(DestPublicIPs_s, '|')[0]),\n Duration = NetworkDuration,\n NetworkBytes = tolong(DstBytes + SrcBytes),\n NetworkPackets = tolong(DstPackets + SrcPackets),\n SrcIpAddr = iff(isnotempty(SrcIP_s),\n SrcIP_s,\n split(SrcPublicIPs_s, '|')[0])\n | extend\n Dst = DstIpAddr,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | lookup NetworkProtocolLookup on L4Protocol_s\n | project-keep\n Src*,\n Dst*,\n Event*,\n Dvc*,\n Network*,\n IpAddr,\n Hostname,\n Type,\n Duration,\n SessionId,\n _ResourceId,\n TimeGenerated,\n ASim*\n | project-away *_s\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json
index 5a0afb90a5e..8e63af38325 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionBarracudaCEF", - "query": "let ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]),\n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false){\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); 
\nlet dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"NF\"\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n and (array_length(hostname_has_any) == 0 or DeviceName has_any (hostname_has_any))\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | lookup EventResultLookup on $left.DeviceAction == $right.ActionID_s\n | where (array_length(dvcaction) == 0 or DvcAction has_any(dvcaction))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend \n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on $left.Protocol == $right.Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n DvcIpAddr = DestinationIP, \n DstPortNumber = toint(DestinationPort),\n SrcPortNumber = toint(SourcePort),\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | 
extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst=DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n temp_*,\n TenantId,CollectorHostName;\nBarracudaCEF\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionBarracudaCEF", + "query": "let ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet 
SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]),\n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false){\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"NF\"\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n and (array_length(hostname_has_any) == 0 or DeviceName has_any (hostname_has_any))\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | lookup EventResultLookup on $left.DeviceAction == $right.ActionID_s\n | where (array_length(dvcaction) == 0 or DvcAction 
has_any(dvcaction))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend \n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on $left.Protocol == $right.Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n DvcIpAddr = DestinationIP, \n DstPortNumber = toint(DestinationPort),\n SrcPortNumber = toint(SourcePort),\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst=DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n temp_*,\n TenantId,CollectorHostName;\nBarracudaCEF\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled\n)", + "version": 
1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json index f5c9d9086ee..59268e62134 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionBarracudaWAF", - "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: 
string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]),\n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false){\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCustom = union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and LogType_s == \"NF\"\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP_s, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n and (array_length(hostname_has_any) == 0 or host_s has_any (hostname_has_any))\n | where (isnull(dstportnumber) or (DestinationPort_d == dstportnumber))\n | lookup EventResultLookup on ActionID_s\n | where (array_length(dvcaction) == 0 or DvcAction has_any(dvcaction))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend \n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n 
DstIpAddr = DestinationIP_s,\n SrcIpAddr = SourceIP,\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s, \n DstPortNumber = toint(DestinationPort_d),\n SrcPortNumber = toint(SourcePort_d),\n EventProductVersion = DeviceVersion_s,\n EventUid = _ItemId,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n RawData,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem,\n temp_SrcMatch,\n temp_DstMatch,\n SourceIP;\nBarracudaCustom\n};parser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionBarracudaWAF", + "query": "let barracudaSchema = datatable(\n UnitName_s: string,\n DeviceReceiptTime_s: string,\n ActionID_s: string,\n DestinationIP_s: string,\n SourceIP: string,\n host_s: string,\n HostIP_s: string,\n Severity_s: string,\n LogType_s: string,\n DestinationPort_d: real,\n SourcePort_d: real,\n Protocol_s: 
string,\n DeviceVersion_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet ProtocolLookup = datatable(\n Protocol_s: string,\n NetworkProtocol: string,\n NetworkProtocolVersion: string\n)[\n \"TCP\", \"TCP\", \"\",\n \"TCP/ip\", \"TCP\", \"\",\n \"UDP\", \"UDP\", \"\",\n \"UDP/ip\", \"UDP\", \"\",\n \"ICMP\", \"ICMP\", \"IPV4\",\n \"ICMPv6\", \"ICMP\", \"IPV6\",\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultLookup = datatable (\n ActionID_s: string,\n EventResult: string,\n DvcAction: string\n)\n [\n \"ALLOW\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]),\n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false){\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCustom = union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and LogType_s == \"NF\"\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP_s, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 
0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n and (array_length(hostname_has_any) == 0 or host_s has_any (hostname_has_any))\n | where (isnull(dstportnumber) or (DestinationPort_d == dstportnumber))\n | lookup EventResultLookup on ActionID_s\n | where (array_length(dvcaction) == 0 or DvcAction has_any(dvcaction))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend \n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup ProtocolLookup on Protocol_s\n | extend\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n DstIpAddr = DestinationIP_s,\n SrcIpAddr = SourceIP,\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s, \n DstPortNumber = toint(DestinationPort_d),\n SrcPortNumber = toint(SourcePort_d),\n EventProductVersion = DeviceVersion_s,\n EventUid = _ItemId,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n RawData,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem,\n temp_SrcMatch,\n temp_DstMatch,\n SourceIP;\nBarracudaCustom\n};parser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled\n)", + "version": 
1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json index d2f729b1aed..ec48ec479c9 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCheckPointFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCheckPointFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Check Point Firewall", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCheckPointFirewall", - "query": "let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)\n [\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , 
\"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , 
\"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"];\n let DirectionLookup=datatable(conn_direction:string,NetworkDirection:string)\n [\n \"Incoming\",\"Inbound\", \n \"Outgoing\",\"Outbound\", \n \"Internal\",\"Local\"];\n let ActionLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Accept\",\"Allow\",\"Success\",\"Informational\",\n \"Allow\",\"Allow\",\"Success\",\"Informational\",\n \"Drop\",\"Drop\",\"Failure\",\"Low\",\n \"Reject\",\"Deny\",\"Failure\",\"Low\",\n \"Encrypt\",\"Encrypt\",\"Success\",\"Informational\",\n \"Decrypt\",\"Decrypt\",\"Success\",\"Informational\",\n \"Bypass\",\"Allow\",\"Success\",\"Informational\",\n \"Block\",\"Deny\",\"Failure\",\"Low\",\n \"\",\"\",\"NA\",\"Informational\"\n ];\n let NWParser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where \n array_length(hostname_has_any) == 0\n | where DeviceVendor==\"Check Point\" and DeviceProduct==\"VPN-1 & FireWall-1\"\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not 
requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | lookup ActionLookup on DeviceAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or (EventResult == eventresult))\n | lookup ProtocolLookup on Protocol\n | extend \n EventProduct = \"Firewall\",\n EventCount = toint(1),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\"\n | parse-kv AdditionalExtensions as (\n rule_uid:string,\n loguid:string,\n origin:string,\n originsicname:string,\n inzone:string,\n outzone:string,\n conn_direction:string,\n alert:string,\n inspection_category:string,\n inspection_item:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n ThreatCategory = coalesce(alert, inspection_category),\n NetworkRuleName = coalesce(DeviceCustomString2, rule_uid, Activity),\n EventStartTime = TimeGenerated\n | parse originsicname with \"CN\\\\=\" DvcHostname \",\" *\n | project-rename\n Dvc = origin, \n EventOriginalUid = loguid,\n ThreatName = inspection_item,\n EventVendor = DeviceVendor,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventOriginalSeverity = LogSeverity,\n Rule = NetworkRuleName,\n DvcOriginalAction = DeviceAction,\n DstAppName = Activity,\n EventMessage = Message\n | lookup DirectionLookup on conn_direction\n | extend \n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n NetworkDirection = case(\n isnotempty(NetworkDirection), 
NetworkDirection,\n inzone == \"Internal\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Local\",\n (inzone == \"Internal\" or inzone == \"Local\") and outzone == \"External\", \"Outbound\",\n inzone == \"External\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Inbound\",\n CommunicationDirection == \"0\", \"Inbound\",\n CommunicationDirection == \"1\", \"Outbound\",\n \"\"\n ),\n EventSeverity = iif(isnotempty(ThreatCategory),\"High\",EventSeverity),\n NetworkIcmpType = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n ),\n NetworkIcmpCode = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber3\", long(null))),\n toint(column_ifexists(\"DeviceCustomNumber3\",long(null)))\n )\n | project-away ApplicationProtocol, AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, ReportReferenceLink, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, rule_uid, originsicname, inzone, outzone, alert, conn_direction, inspection_category, temp_isDstMatch, temp_isSrcMatch, ExtID, EventOutcome, FieldDevice*, Reason\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Check Point Firewall", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCheckPointFirewall", + "query": "let ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)\n [\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , 
\"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"];\n let DirectionLookup=datatable(conn_direction:string,NetworkDirection:string)\n [\n \"Incoming\",\"Inbound\", \n \"Outgoing\",\"Outbound\", \n \"Internal\",\"Local\"];\n let 
ActionLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Accept\",\"Allow\",\"Success\",\"Informational\",\n \"Allow\",\"Allow\",\"Success\",\"Informational\",\n \"Drop\",\"Drop\",\"Failure\",\"Low\",\n \"Reject\",\"Deny\",\"Failure\",\"Low\",\n \"Encrypt\",\"Encrypt\",\"Success\",\"Informational\",\n \"Decrypt\",\"Decrypt\",\"Success\",\"Informational\",\n \"Bypass\",\"Allow\",\"Success\",\"Informational\",\n \"Block\",\"Deny\",\"Failure\",\"Low\",\n \"\",\"\",\"NA\",\"Informational\"\n ];\n let NWParser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where \n array_length(hostname_has_any) == 0\n | where DeviceVendor==\"Check Point\" and DeviceProduct==\"VPN-1 & FireWall-1\"\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | lookup ActionLookup on 
DeviceAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or (EventResult == eventresult))\n | lookup ProtocolLookup on Protocol\n | extend \n EventProduct = \"Firewall\",\n EventCount = toint(1),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\"\n | parse-kv AdditionalExtensions as (\n rule_uid:string,\n loguid:string,\n origin:string,\n originsicname:string,\n inzone:string,\n outzone:string,\n conn_direction:string,\n alert:string,\n inspection_category:string,\n inspection_item:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n ThreatCategory = coalesce(alert, inspection_category),\n NetworkRuleName = coalesce(DeviceCustomString2, rule_uid, Activity),\n EventStartTime = TimeGenerated\n | parse originsicname with \"CN\\\\=\" DvcHostname \",\" *\n | project-rename\n Dvc = origin, \n EventOriginalUid = loguid,\n ThreatName = inspection_item,\n EventVendor = DeviceVendor,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventOriginalSeverity = LogSeverity,\n Rule = NetworkRuleName,\n DvcOriginalAction = DeviceAction,\n DstAppName = Activity,\n EventMessage = Message\n | lookup DirectionLookup on conn_direction\n | extend \n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n NetworkDirection = case(\n isnotempty(NetworkDirection), NetworkDirection,\n inzone == \"Internal\" and (outzone == \"Internal\" or outzone == \"Local\"), \"Local\",\n (inzone == \"Internal\" or inzone == \"Local\") and outzone == \"External\", \"Outbound\",\n inzone == \"External\" and (outzone == \"Internal\" or outzone == \"Local\"), 
\"Inbound\",\n CommunicationDirection == \"0\", \"Inbound\",\n CommunicationDirection == \"1\", \"Outbound\",\n \"\"\n ),\n EventSeverity = iif(isnotempty(ThreatCategory),\"High\",EventSeverity),\n NetworkIcmpType = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n ),\n NetworkIcmpCode = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber3\", long(null))),\n toint(column_ifexists(\"DeviceCustomNumber3\",long(null)))\n )\n | project-away ApplicationProtocol, AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, ReportReferenceLink, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, rule_uid, originsicname, inzone, outzone, alert, conn_direction, inspection_category, temp_isDstMatch, temp_isSrcMatch, ExtID, EventOutcome, FieldDevice*, Reason\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
index d2019c2da19..a921bb70636 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCiscoASA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCiscoASA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco ASA", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCiscoASA", - "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with 
reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. 
An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch 
and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" 
DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend 
SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. 
TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == 
eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = 
trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where 
((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = 
coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco ASA", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoASA", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed 
out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. 
An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch 
and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" 
DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend 
SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. 
TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == 
eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = 
trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where 
((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = 
coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json index d8c98d66d55..51dc52a1955 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCiscoFirepower')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCiscoFirepower", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Cisco Firepower", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCiscoFirepower", - "query": "let ActionLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"Blocked\", \"Deny\", \"Failure\",\n \"Alerted\", \"Allow\", \"Success\",\n \"Rewritten\", \"Allow\", \"Success\",\n \"Would be Rewritten\", \"Allow\", \"Partial\",\n \"Would be Blocked\", \"Deny\", \"Partial\",\n \"Would Be Blocked\", \"Deny\", \"Partial\",\n \"Dropped\", \"Drop\", \"Failure\",\n \"Would be Dropped\", \"Drop\", \"Partial\",\n \"Partially Dropped\", \"Drop\", \"Partial\",\n \"Would be Block\", \"Deny\", \"Partial\",\n \"Partial Blocked\", \"Deny\", \"Partial\",\n \"Rejected\", \"Deny\", \"Failure\",\n \"Would be Rejected\", \"Deny\", \"Partial\",\n \"Would Rejected\", \"Deny\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Partial Block\", \"Deny\", \"Partial\",\n \"Drop\", \"Drop\", \"Failure\",\n \"Would Drop\", \"Drop\", \"Partial\",\n \"Reject\", \"Deny\", \"Failure\",\n \"Rewrite\", \"Allow\", \"Success\",\n \"Allow\", \"Allow\", \"Success\",\n \"Monitor\", \"Allow\", \"Success\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", 
\"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\n[\n \"N/A\", \"NA\",\n \"IP Block\", \"Terminated\",\n \"IP Monitor\", \"Unknown\",\n \"User Bypass\", \"Unknown\",\n \"File Monitor\", \"Unknown\",\n \"File Block\", \"Terminated\",\n \"Intrusion Monitor\", \"Unknown\",\n \"Intrusion Block\", \"Terminated\",\n \"File Resume Block\", \"Terminated\",\n \"File Resume Allow\", \"Unknown\",\n \"File Custom Detection\", \"Unknown\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let AllLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID has_any(\"INTRUSION:400\", \"PV:112\", \"RNA:1003:1\")\n and (array_length(hostname_has_any) == 0 or DestinationDnsDomain has_any (hostname_has_any)) \n and (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", \n (temp_isSrcMatch and temp_isDstMatch), \"Both\", \n temp_isSrcMatch, 
\"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | invoke _ASIM_ResolveDstFQDN('DestinationDnsDomain')\n | extend temp_is_MatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n temp_is_MatchDstHostname,\n \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\n let Connection_Statistics_Events = AllLogs\n | where DeviceEventClassID has \"RNA:1003:1\"\n | parse-kv AdditionalExtensions as (\n start: long,\n end: long,\n bytesIn: long,\n bytesOut: long,\n )\n with (pair_delimiter=';', kv_delimiter='=') \n | lookup EventResultDetailsLookup on Reason\n | extend\n SrcBytes = bytesIn,\n DstBytes = bytesOut,\n EventOriginalResultDetails = Reason,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"instanceID\", ProcessID,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Intrusion_Events = AllLogs\n | where DeviceEventClassID has \"INTRUSION:400\"\n | parse-kv AdditionalExtensions as (\n start: long\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | extend \n EventMessage = Activity,\n ThreatCategory = DeviceEventCategory,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"ipspolicy\", DeviceCustomString5,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Policy_Violation_Events = AllLogs\n | where DeviceEventClassID has \"PV:112\"\n | extend\n EventMessage = Message,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\n | project-rename DstUsername = DestinationUserName\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = 
_ASIM_GetUserType(DstUsername, \"\");\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\n | extend\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\n NetworkIcmpCode = iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), \"\"),\n SrcZone = DeviceCustomString3,\n DstZone = DeviceCustomString4\n | lookup ActionLookup on DeviceAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\n SrcVlanId = tostring(DeviceCustomNumber1)\n | extend\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\",\n DstIpAddr contains \":\",\n \"IPv6\",\n \"\"\n )\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventCount = int(1)\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n SrcUsername = 
SourceUserName,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n EventOriginalSeverity = LogSeverity,\n DvcId = DeviceExternalID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventProductVersion = DeviceVersion,\n EventOriginalUid = ExtID,\n NetworkRuleName = DeviceCustomString2,\n EventUid = _ItemId,\n DvcOriginalAction = DeviceAction\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DvcIdType = \"Other\"\n | extend \n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = coalesce(DvcIpAddr, DvcHostname),\n Rule = NetworkRuleName,\n User = SrcUsername,\n Hostname = DstHostname\n | project-away\n bytesIn,\n bytesOut,\n start,\n end,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n ProcessID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n ThreatConfidence,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n Ip_*,\n host,\n NetworkProtocolNumber,\n temp*\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Cisco Firepower", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoFirepower", + "query": "let ActionLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"Blocked\", \"Deny\", \"Failure\",\n \"Alerted\", \"Allow\", \"Success\",\n \"Rewritten\", \"Allow\", \"Success\",\n \"Would be Rewritten\", \"Allow\", \"Partial\",\n \"Would be Blocked\", \"Deny\", \"Partial\",\n \"Would Be Blocked\", \"Deny\", \"Partial\",\n \"Dropped\", \"Drop\", \"Failure\",\n \"Would be Dropped\", \"Drop\", \"Partial\",\n \"Partially Dropped\", \"Drop\", \"Partial\",\n \"Would be Block\", \"Deny\", \"Partial\",\n \"Partial Blocked\", \"Deny\", \"Partial\",\n \"Rejected\", \"Deny\", \"Failure\",\n \"Would be Rejected\", \"Deny\", \"Partial\",\n \"Would Rejected\", \"Deny\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Partial Block\", \"Deny\", \"Partial\",\n \"Drop\", \"Drop\", \"Failure\",\n \"Would Drop\", \"Drop\", \"Partial\",\n \"Reject\", \"Deny\", \"Failure\",\n \"Rewrite\", \"Allow\", \"Success\",\n \"Allow\", \"Allow\", \"Success\",\n \"Monitor\", \"Allow\", \"Success\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)\n[\n \"N/A\", \"NA\",\n \"IP Block\", 
\"Terminated\",\n \"IP Monitor\", \"Unknown\",\n \"User Bypass\", \"Unknown\",\n \"File Monitor\", \"Unknown\",\n \"File Block\", \"Terminated\",\n \"Intrusion Monitor\", \"Unknown\",\n \"Intrusion Block\", \"Terminated\",\n \"File Resume Block\", \"Terminated\",\n \"File Resume Allow\", \"Unknown\",\n \"File Custom Detection\", \"Unknown\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let AllLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID has_any(\"INTRUSION:400\", \"PV:112\", \"RNA:1003:1\")\n and (array_length(hostname_has_any) == 0 or DestinationDnsDomain has_any (hostname_has_any)) \n and (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", \n (temp_isSrcMatch and temp_isDstMatch), \"Both\", \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | invoke _ASIM_ResolveDstFQDN('DestinationDnsDomain')\n | extend temp_is_MatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n 
array_length(hostname_has_any) == 0,\n \"-\",\n temp_is_MatchDstHostname,\n \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol);\n let Connection_Statistics_Events = AllLogs\n | where DeviceEventClassID has \"RNA:1003:1\"\n | parse-kv AdditionalExtensions as (\n start: long,\n end: long,\n bytesIn: long,\n bytesOut: long,\n )\n with (pair_delimiter=';', kv_delimiter='=') \n | lookup EventResultDetailsLookup on Reason\n | extend\n SrcBytes = bytesIn,\n DstBytes = bytesOut,\n EventOriginalResultDetails = Reason,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"instanceID\", ProcessID,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Intrusion_Events = AllLogs\n | where DeviceEventClassID has \"INTRUSION:400\"\n | parse-kv AdditionalExtensions as (\n start: long\n )\n with (pair_delimiter=';', kv_delimiter='=')\n | extend \n EventMessage = Activity,\n ThreatCategory = DeviceEventCategory,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1,\n \"ipspolicy\", DeviceCustomString5,\n \"clientApplicationID\", RequestClientApplication,\n \"clientUrl\", RequestURL);\n let Policy_Violation_Events = AllLogs\n | where DeviceEventClassID has \"PV:112\"\n | extend\n EventMessage = Message,\n AdditionalFields = bag_pack(\"policy\", DeviceCustomString1)\n | project-rename DstUsername = DestinationUserName\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\");\n union Connection_Statistics_Events, Intrusion_Events, Policy_Violation_Events\n | extend\n SrcPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), SourcePort),\n DstPortNumber = iff(NetworkProtocol == \"ICMP\", int(null), DestinationPort),\n NetworkIcmpCode = 
iff(NetworkProtocol == \"ICMP\", DestinationPort, int(null)),\n NetworkIcmpType = iff(NetworkProtocol == \"ICMP\", tostring(SourcePort), \"\"),\n SrcZone = DeviceCustomString3,\n DstZone = DeviceCustomString4\n | lookup ActionLookup on DeviceAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventOriginalType = iff(DeviceEventClassID has \"INTRUSION:400\", \"INTRUSION EVENT\", Activity),\n SrcVlanId = tostring(DeviceCustomNumber1)\n | extend\n EventEndTime = coalesce(unixtime_milliseconds_todatetime(end), EventStartTime),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\",\n DstIpAddr contains \":\",\n \"IPv6\",\n \"\"\n )\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventCount = int(1)\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n SrcUsername = SourceUserName,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n EventOriginalSeverity = LogSeverity,\n DvcId = DeviceExternalID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventProductVersion = DeviceVersion,\n EventOriginalUid = ExtID,\n 
NetworkRuleName = DeviceCustomString2,\n EventUid = _ItemId,\n DvcOriginalAction = DeviceAction\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DvcIdType = \"Other\"\n | extend \n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = coalesce(DvcIpAddr, DvcHostname),\n Rule = NetworkRuleName,\n User = SrcUsername,\n Hostname = DstHostname\n | project-away\n bytesIn,\n bytesOut,\n start,\n end,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n ProcessID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n ThreatConfidence,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId,\n Ip_*,\n host,\n NetworkProtocolNumber,\n temp*\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json index 253a98e8572..c70fbc26768 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: string,\nEventResult: string,\nDvcAction: string,\nEventResultDetails: string,\nEventSubType: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nEventMessage: string,\nEventOriginalResultDetails: string\n)[\n\"25023\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAP connect to domain controller succeeded\", \"LDAP connect to domain controller succeeded\",\n\"25024\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connect to domain controller failed\", \"LDAP connect to domain controller failed\",\n\"25025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAP connect to global catalog succeeded\", \"LDAP connect to domain controller succeeded\",\n\"25026\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connect to global catalog failed\", \"LDAP connect to domain controller failed\",\n\"25027\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"RPC connect to domain controller succeeded\", \"RPC connect to domain controller succeeded\",\n\"25028\", \"Failure\", \"Drop\", 
\"Terminated\", \"End\", \"ERROR\", \"Low\", \"RPC connect to domain controller failed\", \"RPC connect to domain controller failed\",\n\"25029\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"KDC connect to domain controller succeeded\", \"KDC connect to domain controller succeeded\",\n\"25030\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"KDC connect to domain controller failed\", \"KDC connect to domain controller failed\",\n\"25101\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external REST ID store server\", \"ISE successfully connect to external REST ID store server\",\n\"25102\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external REST database failed\", \"ISE failed to establish a new connection to external REST database\",\n\"60188\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"INFO\", \"Low\", \"An attempted SSH connection has failed\", \"An attempted SSH connection has failed\",\n\"60234\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"The SXP connection has been disconnected\", \"The SXP connection has been disconnected\",\n\"60235\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"SXP connection succeeded\", \"SXP connection succeeded\",\n\"60236\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"SXP connection failed\", \"SXP connection failed\",\n\"61010\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"ISE has established connection to APIC\", \"ISE has established connection to APIC\",\n\"61011\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"ISE was disconnected from APIC\", \"ISE was disconnected from APIC\",\n\"61025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Open secure connection with TLS peer\", \"Secure connection established with TLS 
peer\",\n\"61026\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"Shutdown secure connection with TLS peer\", \"Secure connection with TLS peer shutdown\",\n\"60509\", \"Failure\", \"Deny\", \"Maximum Retry\", \"End\", \"ERROR\", \"Low\", \"ERS request was denied as maximum possible connection was exceeded\", \"ERS request was denied as maximum possible connection was exceeded\",\n\"61231\", \"Failure\", \"Drop\", \"Routing issue\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while receiving message\", \"Kafka connection to ACI error while receiving message\",\n\"61232\", \"Failure\", \"Drop\", \"Routing issue\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while sending message\", \"Kafka connection to ACI error while sending message\",\n\"89003\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Failed to connect to MDM server\", \"Failed to connect to MDM server\",\n\"24000\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection established with LDAP server\", \"Connection established with LDAP server\",\n\"24001\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot establish connection with LDAP server\", \"Cannot establish connection with LDAP server\",\n\"24019\", \"Failure\", \"Drop\", \"Unknown\", \"End\", \"ERROR\", \"Low\", \"LDAP connection error was encountered\", \"ISE cannot connect to LDAP external ID store\",\n\"24030\", \"Failure\", \"Drop\", \"Unknown\", \"End\", \"ERROR\", \"Low\", \"SSL connection error was encountered\", \"SSL connection error was encountered\",\n\"24400\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection to ISE Active Directory agent established successfully\", \"Connection to ISE Active Directory agent established successfully\",\n\"24401\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with ISE Active 
Directory agent\", \"Could not establish connection with ISE Active Directory agent\",\n\"24428\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Connection related error has occurred in either LRPC, LDAP or KERBEROS\", \"This RPC connection problem may be because the stub received incorrect data\",\n\"24429\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with Active Directory\", \"Could not establish connection with Active Directory\",\n\"24850\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external ODBC database\", \"ISE successfully established a new connection to external ODBC database\",\n\"24851\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external ODBC database failed\", \"ISE failed to establish a new connection to external ODBC database\",\n\"34120\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Profiler failed to get the connection to NAC Manager\", \"Profiler sends a notification event to NAC Manager, but the notification fails because could not connect to NAC Manager\",\n\"34147\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"JGroups TLS Handshake Failed\", \"JGroups TLS Handshake Failed\",\n\"34148\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"JGroups TLS Handshake Succeeded\", \"JGroups TLS Handshake Succeeded\",\n\"34149\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"HTTPS TLS Handshake Failed\", \"HTTPS TLS Handshake Failed\",\n\"34150\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"HTTPS TLS Handshake Succeeded\", \"HTTPS TLS Handshake Succeeded\",\n\"34159\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection established successfully\", \"LDAPS connection established successfully\",\n\"34160\", \"Success\", 
\"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"LDAPS connection terminated successfully\", \"LDAPS connection terminated successfully\",\n\"34161\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with SSL error\", \"LDAPS connection establishment failed with SSL error\",\n\"34162\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with SSL error\", \"LDAPS connection terminated with SSL error\",\n\"34163\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with non-SSL error\", \"LDAPS connection establishment failed with non-SSL error\",\n\"34164\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with non-SSL error\", \"LDAPS connection terminated with non-SSL error\",\n\"90062\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot connect to Domain Controller\", \"Cannot connect to Domain Controller\",\n\"90063\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Successfully establish connection to Domain Controller\", \"Successfully establish connection to Domain Controller\",\n\"90066\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Lost connection with Domain Controller\", \"Lost connection with Domain Controller\",\n\"90078\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Closed connection to Domain Controller\", \"Closed connection to Domain Controller\",\n\"91082\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"RADIUS DTLS: Connection to OCSP server failed\", \"RADIUS DTLS: Connection attempt to OCSP server failed.\",\n\"11317\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"TrustSec SSH connection failed\", \"ISE failed to establish SSH connection to a network device. 
Verify network device SSH credentials in the Network Device page are similar to the credentials configured on the network device. Check network device enabled ssh connections from ISE (ip address)\",\n\"5405\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"RADIUS Request dropped\", \"RADIUS request dropped\",\n\"5406\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"TACACS+ Request dropped\", \"TACACS+ request dropped\"\n];\nlet GetSrcIpAddr = (src_ip: string) {\n case ( \n src_ip matches regex @\"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\",\n src_ip,\n \"\"\n )\n};\nlet GetMacAddr = (mac: string) {\n case ( \n mac matches regex @\"[a-fA-F0-9\\-:]{17}\",\n mac,\n \"\"\n )\n};\nlet CiscoISENSParser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (eventresult == \"*\" or eventresult == EventResult) \n and (array_length(dvcaction) == 0 or DvcAction in~ (dvcaction))\n | summarize make_set(EventOriginalType));\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in 
(EventOriginalTypeList)\n and (array_length(ip_any) == 0 or has_any_ipv4_prefix(SyslogMessage, ip_any)) \n and (array_length(hostname_has_any) == 0 or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('DestinationPort=', tostring(dstportnumber))))\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, DestinationIPAddress: string, DestinationPort: int, ['Remote-Address']: string, ['Device IP Address']: string, ['User-Name']: string, UserName: string, User: string, ['Device Port']: int, Protocol: string, ['Calling-Station-ID']: string, ['Called-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n DstIpAddr=DestinationIPAddress\n , DstPortNumber=DestinationPort\n , SrcPortNumber=['Device Port']\n , NetworkApplicationProtocol=Protocol\n | invoke _ASIM_ResolveSrcFQDN(\"['Calling-Station-ID']\")\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventType = \"NetworkSession\"\n , EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n , DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , DstMacAddr = GetMacAddr(['Called-Station-ID'])\n , SrcMacAddr = GetMacAddr(['Calling-Station-ID'])\n , DstUsername = coalesce(UserName, ['User-Name'], User)\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], GetSrcIpAddr(['Calling-Station-ID']))\n //********************** 
************************\n | extend \n Dvc = coalesce(DvcHostname, DvcIpAddr)\n , IpAddr = SrcIpAddr\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , User = DstUsername\n //********************** ***********************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n ['Device IP Address'],\n ['Remote-Address'],\n ['Calling-Station-ID'],\n ['Called-Station-ID']\n};\nCiscoISENSParser(\nstarttime=starttime,\nendtime=endtime, \nsrcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \ndstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \nipaddr_has_any_prefix=ipaddr_has_any_prefix, \ndstportnumber=dstportnumber, \nhostname_has_any=hostname_has_any, \ndvcaction=dvcaction, \neventresult=eventresult, \ndisabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoISE", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: string,\nEventResult: string,\nDvcAction: string,\nEventResultDetails: string,\nEventSubType: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nEventMessage: string,\nEventOriginalResultDetails: string\n)[\n\"25023\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAP connect to domain controller succeeded\", \"LDAP connect to domain controller succeeded\",\n\"25024\", \"Failure\", \"Drop\", 
\"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connect to domain controller failed\", \"LDAP connect to domain controller failed\",\n\"25025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAP connect to global catalog succeeded\", \"LDAP connect to domain controller succeeded\",\n\"25026\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"LDAP connect to global catalog failed\", \"LDAP connect to domain controller failed\",\n\"25027\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"RPC connect to domain controller succeeded\", \"RPC connect to domain controller succeeded\",\n\"25028\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"RPC connect to domain controller failed\", \"RPC connect to domain controller failed\",\n\"25029\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"KDC connect to domain controller succeeded\", \"KDC connect to domain controller succeeded\",\n\"25030\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"KDC connect to domain controller failed\", \"KDC connect to domain controller failed\",\n\"25101\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external REST ID store server\", \"ISE successfully connect to external REST ID store server\",\n\"25102\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external REST database failed\", \"ISE failed to establish a new connection to external REST database\",\n\"60188\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"INFO\", \"Low\", \"An attempted SSH connection has failed\", \"An attempted SSH connection has failed\",\n\"60234\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"The SXP connection has been disconnected\", \"The SXP connection has been disconnected\",\n\"60235\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", 
\"Informational\", \"SXP connection succeeded\", \"SXP connection succeeded\",\n\"60236\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"SXP connection failed\", \"SXP connection failed\",\n\"61010\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"ISE has established connection to APIC\", \"ISE has established connection to APIC\",\n\"61011\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"ISE was disconnected from APIC\", \"ISE was disconnected from APIC\",\n\"61025\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Open secure connection with TLS peer\", \"Secure connection established with TLS peer\",\n\"61026\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"Shutdown secure connection with TLS peer\", \"Secure connection with TLS peer shutdown\",\n\"60509\", \"Failure\", \"Deny\", \"Maximum Retry\", \"End\", \"ERROR\", \"Low\", \"ERS request was denied as maximum possible connection was exceeded\", \"ERS request was denied as maximum possible connection was exceeded\",\n\"61231\", \"Failure\", \"Drop\", \"Routing issue\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while receiving message\", \"Kafka connection to ACI error while receiving message\",\n\"61232\", \"Failure\", \"Drop\", \"Routing issue\", \"End\", \"WARN\", \"Low\", \"Kafka connection to ACI error while sending message\", \"Kafka connection to ACI error while sending message\",\n\"89003\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"Failed to connect to MDM server\", \"Failed to connect to MDM server\",\n\"24000\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection established with LDAP server\", \"Connection established with LDAP server\",\n\"24001\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot establish connection with LDAP server\", \"Cannot establish connection with LDAP 
server\",\n\"24019\", \"Failure\", \"Drop\", \"Unknown\", \"End\", \"ERROR\", \"Low\", \"LDAP connection error was encountered\", \"ISE cannot connect to LDAP external ID store\",\n\"24030\", \"Failure\", \"Drop\", \"Unknown\", \"End\", \"ERROR\", \"Low\", \"SSL connection error was encountered\", \"SSL connection error was encountered\",\n\"24400\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Connection to ISE Active Directory agent established successfully\", \"Connection to ISE Active Directory agent established successfully\",\n\"24401\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with ISE Active Directory agent\", \"Could not establish connection with ISE Active Directory agent\",\n\"24428\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Connection related error has occurred in either LRPC, LDAP or KERBEROS\", \"This RPC connection problem may be because the stub received incorrect data\",\n\"24429\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Could not establish connection with Active Directory\", \"Could not establish connection with Active Directory\",\n\"24850\", \"Success\", \"Allow\", \"\", \"Start\", \"DEBUG\", \"Informational\", \"Successfully connected to external ODBC database\", \"ISE successfully established a new connection to external ODBC database\",\n\"24851\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"DEBUG\", \"Low\", \"Connection to external ODBC database failed\", \"ISE failed to establish a new connection to external ODBC database\",\n\"34120\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Profiler failed to get the connection to NAC Manager\", \"Profiler sends a notification event to NAC Manager, but the notification fails because could not connect to NAC Manager\",\n\"34147\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"JGroups TLS Handshake 
Failed\", \"JGroups TLS Handshake Failed\",\n\"34148\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"JGroups TLS Handshake Succeeded\", \"JGroups TLS Handshake Succeeded\",\n\"34149\", \"Failure\", \"Deny\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"HTTPS TLS Handshake Failed\", \"HTTPS TLS Handshake Failed\",\n\"34150\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"HTTPS TLS Handshake Succeeded\", \"HTTPS TLS Handshake Succeeded\",\n\"34159\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"LDAPS connection established successfully\", \"LDAPS connection established successfully\",\n\"34160\", \"Success\", \"Allow\", \"\", \"End\", \"INFO\", \"Informational\", \"LDAPS connection terminated successfully\", \"LDAPS connection terminated successfully\",\n\"34161\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with SSL error\", \"LDAPS connection establishment failed with SSL error\",\n\"34162\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with SSL error\", \"LDAPS connection terminated with SSL error\",\n\"34163\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection establishment failed with non-SSL error\", \"LDAPS connection establishment failed with non-SSL error\",\n\"34164\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"LDAPS connection terminated with non-SSL error\", \"LDAPS connection terminated with non-SSL error\",\n\"90062\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"ERROR\", \"Low\", \"Cannot connect to Domain Controller\", \"Cannot connect to Domain Controller\",\n\"90063\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Successfully establish connection to Domain Controller\", \"Successfully establish connection to Domain Controller\",\n\"90066\", \"Failure\", \"Drop\", 
\"Terminated\", \"End\", \"ERROR\", \"Low\", \"Lost connection with Domain Controller\", \"Lost connection with Domain Controller\",\n\"90078\", \"Success\", \"Allow\", \"\", \"Start\", \"INFO\", \"Informational\", \"Closed connection to Domain Controller\", \"Closed connection to Domain Controller\",\n\"91082\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"RADIUS DTLS: Connection to OCSP server failed\", \"RADIUS DTLS: Connection attempt to OCSP server failed.\",\n\"11317\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"WARN\", \"Low\", \"TrustSec SSH connection failed\", \"ISE failed to establish SSH connection to a network device. Verify network device SSH credentials in the Network Device page are similar to the credentials configured on the network device. Check network device enabled ssh connections from ISE (ip address)\",\n\"5405\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"RADIUS Request dropped\", \"RADIUS request dropped\",\n\"5406\", \"Failure\", \"Drop\", \"Terminated\", \"End\", \"NOTICE\", \"Low\", \"TACACS+ Request dropped\", \"TACACS+ request dropped\"\n];\nlet GetSrcIpAddr = (src_ip: string) {\n case ( \n src_ip matches regex @\"\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\",\n src_ip,\n \"\"\n )\n};\nlet GetMacAddr = (mac: string) {\n case ( \n mac matches regex @\"[a-fA-F0-9\\-:]{17}\",\n mac,\n \"\"\n )\n};\nlet CiscoISENSParser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let ip_any = 
set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (eventresult == \"*\" or eventresult == EventResult) \n and (array_length(dvcaction) == 0 or DvcAction in~ (dvcaction))\n | summarize make_set(EventOriginalType));\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n and (array_length(ip_any) == 0 or has_any_ipv4_prefix(SyslogMessage, ip_any)) \n and (array_length(hostname_has_any) == 0 or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (strcat('DestinationPort=', tostring(dstportnumber))))\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, DestinationIPAddress: string, DestinationPort: int, ['Remote-Address']: string, ['Device IP Address']: string, ['User-Name']: string, UserName: string, User: string, ['Device Port']: int, Protocol: string, ['Calling-Station-ID']: string, ['Called-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n DstIpAddr=DestinationIPAddress\n , DstPortNumber=DestinationPort\n , SrcPortNumber=['Device Port']\n , NetworkApplicationProtocol=Protocol\n | invoke _ASIM_ResolveSrcFQDN(\"['Calling-Station-ID']\")\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventType = \"NetworkSession\"\n , 
EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n , DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , DstMacAddr = GetMacAddr(['Called-Station-ID'])\n , SrcMacAddr = GetMacAddr(['Calling-Station-ID'])\n , DstUsername = coalesce(UserName, ['User-Name'], User)\n | extend\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], GetSrcIpAddr(['Calling-Station-ID']))\n //********************** ************************\n | extend \n Dvc = coalesce(DvcHostname, DvcIpAddr)\n , IpAddr = SrcIpAddr\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , User = DstUsername\n //********************** ***********************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n ['Device IP Address'],\n ['Remote-Address'],\n ['Calling-Station-ID'],\n ['Called-Station-ID']\n};\nCiscoISENSParser(\nstarttime=starttime,\nendtime=endtime, \nsrcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \ndstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \nipaddr_has_any_prefix=ipaddr_has_any_prefix, \ndstportnumber=dstportnumber, \nhostname_has_any=hostname_has_any, \ndvcaction=dvcaction, \neventresult=eventresult, \ndisabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No 
newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json index cbc0a2e60c3..6f45b405d8a 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCiscoMeraki", - "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n [\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup = datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, 
\"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup = datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", 
\"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup = datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup = datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup = datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"0\", \"Allow\", \"Success\",\n \"1\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = (\n meraki_CL\n | project-rename LogMessage = Message\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked 
DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]),\n Device = tostring(Parser[1])\n | parse Substring with * \"timestamp=\" timestamp: string \" \" *\n | extend\n Epoch = iff(isnotempty(timestamp), timestamp, tostring(Parser[0]))\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where (array_length(hostname_has_any) == 0)\n and ((isnull(dstportnumber)) or Substring has tostring(dstportnumber))\n and (array_length(dvcaction) == 0 or LogMessage has_any (dvcaction));\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), 
coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(trim(\"'\", pattern1), trim(\"'\", pattern2))\n | extend pattern = trim('\"', pattern)\n | extend direction = case(pattern has_any ('0','1'), 'ingress', pattern has_any ('allow','deny'), 'egress', 'unknown')\n | lookup NetworkDirectionLookup on direction\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost)\n | extend EventMessage = trim(\"'\", message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType in (\"ssid_spoofing_detected\", \"rogue_ssid_detected\")\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n 
EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', 
vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip: string \"]:\" temp_port: string \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend\n SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr),\n EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | where (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend protocol = trim('\"', protocol)\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend temp_srcipport = trim('\"', coalesce(src, ip_src, last_known_client_ip))\n | parse temp_srcipport with * \"[\" temp_srcip: string \"]:\" temp_srcport: string \n | extend SrcIpAddr = case( \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0],\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = trim('\"', coalesce(dst, dns_server))\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n 
| extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | where (isnull(dstportnumber) or dstportnumber == DstPortNumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend NetworkIcmpType = iff((protocol == 'icmp6' and isnotempty(NetworkIcmpCode)) and (NetworkIcmpCode between (5 .. 99) or NetworkIcmpCode between (102 .. 126) or NetworkIcmpCode between(162 .. 199) or NetworkIcmpCode between (202 .. 
254)), \"Unassigned\", NetworkIcmpType)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(trim('\"', duration)) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,ManagementGroupName,NetworkProtocolNumber\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoMeraki", + "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n [\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup = datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast 
Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup = datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup = datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup = 
datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup = datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"0\", \"Allow\", \"Success\",\n \"1\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = (\n meraki_CL\n | project-rename LogMessage = Message\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has 
\"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]),\n Device = tostring(Parser[1])\n | parse Substring with * \"timestamp=\" timestamp: string \" \" *\n | extend\n Epoch = iff(isnotempty(timestamp), timestamp, tostring(Parser[0]))\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where (array_length(hostname_has_any) == 0)\n and ((isnull(dstportnumber)) or Substring has tostring(dstportnumber))\n and (array_length(dvcaction) == 0 or LogMessage has_any (dvcaction));\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(trim(\"'\", pattern1), trim(\"'\", pattern2))\n | extend pattern = trim('\"', pattern)\n | extend direction = case(pattern has_any ('0','1'), 'ingress', pattern has_any 
('allow','deny'), 'egress', 'unknown')\n | lookup NetworkDirectionLookup on direction\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost)\n | extend EventMessage = trim(\"'\", message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType in (\"ssid_spoofing_detected\", \"rogue_ssid_detected\")\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" 
or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip: string \"]:\" temp_port: string \n | extend SrcIpAddr = case(\n 
temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend\n SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr),\n EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | where (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend protocol = trim('\"', protocol)\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend temp_srcipport = trim('\"', coalesce(src, ip_src, last_known_client_ip))\n | parse temp_srcipport with * \"[\" temp_srcip: string \"]:\" temp_srcport: string \n | extend SrcIpAddr = case( \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0],\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = trim('\"', coalesce(dst, dns_server))\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, 
\"\", DstIpAddr)\n | where (isnull(dstportnumber) or dstportnumber == DstPortNumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend NetworkIcmpType = iff((protocol == 'icmp6' and isnotempty(NetworkIcmpCode)) and (NetworkIcmpCode between (5 .. 99) or NetworkIcmpCode between (102 .. 126) or NetworkIcmpCode between(162 .. 199) or NetworkIcmpCode between (202 .. 254)), \"Unassigned\", NetworkIcmpType)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(trim('\"', duration)) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n 
client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,ManagementGroupName,NetworkProtocolNumber\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json index 7f872137385..7ebe916fb76 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json 
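Review bot: In the new-side query the EventResultDetails override for association events tests the same range twice — `iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), "Unknown", EventResultDetails)` — so the second clause is a no-op; either collapse it to a single `toint(reason) between (25 .. 31)` check or confirm which other range was intended. In the flows/firewall branch the computed fallback is `'unknown'` while `NetworkDirectionLookup` keys its row as `"Unknown"`; as far as I know `lookup` matches string keys case-sensitively, so those rows end up with an empty NetworkDirection instead of `"NA"`, and aligning the literal to `'Unknown'` would fix it. Neither issue is introduced by this commit, which only flattens the resource into a `workspaces/savedSearches` entry and adds the trailing newline; since this ARM template appears to be generated from the parser YAML (the convertKqlFunctionYamlToArmTemplate workflow touched earlier in this diff), the correction should land in that source so the next regeneration does not overwrite it.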
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCiscoMerakiSyslog')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCiscoMerakiSyslog", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCiscoMerakiSyslog", - "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n [\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup = datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination 
Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, \"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup = datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", 
\"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup = datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet EventSeverityDvcActionLookup = datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup = datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage 
has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", \"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]),\n Device = tostring(Parser[1])\n | parse Substring with * \"timestamp=\" timestamp: string \" \" *\n | extend\n Epoch = iff(isnotempty(timestamp), timestamp, tostring(Parser[0]))\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where (array_length(hostname_has_any) == 0)\n and ((isnull(dstportnumber)) or Substring has tostring(dstportnumber))\n and (array_length(dvcaction) == 0 or LogMessage has_any (dvcaction));\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = 
iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(trim(\"'\", pattern1), trim(\"'\", pattern2))\n | extend pattern = trim('\"', pattern)\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost)\n | extend EventMessage = trim(\"'\", message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType in (\"ssid_spoofing_detected\", \"rogue_ssid_detected\")\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | 
parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as (last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", 
temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip: string \"]:\" temp_port: string \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend\n SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr),\n EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | where (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend protocol = trim('\"', protocol)\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend temp_srcipport = trim('\"', coalesce(src, ip_src, last_known_client_ip))\n | parse temp_srcipport with * \"[\" temp_srcip: string \"]:\" temp_srcport: string \n | extend SrcIpAddr = case( \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0],\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = trim('\"', coalesce(dst, dns_server))\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], 
DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | where (isnull(dstportnumber) or dstportnumber == DstPortNumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend NetworkIcmpType = iff((protocol == 'icmp6' and isnotempty(NetworkIcmpCode)) and (NetworkIcmpCode between (5 .. 99) or NetworkIcmpCode between (102 .. 126) or NetworkIcmpCode between(162 .. 199) or NetworkIcmpCode between (202 .. 
254)), \"Unassigned\", NetworkIcmpType)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(trim('\"', duration)) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName,NetworkProtocolNumber\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCiscoMerakiSyslog", + "query": "let EventResultDetailsLookup = datatable(reason: string, EventResultDetails: string)\n [\n \"0\", \"Unknown\",\n \"1\", \"Unknown\",\n \"2\", \"Timeout\",\n \"3\", \"Terminated\",\n \"4\", \"Timeout\",\n \"5\", \"Transient error\",\n \"6\", \"Invalid Tunnel\",\n \"7\", \"Invalid Tunnel\",\n \"8\", \"Terminated\",\n \"9\", \"Invalid Tunnel\",\n \"10\", \"Unknown\",\n \"11\", \"Invalid TCP\",\n \"12\", \"Unknown\",\n \"13\", \"Invalid TCP\",\n \"14\", \"Invalid Tunnel\",\n \"15\", \"Invalid TCP\",\n \"16\", \"Timeout\",\n \"17\", \"Invalid Tunnel\",\n \"18\", \"Invalid TCP\",\n \"19\", \"Invalid TCP\",\n \"20\", \"Invalid TCP\",\n \"21\", \"Unknown\",\n \"22\", \"Invalid TCP\",\n \"23\", \"Invalid Tunnel\",\n \"24\", \"Invalid Tunnel\",\n \"32\", \"Unknown\",\n \"33\", \"Invalid TCP\",\n \"34\", \"Invalid TCP\",\n \"35\", \"Invalid TCP\",\n \"36\", \"Unknown\",\n \"37\", \"Unknown\",\n \"38\", \"Unknown\",\n \"39\", \"Timeout\",\n \"40\", \"Invalid TCP\",\n \"98\", \"Unknown\",\n \"99\", \"Unknown\"\n];\nlet NetworkIcmpTypeLookup = datatable(\n NetworkIcmpCode_lookup: int,\n NetworkIcmpType_lookup: string\n)\n [\n 0, \"Reserved\",\n 1, \"Destination Unreachable\",\n 2, \"Packet Too Big\",\n 3, \"Time Exceeded\",\n 4, \"Parameter Problem\",\n 100, \"Private experimentation\",\n 101, \"Private experimentation\",\n 127, \"Reserved for expansion of ICMPv6 error messages\",\n 128, \"Echo Request\",\n 129, \"Echo Reply\",\n 130, 
\"Multicast Listener Query\",\n 131, \"Multicast Listener Report\",\n 132, \"Multicast Listener Done\",\n 133, \"Router Solicitation\",\n 134, \"Router Advertisement\",\n 135, \"Neighbor Solicitation\",\n 136, \"Neighbor Advertisement\",\n 137, \"Redirect Message\",\n 138, \"Router Renumbering\",\n 139, \"ICMP Node Information Query\",\n 140, \"ICMP Node Information Response\",\n 141, \"Inverse Neighbor Discovery Solicitation Message\",\n 142, \"Inverse Neighbor Discovery Advertisement Message\",\n 143, \"Version 2 Multicast Listener Report\",\n 144, \"Home Agent Address Discovery Request Message\",\n 145, \"Home Agent Address Discovery Reply Message\",\n 146, \"Mobile Prefix Solicitation\",\n 147, \"Mobile Prefix Advertisement\",\n 148, \"Certification Path Solicitation Message\",\n 149, \"Certification Path Advertisement Message\",\n 150, \"ICMP messages utilized by experimental mobility protocols such as Seamoby\",\n 151, \"Multicast Router Advertisement\",\n 152, \"Multicast Router Solicitation\",\n 153, \"Multicast Router Termination\",\n 154, \"FMIPv6 Messages\",\n 155, \"RPL Control Message\",\n 156, \"ILNPv6 Locator Update Message\",\n 157, \"Duplicate Address Request\",\n 158, \"Duplicate Address Confirmation\",\n 159, \"MPL Control Message\",\n 160, \"Extended Echo Request\",\n 161, \"Extended Echo Reply\",\n 200, \"Private experimentation\",\n 201, \"Private experimentation\",\n 255, \"Reserved for expansion of ICMPv6 informational messages\"\n];\nlet NetworkProtocolLookup = datatable(\n protocol: string,\n NetworkProtocol_lookup: string,\n NetworkProtocolVersion: string\n)[\n \"tcp\", \"TCP\", \"\",\n \"tcp/ip\", \"TCP\", \"\",\n \"udp\", \"UDP\", \"\",\n \"udp/ip\", \"UDP\", \"\",\n \"icmp\", \"ICMP\", \"IPV4\",\n \"icmp6\", \"ICMP\", \"IPV6\",\n];\nlet EventSeverityPriorityLookup = datatable(priority: string, EventSeverity: string)[\n \"1\", \"High\",\n \"2\", \"Medium\",\n \"3\", \"Low\",\n \"4\", \"Informational\"\n];\nlet 
EventSeverityDvcActionLookup = datatable(DvcAction: string, EventSeverity: string)[\n \"Allow\", \"Informational\",\n \"Deny\", \"Low\"\n];\nlet NetworkDirectionLookup = datatable(direction: string, NetworkDirection: string)[\n \"ingress\", \"Inbound\",\n \"egress\", \"Outbound\",\n \"Unknown\", \"NA\"\n];\nlet DvcActionLookup = datatable(pattern: string, DvcAction: string, EventResult: string)[\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"Blocked\", \"Deny\", \"Failure\"\n];\nlet EventResultLookup = datatable(LogSubType: string, EventResult_type: string)[\n \"association\", \"Success\",\n \"disassociation\", \"Failure\",\n \"Virtual router collision\", \"Failure\",\n];\nlet parser=(disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) and (LogMessage has_any(\"flows\", \"firewall\", \"ids-alerts\") or LogMessage has_all(\"security_event\", \"ids-alerted\") or (LogMessage has \"events\" and (LogMessage has_any (\"Blocked DHCP server response\", \"association\") or (LogMessage has \"VRRP packet\" and not(LogMessage has_any (\"VRRP passive\", \"VRRP active\"))) or (LogMessage has \"disassociation\" and not(LogMessage has_any (\"auth_neg_failed\", 
\"dhcp\"))))) or (LogMessage has \"airmarshal_events\" and LogMessage has_any(\"ssid_spoofing_detected\", \"rogue_ssid_detected\")))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3]),\n Device = tostring(Parser[1])\n | parse Substring with * \"timestamp=\" timestamp: string \" \" *\n | extend\n Epoch = iff(isnotempty(timestamp), timestamp, tostring(Parser[0]))\n | extend\n EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where (array_length(hostname_has_any) == 0)\n and ((isnull(dstportnumber)) or Substring has tostring(dstportnumber))\n and (array_length(dvcaction) == 0 or LogMessage has_any (dvcaction));\n let FlowsFirewallData = PreFilteredData\n | where LogType in (\"flows\", \"firewall\", \"cellular_firewall\", \"vpn_firewall\")\n | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with pattern1: string \" src=\" temp_restmessage: string\n | parse Substring with * \"pattern: \" pattern2: string \" \" temp_restmessage: string\n | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))\n | extend type_icmp4 = iff(protocol == 'icmp', type, int(null))\n | lookup NetworkIcmpTypeLookup on NetworkIcmpCode_lookup\n | invoke _ASIM_ResolveICMPType('type_icmp4')\n | extend NetworkIcmpCode = coalesce(NetworkIcmpCode_lookup, NetworkIcmpCode)\n | extend NetworkIcmpType = iff(isnotempty(NetworkIcmpCode), coalesce(NetworkIcmpType_lookup, NetworkIcmpType), \"\")\n | extend pattern = coalesce(trim(\"'\", pattern1), trim(\"'\", pattern2))\n | extend pattern = trim('\"', pattern)\n | lookup DvcActionLookup on pattern\n | lookup 
EventSeverityDvcActionLookup on DvcAction\n | extend\n SrcMacAddr = trim('\"', mac),\n EventType = \"Flow\";\n let IDSAlertData = PreFilteredData\n | where LogType in (\"ids-alerts\", \"security_event\")\n | parse LogMessage with * \"security_event \" LogSubType: string \" \" * \"message: \" message: string \n | where LogType == \"security_event\" and LogSubType == \"ids-alerted\" or LogType == \"ids-alerts\"\n | parse-kv Substring as(priority: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend EventResult = \"Success\"\n | extend\n priority = trim('\"', priority),\n direction = trim('\"', direction)\n | lookup EventSeverityPriorityLookup on priority\n | lookup NetworkDirectionLookup on direction\n | extend AdditionalFields = bag_pack(\n \"signature\", trim('\"', signature)\n )\n | extend\n SrcMacAddr = trim('\"', shost),\n DstMacAddr = trim('\"', dhost)\n | extend EventMessage = trim(\"'\", message);\n let AirmarshalEvents = PreFilteredData\n | where LogType in (\"airmarshal_events\")\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType in (\"ssid_spoofing_detected\", \"rogue_ssid_detected\")\n | parse-kv temp_message as(src: string, dst: string, wired_mac: string, vlan_id: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n SrcMacAddr = trim('\"', src),\n DstMacAddr = trim('\"', dst),\n DvcMacAddr = trim('\"', wired_mac)\n | extend\n EventResult = \"Success\",\n EventSeverity = \"High\";\n let EventsData = PreFilteredData\n | where LogType == \"events\";\n let EventsData_associ = EventsData\n | parse Substring with * \"type=\" LogSubType: string \" \" temp_message: string\n | where LogSubType == \"association\" or (LogSubType == \"disassociation\" and not(Substring has_any (\"auth_neg_failed\", \"dhcp\")))\n | parse-kv Substring as 
(last_known_client_ip: string, client_mac: string, identity: string, aid: string, duration: string, ip_src: string, dns_server: string, reason: string, rssi: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend AdditionalFields = bag_pack(\n \"aid\", aid,\n \"rssi\", rssi\n )\n | extend SrcMacAddr = trim('\"', client_mac)\n | lookup EventResultLookup on LogSubType\n | extend EventResult = EventResult_type\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff((toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31), \"Unknown\", EventResultDetails);\n let EventsData_space = EventsData\n | where Substring has \"Blocked DHCP server response\" or (Substring has \"VRRP packet\" and not(Substring in~ (\"VRRP passive\", \"VRRP active\"))) \n | parse Substring with LogSubType1: string \" from\" temp_addr1: string \" on VLAN \" vlan_id1: string \" \" restmessage\n | parse Substring with LogSubType2: string \" from\" temp_addr2: string \" on VLAN \" vlan_id2: string\n | extend LogSubType = coalesce(LogSubType1, LogSubType2)\n | extend LogSubType = iff(LogSubType has \"VRRP Packet\", \"Virtual router collision\", LogSubType)\n | extend pattern = iff(Substring has \"Blocked\", \"Blocked\", \"\")\n | lookup DvcActionLookup on pattern\n | lookup EventSeverityDvcActionLookup on DvcAction\n | lookup EventResultLookup on LogSubType\n | extend EventResult = coalesce(EventResult, EventResult_type)\n | extend temp_addr = coalesce(trim('\"', temp_addr1), trim('\"', temp_addr2))\n | extend vlan_id = coalesce(trim('\"', vlan_id1), trim('\"', vlan_id2))\n | extend SrcMacAddr = iff(temp_addr matches regex \"(([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}))\", temp_addr, \"\")\n | parse temp_addr with * \"[\" temp_ip: string \"]:\" temp_port: string \n | extend SrcIpAddr = case(\n temp_addr has \".\",\n split(temp_addr, \":\")[0],\n isnotempty(temp_ip),\n temp_ip,\n temp_addr\n )\n | extend SrcPortNumber = 
toint(case(\n isnotempty(temp_port),\n temp_port,\n temp_addr has \".\",\n split(temp_addr, \":\")[1],\n \"\"\n )\n )\n | extend\n SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr),\n EventMessage = Substring;\n union\n FlowsFirewallData,\n IDSAlertData,\n EventsData_associ,\n EventsData_space,\n AirmarshalEvents\n | where (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend protocol = trim('\"', protocol)\n | lookup NetworkProtocolLookup on protocol\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkProtocol = iff(isempty(NetworkProtocolNumber), NetworkProtocol_lookup, NetworkProtocol)\n | extend temp_srcipport = trim('\"', coalesce(src, ip_src, last_known_client_ip))\n | parse temp_srcipport with * \"[\" temp_srcip: string \"]:\" temp_srcport: string \n | extend SrcIpAddr = case( \n isnotempty(SrcIpAddr),\n SrcIpAddr,\n temp_srcipport has \".\",\n split(temp_srcipport, \":\")[0],\n coalesce(temp_srcip, temp_srcipport)\n )\n | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)\n | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has \".\", split(temp_srcipport, \":\")[1], SrcPortNumber))\n | extend temp_dstipport = trim('\"', coalesce(dst, dns_server))\n | parse temp_dstipport with * \"[\" temp_dstip \"]:\" temp_dstport\n | extend DstIpAddr = iff(temp_dstipport has \".\", split(temp_dstipport, \":\")[0], coalesce(temp_dstip, temp_dstipport))\n | extend DstPortNumber = toint(coalesce(dport, temp_dstport))\n | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has \".\", split(temp_dstipport, \":\")[1], DstPortNumber))\n | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, \"\", SrcIpAddr)\n | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, \"\", DstIpAddr)\n | where (isnull(dstportnumber) or dstportnumber == DstPortNumber)\n | extend\n temp_SrcMatch = 
has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n SrcUsername = trim('\"', identity),\n SrcVlanId = trim('\"', vlan_id)\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend NetworkIcmpType = iff((protocol == 'icmp6' and isnotempty(NetworkIcmpCode)) and (NetworkIcmpCode between (5 .. 99) or NetworkIcmpCode between (102 .. 126) or NetworkIcmpCode between(162 .. 199) or NetworkIcmpCode between (202 .. 254)), \"Unassigned\", NetworkIcmpType)\n | extend\n EventSeverity = case(\n isnotempty(EventSeverity),\n EventSeverity,\n EventResult == \"Failure\",\n \"Low\",\n \"Informational\"\n ),\n EventType = iff(isnotempty(EventType), EventType, \"NetworkSession\"),\n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\")\n | extend\n Dvc = DvcHostname,\n Src = coalesce(SrcIpAddr, SrcMacAddr),\n Dst = coalesce(DstIpAddr, DstMacAddr),\n NetworkDuration = toint(todouble(trim('\"', duration)) * 1000)\n | project-rename\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n InnerVlanId = SrcVlanId,\n EventUid = _ResourceId\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n protocol,\n priority,\n reason,\n direction,\n duration,\n src,\n dst,\n dns_server,\n sport,\n dport,\n *_lookup,\n type*,\n pattern*,\n last_known_client_ip,\n ip_src,\n client_mac,\n mac,\n shost,\n dhost,\n wired_mac,\n identity,\n temp*,\n vlan_id*,\n LogSubType1,\n LogSubType2,\n 
restmessage*,\n message,\n rssi,\n aid,\n signature,\n timestamp,\n EventResult_type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName,CollectorHostName,NetworkProtocolNumber\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json index 2fbcb856480..dea11980926 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json 
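Review bot: In the new `query` string, the `EventResultDetails` fallback in the association branch tests the same range twice — `(toint(reason) >= 25 and toint(reason) <= 31) or (toint(reason) >= 25 and toint(reason) <= 31)` — so the second clause is dead. `EventResultDetailsLookup` only has rows for 0–24, 32–40, 98 and 99, so the duplicate was presumably meant to cover the other gap, `or (toint(reason) >= 41 and toint(reason) <= 97)`; confirm against the Meraki disassociation reason codes before changing it. `EventUid = _ResourceId` also looks questionable for a per-event identifier, since `_ResourceId` appears to identify the sending resource rather than the row — verify what uniqueness consumers of `EventUid` expect. This JSON looks generated from the parser YAML (the repo's convertKqlFunctionYamlToArmTemplate workflow), so any fix belongs in the YAML source so the next regeneration does not reintroduce it.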
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCorelightZeek')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCorelightZeek", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Corelight Zeek", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCorelightZeek", - "query": "let NetworkDirectionLookup = datatable(local_orig: bool, local_resp: bool, NetworkDirection: string)\n[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n];\nlet ResultLookup = datatable (conn_state:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string)\n[ \n 'S0', 'Success', '', 'Connection attempt seen, no reply', 'Informational',\n 'S1', 'Success', '', 'Connection established, not terminated', 'Informational',\n 'SF', 'Success', 'Terminated', 'Normal establishment and termination', 'Informational', // Note that this is the same symbol as for state S1. 
You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.\n 'REJ', 'Failure', 'Rejeced', 'Connection attempt rejected', 'Low',\n 'S2', 'Failure', 'Terminated', 'Connection established and close attempt by originator seen (but no reply from responder)', 'Low',\n 'S3', 'Failure', 'Terminated', 'Connection established and close attempt by responder seen (but no reply from originator)', 'Low',\n 'RSTO', 'Failure', 'Reset', 'Connection established, originator aborted (sent a RST)', 'Low',\n 'RSTR', 'Failure', 'Reset', 'Responder sent a RST', 'Low',\n 'RSTOS0', 'Failure', 'Reset', 'Originator sent a SYN followed by a RST, no SYN-ACK from the responder','Low',\n 'RSTRH', 'Failure', 'Reset', 'Responder sent a SYN ACK followed by a RST, no SYN from the originator','Low',\n 'SH', 'Failure', 'Timeout', 'Originator sent a SYN followed by a FIN, no SYN ACK from the responder', 'Low',\n 'SHR', 'Failure', 'Timeout', 'Responder sent a SYN ACK followed by a FIN, no SYN from the originator', 'Low',\n 'OTH', 'Success', '', 'No SYN seen, just midstream traffic', 'Informational'\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n) \n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n Corelight_CL \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and not(disabled)\n and (array_length(hostname_has_any) == 0)\n and 
(array_length(dvcaction) == 0)\n and (Message has '\"_path\":\"conn\"' or Message has '\"conn_red\"')\n and (array_length(ip_any)==0 or has_any_ipv4_prefix(Message,ip_any)) \n and (isnull(dstportnumber) or Message has (strcat('\"id.resp_p\":', tostring(dstportnumber)))) \n | project Message\n | parse Message with * '\"conn_state\":\"' conn_state '\",' *\n | lookup ResultLookup on conn_state\n | where (eventresult == \"*\" or eventresult == EventResult)\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"service\"']:string,\n ['\"duration\"']:int,\n ['\"orig_bytes\"']:long,\n ['\"resp_bytes\"']:long,\n ['\"local_orig\"']:bool,\n ['\"local_resp\"']:bool,\n ['\"missed_bytes\"']:long,\n ['\"history\"']:string,\n ['\"orig_pkts\"']:long,\n ['\"resp_pkts\"']:long,\n ['\"orig_l2_addr\"']:string,\n ['\"resp_l2_addr\"']:string,\n ['\"community_id']:string,\n ['\"vlan\"']:string,\n ['\"inner_vlan\"']:string\n ) \n with (quote = '\"')\n | extend \n EventCount=int(1),\n EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.4\",\n EventType=\"Flow\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n NetworkApplicationProtocol = ['\"service\"'],\n NetworkDuration = ['\"duration\"'],\n SrcBytes = ['\"orig_bytes\"'],\n DstBytes = ['\"resp_bytes\"'],\n local_orig = ['\"local_orig\"'],\n local_resp = ['\"local_resp\"'],\n FlowMissedBytes = ['\"missed_bytes\"'],\n SrcPackets = ['\"orig_pkts\"'],\n DstPackets = ['\"resp_pkts\"'],\n SrcMacAddr = ['\"orig_l2_addr\"'],\n 
DstMacAddr = ['\"resp_l2_addr\"'],\n DstVlanId = ['\"vlan\"'],\n SrcVlanId = ['\"inner_vlan\"'],\n FlowHistory = ['\"history\"'],\n NetworkSessionId = ['\"community_id'],\n Dvc = ['\"_system_name\"']\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp*\n | where ASimMatchingIpAddr != \"No match\"\n | lookup NetworkDirectionLookup on local_orig, local_resp\n | extend\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n NetworkProtocol = toupper(NetworkProtocol)\n // Aliases\n | extend \n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=NetworkDuration,\n SessionId = NetworkSessionId,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId,\n Dst=DstIpAddr\n | project-away Message, local_orig, local_resp, conn_state\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM 
filtering parser for Corelight Zeek", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCorelightZeek", + "query": "let NetworkDirectionLookup = datatable(local_orig: bool, local_resp: bool, NetworkDirection: string)\n[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n];\nlet ResultLookup = datatable (conn_state:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string, EventSeverity:string)\n[ \n 'S0', 'Success', '', 'Connection attempt seen, no reply', 'Informational',\n 'S1', 'Success', '', 'Connection established, not terminated', 'Informational',\n 'SF', 'Success', 'Terminated', 'Normal establishment and termination', 'Informational', // Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.\n 'REJ', 'Failure', 'Rejeced', 'Connection attempt rejected', 'Low',\n 'S2', 'Failure', 'Terminated', 'Connection established and close attempt by originator seen (but no reply from responder)', 'Low',\n 'S3', 'Failure', 'Terminated', 'Connection established and close attempt by responder seen (but no reply from originator)', 'Low',\n 'RSTO', 'Failure', 'Reset', 'Connection established, originator aborted (sent a RST)', 'Low',\n 'RSTR', 'Failure', 'Reset', 'Responder sent a RST', 'Low',\n 'RSTOS0', 'Failure', 'Reset', 'Originator sent a SYN followed by a RST, no SYN-ACK from the responder','Low',\n 'RSTRH', 'Failure', 'Reset', 'Responder sent a SYN ACK followed by a RST, no SYN from the originator','Low',\n 'SH', 'Failure', 'Timeout', 'Originator sent a SYN followed by a FIN, no SYN ACK from the responder', 'Low',\n 'SHR', 'Failure', 'Timeout', 'Responder sent a SYN ACK followed by a FIN, no SYN from the originator', 'Low',\n 'OTH', 'Success', '', 'No SYN seen, just midstream traffic', 'Informational'\n];\nlet parser = (\n starttime:datetime=datetime(null), \n 
endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false\n) \n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n Corelight_CL \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n and not(disabled)\n and (array_length(hostname_has_any) == 0)\n and (array_length(dvcaction) == 0)\n and (Message has '\"_path\":\"conn\"' or Message has '\"conn_red\"')\n and (array_length(ip_any)==0 or has_any_ipv4_prefix(Message,ip_any)) \n and (isnull(dstportnumber) or Message has (strcat('\"id.resp_p\":', tostring(dstportnumber)))) \n | project Message\n | parse Message with * '\"conn_state\":\"' conn_state '\",' *\n | lookup ResultLookup on conn_state\n | where (eventresult == \"*\" or eventresult == EventResult)\n | parse-kv Message as (\n ['\"_system_name\"']:string,\n ['\"_write_ts\"']:datetime,\n ['\"ts\"']:datetime,\n ['\"uid\"']:string,\n ['\"id.orig_h\"']:string,\n ['\"id.orig_p\"']:int,\n ['\"id.resp_h\"']:string,\n ['\"id.resp_p\"']:int,\n ['\"proto\"']:string,\n ['\"service\"']:string,\n ['\"duration\"']:int,\n ['\"orig_bytes\"']:long,\n ['\"resp_bytes\"']:long,\n ['\"local_orig\"']:bool,\n ['\"local_resp\"']:bool,\n ['\"missed_bytes\"']:long,\n ['\"history\"']:string,\n ['\"orig_pkts\"']:long,\n ['\"resp_pkts\"']:long,\n ['\"orig_l2_addr\"']:string,\n ['\"resp_l2_addr\"']:string,\n ['\"community_id']:string,\n ['\"vlan\"']:string,\n ['\"inner_vlan\"']:string\n ) \n with (quote = '\"')\n | extend \n EventCount=int(1),\n 
EventProduct=\"Zeek\",\n EventVendor=\"Corelight\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.4\",\n EventType=\"Flow\"\n | project-rename\n EventStartTime= ['\"ts\"'],\n EventEndTime = ['\"_write_ts\"'],\n EventOriginalUid = ['\"uid\"'],\n SrcIpAddr = ['\"id.orig_h\"'],\n SrcPortNumber = ['\"id.orig_p\"'],\n DstIpAddr = ['\"id.resp_h\"'],\n DstPortNumber = ['\"id.resp_p\"'],\n NetworkProtocol = ['\"proto\"'],\n NetworkApplicationProtocol = ['\"service\"'],\n NetworkDuration = ['\"duration\"'],\n SrcBytes = ['\"orig_bytes\"'],\n DstBytes = ['\"resp_bytes\"'],\n local_orig = ['\"local_orig\"'],\n local_resp = ['\"local_resp\"'],\n FlowMissedBytes = ['\"missed_bytes\"'],\n SrcPackets = ['\"orig_pkts\"'],\n DstPackets = ['\"resp_pkts\"'],\n SrcMacAddr = ['\"orig_l2_addr\"'],\n DstMacAddr = ['\"resp_l2_addr\"'],\n DstVlanId = ['\"vlan\"'],\n SrcVlanId = ['\"inner_vlan\"'],\n FlowHistory = ['\"history\"'],\n NetworkSessionId = ['\"community_id'],\n Dvc = ['\"_system_name\"']\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp*\n | where ASimMatchingIpAddr != \"No match\"\n | lookup NetworkDirectionLookup on local_orig, local_resp\n | extend\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n NetworkProtocol = toupper(NetworkProtocol)\n // Aliases\n | extend \n IpAddr=SrcIpAddr,\n Src=SrcIpAddr,\n Duration=NetworkDuration,\n SessionId = NetworkSessionId,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId,\n Dst=DstIpAddr\n | project-away Message, local_orig, local_resp, 
conn_state\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json index 8a4ad88fbe6..a546418acdf 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json 
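Review bot: The regenerated query on the new side still carries two defects inherited from the old side that this restructuring does not address: the ResultLookup row for `REJ` sets EventResultDetails to `'Rejeced'` (a typo that any consumer filtering on `Rejected` will miss), and the parse-kv key `['\"community_id']` lacks the closing `\"` that every other key in that list has, and the same unbalanced name is repeated in `NetworkSessionId = ['\"community_id']` under project-rename, so the extraction may silently come back empty. The proposed lines are `'REJ', 'Failure', 'Rejected', 'Connection attempt rejected', 'Low',`, `['\"community_id\"']:string,` and `NetworkSessionId = ['\"community_id\"'],`. This ARM template appears to be generated from a parser YAML, so the fix belongs in that source file followed by a regeneration rather than a hand edit here. The hunk also drops the `dependsOn` on the workspace along with the nested resource; with the flat `workspaces/savedSearches` type and the `concat(parameters('Workspace'), '/...')` name that looks intentional, but it now presumes the workspace already exists at deploy time.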
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionCrowdStrikeFalconHost')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionCrowdStrikeFalconHost", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionCrowdStrikeFalconHost", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet EventFieldsLookup = datatable (\n ruleAction: int,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n 0, \"invalid\", \"Deny\", \"Failure\",\n 1, \"allowed\", \"Allow\", \"Success\",\n 2, \"blocked\", \"Deny\", \"Failure\"\n];\n//ActionLokkup is prepapred by considering facts as below:\n//Response bit: KILL PROCESS, modifier bit: '', DvcAction: Deny\n//Response bit: KILL PROCESS, modifier bit: POLICY_DISABLED, DvcAction: Allow as here process would have been killed or blocked if policy was enabled so current event is not killed.\nlet ActionLookup = datatable (\n EventOutcome: string,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"0\", \"Detection\", \"Allow\", \"Success\",\n \"2\", \"Detection\", \"Allow\", \"Success\",\n \"16\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"128\", \"Quarantine\", \"Allow\", \"Success\",\n \"144\", 
\"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"272\", \"Detection\", \"Allow\", \"Success\",\n \"400\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"512\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"640\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"768\", \"Detection\", \"Allow\", \"Success\", \n \"1024\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"1040\", \"Prevention-killed,blocked\", \"Deny\", \"Failure\",\n \"1152\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1168\", \"Prevention-killed,blocked,quarnatine\", \"Deny\", \"Failure\",\n \"1280\", \"Detection\", \"Allow\", \"Success\",\n \"1296\", \"Detection\", \"Allow\", \"Success\",\n \"2048\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2176\", \"Prevention-quarantine,blocked \", \"Deny\", \"Failure\",\n \"2304\", \"Detection\", \"Allow\", \"Success\",\n \"2432\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"4096\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4112\", \"Prevention-blocked,killed\", \"Deny\", \"Failure\",\n \"4224\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4240\", \"Prevention-killed,blocked,quarantine\", \"Deny\", \"Failure\",\n \"4352\", \"Detection\", \"Allow\", \"Success\",\n \"4368\", \"Detection\", \"Allow\", \"Success\",\n \"4638\", \"Detection\", \"Allow\", \"Success\",\n \"5120\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"8192\", \"Disabled\", \"Allow\", \"Success\",\n \"8208\", \"Detection\", \"Allow\", \"Success\",\n \"8320\", \"Detection-quarnatine\", \"Allow\", \"Success\",\n \"8704\", \"Detection\", \"Allow\", \"Success\",\n \"9216\", \"Detection\", \"Allow\", \"Success\",\n \"10240\", \"Detection\", \"Allow\", \"Success\",\n \"12304\", \"Detection\", \"Allow\", \"Success\",\n \"16400\", \"Killed\", \"Deny\", \"Failure\",\n \"32768\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"32896\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n 
\"33024\", \"Detection\", \"Allow\", \"Success\",\n \"65536\", \"Downgraded\", \"Allow\", \"Success\",\n \"65552\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"65792\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"65808\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73728\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73744\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"131088\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131216\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"131584\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131712\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"2099200\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2099328\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4196352\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4196480\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1048576\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"524288\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"262144\", \"Blocking Disabled\", \"Allow\", \"Success\",\n \"16384\", \"Safeguard Enabled\", \"Allow\", \"Success\",\n \"131072\", \"Kill Failed\", \"Deny\", \"Failure\",\n \"256\", \"Policy Disabled\", \"Allow\", \"Success\",\n \"2097152\", \"Response Action Already Applied\", \"Deny\", \"Failure\",\n \"4194304\", \"Response Failed\", \"Deny\", \"Failure\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let 
alldata = CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | where DeviceEventClassID in (\"Network Access In A Detection Summary Event\", \"FirewallMatchEvent\")\n | where (array_length(hostname_has_any) == 0 or DestinationHostName has_any (hostname_has_any))\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber) or (AdditionalExtensions has tostring(dstportnumber)))\n ;\n let firewalldata = alldata\n | where DeviceEventClassID == \"FirewallMatchEvent\"\n | parse-kv AdditionalExtensions as (deviceId: string, cmdLine: string, connectionDirection: int, eventType: string, hostName: string, icmpCode: int, icmpType: string, localAddress: string, localPort: int, matchCount: int, networkProfile: string, protocol: int, remoteAddress: string, remotePort: int, ruleAction: int, ruleDescription: string, ruleGroupName: string, ruleName: string, status: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventFieldsLookup on ruleAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend\n EventCount = matchCount,\n EventStartTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n NetworkDirection = case(\n connectionDirection == 1, \"Inbound\",\n connectionDirection == 2, \"Outbound\",\n \"\"\n ),\n SrcIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n SrcPortNumber = case(\n connectionDirection == 1, remotePort,\n connectionDirection == 2, localPort,\n int(null)\n ),\n DstIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n DstPortNumber = case(\n connectionDirection == 1, localPort,\n connectionDirection == 2, remotePort,\n int(null)\n )\n | 
where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\", \n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | extend deviceIp = iff(hostName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", hostName, \"\")\n | extend \n hostName = iff(isempty(deviceIp), hostName, \"\"),\n AdditionalFields = bag_pack(\n \"networkProfile\", networkProfile,\n \"ruleDescription\", ruleDescription,\n \"ruleGroupName\", ruleGroupName,\n \"cmdLine\", cmdLine\n ),\n NetworkIcmpCode = icmpCode\n | invoke _ASIM_ResolveDvcFQDN('hostName')\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkIcmpType = _ASIM_LookupICMPType('icmpType')\n | project-rename\n DvcId = deviceId,\n DvcIpAddr = deviceIp,\n EventOriginalSubType = eventType,\n NetworkRuleName = ruleName\n | extend\n Rule = NetworkRuleName,\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr);\n let networkaccessdata = alldata\n | where DeviceEventClassID has \"Network Access In A Detection Summary Event\"\n | lookup ActionLookup on EventOutcome\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\", \n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\" \n ) \n | where 
ASimMatchingIpAddr != \"No match\"\n | parse-kv AdditionalExtensions as (CSMTRPatternDisposition: string, tactic: string, technique: string, objective: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveSrcFQDN('DestinationHostName')\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n SrcHostname has_any (hostname_has_any),\n \"SrcHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventCount = int(1),\n SrcDomain = coalesce(SrcDomain, DestinationNTDomain),\n EventOriginalResultDetails = CSMTRPatternDisposition,\n SrcProcessId = tostring(FieldDeviceCustomNumber2),\n SrcDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", SrcDomainType),\n AdditionalFields = bag_pack(\n \"CSMTRPatternDisposition\", CSMTRPatternDisposition, \n \"Tactic\", coalesce(tactic, Activity),\n \"Technique\", coalesce(technique, DeviceAction),\n \"Objective\", coalesce(objective, Reason),\n DeviceCustomString6Label, DeviceCustomString6\n )\n | project-rename\n DvcId = ExtID,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n SrcMacAddr = SourceMACAddress,\n SrcUsername = DestinationUserName,\n SrcProcessName = FileName\n | extend\n Dvc = DvcId,\n Hostname = SrcHostname,\n User = SrcUsername,\n SrcAppId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\",\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername);\n union firewalldata, networkaccessdata\n | lookup EventSeverityLookup on LogSeverity\n | extend NetworkProtocolVersion = case(\n DstIpAddr contains \".\", \"IPv4\",\n DstIpAddr contains \":\", \"IPv6\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = 
\"CrowdStrike\",\n EventProduct = \"FalconHost\",\n EventType = \"EndpointNetworkSession\"\n | project-rename\n EventOriginalType = DeviceEventClassID,\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventOriginalSeverity= LogSeverity\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\")\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n EventOutcome,\n IndicatorThreatType,\n cmdLine,\n connectionDirection,\n hostName,\n matchCount,\n networkProfile,\n protocol,\n ruleAction,\n ruleDescription,\n ruleGroupName,\n icmpCode,\n icmpType,\n status,\n CSMTRPatternDisposition,\n temp_*,\n NetworkProtocolNumber,\n localAddress,\n localPort,\n remoteAddress,\n remotePort\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - 
} - ] + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet EventFieldsLookup = datatable (\n ruleAction: int,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n 0, \"invalid\", \"Deny\", \"Failure\",\n 1, \"allowed\", \"Allow\", \"Success\",\n 2, \"blocked\", \"Deny\", \"Failure\"\n];\n//ActionLokkup is prepapred by considering facts as below:\n//Response bit: KILL PROCESS, modifier bit: '', DvcAction: Deny\n//Response bit: KILL PROCESS, modifier bit: POLICY_DISABLED, DvcAction: Allow as here process would have been killed or blocked if policy was enabled so current event is not killed.\nlet ActionLookup = datatable (\n EventOutcome: string,\n DvcOriginalAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"0\", \"Detection\", \"Allow\", \"Success\",\n \"2\", \"Detection\", \"Allow\", \"Success\",\n \"16\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"128\", \"Quarantine\", \"Allow\", \"Success\",\n \"144\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"272\", \"Detection\", \"Allow\", \"Success\",\n \"400\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"512\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"640\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"768\", \"Detection\", \"Allow\", \"Success\", \n \"1024\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"1040\", \"Prevention-killed,blocked\", \"Deny\", \"Failure\",\n \"1152\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1168\", \"Prevention-killed,blocked,quarnatine\", \"Deny\", \"Failure\",\n \"1280\", 
\"Detection\", \"Allow\", \"Success\",\n \"1296\", \"Detection\", \"Allow\", \"Success\",\n \"2048\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2176\", \"Prevention-quarantine,blocked \", \"Deny\", \"Failure\",\n \"2304\", \"Detection\", \"Allow\", \"Success\",\n \"2432\", \"Detection-quarantine\", \"Allow\", \"Success\",\n \"4096\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4112\", \"Prevention-blocked,killed\", \"Deny\", \"Failure\",\n \"4224\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4240\", \"Prevention-killed,blocked,quarantine\", \"Deny\", \"Failure\",\n \"4352\", \"Detection\", \"Allow\", \"Success\",\n \"4368\", \"Detection\", \"Allow\", \"Success\",\n \"4638\", \"Detection\", \"Allow\", \"Success\",\n \"5120\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"8192\", \"Disabled\", \"Allow\", \"Success\",\n \"8208\", \"Detection\", \"Allow\", \"Success\",\n \"8320\", \"Detection-quarnatine\", \"Allow\", \"Success\",\n \"8704\", \"Detection\", \"Allow\", \"Success\",\n \"9216\", \"Detection\", \"Allow\", \"Success\",\n \"10240\", \"Detection\", \"Allow\", \"Success\",\n \"12304\", \"Detection\", \"Allow\", \"Success\",\n \"16400\", \"Killed\", \"Deny\", \"Failure\",\n \"32768\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"32896\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"33024\", \"Detection\", \"Allow\", \"Success\",\n \"65536\", \"Downgraded\", \"Allow\", \"Success\",\n \"65552\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"65792\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"65808\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73728\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"73744\", \"Detection-downgraded\", \"Allow\", \"Success\",\n \"131088\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131216\", \"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"131584\", \"Prevention-killed\", \"Deny\", \"Failure\",\n \"131712\", 
\"Prevention-killed,quarantine\", \"Deny\", \"Failure\",\n \"2099200\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"2099328\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"4196352\", \"Prevention-blocked\", \"Deny\", \"Failure\",\n \"4196480\", \"Prevention-blocked,quarantine\", \"Deny\", \"Failure\",\n \"1048576\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"524288\", \"Prevention-suspend\", \"Deny\", \"Failure\",\n \"262144\", \"Blocking Disabled\", \"Allow\", \"Success\",\n \"16384\", \"Safeguard Enabled\", \"Allow\", \"Success\",\n \"131072\", \"Kill Failed\", \"Deny\", \"Failure\",\n \"256\", \"Policy Disabled\", \"Allow\", \"Success\",\n \"2097152\", \"Response Action Already Applied\", \"Deny\", \"Failure\",\n \"4194304\", \"Response Failed\", \"Deny\", \"Failure\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let alldata = CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | where DeviceEventClassID in (\"Network Access In A Detection Summary Event\", \"FirewallMatchEvent\")\n | where (array_length(hostname_has_any) == 0 or DestinationHostName has_any (hostname_has_any))\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber) or (AdditionalExtensions has tostring(dstportnumber)))\n ;\n let firewalldata = alldata\n | where 
DeviceEventClassID == \"FirewallMatchEvent\"\n | parse-kv AdditionalExtensions as (deviceId: string, cmdLine: string, connectionDirection: int, eventType: string, hostName: string, icmpCode: int, icmpType: string, localAddress: string, localPort: int, matchCount: int, networkProfile: string, protocol: int, remoteAddress: string, remotePort: int, ruleAction: int, ruleDescription: string, ruleGroupName: string, ruleName: string, status: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventFieldsLookup on ruleAction\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend\n EventCount = matchCount,\n EventStartTime = unixtime_milliseconds_todatetime(tolong(ReceiptTime)),\n NetworkDirection = case(\n connectionDirection == 1, \"Inbound\",\n connectionDirection == 2, \"Outbound\",\n \"\"\n ),\n SrcIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n SrcPortNumber = case(\n connectionDirection == 1, remotePort,\n connectionDirection == 2, localPort,\n int(null)\n ),\n DstIpAddr = case(\n connectionDirection == 1, remoteAddress,\n connectionDirection == 2, localAddress,\n \"\"\n ),\n DstPortNumber = case(\n connectionDirection == 1, localPort,\n connectionDirection == 2, remotePort,\n int(null)\n )\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DstIpAddr, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\", \n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | extend deviceIp = iff(hostName matches regex 
\"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", hostName, \"\")\n | extend \n hostName = iff(isempty(deviceIp), hostName, \"\"),\n AdditionalFields = bag_pack(\n \"networkProfile\", networkProfile,\n \"ruleDescription\", ruleDescription,\n \"ruleGroupName\", ruleGroupName,\n \"cmdLine\", cmdLine\n ),\n NetworkIcmpCode = icmpCode\n | invoke _ASIM_ResolveDvcFQDN('hostName')\n | invoke _ASIM_ResolveNetworkProtocol('protocol')\n | extend NetworkIcmpType = _ASIM_LookupICMPType('icmpType')\n | project-rename\n DvcId = deviceId,\n DvcIpAddr = deviceIp,\n EventOriginalSubType = eventType,\n NetworkRuleName = ruleName\n | extend\n Rule = NetworkRuleName,\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr);\n let networkaccessdata = alldata\n | where DeviceEventClassID has \"Network Access In A Detection Summary Event\"\n | lookup ActionLookup on EventOutcome\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend\n temp_isSrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch = has_any_ipv4_prefix(DestinationIP, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\", \n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\" \n ) \n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv AdditionalExtensions as (CSMTRPatternDisposition: string, tactic: string, technique: string, objective: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveSrcFQDN('DestinationHostName')\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n SrcHostname has_any (hostname_has_any),\n \"SrcHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n DstIpAddr = 
coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventCount = int(1),\n SrcDomain = coalesce(SrcDomain, DestinationNTDomain),\n EventOriginalResultDetails = CSMTRPatternDisposition,\n SrcProcessId = tostring(FieldDeviceCustomNumber2),\n SrcDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", SrcDomainType),\n AdditionalFields = bag_pack(\n \"CSMTRPatternDisposition\", CSMTRPatternDisposition, \n \"Tactic\", coalesce(tactic, Activity),\n \"Technique\", coalesce(technique, DeviceAction),\n \"Objective\", coalesce(objective, Reason),\n DeviceCustomString6Label, DeviceCustomString6\n )\n | project-rename\n DvcId = ExtID,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n SrcMacAddr = SourceMACAddress,\n SrcUsername = DestinationUserName,\n SrcProcessName = FileName\n | extend\n Dvc = DvcId,\n Hostname = SrcHostname,\n User = SrcUsername,\n SrcAppId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\",\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername);\n union firewalldata, networkaccessdata\n | lookup EventSeverityLookup on LogSeverity\n | extend NetworkProtocolVersion = case(\n DstIpAddr contains \".\", \"IPv4\",\n DstIpAddr contains \":\", \"IPv6\",\n \"\"\n )\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"CrowdStrike\",\n EventProduct = \"FalconHost\",\n EventType = \"EndpointNetworkSession\"\n | project-rename\n EventOriginalType = DeviceEventClassID,\n EventProductVersion = DeviceVersion,\n EventUid = _ItemId,\n EventOriginalSeverity= LogSeverity\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\")\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n 
Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message,\n EventOutcome,\n IndicatorThreatType,\n cmdLine,\n connectionDirection,\n hostName,\n matchCount,\n networkProfile,\n protocol,\n ruleAction,\n ruleDescription,\n ruleGroupName,\n icmpCode,\n icmpType,\n status,\n CSMTRPatternDisposition,\n temp_*,\n NetworkProtocolNumber,\n localAddress,\n localPort,\n remoteAddress,\n remotePort\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json index f4941f57026..7a5d3ff897a 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionEmpty", - "query": "let parser=datatable(\n TimeGenerated:datetime\n , _ResourceId:string\n , Type:string\n // -- Event Fields\n , EventMessage:string // Optional\n , EventCount:int // Mandatory\n , EventStartTime:datetime // Mandatory\n , EventEndTime:datetime // Alias\n , EventType:string // Mandatory\n , EventSubType:string // Optional\n , EventResult:string // Mandatory\n , EventResultDetails:string // Optional\n , EventOriginalResultDetails:string // Optional\n , EventSeverity:string // Mandatory\n , EventOriginalSeverity:string // Optional\n , EventOriginalUid:string // Optional\n , EventOriginalType:string // Optional\n , EventOriginalSubType:string // Optional\n , EventProduct:string // Mandatory\n , EventProductVersion:string // Optional\n , EventVendor:string // Mandatory\n , EventSchema:string // Mandatory\n , EventSchemaVersion:string // Mandatory\n , EventReportUrl:string // Mandatory\n , Dvc:string // Alias\n , DvcIpAddr:string // Mandatory\n , DvcHostname:string // Mandatory\n , DvcDomain:string // Recommended\n , DvcDomainType:string // Recommended\n , DvcFQDN:string // Optional\n , DvcId:string // Optional\n , DvcIdType:string // Optional\n , DvcMacAddr:string // Optional\n , DvcZone:string // Optional\n 
, DvcDescription:string // Optional\n // -- Network Session Fields\n , Dst:string // Alias\n , DstIpAddr:string // Recommended\n , DstPortNumber:int // Optional\n , DstHostname:string // Recommended\n , Hostname:string // Alias\n , DstDescription:string // Optional\n , DstDomain:string // Recommended\n , DstDomainType:string // Recommended\n , DstFQDN:string // Optional\n , DstDvcId:string // Optional\n , DstDvcIdType:string // Optional\n , DstDeviceType:string // Optional\n , DstUserId:string // Optional\n , DstUserIdType:string // Optional\n , DstUsername:string // Optional\n , User:string // Alias\n , DstUsernameType:string // Alias\n , DstUserType:string // Optional\n , DstOriginalUserType:string // Optional\n , DstUserDomain:string // Optional\n , DstAppName:string // Optional\n , DstAppId:string // Optional\n , DstAppType:string // Optional\n , DstZone:string // Optional\n , DstInterfaceName:string // Optional\n , DstInterfaceGuid:string // Optional\n , DstMacAddr:string // Optional\n , DstGeoCountry:string // Optional\n , DstGeoRegion: string // Optional\n , DstGeoCity:string // Optional\n , DstGeoLatitude:real // Optional\n , DstGeoLongitude:real // Optional\n , Src:string // Alias\n , SrcIpAddr:string // Recommended\n , SrcPortNumber:int // Optional\n , SrcHostname:string // Recommended\n , SrcDescription:string // Optional\n , SrcDomain:string // Recommended\n , SrcDomainType:string // Recommended\n , SrcFQDN:string // Optional\n , SrcDvcId:string // Optional\n , SrcDvcIdType:string // Optional\n , SrcDeviceType:string // Optional\n , SrcUserId:string // Optional\n , SrcUserIdType:string // Optional\n , SrcUsername:string // Optional\n , SrcUsernameType:string // Alias\n , SrcUserType:string // Optional\n , SrcOriginalUserType:string // Optional\n , SrcUserDomain:string // Optional\n , SrcAppName:string // Optional\n , SrcAppId:string // Optional\n , IpAddr:string // Alias\n , SrcAppType:string // Optional\n , SrcZone:string // Optional\n , 
SrcInterfaceName:string // Optional\n , SrcInterfaceGuid:string // Optional\n , SrcMacAddr:string // Optional\n , SrcGeoCountry:string // Optional\n , SrcGeoCity:string // Optional\n , SrcGeoRegion: string // Optional \n , SrcGeoLatitude:real // Optional\n , SrcGeoLongitude:real // Optional\n , NetworkApplicationProtocol:string // Optional\n , NetworkProtocol:string // Optional\n , NetworkProtocolVersion:string // Optional\n , NetworkDirection:string // Optional\n , NetworkDuration:int // Optional\n , Duration:int // Alias\n , NetworkIcmpCode:int // Optional\n , NetworkIcmpType:string // Optional\n , DstBytes:long // Optional\n , SrcBytes:long // Optional\n , NetworkBytes:long // Optional\n , DstPackets:long // Optional\n , SrcPackets:long // Optional\n , NetworkPackets:long // Optional\n , NetworkSessionId:string // Optional\n , SessionId:string // Alias\n , NetworkConnectionHistory:string // Optional\n , SrcVlanId:string // Optional\n , DstVlanId:string // Alias\n , InnerVlanId:string // Optional\n , OuterVlanId: string // Alias\n // -- Intermediary device fields\n , DstNatIpAddr:string // Optional\n , DstNatPortNumber:int // Optional\n , SrcNatIpAddr:string // Optional\n , SrcNatPortNumber:int // Optional\n , DvcInboundInterface:string // Optional\n , DvcOutboundInterface:string // Optional\n , DvcInterface:string // Optional\n // -- Inspection fields\n , NetworkRuleName:string // Optional\n , NetworkRuleNumber:int // Optional\n , Rule:string // Optional\n , DvcAction:string // Optional\n , DvcOriginalAction:string // Optional\n , ThreatId:string // Optional\n , ThreatName:string // Optional\n , ThreatCategory:string // Optional\n , ThreatRiskLevel:int // Optional\n , ThreatOriginalRiskLevel:string // Optional\n , DvcSubscriptionId:string // Optional\n , SrcSubscriptionId:string // Optional\n , DstSubscriptionId:string // Optional \n )[];\nparser", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM schema 
function", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionEmpty", + "query": "let parser=datatable(\n TimeGenerated:datetime\n , _ResourceId:string\n , Type:string\n // -- Event Fields\n , EventMessage:string // Optional\n , EventCount:int // Mandatory\n , EventStartTime:datetime // Mandatory\n , EventEndTime:datetime // Alias\n , EventType:string // Mandatory\n , EventSubType:string // Optional\n , EventResult:string // Mandatory\n , EventResultDetails:string // Optional\n , EventOriginalResultDetails:string // Optional\n , EventSeverity:string // Mandatory\n , EventOriginalSeverity:string // Optional\n , EventOriginalUid:string // Optional\n , EventOriginalType:string // Optional\n , EventOriginalSubType:string // Optional\n , EventProduct:string // Mandatory\n , EventProductVersion:string // Optional\n , EventVendor:string // Mandatory\n , EventSchema:string // Mandatory\n , EventSchemaVersion:string // Mandatory\n , EventReportUrl:string // Mandatory\n , Dvc:string // Alias\n , DvcIpAddr:string // Mandatory\n , DvcHostname:string // Mandatory\n , DvcDomain:string // Recommended\n , DvcDomainType:string // Recommended\n , DvcFQDN:string // Optional\n , DvcId:string // Optional\n , DvcIdType:string // Optional\n , DvcMacAddr:string // Optional\n , DvcZone:string // Optional\n , DvcDescription:string // Optional\n // -- Network Session Fields\n , Dst:string // Alias\n , DstIpAddr:string // Recommended\n , DstPortNumber:int // Optional\n , DstHostname:string // Recommended\n , Hostname:string // Alias\n , DstDescription:string // Optional\n , DstDomain:string // Recommended\n , DstDomainType:string // Recommended\n , DstFQDN:string // Optional\n , DstDvcId:string // Optional\n , DstDvcIdType:string // Optional\n , DstDeviceType:string // Optional\n , DstUserId:string // Optional\n , DstUserIdType:string // Optional\n , DstUsername:string // Optional\n , User:string // Alias\n , DstUsernameType:string // Alias\n , DstUserType:string // Optional\n , 
DstOriginalUserType:string // Optional\n , DstUserDomain:string // Optional\n , DstAppName:string // Optional\n , DstAppId:string // Optional\n , DstAppType:string // Optional\n , DstZone:string // Optional\n , DstInterfaceName:string // Optional\n , DstInterfaceGuid:string // Optional\n , DstMacAddr:string // Optional\n , DstGeoCountry:string // Optional\n , DstGeoRegion: string // Optional\n , DstGeoCity:string // Optional\n , DstGeoLatitude:real // Optional\n , DstGeoLongitude:real // Optional\n , Src:string // Alias\n , SrcIpAddr:string // Recommended\n , SrcPortNumber:int // Optional\n , SrcHostname:string // Recommended\n , SrcDescription:string // Optional\n , SrcDomain:string // Recommended\n , SrcDomainType:string // Recommended\n , SrcFQDN:string // Optional\n , SrcDvcId:string // Optional\n , SrcDvcIdType:string // Optional\n , SrcDeviceType:string // Optional\n , SrcUserId:string // Optional\n , SrcUserIdType:string // Optional\n , SrcUsername:string // Optional\n , SrcUsernameType:string // Alias\n , SrcUserType:string // Optional\n , SrcOriginalUserType:string // Optional\n , SrcUserDomain:string // Optional\n , SrcAppName:string // Optional\n , SrcAppId:string // Optional\n , IpAddr:string // Alias\n , SrcAppType:string // Optional\n , SrcZone:string // Optional\n , SrcInterfaceName:string // Optional\n , SrcInterfaceGuid:string // Optional\n , SrcMacAddr:string // Optional\n , SrcGeoCountry:string // Optional\n , SrcGeoCity:string // Optional\n , SrcGeoRegion: string // Optional \n , SrcGeoLatitude:real // Optional\n , SrcGeoLongitude:real // Optional\n , NetworkApplicationProtocol:string // Optional\n , NetworkProtocol:string // Optional\n , NetworkProtocolVersion:string // Optional\n , NetworkDirection:string // Optional\n , NetworkDuration:int // Optional\n , Duration:int // Alias\n , NetworkIcmpCode:int // Optional\n , NetworkIcmpType:string // Optional\n , DstBytes:long // Optional\n , SrcBytes:long // Optional\n , NetworkBytes:long // 
Optional\n , DstPackets:long // Optional\n , SrcPackets:long // Optional\n , NetworkPackets:long // Optional\n , NetworkSessionId:string // Optional\n , SessionId:string // Alias\n , NetworkConnectionHistory:string // Optional\n , SrcVlanId:string // Optional\n , DstVlanId:string // Alias\n , InnerVlanId:string // Optional\n , OuterVlanId: string // Alias\n // -- Intermediary device fields\n , DstNatIpAddr:string // Optional\n , DstNatPortNumber:int // Optional\n , SrcNatIpAddr:string // Optional\n , SrcNatPortNumber:int // Optional\n , DvcInboundInterface:string // Optional\n , DvcOutboundInterface:string // Optional\n , DvcInterface:string // Optional\n // -- Inspection fields\n , NetworkRuleName:string // Optional\n , NetworkRuleNumber:int // Optional\n , Rule:string // Optional\n , DvcAction:string // Optional\n , DvcOriginalAction:string // Optional\n , ThreatId:string // Optional\n , ThreatName:string // Optional\n , ThreatCategory:string // Optional\n , ThreatRiskLevel:int // Optional\n , ThreatOriginalRiskLevel:string // Optional\n , DvcSubscriptionId:string // Optional\n , SrcSubscriptionId:string // Optional\n , DstSubscriptionId:string // Optional \n )[];\nparser", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json index ccee34440ae..ba857324972 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionForcePointFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionForcePointFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Force Point Firewall", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionForcePointFirewall", - "query": "let ApplicationProtocolLookup=datatable(ApplicationProtocol:string,NetworkApplicationProtocol:string)\n [\n \"HTTPS\",\"HTTPS\",\n \"HTTP-Over-QUIC\",\"HTTP\",\n \"HTTP\",\"HTTP\",\n \"DNS Over TLS\",\"DNS\",\n \"HTTP proxy\",\"HTTP\",\n \"IMAPS\",\"IMAPS\",\n \"SMTP\",\"SMTP\",\n \"IMAP\",\"IMAP\",\n \"POP3S\",\"POP3\",\n \"SMTP Submission Service\",\"SMTP\",\n \"X11\",\"X11\",\n \"RTSP\",\"RTSP\",\n \"Telnet\",\"TELNET\",\n \"NNTP\",\"NNTP\",\n \"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\n \"POP3\",\"POP3\",\n \"BGP\",\"BGP\",\n \"FTP\",\"FTP\",\n \"RIP\",\"RIP\",\n \"Squid HTTP proxy\",\"HTTP\",\n \"TFTP\",\"TFTP\",\n \"QOTD\",\"QOTD\",\n \"SCCP\",\"SCCP\",\n \"Modbus\",\"MODBUS\",\n \"SVN\",\"SVN\",\n \"RADIUS (Accounting)\",\"RADIUS\",\n \"Kerberos\",\"KERBEROS\",\n \"GRE\",\"GRE\",\n \"UUCP-rlogin\",\"UUCP\",\n \"GTP User Data Tunneling\",\"GTP\",\n \"NNTPS\",\"NNTP\",\n \"GTP Control\",\"GTP\",\n \"IRC-default\",\"IRC\",\n \"FTPS (Control)\",\"FTPS\",\n \"ICCP\",\"ICCP\",\n \"IRCS\",\"IRC\",\n \"Telnets\",\"TELNET\",\n \"Finger\",\"FINGER\",\n \"ESP\",\"ESP\",\n \"Rlogin\",\"RLP\",\n \"IMAP3\",\"IMAP\",\n \"MGCP\",\"MGCP\",\n \"RADIUS 
Accounting (Old)\",\"RADIUS\",\n \"RADIUS (Old)\",\"RADIUS\",\n \"CVS\",\"CVS\",\n \"Ident\",\"IDENT\",\n \"Gopher\",\"GOPHER\",\n \"BGMP\",\"BGMP\",\n \"FTPS (Data)\",\"FTPS\",\n \"POP2\",\"POP\",\n \"TLISRV\",\"TLISRV\",\n \"INGRES-NET\",\"INGRES-NET\",\n \"IPIP\",\"IPIP\",\n \"XTP\",\"XTP\",\n \"UUCP\",\"UUCP\",\n \"IRC\",\"IRC\",\n \"Photuris (ICMP)\",\"ICMP\",\n \"TACACS-DS\",\"TACACS-DS\",\n \"WESP\",\"WESP\",\n \"EGP\",\"EGP\",\n \"WSN\",\"WSN\",\n \"XDMCP\",\"XDMCP\",\n \"Kerberos IV\",\"KERBEROS\",\n \"IRTP\",\"IRTP\",\n \"TTP\",\"TTP\",\n \"IRC-SERV\",\"IRC\",\n \"I-NLSP\",\"NLSP\",\n \"SNP\",\"SNP\",\n \"XNS-IDP\",\"XNS\",\n \"SECURE-VMTP\",\"VMTP\",\n \"VMTP\",\"VMTP\",\n \"IPLT\",\"IPLT\",\n \"GGP\",\"GGP\",\n \"MFE-NSP\",\"NSP\",\n \"HIP\",\"HIP\",\n \"MERIT-NSP\",\"NSP\",\n \"NSFNET-IGP\",\"IGP\",\n \"DCN-MEAS\",\"DCN\",\n \"STP\",\"STP\",\n \"SRP\",\"SRP\",\n \"HMP\",\"HMP\",\n \"XNET\",\"XNET\",\n \"VRRP\",\"VRRP\",\n \"ENCAP\",\"ENCAP\",\n \"CPNX\",\"CPNX\",\n \"PTP\",\"PTP\",\n \"SKIP\",\"SKIP\",\n \"SCPS\",\"SCPS\",\n \"Sprite-RPC\",\"RPC\",\n \"IPv6 ICMP\",\"ICMP\",\n \"MUX\",\"MUX\",\n \"CHAOS\",\"CHAOS\",\n \"SSCOPMCE\",\"SSCOPMCE\",\n \"CBT\",\"CBT\",\n \"SPS\",\"SPS\",\n \"ETHERIP\",\"ETHERIP\",\n \"MTP\",\"MTP\",\n \"ROHC\",\"ROHC\",\n \"CRTP\",\"CRTP\",\n \"PNNI\",\"PNNI\",\n \"NETBLT\",\"NETBLT\",\n \"TLSP\",\"TLSP\",\n \"IDPR\",\"IDPR\",\n \"DDX\",\"DDX\",\n \"PUP\",\"PUP\",\n \"DSR\",\"DSR\",\n \"NARP\",\"NARP\",\n \"CPHB\",\"CPHB\",\n \"SMP\",\"SMP\",\n \"L2TP\",\"L2TP\",\n \"IPv6 ICMP/143/0\",\"ICMP\",\n \"MICP\",\"MICP\",\n \"GMTP\",\"GMTP\",\n \"LARP\",\"LARP\",\n \"IFMP\",\"IFMP\",\n \"IGP\",\"IGP\",\n \"CFTP\",\"CFTP\",\n \"PGM\",\"PGM\",\n \"DDP\",\"DDP\",\n \"PIPE\",\"PIPE\",\n \"IATP\",\"IATP\",\n \"IGMP\",\"IGMP\",\n \"3PC\",\"3PC\",\n \"DGP\",\"DGP\",\n \"TCF\",\"TCF\",\n \"UTI\",\"UTI\",\n \"DCCP\",\"DCCP\",\n \"SWIPE\",\"SWIPE\",\n \"EMCON\",\"EMCON\",\n \"PIM\",\"PIM\",\n \"RVD\",\"RVD\",\n ];\n let 
ActionLookup=datatable(DeviceAction:string,DvcAction_ActionLookup:string,EventResult_ActionLookup:string,EventSeverity_ActionLookup:string)\n [\n \"Allow\",\"Allow\",\"Success\",\"Informational\", \n \"Discard\",\"Drop\",\"Failure\",\"Low\",\n \"Permit\",\"Allow\",\"Success\",\"Informational\", \n \"Refuse\",\"Deny\",\"Failure\",\"Low\",\n \"Terminate\",\"Reset Source\",\"Failure\",\"Low\", \n \"Terminate (failed)\",\"\",\"Failure\",\"Low\",\n \"Terminate (passive)\",\"Reset Destination\",\"Failure\",\"Low\", \n \"Terminate (reset)\",\"Reset\",\"Failure\",\"Low\",\n \"Wait for Authentication\",\"\",\"Success\",\"Informational\",\n \"Wait for Further Actions\",\"\",\"Success\",\"Informational\", \n \"Wait for RPC Reply\",\"\",\"Success\",\"Informational\"\n ];\n let DeviceEventClassIDLookup_Packet=datatable(DeviceEventClassID:string,EventSubType:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string) //Add more codes if needed\n [\n \"70018\",\"Start\",\"Allow\",\"Success\",\"Informational\", // Connection_Allowed\n \"70019\",\"End\",\"Deny\",\"Failure\",\"Low\", // Connection_Discarded\n \"70021\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed\n \"70022\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed-Abnormally\n \"70026\",\"\",\"\",\"Success\",\"Informational\", // Connection_Progress\n ];\n let DeviceEventClassIDLookup_File=datatable(DeviceEventClassID:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string)\n [\n \"76506\",\"Allow\",\"Success\",\"Informational\", // File_Allowed\n \"76508\",\"Deny\",\"Failure\",\"Low\", // File_Malware-Blocked\n \"76509\",\"\",\"Failure\",\"Low\" // File_Malware-Detected\n ];\n let MessageLookup = datatable (Message:string, DvcAction_MessageLookup:string, EventResult_MessageLookup:string, EventResultDetails:string, 
EventOriginalResultDetails:string) \n [\n \"Connection dropped\", \"Drop\", \"Failure\",\"Terminated\", \"Connection dropped\",\n \"Connection removed because NGFW Engine is low on memory.\",\"Drop\", \"Failure\",\"Terminated\",\"Connection removed because NGFW Engine is low on memory.\",\n \"Connection timeout in state TCP_CLOSE_WAIT\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for the FIN packet (passive close).\",\n \"Connection timeout in state TCP_CLOSE_WAIT_ACK\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for the FIN packet (passive close)\",\n \"Connection timeout in state TCP_CLOSING\", \"\", \"Success\", \"Timeout\", \"Closing packet (FIN) sent by one end of the Connection (simultaneous).\",\n \"Connection timeout in state TCP_CLOSING_ACK\", \"\", \"Success\", \"Timeout\", \"Waiting for ACK for the FIN before going to closing status (active close).\",\n \"Connection timeout in state TCP_ESTABLISHED\", \"\", \"Failure\", \"Timeout\", \"Normal status of TCP Connections for data transfer.\",\n \"Connection timeout in state TCP_FIN_WAIT_1\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for sending the FIN packet (active close).\",\n \"Connection timeout in state TCP_FIN_WAIT_2\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for receiving ACK packet.\",\n \"Connection timeout in state TCP_LAST_ACK\", \"\",\t\"Success\", \"Timeout\", \"One end of the Connection sent a FIN packet (passive close).\",\n \"Connection timeout in state TCP_LAST_ACK_WAIT\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for the FIN packet to be acknowledged.\",\n \"Connection timeout in state TCP_SYN_ACK_SEEN\", \"\", \"Failure\",\t\"Timeout\", \"Second phase of the TCP three-way handshake, the server has replied to client sent SYN with SYN+ACK, next status will be established.\",\n \"Connection timeout in state TCP_SYN_FIN_SEEN\", \"\",\t\"Success\", \"Timeout\", \"T/TCP (Transactional TCP) 
Connection, RFC 1644.\",\n \"Connection timeout in state TCP_SYN_RETURN\", \"\", \"Failure\", \"Timeout\", \"Received simultaneous SYN from the other end (simultaneous open).\",\n \"Connection timeout in state TCP_SYN_SEEN\", \"\", \"Failure\", \"Timeout\", \"First packet sent by one end of the Connection.\",\n \"Connection timeout in state TCP_TIME_WAIT\", \"\", \"Success\", \"Timeout\", \"One end of the Connection acknowledged closing packet (FIN).\",\n \"Connection timeout in state TCP_TIME_WAIT_ACK\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for ACK for the FIN status before going to time wait status (active close).\",\n \"Connection timeout in state ICMP_ECHO\", \"\", \"Failure\", \"Timeout\", \"Ping reply is expected.\",\n \"Connection timeout in state ICMP_REPLY_WAIT\", \"\", \"Failure\", \"Timeout\", \"Other ICMP request or reply types.\",\n \"Connection was reset by client\", \"Reset Source\", \"Failure\",\"Reset\", \"\",\n \"Connection was reset by server\", \"Reset Destination\", \"Failure\",\"Reset\", \"\",\n \"invalid packet (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [A] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FPA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [PA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [RA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [SA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation\",\"Deny\",\"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation: Connection end-point replied with ACK to SYN-packet. 
Connection refused.\", \"Deny\", \"Failure\", \"Invalid TCP\", \"\",\n \"TSC error: Query timed out\", \"\", \"Failure\", \"Timeout\", \"\"\n ];\n let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let prefilter = (T:(DestinationPort:int,ApplicationProtocol:string,SourceIP:string,DestinationIP:string,AdditionalExtensions:string)) {\n T\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber) or (ApplicationProtocol has tostring(dstportnumber)))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | where array_length(hostname_has_any) == 0 or AdditionalExtensions has_any (hostname_has_any)\n };\n let ForcePointNetwork = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor==\"FORCEPOINT\" and DeviceProduct==\"Firewall\"\n | where DeviceFacility in~ (\"Inspection\",\"Packet Filtering\",\"File Filtering\") and isnotempty(DeviceEventClassID) and DeviceEventClassID != \"0\"\n ;\n let PacketFilteringData = 
ForcePointNetwork\n | where DeviceFacility == \"Packet Filtering\" and DeviceEventClassID !in (\"70383\",\"70393\",\"70734\",\"71009\",\"71040\")\n | invoke prefilter()\n | lookup DeviceEventClassIDLookup_Packet on DeviceEventClassID\n | lookup MessageLookup on Message\n | extend DvcAction = coalesce(DvcAction_MessageLookup, DvcAction_DeviceEventClassIDLookup), \n EventResult = case (Message startswith \"Referred connection not known\", \"Failure\",\n coalesce(EventResult_MessageLookup, EventResult_DeviceEventClassIDLookup)), \n EventSeverity = case(Message startswith \"Referred connection not known\", \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(Message startswith \"Referred connection not known\", Message,\n EventOriginalResultDetails),\n EventType = \"NetworkSession\"\n | project-away DvcAction_*, EventResult_*, EventSeverity_DeviceEventClassIDLookup;\n let FileFilteringData = ForcePointNetwork\n | where DeviceFacility == \"File Filtering\"\n | invoke prefilter()\n | lookup DeviceEventClassIDLookup_File on DeviceEventClassID\n | extend ThreatName = case (DeviceEventClassID in (\"76508\", \"76509\"), Activity,\n \"\")\n | project-rename DvcAction = DvcAction_DeviceEventClassIDLookup\n | extend EventResult = case(isnotempty(Message), \"Failure\",\n EventResult_DeviceEventClassIDLookup), \n EventSeverity = case(isnotempty(Message), \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(isnotempty(Message), Message,\n \"\"),\n EventType = \"NetworkSession\"\n | project-away *_DeviceEventClassIDLookup;\n let InspectionData = ForcePointNetwork\n | where DeviceFacility == \"Inspection\" or DeviceEventClassID == \"70734\"\n | invoke prefilter()\n | extend MessageCode = toint(DeviceEventClassID)\n | extend EventSeverity = case (DeviceAction in~ (\"Allow\",\"Permit\"), \"Informational\",\n MessageCode >= 200000, \"High\",\n MessageCode < 200000, \"Low\",\n \"\"),\n EventType = case (MessageCode < 
80000, \"NetworkSession\",\n \"IDS\")\n | extend ThreatName = Activity\n | project-away MessageCode;\n union PacketFilteringData, FileFilteringData, InspectionData\n | extend NetworkProtocol = _ASIM_LookupNetworkProtocol(Protocol)\n | lookup ActionLookup on DeviceAction\n | extend DvcAction = coalesce(DvcAction,DvcAction_ActionLookup), \n EventResult = coalesce(EventResult,EventResult_ActionLookup), \n EventSeverity = coalesce(EventSeverity, EventSeverity_ActionLookup)\n | project-away *_ActionLookup\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or (EventResult == eventresult))\n | lookup ApplicationProtocolLookup on ApplicationProtocol\n | extend \n EventCount = toint(1),\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Forcepoint\",\n EventProduct = \"Firewall\"\n | parse AdditionalExtensions with * \"requestURL=\" requestURL \n | project-rename\n EventOriginalType = DeviceEventClassID,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventMessage = Message,\n DvcOriginalAction = DeviceAction,\n SrcBytes = SentBytes,\n DstBytes = ReceivedBytes,\n EventOriginalSubType = DeviceFacility,\n DvcId = DeviceExternalID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcIpAddr = DeviceAddress,\n EventOriginalSeverity = LogSeverity,\n ThreatId = DeviceCustomString3\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | extend\n ThreatCategory = column_ifexists(\"DeviceEventCategory\",\"\"),\n EventStartTime = todatetime(ReceiptTime),\n EventEndTime = todatetime(ReceiptTime),\n ipv6_parts = extract_all 
(@'^\\[(.+)\\](?:\\:(\\d+))?$',requestURL)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',requestURL)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',requestURL)[0]\n | extend \n NetworkRuleName = case(isnotempty(DeviceCustomString2), strcat(DeviceCustomString1,',',DeviceCustomString2),\n DeviceCustomString1),\n DstDomainPart = tostring(host_parts[0]),\n DstIpAddr = coalesce(DstIpAddr, tostring(ipv4_parts[0]), tostring(ipv6_parts[0])),\n DstPortNumber = coalesce(DstPortNumber, toint(host_parts[1]), toint(ipv4_parts[1]), toint(ipv6_parts[1]))\n | invoke _ASIM_ResolveDstFQDN('DstDomainPart')\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n DstHostname has_any (hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | extend\n DvcIdType = case(isnotempty(DvcId), \"ForcepointId\",\n \"\"),\n DstPortNumber = case(\n isnotempty(DstPortNumber), DstPortNumber,\n ApplicationProtocol startswith \"TCP\", toint(split(ApplicationProtocol,'/')[1]),\n ApplicationProtocol startswith \"UDP\", toint(split(ApplicationProtocol,'/')[1]),\n int(null)),\n AdditionalFields = pack(iff(isnotempty(RequestMethod) and RequestMethod != \"UNKNOWN\", \"RequestMethod\", \"\"),RequestMethod,\n iff(isnotempty(DeviceCustomString4),\"VirusId\",\"\"),DeviceCustomString4),\n DstAppName = case(DestinationServiceName in~ (\"Generic-Web-HTTP\",\"Application-Unknown\",\"Unknown-Encrypted-Application\"), \"\",\n DestinationServiceName),\n DvcIpAddr = coalesce(DvcIpAddr,DeviceName)\n | extend\n Dvc = DvcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n DvcInterface = DvcInboundInterface,\n Hostname = DstHostname\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, Remote*, 
ReportReferenceLink, Request*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, ExtID, EventOutcome, FieldDevice*, Reason, ApplicationProtocol, Activity, requestURL, Computer, DstDomainPart, host_parts, ipv4_parts, ipv6_parts, temp_*\n };\n parser(starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Force Point Firewall", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionForcePointFirewall", + "query": "let ApplicationProtocolLookup=datatable(ApplicationProtocol:string,NetworkApplicationProtocol:string)\n [\n \"HTTPS\",\"HTTPS\",\n \"HTTP-Over-QUIC\",\"HTTP\",\n \"HTTP\",\"HTTP\",\n \"DNS Over TLS\",\"DNS\",\n \"HTTP proxy\",\"HTTP\",\n \"IMAPS\",\"IMAPS\",\n \"SMTP\",\"SMTP\",\n \"IMAP\",\"IMAP\",\n \"POP3S\",\"POP3\",\n \"SMTP Submission Service\",\"SMTP\",\n \"X11\",\"X11\",\n \"RTSP\",\"RTSP\",\n \"Telnet\",\"TELNET\",\n \"NNTP\",\"NNTP\",\n \"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\"ISAKMP\",\n \"POP3\",\"POP3\",\n \"BGP\",\"BGP\",\n \"FTP\",\"FTP\",\n \"RIP\",\"RIP\",\n \"Squid HTTP proxy\",\"HTTP\",\n \"TFTP\",\"TFTP\",\n \"QOTD\",\"QOTD\",\n \"SCCP\",\"SCCP\",\n \"Modbus\",\"MODBUS\",\n \"SVN\",\"SVN\",\n \"RADIUS (Accounting)\",\"RADIUS\",\n 
\"Kerberos\",\"KERBEROS\",\n \"GRE\",\"GRE\",\n \"UUCP-rlogin\",\"UUCP\",\n \"GTP User Data Tunneling\",\"GTP\",\n \"NNTPS\",\"NNTP\",\n \"GTP Control\",\"GTP\",\n \"IRC-default\",\"IRC\",\n \"FTPS (Control)\",\"FTPS\",\n \"ICCP\",\"ICCP\",\n \"IRCS\",\"IRC\",\n \"Telnets\",\"TELNET\",\n \"Finger\",\"FINGER\",\n \"ESP\",\"ESP\",\n \"Rlogin\",\"RLP\",\n \"IMAP3\",\"IMAP\",\n \"MGCP\",\"MGCP\",\n \"RADIUS Accounting (Old)\",\"RADIUS\",\n \"RADIUS (Old)\",\"RADIUS\",\n \"CVS\",\"CVS\",\n \"Ident\",\"IDENT\",\n \"Gopher\",\"GOPHER\",\n \"BGMP\",\"BGMP\",\n \"FTPS (Data)\",\"FTPS\",\n \"POP2\",\"POP\",\n \"TLISRV\",\"TLISRV\",\n \"INGRES-NET\",\"INGRES-NET\",\n \"IPIP\",\"IPIP\",\n \"XTP\",\"XTP\",\n \"UUCP\",\"UUCP\",\n \"IRC\",\"IRC\",\n \"Photuris (ICMP)\",\"ICMP\",\n \"TACACS-DS\",\"TACACS-DS\",\n \"WESP\",\"WESP\",\n \"EGP\",\"EGP\",\n \"WSN\",\"WSN\",\n \"XDMCP\",\"XDMCP\",\n \"Kerberos IV\",\"KERBEROS\",\n \"IRTP\",\"IRTP\",\n \"TTP\",\"TTP\",\n \"IRC-SERV\",\"IRC\",\n \"I-NLSP\",\"NLSP\",\n \"SNP\",\"SNP\",\n \"XNS-IDP\",\"XNS\",\n \"SECURE-VMTP\",\"VMTP\",\n \"VMTP\",\"VMTP\",\n \"IPLT\",\"IPLT\",\n \"GGP\",\"GGP\",\n \"MFE-NSP\",\"NSP\",\n \"HIP\",\"HIP\",\n \"MERIT-NSP\",\"NSP\",\n \"NSFNET-IGP\",\"IGP\",\n \"DCN-MEAS\",\"DCN\",\n \"STP\",\"STP\",\n \"SRP\",\"SRP\",\n \"HMP\",\"HMP\",\n \"XNET\",\"XNET\",\n \"VRRP\",\"VRRP\",\n \"ENCAP\",\"ENCAP\",\n \"CPNX\",\"CPNX\",\n \"PTP\",\"PTP\",\n \"SKIP\",\"SKIP\",\n \"SCPS\",\"SCPS\",\n \"Sprite-RPC\",\"RPC\",\n \"IPv6 ICMP\",\"ICMP\",\n \"MUX\",\"MUX\",\n \"CHAOS\",\"CHAOS\",\n \"SSCOPMCE\",\"SSCOPMCE\",\n \"CBT\",\"CBT\",\n \"SPS\",\"SPS\",\n \"ETHERIP\",\"ETHERIP\",\n \"MTP\",\"MTP\",\n \"ROHC\",\"ROHC\",\n \"CRTP\",\"CRTP\",\n \"PNNI\",\"PNNI\",\n \"NETBLT\",\"NETBLT\",\n \"TLSP\",\"TLSP\",\n \"IDPR\",\"IDPR\",\n \"DDX\",\"DDX\",\n \"PUP\",\"PUP\",\n \"DSR\",\"DSR\",\n \"NARP\",\"NARP\",\n \"CPHB\",\"CPHB\",\n \"SMP\",\"SMP\",\n \"L2TP\",\"L2TP\",\n \"IPv6 ICMP/143/0\",\"ICMP\",\n \"MICP\",\"MICP\",\n 
\"GMTP\",\"GMTP\",\n \"LARP\",\"LARP\",\n \"IFMP\",\"IFMP\",\n \"IGP\",\"IGP\",\n \"CFTP\",\"CFTP\",\n \"PGM\",\"PGM\",\n \"DDP\",\"DDP\",\n \"PIPE\",\"PIPE\",\n \"IATP\",\"IATP\",\n \"IGMP\",\"IGMP\",\n \"3PC\",\"3PC\",\n \"DGP\",\"DGP\",\n \"TCF\",\"TCF\",\n \"UTI\",\"UTI\",\n \"DCCP\",\"DCCP\",\n \"SWIPE\",\"SWIPE\",\n \"EMCON\",\"EMCON\",\n \"PIM\",\"PIM\",\n \"RVD\",\"RVD\",\n ];\n let ActionLookup=datatable(DeviceAction:string,DvcAction_ActionLookup:string,EventResult_ActionLookup:string,EventSeverity_ActionLookup:string)\n [\n \"Allow\",\"Allow\",\"Success\",\"Informational\", \n \"Discard\",\"Drop\",\"Failure\",\"Low\",\n \"Permit\",\"Allow\",\"Success\",\"Informational\", \n \"Refuse\",\"Deny\",\"Failure\",\"Low\",\n \"Terminate\",\"Reset Source\",\"Failure\",\"Low\", \n \"Terminate (failed)\",\"\",\"Failure\",\"Low\",\n \"Terminate (passive)\",\"Reset Destination\",\"Failure\",\"Low\", \n \"Terminate (reset)\",\"Reset\",\"Failure\",\"Low\",\n \"Wait for Authentication\",\"\",\"Success\",\"Informational\",\n \"Wait for Further Actions\",\"\",\"Success\",\"Informational\", \n \"Wait for RPC Reply\",\"\",\"Success\",\"Informational\"\n ];\n let DeviceEventClassIDLookup_Packet=datatable(DeviceEventClassID:string,EventSubType:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string) //Add more codes if needed\n [\n \"70018\",\"Start\",\"Allow\",\"Success\",\"Informational\", // Connection_Allowed\n \"70019\",\"End\",\"Deny\",\"Failure\",\"Low\", // Connection_Discarded\n \"70021\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed\n \"70022\",\"End\",\"Reset\",\"Failure\",\"Low\", // Connection_Closed-Abnormally\n \"70026\",\"\",\"\",\"Success\",\"Informational\", // Connection_Progress\n ];\n let 
DeviceEventClassIDLookup_File=datatable(DeviceEventClassID:string,DvcAction_DeviceEventClassIDLookup:string,EventResult_DeviceEventClassIDLookup:string,EventSeverity_DeviceEventClassIDLookup:string)\n [\n \"76506\",\"Allow\",\"Success\",\"Informational\", // File_Allowed\n \"76508\",\"Deny\",\"Failure\",\"Low\", // File_Malware-Blocked\n \"76509\",\"\",\"Failure\",\"Low\" // File_Malware-Detected\n ];\n let MessageLookup = datatable (Message:string, DvcAction_MessageLookup:string, EventResult_MessageLookup:string, EventResultDetails:string, EventOriginalResultDetails:string) \n [\n \"Connection dropped\", \"Drop\", \"Failure\",\"Terminated\", \"Connection dropped\",\n \"Connection removed because NGFW Engine is low on memory.\",\"Drop\", \"Failure\",\"Terminated\",\"Connection removed because NGFW Engine is low on memory.\",\n \"Connection timeout in state TCP_CLOSE_WAIT\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for the FIN packet (passive close).\",\n \"Connection timeout in state TCP_CLOSE_WAIT_ACK\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for the FIN packet (passive close)\",\n \"Connection timeout in state TCP_CLOSING\", \"\", \"Success\", \"Timeout\", \"Closing packet (FIN) sent by one end of the Connection (simultaneous).\",\n \"Connection timeout in state TCP_CLOSING_ACK\", \"\", \"Success\", \"Timeout\", \"Waiting for ACK for the FIN before going to closing status (active close).\",\n \"Connection timeout in state TCP_ESTABLISHED\", \"\", \"Failure\", \"Timeout\", \"Normal status of TCP Connections for data transfer.\",\n \"Connection timeout in state TCP_FIN_WAIT_1\", \"\", \"Success\", \"Timeout\",\t\"One end of the Connection waits for sending the FIN packet (active close).\",\n \"Connection timeout in state TCP_FIN_WAIT_2\", \"\", \"Success\", \"Timeout\", \"One end of the Connection waits for receiving ACK packet.\",\n \"Connection timeout in state TCP_LAST_ACK\", \"\",\t\"Success\", \"Timeout\", 
\"One end of the Connection sent a FIN packet (passive close).\",\n \"Connection timeout in state TCP_LAST_ACK_WAIT\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for the FIN packet to be acknowledged.\",\n \"Connection timeout in state TCP_SYN_ACK_SEEN\", \"\", \"Failure\",\t\"Timeout\", \"Second phase of the TCP three-way handshake, the server has replied to client sent SYN with SYN+ACK, next status will be established.\",\n \"Connection timeout in state TCP_SYN_FIN_SEEN\", \"\",\t\"Success\", \"Timeout\", \"T/TCP (Transactional TCP) Connection, RFC 1644.\",\n \"Connection timeout in state TCP_SYN_RETURN\", \"\", \"Failure\", \"Timeout\", \"Received simultaneous SYN from the other end (simultaneous open).\",\n \"Connection timeout in state TCP_SYN_SEEN\", \"\", \"Failure\", \"Timeout\", \"First packet sent by one end of the Connection.\",\n \"Connection timeout in state TCP_TIME_WAIT\", \"\", \"Success\", \"Timeout\", \"One end of the Connection acknowledged closing packet (FIN).\",\n \"Connection timeout in state TCP_TIME_WAIT_ACK\", \"\", \"Failure\",\t\"Timeout\", \"Waiting for ACK for the FIN status before going to time wait status (active close).\",\n \"Connection timeout in state ICMP_ECHO\", \"\", \"Failure\", \"Timeout\", \"Ping reply is expected.\",\n \"Connection timeout in state ICMP_REPLY_WAIT\", \"\", \"Failure\", \"Timeout\", \"Other ICMP request or reply types.\",\n \"Connection was reset by client\", \"Reset Source\", \"Failure\",\"Reset\", \"\",\n \"Connection was reset by server\", \"Reset Destination\", \"Failure\",\"Reset\", \"\",\n \"invalid packet (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [A] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [FPA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [PA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a 
(valid) SYN packet [RA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"not a (valid) SYN packet [SA] (CT)\", \"\", \"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation\",\"Deny\",\"Failure\", \"Invalid TCP\", \"\",\n \"TCP state violation: Connection end-point replied with ACK to SYN-packet. Connection refused.\", \"Deny\", \"Failure\", \"Invalid TCP\", \"\",\n \"TSC error: Query timed out\", \"\", \"Failure\", \"Timeout\", \"\"\n ];\n let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let prefilter = (T:(DestinationPort:int,ApplicationProtocol:string,SourceIP:string,DestinationIP:string,AdditionalExtensions:string)) {\n T\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber) or (ApplicationProtocol has tostring(dstportnumber)))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | where array_length(hostname_has_any) == 0 or AdditionalExtensions has_any (hostname_has_any)\n };\n let ForcePointNetwork = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n 
and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor==\"FORCEPOINT\" and DeviceProduct==\"Firewall\"\n | where DeviceFacility in~ (\"Inspection\",\"Packet Filtering\",\"File Filtering\") and isnotempty(DeviceEventClassID) and DeviceEventClassID != \"0\"\n ;\n let PacketFilteringData = ForcePointNetwork\n | where DeviceFacility == \"Packet Filtering\" and DeviceEventClassID !in (\"70383\",\"70393\",\"70734\",\"71009\",\"71040\")\n | invoke prefilter()\n | lookup DeviceEventClassIDLookup_Packet on DeviceEventClassID\n | lookup MessageLookup on Message\n | extend DvcAction = coalesce(DvcAction_MessageLookup, DvcAction_DeviceEventClassIDLookup), \n EventResult = case (Message startswith \"Referred connection not known\", \"Failure\",\n coalesce(EventResult_MessageLookup, EventResult_DeviceEventClassIDLookup)), \n EventSeverity = case(Message startswith \"Referred connection not known\", \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(Message startswith \"Referred connection not known\", Message,\n EventOriginalResultDetails),\n EventType = \"NetworkSession\"\n | project-away DvcAction_*, EventResult_*, EventSeverity_DeviceEventClassIDLookup;\n let FileFilteringData = ForcePointNetwork\n | where DeviceFacility == \"File Filtering\"\n | invoke prefilter()\n | lookup DeviceEventClassIDLookup_File on DeviceEventClassID\n | extend ThreatName = case (DeviceEventClassID in (\"76508\", \"76509\"), Activity,\n \"\")\n | project-rename DvcAction = DvcAction_DeviceEventClassIDLookup\n | extend EventResult = case(isnotempty(Message), \"Failure\",\n EventResult_DeviceEventClassIDLookup), \n EventSeverity = case(isnotempty(Message), \"Low\",\n EventSeverity_DeviceEventClassIDLookup),\n EventOriginalResultDetails = case(isnotempty(Message), Message,\n \"\"),\n EventType = \"NetworkSession\"\n | project-away *_DeviceEventClassIDLookup;\n let InspectionData = ForcePointNetwork\n | where DeviceFacility == \"Inspection\" or 
DeviceEventClassID == \"70734\"\n | invoke prefilter()\n | extend MessageCode = toint(DeviceEventClassID)\n | extend EventSeverity = case (DeviceAction in~ (\"Allow\",\"Permit\"), \"Informational\",\n MessageCode >= 200000, \"High\",\n MessageCode < 200000, \"Low\",\n \"\"),\n EventType = case (MessageCode < 80000, \"NetworkSession\",\n \"IDS\")\n | extend ThreatName = Activity\n | project-away MessageCode;\n union PacketFilteringData, FileFilteringData, InspectionData\n | extend NetworkProtocol = _ASIM_LookupNetworkProtocol(Protocol)\n | lookup ActionLookup on DeviceAction\n | extend DvcAction = coalesce(DvcAction,DvcAction_ActionLookup), \n EventResult = coalesce(EventResult,EventResult_ActionLookup), \n EventSeverity = coalesce(EventSeverity, EventSeverity_ActionLookup)\n | project-away *_ActionLookup\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or (EventResult == eventresult))\n | lookup ApplicationProtocolLookup on ApplicationProtocol\n | extend \n EventCount = toint(1),\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Forcepoint\",\n EventProduct = \"Firewall\"\n | parse AdditionalExtensions with * \"requestURL=\" requestURL \n | project-rename\n EventOriginalType = DeviceEventClassID,\n DstPortNumber = DestinationPort,\n DstIpAddr = DestinationIP,\n SrcPortNumber = SourcePort,\n SrcIpAddr = SourceIP,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n EventProductVersion = DeviceVersion,\n EventMessage = Message,\n DvcOriginalAction = DeviceAction,\n SrcBytes = SentBytes,\n DstBytes = ReceivedBytes,\n EventOriginalSubType = DeviceFacility,\n DvcId = DeviceExternalID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcIpAddr = DeviceAddress,\n EventOriginalSeverity = 
LogSeverity,\n ThreatId = DeviceCustomString3\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | extend\n ThreatCategory = column_ifexists(\"DeviceEventCategory\",\"\"),\n EventStartTime = todatetime(ReceiptTime),\n EventEndTime = todatetime(ReceiptTime),\n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',requestURL)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',requestURL)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',requestURL)[0]\n | extend \n NetworkRuleName = case(isnotempty(DeviceCustomString2), strcat(DeviceCustomString1,',',DeviceCustomString2),\n DeviceCustomString1),\n DstDomainPart = tostring(host_parts[0]),\n DstIpAddr = coalesce(DstIpAddr, tostring(ipv4_parts[0]), tostring(ipv6_parts[0])),\n DstPortNumber = coalesce(DstPortNumber, toint(host_parts[1]), toint(ipv4_parts[1]), toint(ipv6_parts[1]))\n | invoke _ASIM_ResolveDstFQDN('DstDomainPart')\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n DstHostname has_any (hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | extend\n DvcIdType = case(isnotempty(DvcId), \"ForcepointId\",\n \"\"),\n DstPortNumber = case(\n isnotempty(DstPortNumber), DstPortNumber,\n ApplicationProtocol startswith \"TCP\", toint(split(ApplicationProtocol,'/')[1]),\n ApplicationProtocol startswith \"UDP\", toint(split(ApplicationProtocol,'/')[1]),\n int(null)),\n AdditionalFields = pack(iff(isnotempty(RequestMethod) and RequestMethod != \"UNKNOWN\", \"RequestMethod\", \"\"),RequestMethod,\n iff(isnotempty(DeviceCustomString4),\"VirusId\",\"\"),DeviceCustomString4),\n DstAppName = case(DestinationServiceName in~ (\"Generic-Web-HTTP\",\"Application-Unknown\",\"Unknown-Encrypted-Application\"), \"\",\n DestinationServiceName),\n DvcIpAddr = coalesce(DvcIpAddr,DeviceName)\n | extend\n Dvc = DvcIpAddr,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n 
DvcInterface = DvcInboundInterface,\n Hostname = DstHostname\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, Remote*, ReportReferenceLink, Request*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, ExtID, EventOutcome, FieldDevice*, Reason, ApplicationProtocol, Activity, requestURL, Computer, DstDomainPart, host_parts, ipv4_parts, ipv6_parts, temp_*\n };\n parser(starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json index 0a27dfc50b8..3a086215c44 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionFortinetFortiGate", - "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n [\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n ];\n // -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"Critical\", // High\n \"7\", \"Alert\", // Medium\n \"8\", \"High\" // Emergency\n ];\n let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), 
dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and (column_ifexists(\"DeviceEventCategory\",\"\") has \"traffic\" or AdditionalExtensions has \"cat=traffic\")\n | where DeviceAction != \"dns\" and Activity !has \"dns\" \n | where (array_length(hostname_has_any)==0)\n | where (isnull(dstportnumber) or DestinationPort==dstportnumber)\n | extend temp_ResultMatch = case (\n eventresult==\"*\", true,\n (eventresult == \"Success\") and (DeviceAction in (\"accept\", \"close\") or Activity has_any (\"accept\", \"close\")), true,\n (eventresult == \"Failure\") and (DeviceAction !in (\"accept\", \"close\") and not(Activity has_any (\"accept\", \"close\"))), true,\n false\n )\n | where temp_ResultMatch\n | extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | parse Activity with \"traffic:forward \" temp_DeviceAction:string \n | extend DeviceAction = coalesce(DeviceAction, temp_DeviceAction) \n | lookup EventLookup on DeviceAction \n | where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n | project 
Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, ASimMatchingIpAddr, DvcAction\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long\n ) with (pair_delimiter=';', kv_delimiter='=')\n | project-rename\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n NetworkRuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | extend EventCount = int(1)\n , EventSchema = 
\"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(NetworkRuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n };\n Parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Fortinet FortiGate", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionFortinetFortiGate", + "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n [\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection 
error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n ];\n // -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"Critical\", // High\n \"7\", \"Alert\", // Medium\n \"8\", \"High\" // Emergency\n ];\n let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and (column_ifexists(\"DeviceEventCategory\",\"\") has \"traffic\" or AdditionalExtensions has \"cat=traffic\")\n | where DeviceAction != \"dns\" and Activity !has \"dns\" \n | where (array_length(hostname_has_any)==0)\n | where (isnull(dstportnumber) or DestinationPort==dstportnumber)\n | extend temp_ResultMatch = case (\n eventresult==\"*\", true,\n (eventresult == \"Success\") and (DeviceAction in (\"accept\", \"close\") or Activity has_any (\"accept\", \"close\")), true,\n (eventresult == \"Failure\") and (DeviceAction !in (\"accept\", \"close\") and not(Activity has_any (\"accept\", \"close\"))), true,\n false\n )\n | where 
temp_ResultMatch\n | extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | parse Activity with \"traffic:forward \" temp_DeviceAction:string \n | extend DeviceAction = coalesce(DeviceAction, temp_DeviceAction) \n | lookup EventLookup on DeviceAction \n | where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, ASimMatchingIpAddr, DvcAction\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n 
FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long\n ) with (pair_delimiter=';', kv_delimiter='=')\n | project-rename\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n NetworkRuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | extend EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(NetworkRuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n };\n Parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/README.md b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/README.md new file mode 100644 index 00000000000..874cb484eb3 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/README.md @@ -0,0 +1,18 @@ +# Illumio SaaS Core ASIM NetworkSession Normalization Parser + +ARM template for ASIM NetworkSession schema parser for Illumio SaaS Core. + +This ASIM parser supports normalizing Illumio SaaS Core logs to the ASIM Network Session normalized schema. These events are captured through Illumio Sentinel Integration data connector. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionIllumioSaaSCore%2FvimNetworkSessionIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionIllumioSaaSCore%2FvimNetworkSessionIllumioSaaSCore.json) diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json new file mode 100644 index 00000000000..a7193048c13 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionIllumioSaaSCore')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionIllumioSaaSCore", + "query": "let ProtocolLookup = datatable(proto:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 
55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\nlet NetworkProtocolVersionLookup = datatable(version: int, NetworkProtocolVersion: string)\n[\n 4,\"IPv4\",\n 6,\"IPv6\"\n];\nlet EventResultLookup = datatable(DvcAction: string, EventResult: string)\n[\n \"Deny\", \"Failure\",\n \"Allow\", \"Success\"\n];\nlet DvcActionLookup = datatable(pd: int, DvcAction: string)\n[\n// - Allow\n// - Deny\n// - Drop\n// - Drop ICMP\n// - Reset\n// - Reset Source\n// - Reset Destination\n// - 
Encrypt\n// - Decrypt\n// - VPNroute\n 2, \"Deny\",\n 1, \"Allow\",\n 0, \"Allow\"\n];\nlet ClassLookup = datatable(class: string, ClassDetail: string)\n[\n\"M\", \"Multicast\",\n\"B\", \"Broadcast\",\n\"U\", \"Unicast\"\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n Illumio_Flow_Events_CL \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime)\n // ***** parser filter params *****\n | where\n (isnull(dstportnumber) or (dst_port == dstportnumber)) \n | extend temp_isSrcMatch=has_any_ipv4_prefix(src_ip,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(dst_ip,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | extend temp_is_MatchSrcHostname = src_hostname has_any (hostname_has_any)\n , temp_is_MatchDstHostname = dst_hostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname, \"Both\",\n temp_is_MatchSrcHostname, \"SrcHostname\",\n temp_is_MatchDstHostname, \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != 
\"No match\" \n | project-away temp_*\n // ***** parser filter params *****\n | lookup ProtocolLookup on proto\n | lookup NetworkProtocolVersionLookup on version\n | lookup DvcActionLookup on pd //set DvcAction\n | extend EventResult = iff(DvcAction == \"Deny\", \"Failure\", \"Success\")\n | lookup ClassLookup on class\n // ***** parser filter params *****\n | where (array_length(dvcaction) == 0 or DvcAction in (dvcaction)) \n and eventresult=='*' or (eventresult == EventResult) \n and (array_length(hostname_has_any)==0 or dst_hostname has_any (hostname_has_any) or src_hostname has_any(hostname_has_any))\n // ***** parser filter params ***** \n | extend\n EventCount = flow_count,\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventType = 'Flow',\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'NetworkSession',\n Dvc = pce_fqdn \n | extend NetworkDirection = case(\n dir=='I', 'Inbound',\n dir=='O', 'Outbound',\n 'Unknown'\n ),\n NetworkDuration = interval_sec,\n DstBytes = tolong(dst_dbo),\n SrcBytes = tolong(dst_dbi),\n DstIpAddr = dst_ip,\n SrcIpAddr = src_ip,\n DstPortNumber = dst_port,\n DstHostname = dst_hostname,\n SrcHostname = src_hostname,\n EventSeverity = case( \n DvcAction=='Deny', 'Low',\n 'Informational' \n )\n | extend \n SrcProcessName = iif(dir=='O', pn, ''),\n DstProcessName = iif(dir=='I', pn, ''),\n SrcUsername = iif(dir=='O', un, ''),\n DstUsername = iif(dir=='I', un, '')\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername) \n //Aliases\n | extend \n DvcIpAddr = SrcIpAddr,\n DvcHostname = SrcHostname\n | extend\n AdditionalFields = bag_pack(\"Class\", ClassDetail,\n \"Network\",network,\n \"Source_Labels\", src_labels,\n \"Dest_Labels\", dst_labels,\n \"Src_href\", src_href, // can this be stored in SrcId instead?\n \"Dst_href\", dst_href // can this be stored in DvcId instead?\n )\n // aliases \n | 
extend\n Duration = NetworkDuration,\n User = DstUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n EventUid = _ItemId\n | project-away \n pce_fqdn,\n icmp_type,\n TenantId,\n proto,\n dst_port,\n src_ip,\n dst_ip,\n code,\n dst_dbi,\n dst_dbo,\n dst_tbi,\n dst_tbo, \n dst_hostname,\n src_hostname,\n dir,\n flow_count,\n src_href,\n dst_href,\n src_labels,\n dst_labels,\n network,\n class,\n org_id,\n state, // decide how to use this\n pd_qualifier, //decide how to use this\n interval_sec,\n version,\n ddms, // not needed\n tdms, // not needed\n pn, \n un,\n pd,\n ClassDetail\n}; \nparser(starttime=starttime, \nendtime=endtime, \nsrcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \ndstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \nipaddr_has_any_prefix=ipaddr_has_any_prefix,\ndstportnumber=dstportnumber,\nhostname_has_any=hostname_has_any, \ndvcaction=dvcaction,\neventresult=eventresult, \ndisabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json index 779ae1148f3..8925cd81f0d 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json 
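Review bot: The post-lookup filter in the Illumio query, `| where (array_length(dvcaction) == 0 or DvcAction in (dvcaction)) and eventresult=='*' or (eventresult == EventResult) and (...)`, is mis-parenthesized: KQL's `and` binds tighter than `or`, so when a caller passes `eventresult='Success'` or `'Failure'` the `dvcaction` term is bypassed and rows with an action the caller did not ask for are returned. The clause should read `| where (array_length(dvcaction) == 0 or DvcAction in (dvcaction)) and (eventresult == '*' or eventresult == EventResult)`; the hostname term can go, since the `ASimMatchingHostname != "No match"` check earlier in the same query already enforces it. Separately, `ProtocolLookup` lists protocol number `84` twice (`"TTP"` and `"IPTM"`), so `lookup ProtocolLookup on proto` emits two output rows for every event with `proto == 84` and `EventCount` is double-counted for that protocol; keep a single entry. `EventResultLookup` is declared but never referenced and can be dropped.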
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMD4IoTAgent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMD4IoTAgent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Microsoft Defender for IoT micro agent", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMD4IoTAgent", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix, srcipaddr_has_any_prefix); \n let DirectionNetworkEvents =\n SecurityIoTRawEvent \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime)\n | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n // *************** Prefilterring *****************************************************************\n |where (eventresult=='*' or eventresult=='Success')\n and (array_length(hostname_has_any)==0) \n and (array_length(dvcaction) ==0 ) /// if filtered by action return 
nothing\n and EventDetails has tostring(dstportnumber)\n and (array_length (ip_any)==0 or has_any_ipv4_prefix(EventDetails,ip_any))\n // *************** Prefilterring *****************************************************************\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n | where (isnull(dstportnumber) or (not(outbound) and dstportnumber == LocalPort) or (outbound and dstportnumber == RemotePort) ) \n ;\n let parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:long ','\n '\"BytesOut\":' BytesOut:long ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n }\n ; \n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | extend temp_isSrcMatch=has_any_ipv4_prefix(LocalAddress,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(RemoteAddress,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , 
temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"UID\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\n has_any_ipv4_prefix(RemoteAddress,src_or_any)\n ) \n , temp_isDstMatch=(\n has_any_ipv4_prefix(LocalAddress,dst_or_any) \n ) \n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"UID\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", 
\"Linux\", \"Windows\")\n ;\n let NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.3',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | project-away outbound\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n NetworkSessionMD4IoT};\n parser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Microsoft Defender for IoT micro agent", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMD4IoTAgent", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n 
ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix, srcipaddr_has_any_prefix); \n let DirectionNetworkEvents =\n SecurityIoTRawEvent \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime)\n | where not(disabled)\n | where RawEventName == \"NetworkActivity\"\n // *************** Prefilterring *****************************************************************\n |where (eventresult=='*' or eventresult=='Success')\n and (array_length(hostname_has_any)==0) \n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and EventDetails has tostring(dstportnumber)\n and (array_length (ip_any)==0 or has_any_ipv4_prefix(EventDetails,ip_any))\n // *************** Prefilterring *****************************************************************\n | parse EventDetails with * ',\"LocalPort\":' LocalPort:int ',\"RemotePort\":' RemotePort:int ',' *\n | extend outbound = LocalPort > RemotePort\n | where (isnull(dstportnumber) or (not(outbound) and dstportnumber == LocalPort) or (outbound and dstportnumber == RemotePort) ) \n ;\n let parser = (T: (EventDetails: string)) {\n T \n | parse EventDetails with \n '{\"LocalAddress\":\"' LocalAddress:string '\",'\n '\"RemoteAddress\":\"' RemoteAddress:string '\",'\n *\n '\"BytesIn\":' BytesIn:long ','\n '\"BytesOut\":' BytesOut:long ','\n '\"Protocol\":\"' Protocol:string '\",'\n '\"ProcessId\":' ProcessId:string ','\n '\"UserId\":' UserId:string ','\n '\"ApplicationProtocol\":\"' ApplicationProtocol:string '\",'\n * // '\"AzureResourceId\":\"' AzureResourceId:string '\",'\n '\"DeviceId\":\"' 
DeviceId:string '\",'\n '\"MessageSource\":\"' MessageSource:string '\",'\n '\"OriginalEventId\":\"' OriginalEventId:string '\",'\n '\"TimestampUTC\":\"' TimestampUTC:datetime '\",'\n *\n }\n ; \n let OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | extend temp_isSrcMatch=has_any_ipv4_prefix(LocalAddress,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(RemoteAddress,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | project-rename\n SrcBytes = BytesOut,\n DstBytes = BytesIn,\n SrcPortNumber = LocalPort,\n DstIpAddr = RemoteAddress,\n DstPortNumber = RemotePort,\n SrcProcessId = ProcessId\n | extend\n SrcIpAddr = LocalAddress,\n SrcDvcIdType = \"MD4IoTid\",\n SrcUserId = UserId,\n SrcUserIdType = \"UID\",\n SrcDvcId = DeviceId,\n Process = SrcProcessId, // alias\n SrcDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n ;\n let InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** Postfilterring *****************************************************************\n | invoke parser ()\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\n 
has_any_ipv4_prefix(RemoteAddress,src_or_any)\n ) \n , temp_isDstMatch=(\n has_any_ipv4_prefix(LocalAddress,dst_or_any) \n ) \n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename\n DstBytes = BytesOut,\n SrcBytes = BytesIn,\n DstPortNumber = LocalPort,\n SrcIpAddr = RemoteAddress,\n SrcPortNumber = RemotePort,\n DstProcessId = ProcessId\n | extend\n DstIpAddr = LocalAddress,\n DstDvcIdType = \"MD4IoTid\",\n DstUserId = UserId,\n DstUserIdType = \"UID\",\n DstDvcId = DeviceId,\n Process = DstProcessId, // alias\n DstDvcOs = iif (MessageSource == \"Linux\", \"Linux\", \"Windows\")\n ;\n let NetworkSessionMD4IoT = \n union InboundNetworkEvents, OutboundNetworkEvents\n | extend\n EventCount = int(1),\n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.3',\n EventSchema = \"NetworkSession\", \n EventType = 'NetworkSession',\n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventResult = 'Success',\n EventSeverity = 'Informational'\n | project-rename\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n EventOriginalUid = OriginalEventId, // OK pending question\n DvcOs = MessageSource,\n NetworkProtocol = Protocol,\n NetworkApplicationProtocol = ApplicationProtocol,\n DvcId = DeviceId,\n DvcIpAddr = LocalAddress\n | project-away outbound\n | extend\n Dvc = DvcId,\n DvcIdType = \"MD4IoTid\",\n User = UserId,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n ;\n NetworkSessionMD4IoT};\n parser(starttime, endtime, 
srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json
index 6d4e4916c3e..55a8f122183 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMD4IoTSensor')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMD4IoTSensor", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Microsoft Defender for IoT sensor logs", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMD4IoTSensor", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n DefenderIoTRawEvent\n | where RawEventName == \"NetworkConnectionData\"\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and not(disabled)\n and (array_length(dvcaction) == 0)\n and (array_length(hostname_has_any) == 0)\n and (eventresult in (\"*\",\"Success\"))\n | extend\n DstIpAddr = tostring(EventDetails.Destination.IPAddress),\n SrcIpAddr = tostring(EventDetails.Source.IPAddress)\n | extend temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend 
ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend\n DstPortNumber = toint(EventDetails.Destination.Port)\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | project-rename \n DvcSubscriptionId = AzureSubscriptionId\n | extend \n Dvc = tostring(EventDetails.SourceId),\n DstDvcId = tostring(EventDetails.Destination.DeviceId),\n DstMacAddr = tostring(EventDetails.Destination.MacAddress),\n DstDescription = tostring(EventDetails.Destination.DeviceName),\n SrcDvcId = tostring(EventDetails.Source.DeviceId),\n SrcMacAddr = tostring(EventDetails.Source.MacAddress),\n SrcPortNumber = toint(EventDetails.Source.Port),\n SrcDescription = tostring(EventDetails.Source.DeviceName),\n EventOriginalUid = tostring(EventDetails.Id),\n EventEndTime = todatetime(EventDetails.LastSeen),\n EventStartTime = todatetime(EventDetails.StartTime),\n NetworkProtocol = tostring(EventDetails.TransportProtocol)\n | extend\n EventProduct = 'Defender for IoT',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.4',\n EventCount = toint(1),\n EventSeverity = 'Informational',\n EventType = iff(DstIpAddr=='' and SrcIpAddr == '','L2NetworkSession','NetworkSession'),\n NetworkDirection = iff(tobool(EventDetails.IsInternal), 'Local',''),\n EventVendor = 'Microsoft',\n DstDvcIdType = 'MD4IoTid',\n SrcDvcIdType = 'MD4IoTid'\n | extend // -- Aliases\n Dst = coalesce(DstIpAddr,DstMacAddr),\n Src = coalesce(SrcIpAddr,SrcMacAddr),\n IpAddr = SrcIpAddr,\n EventStartTime = EventEndTime\n | project-away \n RawEventCategory, RawEventName, RawEventType, SourceSystem, TenantId, AgentVersion, IoTRawEventId, IsEmpty, AgentId, DeviceId, TimeStamp\n | project-away EventDetails, AssociatedResourceId\n};\nparser (\n 
starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Microsoft Defender for IoT sensor logs", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMD4IoTSensor", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n DefenderIoTRawEvent\n | where RawEventName == \"NetworkConnectionData\"\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and not(disabled)\n and (array_length(dvcaction) == 0)\n and (array_length(hostname_has_any) == 0)\n and (eventresult in (\"*\",\"Success\"))\n | extend\n DstIpAddr = tostring(EventDetails.Destination.IPAddress),\n SrcIpAddr = tostring(EventDetails.Source.IPAddress)\n | extend 
temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend\n DstPortNumber = toint(EventDetails.Destination.Port)\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | project-rename \n DvcSubscriptionId = AzureSubscriptionId\n | extend \n Dvc = tostring(EventDetails.SourceId),\n DstDvcId = tostring(EventDetails.Destination.DeviceId),\n DstMacAddr = tostring(EventDetails.Destination.MacAddress),\n DstDescription = tostring(EventDetails.Destination.DeviceName),\n SrcDvcId = tostring(EventDetails.Source.DeviceId),\n SrcMacAddr = tostring(EventDetails.Source.MacAddress),\n SrcPortNumber = toint(EventDetails.Source.Port),\n SrcDescription = tostring(EventDetails.Source.DeviceName),\n EventOriginalUid = tostring(EventDetails.Id),\n EventEndTime = todatetime(EventDetails.LastSeen),\n EventStartTime = todatetime(EventDetails.StartTime),\n NetworkProtocol = tostring(EventDetails.TransportProtocol)\n | extend\n EventProduct = 'Defender for IoT',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.4',\n EventCount = toint(1),\n EventSeverity = 'Informational',\n EventType = iff(DstIpAddr=='' and SrcIpAddr == '','L2NetworkSession','NetworkSession'),\n NetworkDirection = iff(tobool(EventDetails.IsInternal), 'Local',''),\n EventVendor = 'Microsoft',\n DstDvcIdType = 'MD4IoTid',\n SrcDvcIdType = 'MD4IoTid'\n | extend // -- Aliases\n Dst = coalesce(DstIpAddr,DstMacAddr),\n Src = coalesce(SrcIpAddr,SrcMacAddr),\n IpAddr = SrcIpAddr,\n EventStartTime = EventEndTime\n | project-away \n RawEventCategory, RawEventName, RawEventType, SourceSystem, TenantId, 
AgentVersion, IoTRawEventId, IsEmpty, AgentId, DeviceId, TimeStamp\n | project-away EventDetails, AssociatedResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult,\n disabled=disabled\n)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json
index 45542d94910..8673d8717b4 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMicrosoft365Defender')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMicrosoft365Defender", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for M365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMicrosoft365Defender", - "query": "let M365Defender=\n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false\n ){\nlet DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n// -- Common preprocessing to both input and outbound events\nlet RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or 
TimeGenerated<=endtime) \n | where not(disabled)\n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n | project-away AppGuardContainerId, LocalIPType, MachineGroup, RemoteIPType, Timestamp // , SourceSystem, TenantId, \n // -- Pre-filtering\n |where (array_length(dvcaction)==0 ) /// if filtered by action return nothing\n and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort)\n and (array_length(hostname_has_any)==0 \n or RemoteUrl has_any(hostname_has_any) or DeviceName has_any(hostname_has_any)\n )\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\n (Outbound and has_any_ipv4_prefix(LocalIP,src_or_any))\n or\n (not(Outbound) and has_any_ipv4_prefix(RemoteIP,src_or_any))\n ) \n , temp_isDstMatch=(\n (not(Outbound) and has_any_ipv4_prefix(LocalIP,dst_or_any))\n or\n (Outbound and has_any_ipv4_prefix(RemoteIP,dst_or_any))\n ) \n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend EventResult = iff(ActionType=='ConnectionFailed','Failure','Success')\n | where (eventresult=='*' or EventResult==eventresult)\n // -- End of pre-filtering\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-away \n ReportId, Outbound\n | project-rename \n EventOriginalResultDetails = 
ActionType\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | project-away Protocol\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | project-away RemoteUrl, DeviceName\n | extend\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n};\nlet OutboundNetworkEvents = \n RawNetworkEvents (true)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** /Postfilterring *****************************************************************\n | extend temp_isMatchSrcHostname=DvcHostname has_any(hostname_has_any)\n , temp_isMatchDstHostname=UrlHostname has_any(hostname_has_any)\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_isMatchDstHostname and temp_isMatchSrcHostname, \"Both\",\n temp_isMatchDstHostname, \"DstHostname\",\n temp_isMatchSrcHostname, \"SrcHostname\",\n \"No match\"\n )\n | project-away temp*\n | where 
ASimMatchingHostname != \"No match\"\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = InitiatingProcessAccountUpn\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcFQDN,\n SrcDomainType = DvcDomainType\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n;\nlet InboundNetworkEvents = \n RawNetworkEvents (false)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n // *************** /Postfilterring *****************************************************************\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"\",\n UrlHostname has_any(hostname_has_any), \"SrcHostname\",\n DvcHostname has_any(hostname_has_any), \"DstHostname\",\n \"No 
match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | extend \n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = DstProcessName,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n;\nunion InboundNetworkEvents, OutboundNetworkEvents\n| project-rename \n Hostname = UrlHostname\n| extend // aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr \n};\nM365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for M365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMicrosoft365Defender", + "query": "let M365Defender=\n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false\n ){\nlet DirectionLookup=datatable(ActionType:string,NetworkDirection:string,Outbound:boolean)[\n 'ConnectionSuccess','Outbound', true\n ,'ConnectionFailed', 'Outbound', true\n ,'ConnectionRequest','Outbound', true\n ,'InboundConnectionAccepted', 'Inbound', false\n ,'ConnectionFound', 'Unknown', false\n ,'ListeningConnectionCreated', 'Listen', false \n];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n// -- Common preprocessing to both input and outbound events\nlet RawNetworkEvents = (select_outbound:boolean) {\n DeviceNetworkEvents \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n | where not(disabled)\n | lookup DirectionLookup on ActionType\n | where Outbound == select_outbound\n | project-away AppGuardContainerId, LocalIPType, MachineGroup, RemoteIPType, Timestamp // , SourceSystem, TenantId, \n // -- Pre-filtering\n |where (array_length(dvcaction)==0 
) /// if filtered by action return nothing\n and (isnull(dstportnumber) or dstportnumber == LocalPort or dstportnumber == RemotePort)\n and (array_length(hostname_has_any)==0 \n or RemoteUrl has_any(hostname_has_any) or DeviceName has_any(hostname_has_any)\n )\n | extend temp_isSrcMatch=( // only one of each pair has_any_ipv4_prefix is calculated\n (Outbound and has_any_ipv4_prefix(LocalIP,src_or_any))\n or\n (not(Outbound) and has_any_ipv4_prefix(RemoteIP,src_or_any))\n ) \n , temp_isDstMatch=(\n (not(Outbound) and has_any_ipv4_prefix(LocalIP,dst_or_any))\n or\n (Outbound and has_any_ipv4_prefix(RemoteIP,dst_or_any))\n ) \n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n ) \n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend EventResult = iff(ActionType=='ConnectionFailed','Failure','Success')\n | where (eventresult=='*' or EventResult==eventresult)\n // -- End of pre-filtering\n | extend\n // Event\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchema = 'NetworkSession',\n EventSchemaVersion = '0.2.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'NetworkSession',\n EventSeverity = \"Informational\",\n DvcIdType = 'MDEid'\n | project-away \n ReportId, Outbound\n | project-rename \n EventOriginalResultDetails = ActionType\n | extend\n RemoteUrl = extract (@\"(?:https?://)?(.*)\", 1, RemoteUrl)\n | extend\n User = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n UsernameType = iff(InitiatingProcessAccountDomain 
== '','Simple', 'Windows'),\n SplitHostname = split(DeviceName,\".\"),\n SplitUrl = split(RemoteUrl,\".\"),\n NetworkProtocol = case (\n Protocol startswith \"Tcp\", \"TCP\",\n Protocol == \"Unknown\", \"\",\n toupper(Protocol)\n )\n | project-away Protocol\n | extend \n DvcHostname = tostring(SplitHostname[0]),\n DvcDomain = tostring(strcat_array(array_slice(SplitHostname, 1, -1), '.')),\n DvcFQDN = iif (DeviceName contains \".\", DeviceName, \"\"),\n UrlHostname = tostring(SplitUrl[0]),\n UrlDomain = tostring(strcat_array(array_slice(SplitUrl, 1, -1), '.')),\n UrlFQDN = iif(RemoteUrl contains \".\", RemoteUrl, \"\")\n | project-away RemoteUrl, DeviceName\n | extend\n DvcDomainType = iif(DvcFQDN != \"\", \"FQDN\", \"\"),\n UrlDomainType = iff(UrlFQDN != \"\", \"FQDN\", \"\"),\n DvcIpAddr = LocalIP\n | extend\n Dvc = DvcHostname \n | project-rename\n DvcId = DeviceId\n | project-away SplitUrl, SplitHostname\n};\nlet OutboundNetworkEvents = \n RawNetworkEvents (true)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==RemotePort)\n // *************** /Postfilterring *****************************************************************\n | extend temp_isMatchSrcHostname=DvcHostname has_any(hostname_has_any)\n , temp_isMatchDstHostname=UrlHostname has_any(hostname_has_any)\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n temp_isMatchDstHostname and temp_isMatchSrcHostname, \"Both\",\n temp_isMatchDstHostname, \"DstHostname\",\n temp_isMatchSrcHostname, \"SrcHostname\",\n \"No match\"\n )\n | project-away temp*\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n DstIpAddr = RemoteIP,\n SrcIpAddr = LocalIP,\n DstPortNumber = RemotePort,\n SrcPortNumber = LocalPort,\n SrcUsernameType = UsernameType,\n SrcUserAadId = InitiatingProcessAccountObjectId,\n SrcUserId = InitiatingProcessAccountSid,\n SrcUserUpn = 
InitiatingProcessAccountUpn\n | extend\n SrcUsername = User,\n SrcDvcId = DvcId,\n SrcDvcIdType = 'MDEid',\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstHostname = UrlHostname\n | project-rename\n DstDomain = UrlDomain,\n DstFQDN = UrlFQDN,\n DstDomainType = UrlDomainType\n | extend \n SrcHostname = DvcHostname,\n SrcDomain = DvcDomain,\n SrcFQDN = DvcFQDN,\n SrcDomainType = DvcDomainType\n // Processes\n | extend\n SrcProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n SrcProcessName = InitiatingProcessFileName,\n SrcProcessCommandLine = InitiatingProcessCommandLine,\n SrcProcessCreationTime = InitiatingProcessCreationTime,\n SrcProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n SrcProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = SrcProcessName,\n ProcessId = SrcProcessId,\n SrcAppName = SrcProcessName,\n SrcAppType = \"Process\"\n;\nlet InboundNetworkEvents = \n RawNetworkEvents (false)\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or dstportnumber==LocalPort)\n // *************** /Postfilterring *****************************************************************\n |extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"\",\n UrlHostname has_any(hostname_has_any), \"SrcHostname\",\n DvcHostname has_any(hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n SrcIpAddr = RemoteIP,\n DstIpAddr = LocalIP,\n SrcPortNumber = RemotePort,\n DstPortNumber = LocalPort,\n DstUsernameType = UsernameType,\n DstUserAadId = InitiatingProcessAccountObjectId,\n DstUserId = 
InitiatingProcessAccountSid,\n DstUserUpn = InitiatingProcessAccountUpn,\n SrcDomain = UrlDomain,\n SrcFQDN = UrlFQDN,\n SrcDomainType = UrlDomainType\n | extend\n DstUsername = User,\n DstDvcId = DvcId,\n DstDvcIdType = 'MDEid',\n DstUserIdType = 'SID',\n SrcHostname = UrlHostname\n | extend \n DstHostname = DvcHostname,\n DstDomain = DvcDomain,\n DstFQDN = DvcFQDN\n // Processes\n | extend\n DstProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId)\n | project-rename\n DstProcessName = InitiatingProcessFileName,\n DstProcessCommandLine = InitiatingProcessCommandLine,\n DstProcessCreationTime = InitiatingProcessCreationTime,\n DstProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n DstProcessTokenElevation = InitiatingProcessTokenElevation,\n ParentProcessName = InitiatingProcessParentFileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime\n | extend\n Process = DstProcessName,\n DstAppName = DstProcessName,\n DstAppType = \"Process\"\n;\nunion InboundNetworkEvents, OutboundNetworkEvents\n| project-rename \n Hostname = UrlHostname\n| extend // aliases\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr \n};\nM365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json
index 9db0e2bb7d4..f0cdaf3bd64 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionLinuxSysmon", - "query": "let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet DirectionNetworkEvents =\n Syslog \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n | where not(disabled)\n | project SyslogMessage, TimeGenerated, HostIP\n | where SyslogMessage has_all ('3')\n // *************** Prefilterring *****************************************************************\n | where \n (eventresult=='*' or eventresult=='Success')\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(SyslogMessage,ip_any)\n ) \n and (array_length(hostname_has_any)==0 \n or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \n // *************** / Prefilterring ***************************************************************\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | where 
(array_length(srcipaddr_has_any_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix)\n ) \n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n;\nlet parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, RuleName\n};\nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n| extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n)\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_isSrcHostMatch= (SrcHostname has_any (hostname_has_any))\n , temp_isDstHostMatch = (DstHostname has_any (hostname_has_any))\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcHostMatch and temp_isDstHostMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcHostMatch, \"SrcHostname\"\n , 
temp_isDstHostMatch, \"DstHostname\"\n , \"No match\"\n)\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcAppType = 'Process'\n | project-rename\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process\n | extend\n SrcAppName = SrcProcessName\n | project-away SyslogMessage\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n // *************** Postfilterring ***************************************************************\n | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // *************** Postfilterring ***************************************************************\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n DstUsernameType = 'Simple',\n DstAppType = 'Process' \n | project-rename\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process\n | extend\n DstAppName = DstProcessName\n | project-away SyslogMessage\n;\nlet SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.3',\n EventSchema = 'NetworkSession', \n 
EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n NetworkProtocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-away outbound, Protocol\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n;\nSysmonForLinuxNetwork ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionLinuxSysmon", + "query": "let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet DirectionNetworkEvents =\n Syslog \n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n | where not(disabled)\n | project SyslogMessage, TimeGenerated, HostIP\n | where SyslogMessage has_all ('3')\n // *************** Prefilterring *****************************************************************\n | where \n (eventresult=='*' or eventresult=='Success')\n and (array_length(dvcaction) ==0 ) /// if filtered by action return nothing\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(SyslogMessage,ip_any)\n ) \n and 
(array_length(hostname_has_any)==0 \n or SyslogMessage has_any(hostname_has_any)) \n and (isnull(dstportnumber) or SyslogMessage has (tostring(dstportnumber))) \n // *************** / Prefilterring ***************************************************************\n | parse SyslogMessage with * '' SrcIpAddr:string '' *\n | where (array_length(srcipaddr_has_any_prefix)==0 \n or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix)\n ) \n | extend outbound = (SrcIpAddr == HostIP or SrcIpAddr in ('127.0.0.1', '0.0.0.0'))\n;\nlet parser = (T: (SyslogMessage: string)) {\n T \n | parse SyslogMessage with \n *\n '' EventOriginalUid:string ''\n *\n '' SysmonComputer:string ''\n *\n '' RuleName:string ''\n '' EventEndTime:datetime ''\n '{' ProcessGuid:string '}'\n '' ProcessId:string ''\n '' Process:string ''\n '' User:string ''\n '' Protocol:string '' // -- source is lowercase\n '' Initiated:bool '' \n '' SourceIsIpv6:bool ''\t\t\n '' * ''\n '' SrcHostname:string ''\n '' SrcPortNumber:int ''\n '' SrcPortName:string ''\n '' DestinationIsIpv6:bool ''\n '' DstIpAddr:string ''\n '' DstHostname:string ''\n '' DstPortNumber:int ''\n '' DstPortName:string ''\n *\n | project-away DstPortName, DestinationIsIpv6, Initiated, SourceIsIpv6, SrcPortName, RuleName\n};\nlet OutboundNetworkEvents = \n DirectionNetworkEvents\n | where outbound\n | invoke parser ()\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n| extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n)\n | where ASimMatchingIpAddr != \"No match\"\n | extend temp_isSrcHostMatch= (SrcHostname has_any (hostname_has_any))\n , temp_isDstHostMatch = (DstHostname 
has_any (hostname_has_any))\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcHostMatch and temp_isDstHostMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcHostMatch, \"SrcHostname\"\n , temp_isDstHostMatch, \"DstHostname\"\n , \"No match\"\n)\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcUsernameType = 'Simple',\n SrcUsername = User,\n SrcAppType = 'Process'\n | project-rename\n SrcProcessId = ProcessId, \n SrcProcessGuid = ProcessGuid,\n SrcProcessName = Process\n | extend\n SrcAppName = SrcProcessName\n | project-away SyslogMessage\n;\nlet InboundNetworkEvents = \n DirectionNetworkEvents\n | where not(outbound)\n | invoke parser ()\n // *************** Postfilterring ***************************************************************\n | where (array_length(hostname_has_any)==0 or DstHostname has_any (hostname_has_any)or SrcHostname has_any (hostname_has_any) )\n and (isnull(dstportnumber) or DstPortNumber ==dstportnumber)\n // *************** Postfilterring ***************************************************************\n | extend \n temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any) \n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | project-away temp_*\n | where ASimMatchingIpAddr != \"No match\"\n | extend\n DstUsernameType = 'Simple',\n DstAppType = 'Process' \n | project-rename\n DstUsername = User,\n DstProcessId = ProcessId, \n DstProcessGuid = ProcessGuid,\n DstProcessName = Process\n | extend\n DstAppName = DstProcessName\n | 
project-away SyslogMessage\n;\nlet SysmonForLinuxNetwork=\n union OutboundNetworkEvents, InboundNetworkEvents\n | extend \n EventType = 'NetworkSession',\n EventStartTime = EventEndTime,\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.3',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon for Linux',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Linux',\n NetworkProtocol = toupper(Protocol),\n NetworkDirection = iff(outbound, \"Outbound\", \"Inbound\"),\n EventOriginalType = '3' // Set with a constant value to avoid parsing\n | project-away outbound, Protocol\n | project-rename \n DvcIpAddr = HostIP,\n DvcHostname = SysmonComputer\n | extend // aliases\n Dvc = DvcHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr\n;\nSysmonForLinuxNetwork ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json index 4a114a7d84b..b0c8ada05ca 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMicrosoftSecurityEventFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMicrosoftSecurityEventFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Microsoft Windows Firewall", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMicrosoftSecurityEventFirewall", - "query": "let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n 
'%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false\n) { \n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let SecurityEventProjected =\n SecurityEvent\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n ;\n // Event IDs between (5151 .. 
5159)\n // will be extracting Event specific fields from 'EventData' field\n let SecurityEvent_5152 = \n SecurityEventProjected \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID==5152\n // *************** Prefilterring *****************************************************************\n |where (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (array_length(dvcaction)==0 or (dvcaction=='Deny') ) \n and (array_length(hostname_has_any)==0 )\n and (eventresult=='*' or eventresult=='Failure')\n // *************** / Prefilterring *****************************************************************\n | extend EventResult = \"Failure\"\n | parse EventData with * \n ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*, EventData\n ;\n let SecurityEvent_5154_5155_5158_5159 =\n SecurityEventProjected \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID in (5154, 5155, 
5158, 5159)\n // *************** Prefilterring *****************************************************************\n |where (array_length(dstipaddr_has_any_prefix)==0 ) \n and (array_length(hostname_has_any)==0 ) \n and (isnull(dstportnumber) ) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID in (5154,5158)) \n or (dvcaction=='Deny' and EventID !in (5154,5158))\n ) \n | extend EventResult = iff(EventID in (5154, 5158), \"Success\", \"Failure\")\n | where (eventresult=='*' or EventResult==eventresult)\n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend DirectionCode = \"%%14609\"\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=false\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_* , EventData\n ;\n let SecurityEvent_5156_5157 =\n SecurityEventProjected\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID in (5156, 5157)\n | extend EventResult = iff(EventID == 5156, \"Success\", \"Failure\")\n // *************** Prefilterring *****************************************************************\n | where (isnull(starttime) or 
TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID == 5156) \n or (dvcaction=='Deny' and EventID <> 5156)\n )\n and (array_length(hostname_has_any)==0 )\n and (eventresult=='*' or EventResult==eventresult) \n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'DirectionCode:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID:string''\n '\\x0d\\x0a 'RemoteMachineID:string''*\n | project-away EventData\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n ;\n union SecurityEvent_5154_5155_5158_5159, SecurityEvent_5156_5157, SecurityEvent_5152\n | lookup Directions on DirectionCode\n | project-rename DvcHostname = Computer\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\n 
SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away Application, RemoteMachineID, ProcessId, RemoteUserID\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\n // *************** / Postfilterring *****************************************************************\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.3\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n // -- Aliases\n | extend \n Dvc = DvcHostname,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring(NetworkRuleNumber),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId\n };\n parser(starttime=starttime, \n endtime=endtime, \n 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Microsoft Windows Firewall", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMicrosoftSecurityEventFirewall", + "query": "let LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 
'Bidirectional', false,\n '%%14609', 'Listen', false];\n///////////////////////////////////////////////////////\n// this query extract data fields from EventData column from SecurityEvent table\n///////////////////////////////////////////////////////\nlet parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false\n) { \n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let SecurityEventProjected =\n SecurityEvent\n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n ;\n // Event IDs between (5151 .. 
5159)\n // will be extracting Event specific fields from 'EventData' field\n let SecurityEvent_5152 = \n SecurityEventProjected \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID==5152\n // *************** Prefilterring *****************************************************************\n |where (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (array_length(dvcaction)==0 or (dvcaction=='Deny') ) \n and (array_length(hostname_has_any)==0 )\n and (eventresult=='*' or eventresult=='Failure')\n // *************** / Prefilterring *****************************************************************\n | extend EventResult = \"Failure\"\n | parse EventData with * \n ''ProcessId:string''\n '\\x0d\\x0a 'Application''\n '\\x0d\\x0a 'DirectionCode''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*, EventData\n ;\n let SecurityEvent_5154_5155_5158_5159 =\n SecurityEventProjected \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID in (5154, 5155, 
5158, 5159)\n // *************** Prefilterring *****************************************************************\n |where (array_length(dstipaddr_has_any_prefix)==0 ) \n and (array_length(hostname_has_any)==0 ) \n and (isnull(dstportnumber) ) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID in (5154,5158)) \n or (dvcaction=='Deny' and EventID !in (5154,5158))\n ) \n | extend EventResult = iff(EventID in (5154, 5158), \"Success\", \"Failure\")\n | where (eventresult=='*' or EventResult==eventresult)\n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string'' \n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''*\n | extend DirectionCode = \"%%14609\"\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=false\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_* , EventData\n ;\n let SecurityEvent_5156_5157 =\n SecurityEventProjected\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where EventID in (5156, 5157)\n | extend EventResult = iff(EventID == 5156, \"Success\", \"Failure\")\n // *************** Prefilterring *****************************************************************\n | where (isnull(starttime) or 
TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData ,ip_any)\n ) \n and (isnull(dstportnumber) or EventData has tostring(dstportnumber) ) \n and (array_length(dvcaction)==0 \n or (dvcaction=='Allow' and EventID == 5156) \n or (dvcaction=='Deny' and EventID <> 5156)\n )\n and (array_length(hostname_has_any)==0 )\n and (eventresult=='*' or EventResult==eventresult) \n // *************** / Prefilterring *****************************************************************\n | parse EventData with * ''ProcessId:string''\n '\\x0d\\x0a 'Application:string''\n '\\x0d\\x0a 'DirectionCode:string''\n '\\x0d\\x0a 'SrcIpAddr:string''\n '\\x0d\\x0a 'SrcPortNumber:int''\n '\\x0d\\x0a 'DstIpAddr:string''\n '\\x0d\\x0a 'DstPortNumber:int''\n '\\x0d\\x0a 'Protocol:int''\n '\\x0d\\x0a 'NetworkRuleNumber:int''\n '\\x0d\\x0a 'LayerCode''\n '\\x0d\\x0a 'LayerRTID''\n '\\x0d\\x0a 'RemoteUserID:string''\n '\\x0d\\x0a 'RemoteMachineID:string''*\n | project-away EventData\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n ;\n union SecurityEvent_5154_5155_5158_5159, SecurityEvent_5156_5157, SecurityEvent_5152\n | lookup Directions on DirectionCode\n | project-rename DvcHostname = Computer\n | extend\n SrcAppName = iff(isOutBound, Application, \"\"),\n DstAppName = iff(not(isOutBound), Application, \"\"),\n SrcDvcId = iff(isOutBound, RemoteMachineID, \"\"),\n DstDvcId = iff(not(isOutBound), RemoteMachineID, \"\"),\n 
SrcProcessId = iff(isOutBound, tostring(ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(ProcessId), \"\"),\n DstUserId = iff(isOutBound, RemoteUserID, \"\"),\n SrcUserId = iff(not(isOutBound), RemoteUserID, \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away Application, RemoteMachineID, ProcessId, RemoteUserID\n // *************** Postfilterring *****************************************************************\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\n // *************** / Postfilterring *****************************************************************\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.3\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n // -- Aliases\n | extend \n Dvc = DvcHostname,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring(NetworkRuleNumber),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID, LayerRTID,_ResourceId,_SubscriptionId\n };\n parser(starttime=starttime, \n endtime=endtime, \n 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json
index 89f417af727..874a35dc85d 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMicrosoftSysmon", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false\n) {\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet Sysmon3_Event=Event\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled)\n // -- Pre-filtering:\n | where (eventresult == '*' or eventresult == 'Success')\n and array_length(dvcaction) == 0\n // dstportnumber filter used later in the parser\n // hostname_has_any used later in the parser \n // -- End pre-filtering\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | parse-kv EventData as (\n SourceIp: string,\n 
DestinationIp: string,\n SourceHostname: string,\n DestinationHostname: string,\n Initiated: bool, // Initiated indicates the process initiated a connection (meaning outbound)\n RuleName: string,\n UtcTime: datetime,\n ProcessGuid: string,\n ProcessId: string,\n Image: string,\n User: string,\n Protocol: string,\n SourceIsIpv6: bool,\n SourcePort: int,\n SourcePortName: string,\n DestinationIsIpv6: bool,\n DestinationPort: int,\n DestinationPortName: string\n )\n with (regex=@'{?([^>]*?)}?')\n | where (array_length(ip_any) == 0 \n or has_any_ipv4_prefix(EventData, ip_any)\n ) \n and (isnull(dstportnumber)) or dstportnumber == DestinationPort\n and (array_length(hostname_has_any) == 0) or SourceHostname has_any (hostname_has_any) or DestinationHostname has_any (hostname_has_any)\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIp, src_or_any)\n ,\n temp_isDstMatch=has_any_ipv4_prefix(DestinationIp, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\" // match not requested: probably most common case\n ,\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\" // has to be checked before the individual \n ,\n temp_isSrcMatch,\n \"SrcIpAddr\"\n ,\n temp_isDstMatch,\n \"DstIpAddr\"\n ,\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away EventData\n | project-rename\n SrcHostname = SourceHostname,\n DstHostname = DestinationHostname\n | project-away\n Source,\n EventLog,\n EventCategory,\n UserName,\n Message,\n ParameterXml,\n RenderedDescription,\n MG,\n AzureDeploymentID,\n Role; \nSysmon3_Event\n| extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n| extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n 
SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\")\n| project-away ProcessId, ProcessGuid, Image, AppName\n| project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName\n| extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated,\n DstHostname,\n not(Initiated),\n SrcHostname,\n Dvc\n ),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n| extend\n DvcHostname = Hostname\n| extend\n SrcHostname = iff(SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff(DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff(DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n| project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n| invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n| invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n| invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n| project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n| extend \n 
NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n| project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,\n _ResourceId\n};\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMicrosoftSysmon", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false\n) {\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet Sysmon3_Event=Event\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not(disabled)\n // -- Pre-filtering:\n | where (eventresult == '*' or eventresult == 'Success')\n and array_length(dvcaction) == 0\n // dstportnumber 
filter used later in the parser\n // hostname_has_any used later in the parser \n // -- End pre-filtering\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | parse-kv EventData as (\n SourceIp: string,\n DestinationIp: string,\n SourceHostname: string,\n DestinationHostname: string,\n Initiated: bool, // Initiated indicates the process initiated a connection (meaning outbound)\n RuleName: string,\n UtcTime: datetime,\n ProcessGuid: string,\n ProcessId: string,\n Image: string,\n User: string,\n Protocol: string,\n SourceIsIpv6: bool,\n SourcePort: int,\n SourcePortName: string,\n DestinationIsIpv6: bool,\n DestinationPort: int,\n DestinationPortName: string\n )\n with (regex=@'{?([^>]*?)}?')\n | where (array_length(ip_any) == 0 \n or has_any_ipv4_prefix(EventData, ip_any)\n ) \n and (isnull(dstportnumber)) or dstportnumber == DestinationPort\n and (array_length(hostname_has_any) == 0) or SourceHostname has_any (hostname_has_any) or DestinationHostname has_any (hostname_has_any)\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIp, src_or_any)\n ,\n temp_isDstMatch=has_any_ipv4_prefix(DestinationIp, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\" // match not requested: probably most common case\n ,\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\" // has to be checked before the individual \n ,\n temp_isSrcMatch,\n \"SrcIpAddr\"\n ,\n temp_isDstMatch,\n \"DstIpAddr\"\n ,\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away EventData\n | project-rename\n SrcHostname = SourceHostname,\n DstHostname = DestinationHostname\n | project-away\n Source,\n EventLog,\n EventCategory,\n UserName,\n Message,\n ParameterXml,\n RenderedDescription,\n MG,\n AzureDeploymentID,\n Role; \nSysmon3_Event\n| extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n| extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = 
iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\")\n| project-away ProcessId, ProcessGuid, Image, AppName\n| project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName\n| extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated,\n DstHostname,\n not(Initiated),\n SrcHostname,\n Dvc\n ),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n| extend\n DvcHostname = Hostname\n| extend\n SrcHostname = iff(SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff(DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff(DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n| project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n| invoke \n 
_ASIM_ResolveSrcFQDN('TmpSrcHostname')\n| invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n| invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n| project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n| extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n| project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,\n _ResourceId\n};\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json index 37eef261dfd..49666efc4b6 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMicrosoftSysmonWindowsEvent", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false\n) {\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet Sysmon3_WindowsEvent=WindowsEvent\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // -- Pre-filtering:\n | where (eventresult == '*' or eventresult == 'Success') \n and array_length(dvcaction) == 0\n // dstportnumber filter used later in the parser\n // hostname_has_any used later in the parser \n // -- End pre-filtering\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | 
extend\n SourceIp = tostring(EventData.SourceIp),\n DestinationIp = tostring(EventData.DestinationIp),\n DstHostname = tostring(EventData.DestinationHostname),\n SrcHostname = tostring(EventData.SrcHostname),\n RuleName = tostring(EventData.RuleName),\n UtcTime = todatetime(EventData.UtcTime),\n ProcessId = tostring(EventData.ProcessId),\n Image = tostring(EventData.Image),\n User = tostring(EventData.User),\n Protocol = tostring(EventData.Protocol),\n Initiated = tobool(EventData.Initiated), // Initiated indicates the process initiated a connection (meaning outbound)\n SourceIsIpv6 = tobool(EventData.SourceIsIpv6),\n SourcePort = toint(EventData.SourcePort),\n SourcePortName = tostring(EventData.SourcePortName),\n DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),\n DestinationPort = toint(EventData.DestinationPort),\n DestinationPortName = tostring(EventData.DestinationPortName)\n | where (array_length(ip_any) == 0 \n or has_any_ipv4_prefix(EventData, ip_any)\n ) \n and (isnull(dstportnumber)) or dstportnumber == DestinationPort\n and (array_length(hostname_has_any) == 0) or SrcHostname has_any (hostname_has_any) or DstHostname has_any (hostname_has_any)\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIp, src_or_any)\n ,\n temp_isDstMatch=has_any_ipv4_prefix(DestinationIp, dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\" // match not requested: probably most common case\n ,\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\" // has to be checked before the individual \n ,\n temp_isSrcMatch,\n \"SrcIpAddr\"\n ,\n temp_isDstMatch,\n \"DstIpAddr\"\n ,\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse EventData.ProcessGuid with \"{\" ProcessGuid \"}\"\n | project-away EventData\n | project-away\n Provider,\n Channel,\n Task,\n Data,\n RawEventData,\n EventOriginId;\nSysmon3_WindowsEvent\n| extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n| extend\n 
SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\")\n| project-away ProcessId, ProcessGuid, Image, AppName\n| project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n| extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated,\n DstHostname,\n not(Initiated),\n SrcHostname,\n Dvc\n ),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n| extend\n DvcHostname = Hostname\n| extend\n SrcHostname = iff(SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff(DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff(DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n| project-rename\n TmpSrcHostname = SrcHostname,\n 
TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n| invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n| invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n| invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n| project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n| extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n| project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n _ResourceId,\n Version\n};\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session Event ASIM parser for Sysmon (Event 3)", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMicrosoftSysmonWindowsEvent", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null), \nsrcipaddr_has_any_prefix: dynamic=dynamic([]), \ndstipaddr_has_any_prefix: dynamic=dynamic([]), \nipaddr_has_any_prefix: dynamic=dynamic([]),\ndstportnumber: int=int(null), \nhostname_has_any: dynamic=dynamic([]), \ndvcaction: dynamic=dynamic([]), \neventresult: string='*', \ndisabled: bool=false\n) {\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet 
dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet Sysmon3_WindowsEvent=WindowsEvent\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n // -- Pre-filtering:\n | where (eventresult == '*' or eventresult == 'Success') \n and array_length(dvcaction) == 0\n // dstportnumber filter used later in the parser\n // hostname_has_any used later in the parser \n // -- End pre-filtering\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 3\n | extend\n SourceIp = tostring(EventData.SourceIp),\n DestinationIp = tostring(EventData.DestinationIp),\n DstHostname = tostring(EventData.DestinationHostname),\n SrcHostname = tostring(EventData.SrcHostname),\n RuleName = tostring(EventData.RuleName),\n UtcTime = todatetime(EventData.UtcTime),\n ProcessId = tostring(EventData.ProcessId),\n Image = tostring(EventData.Image),\n User = tostring(EventData.User),\n Protocol = tostring(EventData.Protocol),\n Initiated = tobool(EventData.Initiated), // Initiated indicates the process initiated a connection (meaning outbound)\n SourceIsIpv6 = tobool(EventData.SourceIsIpv6),\n SourcePort = toint(EventData.SourcePort),\n SourcePortName = tostring(EventData.SourcePortName),\n DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),\n DestinationPort = toint(EventData.DestinationPort),\n DestinationPortName = tostring(EventData.DestinationPortName)\n | where (array_length(ip_any) == 0 \n or has_any_ipv4_prefix(EventData, ip_any)\n ) \n and (isnull(dstportnumber)) or dstportnumber == DestinationPort\n and (array_length(hostname_has_any) == 0) or SrcHostname has_any (hostname_has_any) or DstHostname has_any (hostname_has_any)\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIp, src_or_any)\n ,\n temp_isDstMatch=has_any_ipv4_prefix(DestinationIp, dst_or_any)\n | extend 
ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\" // match not requested: probably most common case\n ,\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\" // has to be checked before the individual \n ,\n temp_isSrcMatch,\n \"SrcIpAddr\"\n ,\n temp_isDstMatch,\n \"DstIpAddr\"\n ,\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse EventData.ProcessGuid with \"{\" ProcessGuid \"}\"\n | project-away EventData\n | project-away\n Provider,\n Channel,\n Task,\n Data,\n RawEventData,\n EventOriginId;\nSysmon3_WindowsEvent\n| extend\n AppName = tostring(split(Image, \"\\\\\")[-1])\n| extend\n SrcUsernameType = iff(not(Initiated), \"Windows\", \"\"),\n SrcUsername = iff(not(Initiated), tostring(User), \"\"),\n SrcProcessId = iff(not(Initiated), tostring(ProcessId), \"\"),\n SrcProcessGuid = iff(not(Initiated), ProcessGuid, \"\"),\n SrcProcessName = iff(not(Initiated), tostring(Image), \"\"),\n SrcAppName = iff(not(Initiated), AppName, \"\"),\n SrcAppType = iff(not(Initiated), 'Process', \"\"),\n DstUsernameType = iff(Initiated, \"Windows\", \"\"),\n DstUsername = iff(Initiated, tostring(User), \"\"),\n DstProcessId = iff(Initiated, tostring(ProcessId), \"\"),\n DstProcessGuid = iff(Initiated, ProcessGuid, \"\"),\n DstProcessName = iff(Initiated, tostring(Image), \"\"),\n DstAppName = iff(Initiated, AppName, \"\"),\n DstAppType = iff(Initiated, 'Process', \"\")\n| project-away ProcessId, ProcessGuid, Image, AppName\n| project-rename \n EventStartTime = UtcTime,\n Dvc = Computer,\n SrcIpAddr = SourceIp,\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort,\n SrcPortNumber = SourcePort,\n NetworkRuleName = RuleName \n| extend \n EventEndTime = EventStartTime,\n Hostname = case(\n Initiated,\n DstHostname,\n not(Initiated),\n SrcHostname,\n Dvc\n ),\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n DvcIpAddr = iff(Initiated, SrcIpAddr, DstIpAddr),\n IpAddr = SrcIpAddr,\n EventType = 
'EndpointNetworkSession',\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.5',\n EventSchema = 'NetworkSession', \n EventProduct = 'Sysmon',\n EventResult = 'Success',\n EventSeverity = 'Informational',\n DvcOs = 'Windows',\n Protocol = toupper(Protocol),\n EventOriginalType = '3' // Set with a constant value to avoid parsing \n| extend\n DvcHostname = Hostname\n| extend\n SrcHostname = iff(SrcHostname == \"-\", \"\", SrcHostname),\n DvcHostname = iff(DvcHostname == \"-\", \"\", DvcHostname),\n DstHostname = iff(DstHostname == \"-\", \"\", DstHostname) // let's make empty values actually empty\n| project-rename\n TmpSrcHostname = SrcHostname,\n TmpDvcHostname = DvcHostname,\n TmpDstHostname = DstHostname\n| invoke \n _ASIM_ResolveSrcFQDN('TmpSrcHostname')\n| invoke \n _ASIM_ResolveDvcFQDN('TmpDvcHostname')\n| invoke \n _ASIM_ResolveDstFQDN('TmpDstHostname')\n| project-away\n TmpSrcHostname,\n TmpDvcHostname,\n TmpDstHostname\n| extend \n NetworkProtocolVersion = iff((DestinationIsIpv6) or (SourceIsIpv6), \"IPV6\", \"IPV4\"),\n NetworkProtocol = toupper(Protocol)\n| project-away \n Destination*,\n Initiated,\n ManagementGroupName,\n TenantId,\n Protocol,\n Source*,\n EventID,\n EventLevelName,\n EventLevel,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n _ResourceId,\n Version\n};\n parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix,dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file 
+} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json index cb60e79f89b..49edb72a4ef 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json 
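Review bot: The `where` clause in the new query string, `and (isnull(dstportnumber)) or dstportnumber == DestinationPort and (array_length(hostname_has_any) == 0) or SrcHostname has_any (hostname_has_any) or DstHostname has_any (hostname_has_any)`, mixes `and`/`or` without grouping, and since `and` binds tighter than `or` in KQL a row that satisfies only the port filter, or only the hostname filter, passes even when the `ip_any` prefix filter does not match it, so a caller combining two filter parameters gets rows the filters should have excluded. Each filter should be its own parenthesised conjunct: `and (isnull(dstportnumber) or dstportnumber == DestinationPort)` and `and (array_length(hostname_has_any) == 0 or SrcHostname has_any (hostname_has_any) or DstHostname has_any (hostname_has_any))`. The vimNetworkSessionMicrosoftSysmon query earlier in this diff carries the same expression. This JSON appears to be generated from the parser YAML, so the correction belongs in the YAML source and should be regenerated rather than patched here.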
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionMicrosoftWindowsEventFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionMicrosoftWindowsEventFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Microsoft Windows Firewall", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionMicrosoftWindowsEventFirewall", - "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 
'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent table\n//////////////////////////////////////////////////////\nlet parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n WindowsEvent \n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n |where not(disabled)\n | where EventID between (5150 .. 
5159)\n | extend EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\")\n // *************** Prefilterring *******************\n | where (isnull(dstportnumber) or EventData has tostring(dstportnumber)) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData,ip_any)) \n and (array_length(hostname_has_any)==0 ) \n and (array_length(dvcaction)==0 ) \n and (eventresult=='*' or EventResult==eventresult)\n // *************** Prefilterring *****************************************************************\n | extend SrcIpAddr = tostring(EventData.SourceAddress)\n , DstIpAddr = tostring(EventData.DestAddress)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = toint(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | project-rename DvcHostname = Computer\n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber = toint(EventData.SourcePort),\n DstPortNumber = toint(EventData.DestPort),\n SrcProcessId = iff(isOutBound, 
tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away EventData\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.3\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Windows Firewall\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n // -- Aliases\n | extend \n Dvc = DvcHostname,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring(NetworkRuleNumber),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID,_ResourceId,_SubscriptionId\n };\n parser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n 
eventresult=eventresult, \n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Microsoft Windows Firewall", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionMicrosoftWindowsEventFirewall", + "query": "// Data tables for mapping raw values into string\nlet LayerCodeTable = datatable (LayerCode:string,LayerName:string)[\n '%%14596', 'IP Packet',\n '%%14597', 'Transport',\n '%%14598', 'Forward',\n '%%14599', 'Stream',\n '%%14600', 'Datagram Data',\n '%%14601', 'ICMP Error',\n '%%14602', 'MAC 802.3',\n '%%14603', 'MAC Native',\n '%%14604', 'vSwitch',\n '%%14608', 'Resource Assignment',\n '%%14609', 'Listen',\n '%%14610', 'Receive/Accept',\n '%%14611', 'Connect',\n '%%14612', 'Flow Established',\n '%%14614', 'Resource Release',\n '%%14615', 'Endpoint Closure',\n '%%14616', 'Connect Redirect',\n '%%14617', 'Bind Redirect',\n '%%14624', 'Stream Packet'];\nlet ProtocolTable = datatable (Protocol:int, NetworkProtocol: string)[\n 1, 'ICMP',\n 3, 'GGP',\n 6, 'TCP',\n 8, 'EGP',\n 12, 'PUP',\n 17, 'UDP',\n 20, 'HMP',\n 27, 'RDP',\n 46, 'RSVP',\n 47, 'PPTP data over GRE',\n 50, 'ESP',\n 51, 'AH',\n 66, 'RVD',\n 88, 'IGMP',\n 89, 'OSPF'];\nlet Directions = datatable (DirectionCode:string,NetworkDirection:string, isOutBound:bool)[\n '%%14592', 'Inbound', false,\n '%%14593', 'Outbound', true,\n '%%14594', 'Forward',false,\n '%%14595', 'Bidirectional', false,\n '%%14609', 'Listen', false];\n//////////////////////////////////////////////////////\n// this query extract the data from WindowsEvent 
table\n//////////////////////////////////////////////////////\nlet parser = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n, srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null)\n, hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]),eventresult:string='*', disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let ip_any =set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n WindowsEvent \n | project EventID, EventData, Computer, TimeGenerated, _ResourceId, _SubscriptionId, Type\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime) \n |where not(disabled)\n | where EventID between (5150 .. 5159)\n | extend EventResult = iff(EventID in (5154, 5156, 5158), \"Success\", \"Failure\")\n // *************** Prefilterring *******************\n | where (isnull(dstportnumber) or EventData has tostring(dstportnumber)) \n and (array_length(ip_any)==0 \n or has_any_ipv4_prefix(EventData,ip_any)) \n and (array_length(hostname_has_any)==0 ) \n and (array_length(dvcaction)==0 ) \n and (eventresult=='*' or EventResult==eventresult)\n // *************** Prefilterring *****************************************************************\n | extend SrcIpAddr = tostring(EventData.SourceAddress)\n , DstIpAddr = tostring(EventData.DestAddress)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , 
temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend \n EventSeverity=tostring(EventData.Severity),\n LayerCode = tostring(EventData.LayerName),\n NetworkRuleNumber = toint(EventData.FilterRTID),\n Protocol = toint(EventData.Protocol),\n DirectionCode = iff(EventID in (5154, 5155, 5158, 5159), \"%%14609\",tostring(EventData.Direction))\n | lookup Directions on DirectionCode \n | project-rename DvcHostname = Computer\n | extend SrcAppName = iff(isOutBound, tostring(EventData.Application), \"\"),\n DstAppName = iff(not(isOutBound), tostring(EventData.Application), \"\"),\n SrcDvcId = iff(isOutBound, tostring(EventData.RemoteMachineID), \"\"),\n DstDvcId = iff(not(isOutBound), tostring(EventData.RemoteMachineID), \"\"),\n SrcPortNumber = toint(EventData.SourcePort),\n DstPortNumber = toint(EventData.DestPort),\n SrcProcessId = iff(isOutBound, tostring(EventData.ProcessId), \"\"),\n DstProcessId = iff(not(isOutBound), tostring(EventData.ProcessId), \"\"),\n DstUserId = iff(isOutBound, tostring(EventData.RemoteUserID), \"\"),\n SrcUserId = iff(not(isOutBound), tostring(EventData.RemoteUserID), \"\"),\n DstHostname = iff(isOutBound, \"\", DvcHostname),\n SrcHostname = iff(isOutBound, DvcHostname, \"\")\n | project-away EventData\n | where (isnull(dstportnumber) or DstPortNumber == dstportnumber )\n | extend \n DvcAction = iff(EventID in (5154, 5156, 5158), \"Allow\", \"Deny\"),\n DvcOs = 'Windows',\n DstAppType = \"Process\",\n SrcUserIdType = iff (SrcUserId <> \"S-1-0-0\", \"SID\", \"\"),\n SrcUserId = iff (SrcUserId <> \"S-1-0-0\", SrcUserId, \"\"),\n DstUserIdType = iff (DstUserId <> \"S-1-0-0\", \"SID\", \"\"),\n DstUserId = iff (DstUserId <> \"S-1-0-0\", DstUserId, \"\"),\n SrcAppType = \"Process\",\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion=\"0.2.3\",\n EventCount=toint(1),\n EventVendor = \"Microsoft\",\n 
EventProduct = \"Windows Firewall\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventID in (5154, 5156, 5158), \"Informational\", \"Low\")\n // -- Aliases\n | extend \n Dvc = DvcHostname,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = tostring(NetworkRuleNumber),\n DstDvcIdType = iff (DstDvcId != \"\", \"SID\", \"\"),\n SrcDvcIdType = iff (SrcDvcId != \"\", \"SID\", \"\")\n | lookup LayerCodeTable on LayerCode\n | lookup ProtocolTable on Protocol\n | project-away LayerCode, DirectionCode, Protocol, isOutBound, LayerName, EventID,_ResourceId,_SubscriptionId\n };\n parser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber,\n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult, \n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json index 8eff404a343..76cc5af26db 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json 
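Review bot: The pre-filter in the new query string, `and (array_length(dvcaction)==0 )`, makes any non-empty `dvcaction` parameter return zero rows, even though the parser later derives `DvcAction = iff(EventID in (5154, 5156, 5158), "Allow", "Deny")` and so could honour the filter; a caller passing a `dvcaction` value silently gets no data instead of the matching connections. Deriving `DvcAction` next to `EventResult` before the pre-filter and replacing the conjunct with `and (array_length(dvcaction)==0 or DvcAction in (dvcaction))` would make the parameter behave like `eventresult` does two lines below. As this JSON appears generated from the parser YAML, the change belongs in the YAML source.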
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Microsoft Sentinel native Network Session table", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionNative", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n ASimNetworkSessionLogs \n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and not(disabled)\n and (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n and (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult == \"*\" or eventresult==EventResult)\n | extend temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, 
\"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n |extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 ,\"\",\n SrcHostname has_any(hostname_has_any), \"SrcHostname\",\n DstHostname has_any(hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"NetworkSession\",\n DvcScopeId = iff(isempty(DvcSubscriptionId), _SubscriptionId, DvcSubscriptionId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = case(EventType == 'L2NetworkSession',\n coalesce (DvcFQDN, DvcHostname, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n DvcInterface = iff(isempty(DvcInterface), coalesce(DvcInboundInterface, DvcOutboundInterface), DvcInterface),\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n Rule = coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = DstUsername,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId\n | project-away\n TenantId, SourceSystem, DvcSubscriptionId, _SubscriptionId, _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n 
ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Microsoft Sentinel native Network Session table", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionNative", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n ASimNetworkSessionLogs \n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n and not(disabled)\n and (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n and (array_length(dvcaction) == 0 or DvcAction in (dvcaction))\n and (eventresult == \"*\" or eventresult==EventResult)\n | extend temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, 
\"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n |extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 ,\"\",\n SrcHostname has_any(hostname_has_any), \"SrcHostname\",\n DstHostname has_any(hostname_has_any), \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"NetworkSession\",\n DvcScopeId = iff(isempty(DvcSubscriptionId), _SubscriptionId, DvcSubscriptionId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = case(EventType == 'L2NetworkSession',\n coalesce (DvcFQDN, DvcHostname, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n DvcInterface = iff(isempty(DvcInterface), coalesce(DvcInboundInterface, DvcOutboundInterface), DvcInterface),\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n Rule = coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = DstUsername,\n InnerVlanId = SrcVlanId,\n OuterVlanId = DstVlanId\n | project-away\n TenantId, SourceSystem, DvcSubscriptionId, _SubscriptionId, _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n 
dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json index 5522d220ca4..41068b9fe31 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json 
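Review bot: In the aliases block of the embedded query, `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests EventEndTime rather than EventStartTime, so a record whose EventStartTime is null but whose EventEndTime is populated keeps the null start time, while a record with a null end time has a valid start time overwritten with TimeGenerated. The intended form is presumably `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime)`, mirroring the EventEndTime line directly above it. The defect is carried over unchanged from the removed side, and since this ARM template appears to be generated from the parser's YAML source, the correction belongs there with the template regenerated rather than hand-edited here.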
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionPaloAltoCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionPaloAltoCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Palo Alto PanOS", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionPaloAltoCEF", - "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet NWParser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n| where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == 
\"TRAFFIC\"\n| where (isnull(dstportnumber) or DestinationPort==dstportnumber)\n and (array_length(hostname_has_any)==0)\n // dvcaction - post filterring\n and (eventresult==\"*\" or (DeviceAction==\"allow\" and eventresult==\"Success\") or (eventresult==\"Failure\" and DeviceAction!=\"allow\"))\n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , EventOriginalSeverity=LogSeverity\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\n EventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\"\n , DstBytes=tolong(ReceivedBytes) \n , SrcBytes=tolong(SentBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername 
contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.3\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n | extend hostelements=split(Dvc,'.')\n | extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n | extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n// Action post filtering\n| where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Rule=NetworkRuleName,\n Dst=DstIpAddr,\n // Host=DstHostname,\n User=DstUsername,\n Duration=NetworkDuration,\n SessionId=NetworkSessionId,\n 
EventEndTime =EventStartTime,\n Src=SrcIpAddr\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Palo Alto PanOS", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionPaloAltoCEF", + "query": "let Actions=datatable(DeviceAction:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\"\n, \"allow\",\"Allow\"\n, \"deny\",\"Deny\"\n, \"drop\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"\n, \"reset-client\",\"Reset Source\"\n, \"reset-server\",\"Reset Destination\"\n, \"reset-both\", \"Reset\"\n, \"drop-icmp\", \"Drop ICMP\"];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet NWParser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), 
ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n| where not(disabled)\n| where DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"PAN-OS\" and Activity == \"TRAFFIC\"\n| where (isnull(dstportnumber) or DestinationPort==dstportnumber)\n and (array_length(hostname_has_any)==0)\n // dvcaction - post filterring\n and (eventresult==\"*\" or (DeviceAction==\"allow\" and eventresult==\"Success\") or (eventresult==\"Failure\" and DeviceAction!=\"allow\"))\n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n| parse AdditionalExtensions with \"PanOSPacketsReceived=\" DstPackets:long * \"PanOSPacketsSent=\" SrcPackets:long *\n // -- Adjustment to support both old and new CSL fields.\n| extend \n EventStartTime = coalesce(\n todatetime(StartTime), \n extract(@'start=(.*?)(?:;|$)',1, AdditionalExtensions,typeof(datetime)),\n datetime(null)\n ),\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string)),\n \"\"\n )\n| project-rename \n EventProductVersion=DeviceVersion // Not Documented\n , Dvc=DeviceName \n , NetworkApplicationProtocol=ApplicationProtocol\n , SrcZone=DeviceCustomString4 \n , DstZone=DeviceCustomString5\n , NetworkRuleName=DeviceCustomString1\n , SrcUsername=SourceUserName \n , DstUsername=DestinationUserName \n , 
EventOriginalSeverity=LogSeverity\n , SrcNatIpAddr=SourceTranslatedAddress\n , DstNatIpAddr=DestinationTranslatedAddress\n , PaloAltoFlags=FlexString1 // Flags\n| extend\n EventVendor=\"Palo Alto\"\n ,EventProduct=\"PanOS\"\n , DstBytes=tolong(ReceivedBytes) \n , SrcBytes=tolong(SentBytes) \n , NetworkProtocol=toupper(Protocol)\n , NetworkBytes=tolong(FlexNumber1)\n , SrcUsernameType=case(isempty(SrcUsername), \"\", SrcUsername contains \"@\", \"UPN\", \"Simple\")\n , DstUsernameType=case(isempty(DstUsername), \"\", DstUsername contains \"@\", \"UPN\", \"Simple\")\n , EventType=\"NetworkSession\"\n , EventCount=toint(1)\n , EventResult=case(DeviceAction==\"allow\",\"Success\",\"Failure\")\n // -- Adjustment to support both old and new CSL fields.\n , NetworkPackets = coalesce(\n tolong(column_ifexists(\"FieldDeviceCustomNumber2\", long(null))),\n tolong(column_ifexists(\"DeviceCustomNumber2\",long(null)))\n )\n , NetworkSessionId = coalesce(\n tostring(column_ifexists(\"FieldDeviceCustomNumber1\", long(null))),\n tostring(column_ifexists(\"DeviceCustomNumber1\",long(null)))\n )\n , NetworkDuration= coalesce(\n toint(1000*column_ifexists(\"FieldDeviceCustomNumber3\", 0)),\n toint(1000*column_ifexists(\"DeviceCustomNumber3\",0)),\n int(null)\n )\n , EventSchemaVersion=\"0.2.3\"\n , EventSchema=\"NetworkSession\"\n , EventSeverity = \"Informational\"\n | extend hostelements=split(Dvc,'.')\n | extend DvcHostname=tostring(hostelements[0])\n , DvcDomain=strcat_array( array_slice(hostelements,1,-1), '.')\n | extend DvcFQDN = iff(Dvc contains \".\",Dvc,\"\" )\n , DvcDomainType=iff(Dvc contains \".\",\"FQDN\",\"\" )\n| project-away hostelements\n| lookup Actions on DeviceAction\n// Action post filtering\n| where (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n| project-rename\n DstMacAddr=DestinationMACAddress\n , SrcMacAddr=SourceMACAddress\n , DstIpAddr=DestinationIP\n , DstPortNumber=DestinationPort\n , DstNatPortNumber=DestinationTranslatedPort\n , 
SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcNatPortNumber=SourceTranslatedPort\n , DvcOutboundInterface=DeviceOutboundInterface\n , DvcInboundInterface=DeviceInboundInterface\n , EventMessage=Message\n , DvcOriginalAction=DeviceAction\n// -- Aliases\n| extend\n IpAddr = SrcIpAddr,\n Rule=NetworkRuleName,\n Dst=DstIpAddr,\n // Host=DstHostname,\n User=DstUsername,\n Duration=NetworkDuration,\n SessionId=NetworkSessionId,\n EventEndTime =EventStartTime,\n Src=SrcIpAddr\n | project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, Activity, Computer, OriginalLogSeverity, PaloAltoFlags, Protocol\n};\nNWParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json index acaf82d60ea..b9b4284ad1d 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json 
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDvcActionLookup = datatable (\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"reset client\", \"Reset Source\", \"Failure\",\n \"reset server\", \"Reset Destination\", \"Failure\",\n \"reset both\", \"Reset\", \"Failure\",\n \"drop\", \"Drop\", \"Failure\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\",\n \"reset-both\", \"Reset\", \"Failure\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\n \"threat\", \"Reset\",\n \"policy-deny\", \"Unknown\",\n \"decrypt-cert-validation\", \"Terminated\",\n \"decrypt-unsupport-param\", \"Terminated\",\n \"decrypt-error\", \"Terminated\",\n \"tcp-rst-from-client\", \"Reset\",\n \"tcp-rst-from-server\", \"Reset\",\n \"resources-unavailable\", 
\"Unknown\",\n \"tcp-fin\", \"Unknown\",\n \"tcp-reuse\", \"Unknown\",\n \"decoder\", \"Unknown\",\n \"aged-out\", \"Unknown\",\n \"unknown\", \"Unknown\",\n \"n/a\", \"NA\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n[\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser=(\n disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"TRAFFIC\"\n and (array_length(hostname_has_any) == 0 or AdditionalExtensions has_any (hostname_has_any))\n and (isnull(dstportnumber) or toint(DestinationPort) == dstportnumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address2, SourceIP), src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address3, DestinationIP), dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: 
string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, PanOSSourceDeviceMac: string, PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend \n temp_is_MatchSrcHostname = PanOSSourceDeviceHost has_any (hostname_has_any),\n temp_is_MatchDstHostname = PanOSDestinationDeviceHost has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname,\n \"Both\",\n temp_is_MatchSrcHostname,\n \"SrcHostname\",\n temp_is_MatchDstHostname,\n \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventResultDvcActionLookup on DeviceAction\n // post-filtering\n | where (eventresult == 
\"*\" or eventresult == EventResult)\n and (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventResultDetailsLookup on Reason\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(PanOSSessionStartTime),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n NetworkDuration = toint(FieldDeviceCustomNumber3),\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"urlcategory\",\n DeviceCustomString2,\n \"virtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSChunksReceived\",\n PanOSChunksReceived,\n \"PanOSChunksSent\",\n PanOSChunksSent,\n \"PanOSChunksTotal\",\n PanOSChunksTotal,\n \"PanOSApplicationContainer\",\n PanOSApplicationContainer,\n \"PanOSDestinationDeviceCategory\",\n PanOSDestinationDeviceCategory,\n \"PanOSIsClienttoServer\",\n PanOSIsClienttoServer,\n \"PanOSLinkChangeCount\",\n PanOSLinkChangeCount,\n \"PanOSLinkSwitches\",\n PanOSLinkSwitches,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSNSSAINetworkSliceDifferentiator\",\n PanOSNSSAINetworkSliceDifferentiator,\n \"PanOSNSSAINetworkSliceType\",\n PanOSNSSAINetworkSliceType,\n \"PanOSOutboundInterfaceDetailsPort\",\n PanOSOutboundInterfaceDetailsPort,\n \"PanOSOutboundInterfaceDetailsSlot\",\n PanOSOutboundInterfaceDetailsSlot,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsUnit\",\n PanOSOutboundInterfaceDetailsUnit,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOsRuleUUID\",\n PanOsRuleUUID,\n 
\"PanOSSourceDeviceOS\",\n PanOSSourceDeviceOS,\n \"PanOSSourceDeviceOSFamily\",\n PanOSSourceDeviceOSFamily,\n \"PanOSSourceDeviceOSVersion\",\n PanOSSourceDeviceOSVersion,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSVirtualSystemID\",\n PanOSVirtualSystemID,\n \"PanOSVirtualSystemName\",\n PanOSVirtualSystemName\n ),\n TcpFlagsFin = iff(Reason== \"tcp-fin\", true, false),\n TcpFlagsRst = iff(Reason in(\"tcp-rst-from-client\", \"tcp-rst-from-server\"), true, false)\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPackets = PanOSPacketsReceived,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n DstZone = DeviceCustomString5,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n NetworkPackets = FieldDeviceCustomNumber2,\n NetworkRuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcGeoCountry = PanOSSourceLocation,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPackets = PanOSPacketsSent,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n EventOriginalSubType = Activity,\n EventOriginalResultDetails = Reason,\n SrcUserId = SourceUserID,\n DstUserId = DestinationUserID,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = 
EventStartTime,\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\n Src = coalesce(SrcDvcId, SrcHostname, SrcIpAddr),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n NetworkProtocol = toupper(Protocol),\n NetworkBytes = SrcBytes + DstBytes,\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = NetworkRuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n User = DstUsername,\n Hostname = DstHostname,\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\", \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\", \"Other\",\n \"\")\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n PanOs*,\n Protocol,\n SimplifiedDeviceAction,\n temp*,\n ExternalID,\n Message,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n 
StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventResultDvcActionLookup = datatable (\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"allow\", \"Allow\", \"Success\",\n \"deny\", \"Deny\", \"Failure\",\n \"reset client\", \"Reset Source\", \"Failure\",\n \"reset server\", \"Reset Destination\", \"Failure\",\n \"reset both\", \"Reset\", \"Failure\",\n \"drop\", \"Drop\", \"Failure\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\",\n \"reset-both\", \"Reset\", \"Failure\"\n];\nlet EventResultDetailsLookup = datatable(Reason: string, EventResultDetails: string)[\n \"threat\", \"Reset\",\n \"policy-deny\", 
\"Unknown\",\n \"decrypt-cert-validation\", \"Terminated\",\n \"decrypt-unsupport-param\", \"Terminated\",\n \"decrypt-error\", \"Terminated\",\n \"tcp-rst-from-client\", \"Reset\",\n \"tcp-rst-from-server\", \"Reset\",\n \"resources-unavailable\", \"Unknown\",\n \"tcp-fin\", \"Unknown\",\n \"tcp-reuse\", \"Unknown\",\n \"decoder\", \"Unknown\",\n \"aged-out\", \"Unknown\",\n \"unknown\", \"Unknown\",\n \"n/a\", \"NA\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n[\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser=(\n disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"TRAFFIC\"\n and (array_length(hostname_has_any) == 0 or AdditionalExtensions has_any (hostname_has_any))\n and (isnull(dstportnumber) or toint(DestinationPort) == dstportnumber)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address2, SourceIP), src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address3, DestinationIP), dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n 
temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv AdditionalExtensions as (PanOSSessionStartTime: string, PanOSDestinationDeviceHost: string, PanOSSourceDeviceHost: string, PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSSourceUUID: string, PanOSDestinationDeviceMac: string, PanOsBytes: long, PanOSIsClienttoServer: string, PanOSSourceLocation: string, PanOSSourceDeviceMac: string, PanOSPacketsReceived: long, PanOSPacketsSent: long, PanOSRuleUUID: int, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSChunksReceived: string, PanOSChunksSent: string, PanOSChunksTotal: string, PanOSApplicationContainer: string, PanOSDestinationDeviceCategory: string, PanOSLinkChangeCount: string, PanOSLinkSwitches: string, PanOSLogSource: string, PanOSNSSAINetworkSliceDifferentiator: string, PanOSNSSAINetworkSliceType: string, PanOSOutboundInterfaceDetailsPort: string, PanOSOutboundInterfaceDetailsSlot: string, PanOSOutboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsUnit: string, PanOSParentSessionID: string, PanOsRuleUUID: string, PanOSSourceDeviceOS: string, PanOSSourceDeviceOSFamily: string, PanOSSourceDeviceOSVersion: string, PanOSSourceDeviceCategory: string, PanOSVirtualSystemID: string, PanOSVirtualSystemName: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string, PanOSIsSaaSApplication: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend \n temp_is_MatchSrcHostname = PanOSSourceDeviceHost has_any (hostname_has_any),\n temp_is_MatchDstHostname = PanOSDestinationDeviceHost has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n temp_is_MatchSrcHostname and temp_is_MatchDstHostname,\n \"Both\",\n temp_is_MatchSrcHostname,\n \"SrcHostname\",\n temp_is_MatchDstHostname,\n \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | invoke 
_ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventResultDvcActionLookup on DeviceAction\n // post-filtering\n | where (eventresult == \"*\" or eventresult == EventResult)\n and (array_length(dvcaction)==0 or DvcAction has_any (dvcaction))\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventResultDetailsLookup on Reason\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(PanOSSessionStartTime),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n NetworkDuration = toint(FieldDeviceCustomNumber3),\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"urlcategory\",\n DeviceCustomString2,\n \"virtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSChunksReceived\",\n PanOSChunksReceived,\n \"PanOSChunksSent\",\n PanOSChunksSent,\n \"PanOSChunksTotal\",\n PanOSChunksTotal,\n \"PanOSApplicationContainer\",\n PanOSApplicationContainer,\n \"PanOSDestinationDeviceCategory\",\n PanOSDestinationDeviceCategory,\n \"PanOSIsClienttoServer\",\n PanOSIsClienttoServer,\n \"PanOSLinkChangeCount\",\n PanOSLinkChangeCount,\n \"PanOSLinkSwitches\",\n PanOSLinkSwitches,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSNSSAINetworkSliceDifferentiator\",\n PanOSNSSAINetworkSliceDifferentiator,\n \"PanOSNSSAINetworkSliceType\",\n PanOSNSSAINetworkSliceType,\n \"PanOSOutboundInterfaceDetailsPort\",\n PanOSOutboundInterfaceDetailsPort,\n \"PanOSOutboundInterfaceDetailsSlot\",\n PanOSOutboundInterfaceDetailsSlot,\n 
\"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsUnit\",\n PanOSOutboundInterfaceDetailsUnit,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOsRuleUUID\",\n PanOsRuleUUID,\n \"PanOSSourceDeviceOS\",\n PanOSSourceDeviceOS,\n \"PanOSSourceDeviceOSFamily\",\n PanOSSourceDeviceOSFamily,\n \"PanOSSourceDeviceOSVersion\",\n PanOSSourceDeviceOSVersion,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSVirtualSystemID\",\n PanOSVirtualSystemID,\n \"PanOSVirtualSystemName\",\n PanOSVirtualSystemName\n ),\n TcpFlagsFin = iff(Reason== \"tcp-fin\", true, false),\n TcpFlagsRst = iff(Reason in(\"tcp-rst-from-client\", \"tcp-rst-from-server\"), true, false)\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPackets = PanOSPacketsReceived,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n DstZone = DeviceCustomString5,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n NetworkPackets = FieldDeviceCustomNumber2,\n NetworkRuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcGeoCountry = PanOSSourceLocation,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPackets = PanOSPacketsSent,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n EventOriginalSubType = Activity,\n EventOriginalResultDetails = Reason,\n SrcUserId = SourceUserID,\n DstUserId = DestinationUserID,\n DvcInboundInterface = 
DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstDvcId, DstHostname, DstIpAddr),\n Src = coalesce(SrcDvcId, SrcHostname, SrcIpAddr),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n NetworkProtocol = toupper(Protocol),\n NetworkBytes = SrcBytes + DstBytes,\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = NetworkRuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n User = DstUsername,\n Hostname = DstHostname,\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\", \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\", \"Other\",\n \"\")\n | extend\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"NetworkSession\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n 
PanOS*,\n PanOs*,\n Protocol,\n SimplifiedDeviceAction,\n temp*,\n ExternalID,\n Message,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json index 65d81498eb4..3191da3f9c0 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionSentinelOne", - "query": "let NetworkDirectionLookup = datatable (\n alertInfo_netEventDirection_s: string, \n NetworkDirection: string\n)[\n \"OUTGOING\", \"Outbound\",\n \"INCOMING\", \"Inbound\",\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser=(\n disabled: bool=false, \n starttime: 
datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let alldata = SentinelOne_CL\n | where not(disabled) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"TCPV4\"\n and (eventresult == \"*\" or eventresult == \"Success\")\n and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber)\n and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any))\n and (array_length(dvcaction) == 0 or dvcaction has_any (\"Allow\"))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n ),\n ASimMatchingHostname = \"SrcHostname\"\n | where ASimMatchingIpAddr != \"No match\";\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on 
alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend \n DstPortNumber = toint(alertInfo_dstPort_s),\n SrcPortNumber = toint(alertInfo_srcPort_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DstIpAddr = alertInfo_dstIp_s,\n EventUid = _ItemId,\n SrcIpAddr = alertInfo_srcIp_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n DvcIpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n SrcHostname = DvcHostname,\n SrcDvcId = DvcId,\n IpAddr = SrcIpAddr,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\n Hostname = SrcHostname\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allow\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventResultDetails = \"NA\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"SentinelOne\",\n NetworkProtocol = \"TCP\",\n NetworkProtocolVersion = \"IPv4\"\n | 
project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n temp*,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionSentinelOne", + "query": "let NetworkDirectionLookup = datatable (\n alertInfo_netEventDirection_s: string, \n NetworkDirection: string\n)[\n \"OUTGOING\", \"Outbound\",\n \"INCOMING\", \"Inbound\",\n];\nlet DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n)\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 
\n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser=(\n disabled: bool=false, \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventresult: string='*', \n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n dstipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n hostname_has_any: dynamic=dynamic([]),\n dstportnumber: int=int(null),\n dvcaction: dynamic=dynamic([])\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let alldata = SentinelOne_CL\n | where not(disabled) \n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"TCPV4\"\n and (eventresult == \"*\" or eventresult == \"Success\")\n and (isnull(dstportnumber) or toint(alertInfo_dstPort_s) == dstportnumber)\n and (array_length(hostname_has_any) == 0 or agentDetectionInfo_name_s has_any (hostname_has_any))\n and (array_length(dvcaction) == 0 or dvcaction has_any (\"Allow\"))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(alertInfo_srcIp_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(alertInfo_dstIp_s, dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n ),\n ASimMatchingHostname = \"SrcHostname\"\n | where ASimMatchingIpAddr != \"No match\";\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let 
suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | lookup NetworkDirectionLookup on alertInfo_netEventDirection_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend \n DstPortNumber = toint(alertInfo_dstPort_s),\n SrcPortNumber = toint(alertInfo_srcPort_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n DstIpAddr = alertInfo_dstIp_s,\n EventUid = _ItemId,\n SrcIpAddr = alertInfo_srcIp_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n SrcProcessName = sourceProcessInfo_name_s,\n SrcProcessId = sourceProcessInfo_pid_s,\n SrcUsername = sourceProcessInfo_user_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n DvcIpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n SrcHostname = DvcHostname,\n SrcDvcId = DvcId,\n IpAddr = SrcIpAddr,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n SrcDvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | extend\n Dvc = coalesce(DvcId, DvcHostname, DvcIpAddr),\n Hostname = SrcHostname\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = 
\"Success\",\n DvcAction = \"Allow\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventResultDetails = \"NA\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"SentinelOne\",\n NetworkProtocol = \"TCP\",\n NetworkProtocolVersion = \"IPv4\"\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n temp*,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n disabled=disabled,\n starttime=starttime, \n endtime=endtime,\n eventresult=eventresult,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n hostname_has_any=hostname_has_any,\n dstportnumber=dstportnumber,\n dvcaction=dvcaction\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json index b1c8c83c648..b45506ed48b 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionSonicWallFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionSonicWallFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for SonicWall firewalls", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionSonicWallFirewall", - "query": "let Actions=datatable(fw_action:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\" \n, \"allow\",\"Allow\"\n, \"\\\"forward\\\"\",\"Allow\"\n, \"\\\"mgmt\\\"\",\"Other\"\n, \"\\\"NA\\\"\",\"Other\"\n, \"deny\",\"Deny\"\n, \"\\\"drop\\\"\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\nCommonSecurityLog\n| where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"SonicWall\"\n| where DeviceEventClassID !in (14, 97, 1382, 440, 441, 442, 646, 647, 734, 735)\n| where 
( isnotempty(SourceIP) and isnotempty(DestinationIP) )\n| where (isnull(dstportnumber) or DestinationPort == dstportnumber) and (array_length(hostname_has_any) == 0)\n| parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n| extend\n SourceIP = coalesce(SourceIP, srcV6)\n , DestinationIP = coalesce(DestinationIP, dstV6)\n| where gcat in (3, 5, 6, 10) // Include only these event categories.\n| extend\n temp_SrcMatch=has_any_ipv4_prefix(SourceIP, src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP, dst_or_any)\n// Filter by source/dest. 
https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 , \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n| where ASimMatchingIpAddr != \"No match\" \n| project-away temp_*\n| extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\",\n DestinationHostName has_any (hostname_has_any), \"DestinationHostname\",\n \"No match\"\n )\n| extend fw_action = column_ifexists(\"fw_action\", \"\") // Firewall Action, such as drop, forward, mgmt, NA\n| lookup Actions on fw_action\n | where (array_length(dvcaction) == 0 or DvcAction has_any(dvcaction))\n// Sets the mandatory EventResult based on the DvcAction.\n| extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n| where (eventresult == \"*\" or eventresult == \"\" or (eventresult has_any(\"Success\", \"Failure\", \"NA\") and EventResult has eventresult))\n| extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n| extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n| extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" 
and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n| project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstIpAddr = DestinationIP\n , SrcIpAddr = SourceIP\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , sosSerialNumber = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Category ID and Name\n , NetworkRuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , sosSourceZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , sosDestinationZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , NetworkIcmpType = FieldDeviceCustomNumber1 // ICMP Type\n , NetworkIcmpCode = FieldDeviceCustomNumber2 // ICMP Code\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend sosLegacyMessageCategory = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , Dvc = sosSerialNumber\n , DvcDescription = DeviceProduct\n , NetworkIcmpType = tostring(NetworkIcmpType)\n , NetworkIcmpCode = toint(NetworkIcmpCode)\n , Rule = NetworkRuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = 
extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , SrcZone = sosSourceZone\n , DstZone = sosDestinationZone\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventStartTime = coalesce(todatetime(StartTime), TimeGenerated)\n , EventEndTime = coalesce(todatetime(EndTime), TimeGenerated)\n , EventType = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventSchema = \"NetworkSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"NA\"\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , 
SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , 
NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LegacyMessageCategory\", sosLegacyMessageCategory\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , 
ipspri\n , spypri\n , sos*\n , RequestURL\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for SonicWall firewalls", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionSonicWallFirewall", + "query": "let Actions=datatable(fw_action:string,DvcAction:string)\n[ \"reset client\",\"Reset Source\"\n, \"reset server\",\"Reset Destination\"\n, \"reset both\", \"Reset\" \n, \"allow\",\"Allow\"\n, \"\\\"forward\\\"\",\"Allow\"\n, \"\\\"mgmt\\\"\",\"Other\"\n, \"\\\"NA\\\"\",\"Other\"\n, \"deny\",\"Deny\"\n, \"\\\"drop\\\"\", \"Drop\"\n, \"drop ICMP\", \"Drop ICMP\"];\nlet src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet 
dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nlet Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\nCommonSecurityLog\n| where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"SonicWall\"\n| where DeviceEventClassID !in (14, 97, 1382, 440, 441, 442, 646, 647, 734, 735)\n| where ( isnotempty(SourceIP) and isnotempty(DestinationIP) )\n| where (isnull(dstportnumber) or DestinationPort == dstportnumber) and (array_length(hostname_has_any) == 0)\n| parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n| extend\n SourceIP = coalesce(SourceIP, srcV6)\n , DestinationIP = coalesce(DestinationIP, dstV6)\n| where gcat in (3, 5, 6, 10) // Include only these event categories.\n| extend\n temp_SrcMatch=has_any_ipv4_prefix(SourceIP, src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DestinationIP, dst_or_any)\n// Filter by source/dest. 
https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 , \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n| where ASimMatchingIpAddr != \"No match\" \n| project-away temp_*\n| extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\",\n DestinationHostName has_any (hostname_has_any), \"DestinationHostname\",\n \"No match\"\n )\n| extend fw_action = column_ifexists(\"fw_action\", \"\") // Firewall Action, such as drop, forward, mgmt, NA\n| lookup Actions on fw_action\n | where (array_length(dvcaction) == 0 or DvcAction has_any(dvcaction))\n// Sets the mandatory EventResult based on the DvcAction.\n| extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n| where (eventresult == \"*\" or eventresult == \"\" or (eventresult has_any(\"Success\", \"Failure\", \"NA\") and EventResult has eventresult))\n| extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n| extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n| extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" 
and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n| project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstIpAddr = DestinationIP\n , SrcIpAddr = SourceIP\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , sosSerialNumber = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Category ID and Name\n , NetworkRuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , sosSourceZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , sosDestinationZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , NetworkIcmpType = FieldDeviceCustomNumber1 // ICMP Type\n , NetworkIcmpCode = FieldDeviceCustomNumber2 // ICMP Code\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend sosLegacyMessageCategory = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , Dvc = sosSerialNumber\n , DvcDescription = DeviceProduct\n , NetworkIcmpType = tostring(NetworkIcmpType)\n , NetworkIcmpCode = toint(NetworkIcmpCode)\n , Rule = NetworkRuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = 
extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , SrcZone = sosSourceZone\n , DstZone = sosDestinationZone\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventStartTime = coalesce(todatetime(StartTime), TimeGenerated)\n , EventEndTime = coalesce(todatetime(EndTime), TimeGenerated)\n , EventType = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventSchema = \"NetworkSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"NA\"\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , 
SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , 
NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LegacyMessageCategory\", sosLegacyMessageCategory\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , 
ipspri\n , spypri\n , sos*\n , RequestURL\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nParser(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json index dad47deb4b4..044f4869f8e 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionVMConnection')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionVMConnection", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for VM connection information collected using the Log Analytics agent", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionVMConnection", - "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet VMConnectionProjected = VMConnection | project-away AdditionalInformation, AgentId, TenantId, TLPLevel, SourceSystem, IsActive, *ReportedDateTime, LinksFailed, LinksLive, LinksTerminated, Description, Responses, ResponseTimeMin, ResponseTimeMax, RemoteClassification, RemoteDnsQuestions;\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let outbound = \n VMConnectionProjected\n | where (isnull(starttime) or TimeGenerated >= 
starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not (disabled)\n | where array_length(hostname_has_any)==0 \n or (Computer has_any (hostname_has_any)) or ( RemoteDnsCanonicalNames has_any (hostname_has_any))\n | where Direction == \"outbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // -- End pre-filtering\n | invoke _ASIM_ResolveSrcFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveDstFQDN(\"FQDN\")\n | project-away RemoteDnsCanonicalNames, Computer\n // -- post-filtering\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcAppType = \"Process\",\n SrcDvcIdType = \"VMConnectionId\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n 
DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"DstIpAddr\", \"\")\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n ;\n let inbound =\n VMConnectionProjected\n | where (starttime == datetime(null) or TimeGenerated >= starttime)\n and (endtime == datetime(null) or TimeGenerated <= endtime)\n | where not (disabled)\n | where Direction == \"inbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (dstportnumber==int(null) or DestinationPort == dstportnumber)\n and (array_length(hostname_has_any)==0 \n or Computer has_any (hostname_has_any) or RemoteDnsCanonicalNames has_any (hostname_has_any)\n )\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // -- End pre-filtering\n | invoke _ASIM_ResolveDstFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveSrcFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n // -- post-filtering\n | extend temp_isMatchSrcHostname= SrcHostname 
has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"SrcIpAddr\", \"\")\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = DstDomainType,\n LocalIpAddr = DestinationIp\n ;\n union outbound, inbound\n // Event fields\n | extend \n EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.3\",\n EventType = \"EndpointNetworkSession\",\n DvcIdType = \"VMConnectionId\",\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp,\n EventReportUrl = ReportReferenceLink,\n ThreatIpAddr = MaliciousIp\n 
// -- Calculated fields\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeSum/LinksEstablished),\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n | project-away BytesSent, BytesReceived, Confidence, ResponseTimeSum, Protocol, Direction, Severity, LinksEstablished\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for VM connection information collected using the Log Analytics agent", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionVMConnection", + "query": "let SeverityLookup = datatable (EventOriginalSeverity: string, EventSeverity:string) [\n '', 'Informational', \n '0', 'Informational',\n '1', 'Low',\n '2', 'Medium',\n '3', 'High'\n];\nlet VMConnectionProjected = 
VMConnection | project-away AdditionalInformation, AgentId, TenantId, TLPLevel, SourceSystem, IsActive, *ReportedDateTime, LinksFailed, LinksLive, LinksTerminated, Description, Responses, ResponseTimeMin, ResponseTimeMax, RemoteClassification, RemoteDnsQuestions;\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let outbound = \n VMConnectionProjected\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where not (disabled)\n | where array_length(hostname_has_any)==0 \n or (Computer has_any (hostname_has_any)) or ( RemoteDnsCanonicalNames has_any (hostname_has_any))\n | where Direction == \"outbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup SeverityLookup on EventOriginalSeverity\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // -- End 
pre-filtering\n | invoke _ASIM_ResolveSrcFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveDstFQDN(\"FQDN\")\n | project-away RemoteDnsCanonicalNames, Computer\n // -- post-filtering\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n SrcAppType = \"Process\",\n SrcDvcIdType = \"VMConnectionId\",\n SrcHostnameType = \"Simple\",\n DstGeoCountry = RemoteCountry,\n DstGeoLongitude = RemoteLongitude,\n DstGeoLatitude = RemoteLatitude,\n SrcAppId = Process,\n SrcAppName = ProcessName,\n SrcDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"DstIpAddr\", \"\")\n | extend\n RemoteFQDN = DstFQDN,\n RemoteHostname = DstHostname,\n RemoteDomain = DstDomain,\n RemoteDomainType = DstDomainType,\n LocalFQDN = SrcFQDN,\n LocalHostname = SrcHostname,\n LocalDomain = SrcDomain,\n LocalDomainType = SrcDomainType,\n LocalIpAddr = SourceIp\n ;\n let inbound =\n VMConnectionProjected\n | where (starttime == datetime(null) or TimeGenerated >= starttime)\n and (endtime == datetime(null) or TimeGenerated <= endtime)\n | where not (disabled)\n | where Direction == \"inbound\"\n // -- Pre-filtering:\n | where\n eventresult in (\"*\", \"Success\") \n and array_length(dvcaction) == 0\n and (dstportnumber==int(null) or DestinationPort == dstportnumber)\n and (array_length(hostname_has_any)==0 \n or Computer has_any (hostname_has_any) or RemoteDnsCanonicalNames has_any (hostname_has_any)\n )\n | extend EventOriginalSeverity = tostring(Severity)\n | lookup 
SeverityLookup on EventOriginalSeverity\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIp,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(DestinationIp,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // -- End pre-filtering\n | invoke _ASIM_ResolveDstFQDN (\"Computer\")\n | extend FQDN = iff(RemoteDnsCanonicalNames == \"\", \"\", todynamic(RemoteDnsCanonicalNames)[0])\n | invoke _ASIM_ResolveSrcFQDN(\"FQDN\")\n | project-away Computer, RemoteDnsCanonicalNames\n // -- post-filtering\n | extend temp_isMatchSrcHostname= SrcHostname has_any (hostname_has_any)\n , temp_isMatchDstHostname = DstHostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0 , \"-\"\n , (temp_isMatchSrcHostname and temp_isMatchDstHostname), \"Both\" \n , temp_isMatchSrcHostname, \"SrcHostname\"\n , temp_isMatchDstHostname, \"DstHostname\"\n , \"No match\"\n )\n | where ASimMatchingHostname != \"No match\"\n | project-away temp_*\n | extend\n DstAppType = \"Process\",\n DstDvcIdType = \"VMConnectionId\",\n SrcGeoCountry = RemoteCountry,\n SrcGeoLongitude = RemoteLongitude,\n SrcGeoLatitude = RemoteLatitude,\n DstAppId = Process,\n DstAppName = ProcessName,\n DstDvcId = Machine,\n ThreatField = iff (MaliciousIp != \"\", \"SrcIpAddr\", \"\")\n | extend\n RemoteFQDN = SrcFQDN,\n RemoteHostname = SrcHostname,\n RemoteDomain = SrcDomain,\n RemoteDomainType = SrcDomainType,\n LocalFQDN = DstFQDN,\n LocalHostname = DstHostname,\n LocalDomain = DstDomain,\n LocalDomainType = DstDomainType,\n LocalIpAddr = DestinationIp\n ;\n union outbound, inbound\n // Event fields\n | extend \n 
EventCount = toint(LinksEstablished), // -- prioritized over LinksLive and LinksTerminated\n EventStartTime = TimeGenerated,\n EventVendor = \"Microsoft\",\n EventProduct = \"VMConnection\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.3\",\n EventType = \"EndpointNetworkSession\",\n DvcIdType = \"VMConnectionId\",\n NetworkDirection = iff(Direction==\"inbound\", \"Inbound\", \"Outbound\"),\n EventEndTime = TimeGenerated\n | project-rename\n DstIpAddr = DestinationIp,\n DstPortNumber = DestinationPort, \n SrcIpAddr = SourceIp, \n NetworkSessionId = ConnectionId,\n ThreatName = IndicatorThreatType,\n RemoteGeoCountry = RemoteCountry,\n RemoteGeoLatitude = RemoteLatitude, \n RemoteGeoLongitude = RemoteLongitude,\n LocalAppId = Process,\n LocalAppName = ProcessName,\n DvcId = Machine,\n RemoteIpAddr = RemoteIp,\n EventReportUrl = ReportReferenceLink,\n ThreatIpAddr = MaliciousIp\n // -- Calculated fields\n | extend\n EventResult = \"Success\",\n LocalAppType = \"Process\",\n NetworkDuration = toint(ResponseTimeSum/LinksEstablished),\n ThreatRiskLevel = toint(Confidence),\n NetworkProtocol = toupper(Protocol),\n SrcBytes = tolong(BytesSent),\n DstBytes = tolong(BytesReceived)\n | project-away BytesSent, BytesReceived, Confidence, ResponseTimeSum, Protocol, Direction, Severity, LinksEstablished\n // -- Aliases\n | extend\n IpAddr = RemoteIpAddr,\n Src = SrcIpAddr,\n Local = LocalIpAddr,\n DvcIpAddr = LocalIpAddr,\n Dst = DstIpAddr,\n Remote = RemoteIpAddr,\n Dvc = LocalHostname,\n DvcHostname = LocalHostname,\n DvcDomain = LocalDomain,\n DvcDomainType = LocalDomainType,\n DvcFQDN = LocalFQDN,\n Hostname = RemoteHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, 
dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json index 4b20e5efc8e..7e2ff29b9b9 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json 
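Review bot: The `inbound` branch of the embedded query still tests the filtering parameters with equality against typed nulls (`starttime == datetime(null)`, `endtime == datetime(null)`, `dstportnumber==int(null)`) while the `outbound` branch a few lines earlier uses `isnull(...)`; in KQL a comparison with a null operand does not evaluate true (`isnull()` is the documented test), so if callers leave those parameters at their `datetime(null)`/`int(null)` defaults the inbound `where` appears to reduce to `TimeGenerated >= null` / `DestinationPort == null` and silently drops every inbound session, which directly narrows what downstream detections see. The three inbound predicates should read `| where (isnull(starttime) or TimeGenerated >= starttime)`, `and (isnull(endtime) or TimeGenerated <= endtime)` and `and (isnull(dstportnumber) or DestinationPort == dstportnumber)`, matching the outbound branch. This hunk only flattens the resource into a top-level `workspaces/savedSearches` and leaves the query unchanged, and the ARM file appears to be generated from the parser YAML by the repo's convert workflow, so the change belongs in the source YAML and should be regenerated here. I am inferring the null semantics from the KQL null-value rules rather than a test run, so confirm with a query using the default parameters before changing it.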
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "NetworkSession ASIM Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionVMwareCarbonBlackCloud", - "query": "let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\n [\n \"PROTO_TCP\", \"TCP\",\n \"PROTO_UDP\", \"UDP\"\n];\nlet DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\n [\n \"ACTION_ALLOW\", \"Allow\",\n \"ACTION_SUSPEND\", \"Drop\",\n \"ACTION_TERMINATE\", \"Drop\",\n \"ACTION_BREAK\", \"Drop\",\n \"ACTION_BLOCK\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\n [\n \"Allow\", \"Informational\",\n \"Drop\", \"Low\",\n \"Deny\", \"Low\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: 
string='*', \n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let CarbonBlackEventsSchema = datatable ( \n eventType_s: string,\n netconn_protocol_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n device_name_s: string,\n action_s: string,\n createTime_s: string,\n netconn_domain_s: string,\n remote_ip_s: string,\n netconn_inbound_b: bool,\n process_guid_s: string,\n remote_port_d: real,\n local_port_d: real,\n process_pid_d: real,\n device_external_ip_s: string,\n local_ip_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n event_id_g: string,\n event_origin_s: string,\n process_path_s: string,\n process_username_s: string,\n org_key_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and array_length(hostname_has_any) == 0\n and eventType_s == \"endpoint.event.netconn\"\n and (isnull(dstportnumber) or toint(remote_port_d) == dstportnumber)\n | lookup NetworkProtocolLookup on netconn_protocol_s\n | lookup DvcActionLookup on sensor_action_s\n | lookup EventSeverityLookup on DvcAction\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend 
temp_action = tostring(split(action_s, \"|\")[0])\n | extend \n EventResult = case(\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\n \"Failure\",\n sensor_action_s == \"ACTION_ALLOW\" or isempty(sensor_action_s),\n \"Success\",\n \"Failure\"\n ),\n temp_SrcMatch = has_any_ipv4_prefix(local_ip_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(remote_ip_s, dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n ),\n ASimMatchingHostname = case(\n array_length(hostname_has_any) == 0,\n \"-\",\n DvcHostname has_any (hostname_has_any),\n \"SrcHostname\",\n \"No match\"\n )\n | where (eventresult == \"*\" or eventresult =~ EventResult)\n and (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n and ASimMatchingIpAddr != \"No match\"\n and ASimMatchingHostname != \"No match\";\n let alldatawiththreat = alldata \n | where isnotempty(alert_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.threatInfo_incidentId_g\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g\n | extend \n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n 
ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s,\n \"threatInfo_summary\",\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence;\n let alldatawithoutthreat = alldata\n | where isempty(alert_id_g);\n union alldatawiththreat, alldatawithoutthreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n SrcDomain = case(\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\n \"\",\n netconn_inbound_b,\n netconn_domain_s,\n \"\"\n ),\n AdditionalFields_Common = bag_pack(\n \"Process Guid\",\n process_guid_s\n ),\n DstPortNumber = toint(remote_port_d),\n NetworkDirection = case(\n temp_action == \"ACTION_CONNECTION_LISTEN\",\n \"Listen\",\n netconn_inbound_b == true,\n \"Inbound\",\n \"Unknown\"\n ),\n SrcPortNumber = toint(local_port_d),\n SrcProcessId = tostring(toint(process_pid_d))\n | project-rename\n DstIpAddr = remote_ip_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n SrcIpAddr = local_ip_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n SrcUsername = process_username_s,\n SrcProcessName = process_path_s,\n DvcScopeId = org_key_s\n | extend\n EventCount = int(1),\n 
EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"VMware\",\n SrcHostname = SrcIpAddr,\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstHostname, DstIpAddr),\n Src = coalesce(SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\n SrcAppName = SrcProcessName,\n SrcAppId = SrcProcessId,\n SrcAppType = \"Process\",\n Hostname = DstHostname\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp*,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + 
"etag": "*", + "displayName": "NetworkSession ASIM Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionVMwareCarbonBlackCloud", + "query": "let NetworkProtocolLookup = datatable (netconn_protocol_s: string, NetworkProtocol: string)\n [\n \"PROTO_TCP\", \"TCP\",\n \"PROTO_UDP\", \"UDP\"\n];\nlet DvcActionLookup = datatable (sensor_action_s: string, DvcAction: string)\n [\n \"ACTION_ALLOW\", \"Allow\",\n \"ACTION_SUSPEND\", \"Drop\",\n \"ACTION_TERMINATE\", \"Drop\",\n \"ACTION_BREAK\", \"Drop\",\n \"ACTION_BLOCK\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (DvcAction: string, EventSeverity: string)\n [\n \"Allow\", \"Informational\",\n \"Drop\", \"Low\",\n \"Deny\", \"Low\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n dstipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n dstportnumber: int=int(null), \n hostname_has_any: dynamic=dynamic([]), \n dvcaction: dynamic=dynamic([]), \n eventresult: string='*', \n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let CarbonBlackEventsSchema = datatable ( \n eventType_s: string,\n netconn_protocol_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n device_name_s: string,\n action_s: string,\n createTime_s: string,\n netconn_domain_s: string,\n remote_ip_s: string,\n netconn_inbound_b: bool,\n process_guid_s: string,\n remote_port_d: real,\n local_port_d: real,\n process_pid_d: real,\n device_external_ip_s: string,\n local_ip_s: string,\n device_id_s: 
string,\n device_os_s: string,\n event_description_s: string,\n event_id_g: string,\n event_origin_s: string,\n process_path_s: string,\n process_username_s: string,\n org_key_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let alldata = union (CarbonBlackEventsSchema), (CarbonBlackEvents_CL)\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and array_length(hostname_has_any) == 0\n and eventType_s == \"endpoint.event.netconn\"\n and (isnull(dstportnumber) or toint(remote_port_d) == dstportnumber)\n | lookup NetworkProtocolLookup on netconn_protocol_s\n | lookup DvcActionLookup on sensor_action_s\n | lookup EventSeverityLookup on DvcAction\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend temp_action = tostring(split(action_s, \"|\")[0])\n | extend \n EventResult = case(\n temp_action == \"ACTION_CONNECTION_CREATE_FAILED\",\n \"Failure\",\n sensor_action_s == \"ACTION_ALLOW\" or isempty(sensor_action_s),\n \"Success\",\n \"Failure\"\n ),\n temp_SrcMatch = has_any_ipv4_prefix(local_ip_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(remote_ip_s, dst_or_any)\n | extend \n ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n ),\n ASimMatchingHostname = case(\n 
array_length(hostname_has_any) == 0,\n \"-\",\n DvcHostname has_any (hostname_has_any),\n \"SrcHostname\",\n \"No match\"\n )\n | where (eventresult == \"*\" or eventresult =~ EventResult)\n and (array_length(dvcaction) == 0 or DvcAction has_any (dvcaction))\n and ASimMatchingIpAddr != \"No match\"\n and ASimMatchingHostname != \"No match\";\n let alldatawiththreat = alldata \n | where isnotempty(alert_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.threatInfo_incidentId_g\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g\n | extend \n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s,\n \"threatInfo_summary\",\n coalesce(threatInfo_summary_s, threatInfo_summary_s1)\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = 
coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence;\n let alldatawithoutthreat = alldata\n | where isempty(alert_id_g);\n union alldatawiththreat, alldatawithoutthreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n SrcDomain = case(\n netconn_domain_s == remote_ip_s or netconn_domain_s has \":\" or netconn_domain_s !has \".\",\n \"\",\n netconn_inbound_b,\n netconn_domain_s,\n \"\"\n ),\n AdditionalFields_Common = bag_pack(\n \"Process Guid\",\n process_guid_s\n ),\n DstPortNumber = toint(remote_port_d),\n NetworkDirection = case(\n temp_action == \"ACTION_CONNECTION_LISTEN\",\n \"Listen\",\n netconn_inbound_b == true,\n \"Inbound\",\n \"Unknown\"\n ),\n SrcPortNumber = toint(local_port_d),\n SrcProcessId = tostring(toint(process_pid_d))\n | project-rename\n DstIpAddr = remote_ip_s,\n DvcIpAddr = device_external_ip_s,\n EventUid = _ItemId,\n SrcIpAddr = local_ip_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n SrcUsername = process_username_s,\n SrcProcessName = process_path_s,\n DvcScopeId = org_key_s\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"EndpointNetworkSession\",\n EventVendor = \"VMware\",\n SrcHostname = SrcIpAddr,\n DstHostname = iff(NetworkDirection == \"Inbound\", coalesce(DvcHostname, DstIpAddr), DstIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n )\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = coalesce(DstHostname, DstIpAddr),\n Src = coalesce(SrcHostname, SrcIpAddr),\n IpAddr = SrcIpAddr,\n SrcUsernameType = 
_ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n SrcDomainType = iff(isnotempty(SrcDomain), \"FQDN\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common),\n SrcAppName = SrcProcessName,\n SrcAppId = SrcProcessId,\n SrcAppType = \"Process\",\n Hostname = DstHostname\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp*,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix,\n dstportnumber=dstportnumber, \n hostname_has_any=hostname_has_any, \n dvcaction=dvcaction, \n eventresult=eventresult, \n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),dvcaction:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json index 9ff07625f08..a46f817f897 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json 
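Review bot: The `functionParameters` string on the new side lists `dvcaction` before `hostname_has_any`, while the inner `parser` signature inside the query and the other NetworkSession filtering parsers in this diff (VMConnection, Vectra AI) put `hostname_has_any` before `dvcaction`; a caller that passes these positionally gets its hostname list applied as an action filter and vice versa, silently returning no rows instead of an error. The inner call uses named arguments so the function body is unaffected, but the exposed signature should follow the shared order: `...dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False`. Separately, the first `where` in `alldata` requires `array_length(hostname_has_any) == 0`, so any non-empty hostname filter drops every row before the `ASimMatchingHostname` case is evaluated, making the `DvcHostname has_any (hostname_has_any)` branch dead; either that `array_length` condition should go (if hostname filtering is meant to work) or the `ASimMatchingHostname` logic should, so the parser's filtering contract is not misleading.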
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Vectra AI Streams", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionVectraAI", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]),\n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false,\n pack:bool=false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'External'];\n let EventSubTypeLookup = datatable(conn_state_s:string, EventSubType:string)[\n \"S1\", 'Start',\n \"SF\", 'End'];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n VectraStream_CL\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where not(disabled)\n | where metadata_type_s == 'metadata_isession'\n | project-away MG, ManagementGroupName, RawData, 
SourceSystem, TenantId\n | where array_length(dvcaction) == 0\n | where eventresult == \"*\"\n | where (isnull(dstportnumber) or dstportnumber==id_resp_p_d)\n and (array_length(hostname_has_any)==0 \n or resp_domain_s has_any (hostname_has_any)\n or resp_hostname_s has_any (hostname_has_any)\n or orig_hostname_s has_any (hostname_has_any)\n )\n | extend temp_SrcMatch=has_any_ipv4_prefix(id_orig_h_s,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(id_resp_h_s,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | project-rename\n DstIpAddr = id_resp_h_s,\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n // -- huid does not seem to be unique per device and not mapped for now\n // DstDvcId = resp_huid_s, \n // SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n EventUid = _ItemId\n // -- the domain field may have invalid values. 
Most of them are IP addresses filtered out, but a small fraction are not filtered.\n | extend resp_domain_s = iff (ipv4_is_match(resp_domain_s, \"0.0.0.0\",0), \"\", resp_domain_s)\n | extend SplitRespDomain = split(resp_domain_s,\".\")\n | extend \n DstDomain = tostring(strcat_array(array_slice(SplitRespDomain, 1, -1), '.')),\n DstFQDN = iif (array_length(SplitRespDomain) > 1, resp_domain_s, ''),\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\n | extend\n DstHostname = case (\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\n DstDescription)\n | project-away SplitRespDomain\n | extend\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkApplicationProtocol = toupper(service_s),\n NetworkProtocol = toupper(protoName_s),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n Dst = DstIpAddr,\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n DstVlanId = tostring(toint(resp_vlan_id_d)),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational',\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\n EventType = 'NetworkSession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\n // -- No ID mapped, since huid found not to be unique\n // SrcDvcIdType = 'VectraId',\n // 
DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n NetworkDuration = toint(duration_d)\n | extend \n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n // SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n Dvc = DvcId,\n Duration = NetworkDuration,\n InnerVlanId = SrcVlanId,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n OuterVlanId = DstVlanId\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup EventSubTypeLookup on conn_state_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_sluid\", orig_sluid_s, \n \"resp_sluid\", resp_sluid_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled, pack=pack)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Vectra AI Streams", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionVectraAI", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]),\n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false,\n pack:bool=false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)[\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'External'];\n let EventSubTypeLookup = datatable(conn_state_s:string, EventSubType:string)[\n \"S1\", 'Start',\n \"SF\", 'End'];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n VectraStream_CL\n | where (isnull(starttime) or TimeGenerated>=starttime)\n and (isnull(endtime) or TimeGenerated<=endtime)\n | where not(disabled)\n | where metadata_type_s == 'metadata_isession'\n | project-away MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | where array_length(dvcaction) == 0\n | where eventresult == \"*\"\n | where (isnull(dstportnumber) or dstportnumber==id_resp_p_d)\n and (array_length(hostname_has_any)==0 \n or resp_domain_s has_any (hostname_has_any)\n or 
resp_hostname_s has_any (hostname_has_any)\n or orig_hostname_s has_any (hostname_has_any)\n )\n | extend temp_SrcMatch=has_any_ipv4_prefix(id_orig_h_s,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(id_resp_h_s,dst_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | project-rename\n DstIpAddr = id_resp_h_s,\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n // -- huid does not seem to be unique per device and not mapped for now\n // DstDvcId = resp_huid_s, \n // SrcDvcId = orig_huid_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n EventUid = _ItemId\n // -- the domain field may have invalid values. 
Most of them are IP addresses filtered out, but a small fraction are not filtered.\n | extend resp_domain_s = iff (ipv4_is_match(resp_domain_s, \"0.0.0.0\",0), \"\", resp_domain_s)\n | extend SplitRespDomain = split(resp_domain_s,\".\")\n | extend \n DstDomain = tostring(strcat_array(array_slice(SplitRespDomain, 1, -1), '.')),\n DstFQDN = iif (array_length(SplitRespDomain) > 1, resp_domain_s, ''),\n DstDomainType = iif (array_length(SplitRespDomain) > 1, 'FQDN', '')\n | extend\n DstHostname = case (\n resp_domain_s != \"\", tostring(SplitRespDomain[0]),\n DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\",\n DstDescription)\n | project-away SplitRespDomain\n | extend\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n NetworkApplicationProtocol = toupper(service_s),\n NetworkProtocol = toupper(protoName_s),\n NetworkProtocolVersion = toupper(id_ip_ver_s),\n Dst = DstIpAddr,\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n DstVlanId = tostring(toint(resp_vlan_id_d)),\n EventCount = toint(1),\n EventEndTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResult = 'Success',\n EventSchema = 'NetworkSession',\n EventSchemaVersion='0.2.2',\n EventSeverity = 'Informational',\n EventStartTime = unixtime_milliseconds_todatetime(session_start_time_d),\n EventType = 'NetworkSession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n SrcVlanId = tostring(toint(orig_vlan_id_d)),\n // -- No ID mapped, since huid found not to be unique\n // SrcDvcIdType = 'VectraId',\n // 
DstDvcIdType = 'VectraId',\n DvcIdType = 'VectraId',\n NetworkDuration = toint(duration_d)\n | extend \n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n // SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n Dvc = DvcId,\n Duration = NetworkDuration,\n InnerVlanId = SrcVlanId,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n OuterVlanId = DstVlanId\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup EventSubTypeLookup on conn_state_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_sluid\", orig_sluid_s, \n \"resp_sluid\", resp_sluid_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled, pack=pack)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json index b68419222ae..9fcdcc9e9ce 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json 
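Review bot: With the parent `Microsoft.OperationalInsights/workspaces` resource removed, the `savedSearches` resource is now deployed directly as `[concat(parameters('Workspace'), '/vimNetworkSessionVectraAI')]` with no `dependsOn`, so the deployment requires `Workspace` to name a workspace that already exists in the target resource group and fails rather than creating one. That is the safer shape — the old form issued a write to the workspace resource itself on every parser deployment, which presumably needs the broader workspace write permission and could touch workspace properties — but the contract should be stated where operators read it, in the `Workspace` parameter's `metadata.description` (the `parameters` block sits above this hunk): `"Name of an existing Log Analytics workspace in this resource group; the template does not create or modify the workspace itself."`. The retained `"etag": "*"` still means any existing function with the same alias is overwritten unconditionally, which appears to be the intended upgrade path for ASIM parsers but is worth a line in that same description.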
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionWatchGuardFirewareOS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionWatchGuardFirewareOS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM parser for WatchGuard Fireware OS", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionWatchGuardFirewareOS", - "query": "let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let EventLookup=datatable(DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Allow\",\"Success\",\"Informational\"\n , \"Deny\",\"Failure\",\"Low\"\n ];\n let SyslogParser = (Syslog:(SyslogMessage:string)) {\n Syslog\n | parse-kv SyslogMessage as (geo_src:string\n , geo_dst:string\n , src_user:string\n , dst_user:string\n , duration:int\n , sent_bytes:long\n , rcvd_bytes:long\n , fqdn_src_match:string\n , fqdn_dst_match:string) with (pair_delimiter=' ', kv_delimiter='=', quote='\"')\n | project-rename SrcGeoCountry = 
geo_src\n , DstGeoCountry = geo_dst\n , SrcUsername = src_user\n , DstUsername = dst_user\n , NetworkDuration = duration\n , SrcBytes = sent_bytes\n , DstBytes = rcvd_bytes\n , DstDomain = fqdn_dst_match\n , SrcDomain = fqdn_src_match\n | extend DstDomainType = iif(isnotempty(DstDomain),\"FQDN\",\"\")\n | extend SrcDomainType = iif(isnotempty(SrcDomain),\"FQDN\",\"\")\n | extend NetworkProtocol = extract(@\" (tcp|udp|icmp|igmp) \", 1, SyslogMessage)\n | extend SrcUsernameType = case(isempty(SrcUsername), \"\"\n , SrcUsername contains \"@\" , \"UPN\"\n , \"Simple\"\n )\n | extend DstUsernameType = case(isempty(DstUsername), \"\"\n , DstUsername contains \"@\" , \"UPN\"\n , \"Simple\"\n )\n | parse SyslogMessage with * \"repeated \" EventCount:int \" times\" *\n | extend EventCount = iif(isnotempty(EventCount), EventCount, toint(1))\n | project-away SyslogMessage\n };\n let IPParser = (T:(SrcIpAddr:string,DstIpAddr:string)){\n T\n | extend temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch = has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n };\n let HostParser = (Syslog:(SrcDomain:string,DstDomain:string)){\n Syslog\n | extend temp_SrcMatch = SrcDomain has_any(hostname_has_any)\n , temp_DstMatch= DstDomain has_any(hostname_has_any)\n | extend ASimMatchingHostname =case(\n array_length(hostname_has_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcDomain\",\n temp_DstMatch, \"DstDomain\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\" \n | project-away temp_*\n };\n let AllSyslog = \n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) 
or TimeGenerated<=endtime)\n | where SyslogMessage has_any('msg_id=\"3000-0148\"' \n , 'msg_id=\"3000-0149\"' \n , 'msg_id=\"3000-0150\"'\n , 'msg_id=\"3000-0151\"'\n , 'msg_id=\"3000-0173\"'\n ) and SyslogMessage !has 'msg=\"DNS Forwarding\" '\n and (array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any))\n and (array_length(hostname_has_any)==0 or SyslogMessage has_any(hostname_has_any))\n | where (array_length(dvcaction)==0 or SyslogMessage has_any (dvcaction))\n | extend DvcAction = extract(@'\" (Allow|Deny) ', 1, SyslogMessage)\n | lookup EventLookup on DvcAction\n | where (eventresult=='*' or EventResult == eventresult)\n | project TimeGenerated, SyslogMessage, HostName, DvcAction, EventResult, EventSeverity\n ;\n let Parse1 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} (tcp|udp) \\d{2,5} \\d{2,5} \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse2 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" (tcp|udp) \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse3 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} icmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n | invoke IPParser()\n | invoke 
HostParser()\n ;\n let Parse4 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" icmp \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse5 = \n AllSyslog\n | where SyslogMessage has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} igmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n union isfuzzy=false Parse1, Parse2, Parse3, Parse4, Parse5\n | extend EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.4\"\n , EventVendor = \"WatchGuard\"\n , EventProduct = \"Fireware\"\n , EventType = \"NetworkSession\"\n , DvcHostname = HostName\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkProtocol = toupper(NetworkProtocol)\n , NetworkDuration = toint(NetworkDuration * toint(1000))\n , NetworkBytes = SrcBytes + DstBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = TimeGenerated\n , Src = SrcIpAddr\n , Dst = DstIpAddr\n , Duration = NetworkDuration\n , User = DstUsername\n , IpAddr = SrcIpAddr\n | project-rename Dvc = HostName\n};\nParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM parser for WatchGuard Fireware OS", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionWatchGuardFirewareOS", + "query": "let Parser=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), ipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false){\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let ip_any = set_union(srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let EventLookup=datatable(DvcAction:string,EventResult:string,EventSeverity:string)\n [\n \"Allow\",\"Success\",\"Informational\"\n , \"Deny\",\"Failure\",\"Low\"\n ];\n let SyslogParser = (Syslog:(SyslogMessage:string)) {\n Syslog\n | parse-kv SyslogMessage as (geo_src:string\n , geo_dst:string\n , src_user:string\n , dst_user:string\n , duration:int\n , sent_bytes:long\n , rcvd_bytes:long\n , fqdn_src_match:string\n , fqdn_dst_match:string) with (pair_delimiter=' ', kv_delimiter='=', quote='\"')\n | project-rename SrcGeoCountry = geo_src\n , DstGeoCountry = geo_dst\n , SrcUsername = src_user\n , DstUsername = dst_user\n , NetworkDuration = duration\n , SrcBytes = sent_bytes\n , DstBytes = rcvd_bytes\n , DstDomain = fqdn_dst_match\n , SrcDomain = fqdn_src_match\n | extend DstDomainType = 
iif(isnotempty(DstDomain),\"FQDN\",\"\")\n | extend SrcDomainType = iif(isnotempty(SrcDomain),\"FQDN\",\"\")\n | extend NetworkProtocol = extract(@\" (tcp|udp|icmp|igmp) \", 1, SyslogMessage)\n | extend SrcUsernameType = case(isempty(SrcUsername), \"\"\n , SrcUsername contains \"@\" , \"UPN\"\n , \"Simple\"\n )\n | extend DstUsernameType = case(isempty(DstUsername), \"\"\n , DstUsername contains \"@\" , \"UPN\"\n , \"Simple\"\n )\n | parse SyslogMessage with * \"repeated \" EventCount:int \" times\" *\n | extend EventCount = iif(isnotempty(EventCount), EventCount, toint(1))\n | project-away SyslogMessage\n };\n let IPParser = (T:(SrcIpAddr:string,DstIpAddr:string)){\n T\n | extend temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch = has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n };\n let HostParser = (Syslog:(SrcDomain:string,DstDomain:string)){\n Syslog\n | extend temp_SrcMatch = SrcDomain has_any(hostname_has_any)\n , temp_DstMatch= DstDomain has_any(hostname_has_any)\n | extend ASimMatchingHostname =case(\n array_length(hostname_has_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcDomain\",\n temp_DstMatch, \"DstDomain\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\" \n | project-away temp_*\n };\n let AllSyslog = \n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where SyslogMessage has_any('msg_id=\"3000-0148\"' \n , 'msg_id=\"3000-0149\"' \n , 'msg_id=\"3000-0150\"'\n , 'msg_id=\"3000-0151\"'\n , 'msg_id=\"3000-0173\"'\n ) and SyslogMessage !has 'msg=\"DNS Forwarding\" '\n and 
(array_length(ip_any)==0 or has_any_ipv4_prefix(SyslogMessage,ip_any))\n and (array_length(hostname_has_any)==0 or SyslogMessage has_any(hostname_has_any))\n | where (array_length(dvcaction)==0 or SyslogMessage has_any (dvcaction))\n | extend DvcAction = extract(@'\" (Allow|Deny) ', 1, SyslogMessage)\n | lookup EventLookup on DvcAction\n | where (eventresult=='*' or EventResult == eventresult)\n | project TimeGenerated, SyslogMessage, HostName, DvcAction, EventResult, EventSeverity\n ;\n let Parse1 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} (tcp|udp) \\d{2,5} \\d{2,5} \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse2 = \n AllSyslog\n | where SyslogMessage !has \"icmp\" and SyslogMessage !has \"igmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" (tcp|udp) \" SrcIpAddr \" \" DstIpAddr \" \" SrcPortNumber:int @\" \" DstPortNumber:int @\" \" *\n | where (isnull(dstportnumber) or DstPortNumber==dstportnumber)\n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse3 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} icmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse4 = \n AllSyslog\n | where SyslogMessage has \"icmp\" and SyslogMessage has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" icmp \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke 
SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n let Parse5 = \n AllSyslog\n | where SyslogMessage has \"igmp\" and SyslogMessage !has \"3000-0151\"\n | parse kind=regex flags=U SyslogMessage with * @'\" (Allow|Deny) ' RuleName @\" \\d{2,5} igmp \\d{2,5} \\d{1,5} \" SrcIpAddr \" \" DstIpAddr \" \" * \n | invoke SyslogParser()\n | invoke IPParser()\n | invoke HostParser()\n ;\n union isfuzzy=false Parse1, Parse2, Parse3, Parse4, Parse5\n | extend EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.4\"\n , EventVendor = \"WatchGuard\"\n , EventProduct = \"Fireware\"\n , EventType = \"NetworkSession\"\n , DvcHostname = HostName\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkProtocol = toupper(NetworkProtocol)\n , NetworkDuration = toint(NetworkDuration * toint(1000))\n , NetworkBytes = SrcBytes + DstBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = TimeGenerated\n , Src = SrcIpAddr\n , Dst = DstIpAddr\n , Duration = NetworkDuration\n , User = DstUsername\n , IpAddr = SrcIpAddr\n | project-rename Dvc = HostName\n};\nParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
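Review bot: The ICMP and IGMP branches (Parse3, Parse4, Parse5) never apply the `dstportnumber` filter, so a caller who passes `dstportnumber` still receives port-less ICMP/IGMP sessions, whereas Parse1 and Parse2 gate on `| where (isnull(dstportnumber) or DstPortNumber==dstportnumber)`; a filtering parser is expected to return only matching rows, and detection rules that rely on that contract will see unexpected events. Since those three branches produce no DstPortNumber column, add `| where isnull(dstportnumber)` directly after the `where SyslogMessage has "icmp"` / `"igmp"` line in each of them. The query text is identical on both sides of this hunk, so the defect predates the ARM flattening, but the flattened template is what now deploys it. Separately, the template no longer declares the `Microsoft.OperationalInsights/workspaces` resource, which appears to mean deployment only needs `savedSearches/write` on an existing workspace rather than `workspaces/write` — a least-privilege improvement worth recording, together with the new precondition that the workspace must already exist.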
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
index adfe70b3d72..ade8927846f 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimNetworkSessionZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Network Session ASIM filtering parser for Zscaler ZIA firewall", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionZscalerZIA", - "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where 
DeviceProduct == \"NSSFWlog\"\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. \n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n// -- Pre-filtering\n| where ASimMatchingIpAddr != \"No match\"\n| project-away temp_*\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n 
ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message \n// -- Calculated fields\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Network Session ASIM filtering parser for Zscaler ZIA firewall", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionZscalerZIA", + "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n 'Allow','Allow',\n 'Allow due to insufficient app data','Allow',\n 'Block/Drop','Drop',\n 'Block/ICMP','Drop ICMP',\n 'Block/Reset', 'Reset',\n 'IPS Drop', 'Drop',\n 'IPS Reset', 'Reset',\n // Observed in real world events\n 'Block ICMP', 'Drop ICMP',\n 'Drop', 'Drop'\n];\nlet parser= \n (starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , srcipaddr_has_any_prefix:dynamic=dynamic([])\n , dstipaddr_has_any_prefix:dynamic=dynamic([])\n , ipaddr_has_any_prefix:dynamic=dynamic([])\n , dstportnumber:int=int(null)\n , hostname_has_any:dynamic=dynamic([])\n , dvcaction:dynamic=dynamic([])\n , eventresult:string='*'\n , disabled:bool=false) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \nCommonSecurityLog \n| where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n| where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n|where\n (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. 
\n and (isnull(dstportnumber) or dstportnumber == DestinationPort) \n| extend temp_SrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), temp_DstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n| extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n// -- Pre-filtering\n| where ASimMatchingIpAddr != \"No match\"\n| project-away temp_*\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Firewall\", \n EventSchema = \"NetworkSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'NetworkSession', \n EventSeverity = 'Informational',\n EventEndTime=TimeGenerated \n| project-rename\n DvcHostname = Computer, \n EventProductVersion = DeviceVersion, \n NetworkProtocol = Protocol, \n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort, \n DstNatIpAddr = DestinationTranslatedAddress, \n DstNatPortNumber = DestinationTranslatedPort, \n DstAppName = DeviceCustomString3, \n NetworkApplicationProtocol = DeviceCustomString2, \n SrcIpAddr = SourceIP, \n SrcPortNumber = SourcePort, \n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress, \n SrcNatPortNumber = SourceTranslatedPort, \n SrcUserDepartment = DeviceCustomString1, // Not in standard schema\n SrcUserLocation = SourceUserPrivileges, // Not in standard schema\n ThreatName = DeviceCustomString6, \n ThreatCategory = DeviceCustomString5, \n NetworkRuleName = Activity,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message \n// -- Calculated 
fields\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventCount=coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber2\", int(null))), \n toint(column_ifexists(\"DeviceCustomNumber2\",int(null)))\n ),\n NetworkDuration = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername),\n DstBytes = tolong(ReceivedBytes), \n SrcBytes = tolong(SentBytes)\n// -- Enrichment\n| extend\n DstAppType = \"Service\", \n SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n Dvc = DvcHostname,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Rule = NetworkRuleName,\n Duration = NetworkDuration\n| project-away AdditionalExtensions, CommunicationDirection, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, EventOutcome, FieldDevice*, ExtID, Reason, ApplicationProtocol, ReportReferenceLink\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
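Review bot: `EventResult = iff (DvcOriginalAction == "Allow", "Success", "Failure")` keys off the raw vendor action, but the ActionLookup at the top of the query maps 'Allow due to insufficient app data' to DvcAction 'Allow', so those sessions are emitted with DvcAction='Allow' and EventResult='Failure', and a caller filtering with eventresult='Success' silently loses them. Derive the result from the normalized action instead: `EventResult = iff (DvcAction == "Allow", "Success", "Failure")`. The query is byte-identical on both sides of the hunk, so this predates the commit, but the flattened template is what ships it. Also note `EventSchemaVersion="0.2.3"` here against `"0.2.4"` in the WatchGuard parser touched by the same commit — presumably each reflects the schema revision it was authored against, but worth confirming both are intentional.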
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml index 176aafd3daf..339a961a9ff 100644 --- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml +++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml @@ -12,7 +12,6 @@ References: Link: https://aka.ms/ASimNetworkSessionDoc - Title: ASIM Link: https://aka.ms/AboutASIM - Description: | This ASIM parser supports normalizing Network Session logs from all supported sources to the ASIM Network Session normalized schema. ParserName: ASimNetworkSession @@ -55,12 +54,10 @@ Parsers: - _ASim_NetworkSession_PaloAltoCortexDataLake - _ASim_NetworkSession_SonicWallFirewall - _ASim_NetworkSession_IllumioSaaSCore - ParserParams: - Name: pack Type: bool Default: false - ParserQuery: | let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser); let ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); @@ -68,7 +65,6 @@ ParserQuery: | union isfuzzy=true vimNetworkSessionEmpty , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) )) - , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) )) , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) )) , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) )) diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateLinuxSysmon/ASimProcessCreateLinuxSysmon.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateLinuxSysmon/ASimProcessCreateLinuxSysmon.json index b0c66877f6f..7c6c5f2c541 100644 
--- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateLinuxSysmon/ASimProcessCreateLinuxSysmon.json
+++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateLinuxSysmon/ASimProcessCreateLinuxSysmon.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateLinuxSysmon", - "query": "let ParsedProcessEvent=(){\n Syslog\n | where not(disabled)\n | where SyslogMessage has_all ('1')\n | parse SyslogMessage with \n *\n '' EventRecordId:int ''\n *\n '' SysmonComputer:string ''\n *\n ''RuleName // parsing the XML using the original fields name - for readability \n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId:string\n ''Image\n ''FileVersion\n ''Description\n ''Product\n ''Company'' *\n | extend OriginalFileName = extract (@'\"OriginalFileName\">([^<]+)<',1,SyslogMessage) // this field exists in sysmon version 10.42 and above - using extact to avoid parsing failure\n | parse SyslogMessage with *\n ''CommandLine''\n ''CurrentDirectory\n ''User\n '{'LogonGuid\n '}'LogonId\n ''TerminalSessionId\n ''IntegrityLevel\n ''Hashes\n '{'ParentProcessGuid\n '}'ParentProcessId:string\n ''ParentImage\n ''ParentCommandLine ''*\n | parse SyslogMessage with *''ActorUsername '' *// this field appears in newer versions of Sysmon \n | extend TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel 
file\n TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\n // End of XML parse\n | project-away SyslogMessage, Hashes\n | extend \n EventType = \"ProcessCreated\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon for Linux\",\n EventResult = 'Success',\n EventOriginalUid = tostring(EventRecordId),\n DvcOs = \"Linux\",\n TargetUserSessionId = tostring(LogonId) , \n TargetUsernameType = \"Simple\",\n TargetUsername = User,\n TargetProcessCommandLine = CommandLine,\n TargetProcessCurrentDirectory = CurrentDirectory,\n ActorUsernameType = \"Simple\",\n EventOriginalType = '1' // Set with a constant value to avoid parsing\n | project-rename \n // EventMessage = RenderedDescription, // field not available in Linux\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. 
\n DvcIpAddr = HostIP, \n TargetUserSessionGuid = LogonGuid, \n TargetProcessId = ProcessId,\n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessIntegrityLevel = IntegrityLevel,\n TargetProcessCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product,\n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage\n | extend // aliases\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostName,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\n | project-away\n ProcessName, ProcessID\n}; ParsedProcessEvent", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateLinuxSysmon", + "query": "let ParsedProcessEvent=(){\n Syslog\n | where not(disabled)\n | where SyslogMessage has_all ('1')\n | parse SyslogMessage with \n *\n '' EventRecordId:int ''\n *\n '' SysmonComputer:string ''\n *\n ''RuleName // parsing the XML using the original fields name - for readability \n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId:string\n ''Image\n ''FileVersion\n ''Description\n ''Product\n ''Company'' *\n | extend OriginalFileName = extract (@'\"OriginalFileName\">([^<]+)<',1,SyslogMessage) // this field exists in sysmon version 10.42 and above - using extact to avoid parsing failure\n | parse SyslogMessage with *\n ''CommandLine''\n ''CurrentDirectory\n ''User\n '{'LogonGuid\n '}'LogonId\n ''TerminalSessionId\n ''IntegrityLevel\n ''Hashes\n '{'ParentProcessGuid\n '}'ParentProcessId:string\n ''ParentImage\n ''ParentCommandLine ''*\n | parse SyslogMessage with *''ActorUsername '' *// this field appears in 
newer versions of Sysmon \n | extend TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel file\n TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\n // End of XML parse\n | project-away SyslogMessage, Hashes\n | extend \n EventType = \"ProcessCreated\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon for Linux\",\n EventResult = 'Success',\n EventOriginalUid = tostring(EventRecordId),\n DvcOs = \"Linux\",\n TargetUserSessionId = tostring(LogonId) , \n TargetUsernameType = \"Simple\",\n TargetUsername = User,\n TargetProcessCommandLine = CommandLine,\n TargetProcessCurrentDirectory = CurrentDirectory,\n ActorUsernameType = \"Simple\",\n EventOriginalType = '1' // Set with a constant value to avoid parsing\n | project-rename \n // EventMessage = RenderedDescription, // field not available in Linux\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. 
\n DvcIpAddr = HostIP, \n TargetUserSessionGuid = LogonGuid, \n TargetProcessId = ProcessId,\n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessIntegrityLevel = IntegrityLevel,\n TargetProcessCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product,\n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage\n | extend // aliases\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostName,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\n | project-away\n ProcessName, ProcessID\n}; ParsedProcessEvent", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSecurityEvents/ASimProcessCreateMicrosoftSecurityEvents.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSecurityEvents/ASimProcessCreateMicrosoftSecurityEvents.json index 4a9a9ccb06f..16bcabd42d6 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSecurityEvents/ASimProcessCreateMicrosoftSecurityEvents.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSecurityEvents/ASimProcessCreateMicrosoftSecurityEvents.json 
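Review bot: The Sysmon-for-Linux query on the new side renames the computer column to `DvcHostName` (`DvcHostName = SysmonComputer` in the `project-rename` and `Dvc = DvcHostName` in the aliases), but KQL column names are case-sensitive and the sibling ProcessEvent parsers in this diff emit `DvcHostname`, the ASIM field name, so consumers reading `DvcHostname` will see it empty for these events if the hunk text is faithful to the file. The same section maps `TargetProcessCompany = Company` where the other parsers use `TargetProcessFileCompany`. Suggest `DvcHostname = SysmonComputer`, `Dvc = DvcHostname` and `TargetProcessFileCompany = Company`, made in the parser YAML this ARM template is generated from rather than in the JSON. The flattened `workspaces/savedSearches` resource no longer issues a PUT on the workspace itself, which is the safer shape, but it presumes the workspace already exists; a one-line note in the template metadata or README that the `Workspace` parameter must name an existing workspace would spare deployers an opaque failure.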
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateMicrosoftSecurityEvents", - "query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n// Source: https://support.microsoft.com/topic/0fdcaf87-ee5e-8929-e54c-65e04235a634\nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n ];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n ];\nlet 
parser=(disabled:bool=false){\nSecurityEvent\n| where not(disabled)\n// -- Filter\n| where EventID == 4688\n// -- Map\n| extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.3',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount),\n ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n| lookup KnownSIDs on $left.TargetUserSid == $right.sid\n| extend\n TargetUsername = iff (TargetUserName == \"-\", username, TargetAccount),\n TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')\n| lookup UserTypeLookup on AccountType\n| extend\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n // Processes\n ActingProcessId = tostring(toint(ProcessId)),\n TargetProcessId = tostring(toint(NewProcessId)),\n TargetProcessCommandLine = CommandLine\n | project-rename\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n ActingProcessName = ParentProcessName,\n TargetProcessName = NewProcessName,\n ActorDomainName = SubjectDomainName,\n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n TargetUserId =TargetUserSid,\n TargetUserSessionId = TargetLogonId,\n EventOriginalUid = EventOriginId,\n TargetProcessTokenElevation = TokenElevationType\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n // -- Remove potentially confusing\n | project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId\n | project-away\n TargetDomainName,\n TargetUserName,\n TargetAccount,\n 
EventID\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateMicrosoftSecurityEvents", + "query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n// Source: https://support.microsoft.com/topic/0fdcaf87-ee5e-8929-e54c-65e04235a634\nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n ];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n ];\nlet parser=(disabled:bool=false){\nSecurityEvent\n| where not(disabled)\n// -- Filter\n| where EventID == 4688\n// -- Map\n| extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.3',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| lookup KnownSIDs on $left.SubjectUserSid == 
$right.sid\n| extend\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount),\n ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n| lookup KnownSIDs on $left.TargetUserSid == $right.sid\n| extend\n TargetUsername = iff (TargetUserName == \"-\", username, TargetAccount),\n TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')\n| lookup UserTypeLookup on AccountType\n| extend\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n // Processes\n ActingProcessId = tostring(toint(ProcessId)),\n TargetProcessId = tostring(toint(NewProcessId)),\n TargetProcessCommandLine = CommandLine\n | project-rename\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n ActingProcessName = ParentProcessName,\n TargetProcessName = NewProcessName,\n ActorDomainName = SubjectDomainName,\n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n TargetUserId =TargetUserSid,\n TargetUserSessionId = TargetLogonId,\n EventOriginalUid = EventOriginId,\n TargetProcessTokenElevation = TokenElevationType\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n // -- Remove potentially confusing\n | project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId\n | project-away\n TargetDomainName,\n TargetUserName,\n TargetAccount,\n EventID\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmon/ASimProcessCreateMicrosoftSysmon.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmon/ASimProcessCreateMicrosoftSysmon.json index f9888a6a61b..ac94b8b9a5b 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmon/ASimProcessCreateMicrosoftSysmon.json 
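Review bot: The target-user mapping keys on two different columns: `TargetUsername = iff (TargetUserName == "-", username, TargetAccount)` tests `TargetUserName`, while the next line `TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')` tests `TargetDomainName`, so a 4688 with a user but no domain gets the `KnownSIDs` `type` attached to a name taken from `TargetAccount`; the actor branch tests `SubjectUserName` for both. Suggest `TargetUsernameType = iff(TargetUserName == '-', type, 'Windows')` for symmetry. Separately, the second `lookup KnownSIDs` runs after the first has already added `username` and `type`; I believe Kusto suffixes colliding right-side columns rather than replacing them, in which case the target branch is reading the actor's lookup result, which is worth confirming with an event whose target SID is `S-1-5-18` and whose subject is a regular user. The fix belongs in the parser YAML this template is generated from.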
+++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmon/ASimProcessCreateMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventCreateMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventCreateMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Sysmon", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventCreateMicrosoftSysmon", - "query": "let parser = (disabled: bool = false) {\n // this is the parser for sysmon from Event table\n let parser_Event =\n Event \n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 1\n | parse-kv EventData as (\n ProcessGuid: string, \n ProcessId: string,\n Image: string,\n FileVersion: string,\n Description: string,\n Product: string,\n Company: string,\n OriginalFileName: string,\n CommandLine: string,\n CurrentDirectory: string,\n User: string,\n LogonGuid: string, \n LogonId: string,\n IntegrityLevel: string,\n Hashes: string,\n ParentProcessGuid: string, \n ParentProcessId: string,\n ParentImage: string,\n ParentCommandLine: string,\n ParentUser: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | parse-kv Hashes as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n 
TargetProcessIMPHASH = IMPHASH\n | project-away Hashes\n | extend \n TargetUsername = User,\n TargetProcessCommandLine = CommandLine\n | project-rename \n DvcHostname = Computer,\n TargetUserSessionGuid = LogonGuid,\n TargetProcessId = ProcessId,\n TargetUserSessionId = LogonId, \n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessFilename = OriginalFileName,\n TargetProcessCurrentDirectory = CurrentDirectory,\n TargetProcessIntegrityLevel = IntegrityLevel, \n TargetProcessFileCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product, \n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage,\n ActorUsername = ParentUser\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Sysmon\",\n // aliases\n Process = TargetProcessName,\n Dvc = DvcHostname,\n EventUid = _ItemId\n | project-away\n EventData,\n ParameterXml,\n AzureDeploymentID,\n EventCategory,\n EventID,\n EventLevel,\n EventLevelName,\n TenantId,\n EventLog,\n MG,\n ManagementGroupName,\n Message,\n Role,\n SourceSystem,\n Source,\n UserName,\n RenderedDescription,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\"\n ;\n parser_Event \n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + 
"displayName": "Process Create Event ASIM parser for Sysmon", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventCreateMicrosoftSysmon", + "query": "let parser = (disabled: bool = false) {\n // this is the parser for sysmon from Event table\n let parser_Event =\n Event \n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 1\n | parse-kv EventData as (\n ProcessGuid: string, \n ProcessId: string,\n Image: string,\n FileVersion: string,\n Description: string,\n Product: string,\n Company: string,\n OriginalFileName: string,\n CommandLine: string,\n CurrentDirectory: string,\n User: string,\n LogonGuid: string, \n LogonId: string,\n IntegrityLevel: string,\n Hashes: string,\n ParentProcessGuid: string, \n ParentProcessId: string,\n ParentImage: string,\n ParentCommandLine: string,\n ParentUser: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | parse-kv Hashes as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | project-away Hashes\n | extend \n TargetUsername = User,\n TargetProcessCommandLine = CommandLine\n | project-rename \n DvcHostname = Computer,\n TargetUserSessionGuid = LogonGuid,\n TargetProcessId = ProcessId,\n TargetUserSessionId = LogonId, \n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessFilename = OriginalFileName,\n TargetProcessCurrentDirectory = CurrentDirectory,\n TargetProcessIntegrityLevel = IntegrityLevel, \n TargetProcessFileCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product, \n ActingProcessId = 
ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage,\n ActorUsername = ParentUser\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Sysmon\",\n // aliases\n Process = TargetProcessName,\n Dvc = DvcHostname,\n EventUid = _ItemId\n | project-away\n EventData,\n ParameterXml,\n AzureDeploymentID,\n EventCategory,\n EventID,\n EventLevel,\n EventLevelName,\n TenantId,\n EventLog,\n MG,\n ManagementGroupName,\n Message,\n Role,\n SourceSystem,\n Source,\n UserName,\n RenderedDescription,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\"\n ;\n parser_Event \n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmonWindowsEvent/ASimProcessCreateMicrosoftSysmonWindowsEvent.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmonWindowsEvent/ASimProcessCreateMicrosoftSysmonWindowsEvent.json index d8e53937ccc..6b417f56cb2 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmonWindowsEvent/ASimProcessCreateMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftSysmonWindowsEvent/ASimProcessCreateMicrosoftSysmonWindowsEvent.json 
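Review bot: The empty-aware `TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', '')` and `ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')` in the first `extend` are overwritten by the unconditional `TargetUsernameType = "Windows"` and `ActorUsernameType = "Windows"` in the final `extend`, so an event with no `ParentUser` still reports a `Windows` type for an empty `ActorUsername`; `EventProduct = "Sysmon"` is likewise assigned twice. Drop the two type assignments and the duplicate `EventProduct` from the final `extend` so the conditional values survive. The function alias `ASimProcessEventCreateMicrosoftSysmon` also differs from the file and folder name `ASimProcessCreateMicrosoftSysmon`, unlike the other templates in this diff where the two match. Since the JSON is generated, the change should be made in the parser YAML.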
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventCreateMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventCreateMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Sysmon", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventCreateMicrosoftSysmonWindowsEvent", - "query": "let parser = (disabled: bool = false) {\n // this is the parser for sysmon from WindowsEvent table\n let parser_WindowsEvent=\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 1\n | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | extend \n EventOriginalType = tostring(EventID),\n TargetUserSessionId = tostring(EventData.LogonId), \n TargetUsername = tostring(EventData.User),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory),\n TargetUserSessionGuid = extract ('^{(.*)}$', 1, tostring(EventData.LogonGuid), typeof(string)),\n TargetProcessId = 
tostring(EventData.ProcessId),\n TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessFilename = tostring(EventData.OriginalFileName),\n TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel),\n TargetProcessFileCompany = tostring(EventData.Company),\n TargetProcessFileDescription = tostring(EventData.Description),\n TargetProcessFileVersion = tostring(EventData.FileVersion),\n TargetProcessFileProduct = tostring(EventData.Product),\n ActingProcessId = tostring(EventData.ParentProcessId), \n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ParentProcessGuid), typeof(string)), \n ActingProcessCommandLine = tostring(EventData.ParentCommandLine),\n ActingProcessName = tostring(EventData.ParentImage),\n ActorUsername = tostring(EventData.ParentUser)\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Security Events\"\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | extend // aliases \n Dvc = DvcHostname,\n User = TargetUsername,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n EventUid = _ItemId\n | project-away\n EventData,\n Provider,\n ManagementGroupName,\n RawEventData,\n SourceSystem,\n Task,\n TenantId,\n EventID,\n Data,\n Channel,\n EventLevel,\n EventLevelName,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n 
DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_WindowsEvent\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Sysmon", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventCreateMicrosoftSysmonWindowsEvent", + "query": "let parser = (disabled: bool = false) {\n // this is the parser for sysmon from WindowsEvent table\n let parser_WindowsEvent=\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 1\n | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | extend \n EventOriginalType = tostring(EventID),\n TargetUserSessionId = tostring(EventData.LogonId), \n TargetUsername = tostring(EventData.User),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory),\n TargetUserSessionGuid = extract ('^{(.*)}$', 1, tostring(EventData.LogonGuid), typeof(string)),\n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessFilename = tostring(EventData.OriginalFileName),\n TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel),\n TargetProcessFileCompany = tostring(EventData.Company),\n TargetProcessFileDescription = tostring(EventData.Description),\n TargetProcessFileVersion = 
tostring(EventData.FileVersion),\n TargetProcessFileProduct = tostring(EventData.Product),\n ActingProcessId = tostring(EventData.ParentProcessId), \n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ParentProcessGuid), typeof(string)), \n ActingProcessCommandLine = tostring(EventData.ParentCommandLine),\n ActingProcessName = tostring(EventData.ParentImage),\n ActorUsername = tostring(EventData.ParentUser)\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Security Events\"\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | extend // aliases \n Dvc = DvcHostname,\n User = TargetUsername,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n EventUid = _ItemId\n | project-away\n EventData,\n Provider,\n ManagementGroupName,\n RawEventData,\n SourceSystem,\n Task,\n TenantId,\n EventID,\n Data,\n Channel,\n EventLevel,\n EventLevelName,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_WindowsEvent\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
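Review bot: `EventProduct = "Security Events"` in the first `extend` of this WindowsEvent parser is wrong for a `Microsoft-Windows-Sysmon` provider and is only corrected by the later `EventProduct = "Sysmon"`; in the same way `EventOriginalType = tostring(EventID)` is reassigned to `"1"`, and the empty-aware `TargetUsernameType`/`ActorUsernameType` values are overwritten by unconditional `"Windows"` in the final `extend`. Remove the first `EventProduct` line and the duplicated `EventOriginalType` and type assignments from the last `extend` so each field is set once with the intended value. The `displayName` "Process Create Event ASIM parser for Sysmon" is identical to the Event-table template's, which makes the two saved searches indistinguishable in the portal; `"displayName": "Process Create Event ASIM parser for Sysmon (WindowsEvent table)"` would help. As with the other templates, apply this in the parser YAML the JSON is generated from.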
diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftWindowsEvents/ASimProcessCreateMicrosoftWindowsEvents.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftWindowsEvents/ASimProcessCreateMicrosoftWindowsEvents.json index cc5c5bf72d0..be21415d960 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftWindowsEvents/ASimProcessCreateMicrosoftWindowsEvents.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateMicrosoftWindowsEvents/ASimProcessCreateMicrosoftWindowsEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for WEF Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateMicrosoftWindowsEvents", - "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n[\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\nlet 
parser=(disabled:boolean=false){\nWindowsEvent\n| where not(disabled)\n| where EventID == 4688\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\",\n username = tostring(EventData.TargetUserName)\n| extend\n TargetUsername = iff(username == \"-\", ActorUsername, strcat(EventData.SubjectDomainName, @'\\', username)),\n TargetUserId = iff(username == \"-\", ActorUserId, tostring(EventData.TargetUserSid))\n| extend\n TargetUserIdType = iff (TargetUserId <> \"S-1-0-0\", \"SID\", \"\"),\n TargetUserId = iff (TargetUserId <> \"S-1-0-0\", TargetUserId, \"\"), \n TargetUsernameType = \"Windows\"\n| project-away\n username\n| extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(tolong(EventData.ProcessId))),\n ActingProcessName = tostring(EventData.ParentProcessName),\n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessCommandLine = 
tostring(EventData.CommandLine),\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\n MandatoryLabel = tostring(EventData.MandatoryLabel)\n| extend \n ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n| lookup MandatoryLabelLookup on MandatoryLabel\n// -- Aliases\n| extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for WEF Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateMicrosoftWindowsEvents", + "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n[\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 
'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\nlet parser=(disabled:boolean=false){\nWindowsEvent\n| where not(disabled)\n| where EventID == 4688\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\",\n username = tostring(EventData.TargetUserName)\n| extend\n TargetUsername = iff(username == \"-\", ActorUsername, strcat(EventData.SubjectDomainName, @'\\', username)),\n TargetUserId = iff(username == \"-\", ActorUserId, tostring(EventData.TargetUserSid))\n| extend\n TargetUserIdType = iff (TargetUserId <> \"S-1-0-0\", \"SID\", \"\"),\n TargetUserId = iff (TargetUserId <> \"S-1-0-0\", TargetUserId, \"\"), \n TargetUsernameType = \"Windows\"\n| project-away\n username\n| extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(tolong(EventData.ProcessId))),\n ActingProcessName = tostring(EventData.ParentProcessName),\n TargetProcessId = 
tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\n MandatoryLabel = tostring(EventData.MandatoryLabel)\n| extend \n ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n| lookup MandatoryLabelLookup on MandatoryLabel\n// -- Aliases\n| extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateSentinelOne/ASimProcessCreateSentinelOne.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateSentinelOne/ASimProcessCreateSentinelOne.json index efd3aed5945..d431d8d36b7 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateSentinelOne/ASimProcessCreateSentinelOne.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateSentinelOne/ASimProcessCreateSentinelOne.json 
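Review bot: In the relocated query, `TargetUsername` for a non-`-` `TargetUserName` is built as `strcat(EventData.SubjectDomainName, @'\\', username)`, so the target account is stamped with the subject's domain; a Windows 4688 event carries its own `TargetDomainName`, and when a process is started under different credentials the normalized target identity can name the wrong domain. I would change that line to `strcat(EventData.TargetDomainName, @'\\', username)` (confirm the field is populated in your WEF data). The same hunk still defines `ASIM_ResolveWindowsUsername`, which handles the `-` domain/user sentinels, but never calls it, so `ActorUsername` can carry a literal `-` segment; either route both usernames through it or drop the dead helper. Dropping the `Microsoft.OperationalInsights/workspaces` parent resource at the 2017 preview API is a good change in itself, since the template no longer asserts ownership of the workspace resource on every deployment.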
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateSentinelOne", - "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled) \n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"PROCESSCREATION\";\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let 
maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n DvcId = agentDetectionInfo_uuid_g,\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,\n TargetProcessId = targetProcessInfo_tgtProcPid_s,\n TargetProcessName = targetProcessInfo_tgtProcName_s,\n EventUid = _ItemId,\n TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,\n ActingProcessName = sourceProcessInfo_name_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,\n ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,\n ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,\n ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n TargetUsername = sourceProcessInfo_user_s,\n Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),\n ParentProcessId = sourceProcessInfo_pid_s,\n TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetProcessSHA256 = 
targetProcessInfo_tgtFileHashSha256_s,\n ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, \"-\", \"\"),\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity)\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = DvcId,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n ActingProcessCreationTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Rule = RuleName\n | extend \n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateSentinelOne", + "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet 
ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled) \n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"PROCESSCREATION\";\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n DvcId = agentDetectionInfo_uuid_g,\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,\n TargetProcessId = targetProcessInfo_tgtProcPid_s,\n TargetProcessName = targetProcessInfo_tgtProcName_s,\n EventUid = _ItemId,\n TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,\n ActingProcessName = sourceProcessInfo_name_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,\n ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,\n 
ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,\n ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n TargetUsername = sourceProcessInfo_user_s,\n Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),\n ParentProcessId = sourceProcessInfo_pid_s,\n TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, \"-\", \"\"),\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity)\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = DvcId,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n ActingProcessCreationTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Rule = RuleName\n | extend \n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n 
TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateTrendMicroVisionOne/ASimProcessCreateTrendMicroVisionOne.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateTrendMicroVisionOne/ASimProcessCreateTrendMicroVisionOne.json index 221c8b2488a..495b9c3cb5e 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateTrendMicroVisionOne/ASimProcessCreateTrendMicroVisionOne.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateTrendMicroVisionOne/ASimProcessCreateTrendMicroVisionOne.json 
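Review bot: The three `where ruleInfo_treatAsThreat_s == ...` branches that feed the `union` are exact-case matches on `"UNDEFINED"`, `"Suspicious"` and `"Malicious"`, so any alert whose value uses a different casing or a fourth value is silently dropped from the parser output instead of being emitted with an empty `ThreatConfidence`; for a detection feed that is a quiet blind spot. Using `=~` in the three filters and adding a catch-all `let otherdata = alldata | where ruleInfo_treatAsThreat_s !in~ ("UNDEFINED","Suspicious","Malicious");` to the `union` keeps every row. Separately, `ParentProcessId = sourceProcessInfo_pid_s` assigns the acting process's pid to the parent, while the parent's name and hashes come from `sourceParentProcessInfo_*`; presumably `sourceParentProcessInfo_pid_s` was intended — verify against the SentinelOne schema. `EventResult = "Success"` and `DvcAction = "Allowed"` are also hard-coded for every alert regardless of whether SentinelOne mitigated it, which deserves a comment in the YAML source if that is intentional.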
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateTrendMicroVisionOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateTrendMicroVisionOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateTrendMicroVisionOne", - "query": "let GetFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet IntegrityLevelLookup = datatable(IntegrityLevel: real, IntegrityType: string)\n [\n 0, \"Untrusted\",\n 4096, \"Low\",\n 8192, \"Medium\",\n 12288, \"High\",\n 16384, \"System\"\n];\nlet parser = (disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where detail_eventId_s == \"TELEMETRY_PROCESS\"\n and detail_eventSubId_s has_any (\"TELEMETRY_PROCESS_CREATE\",\"TELEMETRY_PROCESS_LOAD_IMAGE\",\"TELEMETRY_PROCESS_OPEN\")\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | extend\n ActingProcessId = tostring(toint(detail_processPid_d)),\n TargetProcessId = tostring(toint(detail_objectPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n TargetProcessCreationTime = 
unixtime_milliseconds_todatetime(detail_objectLaunchTime_d),\n ActingProcessCreationTime = unixtime_milliseconds_todatetime(detail_processLaunchTime_d),\n ActingProcessFilename = GetFilenamePart(detail_processFilePath_s),\n ParentProcessCreationTime = unixtime_milliseconds_todatetime(detail_parentLaunchTime_d),\n ParentProcessName = detail_parentName_s,\n TargetProcessFilename = GetFilenamePart(detail_objectFilePath_s),\n ActingProcessFileSize = tolong(detail_processFileSize_d),\n TargetUserSessionId = tostring(toint(detail_objectAuthId_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n TargetProcessMD5 = replace_string(detail_objectFileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(detail_processFileHashMd5_g, \"-\", \"\"),\n ParentProcessMD5 = replace_string(detail_parentFileHashMd5_g, \"-\", \"\"),\n TargetProcessCommandLine = replace_string(detail_objectCmd_s, '\"', ''),\n ActingProcessCommandLine = replace_string(detail_processCmd_s, '\"', ''),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s\n )\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | lookup IntegrityLevelLookup on $left.detail_parentIntegrityLevel_d == $right.IntegrityLevel\n | project-rename ParentProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_objectIntegrityLevel_d == $right.IntegrityLevel\n | project-rename TargetProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_integrityLevel_d == $right.IntegrityLevel\n | project-rename ActingProcessIntegrityLevel = IntegrityType\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"ProcessEvent\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = 
detail_eventTimeDT_t,\n TargetProcessName = detail_objectName_s,\n TargetUsername = detail_objectUser_s,\n ActingProcessName = detail_processName_s,\n ActingProcessSHA1 = detail_processFileHashSha1_s,\n ActingProcessSHA256 = detail_processFileHashSha256_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n ParentProcessSHA1 = detail_parentFileHashSha1_s,\n ParentProcessSHA256 = detail_parentFileHashSha256_s,\n TargetProcessSHA1 = detail_objectFileHashSha1_s,\n TargetProcessSHA256 = detail_objectFileHashSha256_s,\n EventUid = _ItemId,\n EventMessage = description\n | extend \n Dvc = DvcHostname,\n EventEndTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5)\n | extend\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n isnotempty(Hash) and isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n filters,\n name\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process 
Create ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateTrendMicroVisionOne", + "query": "let GetFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet IntegrityLevelLookup = datatable(IntegrityLevel: real, IntegrityType: string)\n [\n 0, \"Untrusted\",\n 4096, \"Low\",\n 8192, \"Medium\",\n 12288, \"High\",\n 16384, \"System\"\n];\nlet parser = (disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where detail_eventId_s == \"TELEMETRY_PROCESS\"\n and detail_eventSubId_s has_any (\"TELEMETRY_PROCESS_CREATE\",\"TELEMETRY_PROCESS_LOAD_IMAGE\",\"TELEMETRY_PROCESS_OPEN\")\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | extend\n ActingProcessId = tostring(toint(detail_processPid_d)),\n TargetProcessId = tostring(toint(detail_objectPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n TargetProcessCreationTime = unixtime_milliseconds_todatetime(detail_objectLaunchTime_d),\n ActingProcessCreationTime = unixtime_milliseconds_todatetime(detail_processLaunchTime_d),\n ActingProcessFilename = GetFilenamePart(detail_processFilePath_s),\n ParentProcessCreationTime = unixtime_milliseconds_todatetime(detail_parentLaunchTime_d),\n ParentProcessName = detail_parentName_s,\n TargetProcessFilename = GetFilenamePart(detail_objectFilePath_s),\n ActingProcessFileSize = tolong(detail_processFileSize_d),\n TargetUserSessionId = tostring(toint(detail_objectAuthId_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n TargetProcessMD5 = replace_string(detail_objectFileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(detail_processFileHashMd5_g, 
\"-\", \"\"),\n ParentProcessMD5 = replace_string(detail_parentFileHashMd5_g, \"-\", \"\"),\n TargetProcessCommandLine = replace_string(detail_objectCmd_s, '\"', ''),\n ActingProcessCommandLine = replace_string(detail_processCmd_s, '\"', ''),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s\n )\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | lookup IntegrityLevelLookup on $left.detail_parentIntegrityLevel_d == $right.IntegrityLevel\n | project-rename ParentProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_objectIntegrityLevel_d == $right.IntegrityLevel\n | project-rename TargetProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_integrityLevel_d == $right.IntegrityLevel\n | project-rename ActingProcessIntegrityLevel = IntegrityType\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"ProcessEvent\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n TargetProcessName = detail_objectName_s,\n TargetUsername = detail_objectUser_s,\n ActingProcessName = detail_processName_s,\n ActingProcessSHA1 = detail_processFileHashSha1_s,\n ActingProcessSHA256 = detail_processFileHashSha256_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n ParentProcessSHA1 = detail_parentFileHashSha1_s,\n ParentProcessSHA256 = detail_parentFileHashSha256_s,\n TargetProcessSHA1 = detail_objectFileHashSha1_s,\n TargetProcessSHA256 = 
detail_objectFileHashSha256_s,\n EventUid = _ItemId,\n EventMessage = description\n | extend \n Dvc = DvcHostname,\n EventEndTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5)\n | extend\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n isnotempty(Hash) and isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n filters,\n name\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json index dd54573f70a..49fcd116b76 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessCreateVMwareCarbonBlackCloud/ASimProcessCreateVMwareCarbonBlackCloud.json 
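Review bot: `TargetProcessCommandLine = replace_string(detail_objectCmd_s, '"', '')` (and the same for `ActingProcessCommandLine`) strips every double quote from the captured command line, which destroys argument boundaries (a quoted path with spaces becomes ambiguous) and breaks detections that match on quoted strings; the normalized field should carry the original value, `TargetProcessCommandLine = detail_objectCmd_s` and `ActingProcessCommandLine = detail_processCmd_s`. If the quotes are removed to work around wrapping added by the connector, that deserves a comment in the YAML source saying so. Also, the filter admits `TELEMETRY_PROCESS_LOAD_IMAGE` and `TELEMETRY_PROCESS_OPEN` sub-events yet every row is labeled `EventType = "ProcessCreated"`, so image loads and handle opens are reported as process creations; restricting the `has_any` to `TELEMETRY_PROCESS_CREATE`, or deriving `EventType` from `detail_eventSubId_s`, would fix the mislabel.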
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessCreateVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessCreateVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimProcessCreateVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser = (disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable (\n eventType_s: string,\n childproc_pid_d: real,\n process_hash_s: string,\n parent_hash_s: string,\n childproc_hash_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n event_id_g: string,\n createTime_s: string,\n process_pid_d: real,\n parent_pid_d: real,\n org_key_s: string,\n parent_cmdline_s: string,\n process_reputation_s: string,\n childproc_reputation_s: string,\n parent_reputation_s: string,\n process_guid_s: string,\n childproc_guid_s: 
string,\n parent_guid_s: string,\n process_username_s: string,\n target_cmdline_s: string,\n childproc_name_s: string,\n childproc_username_s: string,\n device_external_ip_s: string,\n device_group_s: string,\n process_cmdline_s: string,\n process_path_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n action_s: string,\n event_origin_s: string,\n parent_path_s: string,\n device_name_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\n | where not(disabled)\n | where eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s;\n let processdatawiththreat = processdata\n | where isnotempty(alert_id_g) and isnotempty(event_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n 
deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on\n $left.alert_id_g == $right.threatInfo_incidentId_g,\n $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n primary_event_id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\n | extend \n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\n | extend Rule = RuleName;\n let processdatawithoutthreat = processdata\n | where isempty(alert_id_g) or isempty(event_id_g);\n union processdatawithoutthreat, processdatawiththreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(childproc_pid_d)),\n ActingProcessId = tostring(toint(process_pid_d)),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields_Common = bag_pack(\n \"org_key\",\n org_key_s,\n 
\"alert_id\",\n alert_id_g,\n \"parent_cmdline\",\n parent_cmdline_s,\n \"process_reputation\",\n process_reputation_s,\n \"childproc_reputation\",\n childproc_reputation_s,\n \"parent_reputation\",\n parent_reputation_s,\n \"process_guid\",\n process_guid_s,\n \"childproc_guid\",\n childproc_guid_s,\n \"parent_guid\",\n parent_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n ActorUsername = process_username_s,\n TargetProcessCommandLine = target_cmdline_s,\n TargetProcessName = childproc_name_s,\n TargetUsername = childproc_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\",\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\n | 
project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimProcessCreateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser = (disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable (\n eventType_s: string,\n childproc_pid_d: real,\n process_hash_s: string,\n parent_hash_s: string,\n childproc_hash_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n event_id_g: string,\n createTime_s: string,\n process_pid_d: real,\n parent_pid_d: real,\n org_key_s: string,\n parent_cmdline_s: string,\n process_reputation_s: string,\n childproc_reputation_s: string,\n parent_reputation_s: string,\n process_guid_s: string,\n childproc_guid_s: string,\n parent_guid_s: string,\n process_username_s: string,\n target_cmdline_s: string,\n childproc_name_s: string,\n childproc_username_s: string,\n device_external_ip_s: string,\n device_group_s: string,\n process_cmdline_s: string,\n process_path_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n action_s: string,\n event_origin_s: 
string,\n parent_path_s: string,\n device_name_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\n | where not(disabled)\n | where eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s;\n let processdatawiththreat = processdata\n | where isnotempty(alert_id_g) and isnotempty(event_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on\n $left.alert_id_g == $right.threatInfo_incidentId_g,\n $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s 
== \"CB_ANALYTICS\"\n | project\n id_g,\n primary_event_id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\n | extend \n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\n | extend Rule = RuleName;\n let processdatawithoutthreat = processdata\n | where isempty(alert_id_g) or isempty(event_id_g);\n union processdatawithoutthreat, processdatawiththreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(childproc_pid_d)),\n ActingProcessId = tostring(toint(process_pid_d)),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields_Common = bag_pack(\n \"org_key\",\n org_key_s,\n \"alert_id\",\n alert_id_g,\n \"parent_cmdline\",\n parent_cmdline_s,\n \"process_reputation\",\n process_reputation_s,\n \"childproc_reputation\",\n childproc_reputation_s,\n \"parent_reputation\",\n parent_reputation_s,\n \"process_guid\",\n process_guid_s,\n \"childproc_guid\",\n childproc_guid_s,\n \"parent_guid\",\n parent_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | 
project-rename \n ActorUsername = process_username_s,\n TargetProcessCommandLine = target_cmdline_s,\n TargetProcessName = childproc_name_s,\n TargetUsername = childproc_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\",\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json index 251122161d0..cb84e1ab896 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEvent/ASimProcessEvent.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Event ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimProcessEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessEventCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessEventCreateMicrosoftSysmonWindowsEvent(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n ASimProcessEventTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventTerminateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessEventTerminateMicrosoftSysmonWindowsEvent(imProcessEventBuiltInDisabled or ('ExcludeASimProcessASimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n 
ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),\n ASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\n ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessCreateTrendMicroVisionOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateTrendMicroVisionOne' in (DisabledParsers) ))", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Event ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimProcessEvent", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend 
SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessEventCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessEventCreateMicrosoftSysmonWindowsEvent(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n ASimProcessEventTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventTerminateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessEventTerminateMicrosoftSysmonWindowsEvent(imProcessEventBuiltInDisabled or ('ExcludeASimProcessASimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or 
('ExcludeASimProcessEventMD4IoTh' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),\n ASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\n ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessCreateTrendMicroVisionOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateTrendMicroVisionOne' in (DisabledParsers) ))", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json index f5ccbad5ed8..d50ec330c18 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventCreate/ASimProcessEventCreate.json 
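Review bot: The new-side query keeps two watchlist exclusion keys that do not match the parser they guard: `'ExcludeASimProcessEventMD4IoTh'` (trailing `h`) on the ASimProcessEventMD4IoT line and `'ExcludeASimProcessASimProcessEventTerminateMicrosoftSysmonWindowsEvent'` (duplicated `ASimProcess` prefix) on the ASimProcessEventTerminateMicrosoftSysmonWindowsEvent line. An operator who adds the expected `ExcludeASimProcessEventMD4IoT` entry to the ASimDisabledParsers watchlist would not actually disable that source parser in this union, and the ASimProcessEventCreate template in the next hunk already uses the correctly spelled `'ExcludeASimProcessEventMD4IoT'`, so the two templates disagree. The keys should read `'ExcludeASimProcessEventMD4IoT'` and `'ExcludeASimProcessEventTerminateMicrosoftSysmonWindowsEvent'`; if this ARM template is generated from the parser YAML (as the conversion workflow in this commit suggests), the correction belongs in that YAML source so the next conversion run does not reintroduce it.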
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventCreate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventCreate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventCreate", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) 
)),\n ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),\n ASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\n ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessCreateTrendMicroVisionOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateTrendMicroVisionOne' in (DisabledParsers) ))\n", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventCreate", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcessEventCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n ASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) )),\n ASimProcessCreateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateLinuxSysmon' in (DisabledParsers) )),\n ASimProcessCreateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) )),\n ASimProcessCreateSentinelOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateSentinelOne' in (DisabledParsers) )),\n 
ASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),\n ASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\n ASimProcessCreateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimProcessCreateTrendMicroVisionOne(imProcessEventBuiltInDisabled or ('ExcludeASimProcessCreateTrendMicroVisionOne' in (DisabledParsers) ))\n", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventMD4IoT/ASimProcessEventMD4IoT.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventMD4IoT/ASimProcessEventMD4IoT.json index 50df8bbb1b8..49ae4618b2e 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventMD4IoT/ASimProcessEventMD4IoT.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventMD4IoT/ASimProcessEventMD4IoT.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventMD4IoT", - "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Process\"\n | extend\n EventDetails = todynamic(EventDetails)\n | extend \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.EventType == 'EXIT', 'ProcessTerminate', 'ProcessCreated'), \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n TargetUsername = iff 
(DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventMD4IoT", + "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Process\"\n | extend\n EventDetails = todynamic(EventDetails)\n | extend \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.EventType == 'EXIT', 'ProcessTerminate', 'ProcessCreated'), \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n TargetUsername = iff (DvcOs == 
\"Windows\", tostring(EventDetails.UserName), \"\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json index dc125667ec4..40721bc9f71 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventMicrosoft365D/ASimProcessEventMicrosoft365D.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Microsoft 365 Defender for endpoint", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventMicrosoft365D", - "query": "let parser=(disabled:boolean=false)\n {\n DeviceProcessEvents \n | where not(disabled)\n | extend\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventResult = 'Success'\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n ActorSessionId = tostring(InitiatingProcessLogonId),\n TargetUserSessionId = tostring(LogonId),\n Hash = coalesce (SHA256, SHA1, MD5, \"\"),\n TargetProcessId = tostring(ProcessId),\n ActingProcessId = tostring(InitiatingProcessId),\n ParentProcessId 
= tostring(InitiatingProcessParentId),\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\")\n | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename\n DvcId = DeviceId,\n EventType = ActionType,\n ActorUserId = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n TargetUserId = AccountSid,\n TargetUserAadId = AccountObjectId,\n TargetUserUpn = AccountUpn,\n ParentProcessName = InitiatingProcessParentFileName,\n TargetProcessFilename = FileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n TargetProcessName = FolderPath,\n TargetProcessCommandLine = ProcessCommandLine,\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\n TargetProcessTokenElevation = ProcessTokenElevation,\n TargetProcessCreationTime = ProcessCreationTime,\n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFilename = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, \n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n MDE_MachineGroup = MachineGroup\n | extend // -- aliases\n User = coalesce(TargetUsername, ActorUsername),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Dvc = 
DvcHostname\n | project-away AppGuardContainerId, Timestamp , SourceSystem, TenantId \n };\n parser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Microsoft 365 Defender for endpoint", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventMicrosoft365D", + "query": "let parser=(disabled:boolean=false)\n {\n DeviceProcessEvents \n | where not(disabled)\n | extend\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventResult = 'Success'\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n ActorSessionId = tostring(InitiatingProcessLogonId),\n TargetUserSessionId = tostring(LogonId),\n Hash = coalesce (SHA256, SHA1, MD5, \"\"),\n TargetProcessId = tostring(ProcessId),\n ActingProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId),\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\")\n | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", 
\"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename\n DvcId = DeviceId,\n EventType = ActionType,\n ActorUserId = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n TargetUserId = AccountSid,\n TargetUserAadId = AccountObjectId,\n TargetUserUpn = AccountUpn,\n ParentProcessName = InitiatingProcessParentFileName,\n TargetProcessFilename = FileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n TargetProcessName = FolderPath,\n TargetProcessCommandLine = ProcessCommandLine,\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\n TargetProcessTokenElevation = ProcessTokenElevation,\n TargetProcessCreationTime = ProcessCreationTime,\n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFilename = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, \n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n MDE_MachineGroup = MachineGroup\n | extend // -- aliases\n User = coalesce(TargetUsername, ActorUsername),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away AppGuardContainerId, Timestamp , SourceSystem, TenantId \n };\n parser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventNative/ASimProcessEventNative.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventNative/ASimProcessEventNative.json index a6f2a261ce5..fa61dac4edf 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventNative/ASimProcessEventNative.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventNative/ASimProcessEventNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Event ASIM parser for Microsoft Sentinel native Process Event table", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventNative", - "query": "let parser=(disabled: bool=false) {\n ASimProcessEventLogs \n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"ProcessEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = TargetUsername,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine,\n Hash = coalesce(TargetProcessSHA512, TargetProcessSHA256, TargetProcessMD5, TargetProcessSHA1, TargetProcessIMPHASH)\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Event ASIM parser for Microsoft Sentinel native Process Event table", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventNative", + "query": "let parser=(disabled: 
bool=false) {\n ASimProcessEventLogs \n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"ProcessEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = TargetUsername,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine,\n Hash = coalesce(TargetProcessSHA512, TargetProcessSHA256, TargetProcessMD5, TargetProcessSHA1, TargetProcessIMPHASH)\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json b/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json index 6c0f9639ea8..800f996da3d 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessEventTerminate/ASimProcessEventTerminate.json 
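Review bot: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` in the new-side query guards on the wrong column — it checks EventEndTime, so a null EventStartTime passes through unchanged whenever EventEndTime is populated, and it reads as a copy-paste of the EventEndTime line directly above it. The intended line is presumably `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. The defect predates this commit (the removed side carries the same text), and if this ARM template is generated from a parser YAML the correction belongs in that source so it is not overwritten on the next regeneration.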
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventTerminate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventTerminate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventTerminate", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\nvimProcessEmpty,\nASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\nASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\nASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in 
(DisabledParsers) )),\nASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\nASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) ))\n", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventTerminate", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imProcessEventBuiltInDisabled=toscalar('ExcludeASimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\nvimProcessEmpty,\nASimProcessEventMicrosoft365D(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMicrosoft365D' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftSecurityEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) )),\nASimProcessTerminateLinuxSysmon(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateLinuxSysmon' in (DisabledParsers) )),\nASimProcessTerminateMicrosoftWindowsEvents(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) )),\nASimProcessEventMD4IoT(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventMD4IoT' in (DisabledParsers) )),\nASimProcessEventNative(imProcessEventBuiltInDisabled or ('ExcludeASimProcessEventNative' in (DisabledParsers) )),\nASimProcessTerminateVMwareCarbonBlackCloud(imProcessEventBuiltInDisabled or ('ExcludeASimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) ))\n", + "version": 
1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateLinuxSysmon/ASimProcessTerminateLinuxSysmon.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateLinuxSysmon/ASimProcessTerminateLinuxSysmon.json index 9ec2af8d912..c1a2c8f713f 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateLinuxSysmon/ASimProcessTerminateLinuxSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateLinuxSysmon/ASimProcessTerminateLinuxSysmon.json 
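Review bot: The union on the new side calls `ASimProcessTerminateMicrosoftSysmon(...)`, but the saved search for the Sysmon Event-table parser later in this diff (the ASimProcessTerminateMicrosoftSysmon.json hunk) registers its resource name and FunctionAlias as `ASimProcessEventTerminateMicrosoftSysmon`. Unless another template in the repository defines the alias the union expects, `union isfuzzy=true` silently drops that source, so Sysmon EventID 5 terminations from the Event table never reach ASimProcessEventTerminate and nothing at deploy or query time surfaces the gap. The mismatch is pre-existing (the removed side carries the same names), but either the call in this query or the alias in the Sysmon template should be aligned, preferably in the source YAML if these templates are generated. The union also has no entry for `ASimProcessEventTerminateMicrosoftSysmonWindowsEvent`, which may be intentional but deserves a comment in the source.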
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessTerminateLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessTerminateLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "ASimProcessTerminateLinuxSysmon", - "query": "let ParsedProcessEvent=(){\nSyslog\n| where not(disabled)\n| where SyslogMessage has_all ('5')\n| parse SyslogMessage with * ''RuleName''\n ''UtcTime''\n '{'ProcessGuid'}'\n ''ProcessId:string''\n ''Image''*\n| parse SyslogMessage with *''ActorUsername '' *\n| project-away SyslogMessage\n| extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType='5',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Linux\"\n | project-rename\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessId = ProcessId\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n TargetProcessGuid = ProcessGuid,\n //***** Aliases ******\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n}; ParsedProcessEvent\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Sysmon for 
Linux", + "category": "ASIM", + "FunctionAlias": "ASimProcessTerminateLinuxSysmon", + "query": "let ParsedProcessEvent=(){\nSyslog\n| where not(disabled)\n| where SyslogMessage has_all ('5')\n| parse SyslogMessage with * ''RuleName''\n ''UtcTime''\n '{'ProcessGuid'}'\n ''ProcessId:string''\n ''Image''*\n| parse SyslogMessage with *''ActorUsername '' *\n| project-away SyslogMessage\n| extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType='5',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Linux\"\n | project-rename\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessId = ProcessId\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n TargetProcessGuid = ProcessGuid,\n //***** Aliases ******\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n}; ParsedProcessEvent\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSecurityEvents/ASimProcessTerminateMicrosoftSecurityEvents.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSecurityEvents/ASimProcessTerminateMicrosoftSecurityEvents.json index f57f8be50a8..3c1985a1d61 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSecurityEvents/ASimProcessTerminateMicrosoftSecurityEvents.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSecurityEvents/ASimProcessTerminateMicrosoftSecurityEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessTerminateMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessTerminateMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessTerminateMicrosoftSecurityEvents", - "query": "let ProcessEvents=(){\n SecurityEvent\n | where not(disabled)\n // -- Filter\n | where EventID == 4689\n // -- Map\n | extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Events\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n EventOriginalUid = EventOriginId,\n EventResultDetails = Status,\n EventOriginalResultDetails = Status, \n // Device\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n // Users\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = SubjectLogonId,\n ActorDomainName = SubjectDomainName,\n // Processes \n TargetProcessId = 
tostring(toint(ProcessId)),\n TargetProcessName = ProcessName,\n TargetProcessCommandLine = CommandLine,\n TargetProcessTokenElevation = TokenElevationType,\n Process = ProcessName\n // Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n }; ProcessEvents\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessTerminateMicrosoftSecurityEvents", + "query": "let ProcessEvents=(){\n SecurityEvent\n | where not(disabled)\n // -- Filter\n | where EventID == 4689\n // -- Map\n | extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Events\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n EventOriginalUid = EventOriginId,\n EventResultDetails = Status,\n EventOriginalResultDetails = Status, \n // Device\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n // Users\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = SubjectLogonId,\n ActorDomainName = SubjectDomainName,\n // Processes \n TargetProcessId = tostring(toint(ProcessId)),\n TargetProcessName = ProcessName,\n TargetProcessCommandLine = CommandLine,\n TargetProcessTokenElevation = TokenElevationType,\n Process = ProcessName\n // Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n }; 
ProcessEvents\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmon/ASimProcessTerminateMicrosoftSysmon.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmon/ASimProcessTerminateMicrosoftSysmon.json index 5d6b263715f..9697c29b8b6 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmon/ASimProcessTerminateMicrosoftSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmon/ASimProcessTerminateMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventTerminateMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventTerminateMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventTerminateMicrosoftSysmon", - "query": "let parser = (disabled: bool = false) {\n// this is the parser for sysmon from Event table\nlet parser_Event =\n Event \n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 5\n | parse-kv EventData as (\n ProcessId: string,\n ProcessGuid: string,\n Image: string,\n User: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n ActorUsername = User,\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessGuid = ProcessGuid,\n TargetProcessId = ProcessId\n | extend \n EventProduct = \"Sysmon\"\n | project-away\n EventData,\n ParameterXml,\n RenderedDescription,\n MG,\n ManagementGroupName,\n Message,\n AzureDeploymentID,\n SourceSystem,\n EventCategory,\n EventLevelName,\n EventLevel,\n EventLog,\n Role,\n TenantId,\n UserName,\n Source,\n _ResourceId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 
'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID\n;\nparser_Event\n};\nparser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventTerminateMicrosoftSysmon", + "query": "let parser = (disabled: bool = false) {\n// this is the parser for sysmon from Event table\nlet parser_Event =\n Event \n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID == 5\n | parse-kv EventData as (\n ProcessId: string,\n ProcessGuid: string,\n Image: string,\n User: string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n ActorUsername = User,\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessGuid = ProcessGuid,\n TargetProcessId = ProcessId\n | extend \n EventProduct = \"Sysmon\"\n | project-away\n EventData,\n ParameterXml,\n RenderedDescription,\n MG,\n ManagementGroupName,\n Message,\n AzureDeploymentID,\n SourceSystem,\n EventCategory,\n EventLevelName,\n EventLevel,\n EventLog,\n Role,\n TenantId,\n UserName,\n Source,\n _ResourceId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID\n;\nparser_Event\n};\nparser (disabled = disabled)", + "version": 1, + 
"functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmonWindowsEvent/ASimProcessTerminateMicrosoftSysmonWindowsEvent.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmonWindowsEvent/ASimProcessTerminateMicrosoftSysmonWindowsEvent.json index fe1c68753d2..476ae2ae389 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmonWindowsEvent/ASimProcessTerminateMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftSysmonWindowsEvent/ASimProcessTerminateMicrosoftSysmonWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessEventTerminateMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessEventTerminateMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessEventTerminateMicrosoftSysmonWindowsEvent", - "query": "let parser = (disabled:bool = false) {\n let parser_WindowsEvent=\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 5\n | extend\n EventProduct = \"Security Events\",\n ActorUsername = tostring(EventData.User),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = tostring(EventData.ProcessGuid)\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | project-away Channel, Data, EventData, EventLevelName, EventLevel, ManagementGroupName, Provider, RawEventData, SourceSystem, Task, TenantId,Correlation,EventRecordId,Keywords,Opcode,SystemProcessId,SystemThreadId,SystemUserId,TimeCreated,Version,_ResourceId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n 
DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID\n ;\n parser_WindowsEvent\n};\nparser (disabled = disabled) ", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessEventTerminateMicrosoftSysmonWindowsEvent", + "query": "let parser = (disabled:bool = false) {\n let parser_WindowsEvent=\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 5\n | extend\n EventProduct = \"Security Events\",\n ActorUsername = tostring(EventData.User),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = tostring(EventData.ProcessGuid)\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | project-away Channel, Data, EventData, EventLevelName, EventLevel, ManagementGroupName, Provider, RawEventData, SourceSystem, Task, TenantId,Correlation,EventRecordId,Keywords,Opcode,SystemProcessId,SystemThreadId,SystemUserId,TimeCreated,Version,_ResourceId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID\n ;\n parser_WindowsEvent\n};\nparser (disabled = disabled) ", + "version": 1, + "functionParameters": "disabled:bool=False" 
+ } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftWindowsEvents/ASimProcessTerminateMicrosoftWindowsEvents.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftWindowsEvents/ASimProcessTerminateMicrosoftWindowsEvents.json index ec03f1ba72f..a6f91b82aa1 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftWindowsEvents/ASimProcessTerminateMicrosoftWindowsEvents.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateMicrosoftWindowsEvents/ASimProcessTerminateMicrosoftWindowsEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessTerminateMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessTerminateMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for WEF Security Events", - "category": "ASIM", - "FunctionAlias": "ASimProcessTerminateMicrosoftWindowsEvents", - "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet parser=(disabled:boolean=false){\nWindowsEvent\n| where not(disabled)\n| where EventID == 4689\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessTerminated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n SubjectUserSid = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", 
\"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsernameType = \"Windows\"\n| extend \n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n // Processes \n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessStatusCode = tostring(EventData.Status)\n| extend \n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n// -- Aliases\n| extend\n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId, SubjectUserSid\n}; \nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for WEF Security Events", + "category": "ASIM", + "FunctionAlias": "ASimProcessTerminateMicrosoftWindowsEvents", + "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet parser=(disabled:boolean=false){\nWindowsEvent\n| where not(disabled)\n| where EventID == 4689\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = 
todatetime(TimeGenerated),\n EventType = 'ProcessTerminated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n SubjectUserSid = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsernameType = \"Windows\"\n| extend \n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n // Processes \n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessStatusCode = tostring(EventData.Status)\n| extend \n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n// -- Aliases\n| extend\n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId, SubjectUserSid\n}; \nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json index 203e573a643..6a43fe8a959 100644 --- a/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json +++ b/Parsers/ASimProcessEvent/ARM/ASimProcessTerminateVMwareCarbonBlackCloud/ASimProcessTerminateVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimProcessTerminateVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimProcessTerminateVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimProcessTerminateVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet parser = (disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.procend\" and isnotempty(process_pid_d)\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(process_pid_d)),\n ActingProcessId = tostring(toint(parent_pid_d)),\n ActorUsername = process_username_s,\n TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\n AdditionalFields = bag_pack(\n \"org_key\", 
org_key_s,\n \"alert_id\", alert_id_g,\n \"process_reputation\", process_reputation_s,\n \"parent_reputation\", parent_reputation_s,\n \"parent_guid\", parent_guid_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n TargetProcessName = process_path_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = parent_cmdline_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ActingProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessTerminated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimProcessTerminateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n 
EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet parser = (disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.procend\" and isnotempty(process_pid_d)\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(process_pid_d)),\n ActingProcessId = tostring(toint(parent_pid_d)),\n ActorUsername = process_username_s,\n TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"alert_id\", alert_id_g,\n \"process_reputation\", process_reputation_s,\n \"parent_reputation\", parent_reputation_s,\n \"parent_guid\", parent_guid_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n TargetProcessName = process_path_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = parent_cmdline_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ActingProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessTerminated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n 
EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json b/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json index 08b58a3a888..4cd9bd18619 100644 --- a/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json +++ b/Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json 
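Review bot: The `HashType` values written by the Carbon Black query on the new side, `"TargetProcessSHA256"` and `"TargetProcessMD5"`, name the column rather than the algorithm; as far as I recall the ASIM common-field doc enumerates HashType as the algorithm name (`MD5`, `SHA1`, `SHA256`, ...), so consumers that branch on `HashType == "SHA256"` would never match this parser's rows. The `case()` should emit `"SHA256"` and `"MD5"` respectively, and because this JSON is presumably generated from the parser YAML the fix belongs in the source query, not here. Separately, `EventStartTime = todatetime(split(createTime_s, '+')[0])` discards the UTC offset; if the source ever emits a non-zero offset the timestamp will be shifted, so it is worth checking against sample data whether `todatetime(createTime_s)` parses the offset form directly. The same HashType pattern may exist in the sibling Carbon Black create parser, which is outside this view.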
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imProcessCreate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imProcessCreate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser", - "category": "ASIM", - "FunctionAlias": "imProcessCreate", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessCreateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, 
targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT 
(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),\n vimProcessCreateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, 
dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimProcessCreateTrendMicroVisionOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateTrendMicroVisionOne' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*'" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser", + "category": "ASIM", + "FunctionAlias": "imProcessCreate", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), 
actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessCreate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessCreateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' 
in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessEventNative (starttime=starttime, 
endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),\n vimProcessCreateVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimProcessCreateTrendMicroVisionOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateTrendMicroVisionOne' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, 
dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*'" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json b/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json index 7f00f3e1fc6..191d0928b43 100644 --- a/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json +++ b/Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json 
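Review bot: The final `Generic(...)` invocation in the imProcessCreate query, carried over unchanged on the new side, passes `dvcname_has_any=dvcipaddr_has_any_prefix`, so a caller's `dvcname_has_any` argument is silently dropped and the IP-prefix list is applied as the hostname filter instead; any analytic that scopes this parser by device name gets unfiltered or wrongly filtered results. The argument should read `dvcname_has_any=dvcname_has_any`. Since the ARM JSON under `Parsers/.../ARM/` appears to be generated from the parser YAML, the correction belongs in the source query and should then be regenerated here.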
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imProcessEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imProcessEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Event filtering parser", - "category": "ASIM", - "FunctionAlias": "imProcessEvent", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, 
parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessEventCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonn' in (DisabledParsers) ))),\n vimProcessEventCreateMicrosoftSysmonWindowsEvent (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimProcessEventTerminateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessEventTerminateMicrosoftSysmonWindowsEvent (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, 
targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, 
parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMD4IoT' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT' in (DisabledParsers) ))),\n vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),\n 
vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessCreateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n };\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any,actorusername=actorusername, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*'" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Event filtering parser", + "category": "ASIM", + "FunctionAlias": "imProcessEvent", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', targetusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), hashes_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessEventMicrosoft365D (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, 
dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D' in (DisabledParsers) ))),\n vimProcessEventCreateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonn' in (DisabledParsers) ))),\n vimProcessEventCreateMicrosoftSysmonWindowsEvent (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventCreateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimProcessEventTerminateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessEventTerminateMicrosoftSysmonWindowsEvent (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventTerminateMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, 
dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessCreateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, 
dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessCreateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateMD4IoT' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT' in (DisabledParsers) ))),\n vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),\n vimProcessCreateSentinelOne (starttime=starttime, endtime=endtime, 
commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne' in (DisabledParsers) ))),\n vimProcessCreateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n };\nGeneric(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any,actorusername=actorusername, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, hashes_has_any=hashes_has_any, eventtype=eventtype)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*'" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json b/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json index b11b332b8fe..76ed8a65f75 100644 --- a/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json +++ b/Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json 
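Review bot: On the new side of this hunk, `vimProcessCreateSentinelOne` is listed twice inside the `union isfuzzy=true` block of the imProcessEvent query (once positionally, once with named arguments), and KQL `union` does not deduplicate, so SentinelOne process-create rows are returned twice whenever that parser is enabled; one of the two entries should be dropped. The same query spells the watchlist exclusion key for `vimProcessEventCreateMicrosoftSysmon` as `'ExcludevimProcessEventCreateMicrosoftSysmonn'` (double `n`), so an `ASimDisabledParsers` row named after the parser would never disable it; it should read `'ExcludevimProcessEventCreateMicrosoftSysmon'`. Both issues were carried over unchanged from the old side, and if this ARM template is generated from the parser YAML the correction belongs in the YAML so it is not overwritten on the next regeneration.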
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imProcessTerminate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imProcessTerminate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate ASIM parser", - "category": "ASIM", - "FunctionAlias": "imProcessTerminate", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessTerminate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessTerminateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n\nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessTerminateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n 
vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventNative' in 
(DisabledParsers) ))),\n vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*'" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate ASIM parser", + "category": "ASIM", + "FunctionAlias": "imProcessTerminate", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), actorusername:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvcname_has_any:dynamic=dynamic([]), eventtype:string='*'){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcessTerminate') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct 
SourceSpecificParser);\nlet imBuiltInDisabled=toscalar('ExcludevimProcessTerminateBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n\nunion isfuzzy=true\n vimProcessEmpty,\n vimProcessTerminateMicrosoftSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftSecurityEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents' in (DisabledParsers) ))),\n vimProcessTerminateMicrosoftWindowsEvents (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents' in (DisabledParsers) ))),\n vimProcessTerminateLinuxSysmon (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon' in (DisabledParsers) ))),\n vimProcessTerminateMD4IoT (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT' in (DisabledParsers) ))),\n 
vimProcessEventNative (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, disabled=(imBuiltInDisabled or('ExcludevimProcessEventNative' in (DisabledParsers) ))),\n vimProcessTerminateVMwareCarbonBlackCloud (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessTerminateVMwareCarbonBlackCloud' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, actorusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*'" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateLinuxSysmon/vimProcessCreateLinuxSysmon.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateLinuxSysmon/vimProcessCreateLinuxSysmon.json index f5a11264f7b..b0e32d26ca5 100644 
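Review bot: The `vimProcessTerminateMD4IoT` entry on the new side of this hunk tests the watchlist key `'ExcludevimProcessEventMD4IoT'`, which does not follow the `Exclude<parser name>` pattern used by every other entry in this query and differs from the `'ExcludevimProcessTerminateMD4IoT'` key the imProcessEvent template in this same diff uses for the same parser; an operator adding an `ASimDisabledParsers` row named after the parser would therefore not disable it here. It should read `(imBuiltInDisabled or('ExcludevimProcessTerminateMD4IoT' in (DisabledParsers) ))`. This was carried over unchanged from the old side, and if the template is generated from the parser YAML the correction belongs there.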
--- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateLinuxSysmon/vimProcessCreateLinuxSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateLinuxSysmon/vimProcessCreateLinuxSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM filtering parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateLinuxSysmon", - "query": "let ParsedProcessEvent=(){\n Syslog\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_all)==0 or SyslogMessage has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 or SyslogMessage has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(SyslogMessage, commandline_has_any_ip_prefix) ) \n and (array_length(actingprocess_has_any)==0 or SyslogMessage has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or SyslogMessage has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any)==0) /// ????\n and (targetusername=='*' or SyslogMessage has targetusername) \n and (array_length(dvcipaddr_has_any_prefix)==0 or has_any_ipv4_prefix(HostIP,dvcipaddr_has_any_prefix) )\n and (array_length(dvcname_has_any)==0 or SyslogMessage has_any (dvcname_has_any)) \n // 
--------------------------------------------------------------------------------------\n | where SyslogMessage has_all ('1')\n | parse SyslogMessage with \n *\n '' EventRecordId:int ''\n *\n '' SysmonComputer:string ''\n *\n ''RuleName // parsing the XML using the original fields name - for readability \n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId:string\n ''Image\n ''FileVersion\n ''Description\n ''Product\n ''Company'' *\n // --------------------------------------------------------------------------------------\n | where \n (array_length(dvcname_has_any)==0 or SysmonComputer has_any (dvcname_has_any))\n and (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any))\n // --------------------------------------------------------------------------------------\n | extend OriginalFileName = extract (@'\"OriginalFileName\">([^<]+)<',1,SyslogMessage) // this field exists in sysmon version 10.42 and above - using extact to avoid parsing failure\n | parse SyslogMessage with *\n ''CommandLine''\n ''CurrentDirectory\n ''User\n '{'LogonGuid\n '}'LogonId\n ''TerminalSessionId\n ''IntegrityLevel\n ''Hashes\n '{'ParentProcessGuid\n '}'ParentProcessId:string\n ''ParentImage\n ''ParentCommandLine ''*\n // --------------------------------------------------------------------------------------\n | where \n (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all))\n and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) // \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) )\n and (array_length(actingprocess_has_any)==0 or ParentImage has_any (actingprocess_has_any))\n and (targetusername=='*' or User has targetusername)\n // --------------------------------------------------------------------------------------\n | parse SyslogMessage with *''ActorUsername '' *// this field appears in newer versions of Sysmon \n | extend 
TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel file\n TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\n // End of XML parse\n | project-away SyslogMessage, Hashes\n | extend \n EventType = \"ProcessCreated\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon for Linux\",\n EventResult = 'Success',\n EventOriginalUid = tostring(EventRecordId),\n DvcOs = \"Linux\",\n TargetUserSessionId = tostring(LogonId) , \n TargetUsernameType = \"Simple\",\n TargetUsername = User,\n TargetProcessCommandLine = CommandLine,\n TargetProcessCurrentDirectory = CurrentDirectory,\n ActorUsernameType = \"Simple\",\n EventOriginalType = '1' // Set with a constant value to avoid parsing\n | project-rename \n // EventMessage = RenderedDescription, // field not available in Linux\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. 
\n DvcIpAddr = HostIP, \n TargetUserSessionGuid = LogonGuid, \n TargetProcessId = ProcessId,\n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessIntegrityLevel = IntegrityLevel,\n TargetProcessCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product,\n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage\n | extend // aliases\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostName,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\n | project-away\n ProcessName, ProcessID\n}; ParsedProcessEvent", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM filtering parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateLinuxSysmon", + "query": "let ParsedProcessEvent=(){\n Syslog\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_all)==0 or SyslogMessage has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 
or SyslogMessage has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(SyslogMessage, commandline_has_any_ip_prefix) ) \n and (array_length(actingprocess_has_any)==0 or SyslogMessage has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or SyslogMessage has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any)==0) /// ????\n and (targetusername=='*' or SyslogMessage has targetusername) \n and (array_length(dvcipaddr_has_any_prefix)==0 or has_any_ipv4_prefix(HostIP,dvcipaddr_has_any_prefix) )\n and (array_length(dvcname_has_any)==0 or SyslogMessage has_any (dvcname_has_any)) \n // --------------------------------------------------------------------------------------\n | where SyslogMessage has_all ('1')\n | parse SyslogMessage with \n *\n '' EventRecordId:int ''\n *\n '' SysmonComputer:string ''\n *\n ''RuleName // parsing the XML using the original fields name - for readability \n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId:string\n ''Image\n ''FileVersion\n ''Description\n ''Product\n ''Company'' *\n // --------------------------------------------------------------------------------------\n | where \n (array_length(dvcname_has_any)==0 or SysmonComputer has_any (dvcname_has_any))\n and (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any))\n // --------------------------------------------------------------------------------------\n | extend OriginalFileName = extract (@'\"OriginalFileName\">([^<]+)<',1,SyslogMessage) // this field exists in sysmon version 10.42 and above - using extact to avoid parsing failure\n | parse SyslogMessage with *\n ''CommandLine''\n ''CurrentDirectory\n ''User\n '{'LogonGuid\n '}'LogonId\n ''TerminalSessionId\n ''IntegrityLevel\n ''Hashes\n '{'ParentProcessGuid\n '}'ParentProcessId:string\n ''ParentImage\n ''ParentCommandLine ''*\n // 
--------------------------------------------------------------------------------------\n | where \n (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all))\n and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) // \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) )\n and (array_length(actingprocess_has_any)==0 or ParentImage has_any (actingprocess_has_any))\n and (targetusername=='*' or User has targetusername)\n // --------------------------------------------------------------------------------------\n | parse SyslogMessage with *''ActorUsername '' *// this field appears in newer versions of Sysmon \n | extend TargetProcessSHA1=extract(@'SHA1=(\\w+)',1, tostring(Hashes)),\n TargetProcessSHA256=extract(@'SHA256=(\\w+)',1, tostring(Hashes)),\n TargetProcessIMPHASH=extract(@'IMPHASH=(\\w+)',1,tostring(Hashes)), // add to the empty schema + Excel file\n TargetProcessMD5=extract(@'MD5=(\\w+)',1, tostring(Hashes))\n // End of XML parse\n | project-away SyslogMessage, Hashes\n | extend \n EventType = \"ProcessCreated\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventProduct = \"Sysmon for Linux\",\n EventResult = 'Success',\n EventOriginalUid = tostring(EventRecordId),\n DvcOs = \"Linux\",\n TargetUserSessionId = tostring(LogonId) , \n TargetUsernameType = \"Simple\",\n TargetUsername = User,\n TargetProcessCommandLine = CommandLine,\n TargetProcessCurrentDirectory = CurrentDirectory,\n ActorUsernameType = \"Simple\",\n EventOriginalType = '1' // Set with a constant value to avoid parsing\n | project-rename \n // EventMessage = RenderedDescription, // field not available in Linux\n DvcHostName = SysmonComputer, // Computer may be different than HostName, in which case HostIP may be incorrect. 
\n DvcIpAddr = HostIP, \n TargetUserSessionGuid = LogonGuid, \n TargetProcessId = ProcessId,\n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessIntegrityLevel = IntegrityLevel,\n TargetProcessCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product,\n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage\n | extend // aliases\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostName,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5) // which appears first - will be aliases to \"Hash\"\n | project-away\n ProcessName, ProcessID\n}; ParsedProcessEvent", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMD4IoT/vimProcessCreateMD4IoT.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMD4IoT/vimProcessCreateMD4IoT.json index ae5acdc7f4e..eb810c156f9 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMD4IoT/vimProcessCreateMD4IoT.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMD4IoT/vimProcessCreateMD4IoT.json 
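Review bot: The rewritten resource block deploys `Microsoft.OperationalInsights/workspaces/savedSearches` directly and drops the `Microsoft.OperationalInsights/workspaces` resource together with its `dependsOn`, so the template no longer writes to the workspace itself and, as far as the hunk shows, now requires the workspace named by `parameters('Workspace')` to already exist. That is the better shape from a least-privilege standpoint (the deploying identity needs write on savedSearches rather than a PUT on the workspace), but the prerequisite is stated nowhere in the hunk; the `parameters` section that could carry it lies outside the hunk, and I would add to the `Workspace` parameter's metadata description a sentence such as `The Log Analytics workspace must already exist; this template only creates the savedSearches function.` Note that `"etag": "*"` is kept, so an existing saved search with the same `FunctionAlias` is still overwritten unconditionally, which is pre-existing behaviour worth mentioning in the same place. The same restructuring is repeated in the hunks for `vimProcessCreateMD4IoT` and `vimProcessCreateMicrosoftSecurityEvents` (and apparently in the `vimProcessCreateMicrosoftSysmon` hunk that starts at the end of this chunk), so the documentation applies there too; since these ARM files appear to be generated from the parser YAML by the `convertKqlFunctionYamlToArmTemplate` workflow, the wording belongs in the generator's template rather than in each JSON file.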
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateMD4IoT", - "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" // TODO: exclude entries where segment EventType is \"EXIT\" by full segment structure\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (targetusername=='*' or EventDetails has targetusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // 
--------------------------------------------------------------------------------------\n | extend\n EventDetails = todynamic(EventDetails)\n | where EventDetails.EventType != 'EXIT' // TODO: move filter to prefiltering. see prev comment \n | extend // required for postfilterring\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n TargetUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (targetusername=='*' or TargetUsername has targetusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = 'ProcessCreated', \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", 
\"Simple\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, \n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateMD4IoT", + "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" // TODO: exclude entries where segment EventType is \"EXIT\" by full segment structure\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and 
(array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (targetusername=='*' or EventDetails has targetusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // --------------------------------------------------------------------------------------\n | extend\n EventDetails = todynamic(EventDetails)\n | where EventDetails.EventType != 'EXIT' // TODO: move filter to prefiltering. see prev comment \n | extend // required for postfilterring\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n TargetUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (targetusername=='*' or TargetUsername has targetusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n 
EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = 'ProcessCreated', \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, \n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSecurityEvents/vimProcessCreateMicrosoftSecurityEvents.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSecurityEvents/vimProcessCreateMicrosoftSecurityEvents.json index 897979d726a..8a8661f0f48 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSecurityEvents/vimProcessCreateMicrosoftSecurityEvents.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSecurityEvents/vimProcessCreateMicrosoftSecurityEvents.json 
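Review bot: On the new side of the `vimProcessCreateMD4IoT` query, `EventProduct = 'Azure Defender for IoT'` disagrees with the resource's own `displayName`, "Process Create Event ASIM parser for Microsoft Defender for IoT"; `EventProduct` is a normalized field that downstream content may filter on, so the two should agree, presumably by changing the query to `EventProduct = 'Microsoft Defender for IoT'` unless existing consumers depend on the older string. The `DvcOs` derivation, `iif (EventDetails.MessageSource == "Linux", "Linux", "Windows") // Intermediate fix`, also classifies every non-Linux source as Windows; if that is a known gap, a comment stating the assumption would help, e.g. `// any MessageSource other than Linux is treated as Windows — confirm against the MD4IoT event schema`. Since this file appears to be generated from the parser YAML, both changes belong in the source YAML.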
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateMicrosoftSecurityEvents", - "query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n // Source: https://support.microsoft.com/topic/0fdcaf87-ee5e-8929-e54c-65e04235a634\n let KnownSIDs = datatable (sid:string, username:string, type:string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n ];\n let UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n [\n 'User', 'Regular',\n 'Machine', 'Machine'\n ];\n let parser=(\n 
starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n disabled:bool=false\n )\n { SecurityEvent\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n | where EventID == 4688\n | where\n (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all))\n and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any))\n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) )\n and (array_length(actingprocess_has_any)==0 or ParentProcessName has_any (actingprocess_has_any))\n and (array_length(targetprocess_has_any)==0 or NewProcessName has_any (targetprocess_has_any))\n and (array_length(parentprocess_has_any)==0)\n and (targetusername_has=='*' or TargetAccount has targetusername_has) // take into account mapping?\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))\n // --------------------------------------------------------------------------------------\n | extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.3',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = 
todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount),\n ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n | lookup KnownSIDs on $left.TargetUserSid == $right.sid\n | extend\n TargetUsername = iff (TargetUserName == \"-\", username, TargetAccount),\n TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')\n | lookup UserTypeLookup on AccountType\n | extend\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n // Processes\n ActingProcessId = tostring(toint(ProcessId)),\n TargetProcessId = tostring(toint(NewProcessId)),\n TargetProcessCommandLine = CommandLine\n | project-rename\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n ActingProcessName = ParentProcessName,\n TargetProcessName = NewProcessName,\n ActorDomainName = SubjectDomainName,\n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n TargetUserId =TargetUserSid,\n TargetUserSessionId = TargetLogonId,\n EventOriginalUid = EventOriginId,\n TargetProcessTokenElevation = TokenElevationType\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n // -- Remove potentially confusing\n | project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId\n | project-away\n TargetDomainName,\n TargetUserName,\n TargetAccount,\n EventID\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n 
targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateMicrosoftSecurityEvents", + "query": "let MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n [\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\n // Source: https://support.microsoft.com/topic/0fdcaf87-ee5e-8929-e54c-65e04235a634\n let KnownSIDs = datatable (sid:string, username:string, type:string)\n [\n 'S-1-5-18', 'Local System', 'Simple',\n 'S-1-0-0', 'Nobody', 'Simple'\n ];\n let UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n [\n 
'User', 'Regular',\n 'Machine', 'Machine'\n ];\n let parser=(\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n disabled:bool=false\n )\n { SecurityEvent\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n | where EventID == 4688\n | where\n (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all))\n and (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any))\n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) )\n and (array_length(actingprocess_has_any)==0 or ParentProcessName has_any (actingprocess_has_any))\n and (array_length(targetprocess_has_any)==0 or NewProcessName has_any (targetprocess_has_any))\n and (array_length(parentprocess_has_any)==0)\n and (targetusername_has=='*' or TargetAccount has targetusername_has) // take into account mapping?\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))\n // --------------------------------------------------------------------------------------\n | extend\n // Event\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.3',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n 
EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n | extend\n ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount),\n ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n | lookup KnownSIDs on $left.TargetUserSid == $right.sid\n | extend\n TargetUsername = iff (TargetUserName == \"-\", username, TargetAccount),\n TargetUsernameType = iff(TargetDomainName == '-',type, 'Windows')\n | lookup UserTypeLookup on AccountType\n | extend\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n // Processes\n ActingProcessId = tostring(toint(ProcessId)),\n TargetProcessId = tostring(toint(NewProcessId)),\n TargetProcessCommandLine = CommandLine\n | project-rename\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n ActingProcessName = ParentProcessName,\n TargetProcessName = NewProcessName,\n ActorDomainName = SubjectDomainName,\n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n TargetUserId =TargetUserSid,\n TargetUserSessionId = TargetLogonId,\n EventOriginalUid = EventOriginId,\n TargetProcessTokenElevation = TokenElevationType\n | lookup MandatoryLabelLookup on MandatoryLabel\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n // -- Remove potentially confusing\n | project-keep Event*, Dvc*, Actor*, Target*, Acting*, User, Dvc, Process, CommandLine, TimeGenerated, Type, _ResourceId\n | project-away\n TargetDomainName,\n TargetUserName,\n TargetAccount,\n EventID\n };\n parser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n 
parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmon/vimProcessCreateMicrosoftSysmon.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmon/vimProcessCreateMicrosoftSysmon.json index ccfa846ddba..23af7e060ee 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmon/vimProcessCreateMicrosoftSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmon/vimProcessCreateMicrosoftSysmon.json 
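Review bot: In the `vimProcessCreateMicrosoftSecurityEvents` query on the new side, the pre-filter `(targetusername_has=='*' or TargetAccount has targetusername_has)` runs before the `KnownSIDs` lookup that rewrites `TargetUsername` to `Local System` or `Nobody` when `TargetUserName == "-"`, and the embedded `// take into account mapping?` comment flags exactly this. A caller filtering on one of those mapped names would therefore, as far as I can tell, get no rows, because the raw `TargetAccount` never contains them, while the post-lookup projection suggests the mapped value is the one the filter is meant to match. Either add a post-lookup clause, `| where targetusername_has=='*' or TargetUsername has targetusername_has`, keeping the raw pre-filter only as an optimization that cannot exclude mapped rows, or document the limitation; in either case replace the question-mark comment with something definite such as `// pre-filter matches raw TargetAccount only; KnownSIDs mapping is applied after this point`. Since this JSON appears to be generated from the parser YAML, the fix belongs in the source YAML.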
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventCreateMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventCreateMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Sysmon", - "category": "ASIM", - "FunctionAlias": "vimProcessEventCreateMicrosoftSysmon", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n // this is the parser for sysmon from Event table\n let parser_Event = \n Event \n // pre-filtering\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not (disabled)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and (Source == \"Microsoft-Windows-Sysmon\" and EventID == 1)\n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(commandline_has_all) == 0 or EventData has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or EventData has_any (commandline_has_any)) \n and 
(array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or EventData has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or EventData has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0)\n and (targetusername_has == '*' or EventData has targetusername_has) \n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n // -- \n | parse-kv EventData as (\n ProcessGuid: string, \n ProcessId: string,\n Image: string,\n FileVersion: string,\n Description: string,\n Product: string,\n Company: string,\n OriginalFileName: string,\n CommandLine: string,\n CurrentDirectory: string,\n User: string,\n LogonGuid: string, \n LogonId: string,\n IntegrityLevel: string,\n Hashes: string,\n ParentProcessGuid: string, \n ParentProcessId: string,\n ParentImage: string,\n ParentCommandLine: string,\n ParentUser: string\n ) \n with (regex=@'{?([^<]*?)}?')\n // -- post-filtering\n | where (array_length(commandline_has_any) == 0 or CommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all) == 0 or CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ParentImage has_any (actingprocess_has_any)) \n and (targetusername_has == '*' or User has targetusername_has) \n and (array_length(targetprocess_has_any) == 0 or Image has_any (targetprocess_has_any))\n // --\n | parse-kv Hashes as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 
= MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | project-away Hashes\n | extend \n TargetUsername = User,\n TargetProcessCommandLine = CommandLine\n | project-rename \n DvcHostname = Computer,\n TargetUserSessionGuid = LogonGuid,\n TargetProcessId = ProcessId,\n TargetUserSessionId = LogonId, \n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessFilename = OriginalFileName,\n TargetProcessCurrentDirectory = CurrentDirectory,\n TargetProcessIntegrityLevel = IntegrityLevel, \n TargetProcessFileCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product, \n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage,\n ActorUsername = ParentUser\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Sysmon\",\n // aliases\n Process = TargetProcessName,\n Dvc = DvcHostname,\n EventUid = _ItemId\n | project-away\n EventData,\n ParameterXml,\n AzureDeploymentID,\n EventCategory,\n EventID,\n EventLevel,\n EventLevelName,\n TenantId,\n EventLog,\n MG,\n ManagementGroupName,\n Message,\n Role,\n SourceSystem,\n Source,\n UserName,\n RenderedDescription,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_Event\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n 
commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n ) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Sysmon", + "category": "ASIM", + "FunctionAlias": "vimProcessEventCreateMicrosoftSysmon", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n // this is the parser for sysmon from Event table\n let parser_Event = \n Event \n // pre-filtering\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not (disabled)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n 
and (Source == \"Microsoft-Windows-Sysmon\" and EventID == 1)\n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(commandline_has_all) == 0 or EventData has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or EventData has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or EventData has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or EventData has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0)\n and (targetusername_has == '*' or EventData has targetusername_has) \n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n // -- \n | parse-kv EventData as (\n ProcessGuid: string, \n ProcessId: string,\n Image: string,\n FileVersion: string,\n Description: string,\n Product: string,\n Company: string,\n OriginalFileName: string,\n CommandLine: string,\n CurrentDirectory: string,\n User: string,\n LogonGuid: string, \n LogonId: string,\n IntegrityLevel: string,\n Hashes: string,\n ParentProcessGuid: string, \n ParentProcessId: string,\n ParentImage: string,\n ParentCommandLine: string,\n ParentUser: string\n ) \n with (regex=@'{?([^<]*?)}?')\n // -- post-filtering\n | where (array_length(commandline_has_any) == 0 or CommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all) == 0 or CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ParentImage has_any (actingprocess_has_any)) \n and (targetusername_has == '*' or User has targetusername_has) \n and (array_length(targetprocess_has_any) == 0 or Image has_any (targetprocess_has_any))\n // --\n | parse-kv Hashes as (MD5: string, SHA1: string, 
SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | project-away Hashes\n | extend \n TargetUsername = User,\n TargetProcessCommandLine = CommandLine\n | project-rename \n DvcHostname = Computer,\n TargetUserSessionGuid = LogonGuid,\n TargetProcessId = ProcessId,\n TargetUserSessionId = LogonId, \n TargetProcessGuid = ProcessGuid,\n TargetProcessName = Image,\n TargetProcessFilename = OriginalFileName,\n TargetProcessCurrentDirectory = CurrentDirectory,\n TargetProcessIntegrityLevel = IntegrityLevel, \n TargetProcessFileCompany = Company,\n TargetProcessFileDescription = Description,\n TargetProcessFileVersion = FileVersion,\n TargetProcessFileProduct = Product, \n ActingProcessId = ParentProcessId,\n ActingProcessGuid = ParentProcessGuid, \n ActingProcessCommandLine = ParentCommandLine,\n ActingProcessName = ParentImage,\n ActorUsername = ParentUser\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Sysmon\",\n // aliases\n Process = TargetProcessName,\n Dvc = DvcHostname,\n EventUid = _ItemId\n | project-away\n EventData,\n ParameterXml,\n AzureDeploymentID,\n EventCategory,\n EventID,\n EventLevel,\n EventLevelName,\n TenantId,\n EventLog,\n MG,\n ManagementGroupName,\n Message,\n Role,\n SourceSystem,\n Source,\n UserName,\n RenderedDescription,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n 
EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_Event\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n ) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmonWidowsEvent/vimProcessCreateMicrosoftSysmonWidowsEvent.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmonWidowsEvent/vimProcessCreateMicrosoftSysmonWidowsEvent.json index de4b061c669..b4a59c84b09 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmonWidowsEvent/vimProcessCreateMicrosoftSysmonWidowsEvent.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftSysmonWidowsEvent/vimProcessCreateMicrosoftSysmonWidowsEvent.json 
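Review bot: The last `extend` in the `query` string unconditionally sets `TargetUsernameType = "Windows"` and `ActorUsernameType = "Windows"`, overriding the earlier `TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', '')` and `ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')`, so a row whose `User` or `ParentUser` is empty still reports a `Windows` username type; dropping those two trailing assignments keeps the type consistent with the value. The same dead-then-clobbered pattern is in the vimProcessCreateMicrosoftSysmonWidowsEvent hunk below. On the template structure itself, replacing the `Microsoft.OperationalInsights/workspaces` wrapper (apiVersion 2017-03-15-preview) with a single `workspaces/savedSearches` resource means the deployment no longer re-declares, and so can no longer modify, the target workspace — a narrower footprint for a parser install — and dropping `dependsOn` is correct because the workspace is no longer a resource in the template.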
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventCreateMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventCreateMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Sysmon", - "category": "ASIM", - "FunctionAlias": "vimProcessEventCreateMicrosoftSysmonWindowsEvent", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n // this is the parser for sysmon from WindowsEvent table\n let parser_WindowsEvent=\n WindowsEvent\n | where\n // -- pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and Provider == \"Microsoft-Windows-Sysmon\" and EventID == 1\n and (array_length(commandline_has_all) == 0 or EventData.CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or EventData.CommandLine has_any (commandline_has_any)) \n 
and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or EventData.ParentImage has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or EventData.Image has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0)\n and (targetusername_has == '*' or EventData.User has targetusername_has) \n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n // --\n | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | extend \n EventOriginalType = tostring(EventID),\n TargetUserSessionId = tostring(EventData.LogonId), \n TargetUsername = tostring(EventData.User),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory),\n TargetUserSessionGuid = tostring(EventData.LogonGuid), \n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = tostring(EventData.ProcessGuid),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessFilename = tostring(EventData.OriginalFileName),\n TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel),\n TargetProcessFileCompany = tostring(EventData.Company),\n TargetProcessFileDescription = tostring(EventData.Description),\n TargetProcessFileVersion = tostring(EventData.FileVersion),\n TargetProcessFileProduct = tostring(EventData.Product),\n ActingProcessId = 
tostring(EventData.ParentProcessId),\n ActingProcessGuid = tostring(EventData.ParentProcessGuid), \n ActingProcessCommandLine = tostring(EventData.ParentCommandLine),\n ActingProcessName = tostring(EventData.ParentImage),\n ActorUsername = tostring(EventData.ParentUser)\n // -- post-filtering\n | where (array_length(commandline_has_any) == 0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all) == 0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ActingProcessName has_any (actingprocess_has_any)) \n and (targetusername_has == '*' or TargetUsername has targetusername_has) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n // --\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Security Events\"\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | extend // aliases \n Dvc = DvcHostname,\n User = TargetUsername,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n EventUid = _ItemId\n | project-away\n EventData,\n Provider,\n ManagementGroupName,\n RawEventData,\n SourceSystem,\n Task,\n TenantId,\n EventID,\n Data,\n Channel,\n EventLevel,\n EventLevelName,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n 
EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_WindowsEvent\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n ) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Sysmon", + "category": "ASIM", + "FunctionAlias": "vimProcessEventCreateMicrosoftSysmonWindowsEvent", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n // this is the parser for sysmon from 
WindowsEvent table\n let parser_WindowsEvent=\n WindowsEvent\n | where\n // -- pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and Provider == \"Microsoft-Windows-Sysmon\" and EventID == 1\n and (array_length(commandline_has_all) == 0 or EventData.CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or EventData.CommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or EventData.ParentImage has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or EventData.Image has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0)\n and (targetusername_has == '*' or EventData.User has targetusername_has) \n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any)) \n // --\n | parse-kv tostring(EventData.Hashes) as (MD5: string, SHA1: string, SHA256: string, IMPHASH: string) with (quote='\"')\n | extend\n Hash = coalesce (SHA256, SHA1, IMPHASH, MD5, \"\")\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"IMPHASH\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, IMPHASH, MD5), Hash)])\n | project-rename\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIMPHASH = IMPHASH\n | extend \n EventOriginalType = tostring(EventID),\n TargetUserSessionId = tostring(EventData.LogonId), \n TargetUsername = tostring(EventData.User),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessCurrentDirectory = tostring(EventData.CurrentDirectory),\n TargetUserSessionGuid = tostring(EventData.LogonGuid), \n TargetProcessId 
= tostring(EventData.ProcessId),\n TargetProcessGuid = tostring(EventData.ProcessGuid),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessFilename = tostring(EventData.OriginalFileName),\n TargetProcessIntegrityLevel = tostring(EventData.IntegrityLevel),\n TargetProcessFileCompany = tostring(EventData.Company),\n TargetProcessFileDescription = tostring(EventData.Description),\n TargetProcessFileVersion = tostring(EventData.FileVersion),\n TargetProcessFileProduct = tostring(EventData.Product),\n ActingProcessId = tostring(EventData.ParentProcessId),\n ActingProcessGuid = tostring(EventData.ParentProcessGuid), \n ActingProcessCommandLine = tostring(EventData.ParentCommandLine),\n ActingProcessName = tostring(EventData.ParentImage),\n ActorUsername = tostring(EventData.ParentUser)\n // -- post-filtering\n | where (array_length(commandline_has_any) == 0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all) == 0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ActingProcessName has_any (actingprocess_has_any)) \n and (targetusername_has == '*' or TargetUsername has targetusername_has) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n // --\n | extend \n TargetUsernameType = iff(isnotempty(TargetUsername), 'Windows', ''),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n EventProduct = \"Security Events\"\n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | extend // aliases \n Dvc = DvcHostname,\n User = TargetUsername,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n EventUid = _ItemId\n | project-away\n EventData,\n Provider,\n ManagementGroupName,\n RawEventData,\n 
SourceSystem,\n Task,\n TenantId,\n EventID,\n Data,\n Channel,\n EventLevel,\n EventLevelName,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n _ResourceId,\n _ItemId\n | extend \n EventType = \"ProcessCreated\",\n EventOriginalType = \"1\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n DvcOs = \"Windows\",\n TargetUsernameType = \"Windows\",\n ActorUsernameType = \"Windows\";\n parser_WindowsEvent\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n ) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
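Review bot: `EventProduct = "Security Events"` in the `query` string is inconsistent with this template's own `displayName` and `FunctionAlias` (Sysmon) and with the sibling vimProcessCreateMicrosoftSysmon template, which sets `EventProduct = "Sysmon"` for the same event source; rows from the two parsers would then disagree on product attribution in union queries or detections keyed on `EventProduct`. The value is carried over rather than introduced here, but since the whole string is reprinted it is the natural place to fix it: `EventProduct = "Sysmon"`. Minor: `EventOriginalType = tostring(EventID)` in the first `extend` is overwritten later by `EventOriginalType = "1"`, so the first assignment is dead.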
diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftWindowsEvents/vimProcessCreateMicrosoftWindowsEvents.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftWindowsEvents/vimProcessCreateMicrosoftWindowsEvents.json
index 0d259dab016..c129562e226 100644
--- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftWindowsEvents/vimProcessCreateMicrosoftWindowsEvents.json
+++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateMicrosoftWindowsEvents/vimProcessCreateMicrosoftWindowsEvents.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for WEF Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateMicrosoftWindowsEvents", - "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n[\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\nlet parser 
= (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n) {\nWindowsEvent\n// -- pre-filtering\n| where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and EventID == 4688\n and not(disabled)\n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(parentprocess_has_any)==0)\n and (array_length(hashes_has_any) == 0)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(commandline_has_all)==0 or EventData.CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 or EventData.CommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(actingprocess_has_any)==0 or EventData.ParentProcessName has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or EventData.NewProcessName has_any (targetprocess_has_any)) \n and (targetusername_has=='*' or EventData has targetusername_has) \n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any)) \n // --\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n 
EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\",\n username = tostring(EventData.TargetUserName)\n| extend\n TargetUsername = iff(username == \"-\", ActorUsername, strcat(EventData.SubjectDomainName, @'\\', username))\n| where // -- post filtering\n (targetusername_has=='*' or TargetUsername has targetusername_has) \n| extend\n TargetUserId = iff(username == \"-\", ActorUserId, tostring(EventData.TargetUserSid))\n| extend\n TargetUserIdType = iff (TargetUserId <> \"S-1-0-0\", \"SID\", \"\"),\n TargetUserId = iff (TargetUserId <> \"S-1-0-0\", TargetUserId, \"\"), \n TargetUsernameType = \"Windows\"\n| project-away\n username\n| extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(tolong(EventData.ProcessId))),\n ActingProcessName = tostring(EventData.ParentProcessName),\n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\n MandatoryLabel = tostring(EventData.MandatoryLabel)\n| extend \n ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n| lookup 
MandatoryLabelLookup on MandatoryLabel\n// -- Aliases\n| extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for WEF Security Events", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateMicrosoftWindowsEvents", + "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == 
\"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet MandatoryLabelLookup = datatable (MandatoryLabel:string,MandatoryLabelRid:string, MandatoryLabelText:string, MandatoryLabelMeaning:string)\n[\n 'S-1-16-0', '0x00000000', 'SECURITY_MANDATORY_UNTRUSTED_RID', 'Untrusted',\n 'S-1-16-4096', '0x00001000', 'SECURITY_MANDATORY_LOW_RID', 'Low integrity',\n 'S-1-16-8192', '0x00002000', 'SECURITY_MANDATORY_MEDIUM_RID', 'Medium integrity',\n 'S-1-16-8448', '0x00002100', 'SECURITY_MANDATORY_MEDIUM_PLUS_RID', 'Medium high integrity',\n 'S-1-16-12288', '0X00003000', 'SECURITY_MANDATORY_HIGH_RID', 'High integrity',\n 'S-1-16-16384', '0x00004000', 'SECURITY_MANDATORY_SYSTEM_RID', 'System integrity',\n 'S-1-16-20480', '0x00005000', 'SECURITY_MANDATORY_PROTECTED_PROCESS_RID', 'Protected process'\n ];\nlet parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n) {\nWindowsEvent\n// -- pre-filtering\n| where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and EventID == 4688\n and not(disabled)\n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(parentprocess_has_any)==0)\n and (array_length(hashes_has_any) == 0)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(commandline_has_all)==0 or EventData.CommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 or EventData.CommandLine has_any (commandline_has_any)) \n and 
(array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventData.CommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(actingprocess_has_any)==0 or EventData.ParentProcessName has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or EventData.NewProcessName has_any (targetprocess_has_any)) \n and (targetusername_has=='*' or EventData has targetusername_has) \n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any)) \n // --\n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessCreated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\",\n username = tostring(EventData.TargetUserName)\n| extend\n TargetUsername = iff(username == \"-\", ActorUsername, strcat(EventData.SubjectDomainName, @'\\', username))\n| where // -- post filtering\n (targetusername_has=='*' or TargetUsername has targetusername_has) \n| extend\n TargetUserId = iff(username == \"-\", ActorUserId, tostring(EventData.TargetUserSid))\n| extend\n TargetUserIdType = iff (TargetUserId <> \"S-1-0-0\", \"SID\", \"\"),\n TargetUserId = iff (TargetUserId <> \"S-1-0-0\", TargetUserId, \"\"), \n TargetUsernameType = \"Windows\"\n| project-away\n username\n| extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId),\n 
TargetUserType = _ASIM_GetWindowsUserType(TargetUsername, TargetUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n TargetUserSessionId = tostring(toint(EventData.TargetLogonId)), \n // Processes \n ActingProcessId = tostring(toint(tolong(EventData.ProcessId))),\n ActingProcessName = tostring(EventData.ParentProcessName),\n TargetProcessId = tostring(toint(tolong(EventData.NewProcessId))),\n TargetProcessName = tostring(EventData.NewProcessName),\n TargetProcessCommandLine = tostring(EventData.CommandLine),\n TargetProcessTokenElevation = tostring(EventData.TokenElevationType),\n MandatoryLabel = tostring(EventData.MandatoryLabel)\n| extend \n ActingProcessFilename = ASIM_GetFilenamePart(ActingProcessName),\n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n| lookup MandatoryLabelLookup on MandatoryLabel\n// -- Aliases\n| extend\n User = TargetUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateSentinelOne/vimProcessCreateSentinelOne.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateSentinelOne/vimProcessCreateSentinelOne.json index 0e20f0d29e0..2c9c4c22c55 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateSentinelOne/vimProcessCreateSentinelOne.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateSentinelOne/vimProcessCreateSentinelOne.json 
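Review bot: `ASIM_ResolveWindowsUsername` is declared at the top of the new `query` string but never called — the Actor/Target username and id fields further down are built inline with `strcat` and `iff` — so the helper is dead code that now ships into every workspace deploying this saved search; drop the `let ASIM_ResolveWindowsUsername = ...` block, or use it in place of the inline `strcat(EventData.SubjectDomainName, @'\\', ...)` logic. If this ARM file is generated from the parser YAML (the workflow names on this page suggest it is), the removal belongs in the YAML source so the next regeneration does not reintroduce it. Separately, the pre-filter hard-requires `array_length(hashes_has_any) == 0` while `functionParameters` still advertises `hashes_has_any`, so a caller passing hashes silently gets zero rows; a one-line comment in the query, `// 4688 carries no file hashes: a non-empty hashes_has_any intentionally yields no rows`, would make that contract explicit.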
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateSentinelOne", - "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: 
string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"PROCESSCREATION\"\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and array_length(dvcipaddr_has_any_prefix) == 0\n and (targetusername_has == '*' or sourceProcessInfo_user_s has targetusername_has)\n and (array_length(commandline_has_all) == 0 or targetProcessInfo_tgtProcCmdLine_s has_all (commandline_has_all))\n and (array_length(commandline_has_any) == 0 or targetProcessInfo_tgtProcCmdLine_s has_any (commandline_has_any))\n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(targetProcessInfo_tgtProcCmdLine_s, commandline_has_any_ip_prefix))\n and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any))\n and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any))\n and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any))\n and (array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any));\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union 
undefineddata, suspiciousdata, maaliciousdata\n | extend ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n DvcId = agentDetectionInfo_uuid_g,\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,\n TargetProcessId = targetProcessInfo_tgtProcPid_s,\n TargetProcessName = targetProcessInfo_tgtProcName_s,\n EventUid = _ItemId,\n TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,\n ActingProcessName = sourceProcessInfo_name_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,\n ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,\n ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,\n ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n TargetUsername = sourceProcessInfo_user_s,\n Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),\n ParentProcessId = sourceProcessInfo_pid_s,\n TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = 
replace_string(sourceProcessInfo_fileHashMd5_g, \"-\", \"\"),\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity)\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"ProcessEvent\"\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n ActingProcessCreationTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Rule = RuleName\n | extend\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateSentinelOne", + "query": "let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n let alldata = 
SentinelOne_CL\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s == \"PROCESSCREATION\"\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and array_length(dvcipaddr_has_any_prefix) == 0\n and (targetusername_has == '*' or sourceProcessInfo_user_s has targetusername_has)\n and (array_length(commandline_has_all) == 0 or targetProcessInfo_tgtProcCmdLine_s has_all (commandline_has_all))\n and (array_length(commandline_has_any) == 0 or targetProcessInfo_tgtProcCmdLine_s has_any (commandline_has_any))\n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(targetProcessInfo_tgtProcCmdLine_s, commandline_has_any_ip_prefix))\n and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any))\n and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any))\n and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s has_any (dvchostname_has_any))\n and (array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any));\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maaliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maaliciousdata\n | extend ThreatConfidence = 
coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n DvcId = agentDetectionInfo_uuid_g,\n EventStartTime = sourceProcessInfo_pidStarttime_t,\n TargetProcessCommandLine = targetProcessInfo_tgtProcCmdLine_s,\n TargetProcessId = targetProcessInfo_tgtProcPid_s,\n TargetProcessName = targetProcessInfo_tgtProcName_s,\n EventUid = _ItemId,\n TargetProcessCreationTime = targetProcessInfo_tgtProcessStartTime_t,\n ActingProcessName = sourceProcessInfo_name_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n ActingProcessCommandLine = sourceProcessInfo_commandline_s,\n ActingProcessGuid = sourceProcessInfo_uniqueId_g,\n ActingProcessSHA1 = sourceProcessInfo_fileHashSha1_s,\n ParentProcessSHA1 = sourceParentProcessInfo_fileHashSha1_s,\n ActingProcessSHA256 = sourceProcessInfo_fileHashSha256_s,\n ParentProcessSHA256 = sourceParentProcessInfo_fileHashSha256_s,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n TargetProcessIntegrityLevel = targetProcessInfo_tgtProcIntegrityLevel_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n TargetUsername = sourceProcessInfo_user_s,\n Hash = coalesce(targetProcessInfo_tgtFileHashSha256_s, targetProcessInfo_tgtFileHashSha1_s),\n ParentProcessId = sourceProcessInfo_pid_s,\n TargetProcessSHA1 = targetProcessInfo_tgtFileHashSha1_s,\n TargetProcessSHA256 = targetProcessInfo_tgtFileHashSha256_s,\n ParentProcessMD5 = replace_string(sourceParentProcessInfo_fileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(sourceProcessInfo_fileHashMd5_g, \"-\", \"\"),\n EventSeverity = iff(EventOriginalSeverity == 
\"Critical\", \"High\", EventOriginalSeverity)\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"ProcessEvent\"\n | extend\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n ActingProcessCreationTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Rule = RuleName\n | extend\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n ThreatConfidence_*\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateTrendMicroVisionOne/vimProcessCreateTrendMicroVisionOne.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateTrendMicroVisionOne/vimProcessCreateTrendMicroVisionOne.json index c66bbe1cfc4..34a0b7730df 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateTrendMicroVisionOne/vimProcessCreateTrendMicroVisionOne.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateTrendMicroVisionOne/vimProcessCreateTrendMicroVisionOne.json 
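Review bot: `ParentProcessId = sourceProcessInfo_pid_s` in the second `extend` assigns the acting process's pid to the parent process field, so `ParentProcessId` always equals `ActingProcessId`; if the SentinelOne record exposes the parent's pid under `sourceParentProcessInfo_*` (this page shows only its name and hash columns), map that instead, otherwise leave `ParentProcessId` unset rather than emitting a value that process-tree logic downstream will trust. The three `ruleInfo_treatAsThreat_s` branches compare against `"UNDEFINED"`, `"Suspicious"` and `"Malicious"` with exact case, so an alert whose value differs in case or is any other value is silently dropped by the `union`; unless the source is guaranteed to use exactly these spellings, a case-insensitive comparison (`=~`) or a final catch-all branch would avoid losing alerts. `maaliciousdata` also looks like a typo for `maliciousdata`. As with the other ARM files in this commit, the fix belongs in the parser YAML if these JSON files are generated from it.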
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateTrendMicroVisionOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateTrendMicroVisionOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateTrendMicroVisionOne", - "query": "let GetFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet IntegrityLevelLookup = datatable(IntegrityLevel: real, IntegrityType: string)\n [\n 0, \"Untrusted\",\n 4096, \"Low\",\n 8192, \"Medium\",\n 12288, \"High\",\n 16384, \"System\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and 
(isnull(endtime) or TimeGenerated <= endtime)\n and detail_eventId_s == \"TELEMETRY_PROCESS\"\n and detail_eventSubId_s has_any (\"TELEMETRY_PROCESS_CREATE\",\"TELEMETRY_PROCESS_LOAD_IMAGE\",\"TELEMETRY_PROCESS_OPEN\")\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and array_length(dvcipaddr_has_any_prefix) == 0 \n and (targetusername_has == '*' or detail_objectUser_s has targetusername_has) \n and (array_length(commandline_has_all) == 0 or detail_objectCmd_s has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or detail_objectCmd_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(detail_objectCmd_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or detail_processName_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or detail_objectName_s has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or detail_parentName_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or detail_endpointHostName_s has_any (dvchostname_has_any))\n and array_length(hashes_has_any) == 0 or detail_objectFileHashSha1_s has_any (hashes_has_any) or detail_objectFileHashSha256_s has_any (hashes_has_any)\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | extend\n ActingProcessId = tostring(toint(detail_processPid_d)),\n TargetProcessId = tostring(toint(detail_objectPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n TargetProcessCreationTime = unixtime_milliseconds_todatetime(detail_objectLaunchTime_d),\n ActingProcessCreationTime = unixtime_milliseconds_todatetime(detail_processLaunchTime_d),\n ActingProcessFilename = GetFilenamePart(detail_processFilePath_s),\n ParentProcessCreationTime = 
unixtime_milliseconds_todatetime(detail_parentLaunchTime_d),\n ParentProcessName = detail_parentName_s,\n TargetProcessFilename = GetFilenamePart(detail_objectFilePath_s),\n ActingProcessFileSize = tolong(detail_processFileSize_d),\n TargetUserSessionId = tostring(toint(detail_objectAuthId_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n TargetProcessMD5 = replace_string(detail_objectFileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(detail_processFileHashMd5_g, \"-\", \"\"),\n ParentProcessMD5 = replace_string(detail_parentFileHashMd5_g, \"-\", \"\"),\n TargetProcessCommandLine = replace_string(detail_objectCmd_s, '\"', ''),\n ActingProcessCommandLine = replace_string(detail_processCmd_s, '\"', ''),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s\n )\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | lookup IntegrityLevelLookup on $left.detail_parentIntegrityLevel_d == $right.IntegrityLevel\n | project-rename ParentProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_objectIntegrityLevel_d == $right.IntegrityLevel\n | project-rename TargetProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_integrityLevel_d == $right.IntegrityLevel\n | project-rename ActingProcessIntegrityLevel = IntegrityType\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"ProcessEvent\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n TargetProcessName = detail_objectName_s,\n TargetUsername = detail_objectUser_s,\n ActingProcessName = detail_processName_s,\n ActingProcessSHA1 = detail_processFileHashSha1_s,\n ActingProcessSHA256 = detail_processFileHashSha256_s,\n 
DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n ParentProcessSHA1 = detail_parentFileHashSha1_s,\n ParentProcessSHA256 = detail_parentFileHashSha256_s,\n TargetProcessSHA1 = detail_objectFileHashSha1_s,\n TargetProcessSHA256 = detail_objectFileHashSha256_s,\n EventUid = _ItemId,\n EventMessage = description\n | extend \n Dvc = DvcHostname,\n EventEndTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5)\n | extend\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n isnotempty(Hash) and isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n filters,\n name\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n 
dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateTrendMicroVisionOne", + "query": "let GetFilenamePart = (path: string) { tostring(split(path, @'\\')[-1]) };\nlet IntegrityLevelLookup = datatable(IntegrityLevel: real, IntegrityType: string)\n [\n 0, \"Untrusted\",\n 4096, \"Low\",\n 8192, \"Medium\",\n 12288, \"High\",\n 16384, \"System\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n 
TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and detail_eventId_s == \"TELEMETRY_PROCESS\"\n and detail_eventSubId_s has_any (\"TELEMETRY_PROCESS_CREATE\",\"TELEMETRY_PROCESS_LOAD_IMAGE\",\"TELEMETRY_PROCESS_OPEN\")\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and array_length(dvcipaddr_has_any_prefix) == 0 \n and (targetusername_has == '*' or detail_objectUser_s has targetusername_has) \n and (array_length(commandline_has_all) == 0 or detail_objectCmd_s has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or detail_objectCmd_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(detail_objectCmd_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or detail_processName_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or detail_objectName_s has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or detail_parentName_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or detail_endpointHostName_s has_any (dvchostname_has_any))\n and array_length(hashes_has_any) == 0 or detail_objectFileHashSha1_s has_any (hashes_has_any) or detail_objectFileHashSha256_s has_any (hashes_has_any)\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | extend\n ActingProcessId = tostring(toint(detail_processPid_d)),\n TargetProcessId = tostring(toint(detail_objectPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n TargetProcessCreationTime = unixtime_milliseconds_todatetime(detail_objectLaunchTime_d),\n ActingProcessCreationTime = unixtime_milliseconds_todatetime(detail_processLaunchTime_d),\n ActingProcessFilename = 
GetFilenamePart(detail_processFilePath_s),\n ParentProcessCreationTime = unixtime_milliseconds_todatetime(detail_parentLaunchTime_d),\n ParentProcessName = detail_parentName_s,\n TargetProcessFilename = GetFilenamePart(detail_objectFilePath_s),\n ActingProcessFileSize = tolong(detail_processFileSize_d),\n TargetUserSessionId = tostring(toint(detail_objectAuthId_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n TargetProcessMD5 = replace_string(detail_objectFileHashMd5_g, \"-\", \"\"),\n ActingProcessMD5 = replace_string(detail_processFileHashMd5_g, \"-\", \"\"),\n ParentProcessMD5 = replace_string(detail_parentFileHashMd5_g, \"-\", \"\"),\n TargetProcessCommandLine = replace_string(detail_objectCmd_s, '\"', ''),\n ActingProcessCommandLine = replace_string(detail_processCmd_s, '\"', ''),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s\n )\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | lookup IntegrityLevelLookup on $left.detail_parentIntegrityLevel_d == $right.IntegrityLevel\n | project-rename ParentProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_objectIntegrityLevel_d == $right.IntegrityLevel\n | project-rename TargetProcessIntegrityLevel = IntegrityType\n | lookup IntegrityLevelLookup on $left.detail_integrityLevel_d == $right.IntegrityLevel\n | project-rename ActingProcessIntegrityLevel = IntegrityType\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"ProcessEvent\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n TargetProcessName = detail_objectName_s,\n TargetUsername = detail_objectUser_s,\n ActingProcessName = detail_processName_s,\n ActingProcessSHA1 = 
detail_processFileHashSha1_s,\n ActingProcessSHA256 = detail_processFileHashSha256_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n ParentProcessSHA1 = detail_parentFileHashSha1_s,\n ParentProcessSHA256 = detail_parentFileHashSha256_s,\n TargetProcessSHA1 = detail_objectFileHashSha1_s,\n TargetProcessSHA256 = detail_objectFileHashSha256_s,\n EventUid = _ItemId,\n EventMessage = description\n | extend \n Dvc = DvcHostname,\n EventEndTime = EventStartTime,\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n Hash = coalesce(TargetProcessSHA256, TargetProcessSHA1, TargetProcessMD5)\n | extend\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n HashType = case(\n isnotempty(Hash) and isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(Hash) and isnotempty(TargetProcessSHA1),\n \"TargetProcessSHA1\",\n isnotempty(Hash) and isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n filters,\n name\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n 
parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json index 50abd33f255..1ca6499ce56 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessCreateVMwareCarbonBlackCloud/vimProcessCreateVMwareCarbonBlackCloud.json 
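Review bot: The hash filter in the new-side `query` string (the last term of the `where` clause just before `| parse filters_s`) is missing parentheses: `and array_length(hashes_has_any) == 0 or detail_objectFileHashSha1_s has_any (hashes_has_any) or detail_objectFileHashSha256_s has_any (hashes_has_any)`, and because KQL `and` binds tighter than `or`, any row whose SHA1/SHA256 matches bypasses the starttime/endtime, `detail_eventId_s`/`detail_eventSubId_s`, `eventtype` and every other filter in that clause. The commit only flattens the ARM resource, so this is carried over rather than introduced, but the flat `savedSearches` resource is what gets deployed and an analyst pivoting on a hash would get events outside the requested window and event type. The fix is to group the three terms, `and (array_length(hashes_has_any) == 0 or detail_objectFileHashSha1_s has_any (hashes_has_any) or detail_objectFileHashSha256_s has_any (hashes_has_any))`, applied in the parser YAML this template appears to be generated from so the ARM file is regenerated rather than hand-edited. The vimProcessCreateVMwareCarbonBlackCloud hunk that follows carries the same unparenthesized `and array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any)` term.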
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessCreateVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessCreateVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimProcessCreateVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: 
dynamic=dynamic([]),\n disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable (\n eventType_s: string,\n childproc_pid_d: real,\n process_hash_s: string,\n parent_hash_s: string,\n childproc_hash_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n event_id_g: string,\n createTime_s: string,\n process_pid_d: real,\n parent_pid_d: real,\n org_key_s: string,\n parent_cmdline_s: string,\n process_reputation_s: string,\n childproc_reputation_s: string,\n parent_reputation_s: string,\n process_guid_s: string,\n childproc_guid_s: string,\n parent_guid_s: string,\n process_username_s: string,\n target_cmdline_s: string,\n childproc_name_s: string,\n childproc_username_s: string,\n device_external_ip_s: string,\n device_group_s: string,\n process_cmdline_s: string,\n process_path_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n action_s: string,\n event_origin_s: string,\n parent_path_s: string,\n device_name_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and (array_length(dvcipaddr_has_any_prefix) == 0 or 
has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix))\n and (targetusername_has == '*' or childproc_username_s has targetusername_has) \n and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or process_path_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or childproc_name_s has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or parent_path_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n and array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any)\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s; \n let processdatawiththreat = processdata\n | where isnotempty(alert_id_g) and isnotempty(event_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on\n $left.alert_id_g == $right.threatInfo_incidentId_g,\n $left.event_id_g == 
$right.threatInfo_threatCause_causeEventId_g\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n primary_event_id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\n | extend \n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\n | extend Rule = RuleName;\n let processdatawithoutthreat = processdata\n | where isempty(alert_id_g) or isempty(event_id_g);\n union processdatawithoutthreat, processdatawiththreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(childproc_pid_d)),\n ActingProcessId = tostring(toint(process_pid_d)),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields_Common = bag_pack(\n \"org_key\",\n org_key_s,\n \"alert_id\",\n alert_id_g,\n \"parent_cmdline\",\n parent_cmdline_s,\n \"process_reputation\",\n process_reputation_s,\n \"childproc_reputation\",\n childproc_reputation_s,\n \"parent_reputation\",\n parent_reputation_s,\n 
\"process_guid\",\n process_guid_s,\n \"childproc_guid\",\n childproc_guid_s,\n \"parent_guid\",\n parent_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n ActorUsername = process_username_s,\n TargetProcessCommandLine = target_cmdline_s,\n TargetProcessName = childproc_name_s,\n TargetUsername = childproc_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\",\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n 
commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimProcessCreateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet ThreatConfidenceLookup = datatable (ThreatOriginalConfidence: string, ThreatConfidence: int)\n [\n \"1\", 10,\n \"2\", 20,\n \"3\", 30,\n \"4\", 40,\n \"5\", 50,\n \"6\", 60,\n \"7\", 70,\n \"8\", 80,\n \"9\", 90,\n \"10\", 100\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: 
dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n let CarbonBlackEventsSchema = datatable (\n eventType_s: string,\n childproc_pid_d: real,\n process_hash_s: string,\n parent_hash_s: string,\n childproc_hash_s: string,\n sensor_action_s: string,\n alert_id_g: string,\n event_id_g: string,\n createTime_s: string,\n process_pid_d: real,\n parent_pid_d: real,\n org_key_s: string,\n parent_cmdline_s: string,\n process_reputation_s: string,\n childproc_reputation_s: string,\n parent_reputation_s: string,\n process_guid_s: string,\n childproc_guid_s: string,\n parent_guid_s: string,\n process_username_s: string,\n target_cmdline_s: string,\n childproc_name_s: string,\n childproc_username_s: string,\n device_external_ip_s: string,\n device_group_s: string,\n process_cmdline_s: string,\n process_path_s: string,\n device_id_s: string,\n device_os_s: string,\n event_description_s: string,\n action_s: string,\n event_origin_s: string,\n parent_path_s: string,\n device_name_s: string\n)[];\n let CarbonBlackNotificationsSchema = datatable (\n type_s: string,\n threatInfo_incidentId_g: string,\n threatInfo_score_d: real,\n threatInfo_summary_s: string,\n threatInfo_time_d: real,\n threatInfo_threatCause_threatCategory_s: string,\n threatInfo_threatCause_causeEventId_g: string,\n ruleName_s: string,\n deviceInfo_deviceVersion_s: string,\n threatInfo_threatCause_originSourceType_s: string,\n threatInfo_threatCause_reputation_s: string,\n threatInfo_threatCause_reason_s: string,\n id_g: string,\n primary_event_id_g: string,\n threat_id_g: string\n)[];\n let 
processdata = union (CarbonBlackEvents_CL), (CarbonBlackEventsSchema)\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and eventType_s == \"endpoint.event.procstart\" and isnotempty(childproc_pid_d)\n and (eventtype == '*' or eventtype == 'ProcessCreated')\n and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix))\n and (targetusername_has == '*' or childproc_username_s has targetusername_has) \n and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or process_path_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or childproc_name_s has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or parent_path_s has_any (parentprocess_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n and array_length(hashes_has_any) == 0 or childproc_hash_s has_any (hashes_has_any)\n | parse process_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ParentProcessMD5: string '\",\"' ParentProcessSHA256: string '\"]'\n | parse childproc_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s; \n let processdatawiththreat = processdata\n | where isnotempty(alert_id_g) and isnotempty(event_id_g)\n | join kind=leftouter(union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"THREAT\"\n | project\n threatInfo_incidentId_g,\n 
threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_time_d,\n threatInfo_threatCause_threatCategory_s,\n threatInfo_threatCause_causeEventId_g,\n ruleName_s,\n deviceInfo_deviceVersion_s,\n threatInfo_threatCause_originSourceType_s,\n threatInfo_threatCause_reputation_s,\n threatInfo_threatCause_reason_s)\n on\n $left.alert_id_g == $right.threatInfo_incidentId_g,\n $left.event_id_g == $right.threatInfo_threatCause_causeEventId_g\n | join kind=leftouter (union (CarbonBlackNotifications_CL), (CarbonBlackNotificationsSchema)\n | where type_s == \"CB_ANALYTICS\"\n | project\n id_g,\n primary_event_id_g,\n deviceInfo_deviceVersion_s,\n threat_id_g,\n threatInfo_score_d,\n threatInfo_summary_s,\n threatInfo_threatCause_reason_s)\n on $left.alert_id_g == $right.id_g, $left.event_id_g == $right.primary_event_id_g\n | extend \n ThreatDescription = coalesce(threatInfo_summary_s, threatInfo_summary_s1),\n ThreatCategory = threatInfo_threatCause_threatCategory_s,\n ThreatFirstReportedTime = unixtime_milliseconds_todatetime(threatInfo_time_d),\n RuleName = ruleName_s,\n AdditionalFields_threat = bag_pack(\n \"threatInfo_threatCause_reason\",\n coalesce(threatInfo_threatCause_reason_s, threatInfo_threatCause_reason_s1),\n \"threatInfo_threatCause_reputation\",\n threatInfo_threatCause_reputation_s,\n \"threatInfo_threatCause_originSourceType\",\n threatInfo_threatCause_originSourceType_s\n ),\n ThreatId = threat_id_g,\n ThreatOriginalConfidence = tostring(toint(coalesce(threatInfo_score_d, threatInfo_score_d1))),\n DvcOsVersion = coalesce(deviceInfo_deviceVersion_s, deviceInfo_deviceVersion_s1)\n | lookup ThreatConfidenceLookup on ThreatOriginalConfidence\n | extend Rule = RuleName;\n let processdatawithoutthreat = processdata\n | where isempty(alert_id_g) or isempty(event_id_g);\n union processdatawithoutthreat, processdatawiththreat\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(childproc_pid_d)),\n 
ActingProcessId = tostring(toint(process_pid_d)),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields_Common = bag_pack(\n \"org_key\",\n org_key_s,\n \"alert_id\",\n alert_id_g,\n \"parent_cmdline\",\n parent_cmdline_s,\n \"process_reputation\",\n process_reputation_s,\n \"childproc_reputation\",\n childproc_reputation_s,\n \"parent_reputation\",\n parent_reputation_s,\n \"process_guid\",\n process_guid_s,\n \"childproc_guid\",\n childproc_guid_s,\n \"parent_guid\",\n parent_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n ActorUsername = process_username_s,\n TargetProcessCommandLine = target_cmdline_s,\n TargetProcessName = childproc_name_s,\n TargetUsername = childproc_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = process_cmdline_s,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessCreated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\",\n AdditionalFields = bag_merge(AdditionalFields_threat, AdditionalFields_Common)\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = TargetUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n 
isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n ),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\")\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n AdditionalFields_*\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessEmpty/vimProcessEmpty.json b/Parsers/ASimProcessEvent/ARM/vimProcessEmpty/vimProcessEmpty.json index 1cf23a68148..8053bf3826c 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessEmpty/vimProcessEmpty.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessEmpty/vimProcessEmpty.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimProcessEmpty", - "query": "let EmptyNewProcessEvents = datatable(\n // ****** Mandatory LA fields ******\n TimeGenerated:datetime, // => EventEndTime\n _ResourceId:string,\n Type:string,\n // ****** Event fields ******\n EventType:string,\n EventProduct:string,\n EventProductVersion:string,\n EventCount:int,\n EventMessage:string,\n EventVendor:string,\n EventSchema:string,\n EventSchemaVersion:string,\n EventSeverity:string,\n EventSubType:string,\n EventOriginalUid:string,\n EventOriginalType:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventStartTime:datetime,\n EventEndTime:datetime,\n EventReportUrl:string,\n EventResult: string,\n EventResultDetails: string,\n AdditionalFields:dynamic,\n EventOwner:string,\n // ****** Device fields ******\n DvcId:string,\n DvcHostname:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcIpAddr:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcMacAddr:string,\n DvcAction:string,\n DvcOriginalAction:string,\n DvcDescription: string,\n DvcIdType: string,\n DvcInterface: string,\n DvcZone: string,\n DvcScopeId:string,\n DvcScope:string,\n // ****** Target fields ******\n TargetUsername:string,\n TargetUsernameType:string,\n 
TargetOriginalUserType:string,\n TargetUserId:string,\n TargetUserIdType:string,\n TargetUserType:string,\n TargetUserSessionId:string,\n TargetUserUid:string,\n TargetUserScopeId:string,\n TargetUserScope:string,\n TargetProcessName:string,\n TargetProcessFileDescription:string,\n TargetProcessFileProduct:string,\n TargetProcessFileVersion:string,\n TargetProcessFileCompany: string,\n TargetProcessFileInternalName: string,\n TargetProcessFileOriginalName: string,\n TargetProcessFileSize: long,\n TargetProcessCurrentDirectory: string,\n TargetProcessIsHidden:bool,\n TargetProcessInjectedAddress:string,\n TargetProcessMD5:string,\n TargetProcessSHA1:string,\n TargetProcessSHA256:string,\n TargetProcessSHA512:string,\n TargetProcessIMPHASH:string,\n TargetProcessCommandLine:string,\n TargetProcessCreationTime:datetime,\n TargetProcessId:string,\n TargetProcessGuid:string,\n TargetProcessIntegrityLevel:string,\n TargetProcessTokenElevation:string,\n // ****** Process fields ******\n ActorUsername:string,\n ActorUsernameType:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUserType:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n ActingProcessCommandLine:string,\n ActingProcessName:string,\n ActingProcessFileDescription:string,\n ActingProcessFileProduct:string,\n ActingProcessFileCompany: string,\n ActingProcessFileInternalName: string,\n ActingProcessFileOriginalName: string,\n ActingProcessFileSize: long,\n ActingProcessFileVersion:string,\n ActingProcessIsHidden:bool,\n ActingProcessTokenElevation: string,\n ActingProcessInjectedAddress:string,\n ActingProcessId:string,\n ActingProcessGuid:string,\n ActingProcessIntegrityLevel:string,\n ActingProcessMD5:string,\n ActingProcessSHA1:string,\n ActingProcessSHA256:string,\n ActingProcessSHA512:string,\n ActingProcessIMPHASH:string,\n ActingProcessCreationTime:datetime,\n 
ParentProcessName:string,\n ParentProcessFileDescription:string,\n ParentProcessFileProduct:string,\n ParentProcessFileVersion:string,\n ParentProcessFileCompany: string,\n ParentProcessTokenElevation:string,\n ParentProcessIsHidden:bool,\n ParentProcessInjectedAddress:string,\n ParentProcessId:string,\n ParentProcessGuid:string,\n ParentProcessIntegrityLevel:string,\n ParentProcessMD5:string,\n ParentProcessSHA1:string,\n ParentProcessSHA256:string,\n ParentProcessSHA512:string,\n ParentProcessIMPHASH:string,\n ParentProcessCreationTime:datetime,\n ParentProcessCommandLine:string,\n ParentProcessFileInternalName: string,\n ParentProcessFileOriginalName: string,\n ParentProcessFileSize: long,\n //****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ******\n Dvc:string,\n Src:string,\n Dst:string,\n User:string,\n Process:string,\n CommandLine:string,\n Hash:string,\n HashType:string\n )[];\n EmptyNewProcessEvents\n", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimProcessEmpty", + "query": "let EmptyNewProcessEvents = datatable(\n // ****** Mandatory LA fields ******\n TimeGenerated:datetime, // => EventEndTime\n _ResourceId:string,\n Type:string,\n // ****** Event fields ******\n EventType:string,\n EventProduct:string,\n EventProductVersion:string,\n EventCount:int,\n EventMessage:string,\n EventVendor:string,\n EventSchema:string,\n EventSchemaVersion:string,\n EventSeverity:string,\n EventSubType:string,\n EventOriginalUid:string,\n EventOriginalType:string,\n EventOriginalResultDetails:string,\n 
EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventStartTime:datetime,\n EventEndTime:datetime,\n EventReportUrl:string,\n EventResult: string,\n EventResultDetails: string,\n AdditionalFields:dynamic,\n EventOwner:string,\n // ****** Device fields ******\n DvcId:string,\n DvcHostname:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcIpAddr:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcMacAddr:string,\n DvcAction:string,\n DvcOriginalAction:string,\n DvcDescription: string,\n DvcIdType: string,\n DvcInterface: string,\n DvcZone: string,\n DvcScopeId:string,\n DvcScope:string,\n // ****** Target fields ******\n TargetUsername:string,\n TargetUsernameType:string,\n TargetOriginalUserType:string,\n TargetUserId:string,\n TargetUserIdType:string,\n TargetUserType:string,\n TargetUserSessionId:string,\n TargetUserUid:string,\n TargetUserScopeId:string,\n TargetUserScope:string,\n TargetProcessName:string,\n TargetProcessFileDescription:string,\n TargetProcessFileProduct:string,\n TargetProcessFileVersion:string,\n TargetProcessFileCompany: string,\n TargetProcessFileInternalName: string,\n TargetProcessFileOriginalName: string,\n TargetProcessFileSize: long,\n TargetProcessCurrentDirectory: string,\n TargetProcessIsHidden:bool,\n TargetProcessInjectedAddress:string,\n TargetProcessMD5:string,\n TargetProcessSHA1:string,\n TargetProcessSHA256:string,\n TargetProcessSHA512:string,\n TargetProcessIMPHASH:string,\n TargetProcessCommandLine:string,\n TargetProcessCreationTime:datetime,\n TargetProcessId:string,\n TargetProcessGuid:string,\n TargetProcessIntegrityLevel:string,\n TargetProcessTokenElevation:string,\n // ****** Process fields ******\n ActorUsername:string,\n ActorUsernameType:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUserType:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n 
ActingProcessCommandLine:string,\n ActingProcessName:string,\n ActingProcessFileDescription:string,\n ActingProcessFileProduct:string,\n ActingProcessFileCompany: string,\n ActingProcessFileInternalName: string,\n ActingProcessFileOriginalName: string,\n ActingProcessFileSize: long,\n ActingProcessFileVersion:string,\n ActingProcessIsHidden:bool,\n ActingProcessTokenElevation: string,\n ActingProcessInjectedAddress:string,\n ActingProcessId:string,\n ActingProcessGuid:string,\n ActingProcessIntegrityLevel:string,\n ActingProcessMD5:string,\n ActingProcessSHA1:string,\n ActingProcessSHA256:string,\n ActingProcessSHA512:string,\n ActingProcessIMPHASH:string,\n ActingProcessCreationTime:datetime,\n ParentProcessName:string,\n ParentProcessFileDescription:string,\n ParentProcessFileProduct:string,\n ParentProcessFileVersion:string,\n ParentProcessFileCompany: string,\n ParentProcessTokenElevation:string,\n ParentProcessIsHidden:bool,\n ParentProcessInjectedAddress:string,\n ParentProcessId:string,\n ParentProcessGuid:string,\n ParentProcessIntegrityLevel:string,\n ParentProcessMD5:string,\n ParentProcessSHA1:string,\n ParentProcessSHA256:string,\n ParentProcessSHA512:string,\n ParentProcessIMPHASH:string,\n ParentProcessCreationTime:datetime,\n ParentProcessCommandLine:string,\n ParentProcessFileInternalName: string,\n ParentProcessFileOriginalName: string,\n ParentProcessFileSize: long,\n //****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ******\n Dvc:string,\n Src:string,\n Dst:string,\n User:string,\n Process:string,\n CommandLine:string,\n Hash:string,\n HashType:string\n )[];\n EmptyNewProcessEvents\n", + "version": 1 + } } ] -} \ No 
newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessEventMD4IoT/vimProcessEventMD4IoT.json b/Parsers/ASimProcessEvent/ARM/vimProcessEventMD4IoT/vimProcessEventMD4IoT.json index 513771babcc..30517cc1911 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessEventMD4IoT/vimProcessEventMD4IoT.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessEventMD4IoT/vimProcessEventMD4IoT.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", - "category": "ASIM", - "FunctionAlias": "vimProcessEventMD4IoT", - "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" \n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (targetusername=='*' or EventDetails has targetusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // --------------------------------------------------------------------------------------\n | extend\n EventDetails = 
todynamic(EventDetails)\n | extend // required for postfilterring\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n TargetUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (targetusername=='*' or TargetUsername has targetusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.EventType == 'EXIT', 'ProcessTerminate', 'ProcessCreated'), \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n 
EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Microsoft Defender for IoT", + "category": "ASIM", + "FunctionAlias": "vimProcessEventMD4IoT", + "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" \n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessCreated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (targetusername=='*' 
or EventDetails has targetusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // --------------------------------------------------------------------------------------\n | extend\n EventDetails = todynamic(EventDetails)\n | extend // required for postfilterring\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0]),\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\") // Intermediate fix\n | extend \n TargetUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (targetusername=='*' or TargetUsername has targetusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.EventType == 'EXIT', 'ProcessTerminate', 'ProcessCreated'), \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = 
tostring(EventDetails.ProcessId), \n TargetUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = TargetUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json b/Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json index 30076232597..49c88a590ac 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessEventMicrosoft365D/vimProcessEventMicrosoft365D.json 
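Review bot: The filter parameter names in this parser's `functionParameters` and query body — `targetusername:string='*'` and `dvcname_has_any:dynamic=dynamic([])` — differ from the `targetusername_has` and `dvchostname_has_any` names that the sibling vim parsers in this same commit (Carbon Black, Microsoft 365 Defender) expose, and the commit carries the mismatch over unchanged. If a union parser invokes the source parsers with named arguments, this one would reject or ignore the call, so the names should presumably be aligned to `targetusername_has:string='*'` and `dvchostname_has_any:dynamic=dynamic([])` in both the `functionParameters` string and the `where` clauses of the query; I cannot see the caller from this hunk, so treat that as something to confirm. Since this JSON appears to be generated from the parser YAML by the convert workflow, the rename belongs in the YAML source rather than in this file. The whole `ProcessEvents_MD4IoT` function is contained within the hunk.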
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Create Event ASIM parser for Microsoft 365 Defender for endpoint", - "category": "ASIM", - "FunctionAlias": "vimProcessEventMicrosoft365D", - "query": "let parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n ) {\n DeviceProcessEvents \n // -- pre-filtering\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(commandline_has_all)==0 or ProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 or ProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(ProcessCommandLine, commandline_has_any_ip_prefix) ) \n and 
(array_length(actingprocess_has_any)==0 or InitiatingProcessFolderPath has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or FolderPath has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any)==0 or InitiatingProcessParentFileName has_any (parentprocess_has_any)) \n and (targetusername_has=='*' or AccountName has targetusername_has or AccountDomain has targetusername_has) \n and (array_length(dvchostname_has_any)==0 or DeviceName has_any (dvchostname_has_any)) \n and (array_length(hashes_has_any)==0 or SHA256 in (hashes_has_any) or SHA1 in (hashes_has_any) or MD5 in (hashes_has_any))\n and (eventtype=='*' or eventtype=='ProcessCreated')\n | extend\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventResult = 'Success'\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n ActorSessionId = tostring(InitiatingProcessLogonId),\n TargetUserSessionId = tostring(LogonId),\n Hash = coalesce (SHA256, SHA1, MD5, \"\"),\n TargetProcessId = tostring(ProcessId),\n ActingProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId),\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\")\n | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, 
AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename\n DvcId = DeviceId,\n EventType = ActionType,\n ActorUserId = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n TargetUserId = AccountSid,\n TargetUserAadId = AccountObjectId,\n TargetUserUpn = AccountUpn,\n ParentProcessName = InitiatingProcessParentFileName,\n TargetProcessFilename = FileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n TargetProcessName = FolderPath,\n TargetProcessCommandLine = ProcessCommandLine,\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\n TargetProcessTokenElevation = ProcessTokenElevation,\n TargetProcessCreationTime = ProcessCreationTime,\n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFilename = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, \n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n MDE_MachineGroup = MachineGroup\n | extend // -- aliases\n User = coalesce(TargetUsername, ActorUsername),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away AppGuardContainerId, Timestamp , SourceSystem, TenantId\n };\n parser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n 
commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Create Event ASIM parser for Microsoft 365 Defender for endpoint", + "category": "ASIM", + "FunctionAlias": "vimProcessEventMicrosoft365D", + "query": "let parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n targetusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n ) {\n DeviceProcessEvents \n // -- pre-filtering\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n 
and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(commandline_has_all)==0 or ProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any)==0 or ProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(ProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(actingprocess_has_any)==0 or InitiatingProcessFolderPath has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any)==0 or FolderPath has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any)==0 or InitiatingProcessParentFileName has_any (parentprocess_has_any)) \n and (targetusername_has=='*' or AccountName has targetusername_has or AccountDomain has targetusername_has) \n and (array_length(dvchostname_has_any)==0 or DeviceName has_any (dvchostname_has_any)) \n and (array_length(hashes_has_any)==0 or SHA256 in (hashes_has_any) or SHA1 in (hashes_has_any) or MD5 in (hashes_has_any))\n and (eventtype=='*' or eventtype=='ProcessCreated')\n | extend\n EventOriginalUid = tostring(ReportId),\n EventCount = int(1),\n EventProduct = 'M365 Defender for Endpoint',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventResult = 'Success'\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)),\n TargetUsername = iff (AccountDomain == '', AccountName, strcat(AccountDomain, '\\\\', AccountName)),\n TargetUsernameType = iff(AccountDomain == '','Simple', 'Windows'),\n ActorUsernameType = iff(InitiatingProcessAccountDomain == '','Simple', 'Windows'),\n ActorUserIdType = 'SID',\n TargetUserIdType = 'SID',\n ActorSessionId = tostring(InitiatingProcessLogonId),\n TargetUserSessionId = tostring(LogonId),\n 
Hash = coalesce (SHA256, SHA1, MD5, \"\"),\n TargetProcessId = tostring(ProcessId),\n ActingProcessId = tostring(InitiatingProcessId),\n ParentProcessId = tostring(InitiatingProcessParentId),\n DvcOs = iff (AdditionalFields has \"ProcessPosixProcessGroupId\", \"Linux\", \"Windows\")\n | project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName, AccountDomain, AccountName, ProcessId, InitiatingProcessId, InitiatingProcessParentId, LogonId, InitiatingProcessLogonId, ReportId\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(SHA256, SHA1, MD5),Hash)])\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename\n DvcId = DeviceId,\n EventType = ActionType,\n ActorUserId = InitiatingProcessAccountSid,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n TargetUserId = AccountSid,\n TargetUserAadId = AccountObjectId,\n TargetUserUpn = AccountUpn,\n ParentProcessName = InitiatingProcessParentFileName,\n TargetProcessFilename = FileName,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n TargetProcessName = FolderPath,\n TargetProcessCommandLine = ProcessCommandLine,\n TargetProcessMD5 = MD5,\n TargetProcessSHA1 = SHA1,\n TargetProcessSHA256 = SHA256,\n TargetProcessIntegrityLevel = ProcessIntegrityLevel,\n TargetProcessTokenElevation = ProcessTokenElevation,\n TargetProcessCreationTime = ProcessCreationTime,\n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFilename = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, \n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n MDE_MachineGroup = MachineGroup\n | 
extend // -- aliases\n User = coalesce(TargetUsername, ActorUsername),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away AppGuardContainerId, Timestamp , SourceSystem, TenantId\n };\n parser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessEventNative/vimProcessEventNative.json b/Parsers/ASimProcessEvent/ARM/vimProcessEventNative/vimProcessEventNative.json index 852d8db56d6..fe94e581071 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessEventNative/vimProcessEventNative.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessEventNative/vimProcessEventNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Event ASIM filtering parser for Microsoft Sentinel native Process Event table", - "category": "ASIM", - "FunctionAlias": "vimProcessEventNative", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimProcessEventLogs \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DvcIpAddr, dvcipaddr_has_any_prefix))\n and (array_length(commandline_has_all) == 0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or 
has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ActingProcessName has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or ParentProcessName has_any (parentprocess_has_any)) \n and (targetusername_has == '*' or TargetUsername has targetusername_has)\n and (actorusername_has == '*' or ActorUsername has actorusername_has) \n and (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any)) \n and (array_length(hashes_has_any) == 0 or TargetProcessSHA512 has_any (hashes_has_any) or TargetProcessSHA256 has_any (hashes_has_any) or TargetProcessSHA1 has_any (hashes_has_any) or TargetProcessMD5 has_any (hashes_has_any) or TargetProcessIMPHASH has_any (hashes_has_any))\n and (eventtype == '*' or EventType == eventtype)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"ProcessEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = TargetUsername,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine,\n Hash = coalesce(TargetProcessSHA512, TargetProcessSHA256, TargetProcessMD5, TargetProcessSHA1, TargetProcessIMPHASH)\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n 
targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Event ASIM filtering parser for Microsoft Sentinel native Process Event table", + "category": "ASIM", + "FunctionAlias": "vimProcessEventNative", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n targetusername_has: string='*',\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n hashes_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimProcessEventLogs \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(dvcipaddr_has_any_prefix) == 0 or 
has_any_ipv4_prefix(DvcIpAddr, dvcipaddr_has_any_prefix))\n and (array_length(commandline_has_all) == 0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any) == 0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or ActingProcessName has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n and (array_length(parentprocess_has_any) == 0 or ParentProcessName has_any (parentprocess_has_any)) \n and (targetusername_has == '*' or TargetUsername has targetusername_has)\n and (actorusername_has == '*' or ActorUsername has actorusername_has) \n and (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any)) \n and (array_length(hashes_has_any) == 0 or TargetProcessSHA512 has_any (hashes_has_any) or TargetProcessSHA256 has_any (hashes_has_any) or TargetProcessSHA1 has_any (hashes_has_any) or TargetProcessMD5 has_any (hashes_has_any) or TargetProcessIMPHASH has_any (hashes_has_any))\n and (eventtype == '*' or EventType == eventtype)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"ProcessEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = TargetUsername,\n Process = TargetProcessName,\n CommandLine = TargetProcessCommandLine,\n Hash = coalesce(TargetProcessSHA512, TargetProcessSHA256, TargetProcessMD5, TargetProcessSHA1, TargetProcessIMPHASH)\n | project-away\n TenantId,\n 
SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n targetusername_has=targetusername_has,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),targetusername_has:string='*',actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateLinuxSysmon/vimProcessTerminateLinuxSysmon.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateLinuxSysmon/vimProcessTerminateLinuxSysmon.json index f63d175a5be..d25653b22ba 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateLinuxSysmon/vimProcessTerminateLinuxSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateLinuxSysmon/vimProcessTerminateLinuxSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessTerminateLinuxSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessTerminateLinuxSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Sysmon for Linux", - "category": "ASIM", - "FunctionAlias": "vimProcessTerminateLinuxSysmon", - "query": "let ParsedProcessEvent=(){\nSyslog\n| where SyslogMessage has_all ('5')\n// --------------------------------------------------------------------------------------\n| where\n(isnull(starttime) or TimeGenerated >= starttime )\nand (isnull(endtime) or TimeGenerated <= endtime )\nand not(disabled)\nand (array_length(dvcipaddr_has_any_prefix)==0)\nand (array_length(commandline_has_all)==0) \nand (array_length(commandline_has_any)==0) \nand (array_length(actingprocess_has_any)==0) \nand (array_length(parentprocess_has_any)==0) \nand (array_length(commandline_has_any_ip_prefix)==0) \nand (eventtype=='*' or eventtype=='ProcessTerminated')\nand (array_length(targetprocess_has_any)==0 or SyslogMessage has_any (targetprocess_has_any)) \nand (actorusername=='*' or SyslogMessage has actorusername) \nand (array_length(dvcname_has_any)==0 or Computer has_any (dvcname_has_any)) \n// --------------------------------------------------------------------------------------\n| parse SyslogMessage with *''ActorUsername '' *\n// --------------------------------------------------------------------------------------\n| where\n (actorusername=='*' or ActorUsername has actorusername) 
\n// --------------------------------------------------------------------------------------\n| parse SyslogMessage with * ''RuleName''\n ''UtcTime''\n '{'ProcessGuid'}'\n ''ProcessId:string''\n ''Image''*\n// --------------------------------------------------------------------------------------\n| where\n (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any)) \n// --------------------------------------------------------------------------------------\n| project-away SyslogMessage\n| extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType='5',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Linux\"\n| project-rename\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessId = ProcessId\n| extend\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n TargetProcessGuid = ProcessGuid,\n //***** Aliases ******\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n}; ParsedProcessEvent\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Sysmon for Linux", + "category": "ASIM", + "FunctionAlias": "vimProcessTerminateLinuxSysmon", + "query": "let ParsedProcessEvent=(){\nSyslog\n| where SyslogMessage has_all 
('5')\n// --------------------------------------------------------------------------------------\n| where\n(isnull(starttime) or TimeGenerated >= starttime )\nand (isnull(endtime) or TimeGenerated <= endtime )\nand not(disabled)\nand (array_length(dvcipaddr_has_any_prefix)==0)\nand (array_length(commandline_has_all)==0) \nand (array_length(commandline_has_any)==0) \nand (array_length(actingprocess_has_any)==0) \nand (array_length(parentprocess_has_any)==0) \nand (array_length(commandline_has_any_ip_prefix)==0) \nand (eventtype=='*' or eventtype=='ProcessTerminated')\nand (array_length(targetprocess_has_any)==0 or SyslogMessage has_any (targetprocess_has_any)) \nand (actorusername=='*' or SyslogMessage has actorusername) \nand (array_length(dvcname_has_any)==0 or Computer has_any (dvcname_has_any)) \n// --------------------------------------------------------------------------------------\n| parse SyslogMessage with *''ActorUsername '' *\n// --------------------------------------------------------------------------------------\n| where\n (actorusername=='*' or ActorUsername has actorusername) \n// --------------------------------------------------------------------------------------\n| parse SyslogMessage with * ''RuleName''\n ''UtcTime''\n '{'ProcessGuid'}'\n ''ProcessId:string''\n ''Image''*\n// --------------------------------------------------------------------------------------\n| where\n (array_length(targetprocess_has_any)==0 or Image has_any (targetprocess_has_any)) \n// --------------------------------------------------------------------------------------\n| project-away SyslogMessage\n| extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType='5',\n EventProduct = \"Sysmon\",\n EventResult = 'Success',\n DvcOs = \"Linux\"\n| project-rename\n 
DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessId = ProcessId\n| extend\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n TargetProcessGuid = ProcessGuid,\n //***** Aliases ******\n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n}; ParsedProcessEvent\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMD4IoT/vimProcessTerminateMD4IoT.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMD4IoT/vimProcessTerminateMD4IoT.json index c0f055ae5b0..9f40f10f059 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMD4IoT/vimProcessTerminateMD4IoT.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMD4IoT/vimProcessTerminateMD4IoT.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessTerminateMD4IoT')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessTerminateMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Microsoft Defender for IoT", - "category": "ASIM", - "FunctionAlias": "vimProcessTerminateMD4IoT", - "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" and EventDetails has_cs 'EXIT'\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (actorusername=='*' or EventDetails has actorusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // 
--------------------------------------------------------------------------------------\n | extend\n EventDetails = todynamic(EventDetails)\n | where tostring(EventDetails.EventType) == 'EXIT'\n | extend // required for postfilterring\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // Intermediate fix\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0])\n | extend // required for postfilterring\n ActorUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (actorusername=='*' or ActorUsername has actorusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = 'ProcessTerminated', \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n ActorUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n 
ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = ActorUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Microsoft Defender for IoT", + "category": "ASIM", + "FunctionAlias": "vimProcessTerminateMD4IoT", + "query": "let ProcessEvents_MD4IoT=()\n{\n SecurityIoTRawEvent \n | where RawEventName == \"Process\" and EventDetails has_cs 'EXIT'\n // --------------------------------------------------------------------------------------\n | where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(actingprocess_has_any)==0 ) \n and (array_length(parentprocess_has_any)==0) \n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_any)==0 or EventDetails has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or EventDetails has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or 
has_any_ipv4_prefix(EventDetails, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or EventDetails has_any (targetprocess_has_any)) \n and (actorusername=='*' or EventDetails has actorusername) \n and (array_length(dvcname_has_any)==0 or DeviceId has_any (dvcname_has_any)) \n // --------------------------------------------------------------------------------------\n | extend\n EventDetails = todynamic(EventDetails)\n | where tostring(EventDetails.EventType) == 'EXIT'\n | extend // required for postfilterring\n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // Intermediate fix\n TargetProcessCommandLine = coalesce (tostring(EventDetails.Commandline), tostring(EventDetails.Executable)), \n TargetProcessName = coalesce (tostring(EventDetails.Executable), split(EventDetails.Commandline,\" \")[0])\n | extend // required for postfilterring\n ActorUsername = iff (DvcOs == \"Windows\", tostring(EventDetails.UserName), \"\")\n // --------------------------------------------------------------------------------------\n | where (array_length(commandline_has_any)==0 or TargetProcessCommandLine has_any (commandline_has_any)) \n and (array_length(commandline_has_all)==0 or TargetProcessCommandLine has_all (commandline_has_all)) \n and (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(TargetProcessCommandLine, commandline_has_any_ip_prefix) ) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n and (actorusername=='*' or ActorUsername has actorusername) \n // --------------------------------------------------------------------------------------\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventCount = toint(EventDetails.HitCount), \n EventProduct = 'Azure Defender for IoT', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent', \n EventStartTime = 
todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = 'ProcessTerminated', \n EventSubType = tostring(EventDetails.EventType),\n EventResult = 'Success', \n TargetProcessId = tostring(EventDetails.ProcessId), \n ActorUsernameType = iif (DvcOs == \"Windows\", \"Windows\", \"Simple\"), \n ActingProcessId = iff (DvcOs == \"Windows\", tostring(EventDetails.ParentProcessId), \"\") \n | project-rename\n DvcHostname = DeviceId,\n EventProductVersion = AgentVersion, // Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n | extend \n // -- aliases\n User = ActorUsername, \n CommandLine = TargetProcessCommandLine, \n Process = TargetProcessName, \n Dvc = DvcHostname \n };\n ProcessEvents_MD4IoT\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSecurityEvents/vimProcessTerminateMicrosoftSecurityEvents.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSecurityEvents/vimProcessTerminateMicrosoftSecurityEvents.json index c4b4b690b79..e209d38e0f8 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSecurityEvents/vimProcessTerminateMicrosoftSecurityEvents.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSecurityEvents/vimProcessTerminateMicrosoftSecurityEvents.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessTerminateMicrosoftSecurityEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessTerminateMicrosoftSecurityEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessTerminateMicrosoftSecurityEvents", - "query": "let ProcessEvents=(){\nSecurityEvent\n// -- Filter\n| where EventID == 4689\n// --------------------------------------------------------------------------------------\n| where\n(isnull(starttime) or TimeGenerated >= starttime )\nand (isnull(endtime) or TimeGenerated <= endtime )\nand not(disabled)\nand (array_length(actingprocess_has_any)==0 ) \nand (array_length(parentprocess_has_any)==0) \nand (array_length(dvcipaddr_has_any_prefix)==0)\nand (eventtype=='*' or eventtype=='ProcessTerminated')\nand (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) \nand (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all)) \nand (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) ) \nand (array_length(targetprocess_has_any)==0 or ProcessName has_any (targetprocess_has_any)) \nand (actorusername=='*' or SubjectAccount has actorusername) \nand (array_length(dvcname_has_any)==0 or Computer has_any (dvcname_has_any)) \n// --------------------------------------------------------------------------------------\n// 
-- Map\n| extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Events\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n EventOriginalUid = EventOriginId,\n EventResultDetails = Status,\n EventOriginalResultDetails = Status, \n // Device\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n // Users\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = SubjectLogonId,\n ActorDomainName = SubjectDomainName,\n // Processes \n TargetProcessId = tostring(toint(ProcessId)),\n TargetProcessName = ProcessName,\n TargetProcessCommandLine = CommandLine,\n TargetProcessTokenElevation = TokenElevationType,\n Process = ProcessName\n // Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n}; ProcessEvents\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": 
"vimProcessTerminateMicrosoftSecurityEvents", + "query": "let ProcessEvents=(){\nSecurityEvent\n// -- Filter\n| where EventID == 4689\n// --------------------------------------------------------------------------------------\n| where\n(isnull(starttime) or TimeGenerated >= starttime )\nand (isnull(endtime) or TimeGenerated <= endtime )\nand not(disabled)\nand (array_length(actingprocess_has_any)==0 ) \nand (array_length(parentprocess_has_any)==0) \nand (array_length(dvcipaddr_has_any_prefix)==0)\nand (eventtype=='*' or eventtype=='ProcessTerminated')\nand (array_length(commandline_has_any)==0 or CommandLine has_any (commandline_has_any)) \nand (array_length(commandline_has_all)==0 or CommandLine has_all (commandline_has_all)) \nand (array_length(commandline_has_any_ip_prefix)==0 or has_any_ipv4_prefix(CommandLine, commandline_has_any_ip_prefix) ) \nand (array_length(targetprocess_has_any)==0 or ProcessName has_any (targetprocess_has_any)) \nand (actorusername=='*' or SubjectAccount has actorusername) \nand (array_length(dvcname_has_any)==0 or Computer has_any (dvcname_has_any)) \n// --------------------------------------------------------------------------------------\n// -- Map\n| extend\n // Event\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventProduct = \"Security Events\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = \"ProcessTerminated\",\n EventResult = 'Success',\n EventOriginalType = tostring(EventID),\n EventOriginalUid = EventOriginId,\n EventResultDetails = Status,\n EventOriginalResultDetails = Status, \n // Device\n DvcId = SourceComputerId,\n DvcHostname = Computer,\n DvcOs = \"Windows\",\n // Users\n ActorUserIdType = iff (SubjectUserSid <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (SubjectUserSid <> \"S-1-0-0\", SubjectUserSid, \"\"), \n ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, 
SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName == '-','Simple', 'Windows'),\n ActorSessionId = SubjectLogonId,\n ActorDomainName = SubjectDomainName,\n // Processes \n TargetProcessId = tostring(toint(ProcessId)),\n TargetProcessName = ProcessName,\n TargetProcessCommandLine = CommandLine,\n TargetProcessTokenElevation = TokenElevationType,\n Process = ProcessName\n // Aliases\n | extend \n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n}; ProcessEvents\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvcname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmon/vimProcessTerminateMicrosoftSysmon.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmon/vimProcessTerminateMicrosoftSysmon.json index c5c298127ca..9dabfd6aadf 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmon/vimProcessTerminateMicrosoftSysmon.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmon/vimProcessTerminateMicrosoftSysmon.json 
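Review bot: The `functionParameters` string on the new side keeps `actorusername:string='*'` and `dvcname_has_any:dynamic=dynamic([])`, while the sibling vimProcessTerminate templates in this diff (Sysmon and SysmonWindowsEvent) expose the same filters as `actorusername_has` and `dvchostname_has_any`; a caller that passes the filter by name will be accepted by one parser and rejected by the other, and a union parser cannot forward the argument uniformly. The embedded query also assigns `Process = ProcessName` in the first `extend` and then `Process = TargetProcessName` in the alias `extend`, which is redundant and easy to misread as two different values. Because the query and parameter string are a single JSON line here, the rename belongs in the parser's YAML source if this template is generated from it, so the ARM output stays in sync.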
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventTerminateMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventTerminateMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessEventTerminateMicrosoftSysmon", - "query": "let parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n actorusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n disabled:bool=false\n ) {\n // this is the parser for sysmon from Event table\n let parser_Event =\n Event\n | where // pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and Source == \"Microsoft-Windows-Sysmon\" and EventID == 5\n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_all)==0) \n and (array_length(commandline_has_any)==0) \n and (array_length(commandline_has_any_ip_prefix)==0) \n and (array_length(actingprocess_has_any)==0) \n and (array_length(parentprocess_has_any)==0) 
\n and (array_length(targetprocess_has_any)==0 or EventData has_any (targetprocess_has_any)) \n and (actorusername_has=='*' or EventData has actorusername_has) \n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))\n | parse-kv EventData as (\n ProcessId:string,\n ProcessGuid:string,\n Image:string,\n User:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n ActorUsername = User,\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessGuid = ProcessGuid,\n TargetProcessId = ProcessId\n | where // post-filtering\n (actorusername_has=='*' or ActorUsername has actorusername_has) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n | extend \n EventProduct = \"Sysmon\"\n | project-away EventData, ParameterXml, RenderedDescription, MG, ManagementGroupName, Message, AzureDeploymentID, SourceSystem, EventCategory, EventLevelName, EventLevel, EventLog, Role, TenantId, UserName, Source\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID,_ResourceId\n ;\n parser_Event\n };\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n 
actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", + "category": "ASIM", + "FunctionAlias": "vimProcessEventTerminateMicrosoftSysmon", + "query": "let parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n actorusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n disabled:bool=false\n ) {\n // this is the parser for sysmon from Event table\n let parser_Event =\n Event\n | where // pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and Source == \"Microsoft-Windows-Sysmon\" and EventID == 5\n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_all)==0) \n and (array_length(commandline_has_any)==0) \n and (array_length(commandline_has_any_ip_prefix)==0) \n and 
(array_length(actingprocess_has_any)==0) \n and (array_length(parentprocess_has_any)==0) \n and (array_length(targetprocess_has_any)==0 or EventData has_any (targetprocess_has_any)) \n and (actorusername_has=='*' or EventData has actorusername_has) \n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any))\n | parse-kv EventData as (\n ProcessId:string,\n ProcessGuid:string,\n Image:string,\n User:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n ActorUsername = User,\n DvcHostname = Computer,\n TargetProcessName = Image,\n TargetProcessGuid = ProcessGuid,\n TargetProcessId = ProcessId\n | where // post-filtering\n (actorusername_has=='*' or ActorUsername has actorusername_has) \n and (array_length(targetprocess_has_any)==0 or TargetProcessName has_any (targetprocess_has_any)) \n | extend \n EventProduct = \"Sysmon\"\n | project-away EventData, ParameterXml, RenderedDescription, MG, ManagementGroupName, Message, AzureDeploymentID, SourceSystem, EventCategory, EventLevelName, EventLevel, EventLog, Role, TenantId, UserName, Source\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername),'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away EventID,_ResourceId\n ;\n parser_Event\n };\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n 
targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmonWindowsEvent/vimProcessTerminateMicrosoftSysmonWindowsEvent.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmonWindowsEvent/vimProcessTerminateMicrosoftSysmonWindowsEvent.json index 361a9f597a7..a8283b911bb 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmonWindowsEvent/vimProcessTerminateMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSysmonWindowsEvent/vimProcessTerminateMicrosoftSysmonWindowsEvent.json 
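Review bot: The savedSearch resource name and `FunctionAlias` on the new side are `vimProcessEventTerminateMicrosoftSysmon`, but the template file is `vimProcessTerminateMicrosoftSysmon.json` and the SecurityEvents sibling uses the `vimProcessTerminate...` form; the same mismatch is in the vimProcessTerminateMicrosoftSysmonWindowsEvent hunk, whose alias is `vimProcessEventTerminateMicrosoftSysmonWindowsEvent`. The `displayName` also reads "Process Terminate Event ASIM parser for Microsoft Windows Security Events" although the query selects `Source == "Microsoft-Windows-Sysmon" and EventID == 5` from the `Event` table, so the deployed function is mislabelled in the workspace. If the aliases are kept deliberately for backward compatibility, a note in the parser YAML or README recording that would help; otherwise aligning alias and file name, and naming Sysmon in the displayName, would be the fix.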
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessEventTerminateMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessEventTerminateMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessEventTerminateMicrosoftSysmonWindowsEvent", - "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n let parser_WindowsEvent=\n WindowsEvent\n | where // pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n and Provider == \"Microsoft-Windows-Sysmon\" and EventID == 5\n and (eventtype == '*' or eventtype == 'ProcessTerminated')\n and (array_length(commandline_has_all) == 0) \n and (array_length(commandline_has_any) == 0) \n and (array_length(commandline_has_any_ip_prefix) == 0) \n and (array_length(actingprocess_has_any) == 0) \n and 
(array_length(parentprocess_has_any) == 0) \n and (array_length(targetprocess_has_any) == 0 or EventData has_any (targetprocess_has_any)) \n and (actorusername_has == '*' or EventData has actorusername_has) \n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend\n EventProduct = \"Security Events\",\n ActorUsername = tostring(EventData.User),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string))\n | where // post-filtering\n (actorusername_has == '*' or ActorUsername has actorusername_has) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | project-away\n Channel,\n Data,\n EventData,\n EventLevelName,\n EventLevel,\n ManagementGroupName,\n Provider,\n RawEventData,\n SourceSystem,\n Task,\n TenantId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away\n EventID,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n _ResourceId\n ;\n parser_WindowsEvent\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n 
commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for Microsoft Windows Security Events", + "category": "ASIM", + "FunctionAlias": "vimProcessEventTerminateMicrosoftSysmonWindowsEvent", + "query": "let parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false\n ) {\n let parser_WindowsEvent=\n WindowsEvent\n | where // pre-filtering\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n and Provider == \"Microsoft-Windows-Sysmon\" and EventID == 5\n and (eventtype == '*' or eventtype == 
'ProcessTerminated')\n and (array_length(commandline_has_all) == 0) \n and (array_length(commandline_has_any) == 0) \n and (array_length(commandline_has_any_ip_prefix) == 0) \n and (array_length(actingprocess_has_any) == 0) \n and (array_length(parentprocess_has_any) == 0) \n and (array_length(targetprocess_has_any) == 0 or EventData has_any (targetprocess_has_any)) \n and (actorusername_has == '*' or EventData has actorusername_has) \n and (array_length(dvcipaddr_has_any_prefix) == 0)\n and (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend\n EventProduct = \"Security Events\",\n ActorUsername = tostring(EventData.User),\n TargetProcessName = tostring(EventData.Image),\n TargetProcessId = tostring(EventData.ProcessId),\n TargetProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string))\n | where // post-filtering\n (actorusername_has == '*' or ActorUsername has actorusername_has) \n and (array_length(targetprocess_has_any) == 0 or TargetProcessName has_any (targetprocess_has_any)) \n | project-rename\n DvcHostname = Computer,\n EventOriginalUid = EventOriginId\n | project-away\n Channel,\n Data,\n EventData,\n EventLevelName,\n EventLevel,\n ManagementGroupName,\n Provider,\n RawEventData,\n SourceSystem,\n Task,\n TenantId\n | extend \n EventType = \"ProcessTerminated\",\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventCount = int(1),\n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\",\n EventSchema = 'ProcessEvent',\n EventOriginalType=tostring(EventID),\n EventResult = 'Success',\n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n // -- Aliases \n User = ActorUsername,\n Process = TargetProcessName,\n Dvc = DvcHostname\n | project-away\n EventID,\n Correlation,\n EventRecordId,\n Keywords,\n Opcode,\n SystemProcessId,\n SystemThreadId,\n SystemUserId,\n TimeCreated,\n Version,\n 
_ResourceId\n ;\n parser_WindowsEvent\n};\nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftWindowsEvents/vimProcessTerminateMicrosoftWindowsEvents.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftWindowsEvents/vimProcessTerminateMicrosoftWindowsEvents.json index c6fd467a2a9..f1444f95774 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftWindowsEvents/vimProcessTerminateMicrosoftWindowsEvents.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftWindowsEvents/vimProcessTerminateMicrosoftWindowsEvents.json 
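Review bot: The query on the new side sets `EventProduct = \"Security Events\",` although it filters `Provider == "Microsoft-Windows-Sysmon" and EventID == 5`, whereas the Event-table Sysmon parser in the previous hunk sets `EventProduct = \"Sysmon\"`; detections that key on EventProduct will attribute Sysmon process-termination events to a different product depending on which ingestion path delivered them. Changing the extend to `EventProduct = \"Sysmon\",` in the embedded query (and in the YAML source, if this template is generated from it) would make the two Sysmon parsers agree. `TargetProcessGuid` is derived with `extract ('^{(.*)}$', 1, ...)`, so a ProcessGuid that arrives without surrounding braces appears to yield an empty value rather than the raw GUID; worth confirming against sample data.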
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessTerminateMicrosoftWindowsEvents')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessTerminateMicrosoftWindowsEvents", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate Event ASIM parser for WEF Security Events", - "category": "ASIM", - "FunctionAlias": "vimProcessTerminateMicrosoftWindowsEvents", - "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet parser = (\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n actorusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n) {\nWindowsEvent\n| where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and EventID == 4689\n 
and (array_length(actingprocess_has_any)==0) \n and (array_length(parentprocess_has_any)==0) \n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_all)==0) \n and (array_length(commandline_has_any)==0) \n and (array_length(commandline_has_any_ip_prefix)==0) \n and (array_length(hashes_has_any)==0) \n and (array_length(targetprocess_has_any)==0 or EventData.ProcessName has_any (targetprocess_has_any)) \n and (actorusername_has=='*' or EventData has actorusername_has) \n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any)) \n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessTerminated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\"\n| where // -- post filtering\n (actorusername_has=='*' or ActorUsername has actorusername_has) \n| extend \n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n // Processes \n TargetProcessId = tostring(toint(tolong(EventData.ProcessId))),\n TargetProcessName = tostring(EventData.ProcessName),\n TargetProcessStatusCode = tostring(EventData.Status)\n| extend \n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n// -- Aliases\n| extend\n User = 
ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate Event ASIM parser for WEF Security Events", + "category": "ASIM", + "FunctionAlias": "vimProcessTerminateMicrosoftWindowsEvents", + "query": "let ASIM_GetFilenamePart = (path:string) { tostring(split(path,@'\\')[-1]) };\nlet ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { \n T \n | extend \n type = case (\n username == \"-\", \"\",\n domain == \"-\", \"Simple\",\n \"Windows\"\n ),\n username = case (\n username == \"-\", \"\",\n domain == '-', username,\n strcat(domain, @\"\\\" , username)\n )\n};\nlet parser = (\n 
starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n commandline_has_any:dynamic=dynamic([]),\n commandline_has_all:dynamic=dynamic([]),\n commandline_has_any_ip_prefix:dynamic=dynamic([]),\n actingprocess_has_any:dynamic=dynamic([]),\n targetprocess_has_any:dynamic=dynamic([]),\n parentprocess_has_any:dynamic=dynamic([]),\n actorusername_has:string='*',\n dvcipaddr_has_any_prefix:dynamic=dynamic([]),\n dvchostname_has_any:dynamic=dynamic([]),\n eventtype:string='*',\n hashes_has_any:dynamic=dynamic([]),\n disabled:bool=false\n) {\nWindowsEvent\n| where\n (isnull(starttime) or TimeGenerated >= starttime )\n and (isnull(endtime) or TimeGenerated <= endtime )\n and not(disabled)\n and EventID == 4689\n and (array_length(actingprocess_has_any)==0) \n and (array_length(parentprocess_has_any)==0) \n and (array_length(dvcipaddr_has_any_prefix)==0)\n and (eventtype=='*' or eventtype=='ProcessTerminated')\n and (array_length(commandline_has_all)==0) \n and (array_length(commandline_has_any)==0) \n and (array_length(commandline_has_any_ip_prefix)==0) \n and (array_length(hashes_has_any)==0) \n and (array_length(targetprocess_has_any)==0 or EventData.ProcessName has_any (targetprocess_has_any)) \n and (actorusername_has=='*' or EventData has actorusername_has) \n and (array_length(dvchostname_has_any)==0 or Computer has_any (dvchostname_has_any)) \n| project-rename\n DvcHostname = Computer\n| extend\n EventCount = int(1),\n EventVendor = 'Microsoft',\n EventProduct = 'Security Events',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'ProcessEvent',\n EventResult = 'Success',\n EventStartTime = todatetime(TimeGenerated),\n EventEndTime = todatetime(TimeGenerated),\n EventType = 'ProcessTerminated',\n EventOriginalType = tostring(EventID),\n DvcOs = 'Windows'\n| extend \n ActorUsername = strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), \n ActorUserId = tostring(EventData.SubjectUserSid)\n| extend\n ActorUserIdType = iff (ActorUserId <> 
\"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\"), \n ActorUsernameType = \"Windows\"\n| where // -- post filtering\n (actorusername_has=='*' or ActorUsername has actorusername_has) \n| extend \n ActorUserSid = ActorUserId,\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n| extend\n ActorSessionId = tostring(toint(EventData.SubjectLogonId)),\n // Processes \n TargetProcessId = tostring(toint(tolong(EventData.ProcessId))),\n TargetProcessName = tostring(EventData.ProcessName),\n TargetProcessStatusCode = tostring(EventData.Status)\n| extend \n TargetProcessFilename = ASIM_GetFilenamePart(TargetProcessName)\n// -- Aliases\n| extend\n User = ActorUsername,\n Dvc = DvcHostname,\n Process = TargetProcessName\n| project-away Channel, EventData, Data, EventID, EventLevelName, EventLevel, Provider, RawEventData, Task, TenantId, ManagementGroupName, SourceSystem, EventOriginId\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n hashes_has_any=hashes_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',hashes_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json index 3e6f481abb2..c13f5be5287 100644 --- a/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json +++ b/Parsers/ASimProcessEvent/ARM/vimProcessTerminateVMwareCarbonBlackCloud/vimProcessTerminateVMwareCarbonBlackCloud.json 
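Review bot: The new `query` for vimProcessTerminateMicrosoftWindowsEvents still defines `let ASIM_ResolveWindowsUsername = (T:(username:string, domain:string, sid:string)) { ... };`, but nothing in the parser body references it — `ActorUsername` is built with `strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName)` and the type comes from `_ASIM_GetWindowsUserType`, so the binding is dead code carried over from the old side. Since this JSON appears to be generated from the parser YAML (the convertKqlFunctionYamlToArmTemplate workflow is touched in this same diff), the unused `let` should be removed in the YAML source rather than patched here. Separately, the flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource no longer declares the workspace or a `dependsOn`, so deployment now presumes the workspace named by `parameters('Workspace')` already exists; the same applies to the vimProcessTerminateVMwareCarbonBlackCloud and ASimRegistryEvent hunks below, and the `Workspace` parameter description above this hunk is the place to state that prerequisite.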
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimProcessTerminateVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimProcessTerminateVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Process Terminate ASIM parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimProcessTerminateVMwareCarbonBlackCloud", - "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (eventType_s == \"endpoint.event.procend\" and 
isnotempty(process_pid_d))\n and (eventtype == '*' or eventtype == 'ProcessTerminated')\n and array_length(parentprocess_has_any) == 0\n and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix)) \n and (actorusername_has == '*' or process_username_s has actorusername_has) \n and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all) or process_cmdline_s has_all (commandline_has_all))\n and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any) or process_cmdline_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix) or has_any_ipv4_prefix(process_cmdline_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or parent_path_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or process_path_s has_any (targetprocess_has_any)) \n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(process_pid_d)),\n ActingProcessId = tostring(toint(parent_pid_d)),\n ActorUsername = process_username_s,\n TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"alert_id\", alert_id_g,\n \"process_reputation\", process_reputation_s,\n \"parent_reputation\", parent_reputation_s,\n \"parent_guid\", parent_guid_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n 
TargetProcessName = process_path_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = parent_cmdline_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ActingProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessTerminated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Process Terminate ASIM parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimProcessTerminateVMwareCarbonBlackCloud", + "query": "let EventFieldsLookup = datatable(\n sensor_action_s: string,\n DvcAction: string,\n EventResult: string\n)[\n \"ACTION_ALLOW\", \"Allow\", \"Success\",\n \"ACTION_BLOCK\", \"Block\", \"Failure\",\n \"ACTION_TERMINATE\", \"Terminate\", \"Failure\",\n \"ACTION_BREAK\", \"Break\", \"Failure\",\n \"ACTION_SUSPEND\", \"Suspend\", \"Failure\",\n \"\", \"\", \"Success\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n commandline_has_any: dynamic=dynamic([]),\n commandline_has_all: dynamic=dynamic([]),\n commandline_has_any_ip_prefix: dynamic=dynamic([]),\n actingprocess_has_any: dynamic=dynamic([]),\n targetprocess_has_any: dynamic=dynamic([]),\n parentprocess_has_any: dynamic=dynamic([]),\n actorusername_has: string='*',\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n eventtype: string='*',\n disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (eventType_s == \"endpoint.event.procend\" and isnotempty(process_pid_d))\n and (eventtype == '*' or eventtype == 'ProcessTerminated')\n and array_length(parentprocess_has_any) == 0\n and 
(array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(device_external_ip_s, dvcipaddr_has_any_prefix)) \n and (actorusername_has == '*' or process_username_s has actorusername_has) \n and (array_length(commandline_has_all) == 0 or target_cmdline_s has_all (commandline_has_all) or process_cmdline_s has_all (commandline_has_all))\n and (array_length(commandline_has_any) == 0 or target_cmdline_s has_any (commandline_has_any) or process_cmdline_s has_any (commandline_has_any)) \n and (array_length(commandline_has_any_ip_prefix) == 0 or has_any_ipv4_prefix(target_cmdline_s, commandline_has_any_ip_prefix) or has_any_ipv4_prefix(process_cmdline_s, commandline_has_any_ip_prefix)) \n and (array_length(actingprocess_has_any) == 0 or parent_path_s has_any (actingprocess_has_any)) \n and (array_length(targetprocess_has_any) == 0 or process_path_s has_any (targetprocess_has_any)) \n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | parse process_hash_s with * '[\"' TargetProcessMD5: string '\",\"' TargetProcessSHA256: string '\"]'\n | parse parent_hash_s with * '[\"' ActingProcessMD5: string '\",\"' ActingProcessSHA256: string '\"]'\n | lookup EventFieldsLookup on sensor_action_s\n | extend\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n TargetProcessId = tostring(toint(process_pid_d)),\n ActingProcessId = tostring(toint(parent_pid_d)),\n ActorUsername = process_username_s,\n TargetProcessCommandLine = coalesce(target_cmdline_s, process_cmdline_s),\n AdditionalFields = bag_pack(\n \"org_key\", org_key_s,\n \"alert_id\", alert_id_g,\n \"process_reputation\", process_reputation_s,\n \"parent_reputation\", parent_reputation_s,\n \"parent_guid\", parent_guid_s,\n \"process_guid\", process_guid_s\n )\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | project-rename \n TargetProcessName = process_path_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n ActingProcessCommandLine = 
parent_cmdline_s,\n DvcId = device_id_s,\n DvcOriginalAction = sensor_action_s,\n DvcOs = device_os_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ActingProcessName = parent_path_s,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchemaVersion = \"0.1.4\",\n EventType = \"ProcessTerminated\",\n EventVendor = \"VMware\",\n EventSchema = \"ProcessEvent\"\n | extend \n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Hash = coalesce(TargetProcessSHA256, TargetProcessMD5),\n CommandLine = TargetProcessCommandLine,\n Process = TargetProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n HashType = case(\n isnotempty(TargetProcessSHA256),\n \"TargetProcessSHA256\",\n isnotempty(TargetProcessMD5),\n \"TargetProcessMD5\",\n \"\"\n )\n | project-away\n *_s,\n *_d,\n *_g,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n commandline_has_any=commandline_has_any,\n commandline_has_all=commandline_has_all,\n commandline_has_any_ip_prefix=commandline_has_any_ip_prefix,\n actingprocess_has_any=actingprocess_has_any,\n targetprocess_has_any=targetprocess_has_any,\n parentprocess_has_any=parentprocess_has_any,\n actorusername_has=actorusername_has,\n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,\n dvchostname_has_any=dvchostname_has_any,\n eventtype=eventtype,\n disabled=disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),commandline_has_any:dynamic=dynamic([]),commandline_has_all:dynamic=dynamic([]),commandline_has_any_ip_prefix:dynamic=dynamic([]),actingprocess_has_any:dynamic=dynamic([]),targetprocess_has_any:dynamic=dynamic([]),parentprocess_has_any:dynamic=dynamic([]),actorusername_has:string='*',dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),eventtype:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEvent/ASimRegistryEvent.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEvent/ASimRegistryEvent.json index 5309fb04f2b..8344eaa34df 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEvent/ASimRegistryEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEvent/ASimRegistryEvent.json 
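Review bot: The new `let parser` signature and `functionParameters` for vimProcessTerminateVMwareCarbonBlackCloud omit `hashes_has_any`, while the vimProcessTerminateMicrosoftWindowsEvents template in this same diff declares `hashes_has_any:dynamic=dynamic([])` and pre-filters on it, so two source-specific parsers of the same schema expose different signatures. If the schema-level union parser (outside this diff) passes `hashes_has_any` through to every source parser, the call to this one would presumably fail to resolve; if the filter is intentionally unsupported here, adding `hashes_has_any: dynamic=dynamic([])` to the parameter list and `and (array_length(hashes_has_any) == 0)` to the `where` keeps the signatures aligned in the same way the Windows Events parser does. As the JSON is generated, the change belongs in the parser YAML, and the `functionParameters` string would need to follow.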
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistry')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistry", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser", - "category": "ASIM", - "FunctionAlias": "ASimRegistry", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimRegistryEventEmpty,\n ASimRegistryEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSecurityEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))),\n ASimRegistryEventSentinelOne(disabled=(ASimBuiltInDisabled or 
('ExcludeASimRegistryEventSentinelOne' in (DisabledParsers) ))),\n ASimRegistryEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventNative' in (DisabledParsers) ))),\n ASimRegistryEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimRegistryEventTrendMicroVisionOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser", + "category": "ASIM", + "FunctionAlias": "ASimRegistry", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimRegistryEventEmpty,\n ASimRegistryEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n ASimRegistryEventMicrosoftSecurityEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))),\n ASimRegistryEventSentinelOne(disabled=(ASimBuiltInDisabled or 
('ExcludeASimRegistryEventSentinelOne' in (DisabledParsers) ))),\n ASimRegistryEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventNative' in (DisabledParsers) ))),\n ASimRegistryEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimRegistryEventTrendMicroVisionOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json index 1ae310de4e6..335f346fcd7 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoft365D/ASimRegistryEventMicrosoft365D.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft 365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventMicrosoft365D", - "query": "let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"None\", \"Reg_None\",\n \"String\", \"Reg_Sz\",\n \"ExpandString\", \"Reg_Expand_Sz\",\n \"Binary\", \"Reg_Binary\",\n \"Dword\", \"Reg_DWord\",\n \"MultiString\", \"Reg_Multi_Sz\",\n \"QWord\", \"Reg_QWord\"\n];\nlet parser = (\n disabled: bool=false\n ) {\n DeviceRegistryEvents\n | where not(disabled)\n | extend\n // Event\n EventOriginalUid = tostring(ReportId), \n EventCount = int(1), \n EventProduct = 'M365 Defender for Endpoint', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventType = ActionType,\n // Registry\n RegistryKey = iff (ActionType in (\"RegistryKeyDeleted\", \"RegistryValueDeleted\"), PreviousRegistryKey, RegistryKey),\n RegistryValue = iff (ActionType == \"RegistryValueDeleted\", PreviousRegistryValueName, RegistryValueName),\n // RegistryValueType -- original name is fine \n // RegistryValueData -- original name is fine \n RegistryKeyModified = iff (ActionType == \"RegistryKeyRenamed\", PreviousRegistryKey, \"\"),\n RegistryValueModified = iff (ActionType == 
\"RegistryValueSet\", PreviousRegistryValueName, \"\"),\n // RegistryValueTypeModified -- Not provided by Defender\n RegistryValueDataModified = PreviousRegistryValueData\n | lookup RegistryType on $left.RegistryValueType == $right.TypeCode\n | extend RegistryValueType = TypeName\n | project-away\n TypeName,\n PreviousRegistryKey,\n PreviousRegistryValueName,\n PreviousRegistryValueData\n // Device\n | extend\n DvcHostname = DeviceName, \n DvcId = DeviceId, \n Dvc = DeviceName \n // Users\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)), \n ActorUsernameType = iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'), \n ActorUserIdType = 'SID'\n //| project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName\n | project-rename\n ActorUserId = InitiatingProcessAccountSid, \n ActorUserAadId = InitiatingProcessAccountObjectId, \n ActorUserUpn = InitiatingProcessAccountUpn\n // Processes\n | extend\n ActingProcessId = tostring(InitiatingProcessId), \n ParentProcessId = tostring(InitiatingProcessParentId) \n | project-away InitiatingProcessId, InitiatingProcessParentId\n | project-rename\n ParentProcessName = InitiatingProcessParentFileName, \n ParentProcessCreationTime = InitiatingProcessParentCreationTime, \n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFileName = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, //OK\n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, \n ActingProcessTokenElevation = InitiatingProcessTokenElevation, \n ActingProcessCreationTime = InitiatingProcessCreationTime \n // -- aliases\n | extend \n Username = ActorUsername,\n UserId = ActorUserId,\n UserIdType = ActorUserIdType,\n User = 
ActorUsername,\n CommandLine = ActingProcessCommandLine,\n Process = ActingProcessName\n};\nparser (\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft 365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventMicrosoft365D", + "query": "let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"None\", \"Reg_None\",\n \"String\", \"Reg_Sz\",\n \"ExpandString\", \"Reg_Expand_Sz\",\n \"Binary\", \"Reg_Binary\",\n \"Dword\", \"Reg_DWord\",\n \"MultiString\", \"Reg_Multi_Sz\",\n \"QWord\", \"Reg_QWord\"\n];\nlet parser = (\n disabled: bool=false\n ) {\n DeviceRegistryEvents\n | where not(disabled)\n | extend\n // Event\n EventOriginalUid = tostring(ReportId), \n EventCount = int(1), \n EventProduct = 'M365 Defender for Endpoint', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventType = ActionType,\n // Registry\n RegistryKey = iff (ActionType in (\"RegistryKeyDeleted\", \"RegistryValueDeleted\"), PreviousRegistryKey, RegistryKey),\n RegistryValue = iff (ActionType == \"RegistryValueDeleted\", PreviousRegistryValueName, RegistryValueName),\n // RegistryValueType -- original name is fine \n // RegistryValueData -- original name is fine \n RegistryKeyModified = iff (ActionType == \"RegistryKeyRenamed\", PreviousRegistryKey, \"\"),\n RegistryValueModified = iff (ActionType == \"RegistryValueSet\", PreviousRegistryValueName, \"\"),\n // RegistryValueTypeModified -- Not provided by Defender\n RegistryValueDataModified = PreviousRegistryValueData\n | lookup RegistryType on $left.RegistryValueType == $right.TypeCode\n | extend RegistryValueType = TypeName\n | project-away\n TypeName,\n PreviousRegistryKey,\n PreviousRegistryValueName,\n PreviousRegistryValueData\n // Device\n | extend\n DvcHostname = 
DeviceName, \n DvcId = DeviceId, \n Dvc = DeviceName \n // Users\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)), \n ActorUsernameType = iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'), \n ActorUserIdType = 'SID'\n //| project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName\n | project-rename\n ActorUserId = InitiatingProcessAccountSid, \n ActorUserAadId = InitiatingProcessAccountObjectId, \n ActorUserUpn = InitiatingProcessAccountUpn\n // Processes\n | extend\n ActingProcessId = tostring(InitiatingProcessId), \n ParentProcessId = tostring(InitiatingProcessParentId) \n | project-away InitiatingProcessId, InitiatingProcessParentId\n | project-rename\n ParentProcessName = InitiatingProcessParentFileName, \n ParentProcessCreationTime = InitiatingProcessParentCreationTime, \n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFileName = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, //OK\n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, \n ActingProcessTokenElevation = InitiatingProcessTokenElevation, \n ActingProcessCreationTime = InitiatingProcessCreationTime \n // -- aliases\n | extend \n Username = ActorUsername,\n UserId = ActorUserId,\n UserIdType = ActorUserIdType,\n User = ActorUsername,\n CommandLine = ActingProcessCommandLine,\n Process = ActingProcessName\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSecurityEvent/ASimRegistryEventMicrosoftSecurityEvent.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSecurityEvent/ASimRegistryEventMicrosoftSecurityEvent.json index 5a1399079f2..f5cc5a86d0b 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSecurityEvent/ASimRegistryEventMicrosoftSecurityEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSecurityEvent/ASimRegistryEventMicrosoftSecurityEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventMicrosoftSecurityEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventMicrosoftSecurityEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft Windows Events (registry creation event)", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventMicrosoftSecurityEvent", - "query": "let parser = (\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseSecurityEvents = (SecurityEvent: (SubjectDomainName: string, SubjectUserName: string, ProcessId: string, ObjectName: string, SubjectUserSid: string, SubjectLogonId: string, ProcessName: string)) {\n SecurityEvent\n | project-rename\n ActorUsername = SubjectUserName\n ,\n ActorUserId = SubjectUserSid\n ,\n ActorSessionId = SubjectLogonId\n ,\n ActingProcessName = ProcessName\n ,\n ActorDomainName = SubjectDomainName\n | extend\n ActorUsername = iif(isnotempty(ActorDomainName), strcat(ActorDomainName, @'\\', ActorUsername), ActorUsername)\n ,\n ActingProcessId = tostring(toint(tolong(ProcessId)))\n ,\n RegistryKey = iif(\n ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(ObjectName, @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(ObjectName, @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: 
string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n SecurityEvent\n | where not(disabled)\n | where EventID == 4663 and ObjectType == \"Key\"\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | invoke ASIM_ParseSecurityEvents()\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where EventID == 4657\n | invoke ASIM_ParseSecurityEvents()\n | extend\n EventOriginalSubType = OperationType\n ,\n RegistryValue = ObjectValueName\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue,\n RegistryValue\n )\n | lookup RegistryType on 
$left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n disabled = 
disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft Windows Events (registry creation event)", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventMicrosoftSecurityEvent", + "query": "let parser = (\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseSecurityEvents = (SecurityEvent: (SubjectDomainName: string, SubjectUserName: string, ProcessId: string, ObjectName: string, SubjectUserSid: string, SubjectLogonId: string, ProcessName: string)) {\n SecurityEvent\n | project-rename\n ActorUsername = SubjectUserName\n ,\n ActorUserId = SubjectUserSid\n ,\n ActorSessionId = SubjectLogonId\n ,\n ActingProcessName = ProcessName\n ,\n ActorDomainName = SubjectDomainName\n | extend\n ActorUsername = iif(isnotempty(ActorDomainName), strcat(ActorDomainName, @'\\', ActorUsername), ActorUsername)\n ,\n ActingProcessId = tostring(toint(tolong(ProcessId)))\n ,\n RegistryKey = iif(\n ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(ObjectName, @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(ObjectName, @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = 
datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n SecurityEvent\n | where not(disabled)\n | where EventID == 4663 and ObjectType == \"Key\"\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | invoke ASIM_ParseSecurityEvents()\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where EventID == 4657\n | invoke ASIM_ParseSecurityEvents()\n | extend\n EventOriginalSubType = OperationType\n ,\n RegistryValue = ObjectValueName\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue,\n RegistryValue\n )\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | 
project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmon/ASimRegistryEventMicrosoftSysmon.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmon/ASimRegistryEventMicrosoftSysmon.json index 65b36c6c540..67ca69ac58a 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmon/ASimRegistryEventMicrosoftSysmon.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmon/ASimRegistryEventMicrosoftSysmon.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft Sysmon (registry creation event)", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventMicrosoftSysmon", - "query": "let parser = (\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from Event table\n // Create the raw table from the raw XML file structure\n let ParsedRegistryEvent_Event=() {\n Event\n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | parse EventData with \n * ''RuleName // parsing the XML using the original fields name - for readibliy \n ''EventType\n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId\n ''Image\n ''TargetObject\n '' EventDataRemainder \n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\n | project-away EventDataRemainder\n // End of XML parse\n | extend \n EventStartTime = 
todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID), \n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | project-rename \n EventMessage = RenderedDescription, \n DvcHostName = Computer, \n ActingProcessId = ProcessId,\n ActingProcessGuid = ProcessGuid, \n ActingProcessName = Image \n // Lookup Event Type\n | lookup RegistryAction on EventType \n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, 
\"\"),\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\",\n Rule=RuleName\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n ParameterXml,\n DvcHostName,\n EventCategory,\n EventID,\n EventLevelName,\n EventLevel,\n EventLog,\n Hive1,\n MG,\n AzureDeploymentID,\n RegistryKeyModified,\n RegistryValueModified,\n Role,\n SourceSystem,\n Source,\n TenantId,\n UserName,\n UtcTime,\n ManagementGroupName,\n Message,_ResourceId\n };\n ParsedRegistryEvent_Event\n };\n parser (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft Sysmon (registry creation event)", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventMicrosoftSysmon", + "query": "let parser = (\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from Event table\n // Create the raw table from the raw XML file structure\n let ParsedRegistryEvent_Event=() {\n Event\n | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | parse EventData with \n * ''RuleName // parsing the XML using the original fields name - for readibliy \n ''EventType\n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId\n ''Image\n ''TargetObject\n '' EventDataRemainder \n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\n | 
project-away EventDataRemainder\n // End of XML parse\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID), \n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | project-rename \n EventMessage = RenderedDescription, \n DvcHostName = Computer, \n ActingProcessId = ProcessId,\n ActingProcessGuid = ProcessGuid, \n ActingProcessName = Image \n // Lookup Event Type\n | lookup RegistryAction on EventType \n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, 
\"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\",\n Rule=RuleName\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n ParameterXml,\n DvcHostName,\n EventCategory,\n EventID,\n EventLevelName,\n EventLevel,\n EventLog,\n Hive1,\n MG,\n AzureDeploymentID,\n RegistryKeyModified,\n RegistryValueModified,\n Role,\n SourceSystem,\n Source,\n TenantId,\n UserName,\n UtcTime,\n ManagementGroupName,\n Message,_ResourceId\n };\n ParsedRegistryEvent_Event\n };\n parser (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmonWindowsEvent/ASimRegistryEventMicrosoftSysmonWindowsEvent.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmonWindowsEvent/ASimRegistryEventMicrosoftSysmonWindowsEvent.json index 61dce80a432..8fcce5bca8a 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmonWindowsEvent/ASimRegistryEventMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftSysmonWindowsEvent/ASimRegistryEventMicrosoftSysmonWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft Sysmon (registry creation event)", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventMicrosoftSysmonWindowsEvent", - "query": "let parser = (\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from WindowsEvent table\n let ParsedRegistryEvent_WindowsEvent=() {\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID),\n EventType = tostring(EventData.EventType),\n DvcOs = \"Windows\",\n EventMessage = 
tostring(EventData.RenderedDescription), \n ActorUsername = tostring(EventData.User),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n ActingProcessName = tostring(EventData.Image),\n TargetObject = tostring(EventData.TargetObject),\n Parameter = tostring(EventData.Parameter)\n | project-rename\n DvcHostName = Computer \n | lookup RegistryAction on EventType\n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | extend // aliases\n User = 
ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\"\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n Channel,Correlation,Data,DvcHostName,EventID,EventLevelName,EventLevel,EventOriginId,EventRecordId,Hive1,Keywords,ManagementGroupName,_ResourceId,Opcode,Provider,RawEventData,RegistryKeyModified,RegistryValueModified,SourceSystem,SystemProcessId,SystemThreadId,SystemUserId,Task,TenantId,TimeCreated,Version,_ResourceId\n };\n ParsedRegistryEvent_WindowsEvent\n };\n parser (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft Sysmon (registry creation event)", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventMicrosoftSysmonWindowsEvent", + "query": "let parser = (\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from WindowsEvent table\n let ParsedRegistryEvent_WindowsEvent=() {\n WindowsEvent\n | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID),\n EventType = tostring(EventData.EventType),\n DvcOs = \"Windows\",\n EventMessage 
= tostring(EventData.RenderedDescription), \n ActorUsername = tostring(EventData.User),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n ActingProcessName = tostring(EventData.Image),\n TargetObject = tostring(EventData.TargetObject),\n Parameter = tostring(EventData.Parameter)\n | project-rename\n DvcHostName = Computer \n | lookup RegistryAction on EventType\n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | extend // aliases\n User = 
ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\"\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n Channel,Correlation,Data,DvcHostName,EventID,EventLevelName,EventLevel,EventOriginId,EventRecordId,Hive1,Keywords,ManagementGroupName,_ResourceId,Opcode,Provider,RawEventData,RegistryKeyModified,RegistryValueModified,SourceSystem,SystemProcessId,SystemThreadId,SystemUserId,Task,TenantId,TimeCreated,Version,_ResourceId\n };\n ParsedRegistryEvent_WindowsEvent\n };\n parser (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftWindowsEvent/ASimRegistryEventMicrosoftWindowsEvent.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftWindowsEvent/ASimRegistryEventMicrosoftWindowsEvent.json index 5ed1071d700..4ecb7e00a70 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftWindowsEvent/ASimRegistryEventMicrosoftWindowsEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventMicrosoftWindowsEvent/ASimRegistryEventMicrosoftWindowsEvent.json 
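Review bot: The trailing `project-away` list in the new `query` string names `_ResourceId` twice and also removes `Hive1`, a column this parser never creates (its hive lookup column is `Hive`, already dropped earlier by `| project-away KeyPrefix, KeyMain, Hive`). I am not certain how the Kusto engine treats a duplicated or unknown name in `project-away`; if it is rejected the function fails to bind and the Sysmon registry events are lost from every consumer, so the list should be reduced to a single `_ResourceId` with `Hive1` removed. Since this JSON appears to be regenerated from the parser YAML by the convert workflow, the cleanup belongs in the YAML source rather than in this file. On the template change itself, dropping the parent `Microsoft.OperationalInsights/workspaces` resource means deployment no longer needs write access to the workspace, only to `workspaces/savedSearches`, which is the right least-privilege direction; note that `"etag": "*"` still unconditionally overwrites any existing saved search of that name.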
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft Windows Events (registry creation event)", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventMicrosoftWindowsEvent", - "query": "let parser = (\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {\n WindowsEvent\n | extend\n ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), EventData.SubjectUserName)\n ,\n ActorDomainName = tostring(EventData.SubjectDomainName)\n ,\n ActorUserId = tostring(EventData.SubjectUserSid)\n ,\n ActorSessionId = tostring(EventData.SubjectLogonId)\n ,\n ActingProcessName = tostring(EventData.ProcessName)\n ,\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))\n ,\n RegistryKey = iif(\n EventData.ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n 
\"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where EventID == 4663 and EventData.ObjectType == \"Key\"\n | extend\n AccessMask = tostring(EventData.AccessMask)\n ,\n Type = \"WindowsEvent\"\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | invoke ASIM_ParseWindowsEvents()\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where EventID == 4657\n | invoke ASIM_ParseWindowsEvents()\n | extend\n EventOriginalSubType = tostring(EventData.OperationType)\n ,\n OldValue = tostring(EventData.OldValue)\n ,\n NewValue = tostring(EventData.NewValue)\n ,\n RegistryValue = tostring(EventData.ObjectValueName)\n ,\n NewValueType = tostring(EventData.NewValueType)\n ,\n OldValueType = tostring(EventData.OldValueType)\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | project\n TimeGenerated,\n 
Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n RegistryValue,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n 
,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId };\nparser (\n disabled = disabled\n)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft Windows Events (registry creation event)", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventMicrosoftWindowsEvent", + "query": "let parser = (\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {\n WindowsEvent\n | extend\n ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), EventData.SubjectUserName)\n ,\n ActorDomainName = tostring(EventData.SubjectDomainName)\n ,\n ActorUserId = tostring(EventData.SubjectUserSid)\n ,\n ActorSessionId = tostring(EventData.SubjectLogonId)\n ,\n ActingProcessName = tostring(EventData.ProcessName)\n ,\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))\n ,\n RegistryKey = iif(\n EventData.ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", 
\"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where EventID == 4663 and EventData.ObjectType == \"Key\"\n | extend\n AccessMask = tostring(EventData.AccessMask)\n ,\n Type = \"WindowsEvent\"\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | invoke ASIM_ParseWindowsEvents()\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where EventID == 4657\n | invoke ASIM_ParseWindowsEvents()\n | extend\n EventOriginalSubType = tostring(EventData.OperationType)\n ,\n OldValue = tostring(EventData.OldValue)\n ,\n NewValue = tostring(EventData.NewValue)\n ,\n RegistryValue = tostring(EventData.ObjectValueName)\n ,\n NewValueType = tostring(EventData.NewValueType)\n ,\n OldValueType = tostring(EventData.OldValueType)\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n RegistryValue,\n Type,\n NewValueType,\n OldValueType,\n 
EventOriginalSubType,\n OldValue,\n NewValue\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away 
ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId };\nparser (\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventNative/ASimRegistryEventNative.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventNative/ASimRegistryEventNative.json index d98d15b754e..fe5e650986e 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventNative/ASimRegistryEventNative.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventNative/ASimRegistryEventNative.json 
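Review bot: In the new `query`, the `Dvc` alias ends up empty for any host whose name is not an FQDN: the first `extend` sets `Dvc = iif(DvcDomainType == "FQDN", FQDN, "DvcHostname")`, where the else branch is the string literal `"DvcHostname"` rather than the column, and a later `extend` then redefines it as `Dvc = iif(DvcDomainType == "FQDN", Computer, "")`, which discards the hostname entirely. Analysts pivoting on `Dvc` from this parser get blank device names for short-hostname machines; the later line should read `Dvc = iif(DvcDomainType == "FQDN", Computer, DvcHostname)` and the earlier dead assignment should be removed. The same pattern is present in the removed lines, so this is pre-existing rather than introduced by the restructure; if this JSON is regenerated from the parser YAML by the convert workflow, the correction needs to go into the YAML source.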
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft Sentinel native Registry Event table", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventNative", - "query": "let parser=(disabled: bool=false) {\n ASimRegistryEventLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"RegistryEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n User = ActorUsername,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n Process = ActingProcessName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft Sentinel native Registry Event table", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventNative", + "query": "let parser=(disabled: bool=false) {\n ASimRegistryEventLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"RegistryEvent\",\n DvcScopeId 
= iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n User = ActorUsername,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n Process = ActingProcessName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventSentinelOne/ASimRegistryEventSentinelOne.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventSentinelOne/ASimRegistryEventSentinelOne.json index 774fe409837..4ece2bdd2bd 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventSentinelOne/ASimRegistryEventSentinelOne.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventSentinelOne/ASimRegistryEventSentinelOne.json 
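Review bot: In the new `query`, the start-time fallback checks the wrong column: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests `EventEndTime`, so a record with a null `EventStartTime` but a populated `EventEndTime` keeps its null start, while a record with a null end but a valid start has that start overwritten with `TimeGenerated`. The guard should be `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime)`, mirroring the `EventEndTime` line just above it. This is unchanged from the removed lines, so it is pre-existing rather than introduced here; if this ARM file is regenerated from the parser YAML by the convert workflow, the fix belongs in the YAML source so it is not reverted on the next regeneration.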
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventSentinelOne", - "query": "let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n[\n \"REGVALUEMODIFIED\", \"RegistryValueSet\",\n \"REGVALUECREATE\", \"RegistryValueSet\",\n \"REGKEYCREATE\", \"RegistryKeyCreated\",\n \"REGKEYDELETE\", \"RegistryKeyDeleted\",\n \"REGVALUEDELETE\", \"RegistryValueDeleted\",\n \"REGKEYRENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable (\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)\n [\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\n \"USER\", \"HKEY_USERS\",\n \"CONFIG\", \"HKEY_CURRENT_CONFIG\",\n \"ROOT\", \"HKEY_CLASSES_ROOT\"\n];\nlet RegistryPreviousValueTypeLookup = datatable (\n alertInfo_registryOldValueType_s: string,\n RegistryPreviousValueType_lookup: string\n)\n [\n \"BINARY\", \"Reg_Binary\",\n \"DWORD\", \"Reg_DWord\",\n \"QWORD\", \"Reg_QWord\",\n \"SZ\", \"Reg_Sz\",\n \"EXPAND_SZ\", \"Reg_Expand_Sz\",\n \"MULTI_SZ\", \"Reg_Multi_Sz\",\n \"DWORD_BIG_ENDIAN\", \"Reg_DWord\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n 
\"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) { \n let alldata = SentinelOne_CL \n | where not(disabled)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGKEYCREATE\", \"REGKEYDELETE\", \"REGVALUEDELETE\", \"REGKEYRENAME\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | lookup RegistryPreviousValueTypeLookup on alertInfo_registryOldValueType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend RegistryKeyPrefix = tostring(split(alertInfo_registryKeyPath_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(alertInfo_registryKeyPath_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | extend RegistryValue = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGVALUEDELETE\"), tostring(split(alertInfo_registryKeyPath_s, @'\\')[-1]), \"\")\n | extend RegistryValueType = case(\n alertInfo_registryValue_s matches 
regex '^[0-9]+$',\n \"Reg_Dword\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) <= 10,\n \"Reg_DWord\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) > 10,\n \"Reg_QWord\",\n alertInfo_registryValue_s matches regex '^[A-Fa-f0-9]+$',\n \"Reg_Binary\",\n \"\"\n )\n | extend RegistryValueType = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\") and isempty(RegistryValueType), \"Reg_Sz\", RegistryValueType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n EventStartTime= sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ParentProcessId = sourceParentProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n RegistryValueData = alertInfo_registryValue_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct), \n EventEndTime = EventStartTime,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValueData = coalesce(alertInfo_registryOldValue_s, RegistryValueData),\n RegistryPreviousValueType = coalesce(RegistryPreviousValueType_lookup, RegistryValueType),\n 
RegistryPreviousValue = RegistryValue,\n Process = ActingProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Rule = RuleName\n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix,\n RegistryPreviousValueType_lookup,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventSentinelOne", + "query": "let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n[\n \"REGVALUEMODIFIED\", \"RegistryValueSet\",\n \"REGVALUECREATE\", \"RegistryValueSet\",\n \"REGKEYCREATE\", \"RegistryKeyCreated\",\n \"REGKEYDELETE\", \"RegistryKeyDeleted\",\n \"REGVALUEDELETE\", \"RegistryValueDeleted\",\n \"REGKEYRENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable (\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)\n [\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\n \"USER\", \"HKEY_USERS\",\n \"CONFIG\", \"HKEY_CURRENT_CONFIG\",\n \"ROOT\", \"HKEY_CLASSES_ROOT\"\n];\nlet RegistryPreviousValueTypeLookup = datatable (\n alertInfo_registryOldValueType_s: string,\n RegistryPreviousValueType_lookup: string\n)\n [\n \"BINARY\", \"Reg_Binary\",\n \"DWORD\", \"Reg_DWord\",\n \"QWORD\", \"Reg_QWord\",\n \"SZ\", \"Reg_Sz\",\n \"EXPAND_SZ\", \"Reg_Expand_Sz\",\n \"MULTI_SZ\", \"Reg_Multi_Sz\",\n \"DWORD_BIG_ENDIAN\", \"Reg_DWord\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n 
\"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (disabled: bool=false) { \n let alldata = SentinelOne_CL \n | where not(disabled)\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGKEYCREATE\", \"REGKEYDELETE\", \"REGVALUEDELETE\", \"REGKEYRENAME\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | lookup RegistryPreviousValueTypeLookup on alertInfo_registryOldValueType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | extend RegistryKeyPrefix = tostring(split(alertInfo_registryKeyPath_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(alertInfo_registryKeyPath_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | extend RegistryValue = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGVALUEDELETE\"), tostring(split(alertInfo_registryKeyPath_s, @'\\')[-1]), \"\")\n | extend RegistryValueType = case(\n 
alertInfo_registryValue_s matches regex '^[0-9]+$',\n \"Reg_Dword\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) <= 10,\n \"Reg_DWord\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) > 10,\n \"Reg_QWord\",\n alertInfo_registryValue_s matches regex '^[A-Fa-f0-9]+$',\n \"Reg_Binary\",\n \"\"\n )\n | extend RegistryValueType = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\") and isempty(RegistryValueType), \"Reg_Sz\", RegistryValueType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n EventStartTime= sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ParentProcessId = sourceParentProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n RegistryValueData = alertInfo_registryValue_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct), \n EventEndTime = EventStartTime,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValueData = coalesce(alertInfo_registryOldValue_s, RegistryValueData),\n RegistryPreviousValueType = coalesce(RegistryPreviousValueType_lookup, 
RegistryValueType),\n RegistryPreviousValue = RegistryValue,\n Process = ActingProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Rule = RuleName\n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix,\n RegistryPreviousValueType_lookup,\n ThreatConfidence_*\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json index 1860d86c854..92947d8e069 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventTrendMicroVisionOne/ASimRegistryEventTrendMicroVisionOne.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventTrendMicroVisionOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventTrendMicroVisionOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for Trend Micro Vision One", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventTrendMicroVisionOne", - "query": "let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\n 0, \"Reg_None\",\n 1, \"Reg_Sz\",\n 2, \"Reg_Expand_Sz\",\n 3, \"Reg_Binary\",\n 4, \"Reg_DWord\",\n 5, \"Reg_DWord\",\n 7, \"Reg_Multi_Sz\",\n 11, \"Reg_QWord\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where 
not(disabled)\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventTypeLookup on detail_eventSubId_s\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend \n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\n ActingProcessId = tostring(toint(detail_processPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s,\n \"objectRegType\", detail_objectRegType_d\n )\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n RegistryValue = detail_objectRegistryValue_s,\n RegistryValueData = detail_objectRegistryData_s,\n ActingProcessName = detail_processName_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventUid = _ItemId,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n EventMessage = description\n | extend\n User = ActorUsername,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = 
_ASIM_GetUserType(ActorUsername,\"\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n Process = ActingProcessName,\n EventEndTime = EventStartTime,\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValue = RegistryValue,\n RegistryPreviousValueData = RegistryValueData,\n RegistryPreviousValueType = RegistryValueType\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n name,\n filters,\n *Prefix\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for Trend Micro Vision One", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventTrendMicroVisionOne", + "query": "let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\n 0, \"Reg_None\",\n 1, \"Reg_Sz\",\n 2, \"Reg_Expand_Sz\",\n 3, \"Reg_Binary\",\n 4, \"Reg_DWord\",\n 5, \"Reg_DWord\",\n 7, \"Reg_Multi_Sz\",\n 11, \"Reg_QWord\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n 
TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventTypeLookup on detail_eventSubId_s\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend \n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\n ActingProcessId = tostring(toint(detail_processPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s,\n \"objectRegType\", detail_objectRegType_d\n )\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n RegistryValue = detail_objectRegistryValue_s,\n RegistryValueData = detail_objectRegistryData_s,\n ActingProcessName = detail_processName_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventUid = _ItemId,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n EventMessage = description\n | extend\n User = ActorUsername,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", 
\"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername,\"\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n Process = ActingProcessName,\n EventEndTime = EventStartTime,\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValue = RegistryValue,\n RegistryPreviousValueData = RegistryValueData,\n RegistryPreviousValueType = RegistryValueType\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n name,\n filters,\n *Prefix\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json index a1d836c8012..fea19655e62 100644 --- a/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json +++ b/Parsers/ASimRegistryEvent/ARM/ASimRegistryEventVMwareCarbonBlackCloud/ASimRegistryEventVMwareCarbonBlackCloud.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimRegistryEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimRegistryEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "ASimRegistryEventVMwareCarbonBlackCloud", - "query": "let EventTypeLookup = datatable (temp_action: string, EventType: string)\n[\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\n \"ACTION_RENAME_KEY\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", \"ACTION_RENAME_KEY\"]);\nlet parser=(disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.regmod\"\n and isnotempty(regmod_name_s)\n | extend\n temp_action = case(\n action_s has \"|\" and action_s has \"delete\",\n \"ACTION_DELETE_KEY\",\n action_s has \"|\" and action_s !has \"delete\",\n \"ACTION_CREATE_KEY\",\n action_s\n ),\n RegistryKeyPrefix = 
tostring(split(regmod_name_s, @'\\')[0])\n | where temp_action in (actionvalues)\n | lookup EventTypeLookup on temp_action\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend\n RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\n ActingProcessId = tostring(toint(process_pid_d)),\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields = bag_pack(\n \"process_guid\", process_guid_s,\n \"parent_guid\", parent_guid_s \n )\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n EventUid = _ItemId,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = processDetails_parentName_s,\n ActorScopeId = org_key_s\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend\n EventCount = toint(1),\n EventProduct = \"Carbon Black Cloud\",\n EventVendor = \"VMware\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Process = ActingProcessName,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix\n};\nparser(disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for 
VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimRegistryEventVMwareCarbonBlackCloud", + "query": "let EventTypeLookup = datatable (temp_action: string, EventType: string)\n[\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\n \"ACTION_RENAME_KEY\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", \"ACTION_RENAME_KEY\"]);\nlet parser=(disabled: bool=false) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where eventType_s == \"endpoint.event.regmod\"\n and isnotempty(regmod_name_s)\n | extend\n temp_action = case(\n action_s has \"|\" and action_s has \"delete\",\n \"ACTION_DELETE_KEY\",\n action_s has \"|\" and action_s !has \"delete\",\n \"ACTION_CREATE_KEY\",\n action_s\n ),\n RegistryKeyPrefix = tostring(split(regmod_name_s, @'\\')[0])\n | where temp_action in (actionvalues)\n | lookup EventTypeLookup on temp_action\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend\n RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix),\n ActingProcessId = tostring(toint(process_pid_d)),\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields = bag_pack(\n \"process_guid\", process_guid_s,\n \"parent_guid\", parent_guid_s \n )\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n EventUid = _ItemId,\n ActingProcessName = 
process_path_s,\n DvcId = device_id_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = processDetails_parentName_s,\n ActorScopeId = org_key_s\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend\n EventCount = toint(1),\n EventProduct = \"Carbon Black Cloud\",\n EventVendor = \"VMware\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Process = ActingProcessName,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/imRegistryEvent/imRegistryEvent.json b/Parsers/ASimRegistryEvent/ARM/imRegistryEvent/imRegistryEvent.json index 7af55176ab9..d27e498feff 100644 --- a/Parsers/ASimRegistryEvent/ARM/imRegistryEvent/imRegistryEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/imRegistryEvent/imRegistryEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imRegistry')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imRegistry", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser", - "category": "ASIM", - "FunctionAlias": "imRegistry", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack:bool=false\n )\n {\nunion isfuzzy=true\n vimRegistryEventEmpty,\n vimRegistryEventMicrosoft365D (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n 
vimRegistryEventMicrosoftSysmon(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSysmonWindowsEvent(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftWindowsEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSecurityEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))),\n vimRegistryEventSentinelOne (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = 
registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventSentinelOne' in (DisabledParsers) ))),\n vimRegistryEventNative (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventNative' in (DisabledParsers) ))),\n vimRegistryEventVMwareCarbonBlackCloud(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registryvaluedata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimRegistryEventTrendMicroVisionOne (starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registrydata_has_any, dvchostname_has_any=dvchostname_has_any, disabled= (vimBuiltInDisabled or('ExcludevimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))\n };\n parser(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, pack=pack)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser", + "category": "ASIM", + "FunctionAlias": "imRegistry", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimRegistry') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimRegistryEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack:bool=false\n )\n {\nunion isfuzzy=true\n vimRegistryEventEmpty,\n vimRegistryEventMicrosoft365D (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoft365D' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSysmon(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, 
registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmon' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSysmonWindowsEvent(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftWindowsEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftWindowsEvent' in (DisabledParsers) ))),\n vimRegistryEventMicrosoftSecurityEvent (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventMicrosoftSecurityEvent' in (DisabledParsers) ))),\n vimRegistryEventSentinelOne (starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventSentinelOne' in (DisabledParsers) ))),\n vimRegistryEventNative (starttime = starttime, endtime 
= endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventNative' in (DisabledParsers) ))),\n vimRegistryEventVMwareCarbonBlackCloud(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registryvaluedata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, disabled=(vimBuiltInDisabled or('ExcludevimRegistryEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n vimRegistryEventTrendMicroVisionOne (starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registrydata_has_any, dvchostname_has_any=dvchostname_has_any, disabled= (vimBuiltInDisabled or('ExcludevimRegistryEventTrendMicroVisionOne' in (DisabledParsers) )))\n };\n parser(starttime = starttime, endtime = endtime, eventtype_in = eventtype_in, actorusername_has_any = actorusername_has_any, registrykey_has_any = registrykey_has_any, registryvalue_has_any = registryvalue_has_any, registrydata_has_any = registrydata_has_any, dvchostname_has_any= dvchostname_has_any, pack=pack)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventEmpty/vimRegistryEventEmpty.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventEmpty/vimRegistryEventEmpty.json index 0cb0caa4133..8325f2bbe82 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventEmpty/vimRegistryEventEmpty.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventEmpty/vimRegistryEventEmpty.json 
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventEmpty", - "query": "let EmptyNewRegistryEvents = datatable(\n// ****** Mandatory LA fields ******\n TimeGenerated:datetime, // => EventEndTime\n _ResourceId:string,\n Type:string,\n// ****** Event fields ******\n EventType:string,\n EventSubType:string,\n EventProduct:string,\n EventResult:string,\n EventResultDetails:string,\n EventOriginalSubType:string,\n EventOriginalResultDetails:string,\n EventSeverity:string,\n EventOriginalSeverity:string,\n EventSchema:string,\n EventOwner:string,\n EventProductVersion:string, \n EventCount:int, \n EventMessage:string, \n EventVendor:string, \n EventSchemaVersion:string, \n EventOriginalUid:string, \n EventOriginalType:string,\n EventStartTime:datetime, \n EventEndTime:datetime, \n EventReportUrl:string, \n AdditionalFields:dynamic, \n //****** RegistryFields ****** \n RegistryKey:string,\n RegistryValue:string,\n RegistryValueType:string,\n RegistryValueData:string,\n RegistryPreviousKey:string,\n RegistryPreviousValue:string,\n RegistryPreviousValueType:string,\n RegistryPreviousValueData:string,\n //****** Device fields ******\n DvcId:string, \n DvcHostname:string, \n DvcIpAddr:string, \n DvcOs:string, \n DvcOsVersion:string, \n DvcMacAddr:string,\n DvcFQDN:string,\n 
DvcDomain:string,\n DvcDomainType:string,\n DvcDescription:string,\n DvcZone:string,\n DvcAction:string,\n DvcOriginalAction:string,\n DvcInterface:string,\n DvcScopeId:string,\n DvcScope:string,\n DvcIdType:string,\n // -- User fields\n ActorUsername:string, \n ActorUsernameType:string, \n ActorUserId:string, \n ActorUserIdType:string, \n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n ActorUserType:string,\n ActorOriginalUserType:string,\n ActingProcessCommandLine:string,\n //****** Process fields ******\n ActingProcessName:string,\n ActingProcessId:string,\n ActingProcessGuid:string,\n ParentProcessName:string,\n ParentProcessId:string,\n ParentProcessGuid:string,\n ParentProcessCommandLine:string,\n //****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ****** \n Dvc:string,\n User:string,\n Process:string,\n Src:string,\n Dst:string\n )[];\n EmptyNewRegistryEvents", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventEmpty", + "query": "let EmptyNewRegistryEvents = datatable(\n// ****** Mandatory LA fields ******\n TimeGenerated:datetime, // => EventEndTime\n _ResourceId:string,\n Type:string,\n// ****** Event fields ******\n EventType:string,\n EventSubType:string,\n EventProduct:string,\n EventResult:string,\n EventResultDetails:string,\n EventOriginalSubType:string,\n EventOriginalResultDetails:string,\n EventSeverity:string,\n EventOriginalSeverity:string,\n EventSchema:string,\n EventOwner:string,\n EventProductVersion:string, \n 
EventCount:int, \n EventMessage:string, \n EventVendor:string, \n EventSchemaVersion:string, \n EventOriginalUid:string, \n EventOriginalType:string,\n EventStartTime:datetime, \n EventEndTime:datetime, \n EventReportUrl:string, \n AdditionalFields:dynamic, \n //****** RegistryFields ****** \n RegistryKey:string,\n RegistryValue:string,\n RegistryValueType:string,\n RegistryValueData:string,\n RegistryPreviousKey:string,\n RegistryPreviousValue:string,\n RegistryPreviousValueType:string,\n RegistryPreviousValueData:string,\n //****** Device fields ******\n DvcId:string, \n DvcHostname:string, \n DvcIpAddr:string, \n DvcOs:string, \n DvcOsVersion:string, \n DvcMacAddr:string,\n DvcFQDN:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcDescription:string,\n DvcZone:string,\n DvcAction:string,\n DvcOriginalAction:string,\n DvcInterface:string,\n DvcScopeId:string,\n DvcScope:string,\n DvcIdType:string,\n // -- User fields\n ActorUsername:string, \n ActorUsernameType:string, \n ActorUserId:string, \n ActorUserIdType:string, \n ActorSessionId:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n ActorUserType:string,\n ActorOriginalUserType:string,\n ActingProcessCommandLine:string,\n //****** Process fields ******\n ActingProcessName:string,\n ActingProcessId:string,\n ActingProcessGuid:string,\n ParentProcessName:string,\n ParentProcessId:string,\n ParentProcessGuid:string,\n ParentProcessCommandLine:string,\n //****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ****** \n Dvc:string,\n User:string,\n Process:string,\n Src:string,\n Dst:string\n )[];\n EmptyNewRegistryEvents", + 
"version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json index 0954b70afdd..8ea5483a633 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoft365D/vimRegistryEventMicrosoft365D.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventMicrosoft365D')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventMicrosoft365D", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM parser for Microsoft 365 Defender for Endpoint", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventMicrosoft365D", - "query": "let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"None\", \"Reg_None\",\n \"String\", \"Reg_Sz\",\n \"ExpandString\", \"Reg_Expand_Sz\",\n \"Binary\", \"Reg_Binary\",\n \"Dword\", \"Reg_DWord\",\n \"MultiString\", \"Reg_Multi_Sz\",\n \"QWord\", \"Reg_QWord\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n DeviceRegistryEvents\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in)) and\n (array_length(actorusername_has_any) == 0 or (InitiatingProcessAccountName has_any (actorusername_has_any)) or (InitiatingProcessAccountDomain has_any (actorusername_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', 
InitiatingProcessAccountName) has_any (actorusername_has_any))) and\n ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any)) or (PreviousRegistryKey has_any (registrykey_has_any))) and \n ((array_length(registryvalue_has_any)) == 0 or (RegistryValueName has_any (registryvalue_has_any)) or (PreviousRegistryValueName has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any))\n | extend\n // Event\n EventOriginalUid = tostring(ReportId), \n EventCount = int(1), \n EventProduct = 'M365 Defender for Endpoint', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventType = ActionType,\n // Registry\n RegistryKey = iff (ActionType in (\"RegistryKeyDeleted\", \"RegistryValueDeleted\"), PreviousRegistryKey, RegistryKey),\n RegistryValue = iff (ActionType == \"RegistryValueDeleted\", PreviousRegistryValueName, RegistryValueName),\n // RegistryValueType -- original name is fine \n // RegistryValueData -- original name is fine \n RegistryKeyModified = iff (ActionType == \"RegistryKeyRenamed\", PreviousRegistryKey, \"\"),\n RegistryValueModified = iff (ActionType == \"RegistryValueSet\", PreviousRegistryValueName, \"\"),\n // RegistryValueTypeModified -- Not provided by Defender\n RegistryValueDataModified = PreviousRegistryValueData\n | where ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any))) and\n ((array_length(registryvalue_has_any)) == 0 or (RegistryValue has_any (registryvalue_has_any)))\n | lookup RegistryType on $left.RegistryValueType == $right.TypeCode\n | extend RegistryValueType = TypeName\n | project-away\n TypeName,\n PreviousRegistryKey,\n PreviousRegistryValueName,\n PreviousRegistryValueData\n // Device\n | extend\n DvcHostname = DeviceName, \n 
DvcId = DeviceId, \n Dvc = DeviceName \n // Users\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)), \n ActorUsernameType = iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'), \n ActorUserIdType = 'SID'\n //| project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName\n | project-rename\n ActorUserId = InitiatingProcessAccountSid, \n ActorUserAadId = InitiatingProcessAccountObjectId, \n ActorUserUpn = InitiatingProcessAccountUpn\n // Processes\n | extend\n ActingProcessId = tostring(InitiatingProcessId), \n ParentProcessId = tostring(InitiatingProcessParentId) \n | project-away InitiatingProcessId, InitiatingProcessParentId\n | project-rename\n ParentProcessName = InitiatingProcessParentFileName, \n ParentProcessCreationTime = InitiatingProcessParentCreationTime, \n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFileName = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, //OK\n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, \n ActingProcessTokenElevation = InitiatingProcessTokenElevation, \n ActingProcessCreationTime = InitiatingProcessCreationTime \n // -- aliases\n | extend \n Username = ActorUsername,\n UserId = ActorUserId,\n UserIdType = ActorUserIdType,\n User = ActorUsername,\n CommandLine = ActingProcessCommandLine,\n Process = ActingProcessName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", - 
"version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM parser for Microsoft 365 Defender for Endpoint", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventMicrosoft365D", + "query": "let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"None\", \"Reg_None\",\n \"String\", \"Reg_Sz\",\n \"ExpandString\", \"Reg_Expand_Sz\",\n \"Binary\", \"Reg_Binary\",\n \"Dword\", \"Reg_DWord\",\n \"MultiString\", \"Reg_Multi_Sz\",\n \"QWord\", \"Reg_QWord\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n DeviceRegistryEvents\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(eventtype_in) == 0 or ActionType in~ (eventtype_in)) and\n (array_length(actorusername_has_any) == 0 or (InitiatingProcessAccountName has_any (actorusername_has_any)) or (InitiatingProcessAccountDomain has_any (actorusername_has_any)) or (strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName) has_any (actorusername_has_any))) and\n ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any)) or (PreviousRegistryKey has_any (registrykey_has_any))) and \n ((array_length(registryvalue_has_any)) == 0 or 
(RegistryValueName has_any (registryvalue_has_any)) or (PreviousRegistryValueName has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or DeviceName has_any (dvchostname_has_any))\n | extend\n // Event\n EventOriginalUid = tostring(ReportId), \n EventCount = int(1), \n EventProduct = 'M365 Defender for Endpoint', \n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = TimeGenerated, \n EventEndTime = TimeGenerated, \n EventType = ActionType,\n // Registry\n RegistryKey = iff (ActionType in (\"RegistryKeyDeleted\", \"RegistryValueDeleted\"), PreviousRegistryKey, RegistryKey),\n RegistryValue = iff (ActionType == \"RegistryValueDeleted\", PreviousRegistryValueName, RegistryValueName),\n // RegistryValueType -- original name is fine \n // RegistryValueData -- original name is fine \n RegistryKeyModified = iff (ActionType == \"RegistryKeyRenamed\", PreviousRegistryKey, \"\"),\n RegistryValueModified = iff (ActionType == \"RegistryValueSet\", PreviousRegistryValueName, \"\"),\n // RegistryValueTypeModified -- Not provided by Defender\n RegistryValueDataModified = PreviousRegistryValueData\n | where ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any))) and\n ((array_length(registryvalue_has_any)) == 0 or (RegistryValue has_any (registryvalue_has_any)))\n | lookup RegistryType on $left.RegistryValueType == $right.TypeCode\n | extend RegistryValueType = TypeName\n | project-away\n TypeName,\n PreviousRegistryKey,\n PreviousRegistryValueName,\n PreviousRegistryValueData\n // Device\n | extend\n DvcHostname = DeviceName, \n DvcId = DeviceId, \n Dvc = DeviceName \n // Users\n | extend\n ActorUsername = iff (InitiatingProcessAccountDomain == '', InitiatingProcessAccountName, strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)), \n ActorUsernameType = 
iff(InitiatingProcessAccountDomain == '', 'Simple', 'Windows'), \n ActorUserIdType = 'SID'\n //| project-away InitiatingProcessAccountDomain, InitiatingProcessAccountName\n | project-rename\n ActorUserId = InitiatingProcessAccountSid, \n ActorUserAadId = InitiatingProcessAccountObjectId, \n ActorUserUpn = InitiatingProcessAccountUpn\n // Processes\n | extend\n ActingProcessId = tostring(InitiatingProcessId), \n ParentProcessId = tostring(InitiatingProcessParentId) \n | project-away InitiatingProcessId, InitiatingProcessParentId\n | project-rename\n ParentProcessName = InitiatingProcessParentFileName, \n ParentProcessCreationTime = InitiatingProcessParentCreationTime, \n ActingProcessName = InitiatingProcessFolderPath, \n ActingProcessFileName = InitiatingProcessFileName,\n ActingProcessCommandLine = InitiatingProcessCommandLine, \n ActingProcessMD5 = InitiatingProcessMD5, \n ActingProcessSHA1 = InitiatingProcessSHA1, //OK\n ActingProcessSHA256 = InitiatingProcessSHA256, \n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel, \n ActingProcessTokenElevation = InitiatingProcessTokenElevation, \n ActingProcessCreationTime = InitiatingProcessCreationTime \n // -- aliases\n | extend \n Username = ActorUsername,\n UserId = ActorUserId,\n UserIdType = ActorUserIdType,\n User = ActorUsername,\n CommandLine = ActingProcessCommandLine,\n Process = ActingProcessName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSecurityEvent/vimRegistryEventMicrosoftSecurityEvent.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSecurityEvent/vimRegistryEventMicrosoftSecurityEvent.json index d7a37fb0bb6..59c7031237d 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSecurityEvent/vimRegistryEventMicrosoftSecurityEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSecurityEvent/vimRegistryEventMicrosoftSecurityEvent.json 
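Review bot: The previous-value columns emitted by this parser do not match the schema that vimRegistryEventEmpty declares in the same change: the query here extends `RegistryKeyModified`, `RegistryValueModified` and `RegistryValueDataModified`, while the empty schema function lists `RegistryPreviousKey`, `RegistryPreviousValue`, `RegistryPreviousValueType` and `RegistryPreviousValueData`, and the SecurityEvent parser in this diff populates those RegistryPrevious* names. A union across source parsers would therefore carry both column sets, with the Defender rows blank in the RegistryPrevious* fields; renaming the three extends to the RegistryPrevious* names (e.g. `RegistryPreviousKey = iff (ActionType == "RegistryKeyRenamed", PreviousRegistryKey, "")`) would align it. This parser also sets EventSchemaVersion but never EventSchema, whereas the empty schema declares EventSchema and the SecurityEvent parser sets `EventSchema = "RegistryEvent"`. This ARM template appears to be generated from the parser YAML, so the correction presumably belongs in the YAML source and should be regenerated here.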
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventMicrosoftSecurityEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventMicrosoftSecurityEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation event)", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventMicrosoftSecurityEvent", - "query": "let parser = (\nstarttime: datetime=datetime(null),\nendtime: datetime=datetime(null),\neventtype_in: dynamic=dynamic([]),\nactorusername_has_any: dynamic=dynamic([]),\nregistrykey_has_any: dynamic =dynamic([]),\nregistryvalue_has_any: dynamic =dynamic([]),\nregistrydata_has_any: dynamic =dynamic([]),\ndvchostname_has_any: dynamic=dynamic([]),\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) {\niif (\nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseSecurityEvents = (SecurityEvent: (SubjectDomainName: string, SubjectUserName: string, ProcessId: string, ObjectName: string, SubjectUserSid: string, SubjectLogonId: string, ProcessName: string)) {\n SecurityEvent\n | project-rename\n ActorUsername = SubjectUserName\n ,\n ActorUserId = SubjectUserSid\n ,\n ActorSessionId = SubjectLogonId\n ,\n ActingProcessName = ProcessName\n ,\n ActorDomainName = SubjectDomainName\n | extend\n ActorUsername = iif(isnotempty(ActorDomainName), strcat(ActorDomainName, @'\\', ActorUsername), ActorUsername)\n ,\n 
ActingProcessId = tostring(toint(tolong(ProcessId)))\n ,\n RegistryKey = iif(\n ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(ObjectName, @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(ObjectName, @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 and ObjectType == \"Key\"\n | where (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0) and\n (array_length(registrydata_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where 
(array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | invoke ASIM_ParseSecurityEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4657\n | where (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0 or (ObjectValueName) has_any (registrydata_has_any)) and\n (array_length(registrydata_has_any) == 0 or (NewValue) has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | invoke ASIM_ParseSecurityEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n EventOriginalSubType = OperationType\n ,\n RegistryValue = ObjectValueName\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue,\n RegistryValue\n )\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup 
RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\"\n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\"\n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = 
actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation event)", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventMicrosoftSecurityEvent", + "query": "let parser = (\nstarttime: datetime=datetime(null),\nendtime: datetime=datetime(null),\neventtype_in: dynamic=dynamic([]),\nactorusername_has_any: dynamic=dynamic([]),\nregistrykey_has_any: dynamic =dynamic([]),\nregistryvalue_has_any: dynamic =dynamic([]),\nregistrydata_has_any: dynamic =dynamic([]),\ndvchostname_has_any: dynamic=dynamic([]),\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) {\niif (\nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseSecurityEvents = (SecurityEvent: (SubjectDomainName: string, SubjectUserName: string, ProcessId: string, ObjectName: string, SubjectUserSid: string, SubjectLogonId: string, ProcessName: string)) {\n SecurityEvent\n | project-rename\n ActorUsername = SubjectUserName\n ,\n ActorUserId = SubjectUserSid\n ,\n ActorSessionId = SubjectLogonId\n ,\n ActingProcessName = ProcessName\n ,\n ActorDomainName = SubjectDomainName\n | extend\n ActorUsername = iif(isnotempty(ActorDomainName), strcat(ActorDomainName, @'\\', ActorUsername), ActorUsername)\n ,\n ActingProcessId = 
tostring(toint(tolong(ProcessId)))\n ,\n RegistryKey = iif(\n ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(ObjectName, @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(ObjectName, @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 and ObjectType == \"Key\"\n | where (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0) and\n (array_length(registrydata_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) 
== 0 or EventType in~ (eventtype_in))\n | invoke ASIM_ParseSecurityEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4657\n | where (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, '\\\\', SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0 or (ObjectValueName) has_any (registrydata_has_any)) and\n (array_length(registrydata_has_any) == 0 or (NewValue) has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | invoke ASIM_ParseSecurityEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n EventOriginalSubType = OperationType\n ,\n RegistryValue = ObjectValueName\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue,\n RegistryValue\n )\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == 
$right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\"\n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\"\n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = 
registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmon/vimRegistryEventMicrosoftSysmon.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmon/vimRegistryEventMicrosoftSysmon.json
index 46964ba043a..4f7ba7e947b 100644
--- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmon/vimRegistryEventMicrosoftSysmon.json
+++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmon/vimRegistryEventMicrosoftSysmon.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventMicrosoftSysmon')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventMicrosoftSysmon", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM filtering parser for Microsoft Sysmon (registry creation event)", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventMicrosoftSysmon", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from Event table\n // Create the raw table from the raw XML file structure\n let ParsedRegistryEvent_Event=() {\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n 
| where Source == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | where (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(registrydata_has_any) == 0 or EventData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | parse EventData with \n * ''RuleName // parsing the XML using the original fields name - for readibliy \n ''EventType\n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId\n ''Image\n ''TargetObject\n '' EventDataRemainder \n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\n | where (array_length(actorusername_has_any) == 0 or (ActorUsername has_any (actorusername_has_any)))\n | project-away EventDataRemainder\n // End of XML parse\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID), \n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | project-rename \n EventMessage = RenderedDescription, \n DvcHostName = Computer, \n ActingProcessId = ProcessId,\n ActingProcessGuid = ProcessGuid, \n ActingProcessName = Image \n // Lookup Event Type\n | lookup RegistryAction on EventType \n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all 
(@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\")\n | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\",\n Rule = RuleName\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n ParameterXml,\n AzureDeploymentID,DvcHostName,EventCategory,EventID,EventLevelName,EventLevel,EventLog,Hive1,MG,ManagementGroupName,Message,RegistryKeyModified,_ResourceId,RegistryValueModified,Role,SourceSystem,Source,TenantId,UserName,UtcTime\n };\n ParsedRegistryEvent_Event \n };\n parser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n 
registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM filtering parser for Microsoft Sysmon (registry creation event)", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventMicrosoftSysmon", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from Event table\n // Create the raw table from the raw XML file structure\n let ParsedRegistryEvent_Event=() {\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | where (array_length(actorusername_has_any) == 0 or 
(EventData has_any (actorusername_has_any))) and\n (array_length(registrydata_has_any) == 0 or EventData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | parse EventData with \n * ''RuleName // parsing the XML using the original fields name - for readibliy \n ''EventType\n ''UtcTime\n '{'ProcessGuid\n '}'ProcessId\n ''Image\n ''TargetObject\n '' EventDataRemainder \n | parse EventDataRemainder with '' Parameter '' ActorUsername '' *\n | where (array_length(actorusername_has_any) == 0 or (ActorUsername has_any (actorusername_has_any)))\n | project-away EventDataRemainder\n // End of XML parse\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID), \n DvcOs = \"Windows\",\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | project-rename \n EventMessage = RenderedDescription, \n DvcHostName = Computer, \n ActingProcessId = ProcessId,\n ActingProcessGuid = ProcessGuid, \n ActingProcessName = Image \n // Lookup Event Type\n | lookup RegistryAction on EventType \n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], 
Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\")\n | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\",\n Rule = RuleName\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n ParameterXml,\n AzureDeploymentID,DvcHostName,EventCategory,EventID,EventLevelName,EventLevel,EventLog,Hive1,MG,ManagementGroupName,Message,RegistryKeyModified,_ResourceId,RegistryValueModified,Role,SourceSystem,Source,TenantId,UserName,UtcTime\n };\n ParsedRegistryEvent_Event \n };\n parser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n )", + "version": 1, + 
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmonWindowsEvent/vimRegistryEventMicrosoftSysmonWindowsEvent.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmonWindowsEvent/vimRegistryEventMicrosoftSysmonWindowsEvent.json index 66add29da4f..fc16eb206c3 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmonWindowsEvent/vimRegistryEventMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftSysmonWindowsEvent/vimRegistryEventMicrosoftSysmonWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventMicrosoftSysmonWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventMicrosoftSysmonWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM filtering parser for Microsoft Sysmon (registry creation event)", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventMicrosoftSysmonWindowsEvent", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from WindowsEvent table\n let ParsedRegistryEvent_WindowsEvent=() {\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | 
where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | where (array_length(actorusername_has_any) == 0 or (tostring(EventData.User) has_any (actorusername_has_any))) and\n (array_length(registrydata_has_any) == 0 or (tostring(EventData.Parameter) has_any (registrydata_has_any))) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID),\n EventType = tostring(EventData.EventType),\n DvcOs = \"Windows\",\n EventMessage = tostring(EventData.RenderedDescription), \n ActorUsername = tostring(EventData.User),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n ActingProcessName = tostring(EventData.Image),\n TargetObject = tostring(EventData.TargetObject),\n Parameter = tostring(EventData.Parameter)\n | project-rename\n DvcHostName = Computer \n | lookup RegistryAction on EventType\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", 
\"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\"\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n Channel,Correlation,Data,DvcHostName,EventID,EventLevelName,EventLevel,EventOriginId,EventRecordId,Hive1,Keywords,ManagementGroupName,_ResourceId,Opcode,Provider,RawEventData,RegistryKeyModified,RegistryValueModified,SourceSystem,SystemProcessId,SystemThreadId,SystemUserId,Task,TenantId,TimeCreated,Version,_ResourceId\n };\n ParsedRegistryEvent_WindowsEvent\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= 
dvchostname_has_any,\n disabled = disabled\n )\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM filtering parser for Microsoft Sysmon (registry creation event)", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventMicrosoftSysmonWindowsEvent", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let RegistryAction = datatable (EventType: string, NewEventType: string)\n [\n \"CreateKey\", \"RegistryKeyCreated\",\n \"DeleteKey\", \"RegistryKeyDeleted\",\n \"DeleteValue\", \"RegistryValueDeleted\", \n \"SetValue\", \"RegistryValueSet\",\n \"RenameKey\", \"RegistryKeyRenamed\"\n ]; \n let Hives = datatable (KeyPrefix: string, Hive: string)\n [\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\", \n \"HKCR\", \"HKEY_LOCAL_MACHINE\\\\Classes\" \n ];\n // this is the parser for sysmon from WindowsEvent table\n let ParsedRegistryEvent_WindowsEvent=() {\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID in (12, 13, 14)\n | where (array_length(actorusername_has_any) == 0 or (tostring(EventData.User) has_any (actorusername_has_any))) and\n 
(array_length(registrydata_has_any) == 0 or (tostring(EventData.Parameter) has_any (registrydata_has_any))) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend \n EventStartTime = todatetime(TimeGenerated), \n EventEndTime = todatetime(TimeGenerated), \n EventCount = int(1), \n EventVendor = \"Microsoft\",\n EventSchemaVersion = \"0.1.0\", \n EventProduct = \"Sysmon\",\n EventOriginalType = tostring(EventID),\n EventType = tostring(EventData.EventType),\n DvcOs = \"Windows\",\n EventMessage = tostring(EventData.RenderedDescription), \n ActorUsername = tostring(EventData.User),\n ActingProcessId = tostring(EventData.ProcessId),\n ActingProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n ActingProcessName = tostring(EventData.Image),\n TargetObject = tostring(EventData.TargetObject),\n Parameter = tostring(EventData.Parameter)\n | project-rename\n DvcHostName = Computer \n | lookup RegistryAction on EventType\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project-rename EventOriginalSubType = EventType\n | project-rename EventType = NewEventType\n // Normalize Key Hive\n | parse TargetObject with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend Key = strcat (Hive, \"\\\\\", KeyMain)\n | parse Parameter with KeyPrefix \"\\\\\" KeyMain\n | lookup Hives on KeyPrefix\n | extend NewName = strcat (Hive, \"\\\\\", KeyMain)\n | project-away KeyPrefix, KeyMain, Hive\n // Split Key and Value for relevant events \n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", Key)\n | extend Key = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][0], Key)\n | extend Value = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), ParsedKey[0][1], \"\")\n | extend ParsedKey = extract_all (@\"^(.+)\\\\(.+)$\", NewName)\n | extend NewKey = ParsedKey[0][0]\n | extend NewValue = ParsedKey[0][1]\n | project-away 
ParsedKey, TargetObject, NewName\n // Set normalized registry fields\n | extend\n RegistryKey = iff (EventType == \"RegistryKeyRenamed\", NewKey, Key),\n RegistryKeyModified = iff (EventType in (\"RegistryKeyRenamed\", \"RegistryValueSet\"), Key, \"\"),\n RegistryValue = iff (EventType in (\"RegistryValueSet\", \"RegistryValueDeleted\"), Value, \"\"),\n RegistryValueModified = iff (EventType == \"RegistryValueSet\", Value, \"\"),\n RegistryValueData = iff (EventType == \"RegistryValueSet\", Parameter, \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', '')\n | where (array_length(registrykey_has_any) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n (array_length(registryvalue_has_any) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any))\n | extend // aliases\n User = ActorUsername,\n Process = ActingProcessName,\n Dvc = DvcHostName,\n EventResult = \"Success\",\n EventSchema = \"RegistryEvent\"\n | project-away\n Parameter,\n Value,\n Key,\n NewKey,\n NewValue,\n EventData,\n Channel,Correlation,Data,DvcHostName,EventID,EventLevelName,EventLevel,EventOriginId,EventRecordId,Hive1,Keywords,ManagementGroupName,_ResourceId,Opcode,Provider,RawEventData,RegistryKeyModified,RegistryValueModified,SourceSystem,SystemProcessId,SystemThreadId,SystemUserId,Task,TenantId,TimeCreated,Version,_ResourceId\n };\n ParsedRegistryEvent_WindowsEvent\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n )\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftWindowsEvent/vimRegistryEventMicrosoftWindowsEvent.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftWindowsEvent/vimRegistryEventMicrosoftWindowsEvent.json index 7237edc547c..39ea666b297 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftWindowsEvent/vimRegistryEventMicrosoftWindowsEvent.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventMicrosoftWindowsEvent/vimRegistryEventMicrosoftWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation event)", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventMicrosoftWindowsEvent", - "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\neventtype_in: dynamic=dynamic([]),\nactorusername_has_any: dynamic=dynamic([]),\nregistrykey_has_any: dynamic =dynamic([]),\nregistryvalue_has_any: dynamic =dynamic([]),\nregistrydata_has_any: dynamic =dynamic([]),\ndvchostname_has_any: dynamic=dynamic([]),\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {\n WindowsEvent\n | extend\n ActorUsername = iif(isnotempty(EventData.SubjectDomainName), strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), EventData.SubjectUserName)\n ,\n ActorDomainName = tostring(EventData.SubjectDomainName)\n ,\n ActorUserId = tostring(EventData.SubjectUserSid)\n ,\n ActorSessionId = tostring(EventData.SubjectLogonId)\n ,\n ActingProcessName = tostring(EventData.ProcessName)\n ,\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))\n ,\n 
RegistryKey = iif(\n EventData.ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 and EventData.ObjectType == \"Key\"\n | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any (actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\\\', EventData.SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0) and \n (array_length(registrydata_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend\n AccessMask = tostring(EventData.AccessMask)\n ,\n Type = \"WindowsEvent\"\n | 
lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | invoke ASIM_ParseWindowsEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4657\n | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any (actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\\\', EventData.SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0 or (EventData.ObjectValueName) has_any (registryvalue_has_any)) and \n (array_length(registrydata_has_any) == 0 or (EventData.NewValue) has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | invoke ASIM_ParseWindowsEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n EventOriginalSubType = tostring(EventData.OperationType)\n ,\n OldValue = tostring(EventData.OldValue)\n ,\n NewValue = tostring(EventData.NewValue)\n ,\n RegistryValue = tostring(EventData.ObjectValueName)\n ,\n NewValueType = tostring(EventData.NewValueType)\n ,\n OldValueType = tostring(EventData.OldValueType)\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n 
| project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n RegistryValue,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = 
\"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM filtering parser for Microsoft Windows Events and Security Events (registry creation event)", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventMicrosoftWindowsEvent", + "query": "let parser = (\nstarttime: datetime=datetime(null), \nendtime: datetime=datetime(null),\neventtype_in: dynamic=dynamic([]),\nactorusername_has_any: dynamic=dynamic([]),\nregistrykey_has_any: dynamic =dynamic([]),\nregistryvalue_has_any: dynamic =dynamic([]),\nregistrydata_has_any: dynamic =dynamic([]),\ndvchostname_has_any: dynamic=dynamic([]),\ndisabled: bool=false\n) {\nlet ASIM_GetAccountType = (sid: string) { \niif ( \nsid in (\"S-1-0-0\", \"S-1-5-18\", \"S-1-5-19\", \"S-1-5-20\"),\n\"Simple\"\n ,\n\"Windows\"\n)\n};\n let ASIM_ParseWindowsEvents = (WindowsEvent: (EventData: dynamic)) {\n WindowsEvent\n | extend\n ActorUsername = iif(isnotempty(EventData.SubjectDomainName), 
strcat(EventData.SubjectDomainName, @'\\', EventData.SubjectUserName), EventData.SubjectUserName)\n ,\n ActorDomainName = tostring(EventData.SubjectDomainName)\n ,\n ActorUserId = tostring(EventData.SubjectUserSid)\n ,\n ActorSessionId = tostring(EventData.SubjectLogonId)\n ,\n ActingProcessName = tostring(EventData.ProcessName)\n ,\n ActingProcessId = tostring(toint(tolong(EventData.ProcessId)))\n ,\n RegistryKey = iif(\n EventData.ObjectName startswith @\"\\REGISTRY\\MACHINE\",\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\MACHINE\", \"HKEY_LOCAL_MACHINE\")\n ,\n replace_string(tostring(EventData.ObjectName), @\"\\REGISTRY\\USER\", \"HKEY_USERS\")\n )\n};\n let Event4663TypeLookup = datatable (AccessMask: string, EventType: string)\n [\n \"0x1\", \"RegistryValueRead\"\n ,\n \"0x10\", \"RegistryKeyNotify\"\n ,\n \"0x10000\", \"RegistryKeyDeleted\"\n ,\n \"0x2\", \"RegistryValueSet\"\n ,\n \"0x20000\", \"MetadataAccessed\"\n ,\n \"0x20006\", \"RegistryValueSet\"\n ,\n \"0x40000\", \"MetadataModified\"\n ,\n \"0x8\", \"RegistrySubkeyEnumerated\"\n];\n let Event4567TypeLookup = datatable (EventOriginalSubType: string, EventType: string)\n [\n \"%%1904\", \"RegistryValueSet\"\n ,\n \"%%1905\", \"RegistryValueSet\"\n ,\n \"%%1906\", \"RegistryValueDeleted\"\n];\n let RegistryType = datatable (TypeCode: string, TypeName: string)\n [\n \"%%1872\", \"REG_NONE\"\n ,\n \"%%1873\", \"REG_SZ\"\n ,\n \"%%1874\", \"REG_EXPAND_SZ\"\n ,\n \"%%1875\", \"REG_BINARY\"\n ,\n \"%%1876\", \"REG_DWORD\"\n ,\n \"%%1879\", \"REG_MULTI_SZ\"\n ,\n \"%%1883\", \"REG_QWORD\"\n];\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4663 and EventData.ObjectType == \"Key\"\n | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any 
(actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\\\', EventData.SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0) and \n (array_length(registrydata_has_any) == 0) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | extend\n AccessMask = tostring(EventData.AccessMask)\n ,\n Type = \"WindowsEvent\"\n | lookup Event4663TypeLookup on AccessMask\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | invoke ASIM_ParseWindowsEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n Type\n ),\n (\n union isfuzzy=false\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID == 4657\n | where (array_length(actorusername_has_any) == 0 or (EventData.SubjectDomainName has_any (actorusername_has_any)) or (EventData.SubjectUserName has_any (actorusername_has_any)) or (strcat(EventData.SubjectDomainName, '\\\\', EventData.SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(registryvalue_has_any) == 0 or (EventData.ObjectValueName) has_any (registryvalue_has_any)) and \n (array_length(registrydata_has_any) == 0 or (EventData.NewValue) has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n | invoke ASIM_ParseWindowsEvents()\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n EventOriginalSubType = tostring(EventData.OperationType)\n ,\n OldValue = tostring(EventData.OldValue)\n 
,\n NewValue = tostring(EventData.NewValue)\n ,\n RegistryValue = tostring(EventData.ObjectValueName)\n ,\n NewValueType = tostring(EventData.NewValueType)\n ,\n OldValueType = tostring(EventData.OldValueType)\n | lookup Event4567TypeLookup on EventOriginalSubType\n | extend EventType = iif(isempty(EventType), \"Other\", EventType)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project\n TimeGenerated,\n Computer,\n EventID,\n EventType,\n ActorUsername,\n ActorDomainName,\n ActorUserId,\n ActorSessionId,\n ActingProcessName,\n ActingProcessId,\n RegistryKey,\n _ResourceId,\n RegistryValue,\n Type,\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | lookup RegistryType on $left.NewValueType == $right.TypeCode\n | project-rename RegistryValueType = TypeName\n | lookup RegistryType on $left.OldValueType == $right.TypeCode\n | project-rename RegistryPreviousValueType = TypeName\n | extend\n RegistryValueData = iff (EventOriginalSubType == \"%%1906\", OldValue, NewValue)\n ,\n RegistryPreviousKey = iff (EventOriginalSubType == \"%%1905\", RegistryKey, \"\")\n ,\n RegistryPreviousValue = iff (EventOriginalSubType == \"%%1905\", RegistryValue, \"\")\n ,\n RegistryPreviousValueData = iff (EventOriginalSubType == \"%%1905\", OldValue, \"\")\n | project-away\n NewValueType,\n OldValueType,\n EventOriginalSubType,\n OldValue,\n NewValue\n )\n | invoke _ASIM_ResolveFQDN (\"Computer\")\n | extend\n ActorUserIdType = iff (ActorUserId <> \"S-1-0-0\", \"SID\", \"\"),\n ActorUserId = iff (ActorUserId <> \"S-1-0-0\", ActorUserId, \"\")\n | project-rename\n DvcDomainType = DomainType\n ,\n DvcHostname = ExtractedHostname\n | extend\n DvcFQDN = iif(DvcDomainType == \"FQDN\", FQDN, \"\")\n ,\n DvcDomain = iif(isnotempty(Domain), Domain, \"\")\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", FQDN, \"DvcHostname\")\n | extend\n ActorUserType = _ASIM_GetWindowsUserType(ActorUsername, ActorUserId)\n ,\n ActorUsernameType = 
ASIM_GetAccountType(ActorUserId)\n | extend\n User = ActorUsername\n ,\n UserId = ActorUserId\n ,\n ActorUserSid = ActorUserId\n ,\n Process = ActingProcessName\n ,\n Dvc = iif(DvcDomainType == \"FQDN\", Computer, \"\")\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n EventOriginalType = tostring(EventID)\n | extend\n EventSchemaVersion = \"0.1\" \n ,\n EventSchema = \"RegistryEvent\"\n ,\n EventCount = toint(1)\n ,\n EventResult = \"Success\"\n ,\n EventVendor = \"Microsoft\"\n ,\n EventProduct = \"Security Events\" \n ,\n DvcOs = \"Windows\"\n | project-away ActorDomainName,ActorUserSid,ActorUserType,Computer,Domain,DvcDomainType,DvcDomain,DvcFQDN,EventID,FQDN,UserId,_ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventNative/vimRegistryEventNative.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventNative/vimRegistryEventNative.json index 8b5d85cafb1..63eb195004c 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventNative/vimRegistryEventNative.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventNative/vimRegistryEventNative.json 
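Review bot: The new-side query of vimRegistryEventMicrosoftWindowsEvent still computes `Dvc = iif(DvcDomainType == "FQDN", FQDN, "DvcHostname")` with the string literal "DvcHostname" where the column of that name is presumably meant, and the next extend reassigns `Dvc = iif(DvcDomainType == "FQDN", Computer, "")`, so (assuming the later extend wins, as Kusto's extend does for an existing column name) events from hosts without an FQDN are emitted with an empty Dvc. A single assignment such as `Dvc = iif(DvcDomainType == "FQDN", FQDN, DvcHostname)`, with the second Dvc line dropped, would give every row a device identifier. The commit only reshapes the ARM resource around this query, so the defect is carried over unchanged; if this JSON is produced from the parser YAML by the conversion workflow, the correction belongs in that YAML so the regenerated template picks it up.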
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM filtering parser for Microsoft Sentinel native Registry Event table", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventNative", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimRegistryEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any (actorusername_has_any))) and\n ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n ((array_length(registryvalue_has_any)) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any))\n | project-rename\n EventUid = _ItemId\n | extend \n 
EventSchema = \"RegistryEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n User = ActorUsername,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n Process = ActingProcessName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM filtering parser for Microsoft Sentinel native Registry Event table", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventNative", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n ASimRegistryEventLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and 
(isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any (actorusername_has_any))) and\n ((array_length(registrykey_has_any)) == 0 or (RegistryKey has_any (registrykey_has_any))) and \n ((array_length(registryvalue_has_any)) == 0 or (RegistryValue has_any (registryvalue_has_any))) and \n (array_length(registrydata_has_any) == 0 or RegistryValueData has_any (registrydata_has_any)) and\n (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"RegistryEvent\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n User = ActorUsername,\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n Process = ActingProcessName\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} 
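Review bot: In the new-side query of vimRegistryEventNative the alias line `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests EventEndTime rather than EventStartTime, so a row with a null EventStartTime but a populated EventEndTime keeps the null start time while a row with a null end time has a valid start time overwritten. It should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. This predates the commit, which only flattens the ARM resource, so if the template is generated from the parser YAML the fix should be made there.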
diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventSentinelOne/vimRegistryEventSentinelOne.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventSentinelOne/vimRegistryEventSentinelOne.json
index 2566e201525..9dad566879a 100644
--- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventSentinelOne/vimRegistryEventSentinelOne.json
+++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventSentinelOne/vimRegistryEventSentinelOne.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventSentinelOne", - "query": "let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"REGVALUEMODIFIED\", \"RegistryValueSet\",\n \"REGVALUECREATE\", \"RegistryValueSet\",\n \"REGKEYCREATE\", \"RegistryKeyCreated\",\n \"REGKEYDELETE\", \"RegistryKeyDeleted\",\n \"REGVALUEDELETE\", \"RegistryValueDeleted\",\n \"REGKEYRENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable (\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)\n [\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\n \"USER\", \"HKEY_USERS\",\n \"CONFIG\", \"HKEY_CURRENT_CONFIG\",\n \"ROOT\", \"HKEY_CLASSES_ROOT\"\n];\nlet RegistryPreviousValueTypeLookup = datatable (\n alertInfo_registryOldValueType_s: string,\n RegistryPreviousValueType_lookup: string\n)\n [\n \"BINARY\", \"Reg_Binary\",\n \"DWORD\", \"Reg_DWord\",\n \"QWORD\", \"Reg_QWord\",\n \"SZ\", \"Reg_Sz\",\n \"EXPAND_SZ\", \"Reg_Expand_Sz\",\n \"MULTI_SZ\", \"Reg_Multi_Sz\",\n \"DWORD_BIG_ENDIAN\", \"Reg_DWord\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n 
\"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) { \n let alldata = \n SentinelOne_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(actorusername_has_any) == 0) or (sourceProcessInfo_user_s has_any (actorusername_has_any)))\n and ((array_length(registrydata_has_any) == 0) or (alertInfo_registryValue_s has_any (registrydata_has_any)))\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGKEYCREATE\", \"REGKEYDELETE\", \"REGVALUEDELETE\", \"REGKEYRENAME\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | lookup RegistryPreviousValueTypeLookup on alertInfo_registryOldValueType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = 
alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | where (array_length(dvchostname_has_any) == 0 or DvcHostname has_any (dvchostname_has_any))\n | extend RegistryKeyPrefix = tostring(split(alertInfo_registryKeyPath_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(alertInfo_registryKeyPath_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where ((array_length(registrykey_has_any) == 0) or (RegistryKey has_any (registrykey_has_any)))\n | extend RegistryValue = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGVALUEDELETE\"), tostring(split(alertInfo_registryKeyPath_s, @'\\')[-1]), \"\")\n | where ((array_length(registryvalue_has_any) == 0) or (RegistryValue has_any (registryvalue_has_any)))\n | extend RegistryValueType = case(\n alertInfo_registryValue_s matches regex '^[0-9]+$',\n \"Reg_Dword\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) <= 10,\n \"Reg_DWord\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) > 10,\n \"Reg_QWord\",\n alertInfo_registryValue_s matches regex '^[A-Fa-f0-9]+$',\n \"Reg_Binary\",\n \"\"\n )\n | extend\n RegistryValueType = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\") and isempty(RegistryValueType), \"Reg_Sz\", RegistryValueType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n EventStartTime= sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ParentProcessId = sourceParentProcessInfo_pid_s,\n ActingProcessName = 
sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n RegistryValueData = alertInfo_registryValue_s,\n EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct), \n EventEndTime = EventStartTime,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValueData = coalesce(alertInfo_registryOldValue_s, RegistryValueData),\n RegistryPreviousValueType = coalesce(RegistryPreviousValueType_lookup, RegistryValueType),\n RegistryPreviousValue = RegistryValue,\n Process = ActingProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Rule = RuleName\n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix,\n RegistryPreviousValueType_lookup,\n ThreatConfidence_*\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventSentinelOne", + "query": "let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"REGVALUEMODIFIED\", \"RegistryValueSet\",\n \"REGVALUECREATE\", \"RegistryValueSet\",\n \"REGKEYCREATE\", \"RegistryKeyCreated\",\n \"REGKEYDELETE\", \"RegistryKeyDeleted\",\n \"REGVALUEDELETE\", \"RegistryValueDeleted\",\n \"REGKEYRENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable (\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)\n [\n \"MACHINE\", \"HKEY_LOCAL_MACHINE\",\n \"USER\", \"HKEY_USERS\",\n \"CONFIG\", \"HKEY_CURRENT_CONFIG\",\n \"ROOT\", \"HKEY_CLASSES_ROOT\"\n];\nlet RegistryPreviousValueTypeLookup = datatable (\n alertInfo_registryOldValueType_s: string,\n RegistryPreviousValueType_lookup: string\n)\n [\n \"BINARY\", \"Reg_Binary\",\n \"DWORD\", \"Reg_DWord\",\n \"QWORD\", \"Reg_QWord\",\n \"SZ\", \"Reg_Sz\",\n \"EXPAND_SZ\", \"Reg_Expand_Sz\",\n \"MULTI_SZ\", \"Reg_Multi_Sz\",\n \"DWORD_BIG_ENDIAN\", \"Reg_DWord\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious 
= datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n registrykey_has_any: dynamic =dynamic([]),\n registryvalue_has_any: dynamic =dynamic([]),\n registrydata_has_any: dynamic =dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false\n ) { \n let alldata = \n SentinelOne_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(actorusername_has_any) == 0) or (sourceProcessInfo_user_s has_any (actorusername_has_any)))\n and ((array_length(registrydata_has_any) == 0) or (alertInfo_registryValue_s has_any (registrydata_has_any)))\n and event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGKEYCREATE\", \"REGKEYDELETE\", \"REGVALUEDELETE\", \"REGKEYRENAME\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | lookup RegistryPreviousValueTypeLookup on alertInfo_registryOldValueType_s;\n let undefineddata = alldata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alldata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | where (array_length(dvchostname_has_any) == 
0 or DvcHostname has_any (dvchostname_has_any))\n | extend RegistryKeyPrefix = tostring(split(alertInfo_registryKeyPath_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(alertInfo_registryKeyPath_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where ((array_length(registrykey_has_any) == 0) or (RegistryKey has_any (registrykey_has_any)))\n | extend RegistryValue = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\", \"REGVALUEDELETE\"), tostring(split(alertInfo_registryKeyPath_s, @'\\')[-1]), \"\")\n | where ((array_length(registryvalue_has_any) == 0) or (RegistryValue has_any (registryvalue_has_any)))\n | extend RegistryValueType = case(\n alertInfo_registryValue_s matches regex '^[0-9]+$',\n \"Reg_Dword\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) <= 10,\n \"Reg_DWord\",\n alertInfo_registryValue_s startswith \"0x\" and strlen(alertInfo_registryValue_s) > 10,\n \"Reg_QWord\",\n alertInfo_registryValue_s matches regex '^[A-Fa-f0-9]+$',\n \"Reg_Binary\",\n \"\"\n )\n | extend\n RegistryValueType = iff(alertInfo_eventType_s in (\"REGVALUEMODIFIED\", \"REGVALUECREATE\") and isempty(RegistryValueType), \"Reg_Sz\", RegistryValueType),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n ActingProcessId = sourceProcessInfo_pid_s,\n ActorUsername = sourceProcessInfo_user_s,\n EventStartTime= sourceProcessInfo_pidStarttime_t,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventUid = _ItemId,\n ParentProcessId = sourceParentProcessInfo_pid_s,\n ActingProcessName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalType = alertInfo_eventType_s,\n ParentProcessName = sourceParentProcessInfo_name_s,\n RegistryValueData = alertInfo_registryValue_s,\n 
EventOriginalUid = alertInfo_dvEventId_s,\n RuleName = ruleInfo_name_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct), \n EventEndTime = EventStartTime,\n EventSeverity = iff(EventOriginalSeverity == \"Critical\", \"High\", EventOriginalSeverity),\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValueData = coalesce(alertInfo_registryOldValue_s, RegistryValueData),\n RegistryPreviousValueType = coalesce(RegistryPreviousValueType_lookup, RegistryValueType),\n RegistryPreviousValue = RegistryValue,\n Process = ActingProcessName,\n User = ActorUsername,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Rule = RuleName\n | project-away \n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix,\n RegistryPreviousValueType_lookup,\n ThreatConfidence_*\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n registrykey_has_any = registrykey_has_any,\n registryvalue_has_any = registryvalue_has_any,\n registrydata_has_any = registrydata_has_any,\n dvchostname_has_any= dvchostname_has_any,\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registrydata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json index 4bb74e13e65..3444e8a31ca 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventTrendMicroVisionOne/vimRegistryEventTrendMicroVisionOne.json 
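Review bot: The new side's query still emits `"Reg_Dword"` for the all-digits branch of the RegistryValueType `case()` while every other branch and the RegistryPreviousValueTypeLookup table spell it `"Reg_DWord"`, so consumers filtering on `RegistryValueType == "Reg_DWord"` silently miss numeric-string values. The fix is the single literal `"Reg_DWord",` in place of `"Reg_Dword",`, but this ARM file appears to be generated from the parser YAML by the convertKqlFunctionYamlToArmTemplate workflow, so it should be corrected in the YAML source and regenerated rather than patched here. The `"etag": "*"` carried over on the new side also means each deployment unconditionally overwrites any workspace-local edits to a function of the same alias; if that is the intended contract it is worth stating in the parser's YAML description.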
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventTrendMicroVisionOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventTrendMicroVisionOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for Trend Micro Vision One", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventTrendMicroVisionOne", - "query": "let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\n 0, \"Reg_None\",\n 1, \"Reg_Sz\",\n 2, \"Reg_Expand_Sz\",\n 3, \"Reg_Binary\",\n 4, \"Reg_DWord\",\n 5, \"Reg_DWord\",\n 7, \"Reg_Multi_Sz\",\n 11, \"Reg_QWord\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (starttime: datetime=datetime(null), endtime: 
datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic=dynamic([]), registryvalue_has_any: dynamic=dynamic([]), registryvaluedata_has_any: dynamic=dynamic([]), dvchostname_has_any: dynamic=dynamic([]), disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\n | where (array_length(actorusername_has_any) == 0 or detail_processUser_s has_any (actorusername_has_any))\n and (array_length(registryvalue_has_any) == 0 or detail_objectRegistryValue_s has_any (registryvalue_has_any))\n and (array_length(registryvaluedata_has_any) == 0 or detail_objectRegistryData_s has_any (registryvaluedata_has_any))\n and (array_length(dvchostname_has_any) == 0 or detail_endpointHostName_s has_any (dvchostname_has_any))\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventTypeLookup on detail_eventSubId_s\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend \n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\n | extend \n ActingProcessId = tostring(toint(detail_processPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n ActorSessionId = 
tostring(toint(detail_authId_d)),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s,\n \"objectRegType\", detail_objectRegType_d\n )\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventVendor = \"Trend Micro\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n RegistryValue = detail_objectRegistryValue_s,\n RegistryValueData = detail_objectRegistryData_s,\n ActingProcessName = detail_processName_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventUid = _ItemId,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n EventMessage = description\n | extend\n User = ActorUsername,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n Process = ActingProcessName,\n EventEndTime = EventStartTime,\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValue = RegistryValue,\n RegistryPreviousValueData = RegistryValueData,\n RegistryPreviousValueType = RegistryValueType\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n name,\n filters,\n *Prefix\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registryvaluedata_has_any, dvchostname_has_any=dvchostname_has_any, disabled = disabled)", - 
"version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registryvaluedata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for Trend Micro Vision One", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventTrendMicroVisionOne", + "query": "let EventTypeLookup = datatable(detail_eventSubId_s: string, EventType: string)[\n \"TELEMETRY_REGISTRY_CREATE\", \"RegistryKeyCreated\",\n \"TELEMETRY_REGISTRY_SET\", \"RegistryValueSet\",\n \"TELEMETRY_REGISTRY_DELETE\", \"RegistryKeyDeleted\",\n \"TELEMETRY_REGISTRY_RENAME\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet RegistryValueTypeLookup = datatable (detail_objectRegType_d: real, RegistryValueType: string)[\n 0, \"Reg_None\",\n 1, \"Reg_Sz\",\n 2, \"Reg_Expand_Sz\",\n 3, \"Reg_Binary\",\n 4, \"Reg_DWord\",\n 5, \"Reg_DWord\",\n 7, \"Reg_Multi_Sz\",\n 11, \"Reg_QWord\"\n];\nlet EventSeverityLookup = datatable(detail_filterRiskLevel_s: string, EventSeverity: string)[\n \"low\", \"Low\",\n \"medium\", \"Medium\",\n \"high\", \"High\",\n \"info\", \"Informational\",\n \"critical\", \"High\"\n];\nlet parser = (starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventtype_in: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), registrykey_has_any: dynamic=dynamic([]), registryvalue_has_any: dynamic=dynamic([]), registryvaluedata_has_any: dynamic=dynamic([]), dvchostname_has_any: 
dynamic=dynamic([]), disabled: bool=false) {\n TrendMicro_XDR_OAT_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n | where detail_eventId_s == \"TELEMETRY_REGISTRY\"\n | where (array_length(actorusername_has_any) == 0 or detail_processUser_s has_any (actorusername_has_any))\n and (array_length(registryvalue_has_any) == 0 or detail_objectRegistryValue_s has_any (registryvalue_has_any))\n and (array_length(registryvaluedata_has_any) == 0 or detail_objectRegistryData_s has_any (registryvaluedata_has_any))\n and (array_length(dvchostname_has_any) == 0 or detail_endpointHostName_s has_any (dvchostname_has_any))\n | parse filters_s with * \"[\" filters: string \"]\"\n | parse-kv filters as (description: string, name: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventTypeLookup on detail_eventSubId_s\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | invoke _ASIM_ResolveDvcFQDN('detail_endpointHostName_s')\n | extend RegistryKeyPrefix = tostring(split(detail_objectRegistryKeyHandle_s, @'\\')[0])\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend \n RegistryKey = replace_string(detail_objectRegistryKeyHandle_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | lookup EventSeverityLookup on detail_filterRiskLevel_s\n | lookup RegistryValueTypeLookup on detail_objectRegType_d\n | extend \n ActingProcessId = tostring(toint(detail_processPid_d)),\n ParentProcessId = tostring(toint(detail_parentPid_d)),\n ActorSessionId = tostring(toint(detail_authId_d)),\n AdditionalFields = bag_pack(\n \"name\", name,\n \"tags\", detail_tags_s,\n \"objectRegType\", detail_objectRegType_d\n )\n | extend\n EventCount = int(1),\n EventProduct = \"Vision One\",\n EventVendor = \"Trend Micro\",\n EventSchema = 
\"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\"\n | project-rename\n ActorUsername = detail_processUser_s,\n EventStartTime = detail_eventTimeDT_t,\n RegistryValue = detail_objectRegistryValue_s,\n RegistryValueData = detail_objectRegistryData_s,\n ActingProcessName = detail_processName_s,\n DvcId = detail_endpointGuid_g,\n DvcOs = detail_osName_s,\n DvcOsVersion = detail_osVer_s,\n EventUid = _ItemId,\n EventOriginalSubType = detail_eventSubId_s,\n EventOriginalType = detail_eventId_s,\n EventOriginalUid = detail_uuid_g,\n EventOriginalSeverity = detail_filterRiskLevel_s,\n EventProductVersion = detail_pver_s,\n EventMessage = description\n | extend\n User = ActorUsername,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n Process = ActingProcessName,\n EventEndTime = EventStartTime,\n RegistryPreviousKey = RegistryKey,\n RegistryPreviousValue = RegistryValue,\n RegistryPreviousValueData = RegistryValueData,\n RegistryPreviousValueType = RegistryValueType\n | project-away\n *_d,\n *_s,\n *_g,\n *_t,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n name,\n filters,\n *Prefix\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, actorusername_has_any=actorusername_has_any, registrykey_has_any=registrykey_has_any, registryvalue_has_any=registryvalue_has_any, registryvaluedata_has_any=registryvaluedata_has_any, dvchostname_has_any=dvchostname_has_any, disabled = disabled)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registryvaluedata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json index 9a7b23cbdbe..4500281a9a3 100644 --- a/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json +++ b/Parsers/ASimRegistryEvent/ARM/vimRegistryEventVMwareCarbonBlackCloud/vimRegistryEventVMwareCarbonBlackCloud.json 
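Review bot: The eventtype_in filter on the new side uses `EventType has_any (eventtype_in)` while the sibling SentinelOne parser in this same commit uses `EventType in~ (eventtype_in)`; both accept the exact schema values, but the term-based form is a style divergence between filtering parsers that should expose the same contract, and `| where (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))` would align it. ActorUsernameType is hard-coded to `"Simple"` rather than derived with `_ASIM_GetUsernameType(ActorUsername)` as the SentinelOne parser does, so a domain-qualified username would presumably be mislabelled. As with the other ARM templates here, the file looks generated, so both changes belong in the YAML source.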
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimRegistryEventVMwareCarbonBlackCloud')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimRegistryEventVMwareCarbonBlackCloud", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Registry Event ASIM Parser for VMware Carbon Black Cloud", - "category": "ASIM", - "FunctionAlias": "vimRegistryEventVMwareCarbonBlackCloud", - "query": "let EventTypeLookup = datatable (temp_action: string, EventType: string)\n [\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\n \"ACTION_RENAME_KEY\", \"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", \"ACTION_RENAME_KEY\"]);\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n registrykey_has_any: dynamic=dynamic([]), \n registryvalue_has_any: dynamic=dynamic([]), \n registryvaluedata_has_any: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool=false\n ) 
{\n CarbonBlackEvents_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n and eventType_s == \"endpoint.event.regmod\"\n and isnotempty(regmod_name_s)\n | where array_length(registryvalue_has_any) == 0\n and array_length(registryvaluedata_has_any) == 0\n and (array_length(actorusername_has_any) == 0 or process_username_s has_any (actorusername_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | extend\n temp_action = case(\n action_s has \"|\" and action_s has \"delete\",\n \"ACTION_DELETE_KEY\",\n action_s has \"|\" and action_s !has \"delete\",\n \"ACTION_CREATE_KEY\",\n action_s\n ),\n RegistryKeyPrefix = tostring(split(regmod_name_s, @'\\')[0])\n | where temp_action in (actionvalues)\n | lookup EventTypeLookup on temp_action\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n ActingProcessId = tostring(toint(process_pid_d)),\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields = bag_pack(\n \"process_guid\", process_guid_s,\n \"parent_guid\", parent_guid_s \n )\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n EventUid = _ItemId,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = processDetails_parentName_s,\n ActorScopeId = org_key_s\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend\n 
EventCount = toint(1),\n EventProduct = \"Carbon Black Cloud\",\n EventVendor = \"VMware\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Process = ActingProcessName,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n actorusername_has_any=actorusername_has_any, \n registrykey_has_any=registrykey_has_any, \n registryvalue_has_any=registryvalue_has_any, \n registryvaluedata_has_any=registryvaluedata_has_any, \n dvchostname_has_any=dvchostname_has_any, \n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registryvaluedata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Registry Event ASIM Parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimRegistryEventVMwareCarbonBlackCloud", + "query": "let EventTypeLookup = datatable (temp_action: string, EventType: string)\n [\n \"ACTION_WRITE_VALUE\", \"RegistryValueSet\",\n \"ACTION_CREATE_KEY\", \"RegistryKeyCreated\",\n \"ACTION_DELETE_KEY\", \"RegistryKeyDeleted\",\n \"ACTION_DELETE_VALUE\", \"RegistryValueDeleted\",\n \"ACTION_RENAME_KEY\", 
\"RegistryKeyRenamed\"\n];\nlet RegistryKeyPrefixLookup = datatable(\n RegistryKeyPrefix: string,\n RegistryKeyNormalizedPrefix: string\n)[\n \"HKLM\", \"HKEY_LOCAL_MACHINE\",\n \"HKU\", \"HKEY_USERS\",\n \"HKCU\", \"HKEY_CURRENT_USER\",\n \"HKCR\", \"HKEY_CLASSES_ROOT\",\n \"HKCC\", \"HKEY_CURRENT_CONFIG\"\n];\nlet actionvalues = dynamic([\"ACTION_WRITE_VALUE\", \"ACTION_CREATE_KEY\", \"ACTION_DELETE_KEY\", \"ACTION_DELETE_VALUE\", \"ACTION_RENAME_KEY\"]);\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n registrykey_has_any: dynamic=dynamic([]), \n registryvalue_has_any: dynamic=dynamic([]), \n registryvaluedata_has_any: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool=false\n ) {\n CarbonBlackEvents_CL\n | where not(disabled)\n | where ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime))\n and eventType_s == \"endpoint.event.regmod\"\n and isnotempty(regmod_name_s)\n | where array_length(registryvalue_has_any) == 0\n and array_length(registryvaluedata_has_any) == 0\n and (array_length(actorusername_has_any) == 0 or process_username_s has_any (actorusername_has_any))\n and (array_length(dvchostname_has_any) == 0 or device_name_s has_any (dvchostname_has_any))\n | extend\n temp_action = case(\n action_s has \"|\" and action_s has \"delete\",\n \"ACTION_DELETE_KEY\",\n action_s has \"|\" and action_s !has \"delete\",\n \"ACTION_CREATE_KEY\",\n action_s\n ),\n RegistryKeyPrefix = tostring(split(regmod_name_s, @'\\')[0])\n | where temp_action in (actionvalues)\n | lookup EventTypeLookup on temp_action\n | lookup RegistryKeyPrefixLookup on RegistryKeyPrefix\n | extend RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and 
(array_length(registrykey_has_any) == 0 or RegistryKey has_any (registrykey_has_any))\n | extend\n ActingProcessId = tostring(toint(process_pid_d)),\n EventStartTime = todatetime(split(createTime_s, '+')[0]),\n ParentProcessId = tostring(toint(parent_pid_d)),\n AdditionalFields = bag_pack(\n \"process_guid\", process_guid_s,\n \"parent_guid\", parent_guid_s \n )\n | project-rename\n ActorUsername = process_username_s,\n DvcIpAddr = device_external_ip_s,\n DvcScope = device_group_s,\n EventUid = _ItemId,\n ActingProcessName = process_path_s,\n DvcId = device_id_s,\n DvcOs = device_os_s,\n EventMessage = event_description_s,\n EventOriginalType = action_s,\n EventOriginalUid = event_id_g,\n EventOwner = event_origin_s,\n ParentProcessName = processDetails_parentName_s,\n ActorScopeId = org_key_s\n | invoke _ASIM_ResolveDvcFQDN('device_name_s')\n | extend\n EventCount = toint(1),\n EventProduct = \"Carbon Black Cloud\",\n EventVendor = \"VMware\",\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSchema = \"RegistryEvent\",\n EventSchemaVersion = \"0.1.2\"\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n EventEndTime = EventStartTime,\n Process = ActingProcessName,\n User = ActorUsername,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\")\n | project-away\n *_d,\n *_s,\n *_g,\n *_b,\n temp_action,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n RegistryKeyPrefix,\n RegistryKeyNormalizedPrefix\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n actorusername_has_any=actorusername_has_any, \n registrykey_has_any=registrykey_has_any, \n registryvalue_has_any=registryvalue_has_any, \n registryvaluedata_has_any=registryvaluedata_has_any, \n dvchostname_has_any=dvchostname_has_any, \n disabled = disabled\n)", + "version": 1, + 
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),registrykey_has_any:dynamic=dynamic([]),registryvalue_has_any:dynamic=dynamic([]),registryvaluedata_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json b/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json index 8721d7ef40a..f35d28b7a68 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json 
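Review bot: The hive normalization in the new-side query, `| extend RegistryKey = replace_string(regmod_name_s, RegistryKeyPrefix, RegistryKeyNormalizedPrefix)`, is lossy when the first path component is not one of the five abbreviations in `RegistryKeyPrefixLookup`: the lookup is a left-outer join, so `RegistryKeyNormalizedPrefix` is empty for those rows and `replace_string` then deletes the first component (a key already written as `HKEY_LOCAL_MACHINE\...` becomes `\...`), and it also rewrites any later occurrence of the same token inside the path. Analytic rules that match on the full normalized `RegistryKey` (autorun locations, service keys) will silently miss such events. Replace only the leading component and fall back to the original when there is no mapping: `| extend RegistryKey = iff(isnotempty(RegistryKeyNormalizedPrefix), strcat(RegistryKeyNormalizedPrefix, substring(regmod_name_s, strlen(RegistryKeyPrefix))), regmod_name_s)`. This ARM template appears to be generated from the parser YAML (the convertKqlFunctionYamlToArmTemplate workflow in this PR), so the change belongs in the Carbon Black YAML source and should be regenerated from there.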
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagement')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagement", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimUserManagement", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack: bool=false\n ) {\n union isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementMicrosoftWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftWindowsEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers)))\n}; \nparser (\n pack=pack\n)", - "version": 1, - 
"functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimUserManagement", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack: bool=false\n ) {\n union isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementMicrosoftWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftWindowsEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers)))\n}; \nparser (\n pack=pack\n)", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json index 873ef667c81..a01896b0bb1 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementCiscoISE')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementCiscoISE", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Cisco ISE", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", 
\"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", 
\"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEUsrMgmtParser=(disabled: bool=false) {\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = 
\"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n dvcHostname,\n ['User-Name'],\n UserName\n};\nCiscoISEUsrMgmtParser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementCiscoISE", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", 
\"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", 
\"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEUsrMgmtParser=(disabled: bool=false) {\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , 
EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n dvcHostname,\n ['User-Name'],\n UserName\n};\nCiscoISEUsrMgmtParser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json index fda5ece200a..1b42529bf65 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json 
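Review bot: In the `EventFieldsLookup` table of the new-side query, the rows for 24348 ("Account locked") and 24370 ("User credentials have been revoked.") set `EventSeverity` to "Informational" while preserving the source's `EventOriginalSeverity` of "ERROR"; an account lockout or credential revocation is the kind of event ASIM-based analytics and hunting queries key on via `EventSeverity`, and ranking it below a failed password-policy check (mapped to "Low") looks inverted. Consider at least `"24348", "Success", "UserLocked", "", "UserModified", "Low", "ERROR", "Account locked",` and `"24370", "Success", "UserDisabled", "", "UserModified", "Low", "ERROR", "User credentials have been revoked.",`, with a short comment above the table recording that `EventSeverity` is the normalized rating and `EventOriginalSeverity` the vendor's. Also note `EventProductVersion = "3.2"` is a hard-coded constant rather than a value read from the event, so it will be reported for every ISE version; if it cannot be sourced from the log it may be better left empty. This template is generated from the Cisco ISE parser YAML, so the edit belongs there.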
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementLinuxAuthpriv')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementLinuxAuthpriv", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Linux Authpriv logs", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementLinuxAuthpriv", - "query": "let parser = (\n disabled:bool = false\n) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", 
\" *\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' 
password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and (SyslogMessage 
startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == 
\"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | lookup ActionLookup on Action\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser 
(\n disabled = disabled\n)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Linux Authpriv logs", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementLinuxAuthpriv", + "query": "let parser = (\n disabled:bool = false\n) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and 
SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage 
startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend 
\n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" 
GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | lookup ActionLookup on Action\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftSecurityEvent/ASimUserManagementMicrosoftSecurityEvent.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftSecurityEvent/ASimUserManagementMicrosoftSecurityEvent.json index 9f936f54aff..1c0ce778c73 100644 
--- a/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftSecurityEvent/ASimUserManagementMicrosoftSecurityEvent.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftSecurityEvent/ASimUserManagementMicrosoftSecurityEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementMicrosoftSecurityEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementMicrosoftSecurityEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Microsoft Security Event logs", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementMicrosoftSecurityEvent", - "query": "let parser = (\n disabled:bool = false\n) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", 
\"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n SecurityEvent\n | where not(disabled)\n | where EventID in(UserEventID)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n 
PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActorOriginalUserType = 
AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname, \n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n disabled = disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Microsoft Security Event logs", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementMicrosoftSecurityEvent", + "query": "let parser = (\n disabled:bool = false\n) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n 
\"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n SecurityEvent\n | where not(disabled)\n | where EventID in(UserEventID)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | 
extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with 
(regex=@'{?([^<]*?)}?')\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname, \n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n disabled = disabled\n )", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftWindowsEvent/ASimUserManagementMicrosoftWindowsEvent.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftWindowsEvent/ASimUserManagementMicrosoftWindowsEvent.json index b0687706173..219ba7433cd 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftWindowsEvent/ASimUserManagementMicrosoftWindowsEvent.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementMicrosoftWindowsEvent/ASimUserManagementMicrosoftWindowsEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Microsoft Windows Event logs", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementMicrosoftWindowsEvent", - "query": "let parser = (\n disabled:bool = false\n) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", 
\"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n WindowsEvent\n | where not(disabled)\n | where EventID in(UserEventID)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = 
tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n WindowsEvent\n | where not(disabled)\n | where EventID in(GroupEventID)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, 
EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname,\n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (disabled = disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Microsoft Windows Event logs", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementMicrosoftWindowsEvent", + "query": "let parser = (\n disabled:bool = false\n) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", 
\"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where 
not(disabled)\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n WindowsEvent\n | where not(disabled)\n | where EventID in(UserEventID)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n WindowsEvent\n | where not(disabled)\n | where EventID in(GroupEventID)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n 
GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname,\n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json index edadff7825a..c0b2e572372 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json 
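Review bot: `DvcIdType` is set to `"AzureResourceID"` whenever `_ResourceId` is present, but no `DvcId` is ever populated before `_ResourceId` is removed by the final `project-away`, so consumers receive an ID type with no ID (unless `_ASIM_ResolveDvcFQDN` supplies it, which its name does not suggest). The sibling SecurityEvent parser in this same change sets `DvcId = coalesce(_ResourceId, SourceComputerId)`; here adding `DvcId = _ResourceId,` to the same `extend` that sets `DvcIdType` would keep the two fields consistent. This is pre-existing rather than introduced by the restructuring, and since this ARM template appears to be generated from the parser YAML, the correction needs to land in the YAML source or the next regeneration will drop it.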
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management activity ASIM parser for Microsoft Sentinel native User Management activity table", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementNative", - "query": "let parser = (\n disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled = disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management activity ASIM parser for Microsoft Sentinel native User Management activity table", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementNative", + "query": "let parser 
= (\n disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled = disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json index c252d8b13dc..c32a549e351 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json 
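Review bot: In the aliases `extend`, `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests the wrong column: a row with a null `EventStartTime` keeps the null whenever `EventEndTime` is set, and a row with a null `EventEndTime` has a populated `EventStartTime` overwritten with `TimeGenerated`. The guard should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. This defect exists on both sides of the hunk, so it is not introduced here, but if this template is generated from the parser YAML the fix belongs there as well.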
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimUserManagementSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimUserManagementSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "ASimUserManagementSentinelOne", - "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, 
\"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and activityType_d in (UsermanagementactivityIds)\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n ),\n PreviousPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and 
descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n 
AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimUserManagementSentinelOne", + "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", 
\"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and activityType_d in (UsermanagementactivityIds)\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n ),\n PreviousPropertyValue = 
case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = 
iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json b/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json index 77b8084b591..ba7b0a4098a 100644 --- a/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json +++ b/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json 
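Review bot: `EventType` can be left empty for activity types 67 and 42: their `EventTypeLookup` rows carry `""`, and the following `case` only assigns `UserEnabled`/`UserDisabled` when `primaryDescription_s` has the term `enabled` or `disabled`, otherwise falling back to that empty lookup value. An empty `EventType` is not a meaningful schema value and such rows would be invisible to any consumer filtering by event type. Either the lookup rows for 67 and 42 should carry a non-empty default (presumably `UserModified`, as the neighbouring 2FA rows 145–147 do — confirm against the vendor semantics, since 42 is a global rather than per-user change), or the `case` default should become `iff(isempty(EventType), "UserModified", EventType)`. The restructuring does not touch this logic, so the correction belongs in the parser YAML this template appears to be generated from.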
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/imUserManagement')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "imUserManagement",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "User Management ASIM filtering parser",
- "category": "ASIM",
- "FunctionAlias": "imUserManagement",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser\n | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n pack: bool=false) {\n union isfuzzy=true\n vimUserManagementEmpty,\n vimUserManagementMicrosoftSecurityEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers)))),\n vimUserManagementMicrosoftWindowsEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftWindowsEvent' in (DisabledParsers)))),\n vimUserManagementCiscoISE(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers)))),\n vimUserManagementSentinelOne(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers)))),\n vimUserManagementLinuxAuthpriv(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers)))),\n vimUserManagementNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementNative' in (DisabledParsers))))\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any, \n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n pack=pack\n)\n",
- "version": 1,
- "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),pack:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "User Management ASIM filtering parser",
+ "category": "ASIM",
+ "FunctionAlias": "imUserManagement",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser\n | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n pack: bool=false) {\n union isfuzzy=true\n vimUserManagementEmpty,\n vimUserManagementMicrosoftSecurityEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers)))),\n vimUserManagementMicrosoftWindowsEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftWindowsEvent' in (DisabledParsers)))),\n vimUserManagementCiscoISE(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers)))),\n vimUserManagementSentinelOne(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers)))),\n vimUserManagementLinuxAuthpriv(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers)))),\n vimUserManagementNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementNative' in (DisabledParsers))))\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any, \n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n pack=pack\n)\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),pack:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json b/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json
index ec869750b60..9adbe52ec43 100644
--- a/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimUserManagementCiscoISE')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimUserManagementCiscoISE",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "User Management ASIM filtering parser for Cisco ISE",
- "category": "ASIM",
- "FunctionAlias": "vimUserManagementCiscoISE",
- "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", 
\"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", 
\"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet CiscoISEUsrMgmtParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n | summarize make_set(EventOriginalType));\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n //***************************** **************************\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0)\n //***************************** *************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in 
(EventOriginalTypeList)\n | project\n TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n SyslogMessage,\n HostName,\n HostIP\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n Computer,\n SyslogMessage,\n HostIP,\n NetworkDeviceName,\n HostName,\n dvcHostname,\n ['User-Name'],\n UserName\n}; \nCiscoISEUsrMgmtParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n targetusername_has_any = targetusername_has_any,\n disabled=disabled\n)\n", 
- "version": 1,
- "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False"
- }
- }
- ]
+ "properties": {
+ "etag": "*",
+ "displayName": "User Management ASIM filtering parser for Cisco ISE",
+ "category": "ASIM",
+ "FunctionAlias": "vimUserManagementCiscoISE",
+ "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. 
This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", 
\"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against 
Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet CiscoISEUsrMgmtParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n | summarize make_set(EventOriginalType));\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n //***************************** **************************\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0)\n //***************************** *************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | project\n TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n SyslogMessage,\n HostName,\n HostIP\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n 
SrcIpAddr=['Remote-Address']\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n Computer,\n SyslogMessage,\n HostIP,\n NetworkDeviceName,\n HostName,\n dvcHostname,\n ['User-Name'],\n UserName\n}; \nCiscoISEUsrMgmtParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n targetusername_has_any = targetusername_has_any,\n disabled=disabled\n)\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementEmpty/vimUserManagementEmpty.json b/Parsers/ASimUserManagement/ARM/vimUserManagementEmpty/vimUserManagementEmpty.json
index 1eb97d0db03..b165547f5d1 100644
--- a/Parsers/ASimUserManagement/ARM/vimUserManagementEmpty/vimUserManagementEmpty.json
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementEmpty/vimUserManagementEmpty.json
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimUserManagementEmpty", - "query": "let parser=datatable(\n TimeGenerated:datetime,\n _ResourceId:string,\n Type:string,\n //****** Event fields ******\n EventCount:int,\n EventEndTime:datetime,\n EventProduct:string,\n EventResult:string,\n EventSchema:string,\n EventSchemaVersion:string,\n EventSeverity:string,\n EventStartTime:datetime,\n EventType:string,\n EventVendor:string,\n EventResultDetails:string,\n EventUid:string,\n EventMessage:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventOriginalType:string,\n EventOriginalUid:string,\n EventOwner:string,\n EventProductVersion:string,\n EventReportUrl:string,\n EventSubType:string,\n AdditionalFields:dynamic,\n // ****** Device fields ******\n Dvc:string,\n DvcAction:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcHostname:string,\n DvcId:string,\n DvcIdType:string,\n DvcIpAddr:string,\n DvcDescription:string,\n DvcInterface:string,\n DvcMacAddr:string,\n DvcOriginalAction:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcScope:string,\n DvcScopeId:string,\n DvcZone:string,\n Src:string,\n SrcDomain:string,\n SrcDomainType:string,\n SrcHostname:string,\n SrcIpAddr:string,\n //****** Actor 
fields ******\n ActorUsername:string,\n ActorUsernameType:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUserType:string,\n ActingAppId:string,\n ActingAppType:string,\n ActingOriginalAppType:string,\n ActingAppName:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n //****** Group fields ******\n GroupId:string,\n GroupIdType:string,\n GroupName:string,\n GroupNameType:string,\n GroupOriginalType:string,\n GroupType:string,\n HttpUserAgent:string,\n NewPropertyValue:string,\n PreviousPropertyValue:string,\n SrcDeviceType:string,\n SrcDvcId:string,\n SrcDvcIdType:string,\n SrcDvcScope:string,\n SrcDvcScopeId:string,\n SrcFQDN:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n SrcGeoRegion:string,\n SrcMacAddr:string,\n SrcPortNumber :int,\n SrcDescription:string,\n SrcRiskLevel:int,\n SrcOriginalRiskLevel:string,\n //****** Target fields ******\n TargetOriginalUserType:string,\n TargetUserId:string,\n TargetUserIdType:string,\n TargetUsername:string,\n TargetUsernameType:string,\n TargetUserType:string,\n TargetUserUid:string,\n TargetUserScopeId:string,\n TargetUserScope:string,\n TargetUserSessionId:string,\n // ****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ******\n Hostname:string,\n IpAddr:string,\n UpdatedPropertyName:string,\n User:string,\n Dst:string\n )[];\n parser", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimUserManagementEmpty", + 
"query": "let parser=datatable(\n TimeGenerated:datetime,\n _ResourceId:string,\n Type:string,\n //****** Event fields ******\n EventCount:int,\n EventEndTime:datetime,\n EventProduct:string,\n EventResult:string,\n EventSchema:string,\n EventSchemaVersion:string,\n EventSeverity:string,\n EventStartTime:datetime,\n EventType:string,\n EventVendor:string,\n EventResultDetails:string,\n EventUid:string,\n EventMessage:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventOriginalSubType:string,\n EventOriginalType:string,\n EventOriginalUid:string,\n EventOwner:string,\n EventProductVersion:string,\n EventReportUrl:string,\n EventSubType:string,\n AdditionalFields:dynamic,\n // ****** Device fields ******\n Dvc:string,\n DvcAction:string,\n DvcDomain:string,\n DvcDomainType:string,\n DvcFQDN:string,\n DvcHostname:string,\n DvcId:string,\n DvcIdType:string,\n DvcIpAddr:string,\n DvcDescription:string,\n DvcInterface:string,\n DvcMacAddr:string,\n DvcOriginalAction:string,\n DvcOs:string,\n DvcOsVersion:string,\n DvcScope:string,\n DvcScopeId:string,\n DvcZone:string,\n Src:string,\n SrcDomain:string,\n SrcDomainType:string,\n SrcHostname:string,\n SrcIpAddr:string,\n //****** Actor fields ******\n ActorUsername:string,\n ActorUsernameType:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n ActorUserId:string,\n ActorUserIdType:string,\n ActorUserType:string,\n ActingAppId:string,\n ActingAppType:string,\n ActingOriginalAppType:string,\n ActingAppName:string,\n ActorUserAadId:string,\n ActorUserSid:string,\n ActorScopeId:string,\n ActorScope:string,\n //****** Group fields ******\n GroupId:string,\n GroupIdType:string,\n GroupName:string,\n GroupNameType:string,\n GroupOriginalType:string,\n GroupType:string,\n HttpUserAgent:string,\n NewPropertyValue:string,\n PreviousPropertyValue:string,\n SrcDeviceType:string,\n SrcDvcId:string,\n SrcDvcIdType:string,\n SrcDvcScope:string,\n SrcDvcScopeId:string,\n SrcFQDN:string,\n 
SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n SrcGeoRegion:string,\n SrcMacAddr:string,\n SrcPortNumber :int,\n SrcDescription:string,\n SrcRiskLevel:int,\n SrcOriginalRiskLevel:string,\n //****** Target fields ******\n TargetOriginalUserType:string,\n TargetUserId:string,\n TargetUserIdType:string,\n TargetUsername:string,\n TargetUsernameType:string,\n TargetUserType:string,\n TargetUserUid:string,\n TargetUserScopeId:string,\n TargetUserScope:string,\n TargetUserSessionId:string,\n // ****** Inspection fields ******\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatRiskLevel:int,\n ThreatOriginalRiskLevel:string,\n ThreatConfidence:int,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ThreatField:string,\n //****** aliases ******\n Hostname:string,\n IpAddr:string,\n UpdatedPropertyName:string,\n User:string,\n Dst:string\n )[];\n parser", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json b/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json index 2e7e36b99f4..c5a66bae9b5 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementLinuxAuthpriv')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementLinuxAuthpriv", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Linux Authpriv logs", - "category": "ASIM", - "FunctionAlias": "vimUserManagementLinuxAuthpriv", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix)) and\n (array_length(targetusername_has_any) == 
0 or (SyslogMessage has_any(targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SyslogMessage has_any(actorusername_has_any)))\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | 
invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserModified\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserAddedToGroup\" in (eventtype_in)))\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n 
SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDisabled\" in (eventtype_in)) or (\"UserEnabled\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"PasswordChanged\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n 
(array_length(eventtype_in) == 0 or \"UserLocked\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername 
has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in 
(eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupDeleted\" in (eventtype_in)))\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(eventtype_in) == 0 or (\"UserAddedToGroup\" in (eventtype_in)) or (\"UserRemovedFromGroup\" in (eventtype_in)))\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any(actorusername_has_any)))\n | lookup ActionLookup on Action\n | where 
(array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Linux Authpriv logs", + "category": "ASIM", + "FunctionAlias": "vimUserManagementLinuxAuthpriv", + "query": "let parser = (\n 
starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix)) and\n (array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SyslogMessage has_any(actorusername_has_any)))\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | where 
(array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername 
has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserModified\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserAddedToGroup\" in (eventtype_in)))\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDisabled\" in (eventtype_in)) or (\"UserEnabled\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n 
EventResult = \"Success\"\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"PasswordChanged\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserLocked\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | where 
(array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to 
\"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend 
split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupDeleted\" in (eventtype_in)))\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(eventtype_in) == 0 or (\"UserAddedToGroup\" in (eventtype_in)) or (\"UserRemovedFromGroup\" in (eventtype_in)))\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any(actorusername_has_any)))\n | lookup ActionLookup on Action\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n 
GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json index 5b9ecf96e53..eb7168ddd4f 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementMicrosoftSecurityEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementMicrosoftSecurityEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Microsoft Security Event logs", - "category": "ASIM", - "FunctionAlias": "vimUserManagementMicrosoftSecurityEvent", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n 
\"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n 
and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData 
has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with 
(regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff 
(isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname, \n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Microsoft Security Event logs", + "category": "ASIM", + "FunctionAlias": "vimUserManagementMicrosoftSecurityEvent", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n let EventIDLookup = datatable(EventID:int, EventType:string, 
EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", 
\"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project 
TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, 
EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | 
project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname, \n ActorUserIdType=\"SID\"\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n )", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftWindowsEvent/vimUserManagementMicrosoftWindowsEvent.json b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftWindowsEvent/vimUserManagementMicrosoftWindowsEvent.json
index 24f033e5594..5a5c2db5ad3 100644
--- a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftWindowsEvent/vimUserManagementMicrosoftWindowsEvent.json
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftWindowsEvent/vimUserManagementMicrosoftWindowsEvent.json
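Review bot: The flattened `Microsoft.OperationalInsights/workspaces/savedSearches` resource no longer declares the parent `Microsoft.OperationalInsights/workspaces` resource or a `dependsOn` on it, so deploying this template now fails unless the named workspace already exists instead of (re)asserting it; that is a sensible contract for a parser template, but nothing in the template states it. I would record it on the `Workspace` parameter, whose block sits above this hunk, with `"metadata": { "description": "Name of an existing Log Analytics workspace; this template does not create it" }`. The retained `"etag": "*"` still overwrites any existing saved search with the same function alias unconditionally, which is worth stating in the same place so operators know a redeploy replaces local edits. The same structural change appears in the vimUserManagementMicrosoftWindowsEvent.json section that follows and presumably in every other ARM file in this commit, so the parameter description belongs in the generator that emits these files rather than in each file by hand.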
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementMicrosoftWindowsEvent')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for Microsoft Windows Event logs", - "category": "ASIM", - "FunctionAlias": "vimUserManagementMicrosoftWindowsEvent", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventIDLookup = datatable(\n EventID: int,\n EventType: string,\n EventSubType: string,\n GroupType: string\n )\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security 
Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType: string, ActorUserType: string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\", \"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\", \"GroupModified\") \n | summarize make_set(EventID)\n );\n union\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or 
TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomain has_any (targetusername_has_any)) or (TargetUsername has_any (targetusername_has_any)) or (strcat(TargetDomain, \"\\\\\", TargetUsername) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, \"\\\\\", SubjectUserName) has_any (actorusername_has_any)))\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project\n TimeGenerated,\n EventID,\n Computer,\n _ResourceId,\n TargetDomain,\n TargetUserId,\n TargetUsername,\n ActorUserId,\n SubjectDomainName,\n SubjectUserName,\n ActorOriginalUserType,\n ActorSessionId,\n NewPropertyValue,\n PreviousPropertyValue,\n EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), 
\"SID\", \"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (NewTargetUserName has_any (targetusername_has_any)) or (OldTargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\", GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project\n TimeGenerated,\n EventID,\n Computer,\n _ResourceId,\n GroupId,\n GroupName,\n ActorUserId,\n SubjectDomainName,\n SubjectUserName,\n ActorOriginalUserType,\n ActorSessionId,\n TargetUsername,\n TargetUserId,\n EventMessage\n | extend \n 
GroupIdType = iif(isnotempty(GroupId), \"SID\", \"\")\n )\n | lookup EventIDLookup on EventID\n | extend UpdatedPropertyName = EventSubType\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | lookup UserTypeLookup on ActorOriginalUserType\n | extend EventOriginalType = tostring(EventID)\n | extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname,\n ActorUserIdType=\"SID\"\n | project-away Subject*, Computer, _ResourceId, EventID\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n User = ActorUsername\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for Microsoft Windows Event logs", + "category": "ASIM", + 
"FunctionAlias": "vimUserManagementMicrosoftWindowsEvent", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n let EventIDLookup = datatable(\n EventID: int,\n EventType: string,\n EventSubType: string,\n GroupType: string\n )\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", 
\"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType: string, ActorUserType: string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\", \"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\", \"GroupModified\") \n | summarize make_set(EventID)\n );\n union\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n 
TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomain has_any (targetusername_has_any)) or (TargetUsername has_any (targetusername_has_any)) or (strcat(TargetDomain, \"\\\\\", TargetUsername) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName, \"\\\\\", SubjectUserName) has_any (actorusername_has_any)))\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project\n TimeGenerated,\n EventID,\n Computer,\n _ResourceId,\n TargetDomain,\n TargetUserId,\n TargetUsername,\n ActorUserId,\n SubjectDomainName,\n SubjectUserName,\n ActorOriginalUserType,\n ActorSessionId,\n NewPropertyValue,\n PreviousPropertyValue,\n EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\", \"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n 
GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (NewTargetUserName has_any (targetusername_has_any)) or (OldTargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\", GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project\n TimeGenerated,\n EventID,\n Computer,\n _ResourceId,\n GroupId,\n GroupName,\n ActorUserId,\n SubjectDomainName,\n SubjectUserName,\n ActorOriginalUserType,\n ActorSessionId,\n TargetUsername,\n TargetUserId,\n EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\", \"\")\n )\n | lookup EventIDLookup on EventID\n | extend UpdatedPropertyName = EventSubType\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | lookup UserTypeLookup on ActorOriginalUserType\n | extend EventOriginalType = tostring(EventID)\n | extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = 
TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname,\n ActorUserIdType=\"SID\"\n | project-away Subject*, Computer, _ResourceId, EventID\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n User = ActorUsername\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json index 39cbda3482a..da1cce6aea7 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json 
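Review bot: In the group branch of the new-side query (the second `WindowsEvent` sub-query), the `targetusername_has_any` filter is applied to `NewTargetUserName` and `OldTargetUserName`, yet the value the parser emits as `TargetUsername` is `MemberName`, so a caller filtering on the member added to or removed from a group is matched against fields the output does not carry; the same branch checks the actor only via `SubjectUserName`, unlike the user branch, which also tries the domain-qualified form. For a filtering parser that detections invoke with `targetusername_has_any`, this silently drops group-membership rows instead of failing visibly. I would widen the condition to `... or (MemberName has_any (targetusername_has_any)) or (NewTargetUserName has_any (targetusername_has_any)) or (OldTargetUserName has_any (targetusername_has_any))` and mirror the user branch's domain-qualified actor check. This ARM file appears to be generated from the parser YAML (the conversion workflow touched in this commit watches `Parsers/**/Parsers/**`), so the fix belongs in the YAML source with the ARM regenerated rather than hand-edited here.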
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management activity ASIM filtering parser for Microsoft Sentinel native User Management activity table", - "category": "ASIM", - "FunctionAlias": "vimUserManagementNative", - "query": "let parser = (\n starttime:datetime = datetime(null)\n , endtime:datetime = datetime(null)\n , srcipaddr_has_any_prefix:dynamic = dynamic([])\n , targetusername_has_any:dynamic = dynamic([])\n , actorusername_has_any:dynamic = dynamic([])\n , eventtype_in:dynamic = dynamic([])\n , disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff 
(isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , srcipaddr_has_any_prefix = srcipaddr_has_any_prefix\n , targetusername_has_any = targetusername_has_any\n , actorusername_has_any = actorusername_has_any\n , eventtype_in = eventtype_in\n , disabled = disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management activity ASIM filtering parser for Microsoft Sentinel native User Management activity table", + "category": "ASIM", + "FunctionAlias": "vimUserManagementNative", + "query": "let parser = (\n starttime:datetime = datetime(null)\n , endtime:datetime = datetime(null)\n , srcipaddr_has_any_prefix:dynamic = dynamic([])\n , targetusername_has_any:dynamic = dynamic([])\n , actorusername_has_any:dynamic = dynamic([])\n , eventtype_in:dynamic = dynamic([])\n , disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0 or TargetUsername 
has_any (targetusername_has_any))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , srcipaddr_has_any_prefix = srcipaddr_has_any_prefix\n , targetusername_has_any = targetusername_has_any\n , actorusername_has_any = actorusername_has_any\n , eventtype_in = eventtype_in\n , disabled = disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json b/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json index 910a97a20a8..53d86dbc780 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json 
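Review bot: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` in the aliases block of the new-side query tests the wrong column: when `EventEndTime` is populated but `EventStartTime` is null, the start time stays null, while the adjacent `EventEndTime` alias on the line above is defaulted correctly. The line should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime)`. If this ARM JSON is generated from the parser YAML, as the conversion workflow in this commit suggests, make the change there and regenerate so the two stay in sync.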
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimUserManagementSentinelOne')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimUserManagementSentinelOne", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "User Management ASIM parser for SentinelOne", - "category": "ASIM", - "FunctionAlias": "vimUserManagementSentinelOne", - "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, 
\"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and activityType_d in (UsermanagementactivityIds)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any))\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", 
quote='\"')\n | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix)\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | extend \n PreviousPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | where (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n 
GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any 
= actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "User Management ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimUserManagementSentinelOne", + "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy 
Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and activityType_d in (UsermanagementactivityIds)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any))\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix)\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" 
id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | extend \n PreviousPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | where (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = 
\"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json b/Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json index 65c35823283..a8ef61ad367 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSession')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSession", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser", - "category": "ASIM", - "FunctionAlias": "ASimWebSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimWebSessionEmpty,\n ASimWebSessionSquidProxy (ASimBuiltInDisabled or ('ExcludeASimWebSessionSquidProxy' in (DisabledParsers))),\n ASimWebSessionZscalerZIA (ASimBuiltInDisabled or ('ExcludeASimWebSessionZscalerZIA' in (DisabledParsers))),\n ASimWebSessionNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionNative' in (DisabledParsers)))),\n ASimWebSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionVectraAI' in (DisabledParsers)))),\n ASimWebSessionIIS (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionIIS' in (DisabledParsers)))),\n ASimWebSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCEF' in (DisabledParsers))),\n ASimWebSessionApacheHTTPServer (ASimBuiltInDisabled or ('ExcludeASimWebSessionApacheHTTPServer' in (DisabledParsers))),\n 
ASimWebSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimWebSessionFortinetFortiGate' in (DisabledParsers))),\n ASimWebSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoMeraki' in (DisabledParsers))),\n ASimWebSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaWAF' in (DisabledParsers))),\n ASimWebSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaCEF' in (DisabledParsers))),\n ASimWebSessionCitrixNetScaler (ASimBuiltInDisabled or ('ExcludeASimWebSessionCitrixNetScaler' in (DisabledParsers))),\n ASimWebSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoFirepower' in (DisabledParsers))),\n ASimWebSessionF5ASM (ASimBuiltInDisabled or ('ExcludeASimWebSessionF5ASM' in (DisabledParsers))),\n ASimWebSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCortexDataLake' in (DisabledParsers))),\n ASimWebSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimWebSessionSonicWallFirewall' in (DisabledParsers)))\n}; \nparser(pack=pack)\n", - "version": 1, - "functionParameters": "pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser", + "category": "ASIM", + "FunctionAlias": "ASimWebSession", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimWebSessionEmpty,\n ASimWebSessionSquidProxy (ASimBuiltInDisabled or ('ExcludeASimWebSessionSquidProxy' in (DisabledParsers))),\n ASimWebSessionZscalerZIA (ASimBuiltInDisabled or ('ExcludeASimWebSessionZscalerZIA' in (DisabledParsers))),\n 
ASimWebSessionNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionNative' in (DisabledParsers)))),\n ASimWebSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionVectraAI' in (DisabledParsers)))),\n ASimWebSessionIIS (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionIIS' in (DisabledParsers)))),\n ASimWebSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCEF' in (DisabledParsers))),\n ASimWebSessionApacheHTTPServer (ASimBuiltInDisabled or ('ExcludeASimWebSessionApacheHTTPServer' in (DisabledParsers))),\n ASimWebSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimWebSessionFortinetFortiGate' in (DisabledParsers))),\n ASimWebSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoMeraki' in (DisabledParsers))),\n ASimWebSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaWAF' in (DisabledParsers))),\n ASimWebSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaCEF' in (DisabledParsers))),\n ASimWebSessionCitrixNetScaler (ASimBuiltInDisabled or ('ExcludeASimWebSessionCitrixNetScaler' in (DisabledParsers))),\n ASimWebSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoFirepower' in (DisabledParsers))),\n ASimWebSessionF5ASM (ASimBuiltInDisabled or ('ExcludeASimWebSessionF5ASM' in (DisabledParsers))),\n ASimWebSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCortexDataLake' in (DisabledParsers))),\n ASimWebSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimWebSessionSonicWallFirewall' in (DisabledParsers)))\n}; \nparser(pack=pack)\n", + "version": 1, + "functionParameters": "pack:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/ASimWebSessionApacheHTTPServer.json b/Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/ASimWebSessionApacheHTTPServer.json index 31f99abbd1d..9618187d598 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/ASimWebSessionApacheHTTPServer.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionApacheHTTPServer/ASimWebSessionApacheHTTPServer.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionApacheHTTPServer')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionApacheHTTPServer", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Apache HTTP Server", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionApacheHTTPServer", - "query": "let Parser=(disabled:bool=false){\n ApacheHTTPServer_CL\n | where not(disabled)\n | project RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\n | where not (RawData startswith \"[\") \n | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\n | parse RawData with * '] ' Temp'\"' *\n | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\n | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\n | project-away RawData, Date, ClientIdentity, Temp\n | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\n | project-rename \n DvcHostname = Computer,\n DvcId = _ResourceId,\n EventUid = _ItemId\n | extend \n HttpVersion = tostring(split(Protocol,\"/\")[1]),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\")\n | extend \n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent,\n EventResult = iff (\n 
toint(EventResultDetails) < 400, \"Success\", \n \"Failure\"\n ),\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname,\n User = SrcUsername,\n SrcUsername = case(SrcUsername == \"-\", \"\", SrcUsername),\n HttpReferrer = case(HttpReferrer == \"-\", \"\", HttpReferrer),\n HttpUserAgent = case(HttpUserAgent == \"-\", \"\", HttpUserAgent),\n DstHostname = case(DstHostname == \"-\", \"\", DstHostname)\n | extend SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-away Protocol\n | extend\n EventType = \"WebServerSession\", \n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventCount = int(1),\n EventVendor = \"Apache\",\n EventProduct = \"HTTP Server\",\n EventSeverity = \"Informational\"\n};\nParser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Apache HTTP Server", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionApacheHTTPServer", + "query": "let Parser=(disabled:bool=false){\n ApacheHTTPServer_CL\n | where not(disabled)\n | project RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\n | where not (RawData startswith \"[\") \n | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\n | parse RawData with * '] ' Temp'\"' *\n | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\n | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\n | project-away RawData, Date, ClientIdentity, Temp\n | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\n | project-rename \n DvcHostname = Computer,\n DvcId = _ResourceId,\n EventUid = _ItemId\n | extend \n HttpVersion = tostring(split(Protocol,\"/\")[1]),\n EventStartTime = TimeGenerated,\n 
EventEndTime = TimeGenerated,\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\")\n | extend \n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent,\n EventResult = iff (\n toint(EventResultDetails) < 400, \"Success\", \n \"Failure\"\n ),\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname,\n User = SrcUsername,\n SrcUsername = case(SrcUsername == \"-\", \"\", SrcUsername),\n HttpReferrer = case(HttpReferrer == \"-\", \"\", HttpReferrer),\n HttpUserAgent = case(HttpUserAgent == \"-\", \"\", HttpUserAgent),\n DstHostname = case(DstHostname == \"-\", \"\", DstHostname)\n | extend SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-away Protocol\n | extend\n EventType = \"WebServerSession\", \n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventCount = int(1),\n EventVendor = \"Apache\",\n EventProduct = \"HTTP Server\",\n EventSeverity = \"Informational\"\n};\nParser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaCEF/ASimWebSessionBarracudaCEF.json b/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaCEF/ASimWebSessionBarracudaCEF.json index 959cec1b450..4247a7e964e 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaCEF/ASimWebSessionBarracudaCEF.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaCEF/ASimWebSessionBarracudaCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Barracuda CEF", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionBarracudaCEF", - "query": "let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory in (\"WF\", \"TR\")\n | lookup EventResultWFLookup on $left.DeviceAction == $right.Action_s\n | lookup EventTypeLookup on $left.DeviceEventCategory == $right.LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dst = 
DestinationIP,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\",\n status_code = toint(EventOutcome)\n | extend\n EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n ),\n RuleName = iff(DeviceEventCategory == \"WF\", DeviceCustomString3, \"\")\n | extend\n Dvc = DeviceName,\n EventResult = iff(DeviceEventCategory == \"TR\", EventResult_TR, EventResult_WF),\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DstBytes = tolong(ReceivedBytes),\n DstPortNumber = toint(coalesce(DestinationPort,FieldDeviceCustomNumber1)),\n HttpCookie = RequestCookies,\n HttpReferrer = RequestContext,\n HttpRequestBodyBytes = tolong(ReceivedBytes),\n HttpRequestMethod = RequestMethod,\n HttpResponseBodyBytes = tolong(SentBytes),\n NetworkDuration = toint(FlexNumber2),\n HttpUserAgent = RequestClientApplication,\n NetworkSessionId = SourceUserID,\n Rule = RuleName,\n SrcPortNumber = toint(SourcePort),\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n HttpResponseCacheControl = iff(\n FieldDeviceCustomNumber2 == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n iff(DeviceEventCategory == \"WF\", DeviceCustomString5, DeviceCustomString3),\n \"ProxyPort\",\n FieldDeviceCustomNumber3\n ),\n DvcHostname = DeviceName,\n DvcIpAddr = DeviceAddress,\n EventResultDetails = EventOutcome,\n HttpVersion = FlexString1\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\")\n | extend\n Duration = 
NetworkDuration,\n SessionId = NetworkSessionId,\n EventEndTime = EventStartTime,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n HttpStatusCode = EventResultDetails\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n EventResult_*,\n status_code,\n EventType_lookup,\n TenantId,\n CollectorHostName;\n BarracudaCEF\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Barracuda CEF", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionBarracudaCEF", + "query": "let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and 
(DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory in (\"WF\", \"TR\")\n | lookup EventResultWFLookup on $left.DeviceAction == $right.Action_s\n | lookup EventTypeLookup on $left.DeviceEventCategory == $right.LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dst = DestinationIP,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\",\n status_code = toint(EventOutcome)\n | extend\n EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n ),\n RuleName = iff(DeviceEventCategory == \"WF\", DeviceCustomString3, \"\")\n | extend\n Dvc = DeviceName,\n EventResult = iff(DeviceEventCategory == \"TR\", EventResult_TR, EventResult_WF),\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DstBytes = tolong(ReceivedBytes),\n DstPortNumber = toint(coalesce(DestinationPort,FieldDeviceCustomNumber1)),\n HttpCookie = RequestCookies,\n HttpReferrer = RequestContext,\n HttpRequestBodyBytes = tolong(ReceivedBytes),\n HttpRequestMethod = RequestMethod,\n HttpResponseBodyBytes = tolong(SentBytes),\n NetworkDuration = toint(FlexNumber2),\n HttpUserAgent = RequestClientApplication,\n NetworkSessionId = SourceUserID,\n Rule = RuleName,\n SrcPortNumber = toint(SourcePort),\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n HttpResponseCacheControl = iff(\n FieldDeviceCustomNumber2 == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n iff(DeviceEventCategory == \"WF\", 
DeviceCustomString5, DeviceCustomString3),\n \"ProxyPort\",\n FieldDeviceCustomNumber3\n ),\n DvcHostname = DeviceName,\n DvcIpAddr = DeviceAddress,\n EventResultDetails = EventOutcome,\n HttpVersion = FlexString1\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\")\n | extend\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n EventEndTime = EventStartTime,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n HttpStatusCode = EventResultDetails\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n EventResult_*,\n status_code,\n EventType_lookup,\n TenantId,\n CollectorHostName;\n BarracudaCEF\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaWAF/ASimWebSessionBarracudaWAF.json b/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaWAF/ASimWebSessionBarracudaWAF.json index 2a05b43f882..d737b1894d1 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaWAF/ASimWebSessionBarracudaWAF.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionBarracudaWAF/ASimWebSessionBarracudaWAF.json 
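Review bot: In the new-side query, `EventResult = iff(DeviceEventCategory == "TR", EventResult_TR, EventResult_WF)` leaves EventResult empty for any "WF" row whose DeviceAction is not one of the three values in EventResultWFLookup ("LOG", "DENY", "WARNING"), since an unmatched lookup yields an empty EventResult_WF; the TR branch at least falls through to "NA". The Meraki parser further down this page handles the same gap with `isempty(EventResult), "NA"`, so for consistency this could read `EventResult = case(DeviceEventCategory == "TR", EventResult_TR, isempty(EventResult_WF), "NA", EventResult_WF)`. The same unguarded expression appears in the Barracuda WAF hunk that follows (`EventResult = iff(LogType_s == "TR", EventResult_TR, EventResult_WF)`, keyed on Action_s). Whether Barracuda emits other action strings is not visible here, so treat this as a hardening of the mandatory-field contract rather than a confirmed data issue.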
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionBarracudaWAF", - "query": "let barracudaSchema = datatable(\n ServerIP_s: string,\n UnitName_s: string,\n HTTPStatus_s: string,\n Action_s: string,\n Severity_s: string,\n DeviceReceiptTime_s: string,\n LogType_s: string,\n ClientIP_s: string,\n host_s: string,\n HostIP_s: string,\n BytesReceived_d: real,\n ServerPort_d: real,\n Cookie_s: string,\n Referer_s: string,\n Method_s: string,\n BytesSent_d: real,\n SessionID_s: string,\n ClientPort_d: real,\n AuthenticatedUser_s: string,\n CertificateUser_s: string,\n UserAgent_s: string,\n URL_s: string,\n CacheHit_d: real,\n ProxyIP_s: string,\n ProxyPort_d: real,\n RuleType_s: string,\n ServiceIP_s: string,\n TimeTaken_d: real,\n ServicePort_d: real,\n ProtocolVersion_s: string,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: 
string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and (LogType_s in (\"WF\", \"TR\"))\n | lookup EventResultWFLookup on Action_s\n | lookup EventTypeLookup on LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dst = iff(LogType_s == \"WF\", ServiceIP_s, ServerIP_s),\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\",\n status_code = toint(HTTPStatus_s)\n | extend\n EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 
399),\n \"Partial\",\n \"NA\"\n ),\n RuleName = RuleType_s\n | extend\n Dvc = UnitName_s,\n EventResult = iff(LogType_s == \"TR\", EventResult_TR, EventResult_WF),\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n DstIpAddr = ServerIP_s,\n SrcIpAddr = ClientIP_s,\n DstBytes = tolong(BytesReceived_d),\n DstPortNumber = toint(coalesce(ServerPort_d,ServicePort_d)),\n HttpCookie = Cookie_s,\n HttpReferrer = Referer_s,\n HttpRequestBodyBytes = tolong(BytesReceived_d),\n HttpRequestMethod = Method_s,\n HttpResponseBodyBytes = tolong(BytesSent_d),\n NetworkDuration = toint(TimeTaken_d),\n HttpUserAgent = UserAgent_s,\n NetworkSessionId = SessionID_s,\n Rule = RuleName,\n SrcPortNumber = toint(ClientPort_d),\n SrcUsername = CertificateUser_s,\n DstUsername = AuthenticatedUser_s,\n Url = URL_s,\n HttpResponseCacheControl = iff(\n CacheHit_d == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n ProxyIP_s,\n \"ProxyPort\",\n ProxyPort_d\n ),\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n EventResultDetails = HTTPStatus_s,\n HttpVersion = ProtocolVersion_s\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\")\n | extend\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n EventEndTime = EventStartTime,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n HttpStatusCode = EventResultDetails\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n status_code,\n RawData,\n EventResult_*,\n SourceIP,\n Message,\n EventType_lookup,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\n BarracudaCustom\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - 
] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionBarracudaWAF", + "query": "let barracudaSchema = datatable(\n ServerIP_s: string,\n UnitName_s: string,\n HTTPStatus_s: string,\n Action_s: string,\n Severity_s: string,\n DeviceReceiptTime_s: string,\n LogType_s: string,\n ClientIP_s: string,\n host_s: string,\n HostIP_s: string,\n BytesReceived_d: real,\n ServerPort_d: real,\n Cookie_s: string,\n Referer_s: string,\n Method_s: string,\n BytesSent_d: real,\n SessionID_s: string,\n ClientPort_d: real,\n AuthenticatedUser_s: string,\n CertificateUser_s: string,\n UserAgent_s: string,\n URL_s: string,\n CacheHit_d: real,\n ProxyIP_s: string,\n ProxyPort_d: real,\n RuleType_s: string,\n ServiceIP_s: string,\n TimeTaken_d: real,\n ServicePort_d: real,\n ProtocolVersion_s: string,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and (LogType_s in (\"WF\", \"TR\"))\n | lookup EventResultWFLookup on Action_s\n | lookup EventTypeLookup on 
LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dst = iff(LogType_s == \"WF\", ServiceIP_s, ServerIP_s),\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\",\n status_code = toint(HTTPStatus_s)\n | extend\n EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n ),\n RuleName = RuleType_s\n | extend\n Dvc = UnitName_s,\n EventResult = iff(LogType_s == \"TR\", EventResult_TR, EventResult_WF),\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n DstIpAddr = ServerIP_s,\n SrcIpAddr = ClientIP_s,\n DstBytes = tolong(BytesReceived_d),\n DstPortNumber = toint(coalesce(ServerPort_d,ServicePort_d)),\n HttpCookie = Cookie_s,\n HttpReferrer = Referer_s,\n HttpRequestBodyBytes = tolong(BytesReceived_d),\n HttpRequestMethod = Method_s,\n HttpResponseBodyBytes = tolong(BytesSent_d),\n NetworkDuration = toint(TimeTaken_d),\n HttpUserAgent = UserAgent_s,\n NetworkSessionId = SessionID_s,\n Rule = RuleName,\n SrcPortNumber = toint(ClientPort_d),\n SrcUsername = CertificateUser_s,\n DstUsername = AuthenticatedUser_s,\n Url = URL_s,\n HttpResponseCacheControl = iff(\n CacheHit_d == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n ProxyIP_s,\n \"ProxyPort\",\n ProxyPort_d\n ),\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n EventResultDetails = HTTPStatus_s,\n HttpVersion = ProtocolVersion_s\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\")\n | extend\n Duration = 
NetworkDuration,\n SessionId = NetworkSessionId,\n EventEndTime = EventStartTime,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n HttpStatusCode = EventResultDetails\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n status_code,\n RawData,\n EventResult_*,\n SourceIP,\n Message,\n EventType_lookup,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\n BarracudaCustom\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoFirepower/ASimWebSessionCiscoFirepower.json b/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoFirepower/ASimWebSessionCiscoFirepower.json index e8bbf61fc43..cdfce8d3a23 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoFirepower/ASimWebSessionCiscoFirepower.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoFirepower/ASimWebSessionCiscoFirepower.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionCiscoFirepower')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionCiscoFirepower", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Cisco Firepower", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionCiscoFirepower", - "query": "let EventFieldsLookup = datatable(\n DeviceAction: string, \n DvcAction: string,\n EventResult: string\n )\n [\n \"Detect\", \"Allow\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Malware Cloud Lookup\", \"Deny\", \"Failure\",\n \"Malware Block\", \"Deny\", \"Failure\",\n \"Malware Allow List\", \"Allow\", \"Success\",\n \"Cloud Lookup Timeout\", \"Deny\", \"Failure\",\n \"Custom Detection\", \"Allow\", \"Partial\",\n \"Custom Detection Block\", \"Deny\", \"Failure\",\n \"Archive Block-Depth Exceeded\", \"Deny\", \"Failure\",\n \"Archive Block-Encrypted\", \"Encrypt\", \"Failure\",\n \"Archive Block-Failed to Inspect\", \"Deny\", \"Failure\"\n ];\n let DirectionLookup = datatable (CommunicationDirection: string, NetworkDirection: string)[\n \"1\", \"Inbound\",\n \"2\", \"Outbound\"\n ];\n let parser=(disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID in(\"File:500:1\", \"FileMalware:502:1\", \"FireAMP:125:1\")\n | parse-kv AdditionalExtensions as (start: long) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n EventMessage = iff(DeviceEventClassID == 
\"FireAMP:125:1\", DeviceCustomString5, \"\"),\n ThreatName = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString2, \"\"),\n Disposition = case(\n DeviceEventClassID == \"FireAMP:125:1\",\n DeviceCustomString3,\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n DeviceCustomString2,\n \"\"\n ),\n AdditionalFields = todynamic(\n case(\n DeviceEventClassID == \"FireAMP:125:1\",\n bag_pack(\n \"policy\", DeviceCustomString1,\n \"process\", SourceProcessName,\n \"connectionInstance\", ProcessID,\n \"disposition\", DeviceCustomString3,\n \"event type id\", EventOutcome\n ),\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n bag_pack(\n \"connectionInstance\", ProcessID,\n \"signaturedata\", DeviceCustomString4,\n \"disposition\", DeviceCustomString2\n ),\n \"\"\n )\n )\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol)\n | lookup DirectionLookup on CommunicationDirection\n | lookup EventFieldsLookup on DeviceAction\n | extend\n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventSeverity = case(\n DvcAction == \"Allow\" and Disposition =~ \"Malware\",\n \"High\",\n DvcAction == \"Deny\" and Disposition =~ \"Malware\",\n \"Medium\",\n DvcAction == \"Deny\" and Disposition !~ \"Malware\",\n \"Low\",\n \"Informational\"\n ),\n EventOriginalType = case(\n DeviceEventClassID has \"File:500:1\",\n \"File Event\",\n DeviceEventClassID has \"FileMalware:502:1\",\n \"FileMalware Event\",\n Activity\n ),\n FileContentType = FileType,\n HttpContentType = FileType,\n FileSize = tolong(FileSize),\n ThreatCategory = iff(Disposition =~ \"Malware\", Disposition, \"\")\n | extend Ip_device = iff(DeviceName 
matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend \n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventVendor = DeviceVendor,\n EventProduct = DeviceProduct,\n EventProductVersion = DeviceVersion,\n DstPortNumber = DestinationPort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n FileSHA256 = FileHash,\n SrcPortNumber = SourcePort,\n EventOriginalSeverity = LogSeverity,\n EventOriginalUid = ExtID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n HttpUserAgent = RequestClientApplication\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n HashType = \"SHA256\",\n DvcIdType = \"Other\",\n NetworkProtocolVersion=case(DstIpAddr has \".\", \"IPv4\", DstIpAddr has \":\", \"IPv6\", \"\"),\n IpAddr = SrcIpAddr,\n Hash = FileSHA256,\n User = SrcUsername,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr)\n | project-away\n Source*,\n Destination*,\n Device*,\n start,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n FileID,\n FileModificationTime,\n Old*,\n FileCreateTime,\n FilePermission,\n IndicatorThreatType,\n MaliciousIP*,\n Message,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n 
SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n FilePath,\n FileType,\n Reason,\n ReceiptTime,\n ExternalID,\n ReportReferenceLink,\n Ip_*,\n host*,\n _ResourceId,\n NetworkProtocolNumber,\n Disposition,\n ThreatConfidence\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Cisco Firepower", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionCiscoFirepower", + "query": "let EventFieldsLookup = datatable(\n DeviceAction: string, \n DvcAction: string,\n EventResult: string\n )\n [\n \"Detect\", \"Allow\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Malware Cloud Lookup\", \"Deny\", \"Failure\",\n \"Malware Block\", \"Deny\", \"Failure\",\n \"Malware Allow List\", \"Allow\", \"Success\",\n \"Cloud Lookup Timeout\", \"Deny\", \"Failure\",\n \"Custom Detection\", \"Allow\", \"Partial\",\n \"Custom Detection Block\", \"Deny\", \"Failure\",\n \"Archive Block-Depth Exceeded\", \"Deny\", \"Failure\",\n \"Archive Block-Encrypted\", \"Encrypt\", \"Failure\",\n \"Archive Block-Failed to Inspect\", \"Deny\", \"Failure\"\n ];\n let DirectionLookup = datatable (CommunicationDirection: string, NetworkDirection: string)[\n \"1\", \"Inbound\",\n \"2\", \"Outbound\"\n ];\n let parser=(disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled) \n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID in(\"File:500:1\", \"FileMalware:502:1\", \"FireAMP:125:1\")\n | parse-kv AdditionalExtensions as (start: long) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n EventMessage = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString5, \"\"),\n ThreatName = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString2, \"\"),\n Disposition = case(\n DeviceEventClassID == \"FireAMP:125:1\",\n DeviceCustomString3,\n DeviceEventClassID in 
(\"File:500:1\", \"FileMalware:502:1\"),\n DeviceCustomString2,\n \"\"\n ),\n AdditionalFields = todynamic(\n case(\n DeviceEventClassID == \"FireAMP:125:1\",\n bag_pack(\n \"policy\", DeviceCustomString1,\n \"process\", SourceProcessName,\n \"connectionInstance\", ProcessID,\n \"disposition\", DeviceCustomString3,\n \"event type id\", EventOutcome\n ),\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n bag_pack(\n \"connectionInstance\", ProcessID,\n \"signaturedata\", DeviceCustomString4,\n \"disposition\", DeviceCustomString2\n ),\n \"\"\n )\n )\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol)\n | lookup DirectionLookup on CommunicationDirection\n | lookup EventFieldsLookup on DeviceAction\n | extend\n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventSeverity = case(\n DvcAction == \"Allow\" and Disposition =~ \"Malware\",\n \"High\",\n DvcAction == \"Deny\" and Disposition =~ \"Malware\",\n \"Medium\",\n DvcAction == \"Deny\" and Disposition !~ \"Malware\",\n \"Low\",\n \"Informational\"\n ),\n EventOriginalType = case(\n DeviceEventClassID has \"File:500:1\",\n \"File Event\",\n DeviceEventClassID has \"FileMalware:502:1\",\n \"FileMalware Event\",\n Activity\n ),\n FileContentType = FileType,\n HttpContentType = FileType,\n FileSize = tolong(FileSize),\n ThreatCategory = iff(Disposition =~ \"Malware\", Disposition, \"\")\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, 
Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend \n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventVendor = DeviceVendor,\n EventProduct = DeviceProduct,\n EventProductVersion = DeviceVersion,\n DstPortNumber = DestinationPort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n FileSHA256 = FileHash,\n SrcPortNumber = SourcePort,\n EventOriginalSeverity = LogSeverity,\n EventOriginalUid = ExtID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n HttpUserAgent = RequestClientApplication\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n HashType = \"SHA256\",\n DvcIdType = \"Other\",\n NetworkProtocolVersion=case(DstIpAddr has \".\", \"IPv4\", DstIpAddr has \":\", \"IPv6\", \"\"),\n IpAddr = SrcIpAddr,\n Hash = FileSHA256,\n User = SrcUsername,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr)\n | project-away\n Source*,\n Destination*,\n Device*,\n start,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n FileID,\n FileModificationTime,\n Old*,\n FileCreateTime,\n FilePermission,\n IndicatorThreatType,\n MaliciousIP*,\n Message,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n FilePath,\n FileType,\n Reason,\n ReceiptTime,\n ExternalID,\n ReportReferenceLink,\n Ip_*,\n host*,\n _ResourceId,\n NetworkProtocolNumber,\n Disposition,\n 
ThreatConfidence\n };\n parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoMeraki/ASimWebSessionCiscoMeraki.json b/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoMeraki/ASimWebSessionCiscoMeraki.json index 3493ec240ff..1d1d0829534 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoMeraki/ASimWebSessionCiscoMeraki.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionCiscoMeraki/ASimWebSessionCiscoMeraki.json 
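Review bot: `DvcIdType = "Other"` and `HashType = "SHA256"` are set unconditionally in the final `extend`, so rows where DeviceExternalID (renamed to DvcId) or FileHash (renamed to FileSHA256) is empty still carry a type label for a value that is not there; the Apache parser at the top of this page guards the equivalent field with `DvcIdType = iff (DvcId == "", "", "AzureResourceID")`. Suggested lines: `DvcIdType = iff(isempty(DvcId), "", "Other"),` and `HashType = iff(isempty(FileSHA256), "", "SHA256"),`. Separately, the dotted-quad regex used for `Ip_device` is unanchored, so a DeviceName that merely contains a four-number dotted substring would be treated as an IP and the hostname blanked; anchoring with `^...$` would make the intent explicit, though whether such names occur in this feed is not visible here.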
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionCiscoMeraki", - "query": "let ActionLookup = datatable (action: string, DvcAction: string, EventResult: string, EventSeverity: string) [\n 'allow', 'Allow', 'Success', 'Informational',\n 'log', 'Allow', 'Success', 'Informational',\n 'accept', 'Allow', 'Success', 'Informational',\n 'block', 'Deny', 'Failure', 'Low',\n 'deny', 'Deny', 'Failure', 'Low',\n 'quarantine', 'Deny', 'Failure', 'Low'\n ];\n let parser=(disabled: bool=false) {\n let allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has \"urls\" or LogMessage has_all(\"security_event\", \"security_filtering_file_scanned\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType in (\"security_event\", \"urls\");\n let SecurityEventData = PreFilteredData\n | where LogType == \"security_event\"\n | parse Substring with LogSubType: string 
\" \" temp_RestMessage: string\n | where LogSubType == \"security_filtering_file_scanned\"\n | parse-kv Substring as (disposition: string, action: string, sha256: string, name: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with * \" sha256\" fsha256: string \" \"restmessage: string\n | extend\n disposition = trim('\"', disposition),\n action = trim('\"', action),\n sha256 = trim('\"', sha256),\n fsha256 = trim('\"', fsha256),\n name = trim('\"', name)\n | lookup ActionLookup on action;\n let UrlsData = PreFilteredData\n | where LogType == \"urls\"\n | parse Substring with * \"request:\" request: string \" \" urls: string;\n union SecurityEventData, UrlsData\n | parse-kv Substring as (src: string, dst: string, url: string, mac: string, agent: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n src = trim('\"', src),\n dst = trim('\"', dst)\n | parse src with * \"[\" temp_srcip: string \"]:\" temp_srcport: string\n | parse dst with * \"[\" temp_dstip: string \"]:\" temp_dstport: string\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(split(Epoch, \".\")[0]))\n | extend agent = trim(\"'\", agent)\n | extend\n agent= trim('\"', agent),\n mac = trim('\"', mac),\n url = trim('\"', url),\n urls = trim('\"', urls)\n | extend Url = coalesce(url, urls)\n | extend\n EventResult=case(\n LogType == \"urls\", \"Success\",\n isempty(EventResult), \"NA\",\n EventResult \n ),\n EventSeverity=case(\n DvcAction == \"Deny\" and disposition == \"malicious\",\n \"Medium\",\n DvcAction == \"Allow\" and disposition == \"malicious\",\n \"High\",\n isnotempty(EventSeverity), EventSeverity,\n \"Informational\"\n )\n | extend SrcIpAddr = iff(\n src has \".\",\n split(src, \":\")[0], \n coalesce(temp_srcip, src)\n )\n | extend SrcPortNumber = toint(\n iff (\n src has \".\",\n split(src, \":\")[1],\n temp_srcport\n )\n )\n | extend 
DstIpAddr = iff(\n dst has \".\",\n split(dst, \":\")[0], \n coalesce(temp_dstip, dst)\n )\n | extend DstPortNumber = toint(\n iff (\n dst has \".\",\n split(dst, \":\")[1],\n temp_dstport\n )\n )\n | extend\n EventType = \"HTTPsession\",\n HttpUserAgent = agent,\n HttpRequestMethod = request,\n FileSHA256 = coalesce(sha256, fsha256),\n FileName = name,\n DvcMacAddr = mac,\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId \n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\"\n | project-away\n LogMessage,\n Parser,\n LogType,\n LogSubType,\n Epoch,\n Device,\n src,\n dst,\n mac,\n url,\n urls,\n disposition,\n action,\n request,\n name,\n sha256,\n fsha256,\n agent,\n restmessage,\n temp*,\n Substring,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n parser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionCiscoMeraki", + "query": "let ActionLookup = datatable (action: string, DvcAction: string, EventResult: string, EventSeverity: string) [\n 'allow', 'Allow', 'Success', 'Informational',\n 'log', 'Allow', 'Success', 'Informational',\n 'accept', 'Allow', 'Success', 'Informational',\n 'block', 'Deny', 'Failure', 'Low',\n 'deny', 'Deny', 'Failure', 'Low',\n 'quarantine', 'Deny', 'Failure', 'Low'\n ];\n let parser=(disabled: bool=false) {\n let allData = union isfuzzy=true\n (\n meraki_CL\n | 
project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has \"urls\" or LogMessage has_all(\"security_event\", \"security_filtering_file_scanned\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType in (\"security_event\", \"urls\");\n let SecurityEventData = PreFilteredData\n | where LogType == \"security_event\"\n | parse Substring with LogSubType: string \" \" temp_RestMessage: string\n | where LogSubType == \"security_filtering_file_scanned\"\n | parse-kv Substring as (disposition: string, action: string, sha256: string, name: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with * \" sha256\" fsha256: string \" \"restmessage: string\n | extend\n disposition = trim('\"', disposition),\n action = trim('\"', action),\n sha256 = trim('\"', sha256),\n fsha256 = trim('\"', fsha256),\n name = trim('\"', name)\n | lookup ActionLookup on action;\n let UrlsData = PreFilteredData\n | where LogType == \"urls\"\n | parse Substring with * \"request:\" request: string \" \" urls: string;\n union SecurityEventData, UrlsData\n | parse-kv Substring as (src: string, dst: string, url: string, mac: string, agent: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n src = trim('\"', src),\n dst = trim('\"', dst)\n | parse src with * \"[\" temp_srcip: string \"]:\" temp_srcport: string\n | parse dst with * \"[\" temp_dstip: string \"]:\" temp_dstport: string\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(split(Epoch, \".\")[0]))\n | extend agent = trim(\"'\", 
agent)\n | extend\n agent= trim('\"', agent),\n mac = trim('\"', mac),\n url = trim('\"', url),\n urls = trim('\"', urls)\n | extend Url = coalesce(url, urls)\n | extend\n EventResult=case(\n LogType == \"urls\", \"Success\",\n isempty(EventResult), \"NA\",\n EventResult \n ),\n EventSeverity=case(\n DvcAction == \"Deny\" and disposition == \"malicious\",\n \"Medium\",\n DvcAction == \"Allow\" and disposition == \"malicious\",\n \"High\",\n isnotempty(EventSeverity), EventSeverity,\n \"Informational\"\n )\n | extend SrcIpAddr = iff(\n src has \".\",\n split(src, \":\")[0], \n coalesce(temp_srcip, src)\n )\n | extend SrcPortNumber = toint(\n iff (\n src has \".\",\n split(src, \":\")[1],\n temp_srcport\n )\n )\n | extend DstIpAddr = iff(\n dst has \".\",\n split(dst, \":\")[0], \n coalesce(temp_dstip, dst)\n )\n | extend DstPortNumber = toint(\n iff (\n dst has \".\",\n split(dst, \":\")[1],\n temp_dstport\n )\n )\n | extend\n EventType = \"HTTPsession\",\n HttpUserAgent = agent,\n HttpRequestMethod = request,\n FileSHA256 = coalesce(sha256, fsha256),\n FileName = name,\n DvcMacAddr = mac,\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId \n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\"\n | project-away\n LogMessage,\n Parser,\n LogType,\n LogSubType,\n Epoch,\n Device,\n src,\n dst,\n mac,\n url,\n urls,\n disposition,\n action,\n request,\n name,\n sha256,\n fsha256,\n agent,\n restmessage,\n temp*,\n Substring,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n 
parser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionCitrixNetScaler/ASimWebSessionCitrixNetScaler.json b/Parsers/ASimWebSession/ARM/ASimWebSessionCitrixNetScaler/ASimWebSessionCitrixNetScaler.json index bb4374f4254..d5d3d2e9c98 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionCitrixNetScaler/ASimWebSessionCitrixNetScaler.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionCitrixNetScaler/ASimWebSessionCitrixNetScaler.json 
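Review bot: `EventUid = _ResourceId` in the Cisco Meraki query assigns the identifier of the sending resource rather than a per-record identifier, so every row from the same source carries the same EventUid, which defeats deduplication and incident linking on that field; the NetScaler and F5 ASM parsers in this same diff use `EventUid = _ItemId`. Suggest `EventUid = _ItemId` here, leaving `_ResourceId` in the `project-away` list as it already is. Inferred: `_ResourceId` on Syslog and custom-log tables identifies the resource, not the record — confirm against the table schema before changing. Minor: the extraction regex `(\d+.\d+)` uses an unescaped `.`; `(\d+\.\d+)` matches only the intended epoch form.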
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionCitrixNetScaler')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionCitrixNetScaler", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Citrix NetScaler(Web App Firewall)", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionCitrixNetScaler", - "query": "let EventSeverityLookup = datatable (DeviceCustomString4: string, EventSeverity: string)\n[\n \"EMERGENCY\", \"High\",\n \"ALERT\", \"High\",\n \"CRITICAL\", \"High\",\n \"ERROR\", \"Medium\",\n \"WARNING\", \"Low\",\n \"NOTICE\", \"Low\",\n \"INFORMATIONAL\", \"Informational\",\n \"DEBUG\", \"Informational\",\n \"INFO\", \"Informationl\",\n \"WARN\", \"Low\",\n \"ERR\", \"Medium\"\n];\nlet EventFieldsLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"blocked\", \"Deny\", \"Failure\",\n \"not blocked\", \"Allow\", \"Success\",\n \"transformed\", \"Allow\", \"Success\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Citrix\" and DeviceProduct == \"NetScaler\"\n | where DeviceEventClassID == \"APPFW\" and Activity has_any (\"APPFW_STARTURL\", \"APPFW_XML_cross-site scripting\", \"APPFW_SAFECOMMERCE\", \"APPFW_SAFECOMMERCE_XFORM\", \"APPFW_SIGNATURE_MATCH\", \"APPFW_XML_ERR_NOT_WELLFORMED\", \"APPFW_FIELDCONSISTENCY\", \"APPFW_SQL\", \"APPFW_BUFFEROVERFLOW_URL\", \"APPFW_BUFFEROVERFLOW_COOKIE\", \"APPFW_cross-site scripting\", 
\"APPFW_FIELDFORMAT\", \"APPFW_REFERER_HEADER\", \"APPFW_XSS\")\n | parse-kv AdditionalExtensions as (method: string, geolocation: string, script: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | parse RequestURL with * \"://\" host: string \"/\" *\n | extend\n DeviceAction = trim(\"[*]+\", DeviceAction),\n Ip_host = iff(host matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", host, \"\"),\n Ip_computer = iff(Computer matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", Computer, \"\"),\n HttpHost = host\n | lookup EventFieldsLookup on DeviceAction\n | lookup EventSeverityLookup on DeviceCustomString4\n | extend\n host = iff(isempty(Ip_host), host, \"\"),\n Computer = iff(isempty(Ip_computer), Computer, \"\"),\n AdditionalFields = bag_pack(\n \"Script\", script,\n \"Event ID\", FieldDeviceCustomNumber1,\n \"HTTP Transaction ID\", FieldDeviceCustomNumber2,\n \"Profile Name\", DeviceCustomString1,\n \"PPE ID\", DeviceCustomString2,\n \"Signature Violation Category\", DeviceCustomString6\n )\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | invoke _ASIM_ResolveDstFQDN('host')\n | extend\n DstIpAddr = tostring(split(Ip_host, \":\")[0]),\n DstPortNumber = toint(split(Ip_host, \":\")[1]),\n DvcIpAddr = tostring(split(Ip_computer, \":\")[0])\n | extend \n DstHostname = coalesce(DstIpAddr, DstHostname)\n | extend\n EventProduct = \"NetScaler\",\n EventVendor = \"Citrix\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventUid = _ItemId,\n SrcIpAddr = SourceIP,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n EventOriginalSeverity = DeviceCustomString4,\n EventProductVersion = DeviceVersion,\n HttpRequestMethod = method,\n NetworkSessionId = DeviceCustomString3,\n SrcPortNumber = SourcePort,\n Url = RequestURL,\n EventOriginalType = DeviceEventClassID,\n 
EventOriginalSubType = Activity,\n SrcGeoCountry = geolocation\n | extend\n EventEndTime = EventStartTime,\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n Ip_*,\n LogSeverity,\n _ResourceId,\n host,\n script,\n ExtID\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Citrix NetScaler(Web App Firewall)", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionCitrixNetScaler", + "query": "let EventSeverityLookup = datatable (DeviceCustomString4: string, EventSeverity: string)\n[\n \"EMERGENCY\", \"High\",\n \"ALERT\", \"High\",\n \"CRITICAL\", \"High\",\n \"ERROR\", \"Medium\",\n \"WARNING\", \"Low\",\n \"NOTICE\", \"Low\",\n \"INFORMATIONAL\", \"Informational\",\n \"DEBUG\", \"Informational\",\n \"INFO\", \"Informationl\",\n \"WARN\", \"Low\",\n \"ERR\", \"Medium\"\n];\nlet EventFieldsLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"blocked\", \"Deny\", \"Failure\",\n \"not blocked\", \"Allow\", \"Success\",\n \"transformed\", \"Allow\", \"Success\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Citrix\" and DeviceProduct == \"NetScaler\"\n | where DeviceEventClassID == \"APPFW\" and Activity has_any (\"APPFW_STARTURL\", \"APPFW_XML_cross-site 
scripting\", \"APPFW_SAFECOMMERCE\", \"APPFW_SAFECOMMERCE_XFORM\", \"APPFW_SIGNATURE_MATCH\", \"APPFW_XML_ERR_NOT_WELLFORMED\", \"APPFW_FIELDCONSISTENCY\", \"APPFW_SQL\", \"APPFW_BUFFEROVERFLOW_URL\", \"APPFW_BUFFEROVERFLOW_COOKIE\", \"APPFW_cross-site scripting\", \"APPFW_FIELDFORMAT\", \"APPFW_REFERER_HEADER\", \"APPFW_XSS\")\n | parse-kv AdditionalExtensions as (method: string, geolocation: string, script: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | parse RequestURL with * \"://\" host: string \"/\" *\n | extend\n DeviceAction = trim(\"[*]+\", DeviceAction),\n Ip_host = iff(host matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", host, \"\"),\n Ip_computer = iff(Computer matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", Computer, \"\"),\n HttpHost = host\n | lookup EventFieldsLookup on DeviceAction\n | lookup EventSeverityLookup on DeviceCustomString4\n | extend\n host = iff(isempty(Ip_host), host, \"\"),\n Computer = iff(isempty(Ip_computer), Computer, \"\"),\n AdditionalFields = bag_pack(\n \"Script\", script,\n \"Event ID\", FieldDeviceCustomNumber1,\n \"HTTP Transaction ID\", FieldDeviceCustomNumber2,\n \"Profile Name\", DeviceCustomString1,\n \"PPE ID\", DeviceCustomString2,\n \"Signature Violation Category\", DeviceCustomString6\n )\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | invoke _ASIM_ResolveDstFQDN('host')\n | extend\n DstIpAddr = tostring(split(Ip_host, \":\")[0]),\n DstPortNumber = toint(split(Ip_host, \":\")[1]),\n DvcIpAddr = tostring(split(Ip_computer, \":\")[0])\n | extend \n DstHostname = coalesce(DstIpAddr, DstHostname)\n | extend\n EventProduct = \"NetScaler\",\n EventVendor = \"Citrix\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventUid = _ItemId,\n SrcIpAddr = SourceIP,\n DvcOriginalAction = DeviceAction,\n EventMessage 
= Message,\n EventOriginalSeverity = DeviceCustomString4,\n EventProductVersion = DeviceVersion,\n HttpRequestMethod = method,\n NetworkSessionId = DeviceCustomString3,\n SrcPortNumber = SourcePort,\n Url = RequestURL,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSubType = Activity,\n SrcGeoCountry = geolocation\n | extend\n EventEndTime = EventStartTime,\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n Ip_*,\n LogSeverity,\n _ResourceId,\n host,\n script,\n ExtID\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionF5ASM/ASimWebSessionF5ASM.json b/Parsers/ASimWebSession/ARM/ASimWebSessionF5ASM/ASimWebSessionF5ASM.json index 99b0c091136..ca3d27502b5 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionF5ASM/ASimWebSessionF5ASM.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionF5ASM/ASimWebSessionF5ASM.json 
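Review bot: The `EventSeverityLookup` table in the Citrix NetScaler query maps `"INFO"` to `"Informationl"` (typo), so events with that original severity are emitted with an EventSeverity outside the ASIM value set (Informational/Low/Medium/High) and are silently missed by any analytic rule or workbook filtering on `EventSeverity == "Informational"`; the row should read `"INFO", "Informational",`. The `lookup` on `DeviceCustomString4` is also an exact-case match, so a lowercase `info` from the device would fall through with an empty EventSeverity — presumably NetScaler emits uppercase, but worth confirming against sample data.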
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionF5ASM')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionF5ASM", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for F5 BIG-IP Application Security Manager (ASM)", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionF5ASM", - "query": "let DvcActionLookup = datatable (DeviceAction: string, DvcAction: string)\n[\n \"Blocked\", \"Deny\",\n \"blocked\", \"Deny\",\n \"Passed\", \"Allow\",\n \"passed\", \"Allow\",\n \"Alerted\", \"Deny\",\n \"alerted\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser=(disabled: bool=false) {\n let DeviceEventClassIDList = dynamic([\"Brute Force Attack\", \"IP Enforcer Attack\", \"Web Scraping Attack\", \"DoS Attack\"]);\n let AllData = CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"F5\" and DeviceProduct == \"ASM\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename DvcIpAddr = DeviceAddress;\n let GeneralEnforcementData = AllData\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or DeviceEventClassID == Activity) \n and DeviceEventClassID !in (DeviceEventClassIDList)\n | parse-kv DeviceCustomString3 as (Host: string, 
[\"User-Agent\"]: string, Cookie: string, Referer: string) with (pair_delimiter=\"\\\\r\\\\n\", kv_delimiter=\":\")\n | parse DeviceCustomString3 with * \"HTTP/\" HttpVersion: string \"\\\\r\\\\n\" rest: string\n | extend\n EventResultDetails = tostring(FieldDeviceCustomNumber1)\n | project-rename \n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n EventOriginalUid = ExtID,\n HttpRequestMethod = RequestMethod,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpCookie = Cookie,\n HttpHost = Host,\n HttpReferrer = Referer,\n HttpUserAgent = ['User-Agent'],\n HttpRequestXff = DeviceCustomString5\n | extend\n EventResult = iff(toint(EventResultDetails) >= 400 or DeviceAction =~ \"blocked\", \"Failure\", \"Success\"),\n HttpStatusCode = EventResultDetails,\n AdditionalFields = bag_pack(\n \"Full Request\", DeviceCustomString3, \n \"Policy Name\", DeviceCustomString1,\n \"Attack Type\", DeviceCustomString4,\n \"Policy Apply Date\", DeviceCustomDate1,\n \"Web Application Name\", DeviceCustomString2\n ),\n Dst = DstIpAddr;\n let AnomalyDetectionData = AllData\n | where DeviceEventClassID in (DeviceEventClassIDList)\n | extend\n EventResult = iff(DeviceAction =~ \"passed\", \"Success\", \"Failure\"),\n AdditionalFields = bag_pack(\n \"Detection Average\", FieldDeviceCustomNumber1,\n \"Dropped Requests\", FieldDeviceCustomNumber2,\n \"Attack Status\", DeviceCustomString4,\n \"Detection Mode\", DeviceCustomString5,\n \"Web Application Name\", DeviceCustomString2\n ),\n ThreatId = tostring(FieldDeviceCustomNumber3)\n | project-away ApplicationProtocol, ExtID;\n union GeneralEnforcementData, AnomalyDetectionData\n | lookup DvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = todatetime(ReceiptTime),\n EventOriginalType = iff(isempty(toint(DeviceEventClassID)), DeviceEventClassID, Activity)\n | extend\n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = 
\"HTTPsession\"\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n DvcOriginalAction = DeviceAction,\n Url = RequestURL,\n SrcIpAddr = SourceIP,\n SrcGeoCountry = DeviceCustomString6,\n SrcPortNumber = SourcePort,\n SrcUserId = SourceUserID,\n SrcUsername = SourceUserName,\n EventMessage = Message,\n EventProductVersion = DeviceVersion,\n RuleName = DeviceCustomString1\n | extend \n SrcUserIdType = iff(isnotempty(SrcUserId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n Rule = RuleName\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n IndicatorThreatType,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n ThreatConfidence,\n Reason,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n rest,\n _ResourceId\n};\nparser(disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for F5 BIG-IP Application Security Manager (ASM)", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionF5ASM", + "query": "let DvcActionLookup = datatable (DeviceAction: string, DvcAction: string)\n[\n \"Blocked\", \"Deny\",\n \"blocked\", \"Deny\",\n \"Passed\", \"Allow\",\n \"passed\", \"Allow\",\n \"Alerted\", \"Deny\",\n \"alerted\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: 
string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser=(disabled: bool=false) {\n let DeviceEventClassIDList = dynamic([\"Brute Force Attack\", \"IP Enforcer Attack\", \"Web Scraping Attack\", \"DoS Attack\"]);\n let AllData = CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"F5\" and DeviceProduct == \"ASM\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename DvcIpAddr = DeviceAddress;\n let GeneralEnforcementData = AllData\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or DeviceEventClassID == Activity) \n and DeviceEventClassID !in (DeviceEventClassIDList)\n | parse-kv DeviceCustomString3 as (Host: string, [\"User-Agent\"]: string, Cookie: string, Referer: string) with (pair_delimiter=\"\\\\r\\\\n\", kv_delimiter=\":\")\n | parse DeviceCustomString3 with * \"HTTP/\" HttpVersion: string \"\\\\r\\\\n\" rest: string\n | extend\n EventResultDetails = tostring(FieldDeviceCustomNumber1)\n | project-rename \n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n EventOriginalUid = ExtID,\n HttpRequestMethod = RequestMethod,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpCookie = Cookie,\n HttpHost = Host,\n HttpReferrer = Referer,\n HttpUserAgent = ['User-Agent'],\n HttpRequestXff = DeviceCustomString5\n | extend\n EventResult = iff(toint(EventResultDetails) >= 400 or DeviceAction =~ \"blocked\", \"Failure\", \"Success\"),\n HttpStatusCode = EventResultDetails,\n AdditionalFields = bag_pack(\n \"Full Request\", DeviceCustomString3, \n \"Policy Name\", DeviceCustomString1,\n \"Attack Type\", DeviceCustomString4,\n \"Policy Apply Date\", DeviceCustomDate1,\n \"Web Application Name\", DeviceCustomString2\n ),\n Dst = DstIpAddr;\n let AnomalyDetectionData = AllData\n | where DeviceEventClassID 
in (DeviceEventClassIDList)\n | extend\n EventResult = iff(DeviceAction =~ \"passed\", \"Success\", \"Failure\"),\n AdditionalFields = bag_pack(\n \"Detection Average\", FieldDeviceCustomNumber1,\n \"Dropped Requests\", FieldDeviceCustomNumber2,\n \"Attack Status\", DeviceCustomString4,\n \"Detection Mode\", DeviceCustomString5,\n \"Web Application Name\", DeviceCustomString2\n ),\n ThreatId = tostring(FieldDeviceCustomNumber3)\n | project-away ApplicationProtocol, ExtID;\n union GeneralEnforcementData, AnomalyDetectionData\n | lookup DvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = todatetime(ReceiptTime),\n EventOriginalType = iff(isempty(toint(DeviceEventClassID)), DeviceEventClassID, Activity)\n | extend\n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n DvcOriginalAction = DeviceAction,\n Url = RequestURL,\n SrcIpAddr = SourceIP,\n SrcGeoCountry = DeviceCustomString6,\n SrcPortNumber = SourcePort,\n SrcUserId = SourceUserID,\n SrcUsername = SourceUserName,\n EventMessage = Message,\n EventProductVersion = DeviceVersion,\n RuleName = DeviceCustomString1\n | extend \n SrcUserIdType = iff(isnotempty(SrcUserId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n Rule = RuleName\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n IndicatorThreatType,\n MaliciousIP*,\n OriginalLogSeverity,\n 
Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n ThreatConfidence,\n Reason,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n rest,\n _ResourceId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionFortinetFortiGate/ASimWebSessionFortinetFortiGate.json b/Parsers/ASimWebSession/ARM/ASimWebSessionFortinetFortiGate/ASimWebSessionFortinetFortiGate.json index 28c18873cda..cac7468486c 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionFortinetFortiGate/ASimWebSessionFortinetFortiGate.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionFortinetFortiGate/ASimWebSessionFortinetFortiGate.json 
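Review bot: In the F5 ASM query the two branches disagree on how the `alerted` action is classified: `DvcActionLookup` maps `"Alerted"`/`"alerted"` to `"Deny"`, while `GeneralEnforcementData` computes `EventResult = iff(toint(EventResultDetails) >= 400 or DeviceAction =~ "blocked", "Failure", "Success")`, so an alerted request with a 2xx status is emitted as DvcAction=Deny together with EventResult=Success, and `AnomalyDetectionData` (`iff(DeviceAction =~ "passed", "Success", "Failure")`) emits Failure for the same action. If `alerted` denotes a violation that was logged but not blocked (presumably the alarm/transparent mode — confirm against the F5 CEF reference), the lookup rows should be `"Alerted", "Allow"` and `"alerted", "Allow"`, with the anomaly branch treating it as Success; otherwise the general branch's EventResult condition should also include `DeviceAction =~ "alerted"`. Either way, settle on one mapping so DvcAction and EventResult do not contradict each other for the same event.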
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionFortinetFortiGate", - "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\n[\n \"passthrough\",\"Allow\",\"Success\"\n , \"blocked\",\"Deny\",\"Failure\"\n];\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n[\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"High\", // Critical\n \"7\", \"Medium\", // Alert\n \"8\", \"High\" // Emergency\n];\nlet parser=(disabled:bool=false){\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" \n and DeviceProduct startswith \"Fortigate\"\n and Activity has_all ('webfilter', 'utm')\n | extend \n EventResultDetails = \"NA\"\n | lookup EventLookup on DeviceAction \n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, 
DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName\n | project-rename \n Url = RequestURL\n , UrlCategory = RequestContext\n , DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , DvcHostname = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n , DstHostname = DestinationHostName\n , SrcHostname = SourceHostName\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | extend \n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long,\n ['ad.referralurl']:string,\n ['ad.httpmethod']:string,\n ['ad.agent']:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\n | project-rename\n HttpReferrer = ['ad.referralurl'],\n HttpRequestMethod = ['ad.httpmethod'],\n HttpUserAgent = ['ad.agent'],\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = 
FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n RuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | parse AdditionalExtensions with * \"Method=\" temp_HttpRequestMethod \"|User-Agent=\" temp_HttpUserAgent \";\" *\n | extend \n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\n | project-away temp_*\n | extend \n EventCount = int(1)\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventType = \"HTTPsession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n , UserAgent = HttpUserAgent\n , Dvc = DvcHostname\n , User = SrcUsername\n , Hostname = DstHostname\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(RuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nparser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Fortinet FortiGate", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionFortinetFortiGate", + "query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\n[\n \"passthrough\",\"Allow\",\"Success\"\n , 
\"blocked\",\"Deny\",\"Failure\"\n];\n// -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\nlet SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n[\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"High\", // Critical\n \"7\", \"Medium\", // Alert\n \"8\", \"High\" // Emergency\n];\nlet parser=(disabled:bool=false){\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" \n and DeviceProduct startswith \"Fortigate\"\n and Activity has_all ('webfilter', 'utm')\n | extend \n EventResultDetails = \"NA\"\n | lookup EventLookup on DeviceAction \n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName\n | project-rename \n Url = RequestURL\n , UrlCategory = RequestContext\n , DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , DvcHostname = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n , DstHostname = DestinationHostName\n , SrcHostname = SourceHostName\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | 
extend \n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n , SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long,\n ['ad.referralurl']:string,\n ['ad.httpmethod']:string,\n ['ad.agent']:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\n | project-rename\n HttpReferrer = ['ad.referralurl'],\n HttpRequestMethod = ['ad.httpmethod'],\n HttpUserAgent = ['ad.agent'],\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n RuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | parse AdditionalExtensions with * \"Method=\" temp_HttpRequestMethod \"|User-Agent=\" temp_HttpUserAgent \";\" *\n | extend \n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\n | project-away temp_*\n | extend \n EventCount = int(1)\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventType = \"HTTPsession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , 
EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n , UserAgent = HttpUserAgent\n , Dvc = DvcHostname\n , User = SrcUsername\n , Hostname = DstHostname\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(RuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionIIS/ASimWebSessionIIS.json b/Parsers/ASimWebSession/ARM/ASimWebSessionIIS/ASimWebSessionIIS.json index e0aac9ac627..9370d9722a1 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionIIS/ASimWebSessionIIS.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionIIS/ASimWebSessionIIS.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionIIS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionIIS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Windows IIS logs", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionIIS", - "query": "let parser = (disabled: bool = false)\n {\n W3CIISLog\n | where not(disabled)\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\"),\n EventResultDetails = tostring(scStatus), \n csUriQuery = iff(csUriQuery == \"-\", \"\", csUriQuery),\n csUserName = iff(csUserName == \"-\", \"\", csUserName),\n HttpVersion = iff((csVersion has \"HTTP\"), split(csVersion, \"/\")[1], \"\"), // there is a limited chance that something connects over non-HTTP\n HttpHost = iff (sSiteName in (\"Default Web Site\", \"-\"), \"\", sSiteName)\n | project-rename \n HttpRequestMethod = csMethod,\n User = csUserName, //probably won't have this one often\n Dvc = Computer,\n Dst = sIP,\n Src = cIP,\n UserAgent = csUserAgent,\n ThreatCategory = IndicatorThreatType,\n SrcGeoCountry = RemoteIPCountry,\n SrcGeoLatitude = RemoteIPLatitude,\n SrcGeoLongitude = RemoteIPLongitude,\n ThreatOriginalConfidence = Confidence,\n ThreatIpAddr = MaliciousIP,\n EventReportUrl = ReportReferenceLink,\n EventUid = _ItemId,\n DvcId = _ResourceId\n | extend\n EventOriginalSeverity = tostring(Severity),\n ThreatIsActive = tobool(IsActive),\n ThreatFirstReportedTime = todatetime(FirstReportedDateTime),\n ThreatLastReportedTime = 
todatetime(LastReportedDateTime),\n SrcUsername = iff ( User == \"-\", \"\", User),\n HttpReferrer = iff ( csReferer == \"-\", \"\", csReferer),\n DvcIdType = \"AzureResourceId\"\n | project-away IsActive, FirstReportedDateTime, LastReportedDateTime, Severity, sSiteName\n | extend \n SrcUsernameType = _ASIM_GetUsernameType (SrcUsername),\n DstNatIpAddr = iff(csHost <> \"\", Dst, \"\"),\n EventType = 'WebServerSession', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'WebSession', \n EventProduct = 'IIS',\n DvcOs = 'Windows',\n EventCount = int(1),\n SrcIpAddr = Src,\n IpAddr = Src,\n HttpUserAgent = UserAgent,\n HttpStatusCode = tostring(EventResultDetails),\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 1ms)), // TimeTaken field is in Milliseconds \n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\n Url = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\n sPort = tostring(sPort),\n HttpHost = iff ( HttpHost == \"-\", \"\", HttpHost),\n csHost = iff ( csHost == \"-\", \"\", csHost), //remove empty values\n EventOriginalResultDetails = iff(scSubStatus <> \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\n | extend \n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\n | extend \n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\n | project-away ipv4_parts, ipv6_parts, host_parts \n | extend\n DstHostname = HttpHost,\n Hostname = HttpHost\n | extend \n ThreatField = case(\n ThreatIpAddr <> \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\n ,ThreatIpAddr <> \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\n ,\"\")\n | 
project-away \n AdditionalInformation,\n AzureDeploymentID,\n Date,\n Description,\n DvcOs,\n FileOffset,\n FileUri,\n MG, \n ManagementGroupName,\n Role*,\n sComputerName,\n SourceSystem,\n TLPLevel,\n TenantId,\n TimeTaken,\n Time,\n cs*,\n sPort,\n sc*,\n StorageAccount\n };\n parser (disabled=disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Windows IIS logs", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionIIS", + "query": "let parser = (disabled: bool = false)\n {\n W3CIISLog\n | where not(disabled)\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\"),\n EventResultDetails = tostring(scStatus), \n csUriQuery = iff(csUriQuery == \"-\", \"\", csUriQuery),\n csUserName = iff(csUserName == \"-\", \"\", csUserName),\n HttpVersion = iff((csVersion has \"HTTP\"), split(csVersion, \"/\")[1], \"\"), // there is a limited chance that something connects over non-HTTP\n HttpHost = iff (sSiteName in (\"Default Web Site\", \"-\"), \"\", sSiteName)\n | project-rename \n HttpRequestMethod = csMethod,\n User = csUserName, //probably won't have this one often\n Dvc = Computer,\n Dst = sIP,\n Src = cIP,\n UserAgent = csUserAgent,\n ThreatCategory = IndicatorThreatType,\n SrcGeoCountry = RemoteIPCountry,\n SrcGeoLatitude = RemoteIPLatitude,\n SrcGeoLongitude = RemoteIPLongitude,\n ThreatOriginalConfidence = Confidence,\n ThreatIpAddr = MaliciousIP,\n EventReportUrl = ReportReferenceLink,\n EventUid = _ItemId,\n DvcId = _ResourceId\n | extend\n EventOriginalSeverity = tostring(Severity),\n ThreatIsActive = tobool(IsActive),\n ThreatFirstReportedTime = todatetime(FirstReportedDateTime),\n ThreatLastReportedTime = todatetime(LastReportedDateTime),\n SrcUsername = iff ( User == \"-\", \"\", User),\n HttpReferrer = iff ( csReferer == \"-\", \"\", csReferer),\n DvcIdType = \"AzureResourceId\"\n | project-away IsActive, 
FirstReportedDateTime, LastReportedDateTime, Severity, sSiteName\n | extend \n SrcUsernameType = _ASIM_GetUsernameType (SrcUsername),\n DstNatIpAddr = iff(csHost <> \"\", Dst, \"\"),\n EventType = 'WebServerSession', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'WebSession', \n EventProduct = 'IIS',\n DvcOs = 'Windows',\n EventCount = int(1),\n SrcIpAddr = Src,\n IpAddr = Src,\n HttpUserAgent = UserAgent,\n HttpStatusCode = tostring(EventResultDetails),\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 1ms)), // TimeTaken field is in Milliseconds \n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\n Url = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\n sPort = tostring(sPort),\n HttpHost = iff ( HttpHost == \"-\", \"\", HttpHost),\n csHost = iff ( csHost == \"-\", \"\", csHost), //remove empty values\n EventOriginalResultDetails = iff(scSubStatus <> \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\n | extend \n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\n | extend \n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\n | project-away ipv4_parts, ipv6_parts, host_parts \n | extend\n DstHostname = HttpHost,\n Hostname = HttpHost\n | extend \n ThreatField = case(\n ThreatIpAddr <> \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\n ,ThreatIpAddr <> \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\n ,\"\")\n | project-away \n AdditionalInformation,\n AzureDeploymentID,\n Date,\n Description,\n DvcOs,\n FileOffset,\n FileUri,\n MG, \n ManagementGroupName,\n Role*,\n sComputerName,\n SourceSystem,\n TLPLevel,\n 
TenantId,\n TimeTaken,\n Time,\n cs*,\n sPort,\n sc*,\n StorageAccount\n };\n parser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionNative/ASimWebSessionNative.json b/Parsers/ASimWebSession/ARM/ASimWebSessionNative/ASimWebSessionNative.json index 23583d10f0d..95830e320a8 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionNative/ASimWebSessionNative.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionNative/ASimWebSessionNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Microsoft Sentinel native Network Session table", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionNative", - "query": "let parser=(disabled:bool=false) \n{\n ASimWebSessionLogs | where not(disabled)\n // \n // -- Schema fixed\n | extend\n FileSize = tolong(FileSize)\n //\n // -- Log Analytics global fields renaming\n | project-rename\n EventUid = _ItemId,\n DvcScopeId = _SubscriptionId\n //\n // -- ASIM Global fields\n | extend \n EventSchema = \"WebSession\"\n | extend\n //\n // -- Default values\n EventEndTime = coalesce (EventEndTime, TimeGenerated),\n EventStartTime = coalesce (EventStartTime, TimeGenerated),\n //\n // -- Multi-source aliases\n Dvc = iff (EventType == 'HTTPSession',\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DstFQDN, DstHostname, DvcIpAddr, DstIpAddr, DvcId, DstDvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n //\n // -- Aliases which depend on EventType\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), 
SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n //\n // -- Simple aliases\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent\n // --\n // -- Aliased fields not implemented in ASimWebSessionLogs yet \n //InnerVlanId = SrcVlanId,\n //OuterVlanId = DstVlanId,\n //DvcInterface = coalesce(DvcInterface, DvcInboundInterface, DvcOutboundInterface), \n | project-away\n TenantId, SourceSystem, _ResourceId\n};\nparser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Microsoft Sentinel native Network Session table", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionNative", + "query": "let parser=(disabled:bool=false) \n{\n ASimWebSessionLogs | where not(disabled)\n // \n // -- Schema fixed\n | extend\n FileSize = tolong(FileSize)\n //\n // -- Log Analytics global fields renaming\n | project-rename\n EventUid = _ItemId,\n DvcScopeId = _SubscriptionId\n //\n // -- ASIM Global fields\n | extend \n EventSchema = \"WebSession\"\n | extend\n //\n // -- Default values\n EventEndTime = coalesce (EventEndTime, TimeGenerated),\n EventStartTime = coalesce (EventStartTime, TimeGenerated),\n //\n // -- Multi-source aliases\n Dvc = iff (EventType == 'HTTPSession',\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DstFQDN, DstHostname, DvcIpAddr, DstIpAddr, DvcId, DstDvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n //\n // -- Aliases which depend on EventType\n 
Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n //\n // -- Simple aliases\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent\n // --\n // -- Aliased fields not implemented in ASimWebSessionLogs yet \n //InnerVlanId = SrcVlanId,\n //OuterVlanId = DstVlanId,\n //DvcInterface = coalesce(DvcInterface, DvcInboundInterface, DvcOutboundInterface), \n | project-away\n TenantId, SourceSystem, _ResourceId\n};\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCEF/ASimWebSessionPaloAltoCEF.json b/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCEF/ASimWebSessionPaloAltoCEF.json index dea480c4233..3b08ecb73b0 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCEF/ASimWebSessionPaloAltoCEF.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCEF/ASimWebSessionPaloAltoCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionPaloAltoCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionPaloAltoCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Palo Alto Networks URL Filtering", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionPaloAltoCEF", - "query": "let parser=(disabled:bool=false){\n let EventLookup=datatable(DeviceAction:string, DvcAction:string,EventResult:string,HttpStatusCode:string)\n [\n \"alert\", \"Allow\", \"Success\",\"200\"\n , \"allow\", \"Allow\", \"Success\", \"200\"\n , \"continue\", \"Allow\", \"Success\", \"200\"\n , \"override\", \"Allow\", \"Success\", \"200\"\n , \"block-continue\", \"Allow\", \"Partial\", \"200\"\n , \"block-url\", \"Deny\", \"Failure\", \"503\"\n , \"block-override\", \"Deny\", \"Failure\", \"302\"\n , \"override-lockout\", \"Deny\", \"Failure\",\"503\"\n , \"reset client\", \"Reset Source\", \"Failure\", \"503\"\n , \"reset server\", \"Reset Destination\", \"Failure\", \"503\"\n , \"reset both\", \"Reset\", \"Failure\", \"503\"\n , \"deny\", \"Deny\", \"Failure\", \"503\"\n , \"drop\", \"Drop\", \"Failure\", \"503\"\n , \"drop ICMP\", \"Drop ICMP\", \"Failure\", \"503\"\n ];\n let SeverityLookup=datatable(LogSeverity:string,EventSeverity:string)\n [ 1, \"Informational\" \n , 2, \"Low\" \n , 3, \"Medium\"\n , 4, \"Medium\" \n , 5, \"High\"\n ];\n CommonSecurityLog\n | where DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and Activity == \"THREAT\"\n 
and DeviceEventClassID == \"url\"\n | parse-kv AdditionalExtensions as (PanOSXForwarderfor:string, PanXFFIP:string, PanOSReferer:string, PanOSRuleUUID:string, PanSrcHostname:string, PanSrcMac:string, PanSrcDeviceCat:string, PanSrcDAG:string, PanOSSrcUUID:string, PanSrcDeviceProf:string, PanSrcDeviceModel:string, PanSrcDeviceVendor:string, PanSrcDeviceOS:string, PanSrcDeviceOSv:string, PanDstHostname:string, PanDstMac:string, PanDstDeviceCat:string, PanDstDAG:string, PanOSDstUUID:string, PanDstDeviceProf:string, PanDstDeviceModel:string, PanDstDeviceVendor:string, PanDstDeviceOS:string, PanDstDeviceOSv:string) with (pair_delimiter=';', kv_delimiter='=')\n | extend \n HttpRequestXff = coalesce(PanOSXForwarderfor, PanXFFIP)\n | lookup EventLookup on DeviceAction\n | lookup SeverityLookup on LogSeverity\n | project-rename \n DvcHostname = Computer\n , HttpReferrer = PanOSReferer\n , DstMacAddr = PanDstMac\n , SrcMacAddr = PanSrcMac\n , DstHostname = PanDstHostname\n , SrcHostname = PanSrcHostname\n , Url = RequestURL\n , DvcId = DeviceExternalID\n , SrcZone = DeviceCustomString4\n , DstZone = DeviceCustomString5\n , UrlCategory = DeviceCustomString2\n , DvcOriginalAction = DeviceAction\n , EventUid = _ItemId\n , EventOriginalSeverity = LogSeverity\n , EventProductVersion = DeviceVersion\n , DvcInboundInterface = DeviceInboundInterface\n , DvcOutboundInterface = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n , NetworkRuleName = DeviceCustomString1\n , ThreatOriginalConfidence = ThreatConfidence\n , DstNatIpAddr = DestinationTranslatedAddress\n , DstNatPortNumber = DestinationTranslatedPort\n , SrcNatIpAddr = SourceTranslatedAddress\n , SrcNatPortNumber = SourceTranslatedPort\n , HttpUserAgent = RequestClientApplication\n | extend\n Dvc = DvcHostname\n , DvcIdType = \"Other\"\n , EventType = 
\"HTTPsession\"\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventVendor = \"Palo Alto\"\n , EventProduct = \"PanOS\"\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , HttpRequestMethod = toupper(RequestMethod)\n , EventResultDetails = \"NA\"\n , HttpContentFormat = RequestContext\n , DstFQDN = iif(Url contains \":\", split(tostring(split(trim('\"',Url),\"/\")[0]),\":\")[0],tostring(split(trim('\"',Url),\"/\")[0]))\n , DstDomainType = \"FQDN\"\n , Src = SrcIpAddr\n , SrcUsernameType = \"Windows\"\n , DstUsernameType = \"Windows\"\n , NetworkProtocolVersion = case(\n DstIpAddr contains \".\" , \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkDirection = case(\n FlexString2 == \"client-to-server\", \"Outbound\"\n , FlexString2 == \"server-to-client\", \"Inbound\"\n , \"\")\n , IpAddr = SrcIpAddr\n , NetworkProtocol = toupper(Protocol)\n , User = SrcUsername\n , Rule = NetworkRuleName\n , NetworkSessionId = tostring(DeviceCustomNumber1)\n , DvcInterface = DvcInboundInterface\n , Hostname = DstHostname\n , UserAgent = HttpUserAgent\n | extend \n SessionId = NetworkSessionId\n , ThreatField = case(\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\")\n , Dst = DstFQDN\n | extend \n ThreatIpAddr = case(\n ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\")\n | project DeviceVendor, Dst, DstDomainType, DstFQDN, DstHostname, DstIpAddr, DstMacAddr, DstNatIpAddr, DstNatPortNumber, DstPortNumber, DstUsername, DstUsernameType, DstZone, Dvc, DvcAction, DvcHostname, DvcId, DvcIdType, DvcInboundInterface, DvcInterface, DvcOriginalAction, DvcOutboundInterface, EventCount, EventEndTime, EventOriginalSeverity, EventProduct, EventProductVersion, EventResult, EventResultDetails, EventSchema, EventSchemaVersion, EventSeverity, 
EventStartTime, EventType, EventUid, EventVendor, Hostname, HttpContentFormat, HttpRequestMethod, HttpRequestXff, HttpStatusCode, IpAddr, NetworkDirection, NetworkProtocol, NetworkProtocolVersion, NetworkRuleName, NetworkSessionId, Protocol, RequestContext, RequestMethod, Rule, SessionId, Src, SrcHostname, SrcIpAddr, SrcMacAddr, SrcNatIpAddr, SrcNatPortNumber, SrcPortNumber, SrcUsername, SrcUsernameType, SrcZone, ThreatField, ThreatIpAddr, ThreatOriginalConfidence, TimeGenerated, Type, Url, UrlCategory, User, HttpUserAgent, UserAgent\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Palo Alto Networks URL Filtering", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionPaloAltoCEF", + "query": "let parser=(disabled:bool=false){\n let EventLookup=datatable(DeviceAction:string, DvcAction:string,EventResult:string,HttpStatusCode:string)\n [\n \"alert\", \"Allow\", \"Success\",\"200\"\n , \"allow\", \"Allow\", \"Success\", \"200\"\n , \"continue\", \"Allow\", \"Success\", \"200\"\n , \"override\", \"Allow\", \"Success\", \"200\"\n , \"block-continue\", \"Allow\", \"Partial\", \"200\"\n , \"block-url\", \"Deny\", \"Failure\", \"503\"\n , \"block-override\", \"Deny\", \"Failure\", \"302\"\n , \"override-lockout\", \"Deny\", \"Failure\",\"503\"\n , \"reset client\", \"Reset Source\", \"Failure\", \"503\"\n , \"reset server\", \"Reset Destination\", \"Failure\", \"503\"\n , \"reset both\", \"Reset\", \"Failure\", \"503\"\n , \"deny\", \"Deny\", \"Failure\", \"503\"\n , \"drop\", \"Drop\", \"Failure\", \"503\"\n , \"drop ICMP\", \"Drop ICMP\", \"Failure\", \"503\"\n ];\n let SeverityLookup=datatable(LogSeverity:string,EventSeverity:string)\n [ 1, \"Informational\" \n , 2, \"Low\" \n , 3, \"Medium\"\n , 4, \"Medium\" \n , 5, \"High\"\n ];\n CommonSecurityLog\n | where DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and 
Activity == \"THREAT\"\n and DeviceEventClassID == \"url\"\n | parse-kv AdditionalExtensions as (PanOSXForwarderfor:string, PanXFFIP:string, PanOSReferer:string, PanOSRuleUUID:string, PanSrcHostname:string, PanSrcMac:string, PanSrcDeviceCat:string, PanSrcDAG:string, PanOSSrcUUID:string, PanSrcDeviceProf:string, PanSrcDeviceModel:string, PanSrcDeviceVendor:string, PanSrcDeviceOS:string, PanSrcDeviceOSv:string, PanDstHostname:string, PanDstMac:string, PanDstDeviceCat:string, PanDstDAG:string, PanOSDstUUID:string, PanDstDeviceProf:string, PanDstDeviceModel:string, PanDstDeviceVendor:string, PanDstDeviceOS:string, PanDstDeviceOSv:string) with (pair_delimiter=';', kv_delimiter='=')\n | extend \n HttpRequestXff = coalesce(PanOSXForwarderfor, PanXFFIP)\n | lookup EventLookup on DeviceAction\n | lookup SeverityLookup on LogSeverity\n | project-rename \n DvcHostname = Computer\n , HttpReferrer = PanOSReferer\n , DstMacAddr = PanDstMac\n , SrcMacAddr = PanSrcMac\n , DstHostname = PanDstHostname\n , SrcHostname = PanSrcHostname\n , Url = RequestURL\n , DvcId = DeviceExternalID\n , SrcZone = DeviceCustomString4\n , DstZone = DeviceCustomString5\n , UrlCategory = DeviceCustomString2\n , DvcOriginalAction = DeviceAction\n , EventUid = _ItemId\n , EventOriginalSeverity = LogSeverity\n , EventProductVersion = DeviceVersion\n , DvcInboundInterface = DeviceInboundInterface\n , DvcOutboundInterface = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n , NetworkRuleName = DeviceCustomString1\n , ThreatOriginalConfidence = ThreatConfidence\n , DstNatIpAddr = DestinationTranslatedAddress\n , DstNatPortNumber = DestinationTranslatedPort\n , SrcNatIpAddr = SourceTranslatedAddress\n , SrcNatPortNumber = SourceTranslatedPort\n , HttpUserAgent = RequestClientApplication\n | extend\n Dvc = DvcHostname\n , DvcIdType = \"Other\"\n 
, EventType = \"HTTPsession\"\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventVendor = \"Palo Alto\"\n , EventProduct = \"PanOS\"\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , HttpRequestMethod = toupper(RequestMethod)\n , EventResultDetails = \"NA\"\n , HttpContentFormat = RequestContext\n , DstFQDN = iif(Url contains \":\", split(tostring(split(trim('\"',Url),\"/\")[0]),\":\")[0],tostring(split(trim('\"',Url),\"/\")[0]))\n , DstDomainType = \"FQDN\"\n , Src = SrcIpAddr\n , SrcUsernameType = \"Windows\"\n , DstUsernameType = \"Windows\"\n , NetworkProtocolVersion = case(\n DstIpAddr contains \".\" , \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkDirection = case(\n FlexString2 == \"client-to-server\", \"Outbound\"\n , FlexString2 == \"server-to-client\", \"Inbound\"\n , \"\")\n , IpAddr = SrcIpAddr\n , NetworkProtocol = toupper(Protocol)\n , User = SrcUsername\n , Rule = NetworkRuleName\n , NetworkSessionId = tostring(DeviceCustomNumber1)\n , DvcInterface = DvcInboundInterface\n , Hostname = DstHostname\n , UserAgent = HttpUserAgent\n | extend \n SessionId = NetworkSessionId\n , ThreatField = case(\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\")\n , Dst = DstFQDN\n | extend \n ThreatIpAddr = case(\n ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\")\n | project DeviceVendor, Dst, DstDomainType, DstFQDN, DstHostname, DstIpAddr, DstMacAddr, DstNatIpAddr, DstNatPortNumber, DstPortNumber, DstUsername, DstUsernameType, DstZone, Dvc, DvcAction, DvcHostname, DvcId, DvcIdType, DvcInboundInterface, DvcInterface, DvcOriginalAction, DvcOutboundInterface, EventCount, EventEndTime, EventOriginalSeverity, EventProduct, EventProductVersion, EventResult, EventResultDetails, EventSchema, EventSchemaVersion, 
EventSeverity, EventStartTime, EventType, EventUid, EventVendor, Hostname, HttpContentFormat, HttpRequestMethod, HttpRequestXff, HttpStatusCode, IpAddr, NetworkDirection, NetworkProtocol, NetworkProtocolVersion, NetworkRuleName, NetworkSessionId, Protocol, RequestContext, RequestMethod, Rule, SessionId, Src, SrcHostname, SrcIpAddr, SrcMacAddr, SrcNatIpAddr, SrcNatPortNumber, SrcPortNumber, SrcUsername, SrcUsernameType, SrcZone, ThreatField, ThreatIpAddr, ThreatOriginalConfidence, TimeGenerated, Type, Url, UrlCategory, User, HttpUserAgent, UserAgent\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCortexDataLake/ASimWebSessionPaloAltoCortexDataLake.json b/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCortexDataLake/ASimWebSessionPaloAltoCortexDataLake.json index 2a3ddcae4f5..43cf95fd725 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCortexDataLake/ASimWebSessionPaloAltoCortexDataLake.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionPaloAltoCortexDataLake/ASimWebSessionPaloAltoCortexDataLake.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventLookup=datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"alert\", \"Allow\", \"Success\",\n \"continue\", \"Allow\", \"Success\",\n \"override\", \"Allow\", \"Success\",\n \"block-continue\", \"Allow\", \"Partial\",\n \"block-url\", \"Deny\", \"Failure\",\n \"block-override\", \"Deny\", \"Failure\",\n \"override-lockout\", \"Deny\", \"Failure\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"THREAT\" and Activity == \"url\"\n | parse-kv AdditionalExtensions as (PanOSDestinationUUID: string, 
PanOSDestinationLocation: string, PanOSDestinationDeviceMac: string, PanOSSourceUUID: string, PanOSSourceDeviceMac: string, PanOSReferer: string, PanOSIsClienttoServer: string, PanOSSourceDeviceHost: string, PanOSDestinationDeviceHost: string, start: string, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSApplicationTechnology: string, PanOSDestinationDeviceOS: string, PanOSDestinationDeviceOSFamily: string, PanOSDestinationDeviceOSVersion: string, PanOSHostID: string, PanOSHTTPHeaders: string, PanOSInlineMLVerdict: string, PanOSInboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsType: string, PanOSParentSessionID: string, PanOSContainerName: string, PanOSContainerNameSpace: string, PanOSHTTPRefererFQDN: string, PanOSHTTPRefererPort: string, PanOSHTTPRefererProtocol: string, PanOSHTTPRefererURLPath: string, PanOSRuleUUID: string, PanOSURLCategoryList: string, PanOSURLDomain: string, PanOSURLCounter: string, PanOSUsers: string, PanOSVendorSeverity: string, [\"PanOSX-Forwarded-For\"]: string, [\"PanOSX-Forwarded-ForIP\"]: string, PanOSIsSaaSApplication: string, PanOSLogSource: string, PanOSSourceLocation: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventLookup on DeviceAction\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(coalesce(start, ReceiptTime)),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n HttpRequestMethod = toupper(RequestMethod),\n NetworkProtocol = toupper(Protocol),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = 
coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"DirectionOfAttack\",\n FlexString2,\n \"VirtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSApplicationTechnology\",\n PanOSApplicationTechnology,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSHostID\",\n PanOSHostID,\n \"PanOSHTTPHeaders\",\n PanOSHTTPHeaders,\n \"PanOSInlineMLVerdict\",\n PanOSInlineMLVerdict,\n \"PanOSInboundInterfaceDetailsType\",\n PanOSInboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOSContainerName\",\n PanOSContainerName,\n \"PanOSContainerNameSpace\",\n PanOSContainerNameSpace,\n \"PanOSHTTPRefererFQDN\",\n PanOSHTTPRefererFQDN,\n \"PanOSHTTPRefererPort\",\n PanOSHTTPRefererPort,\n \"PanOSHTTPRefererProtocol\",\n PanOSHTTPRefererProtocol,\n \"PanOSHTTPRefererURLPath\",\n PanOSHTTPRefererURLPath,\n \"PanOSRuleUUID\",\n PanOSRuleUUID,\n \"PanOSURLCategoryList\",\n PanOSURLCategoryList,\n \"PanOSURLDomain\",\n PanOSURLDomain,\n \"PanOSURLCounter\",\n PanOSURLCounter,\n \"PanOSUsers\",\n PanOSUsers,\n \"PanOSVendorSeverity\",\n PanOSVendorSeverity,\n \"PanOSX-Forwarded-For\",\n [\"PanOSX-Forwarded-For\"],\n \"PanOSX-Forwarded-ForIP\",\n [\"PanOSX-Forwarded-ForIP\"],\n \"PanOSLogSource\",\n PanOSLogSource\n ),\n HttpContentType = RequestContext\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPortNumber = DestinationPort,\n 
DstUsername = DestinationUserName,\n DstZone = DeviceCustomString5,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n HttpContentFormat = RequestContext,\n HttpReferrer = PanOSReferer,\n RuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n Url = RequestURL,\n UrlCategory = DeviceCustomString2,\n EventOriginalSubType = Activity,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcInboundInterface = DeviceInboundInterface,\n DstUserId = DestinationUserID,\n SrcUserId = SourceUserID,\n HttpUserAgent = RequestClientApplication,\n SrcGeoCountry = PanOSSourceLocation,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dst = coalesce(DstFQDN, DstDvcId, DstHostname, DstIpAddr),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = coalesce(SrcFQDN, SrcDvcId, SrcHostname, SrcIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = RuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n DstUserType = _ASIM_GetUserType(DstUsername, DstUserId),\n User = SrcUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = 
iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n Protocol,\n ExternalID,\n Message,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventLookup=datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"alert\", 
\"Allow\", \"Success\",\n \"continue\", \"Allow\", \"Success\",\n \"override\", \"Allow\", \"Success\",\n \"block-continue\", \"Allow\", \"Partial\",\n \"block-url\", \"Deny\", \"Failure\",\n \"block-override\", \"Deny\", \"Failure\",\n \"override-lockout\", \"Deny\", \"Failure\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"THREAT\" and Activity == \"url\"\n | parse-kv AdditionalExtensions as (PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSDestinationDeviceMac: string, PanOSSourceUUID: string, PanOSSourceDeviceMac: string, PanOSReferer: string, PanOSIsClienttoServer: string, PanOSSourceDeviceHost: string, PanOSDestinationDeviceHost: string, start: string, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSApplicationTechnology: string, PanOSDestinationDeviceOS: string, PanOSDestinationDeviceOSFamily: string, PanOSDestinationDeviceOSVersion: string, PanOSHostID: string, PanOSHTTPHeaders: string, PanOSInlineMLVerdict: string, PanOSInboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsType: string, PanOSParentSessionID: string, PanOSContainerName: string, PanOSContainerNameSpace: string, PanOSHTTPRefererFQDN: string, PanOSHTTPRefererPort: string, PanOSHTTPRefererProtocol: string, PanOSHTTPRefererURLPath: string, PanOSRuleUUID: string, PanOSURLCategoryList: string, PanOSURLDomain: string, PanOSURLCounter: string, PanOSUsers: string, PanOSVendorSeverity: string, [\"PanOSX-Forwarded-For\"]: string, [\"PanOSX-Forwarded-ForIP\"]: string, PanOSIsSaaSApplication: string, PanOSLogSource: string, PanOSSourceLocation: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string) with 
(pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | lookup EventLookup on DeviceAction\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(coalesce(start, ReceiptTime)),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n HttpRequestMethod = toupper(RequestMethod),\n NetworkProtocol = toupper(Protocol),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"DirectionOfAttack\",\n FlexString2,\n \"VirtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSApplicationTechnology\",\n PanOSApplicationTechnology,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSHostID\",\n PanOSHostID,\n \"PanOSHTTPHeaders\",\n PanOSHTTPHeaders,\n \"PanOSInlineMLVerdict\",\n PanOSInlineMLVerdict,\n \"PanOSInboundInterfaceDetailsType\",\n PanOSInboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOSContainerName\",\n PanOSContainerName,\n \"PanOSContainerNameSpace\",\n PanOSContainerNameSpace,\n \"PanOSHTTPRefererFQDN\",\n PanOSHTTPRefererFQDN,\n \"PanOSHTTPRefererPort\",\n PanOSHTTPRefererPort,\n \"PanOSHTTPRefererProtocol\",\n PanOSHTTPRefererProtocol,\n \"PanOSHTTPRefererURLPath\",\n PanOSHTTPRefererURLPath,\n \"PanOSRuleUUID\",\n 
PanOSRuleUUID,\n \"PanOSURLCategoryList\",\n PanOSURLCategoryList,\n \"PanOSURLDomain\",\n PanOSURLDomain,\n \"PanOSURLCounter\",\n PanOSURLCounter,\n \"PanOSUsers\",\n PanOSUsers,\n \"PanOSVendorSeverity\",\n PanOSVendorSeverity,\n \"PanOSX-Forwarded-For\",\n [\"PanOSX-Forwarded-For\"],\n \"PanOSX-Forwarded-ForIP\",\n [\"PanOSX-Forwarded-ForIP\"],\n \"PanOSLogSource\",\n PanOSLogSource\n ),\n HttpContentType = RequestContext\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DstZone = DeviceCustomString5,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n HttpContentFormat = RequestContext,\n HttpReferrer = PanOSReferer,\n RuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n Url = RequestURL,\n UrlCategory = DeviceCustomString2,\n EventOriginalSubType = Activity,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcInboundInterface = DeviceInboundInterface,\n DstUserId = DestinationUserID,\n SrcUserId = SourceUserID,\n HttpUserAgent = RequestClientApplication,\n SrcGeoCountry = PanOSSourceLocation,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dst = coalesce(DstFQDN, DstDvcId, DstHostname, DstIpAddr),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = 
EventStartTime,\n Src = coalesce(SrcFQDN, SrcDvcId, SrcHostname, SrcIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = RuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n DstUserType = _ASIM_GetUserType(DstUsername, DstUserId),\n User = SrcUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n Protocol,\n ExternalID,\n Message,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n 
ThreatDescription,\n ThreatSeverity\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionSonicWallFirewall/ASimWebSessionSonicWallFirewall.json b/Parsers/ASimWebSession/ARM/ASimWebSessionSonicWallFirewall/ASimWebSessionSonicWallFirewall.json index 4276cd16a17..fb21d93a990 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionSonicWallFirewall/ASimWebSessionSonicWallFirewall.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionSonicWallFirewall/ASimWebSessionSonicWallFirewall.json 
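Review bot: With the `Microsoft.OperationalInsights/workspaces` parent resource gone, this template no longer creates or updates the workspace, so the deployment now fails if the workspace does not already exist; the `Workspace` parameter description (outside this hunk) should say so, e.g. `"description": "Name of an existing Log Analytics workspace; the template only adds a saved search to it."`. That is the right direction security-wise — the old shape declared the workspace itself with the `2017-03-15-preview` API, which needs `workspaces/write` and can rewrite workspace properties, whereas the flattened `workspaces/savedSearches` resource at `[concat(parameters('Workspace'), '/ASimWebSessionPaloAltoCortexDataLake')]` needs only the child write permission. `location` is kept on the child resource; if ARM ignores `location` on a `workspaces/savedSearches` proxy resource, `WorkspaceRegion` is now effectively unused and should be either dropped or documented as ignored — confirm against a deployment. These ARM files appear to be produced from the parser YAML by the conversion workflow, so the generator should emit this flattened form as well, or the next regeneration will revert to the nested layout.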
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionSonicWallFirewall')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionSonicWallFirewall", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for SonicWall firewalls", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionSonicWallFirewall", - "query": "let parser=(disabled:bool=false){\n let Actions=datatable(fw_action:string, DvcAction:string, EventSeverity:string)\n [ \"\\\"forward\\\"\", \"Allow\", \"Informational\"\n , \"\\\"mgmt\\\"\", \"Other\", \"Informational\"\n , \"\\\"NA\\\"\", \"Other\", \"Informational\"\n , \"\\\"drop\\\"\", \"Drop\", \"Low\"\n ];\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"SonicWall\"\n and DeviceEventClassID in (14, 97)\n and Protocol has_any(dynamic([\"udp/http\", \"tcp/http\", \"udp/https\", \"tcp/https\"]))\n | parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n SrcIpAddr = 
coalesce(SourceIP, srcV6)\n , DstIpAddr = coalesce(DestinationIP, dstV6)\n | where (isnotempty(SrcIpAddr) or isnotempty(DstIpAddr))\n and isnotempty(fw_action)\n | extend RequestURL_ = extract(@\"(?:[.*;]+?)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)(?:;fw_action)\", 1, AdditionalExtensions)\n | extend RequestURL_ = iif(RequestURL_ startswith \"snpt\" or RequestURL_ startswith \"dnpt\" or RequestURL_ startswith \"appid\" or RequestURL_ startswith \"appName\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), RequestURL_)\n | extend RequestURL_ = iif(RequestURL_ matches regex @\"^(.{2,6}=.{1,6})\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), iif(RequestURL_ matches regex @\"^\\w=\\d$\", \"\", RequestURL_))\n | extend RequestURL_ = iif(RequestURL_ has_any(dynamic([\"af_polid=\", \"ipscat=\", \"snpt=\", \"dnpt=\"])), \"\", RequestURL_)\n | extend RequestURL = iif(isnotempty(RequestURL), RequestURL, iif(RequestURL_ contains \"/\" and RequestURL_ contains \".\", RequestURL_, \"\"))\n | where isnotempty(RequestURL)\n | lookup Actions on fw_action\n | extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n | extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n | extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n | 
extend HttpRequestMethod = case(tolong(RequestMethod) == 0, \"\"\n , tolong(RequestMethod) == 1, \"GET\"\n , tolong(RequestMethod) == 2, \"POST\"\n , tolong(RequestMethod) == 3, \"HEAD\"\n , tolong(RequestMethod) == 4, \"PUT\"\n , tolong(RequestMethod) == 5, \"CONNECT\"\n , tolong(RequestMethod) == 6, \"\"\n , \"\"\n )\n | extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n | project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , Dvc = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Block Category ID and Name\n , RuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , SrcZone = DeviceCustomString3Label // Source Zone on Gen7. 
Src Zone Type on Gen6.\n , DstZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n , HttpUserAgent = RequestClientApplication\n , Url = RequestURL\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend EventOriginalSubType = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , DvcDescription = DeviceProduct\n , Rule = RuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature 
name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , HttpReferrer = extract(@'Referer: (.*)\\\"$', 1, coalesce(sosLogMsgNote, \"\"))\n , sosHttpRequestMethod_ = extract(@'Command: (.\\w+)', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"HTTPsession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventSchema = \"WebSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"\"\n , ASimMatchingIpAddr = \"-\"\n , UserAgent = HttpUserAgent\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n UrlCategory = sosCFSCategoryName\n , HttpRequestMethod = coalesce(HttpRequestMethod, sosHttpRequestMethod_)\n , HttpStatusCode = EventResultDetails\n , SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == 
\"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , User = SrcUsername\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n , SrcBytes = case(NetworkDirection == \"Outbound\", tolong(SentBytes)\n , NetworkDirection == \"Inbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone == \"WAN\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone != \"WAN\", tolong(SentBytes)\n , tolong(long(null))\n )\n , DstBytes = case(NetworkDirection == \"Outbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Inbound\", tolong(SentBytes)\n , NetworkDirection == \"Local\" 
and DstZone == \"WAN\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone != \"WAN\", tolong(ReceivedBytes)\n , tolong(long(null))\n )\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. 
Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"URLPathName\", sosURLPathName\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", 
sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n , \"UserSessionDuration\", sosUserSessionDuration\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , RequestURL_\n , ipspri\n , spypri\n , sos*\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nparser(disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for SonicWall firewalls", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionSonicWallFirewall", + "query": "let parser=(disabled:bool=false){\n let Actions=datatable(fw_action:string, DvcAction:string, EventSeverity:string)\n [ \"\\\"forward\\\"\", \"Allow\", \"Informational\"\n , \"\\\"mgmt\\\"\", \"Other\", \"Informational\"\n , \"\\\"NA\\\"\", \"Other\", \"Informational\"\n , \"\\\"drop\\\"\", \"Drop\", \"Low\"\n ];\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"SonicWall\"\n and 
DeviceEventClassID in (14, 97)\n and Protocol has_any(dynamic([\"udp/http\", \"tcp/http\", \"udp/https\", \"tcp/https\"]))\n | parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n SrcIpAddr = coalesce(SourceIP, srcV6)\n , DstIpAddr = coalesce(DestinationIP, dstV6)\n | where (isnotempty(SrcIpAddr) or isnotempty(DstIpAddr))\n and isnotempty(fw_action)\n | extend RequestURL_ = extract(@\"(?:[.*;]+?)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)(?:;fw_action)\", 1, AdditionalExtensions)\n | extend RequestURL_ = iif(RequestURL_ startswith \"snpt\" or RequestURL_ startswith \"dnpt\" or RequestURL_ startswith \"appid\" or RequestURL_ startswith \"appName\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), RequestURL_)\n | extend RequestURL_ = iif(RequestURL_ matches regex @\"^(.{2,6}=.{1,6})\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), iif(RequestURL_ matches regex @\"^\\w=\\d$\", \"\", RequestURL_))\n | extend RequestURL_ = iif(RequestURL_ has_any(dynamic([\"af_polid=\", \"ipscat=\", \"snpt=\", \"dnpt=\"])), \"\", RequestURL_)\n | extend RequestURL = iif(isnotempty(RequestURL), RequestURL, iif(RequestURL_ contains \"/\" and RequestURL_ contains \".\", RequestURL_, \"\"))\n | where isnotempty(RequestURL)\n | lookup Actions on fw_action\n | extend EventResult = case(DvcAction == \"Allow\", 
\"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n | extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n | extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n | extend HttpRequestMethod = case(tolong(RequestMethod) == 0, \"\"\n , tolong(RequestMethod) == 1, \"GET\"\n , tolong(RequestMethod) == 2, \"POST\"\n , tolong(RequestMethod) == 3, \"HEAD\"\n , tolong(RequestMethod) == 4, \"PUT\"\n , tolong(RequestMethod) == 5, \"CONNECT\"\n , tolong(RequestMethod) == 6, \"\"\n , \"\"\n )\n | extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n | project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , Dvc = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is 
enabled).\n , sosCFSFullString = Reason // CFS Block Category ID and Name\n , RuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , SrcZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , DstZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n , HttpUserAgent = RequestClientApplication\n , Url = RequestURL\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend 
EventOriginalSubType = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. (8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , DvcDescription = DeviceProduct\n , Rule = RuleName\n , 
NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , HttpReferrer = extract(@'Referer: (.*)\\\"$', 1, coalesce(sosLogMsgNote, \"\"))\n , sosHttpRequestMethod_ = extract(@'Command: (.\\w+)', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"HTTPsession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventSchema = \"WebSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , EventResultDetails = \"\"\n , ASimMatchingIpAddr = \"-\"\n , UserAgent = HttpUserAgent\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n UrlCategory = sosCFSCategoryName\n , HttpRequestMethod = coalesce(HttpRequestMethod, sosHttpRequestMethod_)\n , HttpStatusCode = EventResultDetails\n 
, SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , User = SrcUsername\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n , SrcBytes = case(NetworkDirection == \"Outbound\", tolong(SentBytes)\n , NetworkDirection == \"Inbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone == \"WAN\", 
tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone != \"WAN\", tolong(SentBytes)\n , tolong(long(null))\n )\n , DstBytes = case(NetworkDirection == \"Outbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Inbound\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone == \"WAN\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone != \"WAN\", tolong(ReceivedBytes)\n , tolong(long(null))\n )\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action\n , sosSourceIPv6Address = srcV6\n , sosDestinationIPv6Address = dstV6\n , sosAppFullString = appcat // The full \" -- \" string.\n , 
sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"URLPathName\", sosURLPathName\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", 
sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n , \"UserSessionDuration\", sosUserSessionDuration\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , RequestURL_\n , ipspri\n , spypri\n , sos*\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nparser(disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json b/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json index 0cafc2433b5..3aec2f4b054 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionSquidProxy/ASimWebSessionSquidProxy.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionSquidProxy')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionSquidProxy", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Squid Proxy", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionSquidProxy", - "query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n EventResultDetails = tostring(AccessRawLog[4]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. 
This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost\n};\nparser (disabled=disabled)\n", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Squid Proxy", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionSquidProxy", + "query": "let parser=(disabled:bool=false){\nSquidProxy_CL | where not(disabled)\n | extend AccessRawLog = 
extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9])), \n EventResultDetails = tostring(AccessRawLog[4]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\n // -- aliases\n | extend \n 
EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost\n};\nparser (disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionVectraAI/ASimWebSessionVectraAI.json b/Parsers/ASimWebSession/ARM/ASimWebSessionVectraAI/ASimWebSessionVectraAI.json index cc05f07fdfc..89eeb9599dc 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionVectraAI/ASimWebSessionVectraAI.json +++ b/Parsers/ASimWebSession/ARM/ASimWebSessionVectraAI/ASimWebSessionVectraAI.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Vectra AI streams", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionVectraAI", - "query": "let parser = (disabled: bool = false, pack:bool = false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)\n [\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n ];\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\n [\n 'ipv4', 'IPv4',\n 'ipv6', 'IPv6'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where metadata_type_s == 'metadata_httpsessioninfo'\n | extend EventResult = iff(tolong(status_code_d) >= 400, \"Failure\", \"Success\")\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DstIpAddr = id_resp_h_s,\n EventOriginalUid = uid_s,\n HttpContentType = resp_mime_types_s,\n HttpReferrer = referrer_s,\n HttpRequestMethod = method_s,\n HttpUserAgent = user_agent_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s,\n HttpResponseCacheControl = 
response_cache_control_s,\n HttpRequestCacheControl = request_cache_control_s,\n HttpCookie = cookie_s,\n HttpResponseExpires = response_expires_s,\n HttpIsProxied = is_proxied_b,\n EventOriginalResultDetails = status_msg_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResultDetails = tostring(toint(status_code_d)),\n HttpRequestBodyBytes = tolong(request_body_len_d),\n HttpResponseBodyBytes = tolong(response_body_len_d),\n HttpRequestHeaderCount = toint(request_header_count_d),\n HttpResponseHeaderCount = toint(response_header_count_d),\n EventSchema = 'WebSession',\n EventSchemaVersion='0.2.3',\n DvcIdType = 'VectraId',\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\n EventType = 'HTTPsession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n Url = strcat('http://', host_s, uri_s)\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n 
\"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | extend\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n Hostname = DstHostname,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcIpAddr,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n //SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n UserAgent = HttpUserAgent \n};\nparser (disabled=disabled, pack=pack)", - "version": 1, - "functionParameters": "disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Vectra AI streams", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionVectraAI", + "query": "let parser = (disabled: bool = false, pack:bool = false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)\n [\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n ];\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\n [\n 'ipv4', 'IPv4',\n 'ipv6', 'IPv6'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n VectraStream_CL\n | where metadata_type_s == 'metadata_httpsessioninfo'\n | extend EventResult = iff(tolong(status_code_d) >= 400, \"Failure\", \"Success\")\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n 
SrcDescription = orig_hostname_s,\n DstIpAddr = id_resp_h_s,\n EventOriginalUid = uid_s,\n HttpContentType = resp_mime_types_s,\n HttpReferrer = referrer_s,\n HttpRequestMethod = method_s,\n HttpUserAgent = user_agent_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s,\n HttpResponseCacheControl = response_cache_control_s,\n HttpRequestCacheControl = request_cache_control_s,\n HttpCookie = cookie_s,\n HttpResponseExpires = response_expires_s,\n HttpIsProxied = is_proxied_b,\n EventOriginalResultDetails = status_msg_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResultDetails = tostring(toint(status_code_d)),\n HttpRequestBodyBytes = tolong(request_body_len_d),\n HttpResponseBodyBytes = tolong(response_body_len_d),\n HttpRequestHeaderCount = toint(request_header_count_d),\n HttpResponseHeaderCount = toint(response_header_count_d),\n EventSchema = 'WebSession',\n EventSchemaVersion='0.2.3',\n DvcIdType = 'VectraId',\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\n EventType = 'HTTPsession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n 
SrcPortNumber = toint(id_orig_p_d),\n Url = strcat('http://', host_s, uri_s)\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | extend\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n Hostname = DstHostname,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcIpAddr,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n //SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n UserAgent = HttpUserAgent \n};\nparser (disabled=disabled, pack=pack)", + "version": 1, + "functionParameters": "disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json b/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json index cfcba2be16e..caa4a9f1cb3 100644 --- a/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json 
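Review bot: `Url = strcat('http://', host_s, uri_s)` in the query carried into the new savedSearches resource fixes the scheme to `http://` for every session, so Url does not reflect the actual scheme of TLS sessions and downstream URL matching (`url_has_any`) on `https://` prefixes will miss them. If the Vectra stream record carries no scheme field, make that explicit with a comment such as `// -- scheme is not available in the source record; http:// is assumed` next to the Url extend; if it does, derive the prefix from it instead. This file looks like a generated ARM template (the PR also touches the YAML-to-ARM workflow), so the change presumably belongs in the parser YAML rather than here.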
+++ b/Parsers/ASimWebSession/ARM/ASimWebSessionzScalerZIA/ASimWebSessionzScalerZIA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimWebSessionZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "ASimWebSessionZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Zscaler ZIA", - "category": "ASIM", - "FunctionAlias": "ASimWebSessionZscalerZIA", - "query": "let parser=(disabled:bool=false){\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6,\n EventOriginalSeverity = LogSeverity,\n EventMessage = 
Message\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Calculated fields\n| lookup DvcActionLookup on DeviceAction\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n DvcHostname = tostring(Computer),\n SrcBytes = tolong(SentBytes),\n DstBytes = tolong(ReceivedBytes),\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n EventSeverity = case 
(ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away DstFQDNparts\n| project-away AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, Activity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, urlclass, ruletype, DstHostnameNotAddr\n};\nparser (disabled)", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Zscaler ZIA", + "category": "ASIM", + "FunctionAlias": "ASimWebSessionZscalerZIA", + "query": "let parser=(disabled:bool=false){\nlet DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// Event fields\n| extend \n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = 
RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n// -- Calculated fields\n| lookup DvcActionLookup on DeviceAction\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n DvcHostname = tostring(Computer),\n SrcBytes = tolong(SentBytes),\n DstBytes = tolong(ReceivedBytes),\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", 
DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away DstFQDNparts\n| project-away AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, Activity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, urlclass, ruletype, DstHostnameNotAddr\n};\nparser (disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json b/Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json index 48ba0a4e598..d439f3d5a36 100644 --- a/Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json +++ b/Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/imWebSession')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imWebSession", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imWebSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n url_has_any:dynamic=dynamic([]), \n httpuseragent_has_any:dynamic=dynamic([]), \n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimWebSessionEmpty,\n vimWebSessionSquidProxy (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSquidProxy' in (DisabledParsers)))),\n vimWebSessionZscalerZIA (starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionZscalerZIA' in (DisabledParsers)))),\n vimWebSessionNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionNative' in (DisabledParsers)))),\n vimWebSessionVectraAI (pack=pack, starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionVectraAI' in (DisabledParsers)))),\n vimWebSessionIIS (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionIIS' in (DisabledParsers)))),\n vimWebSessionPaloAltoCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCEF' in (DisabledParsers)))),\n vimWebSessionApacheHTTPServer (starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionApacheHTTPServer' in (DisabledParsers)))),\n vimWebSessionFortinetFortiGate (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionFortinetFortiGate' in (DisabledParsers)))),\n vimWebSessionCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoMeraki' in (DisabledParsers)))),\n vimWebSessionBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaWAF' in (DisabledParsers)))),\n vimWebSessionBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaCEF' in (DisabledParsers)))),\n vimWebSessionCitrixNetScaler (starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCitrixNetScaler' in (DisabledParsers)))),\n vimWebSessionCiscoFirepower (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoFirepower' in (DisabledParsers))))\n ,\n vimWebSessionF5ASM (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionF5ASM' in (DisabledParsers)))),\n vimWebSessionPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCortexDataLake' in (DisabledParsers)))),\n vimWebSessionSonicWallFirewall (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSonicWallFirewall' in (DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',eventresultdetails_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imWebSession", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n url_has_any:dynamic=dynamic([]), \n httpuseragent_has_any:dynamic=dynamic([]), \n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimWebSessionEmpty,\n vimWebSessionSquidProxy (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSquidProxy' in 
(DisabledParsers)))),\n vimWebSessionZscalerZIA (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionZscalerZIA' in (DisabledParsers)))),\n vimWebSessionNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionNative' in (DisabledParsers)))),\n vimWebSessionVectraAI (pack=pack, starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionVectraAI' in (DisabledParsers)))),\n vimWebSessionIIS (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionIIS' in (DisabledParsers)))),\n vimWebSessionPaloAltoCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCEF' in (DisabledParsers)))),\n 
vimWebSessionApacheHTTPServer (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionApacheHTTPServer' in (DisabledParsers)))),\n vimWebSessionFortinetFortiGate (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionFortinetFortiGate' in (DisabledParsers)))),\n vimWebSessionCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoMeraki' in (DisabledParsers)))),\n vimWebSessionBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaWAF' in (DisabledParsers)))),\n vimWebSessionBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaCEF' in (DisabledParsers)))),\n 
vimWebSessionCitrixNetScaler (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCitrixNetScaler' in (DisabledParsers)))),\n vimWebSessionCiscoFirepower (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoFirepower' in (DisabledParsers))))\n ,\n vimWebSessionF5ASM (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionF5ASM' in (DisabledParsers)))),\n vimWebSessionPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCortexDataLake' in (DisabledParsers)))),\n vimWebSessionSonicWallFirewall (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSonicWallFirewall' in 
(DisabledParsers))))\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',eventresultdetails_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/vimWebSessionApacheHTTPServer.json b/Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/vimWebSessionApacheHTTPServer.json index cca9983f47d..5b578118fb9 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/vimWebSessionApacheHTTPServer.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionApacheHTTPServer/vimWebSessionApacheHTTPServer.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionApacheHTTPServer')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionApacheHTTPServer", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM Filtering parser for Apache HTTP Server", - "category": "ASIM", - "FunctionAlias": "vimWebSessionApacheHTTPServer", - "query": "let Parser=(\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n srcipaddr_has_any_prefix:dynamic = dynamic([]),\n ipaddr_has_any_prefix:dynamic = dynamic([]), \n url_has_any:dynamic = dynamic([]),\n httpuseragent_has_any:dynamic = dynamic([]),\n eventresultdetails_in:dynamic = dynamic([]),\n eventresult:string = '*',\n disabled:bool = false\n){\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = print_0 to typeof(string) on\n ( extend l = substring(l,indexof(l,@'//')+2))\n | project l\n };\n ApacheHTTPServer_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where (array_length(url_has_any) == 0 or RawData has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or RawData has_any (httpuseragent_has_any))\n | where (array_length(src_or_any) == 0 or RawData has_any (src_or_any))\n | where (array_length(eventresultdetails_in) == 0 or RawData has_any (eventresultdetails_in))\n | project 
RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\n | where not (RawData startswith \"[\") \n | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\n | parse RawData with * '] ' Temp'\"' *\n | where (array_length(url_has_any) == 0 or Temp has_any (remove_protocol_from_list(url_has_any)))\n | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\n | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\n | project-away RawData, Date, ClientIdentity, Temp\n | where (array_length(url_has_any) == 0 or Url has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any (httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) in (eventresultdetails_in))\n | extend \n temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_SrcMatch , \"SrcIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResult = iff (\n toint(EventResultDetails) < 400, \"Success\", \n \"Failure\"\n )\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend SrcUsername = case(SrcUsername == \"-\", \"\", SrcUsername),\n HttpReferrer = case(HttpReferrer == \"-\", \"\", HttpReferrer),\n HttpUserAgent = case(HttpUserAgent == \"-\", \"\", HttpUserAgent),\n DstHostname = case(DstHostname == \"-\", \"\", DstHostname) \n | extend SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\n | project-rename \n Dst = DstHostname,\n DvcHostname = Computer,\n DvcId = _ResourceId,\n EventUid = _ItemId\n | extend \n 
HttpVersion = tostring(split(Protocol,\"/\")[1]),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\")\n | extend \n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent,\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname,\n User = SrcUsername\n | project-away Protocol\n | extend\n EventType = \"WebServerSession\", \n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventCount = int(1),\n EventVendor = \"Apache\",\n EventProduct = \"HTTP Server\",\n EventSeverity = \"Informational\"\n};\nParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM Filtering parser for Apache HTTP Server", + "category": "ASIM", + "FunctionAlias": "vimWebSessionApacheHTTPServer", + "query": "let Parser=(\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n srcipaddr_has_any_prefix:dynamic = dynamic([]),\n ipaddr_has_any_prefix:dynamic = dynamic([]), \n url_has_any:dynamic = dynamic([]),\n httpuseragent_has_any:dynamic = dynamic([]),\n eventresultdetails_in:dynamic = dynamic([]),\n eventresult:string = '*',\n disabled:bool = false\n){\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = 
print_0 to typeof(string) on\n ( extend l = substring(l,indexof(l,@'//')+2))\n | project l\n };\n ApacheHTTPServer_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where (array_length(url_has_any) == 0 or RawData has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or RawData has_any (httpuseragent_has_any))\n | where (array_length(src_or_any) == 0 or RawData has_any (src_or_any))\n | where (array_length(eventresultdetails_in) == 0 or RawData has_any (eventresultdetails_in))\n | project RawData, TimeGenerated, Computer, _ResourceId, Type, _ItemId\n | where not (RawData startswith \"[\") \n | where RawData has_any (\"GET\", \"HEAD\", \"POST\", \"PUT\", \"DELETE\", \"CONNECT\", \"OPTIONS\", \"TRACE\", \"PATCH\")\n | parse RawData with * '] ' Temp'\"' *\n | where (array_length(url_has_any) == 0 or Temp has_any (remove_protocol_from_list(url_has_any)))\n | extend DstHostname = tostring(split(trim_end(\" \",Temp),\":\",0)[0])\n | parse RawData with SrcIpAddr \" \" ClientIdentity \" \" SrcUsername \" [\" Date ']' * '\"' HttpRequestMethod \" \" Url \" \" Protocol '\" ' EventResultDetails \" \" DstBytes:long ' \"' HttpReferrer '\" \"' HttpUserAgent '\"' *\n | project-away RawData, Date, ClientIdentity, Temp\n | where (array_length(url_has_any) == 0 or Url has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any (httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) in (eventresultdetails_in))\n | extend \n temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_SrcMatch , \"SrcIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResult = iff (\n toint(EventResultDetails) < 
400, \"Success\", \n \"Failure\"\n )\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend SrcUsername = case(SrcUsername == \"-\", \"\", SrcUsername),\n HttpReferrer = case(HttpReferrer == \"-\", \"\", HttpReferrer),\n HttpUserAgent = case(HttpUserAgent == \"-\", \"\", HttpUserAgent),\n DstHostname = case(DstHostname == \"-\", \"\", DstHostname) \n | extend SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | parse _ResourceId with * \"/subscriptions/\" DvcScopeId \"/\" *\n | project-rename \n Dst = DstHostname,\n DvcHostname = Computer,\n DvcId = _ResourceId,\n EventUid = _ItemId\n | extend \n HttpVersion = tostring(split(Protocol,\"/\")[1]),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\")\n | extend \n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent,\n IpAddr = SrcIpAddr,\n Dvc = DvcHostname,\n User = SrcUsername\n | project-away Protocol\n | extend\n EventType = \"WebServerSession\", \n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventCount = int(1),\n EventVendor = \"Apache\",\n EventProduct = \"HTTP Server\",\n EventSeverity = \"Informational\"\n};\nParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
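Review bot: The source-IP pre-filter in the new query, `| where (array_length(src_or_any) == 0 or RawData has_any (src_or_any))`, applies term matching to a list the parser itself later treats as IPv4 prefixes (`has_any_ipv4_prefix(SrcIpAddr, src_or_any)`), so a caller-supplied prefix such as `10.1.` does not match `10.1.2.3` inside the raw line and the row is discarded before the prefix-aware check runs — a filtering call by prefix silently returns fewer sessions than exist. The pre-filter should use the same prefix-aware function on the raw text: `| where (array_length(src_or_any) == 0 or has_any_ipv4_prefix(RawData, src_or_any))`. This ARM file appears to be generated from the parser YAML (the repository's convert workflow), so the fix belongs in the source `ParserQuery` rather than in this template.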
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json b/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json index 2211a5e921a..8ae9d65619a 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionBarracudaCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionBarracudaCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Barracuda CEF", - "category": "ASIM", - "FunctionAlias": "vimWebSessionBarracudaCEF", - "query": "let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor 
startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory in (\"WF\", \"TR\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventOutcome) has_any(eventresultdetails_in))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | lookup EventResultWFLookup on $left.DeviceAction == $right.Action_s\n | extend\n status_code = toint(EventOutcome)\n | extend EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 
399),\n \"Partial\",\n \"NA\"\n )\n | extend EventResult = iff(DeviceEventCategory == \"TR\", EventResult_TR, EventResult_WF)\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup EventTypeLookup on $left.DeviceEventCategory == $right.LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dst = DestinationIP,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DstBytes = tolong(ReceivedBytes),\n DstPortNumber = toint(coalesce(DestinationPort,FieldDeviceCustomNumber1)),\n HttpCookie = RequestCookies,\n HttpReferrer = RequestContext,\n HttpRequestBodyBytes = tolong(ReceivedBytes),\n HttpRequestMethod = RequestMethod,\n HttpResponseBodyBytes = tolong(SentBytes),\n NetworkDuration = toint(FlexNumber2),\n HttpUserAgent = RequestClientApplication,\n NetworkSessionId = SourceUserID,\n RuleName = iff(DeviceEventCategory == \"WF\", DeviceCustomString3, \"\"),\n SrcPortNumber = toint(SourcePort),\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n HttpResponseCacheControl = iff(\n FieldDeviceCustomNumber2 == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n iff(DeviceEventCategory == \"WF\", DeviceCustomString5, DeviceCustomString3),\n \"ProxyPort\",\n FieldDeviceCustomNumber3\n ),\n DvcHostname = DeviceName,\n DvcIpAddr = DeviceAddress,\n EventResultDetails = EventOutcome,\n HttpVersion = FlexString1,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = 
iff(isnotempty(DstUsername), \"Simple\", \"\"),\n EventEndTime = EventStartTime\n | extend\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n Rule = RuleName,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n EventResult_*,\n temp_*,\n status_code,\n EventType_lookup,\n TenantId,\n CollectorHostName;\n BarracudaCEF\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Barracuda CEF", + "category": "ASIM", + "FunctionAlias": "vimWebSessionBarracudaCEF", + "query": "let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, 
\"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory in (\"WF\", \"TR\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventOutcome) has_any(eventresultdetails_in))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where 
ASimMatchingIpAddr != \"No match\" \n | lookup EventResultWFLookup on $left.DeviceAction == $right.Action_s\n | extend\n status_code = toint(EventOutcome)\n | extend EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n )\n | extend EventResult = iff(DeviceEventCategory == \"TR\", EventResult_TR, EventResult_WF)\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup EventTypeLookup on $left.DeviceEventCategory == $right.LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dst = DestinationIP,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DstBytes = tolong(ReceivedBytes),\n DstPortNumber = toint(coalesce(DestinationPort,FieldDeviceCustomNumber1)),\n HttpCookie = RequestCookies,\n HttpReferrer = RequestContext,\n HttpRequestBodyBytes = tolong(ReceivedBytes),\n HttpRequestMethod = RequestMethod,\n HttpResponseBodyBytes = tolong(SentBytes),\n NetworkDuration = toint(FlexNumber2),\n HttpUserAgent = RequestClientApplication,\n NetworkSessionId = SourceUserID,\n RuleName = iff(DeviceEventCategory == \"WF\", DeviceCustomString3, \"\"),\n SrcPortNumber = toint(SourcePort),\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n HttpResponseCacheControl = iff(\n FieldDeviceCustomNumber2 == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n iff(DeviceEventCategory == \"WF\", DeviceCustomString5, DeviceCustomString3),\n \"ProxyPort\",\n FieldDeviceCustomNumber3\n ),\n DvcHostname = DeviceName,\n DvcIpAddr = DeviceAddress,\n EventResultDetails = EventOutcome,\n 
HttpVersion = FlexString1,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\"),\n EventEndTime = EventStartTime\n | extend\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n Rule = RuleName,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n EventResult_*,\n temp_*,\n status_code,\n EventType_lookup,\n TenantId,\n CollectorHostName;\n BarracudaCEF\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] 
-} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaWAF/vimWebSessionBarracudaWAF.json b/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaWAF/vimWebSessionBarracudaWAF.json index 4813869a62d..40b0f6bad29 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaWAF/vimWebSessionBarracudaWAF.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaWAF/vimWebSessionBarracudaWAF.json 
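Review bot: `EventStartTime` in the new query is computed solely from `ReceiptTime` (`unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2))`), so a CEF record whose `ReceiptTime` is empty or non-numeric yields a null `EventStartTime`, and because `EventEndTime = EventStartTime` and `ReceiptTime` is then projected away, the event loses both timestamps needed for correlation. Wrapping it as `EventStartTime = coalesce(iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))), TimeGenerated)` keeps a usable time in that case. The subtraction also assumes `FlexNumber2` is in milliseconds, which nothing in the template states; a one-line comment in the source YAML would help. Separately, `tostring(EventOutcome) has_any(eventresultdetails_in)` gives the `eventresultdetails_in` parameter term-match semantics, whereas the sibling Apache parser in this same change uses `in` for the same parameter; the two should agree. This file looks generated from the parser YAML, so the change belongs there.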
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionBarracudaWAF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimWebSessionBarracudaWAF", - "query": "let barracudaSchema = datatable(\n ServerIP_s: string,\n UnitName_s: string,\n HTTPStatus_s: string,\n Action_s: string,\n Severity_s: string,\n DeviceReceiptTime_s: string,\n LogType_s: string,\n ClientIP_s: string,\n host_s: string,\n HostIP_s: string,\n BytesReceived_d: real,\n ServerPort_d: real,\n Cookie_s: string,\n Referer_s: string,\n Method_s: string,\n BytesSent_d: real,\n SessionID_s: string,\n ClientPort_d: real,\n AuthenticatedUser_s: string,\n CertificateUser_s: string,\n UserAgent_s: string,\n URL_s: string,\n CacheHit_d: real,\n ProxyIP_s: string,\n ProxyPort_d: real,\n RuleType_s: string,\n ServiceIP_s: string,\n TimeTaken_d: real,\n ServicePort_d: real,\n ProtocolVersion_s: string,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n )[];\n let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n ];\n let EventResultWFLookup = datatable (\n 
Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n )\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n ];\n let EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n )\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n ];\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and (LogType_s in (\"WF\", \"TR\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or URL_s has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or UserAgent_s has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(HTTPStatus_s) has_any(eventresultdetails_in))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(ClientIP_s, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(ServerIP_s, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | lookup EventResultWFLookup on Action_s\n | extend\n status_code = toint(HTTPStatus_s)\n | extend EventResult_TR = case(\n status_code between (200 .. 
299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n )\n | extend EventResult = iff(LogType_s == \"TR\", EventResult_TR, EventResult_WF)\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup EventTypeLookup on LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dst = iff(LogType_s == \"WF\", ServiceIP_s, ServerIP_s),\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n DstIpAddr = ServerIP_s,\n SrcIpAddr = ClientIP_s,\n DstBytes = tolong(BytesReceived_d),\n DstPortNumber = toint(coalesce(ServerPort_d,ServicePort_d)),\n HttpCookie = Cookie_s,\n HttpReferrer = Referer_s,\n HttpRequestBodyBytes = tolong(BytesReceived_d),\n HttpRequestMethod = Method_s,\n HttpResponseBodyBytes = tolong(BytesSent_d),\n NetworkDuration = toint(TimeTaken_d),\n HttpUserAgent = UserAgent_s,\n NetworkSessionId = SessionID_s,\n RuleName = RuleType_s,\n SrcPortNumber = toint(ClientPort_d),\n SrcUsername = CertificateUser_s,\n Url = URL_s,\n HttpResponseCacheControl = iff(\n CacheHit_d == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n ProxyIP_s,\n \"ProxyPort\",\n ProxyPort_d\n ),\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n EventResultDetails = HTTPStatus_s,\n DstUsername = AuthenticatedUser_s,\n HttpVersion = ProtocolVersion_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\"),\n EventEndTime = EventStartTime\n | extend\n 
Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n Rule = RuleName,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n EventType_lookup,\n status_code,\n RawData,\n EventResult_*,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem,\n temp_*;\n BarracudaCustom\n };\n parser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "vimWebSessionBarracudaWAF", + "query": "let barracudaSchema = datatable(\n ServerIP_s: string,\n UnitName_s: string,\n HTTPStatus_s: string,\n Action_s: string,\n Severity_s: string,\n DeviceReceiptTime_s: string,\n LogType_s: string,\n ClientIP_s: string,\n host_s: string,\n HostIP_s: string,\n BytesReceived_d: real,\n ServerPort_d: real,\n Cookie_s: string,\n Referer_s: string,\n Method_s: string,\n BytesSent_d: real,\n SessionID_s: string,\n ClientPort_d: real,\n AuthenticatedUser_s: string,\n CertificateUser_s: string,\n UserAgent_s: string,\n URL_s: string,\n CacheHit_d: real,\n ProxyIP_s: string,\n ProxyPort_d: real,\n RuleType_s: string,\n ServiceIP_s: string,\n TimeTaken_d: real,\n 
ServicePort_d: real,\n ProtocolVersion_s: string,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n )[];\n let SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n ];\n let EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n )\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n ];\n let EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n )\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n ];\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) and (LogType_s in (\"WF\", \"TR\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or URL_s has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or UserAgent_s has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(HTTPStatus_s) has_any(eventresultdetails_in))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(ClientIP_s, 
src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(ServerIP_s, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | lookup EventResultWFLookup on Action_s\n | extend\n status_code = toint(HTTPStatus_s)\n | extend EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n )\n | extend EventResult = iff(LogType_s == \"TR\", EventResult_TR, EventResult_WF)\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup EventTypeLookup on LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dst = iff(LogType_s == \"WF\", ServiceIP_s, ServerIP_s),\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = UnitName_s,\n DstIpAddr = ServerIP_s,\n SrcIpAddr = ClientIP_s,\n DstBytes = tolong(BytesReceived_d),\n DstPortNumber = toint(coalesce(ServerPort_d,ServicePort_d)),\n HttpCookie = Cookie_s,\n HttpReferrer = Referer_s,\n HttpRequestBodyBytes = tolong(BytesReceived_d),\n HttpRequestMethod = Method_s,\n HttpResponseBodyBytes = tolong(BytesSent_d),\n NetworkDuration = toint(TimeTaken_d),\n HttpUserAgent = UserAgent_s,\n NetworkSessionId = SessionID_s,\n RuleName = RuleType_s,\n SrcPortNumber = toint(ClientPort_d),\n SrcUsername = CertificateUser_s,\n Url = URL_s,\n HttpResponseCacheControl = iff(\n CacheHit_d == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n ProxyIP_s,\n \"ProxyPort\",\n ProxyPort_d\n ),\n DvcHostname = host_s,\n DvcIpAddr = HostIP_s,\n 
EventResultDetails = HTTPStatus_s,\n DstUsername = AuthenticatedUser_s,\n HttpVersion = ProtocolVersion_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\"),\n EventEndTime = EventStartTime\n | extend\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n Rule = RuleName,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_d,\n *_s,\n _ResourceId,\n severity,\n EventType_lookup,\n status_code,\n RawData,\n EventResult_*,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem,\n temp_*;\n BarracudaCustom\n };\n parser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionCiscoFirepower/vimWebSessionCiscoFirepower.json b/Parsers/ASimWebSession/ARM/vimWebSessionCiscoFirepower/vimWebSessionCiscoFirepower.json index 53a435acc1d..26d07669339 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionCiscoFirepower/vimWebSessionCiscoFirepower.json 
+++ b/Parsers/ASimWebSession/ARM/vimWebSessionCiscoFirepower/vimWebSessionCiscoFirepower.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionCiscoFirepower')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionCiscoFirepower", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Cisco Firepower", - "category": "ASIM", - "FunctionAlias": "vimWebSessionCiscoFirepower", - "query": "let EventFieldsLookup = datatable(\n DeviceAction: string, \n DvcAction: string,\n EventResult: string\n)\n [\n \"Detect\", \"Allow\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Malware Cloud Lookup\", \"Deny\", \"Failure\",\n \"Malware Block\", \"Deny\", \"Failure\",\n \"Malware Allow List\", \"Allow\", \"Success\",\n \"Cloud Lookup Timeout\", \"Deny\", \"Failure\",\n \"Custom Detection\", \"Allow\", \"Partial\",\n \"Custom Detection Block\", \"Deny\", \"Failure\",\n \"Archive Block-Depth Exceeded\", \"Deny\", \"Failure\",\n \"Archive Block-Encrypted\", \"Encrypt\", \"Failure\",\n \"Archive Block-Failed to Inspect\", \"Deny\", \"Failure\"\n];\nlet DirectionLookup = datatable (CommunicationDirection: string, NetworkDirection: string)[\n \"1\", \"Inbound\",\n \"2\", \"Outbound\"\n];\nlet parser=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false) {\n let src_or_any = 
set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and DeviceEventClassID in(\"File:500:1\", \"FileMalware:502:1\", \"FireAMP:125:1\")\n and array_length(eventresultdetails_in) == 0\n and array_length(httpuseragent_has_any) == 0\n and ((array_length(url_has_any) == 0) or RequestURL has_any (url_has_any))\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | lookup EventFieldsLookup on DeviceAction\n | where eventresult == '*' or EventResult =~ eventresult\n | parse-kv AdditionalExtensions as (start: long) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n EventMessage = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString5, \"\"),\n ThreatName = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString2, \"\"),\n Disposition = case(\n DeviceEventClassID == \"FireAMP:125:1\",\n DeviceCustomString3,\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n DeviceCustomString2,\n \"\"\n ),\n AdditionalFields = todynamic(\n case(\n DeviceEventClassID == \"FireAMP:125:1\",\n bag_pack(\n \"policy\", DeviceCustomString1,\n \"process\", SourceProcessName,\n \"connectionInstance\", ProcessID,\n \"disposition\", DeviceCustomString3,\n \"event type id\", EventOutcome\n ),\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n bag_pack(\n \"connectionInstance\", ProcessID,\n \"signaturedata\", DeviceCustomString4,\n \"disposition\", 
DeviceCustomString2\n ),\n \"\"\n )\n )\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol)\n | lookup DirectionLookup on CommunicationDirection\n | extend\n EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventSeverity = case(\n DvcAction == \"Allow\" and Disposition =~ \"Malware\",\n \"High\",\n DvcAction == \"Deny\" and Disposition =~ \"Malware\",\n \"Medium\",\n DvcAction == \"Deny\" and Disposition !~ \"Malware\",\n \"Low\",\n \"Informational\"\n ),\n EventOriginalType = case(\n DeviceEventClassID has \"File:500:1\",\n \"File Event\",\n DeviceEventClassID has \"FileMalware:502:1\",\n \"FileMalware Event\",\n Activity\n ),\n FileContentType = FileType,\n HttpContentType = FileType,\n FileSize = tolong(FileSize),\n ThreatCategory = iff(Disposition =~ \"Malware\", Disposition, \"\")\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend \n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventVendor = DeviceVendor,\n EventProduct = DeviceProduct,\n EventProductVersion = DeviceVersion,\n DstPortNumber = DestinationPort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n FileSHA256 = FileHash,\n SrcPortNumber = SourcePort,\n EventOriginalSeverity = LogSeverity,\n EventOriginalUid = ExtID,\n NetworkApplicationProtocol = 
ApplicationProtocol,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n HttpUserAgent = RequestClientApplication\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n HashType = \"SHA256\",\n DvcIdType = \"Other\",\n NetworkProtocolVersion=case(DstIpAddr has \".\", \"IPv4\", DstIpAddr has \":\", \"IPv6\", \"\"),\n IpAddr = SrcIpAddr,\n Hash = FileSHA256,\n User = SrcUsername,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr)\n | project-away\n Source*,\n Destination*,\n Device*,\n start,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n FileID,\n FileModificationTime,\n Old*,\n FileCreateTime,\n FilePermission,\n IndicatorThreatType,\n MaliciousIP*,\n Message,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n FilePath,\n FileType,\n Reason,\n ReceiptTime,\n ExternalID,\n ReportReferenceLink,\n Ip_*,\n host*,\n _ResourceId,\n temp*,\n NetworkProtocolNumber,\n Disposition,\n ThreatConfidence\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Cisco Firepower", + "category": "ASIM", + "FunctionAlias": "vimWebSessionCiscoFirepower", + "query": "let EventFieldsLookup = datatable(\n DeviceAction: string, \n DvcAction: string,\n EventResult: string\n)\n [\n \"Detect\", \"Allow\", \"Partial\",\n \"Block\", \"Deny\", \"Failure\",\n \"Malware Cloud Lookup\", \"Deny\", \"Failure\",\n \"Malware Block\", \"Deny\", \"Failure\",\n \"Malware Allow List\", \"Allow\", \"Success\",\n \"Cloud Lookup Timeout\", \"Deny\", \"Failure\",\n \"Custom Detection\", \"Allow\", \"Partial\",\n \"Custom Detection Block\", \"Deny\", \"Failure\",\n \"Archive Block-Depth Exceeded\", \"Deny\", \"Failure\",\n \"Archive Block-Encrypted\", \"Encrypt\", \"Failure\",\n \"Archive Block-Failed to Inspect\", \"Deny\", \"Failure\"\n];\nlet DirectionLookup = datatable (CommunicationDirection: string, NetworkDirection: string)[\n \"1\", \"Inbound\",\n \"2\", \"Outbound\"\n];\nlet parser=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n CommonSecurityLog\n | where not(disabled) \n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Cisco\" and DeviceProduct == \"Firepower\"\n and 
DeviceEventClassID in(\"File:500:1\", \"FileMalware:502:1\", \"FireAMP:125:1\")\n and array_length(eventresultdetails_in) == 0\n and array_length(httpuseragent_has_any) == 0\n and ((array_length(url_has_any) == 0) or RequestURL has_any (url_has_any))\n | extend\n temp_isSrcMatch=has_any_ipv4_prefix(SourceIP, src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n (temp_isSrcMatch and temp_isDstMatch),\n \"Both\", \n temp_isSrcMatch,\n \"SrcIpAddr\",\n temp_isDstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | lookup EventFieldsLookup on DeviceAction\n | where eventresult == '*' or EventResult =~ eventresult\n | parse-kv AdditionalExtensions as (start: long) with (pair_delimiter=';', kv_delimiter='=')\n | extend\n EventMessage = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString5, \"\"),\n ThreatName = iff(DeviceEventClassID == \"FireAMP:125:1\", DeviceCustomString2, \"\"),\n Disposition = case(\n DeviceEventClassID == \"FireAMP:125:1\",\n DeviceCustomString3,\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n DeviceCustomString2,\n \"\"\n ),\n AdditionalFields = todynamic(\n case(\n DeviceEventClassID == \"FireAMP:125:1\",\n bag_pack(\n \"policy\", DeviceCustomString1,\n \"process\", SourceProcessName,\n \"connectionInstance\", ProcessID,\n \"disposition\", DeviceCustomString3,\n \"event type id\", EventOutcome\n ),\n DeviceEventClassID in (\"File:500:1\", \"FileMalware:502:1\"),\n bag_pack(\n \"connectionInstance\", ProcessID,\n \"signaturedata\", DeviceCustomString4,\n \"disposition\", DeviceCustomString2\n ),\n \"\"\n )\n )\n | invoke _ASIM_ResolveNetworkProtocol('Protocol')\n | extend NetworkProtocol = iff(NetworkProtocol == \"Unassigned\" and Protocol !in (63, 68, 99, 114, 253, 254), Protocol, NetworkProtocol)\n | lookup DirectionLookup on CommunicationDirection\n | extend\n 
EventStartTime = coalesce(unixtime_milliseconds_todatetime(start), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n EventSeverity = case(\n DvcAction == \"Allow\" and Disposition =~ \"Malware\",\n \"High\",\n DvcAction == \"Deny\" and Disposition =~ \"Malware\",\n \"Medium\",\n DvcAction == \"Deny\" and Disposition !~ \"Malware\",\n \"Low\",\n \"Informational\"\n ),\n EventOriginalType = case(\n DeviceEventClassID has \"File:500:1\",\n \"File Event\",\n DeviceEventClassID has \"FileMalware:502:1\",\n \"FileMalware Event\",\n Activity\n ),\n FileContentType = FileType,\n HttpContentType = FileType,\n FileSize = tolong(FileSize),\n ThreatCategory = iff(Disposition =~ \"Malware\", Disposition, \"\")\n | extend Ip_device = iff(DeviceName matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", DeviceName, \"\")\n | extend\n DvcIpAddr = Ip_device,\n DeviceName = iff(isempty(Ip_device), DeviceName, \"\")\n | extend host = coalesce(DeviceName, Computer)\n | invoke _ASIM_ResolveDvcFQDN('host')\n | extend \n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventVendor = DeviceVendor,\n EventProduct = DeviceProduct,\n EventProductVersion = DeviceVersion,\n DstPortNumber = DestinationPort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n FileSHA256 = FileHash,\n SrcPortNumber = SourcePort,\n EventOriginalSeverity = LogSeverity,\n EventOriginalUid = ExtID,\n NetworkApplicationProtocol = ApplicationProtocol,\n EventUid = _ItemId,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n HttpUserAgent = RequestClientApplication\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\"),\n DstUsernameType = 
_ASIM_GetUsernameType(DstUsername),\n DstUserType = _ASIM_GetUserType(DstUsername, \"\"),\n HashType = \"SHA256\",\n DvcIdType = \"Other\",\n NetworkProtocolVersion=case(DstIpAddr has \".\", \"IPv4\", DstIpAddr has \":\", \"IPv6\", \"\"),\n IpAddr = SrcIpAddr,\n Hash = FileSHA256,\n User = SrcUsername,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime,\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr)\n | project-away\n Source*,\n Destination*,\n Device*,\n start,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n FileID,\n FileModificationTime,\n Old*,\n FileCreateTime,\n FilePermission,\n IndicatorThreatType,\n MaliciousIP*,\n Message,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n FilePath,\n FileType,\n Reason,\n ReceiptTime,\n ExternalID,\n ReportReferenceLink,\n Ip_*,\n host*,\n _ResourceId,\n temp*,\n NetworkProtocolNumber,\n Disposition,\n ThreatConfidence\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionCiscoMeraki/vimWebSessionCiscoMeraki.json b/Parsers/ASimWebSession/ARM/vimWebSessionCiscoMeraki/vimWebSessionCiscoMeraki.json
index 34fef7a9789..22726499ab9 100644
--- a/Parsers/ASimWebSession/ARM/vimWebSessionCiscoMeraki/vimWebSessionCiscoMeraki.json
+++ b/Parsers/ASimWebSession/ARM/vimWebSessionCiscoMeraki/vimWebSessionCiscoMeraki.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionCiscoMeraki')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimWebSessionCiscoMeraki", - "query": "let ActionLookup = datatable (action: string, DvcAction: string, EventResult: string, EventSeverity: string) [\n 'allow', 'Allow', 'Success', 'Informational',\n 'log', 'Allow', 'Success', 'Informational',\n 'accept', 'Allow', 'Success', 'Informational',\n 'block', 'Deny', 'Failure', 'Low',\n 'deny', 'Deny', 'Failure', 'Low',\n 'quarantine', 'Deny', 'Failure', 'Low'\n ];\n let parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= 
endtime)\n and (LogMessage has \"urls\" or LogMessage has_all(\"security_event\", \"security_filtering_file_scanned\")) and (array_length(eventresultdetails_in) == 0)\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(split(Epoch, \".\")[0]))\n | where (array_length(url_has_any) == 0 or LogMessage has_any (url_has_any))\n and (array_length(httpuseragent_has_any) == 0 or LogMessage has_any(httpuseragent_has_any))\n | where LogType in (\"security_event\", \"urls\");\n let SecurityEventData = PreFilteredData\n | where LogType == \"security_event\"\n | parse Substring with LogSubType: string \" \" temp_RestMessage: string\n | where LogSubType == \"security_filtering_file_scanned\"\n | parse-kv Substring as (disposition: string, action: string, sha256: string, name: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with * \" sha256\" fsha256: string \" \"restmessage: string\n | extend disposition = trim('\"', disposition),\n action = trim('\"', action),\n sha256 = trim('\"', sha256),\n fsha256 = trim('\"', fsha256),\n name = trim('\"', name)\n | lookup ActionLookup on action;\n let UrlsData = PreFilteredData\n | where LogType == \"urls\"\n | parse Substring with * \"request:\" request: string \" \" urls: string;\n union SecurityEventData, UrlsData\n | parse-kv Substring as (src: string, dst: string, url: string, mac: string, agent: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | where (array_length(httpuseragent_has_any) == 0 or agent has_any(httpuseragent_has_any))\n | extend\n src = trim('\"', src),\n dst = trim('\"', dst),\n url = trim('\"', url),\n urls = trim('\"', urls)\n | extend Url = coalesce(url, urls)\n | where array_length(url_has_any) == 0 
or Url has_any (url_has_any)\n | extend EventResult=case(\n LogType == \"urls\", \"Success\",\n isempty(EventResult), \"NA\",\n EventResult \n )\n | where (eventresult == '*' or EventResult =~ eventresult)\n | parse src with * \"[\" temp_srcip: string \"]:\" temp_srcport: string\n | parse dst with * \"[\" temp_dstip: string \"]:\" temp_dstport: string\n | extend\n agent= trim('\"', agent),\n mac = trim('\"', mac)\n | extend SrcIpAddr = iff(\n src has \".\",\n split(src, \":\")[0], \n coalesce(temp_srcip, src)\n )\n | extend DstIpAddr = iff(\n dst has \".\",\n split(dst, \":\")[0], \n coalesce(temp_dstip, dst)\n )\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch=has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcPortNumber = toint(\n iff (\n src has \".\",\n split(src, \":\")[1],\n temp_srcport\n )\n )\n | extend DstPortNumber = toint(\n iff (\n dst has \".\",\n split(dst, \":\")[1],\n temp_dstport\n )\n )\n | extend\n EventSeverity=case(\n DvcAction == \"Deny\" and disposition == \"malicious\",\n \"Medium\",\n DvcAction == \"Allow\" and disposition == \"malicious\",\n \"High\",\n isnotempty(EventSeverity), EventSeverity,\n \"Informational\"\n )\n | extend\n EventType = \"HTTPsession\",\n HttpUserAgent = agent,\n HttpRequestMethod = request,\n FileSHA256 = coalesce(sha256, fsha256),\n FileName = name,\n DvcMacAddr = mac,\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend \n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime\n | extend\n 
EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"WebSession\",\n EventSchemaVersion=\"0.2.6\"\n | project-away\n LogMessage,\n Parser,\n LogType,\n LogSubType,\n Epoch,\n Device,\n src,\n dst,\n mac,\n url,\n urls,\n disposition,\n action,\n request,\n name,\n sha256,\n fsha256,\n agent,\n restmessage,\n temp*,\n Substring,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n parser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimWebSessionCiscoMeraki", + "query": "let ActionLookup = datatable (action: string, DvcAction: string, EventResult: string, EventSeverity: string) [\n 'allow', 'Allow', 'Success', 'Informational',\n 'log', 'Allow', 'Success', 'Informational',\n 'accept', 'Allow', 'Success', 'Informational',\n 'block', 'Deny', 'Failure', 'Low',\n 'deny', 'Deny', 'Failure', 'Low',\n 'quarantine', 'Deny', 'Failure', 'Low'\n ];\n let parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]), \n 
url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and (LogMessage has \"urls\" or LogMessage has_all(\"security_event\", \"security_filtering_file_scanned\")) and (array_length(eventresultdetails_in) == 0)\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(split(Epoch, \".\")[0]))\n | where (array_length(url_has_any) == 0 or LogMessage has_any (url_has_any))\n and (array_length(httpuseragent_has_any) == 0 or LogMessage has_any(httpuseragent_has_any))\n | where LogType in (\"security_event\", \"urls\");\n let SecurityEventData = PreFilteredData\n | where LogType == \"security_event\"\n | parse Substring with LogSubType: string \" \" temp_RestMessage: string\n | where LogSubType == \"security_filtering_file_scanned\"\n | parse-kv Substring as (disposition: string, action: string, sha256: string, name: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with * \" sha256\" fsha256: string \" \"restmessage: string\n | extend disposition = trim('\"', disposition),\n action = trim('\"', action),\n sha256 = trim('\"', sha256),\n fsha256 = trim('\"', fsha256),\n name = trim('\"', name)\n | 
lookup ActionLookup on action;\n let UrlsData = PreFilteredData\n | where LogType == \"urls\"\n | parse Substring with * \"request:\" request: string \" \" urls: string;\n union SecurityEventData, UrlsData\n | parse-kv Substring as (src: string, dst: string, url: string, mac: string, agent: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | where (array_length(httpuseragent_has_any) == 0 or agent has_any(httpuseragent_has_any))\n | extend\n src = trim('\"', src),\n dst = trim('\"', dst),\n url = trim('\"', url),\n urls = trim('\"', urls)\n | extend Url = coalesce(url, urls)\n | where array_length(url_has_any) == 0 or Url has_any (url_has_any)\n | extend EventResult=case(\n LogType == \"urls\", \"Success\",\n isempty(EventResult), \"NA\",\n EventResult \n )\n | where (eventresult == '*' or EventResult =~ eventresult)\n | parse src with * \"[\" temp_srcip: string \"]:\" temp_srcport: string\n | parse dst with * \"[\" temp_dstip: string \"]:\" temp_dstport: string\n | extend\n agent= trim('\"', agent),\n mac = trim('\"', mac)\n | extend SrcIpAddr = iff(\n src has \".\",\n split(src, \":\")[0], \n coalesce(temp_srcip, src)\n )\n | extend DstIpAddr = iff(\n dst has \".\",\n split(dst, \":\")[0], \n coalesce(temp_dstip, dst)\n )\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, src_or_any),\n temp_DstMatch=has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcPortNumber = toint(\n iff (\n src has \".\",\n split(src, \":\")[1],\n temp_srcport\n )\n )\n | extend DstPortNumber = toint(\n iff (\n dst has \".\",\n split(dst, \":\")[1],\n temp_dstport\n )\n )\n | extend\n EventSeverity=case(\n DvcAction == \"Deny\" and disposition == \"malicious\",\n \"Medium\",\n DvcAction == 
\"Allow\" and disposition == \"malicious\",\n \"High\",\n isnotempty(EventSeverity), EventSeverity,\n \"Informational\"\n )\n | extend\n EventType = \"HTTPsession\",\n HttpUserAgent = agent,\n HttpRequestMethod = request,\n FileSHA256 = coalesce(sha256, fsha256),\n FileName = name,\n DvcMacAddr = mac,\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend \n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"WebSession\",\n EventSchemaVersion=\"0.2.6\"\n | project-away\n LogMessage,\n Parser,\n LogType,\n LogSubType,\n Epoch,\n Device,\n src,\n dst,\n mac,\n url,\n urls,\n disposition,\n action,\n request,\n name,\n sha256,\n fsha256,\n agent,\n restmessage,\n temp*,\n Substring,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n parser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionCitrixNetScaler/vimWebSessionCitrixNetScaler.json b/Parsers/ASimWebSession/ARM/vimWebSessionCitrixNetScaler/vimWebSessionCitrixNetScaler.json
index 46ea5ea5e9b..63bd88c5e15 100644
--- a/Parsers/ASimWebSession/ARM/vimWebSessionCitrixNetScaler/vimWebSessionCitrixNetScaler.json
+++ b/Parsers/ASimWebSession/ARM/vimWebSessionCitrixNetScaler/vimWebSessionCitrixNetScaler.json
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionCitrixNetScaler')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionCitrixNetScaler", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Citrix NetScaler(Web App Firewall)", - "category": "ASIM", - "FunctionAlias": "vimWebSessionCitrixNetScaler", - "query": "let EventSeverityLookup = datatable (DeviceCustomString4: string, EventSeverity: string)\n[\n \"EMERGENCY\", \"High\",\n \"ALERT\", \"High\",\n \"CRITICAL\", \"High\",\n \"ERROR\", \"Medium\",\n \"WARNING\", \"Low\",\n \"NOTICE\", \"Low\",\n \"INFORMATIONAL\", \"Informational\",\n \"DEBUG\", \"Informational\",\n \"INFO\", \"Informationl\",\n \"WARN\", \"Low\",\n \"ERR\", \"Medium\"\n];\nlet EventFieldsLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"blocked\", \"Deny\", \"Failure\",\n \"not blocked\", \"Allow\", \"Success\",\n \"transformed\", \"Allow\", \"Success\"\n];\nlet parser = (starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n 
and (isnull(endtime) or TimeGenerated <= endtime)\n and (DeviceVendor == \"Citrix\" and DeviceProduct == \"NetScaler\")\n | where DeviceEventClassID == \"APPFW\" and Activity has_any (\"APPFW_STARTURL\", \"APPFW_XML_cross-site scripting\", \"APPFW_SAFECOMMERCE\", \"APPFW_SAFECOMMERCE_XFORM\", \"APPFW_SIGNATURE_MATCH\", \"APPFW_XML_ERR_NOT_WELLFORMED\", \"APPFW_FIELDCONSISTENCY\", \"APPFW_SQL\", \"APPFW_BUFFEROVERFLOW_URL\", \"APPFW_BUFFEROVERFLOW_COOKIE\", \"APPFW_cross-site scripting\", \"APPFW_FIELDFORMAT\", \"APPFW_REFERER_HEADER\", \"APPFW_XSS\")\n | where array_length(httpuseragent_has_any) == 0\n | where array_length(eventresultdetails_in) == 0\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | parse-kv AdditionalExtensions as (method: string, geolocation: string, script: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | parse RequestURL with * \"://\" host: string \"/\" *\n | extend\n DeviceAction = trim(\"[*]+\", DeviceAction),\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(RequestURL, ipaddr_has_any_prefix)\n | lookup EventFieldsLookup on DeviceAction\n | lookup EventSeverityLookup on DeviceCustomString4\n | where eventresult == '*' or EventResult =~ eventresult\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend \n Ip_host = iff(host matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", host, \"\"),\n Ip_computer = iff(Computer matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", Computer, \"\"),\n HttpHost = host\n | extend\n host = iff(isempty(Ip_host), host, \"\"),\n Computer = iff(isempty(Ip_computer), Computer, \"\"),\n AdditionalFields = bag_pack(\n \"Script\", script,\n 
\"Event ID\", FieldDeviceCustomNumber1,\n \"HTTP Transaction ID\", FieldDeviceCustomNumber2,\n \"Profile Name\", DeviceCustomString1,\n \"PPE ID\", DeviceCustomString2,\n \"Signature Violation Category\", DeviceCustomString6\n )\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | invoke _ASIM_ResolveDstFQDN('host')\n | extend\n DstIpAddr = tostring(split(Ip_host, \":\")[0]),\n DstPortNumber = toint(split(Ip_host, \":\")[1]),\n DvcIpAddr = tostring(split(Ip_computer, \":\")[0])\n | extend \n DstHostname = coalesce(DstIpAddr, DstHostname)\n | extend\n EventProduct = \"NetScaler\",\n EventVendor = \"Citrix\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventUid = _ItemId,\n SrcIpAddr = SourceIP,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n EventOriginalSeverity = DeviceCustomString4,\n EventProductVersion = DeviceVersion,\n HttpRequestMethod = method,\n NetworkSessionId = DeviceCustomString3,\n SrcPortNumber = SourcePort,\n Url = RequestURL,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSubType = Activity,\n SrcGeoCountry = geolocation\n | extend\n EventEndTime = EventStartTime,\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n Ip_*,\n LogSeverity,\n _ResourceId,\n host,\n script,\n temp*,\n ExtID\n};\nparser(\n starttime=starttime, \n 
endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Citrix NetScaler(Web App Firewall)", + "category": "ASIM", + "FunctionAlias": "vimWebSessionCitrixNetScaler", + "query": "let EventSeverityLookup = datatable (DeviceCustomString4: string, EventSeverity: string)\n[\n \"EMERGENCY\", \"High\",\n \"ALERT\", \"High\",\n \"CRITICAL\", \"High\",\n \"ERROR\", \"Medium\",\n \"WARNING\", \"Low\",\n \"NOTICE\", \"Low\",\n \"INFORMATIONAL\", \"Informational\",\n \"DEBUG\", \"Informational\",\n \"INFO\", \"Informationl\",\n \"WARN\", \"Low\",\n \"ERR\", \"Medium\"\n];\nlet EventFieldsLookup = datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n[\n \"blocked\", \"Deny\", \"Failure\",\n \"not blocked\", \"Allow\", \"Success\",\n \"transformed\", \"Allow\", \"Success\"\n];\nlet parser = (starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n | where 
(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (DeviceVendor == \"Citrix\" and DeviceProduct == \"NetScaler\")\n | where DeviceEventClassID == \"APPFW\" and Activity has_any (\"APPFW_STARTURL\", \"APPFW_XML_cross-site scripting\", \"APPFW_SAFECOMMERCE\", \"APPFW_SAFECOMMERCE_XFORM\", \"APPFW_SIGNATURE_MATCH\", \"APPFW_XML_ERR_NOT_WELLFORMED\", \"APPFW_FIELDCONSISTENCY\", \"APPFW_SQL\", \"APPFW_BUFFEROVERFLOW_URL\", \"APPFW_BUFFEROVERFLOW_COOKIE\", \"APPFW_cross-site scripting\", \"APPFW_FIELDFORMAT\", \"APPFW_REFERER_HEADER\", \"APPFW_XSS\")\n | where array_length(httpuseragent_has_any) == 0\n | where array_length(eventresultdetails_in) == 0\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | parse-kv AdditionalExtensions as (method: string, geolocation: string, script: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | parse RequestURL with * \"://\" host: string \"/\" *\n | extend\n DeviceAction = trim(\"[*]+\", DeviceAction),\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(RequestURL, ipaddr_has_any_prefix)\n | lookup EventFieldsLookup on DeviceAction\n | lookup EventSeverityLookup on DeviceCustomString4\n | where eventresult == '*' or EventResult =~ eventresult\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend \n Ip_host = iff(host matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", host, \"\"),\n Ip_computer = iff(Computer matches regex \"(([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.(([0-9]{1,3})))\", Computer, \"\"),\n HttpHost = host\n | extend\n host = iff(isempty(Ip_host), host, \"\"),\n Computer = iff(isempty(Ip_computer), Computer, \"\"),\n 
AdditionalFields = bag_pack(\n \"Script\", script,\n \"Event ID\", FieldDeviceCustomNumber1,\n \"HTTP Transaction ID\", FieldDeviceCustomNumber2,\n \"Profile Name\", DeviceCustomString1,\n \"PPE ID\", DeviceCustomString2,\n \"Signature Violation Category\", DeviceCustomString6\n )\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | invoke _ASIM_ResolveDstFQDN('host')\n | extend\n DstIpAddr = tostring(split(Ip_host, \":\")[0]),\n DstPortNumber = toint(split(Ip_host, \":\")[1]),\n DvcIpAddr = tostring(split(Ip_computer, \":\")[0])\n | extend \n DstHostname = coalesce(DstIpAddr, DstHostname)\n | extend\n EventProduct = \"NetScaler\",\n EventVendor = \"Citrix\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename\n EventUid = _ItemId,\n SrcIpAddr = SourceIP,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n EventOriginalSeverity = DeviceCustomString4,\n EventProductVersion = DeviceVersion,\n HttpRequestMethod = method,\n NetworkSessionId = DeviceCustomString3,\n SrcPortNumber = SourcePort,\n Url = RequestURL,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSubType = Activity,\n SrcGeoCountry = geolocation\n | extend\n EventEndTime = EventStartTime,\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n Ip_*,\n LogSeverity,\n _ResourceId,\n host,\n script,\n 
temp*,\n ExtID\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json b/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json index 40f00ad1c19..e34599ba292 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionEmpty/vimWebSessionEmpty.json 
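Review bot: The EventSeverityLookup carried over to the new-side `query` of vimWebSessionCitrixNetScaler still maps `"INFO", "Informationl"`, a misspelling of `Informational`, so NetScaler events whose DeviceCustomString4 is INFO get an EventSeverity that is not one of the schema's Informational/Low/Medium/High values and will be missed by content filtering on severity. The hunk only relocates the savedSearches resource from a nested workspace child to a top-level `Microsoft.OperationalInsights/workspaces/savedSearches` resource, so the typo survives; the entry should read `"INFO", "Informational",`. Since this ARM template appears to be a generated artifact of the parser's YAML definition (this commit's workflows convert parser YAML to ARM), the correction belongs in that YAML source so a regeneration does not reintroduce it. The same lookup text is present in the removed lines of this hunk, so no other hunk in view is affected.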
@@ -18,28 +18,18 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionEmpty')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimWebSessionEmpty", - "query": "let parser=datatable(\n TimeGenerated:datetime\n , _ResourceId:string\n , Type:string\n // -- Event Fields\n , EventMessage:string // Optional\n , EventCount:int // Mandatory\n , EventStartTime:datetime // Mandatory\n , EventEndTime:datetime // Alias\n , EventType:string // Mandatory\n , EventSubType:string // Optional\n , EventResult:string // Mandatory\n , EventResultDetails:string // Optional\n , EventOriginalResultDetails:string // Optional\n , EventSeverity:string // Mandatory\n , EventOriginalSeverity:string // Optional\n , EventOriginalUid:string // Optional\n , EventOriginalType:string // Optional\n , EventProduct:string // Mandatory\n , EventProductVersion:string // Optional\n , EventVendor:string // Mandatory\n , EventSchema:string // Mandatory\n , EventSchemaVersion:string // Mandatory\n , EventReportUrl:string // Mandatory\n , Dvc:string // Alias\n , DvcIpAddr:string // Mandatory\n , DvcHostname:string // Mandatory\n , DvcDomain:string // Recommended\n , DvcDomainType:string // Recommended\n , DvcFQDN:string // Optional\n , DvcId:string // Optional\n , DvcIdType:string // Optional\n , DvcMacAddr:string // Optional\n , DvcZone:string // Optional \n , DvcAction:string // Optional\n , DvcOriginalAction:string 
// Optional\n // -- Network Session Fields\n , Dst:string // Alias\n , DstIpAddr:string // Recommended\n , DstPortNumber:int // Optional\n , DstHostname:string // Recommended\n , Hostname:string // Alias\n , DstDomain:string // Recommended\n , DstDomainType:string // Recommended\n , DstFQDN:string // Optional\n , DstDvcId:string // Optional\n , DstDvcIdType:string // Optional\n , DstDeviceType:string // Optional\n , DstUserId:string // Optional\n , DstUserIdType:string // Optional\n , DstUsername:string // Optional\n , User:string // Alias\n , DstUsernameType:string // Alias\n , DstUserType:string // Optional\n , DstOriginalUserType:string // Optional\n , DstUserDomain:string // Optional\n , DstAppName:string // Optional\n , DstAppId:string // Optional\n , DstAppType:string // Optional\n , DstZone:string // Optional\n , DstInterfaceName:string // Optional\n , DstInterfaceGuid:string // Optional\n , DstMacAddr:string // Optional\n , DstGeoCountry:string // Optional\n , DstGeoCity:string // Optional\n , DstGeoLatitude:real // Optional\n , DstGeoLongitude:real // Optional\n , Src:string // Alias\n , SrcIpAddr:string // Recommended\n , SrcPortNumber:int // Optional\n , SrcHostname:string // Recommended\n , SrcDomain:string // Recommended\n , SrcDomainType:string // Recommended\n , SrcFQDN:string // Optional\n , SrcDvcId:string // Optional\n , SrcDvcIdType:string // Optional\n , SrcDeviceType:string // Optional\n , SrcUserId:string // Optional\n , SrcUserIdType:string // Optional\n , SrcUsername:string // Optional\n , SrcUsernameType:string // Alias\n , SrcUserType:string // Optional\n , SrcOriginalUserType:string // Optional\n , SrcUserDomain:string // Optional\n , SrcAppName:string // Optional\n , SrcAppId:string // Optional\n , IpAddr:string // Alias\n , SrcAppType:string // Optional\n , SrcZone:string // Optional\n , SrcInterfaceName:string // Optional\n , SrcInterfaceGuid:string // Optional\n , SrcMacAddr:string // Optional\n , SrcGeoCountry:string // Optional\n , 
SrcGeoCity:string // Optional\n , SrcGeoLatitude:real // Optional\n , SrcGeoLongitude:real // Optional\n , NetworkApplicationProtocol:string // Optional\n , NetworkProtocol:string // Optional\n , NetworkProtocolVersion:string // Optional\n , NetworkDirection:string // Optional\n , NetworkDuration:int // Optional\n , Duration:int // Alias\n , NetworkIcmpCode:int // Optional\n , NetworkIcmpType:string // Optional\n , DstBytes:long // Optional\n , SrcBytes:long // Optional\n , NetworkBytes:long // Optional\n , DstPackets:long // Optional\n , SrcPackets:long // Optional\n , NetworkPackets:long // Optional\n , NetworkSessionId:string // Optional\n , SessionId:string // Alias\n , NetworkConnectionHistory:string // Optional\n , SrcVlanId:string // Optional\n , DstVlanId:string // Alias\n , InnerVlanId:string // Optional\n , OuterVlanId: string // Alias\n // -- Intermediary device fields\n , DstNatIpAddr:string // Optional\n , DstNatPortNumber:int // Optional\n , SrcNatIpAddr:string // Optional\n , SrcNatPortNumber:int // Optional\n , DvcInboundInterface:string // Optional\n , DvcOutboundInterface:string // Optional\n , DvcInterface:string // Optional\n // -- HTTP session fields\n , Url:string // Mandatory\n , UrlCategory:string // Optional\n , UrlOriginal:string // Optional\n , HttpVersion:string // Optional\n , HttpRequestMethod:string // Optional\n , HttpStatusCode:string // Alias\n , HttpContentType:string // Optional\n , HttpContentFormat:string // Optional\n , HttpReferrer:string // Optional\n , HttpUserAgent:string // Optional\n , UserAgent:string // Alias\n , HttpRequestXff:string // Optional\n , HttpRequestTime:int // Optional\n , HttpResponseTime:int // Optional\n , FileName:string // Optional\n , FileMD5:string // Optional\n , FileSHA1:string // Optional \n , FileSHA256:string // Optional\n , FileSHA512:string // Optional\n , FileSize:long // Optional\n , FileContentType:string // Optional\n , RuleName:string // Optional\n , RuleNumber:int // Optional\n , 
Rule:string // Alias\n , ThreatId:string // Optional\n , ThreatName:string // Optional\n , ThreatCategory:string // Optional\n , ThreatRiskLevel:int // Optional\n , ThreatOriginalRiskLevel:string // Optional\n , DvcSubscriptionId:string // Optional\n , SrcSubscriptionId:string // Optional\n , DstSubscriptionId:string // Optional \n )[];\n parser", - "version": 1 - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimWebSessionEmpty", + "query": "let parser=datatable(\n TimeGenerated:datetime\n , _ResourceId:string\n , Type:string\n // -- Event Fields\n , EventMessage:string // Optional\n , EventCount:int // Mandatory\n , EventStartTime:datetime // Mandatory\n , EventEndTime:datetime // Alias\n , EventType:string // Mandatory\n , EventSubType:string // Optional\n , EventResult:string // Mandatory\n , EventResultDetails:string // Optional\n , EventOriginalResultDetails:string // Optional\n , EventSeverity:string // Mandatory\n , EventOriginalSeverity:string // Optional\n , EventOriginalUid:string // Optional\n , EventOriginalType:string // Optional\n , EventProduct:string // Mandatory\n , EventProductVersion:string // Optional\n , EventVendor:string // Mandatory\n , EventSchema:string // Mandatory\n , EventSchemaVersion:string // Mandatory\n , EventReportUrl:string // Mandatory\n , Dvc:string // Alias\n , DvcIpAddr:string // Mandatory\n , DvcHostname:string // Mandatory\n , DvcDomain:string // Recommended\n , DvcDomainType:string // Recommended\n , DvcFQDN:string // Optional\n , DvcId:string // Optional\n , DvcIdType:string // Optional\n , DvcMacAddr:string // Optional\n , DvcZone:string // Optional \n , DvcAction:string // Optional\n , DvcOriginalAction:string // Optional\n // -- Network Session Fields\n , Dst:string // Alias\n , DstIpAddr:string // Recommended\n , DstPortNumber:int // Optional\n , DstHostname:string // Recommended\n , Hostname:string // Alias\n , 
DstDomain:string // Recommended\n , DstDomainType:string // Recommended\n , DstFQDN:string // Optional\n , DstDvcId:string // Optional\n , DstDvcIdType:string // Optional\n , DstDeviceType:string // Optional\n , DstUserId:string // Optional\n , DstUserIdType:string // Optional\n , DstUsername:string // Optional\n , User:string // Alias\n , DstUsernameType:string // Alias\n , DstUserType:string // Optional\n , DstOriginalUserType:string // Optional\n , DstUserDomain:string // Optional\n , DstAppName:string // Optional\n , DstAppId:string // Optional\n , DstAppType:string // Optional\n , DstZone:string // Optional\n , DstInterfaceName:string // Optional\n , DstInterfaceGuid:string // Optional\n , DstMacAddr:string // Optional\n , DstGeoCountry:string // Optional\n , DstGeoCity:string // Optional\n , DstGeoLatitude:real // Optional\n , DstGeoLongitude:real // Optional\n , Src:string // Alias\n , SrcIpAddr:string // Recommended\n , SrcPortNumber:int // Optional\n , SrcHostname:string // Recommended\n , SrcDomain:string // Recommended\n , SrcDomainType:string // Recommended\n , SrcFQDN:string // Optional\n , SrcDvcId:string // Optional\n , SrcDvcIdType:string // Optional\n , SrcDeviceType:string // Optional\n , SrcUserId:string // Optional\n , SrcUserIdType:string // Optional\n , SrcUsername:string // Optional\n , SrcUsernameType:string // Alias\n , SrcUserType:string // Optional\n , SrcOriginalUserType:string // Optional\n , SrcUserDomain:string // Optional\n , SrcAppName:string // Optional\n , SrcAppId:string // Optional\n , IpAddr:string // Alias\n , SrcAppType:string // Optional\n , SrcZone:string // Optional\n , SrcInterfaceName:string // Optional\n , SrcInterfaceGuid:string // Optional\n , SrcMacAddr:string // Optional\n , SrcGeoCountry:string // Optional\n , SrcGeoCity:string // Optional\n , SrcGeoLatitude:real // Optional\n , SrcGeoLongitude:real // Optional\n , NetworkApplicationProtocol:string // Optional\n , NetworkProtocol:string // Optional\n , 
NetworkProtocolVersion:string // Optional\n , NetworkDirection:string // Optional\n , NetworkDuration:int // Optional\n , Duration:int // Alias\n , NetworkIcmpCode:int // Optional\n , NetworkIcmpType:string // Optional\n , DstBytes:long // Optional\n , SrcBytes:long // Optional\n , NetworkBytes:long // Optional\n , DstPackets:long // Optional\n , SrcPackets:long // Optional\n , NetworkPackets:long // Optional\n , NetworkSessionId:string // Optional\n , SessionId:string // Alias\n , NetworkConnectionHistory:string // Optional\n , SrcVlanId:string // Optional\n , DstVlanId:string // Alias\n , InnerVlanId:string // Optional\n , OuterVlanId: string // Alias\n // -- Intermediary device fields\n , DstNatIpAddr:string // Optional\n , DstNatPortNumber:int // Optional\n , SrcNatIpAddr:string // Optional\n , SrcNatPortNumber:int // Optional\n , DvcInboundInterface:string // Optional\n , DvcOutboundInterface:string // Optional\n , DvcInterface:string // Optional\n // -- HTTP session fields\n , Url:string // Mandatory\n , UrlCategory:string // Optional\n , UrlOriginal:string // Optional\n , HttpVersion:string // Optional\n , HttpRequestMethod:string // Optional\n , HttpStatusCode:string // Alias\n , HttpContentType:string // Optional\n , HttpContentFormat:string // Optional\n , HttpReferrer:string // Optional\n , HttpUserAgent:string // Optional\n , UserAgent:string // Alias\n , HttpRequestXff:string // Optional\n , HttpRequestTime:int // Optional\n , HttpResponseTime:int // Optional\n , FileName:string // Optional\n , FileMD5:string // Optional\n , FileSHA1:string // Optional \n , FileSHA256:string // Optional\n , FileSHA512:string // Optional\n , FileSize:long // Optional\n , FileContentType:string // Optional\n , RuleName:string // Optional\n , RuleNumber:int // Optional\n , Rule:string // Alias\n , ThreatId:string // Optional\n , ThreatName:string // Optional\n , ThreatCategory:string // Optional\n , ThreatRiskLevel:int // Optional\n , ThreatOriginalRiskLevel:string // 
Optional\n , DvcSubscriptionId:string // Optional\n , SrcSubscriptionId:string // Optional\n , DstSubscriptionId:string // Optional \n )[];\n parser", + "version": 1 + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionF5ASM/vimWebSessionF5ASM.json b/Parsers/ASimWebSession/ARM/vimWebSessionF5ASM/vimWebSessionF5ASM.json index c2f0b378843..afa944a95bf 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionF5ASM/vimWebSessionF5ASM.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionF5ASM/vimWebSessionF5ASM.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionF5ASM')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionF5ASM", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for F5 BIG-IP Application Security Manager (ASM)", - "category": "ASIM", - "FunctionAlias": "vimWebSessionF5ASM", - "query": "let DvcActionLookup = datatable (DeviceAction: string, DvcAction: string)\n[\n \"Blocked\", \"Deny\",\n \"blocked\", \"Deny\",\n \"Passed\", \"Allow\",\n \"passed\", \"Allow\",\n \"Alerted\", \"Deny\",\n \"alerted\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let DeviceEventClassIDList = dynamic([\"Brute Force Attack\", \"IP Enforcer Attack\", \"Web Scraping Attack\", \"DoS Attack\"]);\n let AllData = CommonSecurityLog\n | where not(disabled)\n | where 
(isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"F5\"\n and DeviceProduct == \"ASM\"\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or (DeviceEventClassID == Activity)) or (DeviceEventClassID in (DeviceEventClassIDList))\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any)\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename DvcIpAddr = DeviceAddress;\n let GeneralEnforcementData = AllData\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or (DeviceEventClassID == Activity)) and (DeviceEventClassID !in (DeviceEventClassIDList))\n | where (array_length(httpuseragent_has_any) == 0 or DeviceCustomString3 has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(FieldDeviceCustomNumber1) has_any(eventresultdetails_in))\n | extend temp_DstMatch1 = has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch1,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch1,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv DeviceCustomString3 as (Host: string, [\"User-Agent\"]: string, Cookie: string, Referer: string) with (pair_delimiter=\"\\\\r\\\\n\", kv_delimiter=\":\")\n | parse DeviceCustomString3 with * \"HTTP/\" HttpVersion: string \"\\\\r\\\\n\" rest: string\n | extend\n EventResultDetails = tostring(FieldDeviceCustomNumber1)\n | extend\n EventResult = iff(toint(EventResultDetails) >= 400 or DeviceAction =~ \"blocked\", \"Failure\", \"Success\")\n | where eventresult == '*' or EventResult =~ eventresult\n | project-rename \n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n 
EventOriginalUid = ExtID,\n HttpRequestMethod = RequestMethod,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpCookie = Cookie,\n HttpHost = Host,\n HttpReferrer = Referer,\n HttpUserAgent = ['User-Agent'],\n HttpRequestXff = DeviceCustomString5\n | extend\n HttpStatusCode = EventResultDetails,\n AdditionalFields = bag_pack(\n \"Full Request\", DeviceCustomString3,\n \"Attack Type\", DeviceCustomString4,\n \"Policy Apply Date\", DeviceCustomDate1,\n \"Web Application Name\",\n DeviceCustomString2\n ),\n Dst = DstIpAddr;\n let AnomalyDetectionData = AllData\n | where DeviceEventClassID in (DeviceEventClassIDList)\n | where array_length(httpuseragent_has_any) == 0 \n | where array_length(eventresultdetails_in) == 0\n | extend temp_DstMatch2 = has_any_ipv4_prefix(DvcIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch2,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch2,\n \"DstIpAddr\",\n \"No match\"\n ),\n EventResult = iff(DeviceAction =~ \"passed\", \"Success\", \"Failure\")\n | where ASimMatchingIpAddr != \"No match\"\n | where eventresult == '*' or EventResult =~ eventresult\n | extend\n AdditionalFields = bag_pack(\n \"Detection Average\",\n FieldDeviceCustomNumber1,\n \"Dropped Requests\",\n FieldDeviceCustomNumber2,\n \"Attack Status\",\n DeviceCustomString4,\n \"Detection Mode\",\n DeviceCustomString5,\n \"Web Application Name\",\n DeviceCustomString2\n ),\n ThreatId = tostring(FieldDeviceCustomNumber3)\n | project-away ApplicationProtocol, ExtID;\n union GeneralEnforcementData, AnomalyDetectionData\n | lookup DvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = todatetime(ReceiptTime),\n EventOriginalType = iff(isempty(toint(DeviceEventClassID)), DeviceEventClassID, Activity)\n | extend\n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = 
\"HTTPsession\"\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n DvcOriginalAction = DeviceAction,\n Url = RequestURL,\n SrcIpAddr = SourceIP,\n SrcGeoCountry = DeviceCustomString6,\n SrcPortNumber = SourcePort,\n SrcUserId = SourceUserID,\n SrcUsername = SourceUserName,\n EventMessage = Message,\n EventProductVersion = DeviceVersion,\n RuleName = DeviceCustomString1\n | extend \n SrcUserIdType = iff(isnotempty(SrcUserId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n Rule = RuleName\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n IndicatorThreatType,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n ThreatConfidence,\n Reason,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n rest,\n temp_*,\n _ResourceId\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for F5 BIG-IP Application Security Manager (ASM)", + "category": "ASIM", + "FunctionAlias": "vimWebSessionF5ASM", + "query": "let DvcActionLookup = datatable (DeviceAction: string, DvcAction: string)\n[\n \"Blocked\", \"Deny\",\n \"blocked\", \"Deny\",\n \"Passed\", \"Allow\",\n \"passed\", \"Allow\",\n \"Alerted\", \"Deny\",\n \"alerted\", \"Deny\"\n];\nlet EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let DeviceEventClassIDList = dynamic([\"Brute Force Attack\", \"IP Enforcer Attack\", \"Web Scraping Attack\", \"DoS Attack\"]);\n let AllData = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"F5\"\n and DeviceProduct == \"ASM\"\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or (DeviceEventClassID == Activity)) 
or (DeviceEventClassID in (DeviceEventClassIDList))\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any)\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | project-rename DvcIpAddr = DeviceAddress;\n let GeneralEnforcementData = AllData\n | where ((substring(DeviceEventClassID, 0, 1) == \"2\" and strlen(DeviceEventClassID) == 9) or (DeviceEventClassID == Activity)) and (DeviceEventClassID !in (DeviceEventClassIDList))\n | where (array_length(httpuseragent_has_any) == 0 or DeviceCustomString3 has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(FieldDeviceCustomNumber1) has_any(eventresultdetails_in))\n | extend temp_DstMatch1 = has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch1,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch1,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse-kv DeviceCustomString3 as (Host: string, [\"User-Agent\"]: string, Cookie: string, Referer: string) with (pair_delimiter=\"\\\\r\\\\n\", kv_delimiter=\":\")\n | parse DeviceCustomString3 with * \"HTTP/\" HttpVersion: string \"\\\\r\\\\n\" rest: string\n | extend\n EventResultDetails = tostring(FieldDeviceCustomNumber1)\n | extend\n EventResult = iff(toint(EventResultDetails) >= 400 or DeviceAction =~ \"blocked\", \"Failure\", \"Success\")\n | where eventresult == '*' or EventResult =~ eventresult\n | project-rename \n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n EventOriginalUid = ExtID,\n HttpRequestMethod = RequestMethod,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpCookie = Cookie,\n HttpHost = Host,\n HttpReferrer = Referer,\n HttpUserAgent = ['User-Agent'],\n HttpRequestXff = DeviceCustomString5\n | extend\n HttpStatusCode = EventResultDetails,\n 
AdditionalFields = bag_pack(\n \"Full Request\", DeviceCustomString3,\n \"Attack Type\", DeviceCustomString4,\n \"Policy Apply Date\", DeviceCustomDate1,\n \"Web Application Name\",\n DeviceCustomString2\n ),\n Dst = DstIpAddr;\n let AnomalyDetectionData = AllData\n | where DeviceEventClassID in (DeviceEventClassIDList)\n | where array_length(httpuseragent_has_any) == 0 \n | where array_length(eventresultdetails_in) == 0\n | extend temp_DstMatch2 = has_any_ipv4_prefix(DvcIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch2,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch2,\n \"DstIpAddr\",\n \"No match\"\n ),\n EventResult = iff(DeviceAction =~ \"passed\", \"Success\", \"Failure\")\n | where ASimMatchingIpAddr != \"No match\"\n | where eventresult == '*' or EventResult =~ eventresult\n | extend\n AdditionalFields = bag_pack(\n \"Detection Average\",\n FieldDeviceCustomNumber1,\n \"Dropped Requests\",\n FieldDeviceCustomNumber2,\n \"Attack Status\",\n DeviceCustomString4,\n \"Detection Mode\",\n DeviceCustomString5,\n \"Web Application Name\",\n DeviceCustomString2\n ),\n ThreatId = tostring(FieldDeviceCustomNumber3)\n | project-away ApplicationProtocol, ExtID;\n union GeneralEnforcementData, AnomalyDetectionData\n | lookup DvcActionLookup on DeviceAction\n | lookup EventSeverityLookup on LogSeverity\n | extend \n EventStartTime = todatetime(ReceiptTime),\n EventOriginalType = iff(isempty(toint(DeviceEventClassID)), DeviceEventClassID, Activity)\n | extend\n EventCount = int(1),\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-rename \n EventProduct = DeviceProduct,\n EventVendor = DeviceVendor,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n DvcOriginalAction = DeviceAction,\n Url = RequestURL,\n SrcIpAddr = SourceIP,\n SrcGeoCountry = DeviceCustomString6,\n SrcPortNumber = SourcePort,\n 
SrcUserId = SourceUserID,\n SrcUsername = SourceUserName,\n EventMessage = Message,\n EventProductVersion = DeviceVersion,\n RuleName = DeviceCustomString1\n | extend \n SrcUserIdType = iff(isnotempty(SrcUserId), \"Other\", \"\"),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n Rule = RuleName\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n Activity,\n CommunicationDirection,\n Computer,\n EndTime,\n EventOutcome,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n IndicatorThreatType,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ThreatDescription,\n ThreatSeverity,\n ThreatConfidence,\n Reason,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n rest,\n temp_*,\n _ResourceId\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionFortinetFortiGate/vimWebSessionFortinetFortiGate.json b/Parsers/ASimWebSession/ARM/vimWebSessionFortinetFortiGate/vimWebSessionFortinetFortiGate.json index 51c419d55c6..30186ecb1f6 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionFortinetFortiGate/vimWebSessionFortinetFortiGate.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionFortinetFortiGate/vimWebSessionFortinetFortiGate.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionFortinetFortiGate')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionFortinetFortiGate", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Fortinet FortiGate", - "category": "ASIM", - "FunctionAlias": "vimWebSessionFortinetFortiGate", - "query": "let parser=(\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n srcipaddr_has_any_prefix:dynamic = dynamic([]),\n ipaddr_has_any_prefix:dynamic = dynamic([]), \n url_has_any:dynamic = dynamic([]),\n httpuseragent_has_any:dynamic = dynamic([]),\n eventresultdetails_in:dynamic = dynamic([]),\n eventresult:string = '*',\n disabled:bool = false\n){\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = print_0 to typeof(string) on\n ( extend l = substring(l,indexof(l,@'//')+2))\n | project l\n };\n let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\n [\n \"passthrough\",\"Allow\",\"Success\"\n , \"blocked\",\"Deny\",\"Failure\"\n ];\n // -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n 
\"5\", \"Low\", // Error\n \"6\", \"High\", // Critical\n \"7\", \"Medium\", // Alert\n \"8\", \"High\" // Emergency\n ]; \n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where DeviceVendor == \"Fortinet\" \n and DeviceProduct startswith \"Fortigate\"\n and Activity has_all ('webfilter', 'utm')\n | where (array_length(url_has_any) == 0 or RequestURL has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or AdditionalExtensions has_any(httpuseragent_has_any))\n | extend temp_SrcMatch = has_any_ipv4_prefix(SourceIP,src_or_any)\n | extend temp_DstMatch = has_any_ipv4_prefix(DestinationIP,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_DstMatch and temp_SrcMatch, \"Both\",\n temp_SrcMatch , \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend \n EventResultDetails = \"NA\"\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in)) \n | lookup EventLookup on DeviceAction \n | where (eventresult == '*' or EventResult =~ eventresult)\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ASimMatchingIpAddr\n | project-rename \n Url = RequestURL\n , UrlCategory = RequestContext\n , DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , DvcHostname = Computer\n , 
EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n , DstHostname = DestinationHostName\n , SrcHostname = SourceHostName\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | extend \n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long,\n ['ad.referralurl']:string,\n ['ad.httpmethod']:string,\n ['ad.agent']:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\n | project-rename\n HttpReferrer = ['ad.referralurl'],\n HttpRequestMethod = ['ad.httpmethod'],\n HttpUserAgent = ['ad.agent'],\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n RuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | parse AdditionalExtensions with * 
\"Method=\" temp_HttpRequestMethod \"|User-Agent=\" temp_HttpUserAgent \";\" *\n | extend \n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\n | project-away temp_*\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any(httpuseragent_has_any))\n | extend \n EventCount = int(1)\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventType = \"HTTPsession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n , UserAgent = HttpUserAgent\n , Dvc = DvcHostname\n , User = SrcUsername\n , Hostname = DstHostname\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(RuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Fortinet 
FortiGate", + "category": "ASIM", + "FunctionAlias": "vimWebSessionFortinetFortiGate", + "query": "let parser=(\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n srcipaddr_has_any_prefix:dynamic = dynamic([]),\n ipaddr_has_any_prefix:dynamic = dynamic([]), \n url_has_any:dynamic = dynamic([]),\n httpuseragent_has_any:dynamic = dynamic([]),\n eventresultdetails_in:dynamic = dynamic([]),\n eventresult:string = '*',\n disabled:bool = false\n){\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = print_0 to typeof(string) on\n ( extend l = substring(l,indexof(l,@'//')+2))\n | project l\n };\n let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string)\n [\n \"passthrough\",\"Allow\",\"Success\"\n , \"blocked\",\"Deny\",\"Failure\"\n ];\n // -- See https://docs.fortinet.com/document/fortigate/7.2.4/fortios-log-message-reference/671442/cef-priority-levels\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"Informational\", // Debug\n \"2\", \"Informational\", // Information\n \"3\", \"Informational\", // Notification\n \"4\", \"Low\", // Warning\n \"5\", \"Low\", // Error\n \"6\", \"High\", // Critical\n \"7\", \"Medium\", // Alert\n \"8\", \"High\" // Emergency\n ]; \n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) and (isnull(endtime) or TimeGenerated<=endtime)\n | where DeviceVendor == \"Fortinet\" \n and DeviceProduct startswith \"Fortigate\"\n and Activity has_all ('webfilter', 'utm')\n | where (array_length(url_has_any) == 0 or RequestURL has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or AdditionalExtensions has_any(httpuseragent_has_any))\n | extend temp_SrcMatch = has_any_ipv4_prefix(SourceIP,src_or_any)\n | extend temp_DstMatch = 
has_any_ipv4_prefix(DestinationIP,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_DstMatch and temp_SrcMatch, \"Both\",\n temp_SrcMatch , \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend \n EventResultDetails = \"NA\"\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in)) \n | lookup EventLookup on DeviceAction \n | where (eventresult == '*' or EventResult =~ eventresult)\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated, DeviceExternalID, Type, _ItemId, Computer, EventResult, EventResultDetails, DvcAction, RequestURL, RequestContext, DestinationHostName, SourceHostName, SourceUserName, DestinationUserName, ASimMatchingIpAddr\n | project-rename \n Url = RequestURL\n , UrlCategory = RequestContext\n , DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , DvcHostname = Computer\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n , DvcId = DeviceExternalID\n , EventUid = _ItemId\n , DstHostname = DestinationHostName\n , SrcHostname = SourceHostName\n , SrcUsername = SourceUserName\n , DstUsername = DestinationUserName\n | invoke _ASIM_ResolveNetworkProtocol ('Protocol')\n | extend \n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername)\n | project-rename DvcOriginalAction = DeviceAction\n | parse-kv 
AdditionalExtensions as (\n FortinetFortiGatestart:datetime,\n FortinetFortiGatesrcintfrole:string,\n FortinetFortiGatedstintfrole:string,\n FortinetFortiGateexternalID:string,\n FortinetFortiGatepolicyid:int,\n FortinetFortiGatedstcountry:string,\n FortinetFortiGatesrccountry:string,\n FortinetFortiGatecrscore:string,\n FortinetFortiGateduration:int,\n FortinetFortiGatesentpkt:long,\n FortinetFortiGatercvdpkt:long,\n ['ad.referralurl']:string,\n ['ad.httpmethod']:string,\n ['ad.agent']:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | parse AdditionalExtensions with * \"x-forwarded-for=\" HttpRequestXff:string \";\" *\n | project-rename\n HttpReferrer = ['ad.referralurl'],\n HttpRequestMethod = ['ad.httpmethod'],\n HttpUserAgent = ['ad.agent'],\n EventStartTime = FortinetFortiGatestart,\n SrcZone = FortinetFortiGatesrcintfrole,\n DstZone = FortinetFortiGatedstintfrole,\n NetworkSessionId = FortinetFortiGateexternalID,\n RuleNumber = FortinetFortiGatepolicyid,\n NetworkDuration = FortinetFortiGateduration,\n DstGeoCountry = FortinetFortiGatedstcountry,\n SrcGeoCountry = FortinetFortiGatesrccountry,\n ThreatOriginalRiskLevel = FortinetFortiGatecrscore,\n SrcPackets = FortinetFortiGatesentpkt,\n DstPackets = FortinetFortiGatercvdpkt\n | parse AdditionalExtensions with * \"Method=\" temp_HttpRequestMethod \"|User-Agent=\" temp_HttpUserAgent \";\" *\n | extend \n HttpRequestMethod = coalesce(temp_HttpRequestMethod,HttpRequestMethod),\n HttpUserAgent = coalesce(temp_HttpUserAgent,HttpUserAgent)\n | project-away temp_*\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any(httpuseragent_has_any))\n | extend \n EventCount = int(1)\n , EventSchema = \"WebSession\"\n , EventSchemaVersion = \"0.2.6\"\n , EventType = \"HTTPsession\"\n , EventVendor = \"Fortinet\"\n , DvcIdType = \"Other\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , EventStartTime = coalesce(EventStartTime, TimeGenerated)\n , NetworkProtocolVersion 
= case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n , UserAgent = HttpUserAgent\n , Dvc = DvcHostname\n , User = SrcUsername\n , Hostname = DstHostname\n | lookup SeverityLookup on EventOriginalSeverity\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Duration = NetworkDuration,\n Rule = tostring(RuleNumber)\n | project-away Protocol, AdditionalExtensions, NetworkProtocolNumber\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionIIS/vimWebSessionIIS.json b/Parsers/ASimWebSession/ARM/vimWebSessionIIS/vimWebSessionIIS.json index 9cced5a3fae..587f5ac494e 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionIIS/vimWebSessionIIS.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionIIS/vimWebSessionIIS.json 
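Review bot: `remove_protocol_from_list` in the new `query` string mangles any `url_has_any` entry that carries no scheme: `indexof(l,@'//')` returns -1 when `//` is absent, so `substring(l, -1+2)` drops the first character and a filter value like `example.com` becomes `xample.com`, which `RequestURL has_any (...)` then fails to match, so the filtering parser silently returns nothing instead of the intended rows. Guard the strip: `( extend l = iff(indexof(l,@'//') < 0, l, substring(l,indexof(l,@'//')+2)))`. Separately, the IP filter relies on `has_any_ipv4_prefix` over `SourceIP`/`DestinationIP` while the same query derives `NetworkProtocolVersion` as `IPv6` from `DstIpAddr`, so IPv6 sessions can never satisfy a prefix filter; if that is an accepted limitation it deserves a comment next to the `temp_SrcMatch` line. This file looks generated from the parser YAML (the conversion workflow in this change suggests so), so the fix should land in the YAML source rather than in the template.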
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionIIS')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionIIS", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Windows IIS logs", - "category": "ASIM", - "FunctionAlias": "vimWebSessionIIS", - "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n W3CIISLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\")\n | where (eventresult == '*' or EventResult =~ eventresult)\n | where (array_length(url_has_any) == 0 or csUriStem has_any (url_has_any) or csUriQuery has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or csUserAgent has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or scStatus has_any (eventresultdetails_in))\n | extend temp_SrcMatch=has_any_ipv4_prefix(cIP,src_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch, \"Both\",\n temp_SrcMatch, 
\"SrcIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\"),\n EventResultDetails = tostring(scStatus), \n csUriQuery = iff(csUriQuery == \"-\", \"\", csUriQuery),\n csUserName = iff(csUserName == \"-\", \"\", csUserName),\n HttpVersion = iff((csVersion has \"HTTP\"), split(csVersion, \"/\")[1], \"\"), // there is a limited chance that something connects over non-HTTP\n HttpHost = iff (sSiteName in (\"Default Web Site\", \"-\"), \"\", sSiteName)\n | project-rename \n HttpRequestMethod = csMethod,\n User = csUserName, //probably won't have this one often\n Dvc = Computer,\n Dst = sIP,\n Src = cIP,\n UserAgent = csUserAgent,\n ThreatCategory = IndicatorThreatType,\n SrcGeoCountry = RemoteIPCountry,\n SrcGeoLatitude = RemoteIPLatitude,\n SrcGeoLongitude = RemoteIPLongitude,\n ThreatOriginalConfidence = Confidence,\n ThreatIpAddr = MaliciousIP,\n EventReportUrl = ReportReferenceLink,\n EventUid = _ItemId,\n DvcId = _ResourceId\n | extend\n EventOriginalSeverity = tostring(Severity),\n ThreatIsActive = tobool(IsActive),\n ThreatFirstReportedTime = todatetime(FirstReportedDateTime),\n ThreatLastReportedTime = todatetime(LastReportedDateTime),\n SrcUsername = iff ( User == \"-\", \"\", User),\n HttpReferrer = iff ( csReferer == \"-\", \"\", csReferer),\n DvcIdType = \"AzureResourceId\"\n | project-away IsActive, FirstReportedDateTime, LastReportedDateTime, Severity, sSiteName\n | extend \n SrcUsernameType = _ASIM_GetUsernameType (SrcUsername),\n DstNatIpAddr = iff(csHost <> \"\", Dst, \"\"),\n EventType = 'WebServerSession', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'WebSession', \n EventProduct = 'IIS',\n DvcOs = 'Windows',\n EventCount = int(1),\n SrcIpAddr = Src,\n IpAddr = Src,\n HttpUserAgent = UserAgent,\n HttpStatusCode = tostring(EventResultDetails),\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 
1ms)), // TimeTaken field is in Milliseconds \n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\n Url = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\n sPort = tostring(sPort),\n HttpHost = iff ( HttpHost == \"-\", \"\", HttpHost),\n csHost = iff ( csHost == \"-\", \"\", csHost), //remove empty values\n EventOriginalResultDetails = iff(scSubStatus <> \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\n | extend \n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\n | extend \n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\n | project-away ipv4_parts, ipv6_parts, host_parts \n | extend\n DstHostname = HttpHost,\n Hostname = HttpHost\n | extend \n ThreatField = case(\n ThreatIpAddr <> \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\n ,ThreatIpAddr <> \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\n ,\"\")\n | project-away \n AdditionalInformation,\n AzureDeploymentID,\n Date,\n Description,\n DvcOs,\n FileOffset,\n FileUri,\n MG, \n ManagementGroupName,\n Role*,\n sComputerName,\n SourceSystem,\n TLPLevel,\n TenantId,\n TimeTaken,\n Time,\n cs*,\n sPort,\n sc*,\n StorageAccount\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Windows IIS logs", + "category": "ASIM", + "FunctionAlias": "vimWebSessionIIS", + "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n W3CIISLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\")\n | where (eventresult == '*' or EventResult =~ eventresult)\n | where (array_length(url_has_any) == 0 or csUriStem has_any (url_has_any) or csUriQuery has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or csUserAgent has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or scStatus has_any (eventresultdetails_in))\n | extend temp_SrcMatch=has_any_ipv4_prefix(cIP,src_or_any)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend\n EventResult = iff ( toint(scStatus) < 400, \"Success\", \"Failure\"),\n EventResultDetails = tostring(scStatus), \n csUriQuery = iff(csUriQuery == \"-\", 
\"\", csUriQuery),\n csUserName = iff(csUserName == \"-\", \"\", csUserName),\n HttpVersion = iff((csVersion has \"HTTP\"), split(csVersion, \"/\")[1], \"\"), // there is a limited chance that something connects over non-HTTP\n HttpHost = iff (sSiteName in (\"Default Web Site\", \"-\"), \"\", sSiteName)\n | project-rename \n HttpRequestMethod = csMethod,\n User = csUserName, //probably won't have this one often\n Dvc = Computer,\n Dst = sIP,\n Src = cIP,\n UserAgent = csUserAgent,\n ThreatCategory = IndicatorThreatType,\n SrcGeoCountry = RemoteIPCountry,\n SrcGeoLatitude = RemoteIPLatitude,\n SrcGeoLongitude = RemoteIPLongitude,\n ThreatOriginalConfidence = Confidence,\n ThreatIpAddr = MaliciousIP,\n EventReportUrl = ReportReferenceLink,\n EventUid = _ItemId,\n DvcId = _ResourceId\n | extend\n EventOriginalSeverity = tostring(Severity),\n ThreatIsActive = tobool(IsActive),\n ThreatFirstReportedTime = todatetime(FirstReportedDateTime),\n ThreatLastReportedTime = todatetime(LastReportedDateTime),\n SrcUsername = iff ( User == \"-\", \"\", User),\n HttpReferrer = iff ( csReferer == \"-\", \"\", csReferer),\n DvcIdType = \"AzureResourceId\"\n | project-away IsActive, FirstReportedDateTime, LastReportedDateTime, Severity, sSiteName\n | extend \n SrcUsernameType = _ASIM_GetUsernameType (SrcUsername),\n DstNatIpAddr = iff(csHost <> \"\", Dst, \"\"),\n EventType = 'WebServerSession', \n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'WebSession', \n EventProduct = 'IIS',\n DvcOs = 'Windows',\n EventCount = int(1),\n SrcIpAddr = Src,\n IpAddr = Src,\n HttpUserAgent = UserAgent,\n HttpStatusCode = tostring(EventResultDetails),\n EventStartTime = ( (TimeGenerated) - (TimeTaken * 1ms)), // TimeTaken field is in Milliseconds \n EventEndTime = TimeGenerated,\n EventSeverity = iff(EventResult == \"Success\", \"Low\", \"Informational\"),\n Url = iff(csUriQuery == \"\", csUriStem, strcat(csUriStem,\"?\",csUriQuery)),\n sPort = tostring(sPort),\n HttpHost 
= iff ( HttpHost == \"-\", \"\", HttpHost),\n csHost = iff ( csHost == \"-\", \"\", csHost), //remove empty values\n EventOriginalResultDetails = iff(scSubStatus <> \"0\", strcat (scStatus, \".\", scSubStatus), scStatus)\n | extend \n ipv6_parts = extract_all (@'^\\[(.+)\\](?:\\:(\\d+))?$',csHost)[0],\n ipv4_parts = extract_all (@'^(\\d+\\.\\d+\\.\\d+\\.\\d+)(?:\\:(\\d+))?$',csHost)[0],\n host_parts = extract_all (@'^([^\\\\\\d:]+)(?:\\:(\\d+))?$',csHost)[0]\n | extend \n DstIpAddr = tostring(coalesce(ipv4_parts[0], ipv6_parts[0])),\n DstPortNumber = toint(coalesce(ipv4_parts[1], ipv6_parts[1], host_parts[1])),\n HttpHost = tostring(coalesce(host_parts[0], HttpHost))\n | project-away ipv4_parts, ipv6_parts, host_parts \n | extend\n DstHostname = HttpHost,\n Hostname = HttpHost\n | extend \n ThreatField = case(\n ThreatIpAddr <> \"\" and ThreatIpAddr == SrcIpAddr, \"SrcIpAddr\"\n ,ThreatIpAddr <> \"\" and ThreatIpAddr == DstIpAddr, \"DstIpAddr\"\n ,\"\")\n | project-away \n AdditionalInformation,\n AzureDeploymentID,\n Date,\n Description,\n DvcOs,\n FileOffset,\n FileUri,\n MG, \n ManagementGroupName,\n Role*,\n sComputerName,\n SourceSystem,\n TLPLevel,\n TenantId,\n TimeTaken,\n Time,\n cs*,\n sPort,\n sc*,\n StorageAccount\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} 
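Review bot: The `ASimMatchingIpAddr` case in the new `query` string reports every client-IP match as `"Both"` — the branch `temp_SrcMatch, "Both"` comes before `temp_SrcMatch, "SrcIpAddr"`, so the latter is unreachable — while nothing on the server side is tested at all: only `cIP` is checked, so `ipaddr_has_any_prefix` never matches the server address (`sIP`, which the parser later exposes as `Dst`/`DstNatIpAddr`). Callers that branch on `ASimMatchingIpAddr == "Both"` or expect `"DstIpAddr"` will be misled. At minimum drop the `"Both"` branch so a client match reports `"SrcIpAddr"`; if the destination is meant to be filterable, add `temp_DstMatch=has_any_ipv4_prefix(sIP,ipaddr_has_any_prefix)` and the four-way `Both`/`SrcIpAddr`/`DstIpAddr`/`No match` case the FortiGate and Native parsers use. This file appears to be generated from the parser YAML, so the change belongs in that source.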
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionNative/vimWebSessionNative.json b/Parsers/ASimWebSession/ARM/vimWebSessionNative/vimWebSessionNative.json index 03ecedc3989..880f43b1375 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionNative/vimWebSessionNative.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionNative/vimWebSessionNative.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionNative')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionNative", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Microsoft Sentinel native Network Session table", - "category": "ASIM", - "FunctionAlias": "vimWebSessionNative", - "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n ASimWebSessionLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or Url has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch and 
temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n // \n // -- Schema fixed\n | extend\n FileSize = tolong(FileSize)\n //\n // -- Log Analytics global fields renaming\n | project-rename\n EventUid = _ItemId,\n DvcScopeId = _SubscriptionId\n //\n // -- ASIM Global fields\n | extend \n EventSchema = \"WebSession\"\n | extend\n //\n // -- Default values\n EventEndTime = coalesce (EventEndTime, TimeGenerated),\n EventStartTime = coalesce (EventStartTime, TimeGenerated),\n //\n // -- Multi-source aliases\n Dvc = iff (EventType == 'HTTPSession',\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DstFQDN, DstHostname, DvcIpAddr, DstIpAddr, DvcId, DstDvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n //\n // -- Aliases which depend on EventType\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n //\n // -- Simple aliases\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent\n // --\n // -- Aliased fields not implemented in ASimWebSessionLogs yet \n //InnerVlanId = SrcVlanId,\n //OuterVlanId = DstVlanId,\n //DvcInterface = coalesce(DvcInterface, DvcInboundInterface, DvcOutboundInterface), \n | project-away\n TenantId, SourceSystem, _ResourceId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Microsoft Sentinel native Network Session table", + "category": "ASIM", + "FunctionAlias": "vimWebSessionNative", + "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n ASimWebSessionLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or Url has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or HttpUserAgent has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(DstIpAddr,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n 
temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n // \n // -- Schema fixed\n | extend\n FileSize = tolong(FileSize)\n //\n // -- Log Analytics global fields renaming\n | project-rename\n EventUid = _ItemId,\n DvcScopeId = _SubscriptionId\n //\n // -- ASIM Global fields\n | extend \n EventSchema = \"WebSession\"\n | extend\n //\n // -- Default values\n EventEndTime = coalesce (EventEndTime, TimeGenerated),\n EventStartTime = coalesce (EventStartTime, TimeGenerated),\n //\n // -- Multi-source aliases\n Dvc = iff (EventType == 'HTTPSession',\n coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n coalesce (DvcFQDN, DvcHostname, DstFQDN, DstHostname, DvcIpAddr, DstIpAddr, DvcId, DstDvcId, DstMacAddr, _ResourceId, strcat (EventVendor,'/', EventProduct))\n ),\n Dst = coalesce (DstFQDN, DstHostname, DstIpAddr, DstDvcId),\n Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n //\n // -- Aliases which depend on EventType\n Hostname = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), SrcHostname, DstHostname),\n IpAddr = iff (EventType == \"EndpointNetworkSession\" and NetworkDirection == (\"Inbound\"), DstIpAddr, SrcIpAddr),\n //\n // -- Simple aliases\n Duration = NetworkDuration,\n SessionId = NetworkSessionId,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n UserAgent = HttpUserAgent\n // --\n // -- Aliased fields not implemented in ASimWebSessionLogs yet \n //InnerVlanId = SrcVlanId,\n //OuterVlanId = DstVlanId,\n //DvcInterface = coalesce(DvcInterface, DvcInboundInterface, DvcOutboundInterface), \n | project-away\n TenantId, SourceSystem, _ResourceId\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, 
url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCEF/vimWebSessionPaloAltoCEF.json b/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCEF/vimWebSessionPaloAltoCEF.json index 7d190d66406..dd1db72314a 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCEF/vimWebSessionPaloAltoCEF.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCEF/vimWebSessionPaloAltoCEF.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionPaloAltoCEF')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionPaloAltoCEF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM Filtering parser for Palo Alto Networks URL Filtering", - "category": "ASIM", - "FunctionAlias": "vimWebSessionPaloAltoCEF", - "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let EventLookup=datatable(DeviceAction:string, DvcAction:string,EventResult:string,HttpStatusCode:string)\n [\n \"alert\", \"Allow\", \"Success\",\"200\",\n \"allow\", \"Allow\", \"Success\", \"200\",\n \"continue\", \"Allow\", \"Success\", \"200\",\n \"override\", \"Allow\", \"Success\", \"200\",\n \"block-continue\", \"Allow\", \"Partial\", \"200\",\n \"block-url\", \"Deny\", \"Failure\", \"503\",\n \"block-override\", \"Deny\", \"Failure\", \"302\",\n \"override-lockout\", \"Deny\", \"Failure\",\"503\",\n \"reset client\", \"Reset Source\", \"Failure\", \"503\",\n \"reset server\", \"Reset Destination\", \"Failure\", \"503\",\n \"reset both\", \"Reset\", \"Failure\", \"503\",\n \"deny\", \"Deny\", \"Failure\", 
\"503\",\n \"drop\", \"Drop\", \"Failure\", \"503\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\", \"503\"\n ];\n let SeverityLookup=datatable(LogSeverity:string,EventSeverity:string)\n [ \n 1, \"Informational\", \n 2, \"Low\",\n 3, \"Medium\",\n 4, \"Medium\", \n 5, \"High\"\n ];\n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") )\n | project l\n };\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and Activity == \"THREAT\"\n and DeviceEventClassID == \"url\"\n | where (array_length(url_has_any) == 0 or RequestURL has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n | extend temp_SrcMatch = has_any_ipv4_prefix(SourceIP,src_or_any)\n | extend temp_DstMatch = has_any_ipv4_prefix(DestinationIP,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_DstMatch and temp_SrcMatch, \"Both\",\n temp_SrcMatch , \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResultDetails = \"NA\"\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))\n | lookup EventLookup on DeviceAction\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup SeverityLookup on LogSeverity\n | parse-kv AdditionalExtensions as (\n PanOSXForwarderfor:string,\n PanXFFIP:string,\n PanOSReferer:string,\n PanOSRuleUUID:string,\n PanSrcHostname:string,\n PanSrcMac:string,\n PanSrcDeviceCat:string,\n PanSrcDAG:string,\n PanOSSrcUUID:string,\n 
PanSrcDeviceProf:string,\n PanSrcDeviceModel:string,\n PanSrcDeviceVendor:string,\n PanSrcDeviceOS:string,\n PanSrcDeviceOSv:string,\n PanDstHostname:string,\n PanDstMac:string,\n PanDstDeviceCat:string,\n PanDstDAG:string,\n PanOSDstUUID:string,\n PanDstDeviceProf:string,\n PanDstDeviceModel:string,\n PanDstDeviceVendor:string,\n PanDstDeviceOS:string,\n PanDstDeviceOSv:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend \n HttpRequestXff = coalesce(PanOSXForwarderfor, PanXFFIP)\n | project-rename \n DvcHostname = Computer,\n HttpReferrer = PanOSReferer,\n DstMacAddr = PanDstMac,\n SrcMacAddr = PanSrcMac,\n DstHostname = PanDstHostname,\n SrcHostname = PanSrcHostname,\n DvcId = DeviceExternalID,\n SrcZone = DeviceCustomString4,\n DstZone = DeviceCustomString5,\n UrlCategory = DeviceCustomString2,\n DvcOriginalAction = DeviceAction,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n NetworkRuleName = DeviceCustomString1,\n ThreatOriginalConfidence = ThreatConfidence,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n HttpUserAgent = RequestClientApplication\n | extend\n Dvc = DvcHostname,\n DvcIdType = \"Other\",\n EventType = \"HTTPsession\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.5\",\n EventVendor = \"Palo Alto\",\n EventProduct = \"PanOS\",\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n HttpRequestMethod = toupper(RequestMethod),\n HttpContentFormat = RequestContext,\n DstDomainType = \"FQDN\",\n Src = SrcIpAddr,\n SrcUsernameType = 
case(isempty(SrcUsername), \"\", \n \"Windows\"),\n DstUsernameType = case(isempty(DstUsername), \"\", \n \"Windows\"),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\" , \"IPv4\",\n DstIpAddr contains \":\" , \"IPv6\",\n \"\"),\n NetworkDirection = case(\n FlexString2 == \"client-to-server\", \"Outbound\",\n FlexString2 == \"server-to-client\", \"Inbound\",\n \"\"),\n IpAddr = SrcIpAddr,\n NetworkProtocol = toupper(Protocol),\n User = SrcUsername,\n Rule = NetworkRuleName,\n NetworkSessionId = tostring(DeviceCustomNumber1),\n DvcInterface = DvcInboundInterface,\n Hostname = DstHostname,\n Url = trim('\"', RequestURL),\n UserAgent = HttpUserAgent\n | extend\n DstFQDN = iif(Url contains \":\", split(Url, \":\")[0], split(Url, \"/\")[0]),\n SessionId = NetworkSessionId,\n ThreatField = case(\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\",\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\",\n \"\")\n | extend \n ThreatIpAddr = case(\n ThreatField == \"SrcIpAddr\", SrcIpAddr,\n ThreatField == \"DstIpAddr\", DstIpAddr,\n \"\"),\n Dst = DstFQDN\n | project ASimMatchingIpAddr, DeviceVendor, Dst, DstDomainType, DstFQDN, DstHostname, DstIpAddr, DstMacAddr, DstNatIpAddr, DstNatPortNumber, DstPortNumber, DstUsername, DstUsernameType, DstZone, Dvc, DvcAction, DvcHostname, DvcId, DvcIdType, DvcInboundInterface, DvcInterface, DvcOriginalAction, DvcOutboundInterface, EventCount, EventEndTime, EventOriginalSeverity, EventProduct, EventProductVersion, EventResult, EventResultDetails, EventSchema, EventSchemaVersion, EventSeverity, EventStartTime, EventType, EventUid, EventVendor, Hostname, HttpContentFormat, HttpRequestMethod, HttpRequestXff, HttpStatusCode, IpAddr, NetworkDirection, NetworkProtocol, NetworkProtocolVersion, NetworkRuleName, NetworkSessionId, Protocol, RequestContext, Rule, SessionId, Src, SrcHostname, SrcIpAddr, SrcMacAddr, SrcNatIpAddr, SrcNatPortNumber, SrcPortNumber, 
SrcUsername, SrcUsernameType, SrcZone, ThreatField, ThreatIpAddr, ThreatOriginalConfidence, TimeGenerated, Type, Url, UrlCategory, User, HttpUserAgent, UserAgent\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM Filtering parser for Palo Alto Networks URL Filtering", + "category": "ASIM", + "FunctionAlias": "vimWebSessionPaloAltoCEF", + "query": "let parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n)\n{\n let src_or_any = set_union(\n srcipaddr_has_any_prefix,\n ipaddr_has_any_prefix\n ); \n let EventLookup=datatable(DeviceAction:string, DvcAction:string,EventResult:string,HttpStatusCode:string)\n [\n \"alert\", \"Allow\", \"Success\",\"200\",\n \"allow\", \"Allow\", \"Success\", \"200\",\n \"continue\", \"Allow\", \"Success\", \"200\",\n \"override\", \"Allow\", \"Success\", \"200\",\n \"block-continue\", \"Allow\", \"Partial\", \"200\",\n \"block-url\", \"Deny\", \"Failure\", \"503\",\n \"block-override\", \"Deny\", \"Failure\", \"302\",\n \"override-lockout\", \"Deny\", 
\"Failure\",\"503\",\n \"reset client\", \"Reset Source\", \"Failure\", \"503\",\n \"reset server\", \"Reset Destination\", \"Failure\", \"503\",\n \"reset both\", \"Reset\", \"Failure\", \"503\",\n \"deny\", \"Deny\", \"Failure\", \"503\",\n \"drop\", \"Drop\", \"Failure\", \"503\",\n \"drop ICMP\", \"Drop ICMP\", \"Failure\", \"503\"\n ];\n let SeverityLookup=datatable(LogSeverity:string,EventSeverity:string)\n [ \n 1, \"Informational\", \n 2, \"Low\",\n 3, \"Medium\",\n 4, \"Medium\", \n 5, \"High\"\n ];\n let remove_protocol_from_list = (list:dynamic)\n {\n print list\n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") )\n | project l\n };\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and Activity == \"THREAT\"\n and DeviceEventClassID == \"url\"\n | where (array_length(url_has_any) == 0 or RequestURL has_any (remove_protocol_from_list(url_has_any)))\n | where (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n | extend temp_SrcMatch = has_any_ipv4_prefix(SourceIP,src_or_any)\n | extend temp_DstMatch = has_any_ipv4_prefix(DestinationIP,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0, \"-\",\n temp_DstMatch and temp_SrcMatch, \"Both\",\n temp_SrcMatch , \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\") \n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResultDetails = \"NA\"\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))\n | lookup EventLookup on DeviceAction\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup SeverityLookup on LogSeverity\n | parse-kv AdditionalExtensions as (\n 
PanOSXForwarderfor:string,\n PanXFFIP:string,\n PanOSReferer:string,\n PanOSRuleUUID:string,\n PanSrcHostname:string,\n PanSrcMac:string,\n PanSrcDeviceCat:string,\n PanSrcDAG:string,\n PanOSSrcUUID:string,\n PanSrcDeviceProf:string,\n PanSrcDeviceModel:string,\n PanSrcDeviceVendor:string,\n PanSrcDeviceOS:string,\n PanSrcDeviceOSv:string,\n PanDstHostname:string,\n PanDstMac:string,\n PanDstDeviceCat:string,\n PanDstDAG:string,\n PanOSDstUUID:string,\n PanDstDeviceProf:string,\n PanDstDeviceModel:string,\n PanDstDeviceVendor:string,\n PanDstDeviceOS:string,\n PanDstDeviceOSv:string\n ) with (pair_delimiter=';', kv_delimiter='=')\n | extend \n HttpRequestXff = coalesce(PanOSXForwarderfor, PanXFFIP)\n | project-rename \n DvcHostname = Computer,\n HttpReferrer = PanOSReferer,\n DstMacAddr = PanDstMac,\n SrcMacAddr = PanSrcMac,\n DstHostname = PanDstHostname,\n SrcHostname = PanSrcHostname,\n DvcId = DeviceExternalID,\n SrcZone = DeviceCustomString4,\n DstZone = DeviceCustomString5,\n UrlCategory = DeviceCustomString2,\n DvcOriginalAction = DeviceAction,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventProductVersion = DeviceVersion,\n DvcInboundInterface = DeviceInboundInterface,\n DvcOutboundInterface = DeviceOutboundInterface,\n DstIpAddr = DestinationIP,\n DstPortNumber = DestinationPort,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n NetworkRuleName = DeviceCustomString1,\n ThreatOriginalConfidence = ThreatConfidence,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n HttpUserAgent = RequestClientApplication\n | extend\n Dvc = DvcHostname,\n DvcIdType = \"Other\",\n EventType = \"HTTPsession\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.5\",\n EventVendor = \"Palo Alto\",\n EventProduct = \"PanOS\",\n EventStartTime = 
TimeGenerated,\n EventEndTime = TimeGenerated,\n HttpRequestMethod = toupper(RequestMethod),\n HttpContentFormat = RequestContext,\n DstDomainType = \"FQDN\",\n Src = SrcIpAddr,\n SrcUsernameType = case(isempty(SrcUsername), \"\", \n \"Windows\"),\n DstUsernameType = case(isempty(DstUsername), \"\", \n \"Windows\"),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\" , \"IPv4\",\n DstIpAddr contains \":\" , \"IPv6\",\n \"\"),\n NetworkDirection = case(\n FlexString2 == \"client-to-server\", \"Outbound\",\n FlexString2 == \"server-to-client\", \"Inbound\",\n \"\"),\n IpAddr = SrcIpAddr,\n NetworkProtocol = toupper(Protocol),\n User = SrcUsername,\n Rule = NetworkRuleName,\n NetworkSessionId = tostring(DeviceCustomNumber1),\n DvcInterface = DvcInboundInterface,\n Hostname = DstHostname,\n Url = trim('\"', RequestURL),\n UserAgent = HttpUserAgent\n | extend\n DstFQDN = iif(Url contains \":\", split(Url, \":\")[0], split(Url, \"/\")[0]),\n SessionId = NetworkSessionId,\n ThreatField = case(\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\",\n isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\",\n \"\")\n | extend \n ThreatIpAddr = case(\n ThreatField == \"SrcIpAddr\", SrcIpAddr,\n ThreatField == \"DstIpAddr\", DstIpAddr,\n \"\"),\n Dst = DstFQDN\n | project ASimMatchingIpAddr, DeviceVendor, Dst, DstDomainType, DstFQDN, DstHostname, DstIpAddr, DstMacAddr, DstNatIpAddr, DstNatPortNumber, DstPortNumber, DstUsername, DstUsernameType, DstZone, Dvc, DvcAction, DvcHostname, DvcId, DvcIdType, DvcInboundInterface, DvcInterface, DvcOriginalAction, DvcOutboundInterface, EventCount, EventEndTime, EventOriginalSeverity, EventProduct, EventProductVersion, EventResult, EventResultDetails, EventSchema, EventSchemaVersion, EventSeverity, EventStartTime, EventType, EventUid, EventVendor, Hostname, HttpContentFormat, HttpRequestMethod, HttpRequestXff, HttpStatusCode, IpAddr, NetworkDirection, 
NetworkProtocol, NetworkProtocolVersion, NetworkRuleName, NetworkSessionId, Protocol, RequestContext, Rule, SessionId, Src, SrcHostname, SrcIpAddr, SrcMacAddr, SrcNatIpAddr, SrcNatPortNumber, SrcPortNumber, SrcUsername, SrcUsernameType, SrcZone, ThreatField, ThreatIpAddr, ThreatOriginalConfidence, TimeGenerated, Type, Url, UrlCategory, User, HttpUserAgent, UserAgent\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCortexDataLake/vimWebSessionPaloAltoCortexDataLake.json b/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCortexDataLake/vimWebSessionPaloAltoCortexDataLake.json index 773b702776d..0a7b5e52a65 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCortexDataLake/vimWebSessionPaloAltoCortexDataLake.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionPaloAltoCortexDataLake/vimWebSessionPaloAltoCortexDataLake.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionPaloAltoCortexDataLake')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionPaloAltoCortexDataLake", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM parser for Palo Alto Cortex Data Lake", - "category": "ASIM", - "FunctionAlias": "vimWebSessionPaloAltoCortexDataLake", - "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventLookup=datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"alert\", \"Allow\", \"Success\",\n \"continue\", \"Allow\", \"Success\",\n \"override\", \"Allow\", \"Success\",\n \"block-continue\", \"Allow\", \"Partial\",\n \"block-url\", \"Deny\", \"Failure\",\n \"block-override\", \"Deny\", \"Failure\",\n \"override-lockout\", \"Deny\", \"Failure\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = 
dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"THREAT\" and Activity == \"url\"\n and (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n and array_length(eventresultdetails_in) == 0\n and (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | parse-kv AdditionalExtensions as (PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSDestinationDeviceMac: string, PanOSSourceUUID: string, PanOSSourceDeviceMac: string, PanOSReferer: string, PanOSIsClienttoServer: string, PanOSSourceDeviceHost: string, PanOSDestinationDeviceHost: string, start: string, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, PanOSApplicationTechnology: string, PanOSDestinationDeviceOS: string, PanOSDestinationDeviceOSFamily: string, PanOSDestinationDeviceOSVersion: string, PanOSHostID: string, PanOSHTTPHeaders: string, PanOSInlineMLVerdict: string, PanOSInboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsType: string, PanOSParentSessionID: string, PanOSContainerName: string, PanOSContainerNameSpace: string, PanOSHTTPRefererFQDN: string, PanOSHTTPRefererPort: string, PanOSHTTPRefererProtocol: string, PanOSHTTPRefererURLPath: string, PanOSRuleUUID: string, PanOSURLCategoryList: string, PanOSURLDomain: string, PanOSURLCounter: string, PanOSUsers: string, PanOSVendorSeverity: string, [\"PanOSX-Forwarded-For\"]: string, [\"PanOSX-Forwarded-ForIP\"]: string, PanOSIsSaaSApplication: string, PanOSLogSource: string, PanOSSourceLocation: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string) with 
(pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventLookup on DeviceAction\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address2, SourceIP), src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address3, DestinationIP), ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(coalesce(start, ReceiptTime)),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n HttpRequestMethod = toupper(RequestMethod),\n NetworkProtocol = toupper(Protocol),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"DirectionOfAttack\",\n FlexString2,\n \"VirtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSApplicationTechnology\",\n PanOSApplicationTechnology,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSHostID\",\n PanOSHostID,\n \"PanOSHTTPHeaders\",\n PanOSHTTPHeaders,\n \"PanOSInlineMLVerdict\",\n PanOSInlineMLVerdict,\n 
\"PanOSInboundInterfaceDetailsType\",\n PanOSInboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOSContainerName\",\n PanOSContainerName,\n \"PanOSContainerNameSpace\",\n PanOSContainerNameSpace,\n \"PanOSHTTPRefererFQDN\",\n PanOSHTTPRefererFQDN,\n \"PanOSHTTPRefererPort\",\n PanOSHTTPRefererPort,\n \"PanOSHTTPRefererProtocol\",\n PanOSHTTPRefererProtocol,\n \"PanOSHTTPRefererURLPath\",\n PanOSHTTPRefererURLPath,\n \"PanOSRuleUUID\",\n PanOSRuleUUID,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSURLCategoryList\",\n PanOSURLCategoryList,\n \"PanOSURLDomain\",\n PanOSURLDomain,\n \"PanOSURLCounter\",\n PanOSURLCounter,\n \"PanOSUsers\",\n PanOSUsers,\n \"PanOSVendorSeverity\",\n PanOSVendorSeverity,\n \"PanOSX-Forwarded-For\",\n [\"PanOSX-Forwarded-For\"],\n \"PanOSX-Forwarded-ForIP\",\n [\"PanOSX-Forwarded-ForIP\"],\n \"PanOSLogSource\",\n PanOSLogSource\n ),\n HttpContentType = RequestContext\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DstZone = DeviceCustomString5,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n HttpContentFormat = RequestContext,\n HttpReferrer = PanOSReferer,\n RuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = 
SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n Url = RequestURL,\n UrlCategory = DeviceCustomString2,\n EventOriginalSubType = Activity,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcInboundInterface = DeviceInboundInterface,\n DstUserId = DestinationUserID,\n SrcUserId = SourceUserID,\n EventOwner = PanOSLogSource,\n HttpUserAgent = RequestClientApplication,\n SrcGeoCountry = PanOSSourceLocation,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dst = coalesce(DstFQDN, DstDvcId, DstHostname, DstIpAddr),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = coalesce(SrcFQDN, SrcDvcId, SrcHostname, SrcIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", \"Outbound\", \"Inbound\"),\n Rule = RuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n DstUserType = _ASIM_GetUserType(DstUsername, DstUserId),\n User = SrcUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and 
PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n Protocol,\n temp*,\n ExternalID,\n Message,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "vimWebSessionPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", 
\"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet EventLookup=datatable(\n DeviceAction: string,\n DvcAction: string,\n EventResult: string\n)\n [\n \"alert\", \"Allow\", \"Success\",\n \"continue\", \"Allow\", \"Success\",\n \"override\", \"Allow\", \"Success\",\n \"block-continue\", \"Allow\", \"Partial\",\n \"block-url\", \"Deny\", \"Failure\",\n \"block-override\", \"Deny\", \"Failure\",\n \"override-lockout\", \"Deny\", \"Failure\",\n];\nlet ThreatRiskLevelLookup = datatable(PanOSApplicationRisk: string, ThreatRiskLevel: int)\n [\n \"1\", 20,\n \"2\", 40,\n \"3\", 60,\n \"4\", 80,\n \"5\", 100\n];\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n ipaddr_has_any_prefix: dynamic=dynamic([]),\n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"THREAT\" and Activity == \"url\"\n and (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n and array_length(eventresultdetails_in) == 0\n and (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | parse-kv AdditionalExtensions as (PanOSDestinationUUID: string, PanOSDestinationLocation: string, PanOSDestinationDeviceMac: string, PanOSSourceUUID: string, PanOSSourceDeviceMac: string, PanOSReferer: string, PanOSIsClienttoServer: string, PanOSSourceDeviceHost: string, PanOSDestinationDeviceHost: string, start: string, PanOSApplicationCategory: string, PanOSApplicationSubcategory: string, 
PanOSApplicationTechnology: string, PanOSDestinationDeviceOS: string, PanOSDestinationDeviceOSFamily: string, PanOSDestinationDeviceOSVersion: string, PanOSHostID: string, PanOSHTTPHeaders: string, PanOSInlineMLVerdict: string, PanOSInboundInterfaceDetailsType: string, PanOSOutboundInterfaceDetailsType: string, PanOSParentSessionID: string, PanOSContainerName: string, PanOSContainerNameSpace: string, PanOSHTTPRefererFQDN: string, PanOSHTTPRefererPort: string, PanOSHTTPRefererProtocol: string, PanOSHTTPRefererURLPath: string, PanOSRuleUUID: string, PanOSURLCategoryList: string, PanOSURLDomain: string, PanOSURLCounter: string, PanOSUsers: string, PanOSVendorSeverity: string, [\"PanOSX-Forwarded-For\"]: string, [\"PanOSX-Forwarded-ForIP\"]: string, PanOSIsSaaSApplication: string, PanOSLogSource: string, PanOSSourceLocation: string, PanOSCortexDataLakeTenantID: string, PanOSApplicationRisk: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | lookup EventLookup on DeviceAction\n | where (eventresult == '*' or EventResult =~ eventresult)\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address2, SourceIP), src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(coalesce(DeviceCustomIPv6Address3, DestinationIP), ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | invoke _ASIM_ResolveDstFQDN('PanOSDestinationDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | lookup ThreatRiskLevelLookup on PanOSApplicationRisk\n | extend\n EventStartTime = todatetime(coalesce(start, ReceiptTime)),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n DstIpAddr = coalesce(DestinationIP, 
DeviceCustomIPv6Address3),\n HttpRequestMethod = toupper(RequestMethod),\n NetworkProtocol = toupper(Protocol),\n NetworkSessionId = tostring(FieldDeviceCustomNumber1),\n SrcDomain = coalesce(SourceNTDomain, SrcDomain),\n DstDomain = coalesce(DestinationNTDomain, DstDomain),\n AdditionalFields = bag_pack(\n \"DirectionOfAttack\",\n FlexString2,\n \"VirtualLocation\",\n DeviceCustomString3,\n \"PanOSApplicationCategory\",\n PanOSApplicationCategory,\n \"PanOSApplicationSubcategory\",\n PanOSApplicationSubcategory,\n \"PanOSApplicationTechnology\",\n PanOSApplicationTechnology,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSHostID\",\n PanOSHostID,\n \"PanOSHTTPHeaders\",\n PanOSHTTPHeaders,\n \"PanOSInlineMLVerdict\",\n PanOSInlineMLVerdict,\n \"PanOSInboundInterfaceDetailsType\",\n PanOSInboundInterfaceDetailsType,\n \"PanOSOutboundInterfaceDetailsType\",\n PanOSOutboundInterfaceDetailsType,\n \"PanOSParentSessionID\",\n PanOSParentSessionID,\n \"PanOSContainerName\",\n PanOSContainerName,\n \"PanOSContainerNameSpace\",\n PanOSContainerNameSpace,\n \"PanOSHTTPRefererFQDN\",\n PanOSHTTPRefererFQDN,\n \"PanOSHTTPRefererPort\",\n PanOSHTTPRefererPort,\n \"PanOSHTTPRefererProtocol\",\n PanOSHTTPRefererProtocol,\n \"PanOSHTTPRefererURLPath\",\n PanOSHTTPRefererURLPath,\n \"PanOSRuleUUID\",\n PanOSRuleUUID,\n \"PanOSDestinationDeviceOS\",\n PanOSDestinationDeviceOS,\n \"PanOSDestinationDeviceOSFamily\",\n PanOSDestinationDeviceOSFamily,\n \"PanOSDestinationDeviceOSVersion\",\n PanOSDestinationDeviceOSVersion,\n \"PanOSURLCategoryList\",\n PanOSURLCategoryList,\n \"PanOSURLDomain\",\n PanOSURLDomain,\n \"PanOSURLCounter\",\n PanOSURLCounter,\n \"PanOSUsers\",\n PanOSUsers,\n \"PanOSVendorSeverity\",\n PanOSVendorSeverity,\n \"PanOSX-Forwarded-For\",\n [\"PanOSX-Forwarded-For\"],\n 
\"PanOSX-Forwarded-ForIP\",\n [\"PanOSX-Forwarded-ForIP\"],\n \"PanOSLogSource\",\n PanOSLogSource\n ),\n HttpContentType = RequestContext\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DstDvcId = PanOSDestinationUUID,\n DstGeoCountry = PanOSDestinationLocation,\n DstMacAddr = PanOSDestinationDeviceMac,\n DstNatIpAddr = DestinationTranslatedAddress,\n DstNatPortNumber = DestinationTranslatedPort,\n DstPortNumber = DestinationPort,\n DstUsername = DestinationUserName,\n DstZone = DeviceCustomString5,\n DvcId = DeviceExternalID,\n DvcOriginalAction = DeviceAction,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n HttpContentFormat = RequestContext,\n HttpReferrer = PanOSReferer,\n RuleName = DeviceCustomString1,\n SrcDvcId = PanOSSourceUUID,\n SrcMacAddr = PanOSSourceDeviceMac,\n SrcNatIpAddr = SourceTranslatedAddress,\n SrcNatPortNumber = SourceTranslatedPort,\n SrcPortNumber = SourcePort,\n SrcUsername = SourceUserName,\n SrcZone = DeviceCustomString4,\n Url = RequestURL,\n UrlCategory = DeviceCustomString2,\n EventOriginalSubType = Activity,\n DvcOutboundInterface = DeviceOutboundInterface,\n DvcInboundInterface = DeviceInboundInterface,\n DstUserId = DestinationUserID,\n SrcUserId = SourceUserID,\n EventOwner = PanOSLogSource,\n HttpUserAgent = RequestClientApplication,\n SrcGeoCountry = PanOSSourceLocation,\n DvcScopeId = PanOSCortexDataLakeTenantID,\n SrcAppName = ApplicationProtocol,\n ThreatOriginalRiskLevel = PanOSApplicationRisk\n | extend\n Dst = coalesce(DstFQDN, DstDvcId, DstHostname, DstIpAddr),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Src = coalesce(SrcFQDN, SrcDvcId, SrcHostname, SrcIpAddr),\n NetworkProtocolVersion = case(\n DstIpAddr contains \".\",\n \"IPv4\", \n DstIpAddr contains \":\",\n \"IPv6\", \n \"\"\n ),\n NetworkDirection = iff(PanOSIsClienttoServer == \"true\", 
\"Outbound\", \"Inbound\"),\n Rule = RuleName,\n SrcUserType = _ASIM_GetUserType(SrcUsername, SrcUserId),\n DstUserType = _ASIM_GetUserType(DstUsername, DstUserId),\n User = SrcUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n DstDvcIdType = iff(isnotempty(DstDvcId), \"Other\", \"\"),\n SrcDomainType = iff(isnotempty(SourceNTDomain), \"Windows\", SrcDomainType),\n DstDomainType = iff(isnotempty(DestinationNTDomain), \"Windows\", DstDomainType),\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername),\n SrcUserIdType = iff(isnotempty(SrcUserId), \"UID\", \"\"),\n DstUserIdType = iff(isnotempty(DstUserId), \"UID\", \"\"),\n SrcAppType = case(\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"true\",\n \"SaaS Application\",\n isnotempty(SrcAppName) and PanOSIsSaaSApplication == \"false\",\n \"Other\",\n \"\"\n )\n | extend\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventType = \"HTTPsession\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n Protocol,\n temp*,\n ExternalID,\n Message,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n 
httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionSonicWallFirewall/vimWebSessionSonicWallFirewall.json b/Parsers/ASimWebSession/ARM/vimWebSessionSonicWallFirewall/vimWebSessionSonicWallFirewall.json
index 6260c563e3d..762de424932 100644
--- a/Parsers/ASimWebSession/ARM/vimWebSessionSonicWallFirewall/vimWebSessionSonicWallFirewall.json
+++ b/Parsers/ASimWebSession/ARM/vimWebSessionSonicWallFirewall/vimWebSessionSonicWallFirewall.json
@@ -18,29 +18,19 @@
 },
 "resources": [
 {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimWebSessionSonicWallFirewall')]",
 "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimWebSessionSonicWallFirewall",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Web Session ASIM filtering parser for SonicWall firewalls",
- "category": "ASIM",
- "FunctionAlias": "vimWebSessionSonicWallFirewall",
- "query": "let parser=(\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n )\n {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let Actions=datatable(fw_action:string, DvcAction:string, EventSeverity:string)\n [ \"\\\"forward\\\"\", \"Allow\", \"Informational\"\n , \"\\\"mgmt\\\"\", \"Other\", \"Informational\"\n , \"\\\"NA\\\"\", \"Other\", \"Informational\"\n , \"\\\"drop\\\"\", \"Drop\", \"Low\"\n ];\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"SonicWall\"\n and DeviceEventClassID in (14, 97)\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n and Protocol has_any(dynamic([\"udp/http\", \"tcp/http\", \"udp/https\", \"tcp/https\"]))\n and (array_length(url_has_any) 
== 0 or RequestURL has_any (url_has_any) or AdditionalExtensions has_any (url_has_any))\n and (array_length(eventresultdetails_in) == 0)\n | parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, ['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n SrcIpAddr = coalesce(SourceIP, srcV6)\n , DstIpAddr = coalesce(DestinationIP, dstV6)\n | where (isnotempty(SrcIpAddr) or isnotempty(DstIpAddr))\n and isnotempty(fw_action)\n | extend temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any)\n , temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(array_length(src_or_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\")\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend RequestURL_ = extract(@\"(?:[.*;]+?)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)(?:;fw_action)\", 1, AdditionalExtensions)\n | extend RequestURL_ = iif(RequestURL_ startswith \"snpt\" or RequestURL_ startswith \"dnpt\" or RequestURL_ startswith \"appid\" or RequestURL_ startswith \"appName\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), RequestURL_)\n | extend RequestURL_ = iif(RequestURL_ matches regex @\"^(.{2,6}=.{1,6})\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), iif(RequestURL_ matches regex 
@\"^\\w=\\d$\", \"\", RequestURL_))\n | extend RequestURL_ = iif(RequestURL_ has_any(dynamic([\"af_polid=\", \"ipscat=\", \"snpt=\", \"dnpt=\"])), \"\", RequestURL_)\n | extend RequestURL = iif(isnotempty(RequestURL), RequestURL, iif(RequestURL_ contains \"/\" and RequestURL_ contains \".\", RequestURL_, \"\"))\n | where isnotempty(RequestURL)\n | lookup Actions on fw_action\n | extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n | extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n | extend HttpRequestMethod = case(tolong(RequestMethod) == 0, \"\"\n , tolong(RequestMethod) == 1, \"GET\"\n , tolong(RequestMethod) == 2, \"POST\"\n , tolong(RequestMethod) == 3, \"HEAD\"\n , tolong(RequestMethod) == 4, \"PUT\"\n , tolong(RequestMethod) == 5, \"CONNECT\"\n , tolong(RequestMethod) == 6, \"\"\n , \"\"\n )\n | extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , 
EventOriginalType = DeviceEventClassID\n | project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , Dvc = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Block Category ID and Name\n , RuleName = DeviceCustomString1 // Rule ID. Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , SrcZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , DstZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) 
on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n , HttpUserAgent = RequestClientApplication\n , Url = RequestURL\n| where (array_length(url_has_any) == 0 or Url has_any (url_has_any))\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend EventOriginalSubType = case(DeviceEventCategory == 0, \"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. 
(8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , DvcDescription = DeviceProduct\n , Rule = RuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature 
name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , HttpReferrer = extract(@'Referer: (.*)\\\"$', 1, coalesce(sosLogMsgNote, \"\"))\n , sosHttpRequestMethod_ = extract(@'Command: (.\\w+)', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. ', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"HTTPsession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventSchema = \"WebSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , UserAgent = HttpUserAgent\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n UrlCategory = sosCFSCategoryName\n , HttpRequestMethod = coalesce(HttpRequestMethod, sosHttpRequestMethod_)\n , EventResultDetails = \"\"\n , HttpStatusCode = \"\"\n , SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n 
, SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n , User = SrcUsername\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n , SrcBytes = case(NetworkDirection == \"Outbound\", tolong(SentBytes)\n , NetworkDirection == \"Inbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone == \"WAN\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone != \"WAN\", tolong(SentBytes)\n , tolong(long(null))\n )\n , DstBytes = case(NetworkDirection == \"Outbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Inbound\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone == \"WAN\", tolong(SentBytes)\n , 
NetworkDirection == \"Local\" and DstZone != \"WAN\", tolong(ReceivedBytes)\n , tolong(long(null))\n )\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action // App Rule Action.\n , sosSourceIPv6Address = srcV6 // Source IPv6 IP\n , sosDestinationIPv6Address = dstV6 // Destination IPv6 IP\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. 
Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"URLPathName\", sosURLPathName\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", 
sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n , \"UserSessionDuration\", sosUserSessionDuration\n )\n| project-away\n DeviceEventCategory\n , gcat\n , RequestMethod\n , RequestURL_\n , ipspri\n , spypri\n , sos*\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": 
{ + "etag": "*", + "displayName": "Web Session ASIM filtering parser for SonicWall firewalls", + "category": "ASIM", + "FunctionAlias": "vimWebSessionSonicWallFirewall", + "query": "let parser=(\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n )\n {\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let Actions=datatable(fw_action:string, DvcAction:string, EventSeverity:string)\n [ \"\\\"forward\\\"\", \"Allow\", \"Informational\"\n , \"\\\"mgmt\\\"\", \"Other\", \"Informational\"\n , \"\\\"NA\\\"\", \"Other\", \"Informational\"\n , \"\\\"drop\\\"\", \"Drop\", \"Low\"\n ];\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"SonicWall\"\n and DeviceEventClassID in (14, 97)\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any (httpuseragent_has_any))\n and Protocol has_any(dynamic([\"udp/http\", \"tcp/http\", \"udp/https\", \"tcp/https\"]))\n and (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any) or AdditionalExtensions has_any (url_has_any))\n and (array_length(eventresultdetails_in) == 0)\n | parse-kv AdditionalExtensions as (['gcat']:string, ['app']:string, ['arg']:string, ['dstV6']:string, ['srcV6']:string, ['snpt']:string, ['dnpt']:string, ['susr']:string,['appName']:string, ['appcat']:string, ['appid']:string, ['sid']:string, ['catid']:string, ['ipscat']:string, ['ipspri']:string, ['spycat']:string, ['spypri']:string, ['fw_action']:string, ['dpi']:string, ['bid']:string, ['af_action']:string, ['af_polid']:string, ['af_policy']:string, ['af_type']:string, ['af_service']:string, 
['af_object']:string, ['contentObject']:string, ['fileid']:string, ['uuid']:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend\n SrcIpAddr = coalesce(SourceIP, srcV6)\n , DstIpAddr = coalesce(DestinationIP, dstV6)\n | where (isnotempty(SrcIpAddr) or isnotempty(DstIpAddr))\n and isnotempty(fw_action)\n | extend temp_SrcMatch = has_any_ipv4_prefix(SrcIpAddr, src_or_any)\n , temp_DstMatch = has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(array_length(src_or_any) == 0, \"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\")\n | where ASimMatchingIpAddr != \"No match\"\n | project-away temp_*\n | extend RequestURL_ = extract(@\"(?:[.*;]+?)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)(?:;fw_action)\", 1, AdditionalExtensions)\n | extend RequestURL_ = iif(RequestURL_ startswith \"snpt\" or RequestURL_ startswith \"dnpt\" or RequestURL_ startswith \"appid\" or RequestURL_ startswith \"appName\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), RequestURL_)\n | extend RequestURL_ = iif(RequestURL_ matches regex @\"^(.{2,6}=.{1,6})\", extract(@\"(?:\\d;|.{1}\\w.{1};)(?P[a-zA-Z0-9_*.,}{&%$~:;\\-=\\/?[:space:]]+)\", 1, RequestURL_), iif(RequestURL_ matches regex @\"^\\w=\\d$\", \"\", RequestURL_))\n | extend RequestURL_ = iif(RequestURL_ has_any(dynamic([\"af_polid=\", \"ipscat=\", \"snpt=\", \"dnpt=\"])), \"\", RequestURL_)\n | extend RequestURL = iif(isnotempty(RequestURL), RequestURL, iif(RequestURL_ contains \"/\" and RequestURL_ contains \".\", RequestURL_, \"\"))\n | where isnotempty(RequestURL)\n | lookup Actions on fw_action\n | extend EventResult = case(DvcAction == \"Allow\", \"Success\",\n DvcAction == \"Management\", \"NA\",\n DvcAction == \"NA\", \"NA\",\n DvcAction == \"Other\", \"NA\",\n \"Failure\"\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend 
sosLogMsgSeverity = case(LogSeverity == 10, \"Emergency (0)\",\n LogSeverity == 9, \"Alert (1)\",\n LogSeverity == 8, \"Critical (2)\",\n LogSeverity == 7, \"Error (3)\",\n LogSeverity == 6, \"Warning (4)\",\n LogSeverity == 5, \"Notice (5)\",\n LogSeverity == 4, \"Info (6)/Debug (7)\",\n LogSeverity == 3, \"Not Mapped (3)\",\n LogSeverity == 2, \"Not Mapped (2)\",\n LogSeverity == 1, \"Not Mapped (1)\",\n \"Not Mapped\"\n )\n | extend EventSeverity = case(tolong(LogSeverity) <= 4, \"Informational\"\n , tolong(LogSeverity) <= 6, \"Low\"\n , tolong(LogSeverity) <= 8, \"Medium\"\n , tolong(LogSeverity) > 8, \"High\"\n , \"\"\n )\n | extend HttpRequestMethod = case(tolong(RequestMethod) == 0, \"\"\n , tolong(RequestMethod) == 1, \"GET\"\n , tolong(RequestMethod) == 2, \"POST\"\n , tolong(RequestMethod) == 3, \"HEAD\"\n , tolong(RequestMethod) == 4, \"PUT\"\n , tolong(RequestMethod) == 5, \"CONNECT\"\n , tolong(RequestMethod) == 6, \"\"\n , \"\"\n )\n | extend NetworkProtocolVersion = case(DestinationIP has \".\", \"IPv4\"\n , DestinationIP has \":\", \"IPv6\"\n , \"\"\n )\n , NetworkProtocol = toupper(iff(Protocol contains \"-\" and Protocol !contains \"/\", toupper(trim_start(@\".*-\", Protocol)), toupper(trim_end(@\"/.*\", Protocol))))\n , NetworkApplicationProtocol = tostring(toupper(trim_start(@\".*/\", Protocol)))\n , EventOriginalType = DeviceEventClassID\n | project-rename\n DstMacAddr = DestinationMACAddress\n , SrcMacAddr = SourceMACAddress\n , DstPortNumber = DestinationPort\n , SrcPortNumber = SourcePort\n , EventMessage = Activity\n , sosEventMessageDetail = Message\n , EventProductVersion = DeviceVersion\n , Dvc = Computer\n , DvcOutboundInterface = DeviceOutboundInterface\n , DvcInboundInterface = DeviceInboundInterface\n , sosApplicationID = ApplicationProtocol // Application ID number (when Flow Reporting is enabled).\n , sosCFSFullString = Reason // CFS Block Category ID and Name\n , RuleName = DeviceCustomString1 // Rule ID. 
Identify a policy or rule associated with an event.\n , sosSourceVPNPolicyName = DeviceCustomString2 // Displays the source VPN policy name associated with the event.\n , sosDestinationVPNPolicyName = DeviceCustomString3 // Displays the destination VPN policy name associated with the event.\n , sosLogMsgNote = DeviceCustomString6 // \"Note\" field. Additional information that is application-dependent.\n , SrcNatIpAddr = DeviceCustomString1Label // NAT'ed source IP4/IPv6 address.\n , DstNatIpAddr = DeviceCustomString2Label // NAT'ed destination IPv4/IPv6 address.\n , SrcZone = DeviceCustomString3Label // Source Zone on Gen7. Src Zone Type on Gen6.\n , DstZone = DeviceCustomString4Label // Destination Zone on Gen7. Dest Zone Type (Trusted/Untrusted, etc.) on Gen6.\n , sosUserSessionType = DeviceCustomString5Label // String indicating the user session type, determined by the auth mechanism.\n , sosUserSessionDuration = DeviceCustomString6Label // User session duration in seconds.\n , SrcUsername = SourceUserName\n , ThreatOriginalConfidence = ThreatConfidence\n , HttpUserAgent = RequestClientApplication\n , Url = RequestURL\n| where (array_length(url_has_any) == 0 or Url has_any (url_has_any))\n| extend sosLogMsgCategory = case(gcat == 1, \"System (1)\",\n gcat == 2, \"Log (2)\",\n gcat == 3, \"Security Services (3)\",\n gcat == 4, \"Users (4)\",\n gcat == 5, \"Firewall Settings (5)\",\n gcat == 6, \"Network (6)\",\n gcat == 7, \"VPN (7)\",\n gcat == 8, \"High Availability (8)\",\n gcat == 9, \"3G/4G, Modem, and Module (9)\",\n gcat == 10, \"Firewall (10)\",\n gcat == 11, \"Wireless (11)\",\n gcat == 12, \"VoIP (12)\",\n gcat == 13, \"SSL VPN (13)\",\n gcat == 14, \"Anti-Spam (14)\",\n gcat == 15, \"WAN Acceleration (15)\",\n gcat == 16, \"Object (16)\",\n gcat == 17, \"SD-WAN (17)\",\n gcat == 18, \"Multi-Instance (18)\",\n gcat == 19, \"Unified Policy Engine (19)\",\n \"Log Category Not Mapped\"\n )\n| extend EventOriginalSubType = case(DeviceEventCategory == 0, 
\"None (0)\",\n DeviceEventCategory == 1, \"System Maintenance (1)\",\n DeviceEventCategory == 2, \"System Errors (2)\",\n DeviceEventCategory == 4, \"Blocked Web Sites (4)\",\n DeviceEventCategory == 8, \"Blocked Java Etc. (8)\",\n DeviceEventCategory == 16, \"User Activity (16)\",\n DeviceEventCategory == 32, \"Attacks (32)\",\n DeviceEventCategory == 64, \"Dropped TCP (64)\",\n DeviceEventCategory == 128, \"Dropped UDP (128)\",\n DeviceEventCategory == 256, \"Dropped ICMP (256)\",\n DeviceEventCategory == 512, \"Network Debug (512)\",\n DeviceEventCategory == 1024, \"Connection Closed (1024)\",\n DeviceEventCategory == 2048, \"Dropped LAN TCP (2048)\",\n DeviceEventCategory == 4096, \"Dropped LAN UDP (4096)\",\n DeviceEventCategory == 8192, \"Dropped LAN ICMP (8192)\",\n DeviceEventCategory == 32768, \"Modem Debug (32768)\",\n DeviceEventCategory == 65536, \"VPN Tunnel Status (65536)\",\n DeviceEventCategory == 131072, \"IEEE 802.11 Management (131072)\",\n DeviceEventCategory == 262144, \"Connection Opened (262144)\",\n DeviceEventCategory == 524288, \"System Environment (524288)\",\n DeviceEventCategory == 1048576, \"Expanded - VoIP Activity (1048576)\",\n DeviceEventCategory == 2097152, \"Expanded - WLAN IDS Activity (2097152)\",\n DeviceEventCategory == 4194304, \"Expanded - SonicPoint Activity (4194304)\",\n DeviceEventCategory == 8388608, \"Expanded - Unified Policy Engine (8388608)\",\n \"Legacy Category Not Mapped\"\n )\n| extend sosIPSPriority = case(ipspri == 1, \"High (1)\",\n ipspri == 2, \"Medium (2)\",\n ipspri == 3, \"Low (3)\",\n \"\"\n )\n| extend sosAntiSpywarePriority = case(spypri == 1, \"High (1)\",\n spypri == 2, \"Medium (2)\",\n spypri == 3, \"Low (3)\",\n \"\"\n )\n| extend\n EventVendor = \"SonicWall\"\n , EventProduct = \"Firewall\"\n , DvcOs = \"SonicOS\"\n , DvcOsVersion = EventProductVersion\n , DvcIdType = \"Other\"\n , DvcDescription = DeviceProduct\n , Rule = RuleName\n , NetworkBytes = tolong(coalesce(toint(ReceivedBytes), 0) + 
coalesce(toint(SentBytes), 0))\n , sosIPSFullString = ipscat\n , ipscat = extract(@'^\"?([a-zA-Z-\\/]+)', 1, ipscat) // IPS Category/Signature\n , sosIPSSignatureName = extract(@'[ ](.*)\\S', 1, ipscat) // IPS Signature name\n , FileSize = tolong(coalesce(FileSize, long(null)))\n , sosAppControlFileName = extract(@'.*Filename: (.*)\\\"', 1, sosEventMessageDetail) // App Control Filename Logging\n , HttpReferrer = extract(@'Referer: (.*)\\\"$', 1, coalesce(sosLogMsgNote, \"\"))\n , sosHttpRequestMethod_ = extract(@'Command: (.\\w+)', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCFSCategoryID = extract(@'(\\d+)\\s', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSCategoryName = extract(@'.*-(\"(.*))', 1, coalesce(sosCFSFullString, \"\")) // Application Name from App Control\n , sosCFSPolicyName = extract(@'Policy: (.*), Info:', 1, coalesce(sosLogMsgNote, \"\"))\n , sosCaptureATPVerdict = extract(@'Gateway Anti-Virus Status: (.*)\\. ', 1, sosEventMessageDetail)\n , sosGAVSignatureName = extract(@'Gateway Anti-Virus Alert: (.*) blocked\\.', 1, sosEventMessageDetail)\n , sosASWSignatureName = extract(@'Anti-Spyware Detection Alert: (.*)\\. 
', 1, sosEventMessageDetail)\n , sosCountry = extract(@'Country Name:(.*)\\\"$', 1, sosEventMessageDetail)\n , EventOriginalSeverity = LogSeverity\n , Dst = DstIpAddr\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = \"HTTPsession\"\n , EventSchemaVersion = \"0.2.5\"\n , EventSchema = \"WebSession\"\n , EventCount = toint(1)\n , EventUid = _ItemId\n , UserAgent = HttpUserAgent\n , ThreatConfidence = coalesce(toint(ThreatOriginalConfidence), int(null))\n| extend\n UrlCategory = sosCFSCategoryName\n , HttpRequestMethod = coalesce(HttpRequestMethod, sosHttpRequestMethod_)\n , EventResultDetails = \"\"\n , HttpStatusCode = \"\"\n , SrcUsername = coalesce(susr, SrcUsername)\n , FileName = coalesce(FileName, sosAppControlFileName)\n , NetworkDirection = case(SrcZone == \"\" and DstZone == \"\", \"NA\"\n , SrcZone == \"WAN\" and (DstZone == \"WAN\" and DstIpAddr !has \".255\"), \"Inbound\"\n , SrcZone == \"WAN\" and DstZone == \"WAN\", \"External\"\n , SrcZone == \"WAN\" and DstZone != \"WAN\", \"Inbound\"\n , SrcZone == \"VPN\" and DstZone == \"WAN\", \"Outbound\"\n , SrcZone == \"VPN\" and DstZone != \"WAN\", \"Inbound\"\n , DstZone == \"MULTICAST\", \"NA\"\n , DstZone == \"WAN\", \"Outbound\"\n , \"Local\"\n )\n , User = SrcUsername\n| extend\n SrcUsernameType = case(SrcUsername has \"=\", \"DN\",\n SrcUsername has \"\\\\\", \"Windows\",\n SrcUsername has \"@\", \"UPN\",\n SrcUsername == \"Unknown (external IP)\", \"\",\n SrcUsername == \"Unknown (SSO bypassed)\", \"\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n , ThreatField = case(isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Outbound\", \"SrcIpAddr\"\n , isnotempty(ThreatOriginalConfidence) and NetworkDirection == \"Inbound\", \"DstIpAddr\"\n , \"\"\n )\n| extend\n ThreatIpAddr = case(ThreatField == \"SrcIpAddr\", SrcIpAddr\n , ThreatField == \"DstIpAddr\", DstIpAddr\n , \"\"\n )\n| extend\n SrcGeoCountry = 
iff(NetworkDirection == \"Inbound\", sosCountry, \"\")\n , DstGeoCountry = iff(NetworkDirection == \"Outbound\", sosCountry, \"\")\n , SrcAppName = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , DstAppName = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), coalesce(appcat, appName), \"\")\n , SrcAppId = iff(NetworkDirection in (\"Inbound\", \"Local\", \"NA\"), sid, \"\")\n , DstAppId = iff(NetworkDirection in (\"Outbound\", \"Local\", \"NA\"), sid, \"\")\n , SrcBytes = case(NetworkDirection == \"Outbound\", tolong(SentBytes)\n , NetworkDirection == \"Inbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone == \"WAN\", tolong(ReceivedBytes)\n , NetworkDirection == \"Local\" and SrcZone != \"WAN\", tolong(SentBytes)\n , tolong(long(null))\n )\n , DstBytes = case(NetworkDirection == \"Outbound\", tolong(ReceivedBytes)\n , NetworkDirection == \"Inbound\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone == \"WAN\", tolong(SentBytes)\n , NetworkDirection == \"Local\" and DstZone != \"WAN\", tolong(ReceivedBytes)\n , tolong(long(null))\n )\n| extend\n SrcAppType = case(isempty(SrcAppName), \"\"\n , SrcAppName contains \"\\'General \" or SrcAppName contains \"\\'Service \", \"Service\", \"Other\")\n , DstAppType = case(isempty(DstAppName), \"\"\n , DstAppName contains \"\\'General \" or DstAppName contains \"\\'Service \", \"Service\", \"Other\")\n| project-rename\n sosReceivedPackets = DeviceCustomNumber1Label // DeviceCustomNumberXLabel (cnXLabel=)\n , sosSentPackets = DeviceCustomNumber2Label // DeviceCustomNumberXLabel (cnXLabel=)\n| extend\n DstPackets = case(NetworkDirection == \"Outbound\", tolong(sosReceivedPackets)\n , NetworkDirection == \"Inbound\", tolong(sosSentPackets)\n , tolong(long(null))\n )\n , SrcPackets = case(NetworkDirection == \"Outbound\", tolong(sosSentPackets)\n , NetworkDirection == \"Inbound\", tolong(sosReceivedPackets)\n , tolong(long(null))\n )\n| 
project-rename\n sosConnectionDuration = DeviceCustomNumber3Label // Applies to \"Connection Closed\"\n , sosUser = susr // Logged-in username associated with the log event.\n , sosAppRulePolicyId = af_polid // App Rule Policy ID.\n , sosAppRulePolicyName = af_policy // App Rule Policy Name.\n , sosAppRuleService = af_service // App Rule Service Name.\n , sosAppRuleType = af_type // App Rule Policy Type.\n , sosAppRuleObject = af_object // App Rule Object Name.\n , sosAppRuleObjectContent = contentObject // App Rule Object Content.\n , sosAppRuleAction = af_action // App Rule Action.\n , sosSourceIPv6Address = srcV6 // Source IPv6 IP\n , sosDestinationIPv6Address = dstV6 // Destination IPv6 IP\n , sosAppFullString = appcat // The full \" -- \" string.\n , sosAppIDNumber = app // Numeric Application ID. Not the same as \"ApplicationProtocol\".\n , sosAppID = appid // Application ID from App Control\n , sosAppCategoryID = catid // Application Category ID\n , sosAppSignatureID = sid // Application Signature ID\n , sosIPSCategoryName = ipscat // IPS Category Name\n , sosAntiSpywareCategory = spycat // Anti-Spyware Category\n , sosURLPathName = arg // URL. Represents the URL path name.\n , sosFileIdentifier = fileid // File hash or URL\n , sosDPIInspectedFlow = dpi // Indicates a flow was inspected by DPI. 
Applies only to Connection Closed messages.\n , DstNatPortNumber = dnpt\n , SrcNatPortNumber = snpt\n , sosBladeID = bid // Blade ID\n , sosUUID = uuid\n , sosFileName = FileName\n , DvcOriginalAction = fw_action\n| extend\n ThreatName = coalesce(sosASWSignatureName, sosGAVSignatureName, sosIPSSignatureName, \"\")\n , ThreatId = coalesce(sosAppSignatureID, \"\")\n , ThreatCategory = coalesce(sosIPSCategoryName, sosAntiSpywareCategory, \"\")\n , DstNatPortNumber = toint(DstNatPortNumber)\n , SrcNatPortNumber = toint(SrcNatPortNumber)\n| extend AdditionalFields = bag_pack(\n \"AppRulePolicyId\", sosAppRulePolicyId\n , \"AppRulePolicyName\", sosAppRulePolicyName\n , \"AppRuleService\", sosAppRuleService\n , \"AppRuleType\", sosAppRuleType\n , \"AppRuleObject\", sosAppRuleObject\n , \"AppRuleObjectContent\", sosAppRuleObjectContent\n , \"AppRuleAction\", sosAppRuleAction\n , \"AppID\", sosAppID\n , \"AppCategoryID\", sosAppCategoryID\n , \"IPSCategoryName\", sosIPSCategoryName\n , \"AntiSpywareCategory\", sosAntiSpywareCategory\n , \"URLPathName\", sosURLPathName\n , \"FileIdentifier\", sosFileIdentifier\n , \"DPIInspectedFlow\", sosDPIInspectedFlow\n , \"BladeID\", sosBladeID\n , \"UUID\", sosUUID\n , \"FileName\", sosFileName\n , \"FileSize\", FileSize\n , \"CaptureATPVerdict\", sosCaptureATPVerdict\n , \"CFSCategoryID\", sosCFSCategoryID\n , \"CFSCategoryName\", sosCFSCategoryName\n , \"CFSPolicyName\", sosCFSPolicyName\n , \"AppControlFileName\", sosAppControlFileName\n , \"IPSFullString\", sosIPSFullString\n , \"IPSSignatureName\", sosIPSSignatureName\n , \"LogMsgCategory\", sosLogMsgCategory\n , \"LogMsgNote\", sosLogMsgNote\n , \"LogMsgSeverity\", sosLogMsgSeverity\n , \"SourceVPNPolicyName\", sosSourceVPNPolicyName\n , \"DestinationVPNPolicyName\", sosDestinationVPNPolicyName\n , \"EventMessageDetail\", sosEventMessageDetail\n , \"UserSessionType\", sosUserSessionType\n , \"UserSessionDuration\", sosUserSessionDuration\n )\n| project-away\n 
DeviceEventCategory\n , gcat\n , RequestMethod\n , RequestURL_\n , ipspri\n , spypri\n , sos*\n , Protocol\n , appName\n , AdditionalExtensions\n , Flex*\n , Indicator*\n , Malicious*\n , Field*\n , DeviceCustom*\n , Old*\n , File*\n , Source*\n , Destination*\n , Device*\n , SimplifiedDeviceAction\n , ExternalID\n , ExtID\n , TenantId\n , ProcessName\n , ProcessID\n , ExtID\n , OriginalLogSeverity\n , LogSeverity\n , EventOutcome\n , StartTime\n , EndTime\n , ReceiptTime\n , Remote*\n , ThreatDescription\n , ThreatSeverity\n , RequestContext\n , RequestCookies\n , CommunicationDirection\n , ReportReferenceLink\n , ReceivedBytes\n , SentBytes\n , _ResourceId\n , _ItemId\n| project-reorder\n TimeGenerated\n , EventVendor\n , EventProduct\n , DvcDescription\n , Dvc\n , DvcOs\n , DvcOsVersion\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json b/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json index fda80ba5f93..e5a02451910 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionSquidProxy')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionSquidProxy", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Squid Proxy", - "category": "ASIM", - "FunctionAlias": "vimWebSessionSquidProxy", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(httpuseragent_has_any) == 0)\n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, ipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = 
extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = tostring(AccessRawLog[4])\n | where array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResult\n // -- Map\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. 
This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n //\n | extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n // Post Filter\n | where \n (\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (ASimMatchingIpAddr != \"No match\")\n )\n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n DstIpAddrIsHost = DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, 
httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Squid Proxy", + "category": "ASIM", + "FunctionAlias": "vimWebSessionSquidProxy", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]), \n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(httpuseragent_has_any) == 0)\n and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n and ((array_length(ipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, ipaddr_has_any_prefix))\n and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n // -- Parse\n | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n // -- Post filtering\n | extend EventResultDetails = tostring(AccessRawLog[4])\n | where 
array_length(eventresultdetails_in) == 0 or EventResultDetails in (eventresultdetails_in)\n | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n | extend EventResult = iff (EventOriginalResultDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n | where eventresult == \"*\" or eventresult == EventResult\n // -- Map\n | project-rename\n Dvc = Computer\n | extend\n EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n NetworkDuration = toint(AccessRawLog[1]), \n SrcIpAddr = tostring(AccessRawLog[2]), \n DstBytes = tolong(AccessRawLog[5]), \n HttpRequestMethod = tostring(AccessRawLog[6]), \n // -- Squid URL might be shortened by including ellipsis (...) instead of a section in the middle. This may impact the hostname part as well.\n Url = tostring(AccessRawLog[7]), \n SrcUsername = tostring(AccessRawLog[8]), \n DstIpAddr = tostring(AccessRawLog[10]), \n HttpContentType = tostring(AccessRawLog[11]) \n //\n | extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DstIpAddr, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n // Post Filter\n | where \n (\n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n and (ASimMatchingIpAddr != \"No match\")\n )\n // -- Constant fields\n | extend \n EventCount = int(1), \n EventProduct = 'Squid Proxy', \n EventVendor = 'Squid', \n EventSchema = 'WebSession', \n EventSchemaVersion = '0.2.3', \n EventType = 'HTTPsession' \n // -- Value normalization\n | extend\n SrcUsernameType = \"Unknown\",\n SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n DstIpAddrIsHost = 
DstIpAddr matches regex @\"^[^\\:]*[a-zA-Z]$\"\n | extend \n FQDN = iif (DstIpAddrIsHost, DstIpAddr, tostring(parse_url(Url)[\"Host\"])),\n DstIpAddr = iif (DstIpAddr == \"-\" or DstIpAddrIsHost, \"\", DstIpAddr)\n | extend \n EventSeverity = iff(EventResult == \"Success\", \"Informational\", \"Low\")\n | invoke _ASIM_ResolveDstFQDN ('FQDN')\n // -- aliases\n | extend \n EventStartTime = EventEndTime,\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstHostname,\n Hostname = DstHostname\n | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionVectraAI/vimWebSessionVectraAI.json b/Parsers/ASimWebSession/ARM/vimWebSessionVectraAI/vimWebSessionVectraAI.json index 5961725dee1..76cb5d4dfaf 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionVectraAI/vimWebSessionVectraAI.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionVectraAI/vimWebSessionVectraAI.json 
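Review bot: On the new side of the `query` string, a RawData line that does not match the `extract_all` regex is not dropped: `AccessRawLog` becomes null, every parsed field (`SrcIpAddr`, `Url`, `DstIpAddr`, `EventResultDetails`) is empty, `toint(EventResultDetails)` is null, and `EventResult` falls through to `"Success"`, so unparsable lines surface as normalized HTTPsession events with no source, URL or destination. A guard right after the extract, `| where isnotnull(AccessRawLog)`, keeps those rows out of the normalized output rather than reporting them as successful sessions. Separately, the post-filter `| where eventresult == "*" or eventresult == EventResult` is case-sensitive, while the SonicWall parser in this same change uses `EventResult =~ eventresult`; a caller passing `eventresult='success'` silently gets no rows here, so `eventresult =~ EventResult` would align the two. The commit itself only flattens the ARM resource to `workspaces/savedSearches` and the query body is carried over unchanged, so these appear to predate it.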
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionVectraAI')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionVectraAI", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Vectra AI streams", - "category": "ASIM", - "FunctionAlias": "vimWebSessionVectraAI", - "query": "let parser = (starttime: datetime = datetime(null),\n endtime: datetime = datetime(null),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n ipaddr_has_any_prefix: dynamic = dynamic([]),\n url_has_any: dynamic = dynamic([]),\n httpuseragent_has_any: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool = false,\n pack:bool = false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, NetworkDirection:string)\n [\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n ];\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\n [\n 'ipv4', 'IPv4',\n 'ipv6', 'IPv6'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n let remove_protocol_from_urls = \n materialize (\n print url_has_any \n | mv-apply l = print_0 to typeof(string) on ( \n extend l = extract(@'^(?i:.*?://)?(.*)$', 1, l)\n ) \n | project l\n );\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n VectraStream_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) 
or TimeGenerated <= endtime)\n | where metadata_type_s == 'metadata_httpsessioninfo'\n | where \n (array_length(url_has_any) == 0 \n or host_s has_any(remove_protocol_from_urls) \n or uri_s has_any (remove_protocol_from_urls) \n or strcat(host_s, uri_s) has_any (remove_protocol_from_urls))\n | where (array_length(httpuseragent_has_any) == 0 or user_agent_s has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(status_code_d) has_any(eventresultdetails_in))\n | extend temp_SrcMatch=has_any_ipv4_prefix(id_orig_h_s,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(id_resp_h_s,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResult = iff(tolong(status_code_d) >= 400, \"Failure\", \"Success\")\n | where (eventresult == '*' or EventResult =~ eventresult)\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DstIpAddr = id_resp_h_s,\n EventOriginalUid = uid_s,\n HttpContentType = resp_mime_types_s,\n HttpReferrer = referrer_s,\n HttpRequestMethod = method_s,\n HttpUserAgent = user_agent_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s,\n HttpResponseCacheControl = response_cache_control_s,\n HttpRequestCacheControl = request_cache_control_s,\n HttpCookie = cookie_s,\n HttpResponseExpires = response_expires_s,\n HttpIsProxied = is_proxied_b,\n EventOriginalStatusDetails = status_msg_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", 
DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResultDetails = tostring(toint(status_code_d)),\n HttpRequestBodyBytes = tolong(request_body_len_d),\n HttpResponseBodyBytes = tolong(response_body_len_d),\n HttpRequestHeaderCount = toint(request_header_count_d),\n HttpResponseHeaderCount = toint(response_header_count_d),\n EventSchema = 'WebSession',\n EventSchemaVersion='0.2.3',\n DvcIdType = 'VectraId',\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\n EventType = 'HTTPsession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n Url = strcat('http://', host_s, uri_s)\n | lookup NetworkDirectionLookup on local_orig_b, local_resp_b\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", 
unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | extend\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n Hostname = DstHostname,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcIpAddr,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n //SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n UserAgent = HttpUserAgent \n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled, pack=pack)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Vectra AI streams", + "category": "ASIM", + "FunctionAlias": "vimWebSessionVectraAI", + "query": "let parser = (starttime: datetime = datetime(null),\n endtime: datetime = datetime(null),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n ipaddr_has_any_prefix: dynamic = dynamic([]),\n url_has_any: dynamic = dynamic([]),\n httpuseragent_has_any: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool = false,\n pack:bool = false)\n{\n let NetworkDirectionLookup = datatable(local_orig_b:bool, local_resp_b:bool, 
NetworkDirection:string)\n [\n false, true, 'Inbound',\n true, false, 'Outbound',\n true, true, 'Local',\n false, false, 'Local'\n ];\n let NetworkProtocolVersionLookup = datatable(id_ip_ver_s:string, NetworkApplicationProtocol:string)\n [\n 'ipv4', 'IPv4',\n 'ipv6', 'IPv6'\n ];\n let HostnameRegex = @'^[a-zA-Z0-9-]{1,61}$';\n let remove_protocol_from_urls = \n materialize (\n print url_has_any \n | mv-apply l = print_0 to typeof(string) on ( \n extend l = extract(@'^(?i:.*?://)?(.*)$', 1, l)\n ) \n | project l\n );\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n VectraStream_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where metadata_type_s == 'metadata_httpsessioninfo'\n | where \n (array_length(url_has_any) == 0 \n or host_s has_any(remove_protocol_from_urls) \n or uri_s has_any (remove_protocol_from_urls) \n or strcat(host_s, uri_s) has_any (remove_protocol_from_urls))\n | where (array_length(httpuseragent_has_any) == 0 or user_agent_s has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(status_code_d) has_any(eventresultdetails_in))\n | extend temp_SrcMatch=has_any_ipv4_prefix(id_orig_h_s,src_or_any)\n , temp_DstMatch=has_any_ipv4_prefix(id_resp_h_s,ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr=case(\n array_length(src_or_any) == 0 ,\"-\",\n temp_SrcMatch and temp_DstMatch, \"Both\",\n temp_SrcMatch, \"SrcIpAddr\",\n temp_DstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | project-away temp_*\n | extend EventResult = iff(tolong(status_code_d) >= 400, \"Failure\", \"Success\")\n | where (eventresult == '*' or EventResult =~ eventresult)\n | project-rename\n DvcDescription = hostname_s,\n DstDescription = resp_hostname_s,\n SrcDescription = orig_hostname_s,\n DstIpAddr = id_resp_h_s,\n EventOriginalUid = uid_s,\n HttpContentType = 
resp_mime_types_s,\n HttpReferrer = referrer_s,\n HttpRequestMethod = method_s,\n HttpUserAgent = user_agent_s,\n DvcId = sensor_uid_s,\n // -- community id is just a hash of addresses and ports, and not unique for the session\n // NetworkSessionId = community_id_s,\n SrcIpAddr = id_orig_h_s,\n SrcSessionId = orig_sluid_s,\n DstSessionId = resp_sluid_s,\n HttpResponseCacheControl = response_cache_control_s,\n HttpRequestCacheControl = request_cache_control_s,\n HttpCookie = cookie_s,\n HttpResponseExpires = response_expires_s,\n HttpIsProxied = is_proxied_b,\n EventOriginalStatusDetails = status_msg_s\n | extend\n DstHostname = iff (DstDescription startswith \"IP-\" or not(DstDescription matches regex HostnameRegex), \"\", DstDescription),\n SrcHostname = iff (SrcDescription startswith \"IP-\" or not(SrcDescription matches regex HostnameRegex), \"\", SrcDescription),\n DvcHostname = iff (DvcDescription startswith \"IP-\" or not(DvcDescription matches regex HostnameRegex), \"\", DvcDescription),\n DstBytes = tolong(resp_ip_bytes_d),\n DstPackets = tolong(resp_pkts_d),\n DstPortNumber = toint(id_resp_p_d),\n EventCount = toint(1),\n EventStartTime = unixtime_milliseconds_todatetime(ts_d),\n EventOriginalSubType = tostring(split(metadata_type_s, '_')[1]),\n EventProduct = 'Vectra Stream',\n EventResultDetails = tostring(toint(status_code_d)),\n HttpRequestBodyBytes = tolong(request_body_len_d),\n HttpResponseBodyBytes = tolong(response_body_len_d),\n HttpRequestHeaderCount = toint(request_header_count_d),\n HttpResponseHeaderCount = toint(response_header_count_d),\n EventSchema = 'WebSession',\n EventSchemaVersion='0.2.3',\n DvcIdType = 'VectraId',\n EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low'),\n EventType = 'HTTPsession',\n EventVendor = 'Vectra AI',\n SrcBytes = tolong(orig_ip_bytes_d),\n SrcPackets = tolong(orig_pkts_d),\n SrcPortNumber = toint(id_orig_p_d),\n Url = strcat('http://', host_s, uri_s)\n | lookup NetworkDirectionLookup on 
local_orig_b, local_resp_b\n | lookup NetworkProtocolVersionLookup on id_ip_ver_s\n // -- preserving non-normalized important fields\n | extend AdditionalFields = iff (\n pack, \n bag_pack (\n \"first_orig_resp_data_pkt\", first_orig_resp_data_pkt_s,\n \"first_resp_orig_data_pkt\", first_resp_orig_data_pkt_s,\n \"orig_huid\", orig_huid_s,\n \"resp_huid\", resp_huid_s,\n \"community_id\", community_id_s,\n \"resp_multihome\", resp_multihomed_b,\n \"host_multihomed\", host_multihomed_b,\n \"first_orig_resp_data_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_data_pkt_time_d),\n \"first_orig_resp_pkt_time\", unixtime_milliseconds_todatetime(first_orig_resp_pkt_time_d),\n \"first_resp_orig_data_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_data_pkt_time_d),\n \"first_resp_orig_pkt_time\", unixtime_milliseconds_todatetime(first_resp_orig_pkt_time_d)\n ),\n dynamic([])\n )\n | project-away\n *_d, *_s, *_b, *_g, Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n | extend\n Dst = DstIpAddr,\n Dvc = DvcId,\n EventEndTime = EventStartTime,\n Hostname = DstHostname,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcIpAddr,\n NetworkBytes = SrcBytes + DstBytes,\n NetworkPackets = SrcPackets + DstPackets,\n //SessionId = NetworkSessionId,\n Src = SrcIpAddr,\n UserAgent = HttpUserAgent \n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled, pack=pack)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json b/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json index 0092886e5ee..7888517bd84 100644 --- a/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json +++ b/Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json 
@@ -18,29 +18,19 @@ }, "resources": [ { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimWebSessionZscalerZIA')]", "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimWebSessionZscalerZIA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Web Session ASIM filtering parser for Zscaler ZIA", - "category": "ASIM", - "FunctionAlias": "vimWebSessionZscalerZIA", - "query": "let DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nlet remove_protocol_from_list = (list:dynamic) \n{\n print list \n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \n | project l\n};\nlet parser = (\nstarttime:datetime=datetime(null), \nendtime:datetime=datetime(null),\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \nipaddr_has_any_prefix:dynamic=dynamic([]), \nurl_has_any:dynamic=dynamic([]),\nhttpuseragent_has_any:dynamic=dynamic([]),\neventresultdetails_in:dynamic=dynamic([]),\neventresult:string='*',\ndisabled:bool=false\n){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// -- Pre filtering\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n| extend \n ASimMatchingIpAddr = case( \n 
array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SourceIP, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n| where\n (ASimMatchingIpAddr != \"No match\")\n and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))\n and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n // -- Post filtering\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n )\n| where\n ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in (eventresultdetails_in)))\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n| where eventresult == \"*\" or eventresult == EventResult\n// -- Event fields\n| lookup DvcActionLookup on DeviceAction\n| extend \n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n// -- Field mapping\n| project-rename\n EventProductVersion = DeviceVersion,\n 
NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n// -- Calculated fields\n| extend\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, \".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN,\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n DvcHostname = tostring(Computer)\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = 
DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Src = SrcNatIpAddr,\n Dst = DstFQDN,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away DstFQDNparts\n| project-away AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, Activity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, urlclass, ruletype, DstHostnameNotAddr\n};\nparser (starttime, endtime\n , srcipaddr_has_any_prefix, ipaddr_has_any_prefix\n , url_has_any, httpuseragent_has_any\n , eventresultdetails_in, eventresult, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" - } - } - ] + "properties": { + "etag": "*", + "displayName": "Web Session ASIM filtering parser for Zscaler ZIA", + "category": "ASIM", + "FunctionAlias": "vimWebSessionZscalerZIA", + "query": "let DvcActionLookup = datatable (DeviceAction:string, DvcAction: string) \n[\n 'Allowed', 'Allow',\n 'Blocked', 'Deny'\n]; \nlet remove_protocol_from_list = (list:dynamic) \n{\n print list \n | mv-apply l = print_0 to typeof(string) on\n ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \n | project l\n};\nlet parser = (\nstarttime:datetime=datetime(null), \nendtime:datetime=datetime(null),\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), 
\nipaddr_has_any_prefix:dynamic=dynamic([]), \nurl_has_any:dynamic=dynamic([]),\nhttpuseragent_has_any:dynamic=dynamic([]),\neventresultdetails_in:dynamic=dynamic([]),\neventresult:string='*',\ndisabled:bool=false\n){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n// -- Pre filtering\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n| extend \n ASimMatchingIpAddr = case( \n array_length(ipaddr_has_any_prefix) == 0 , \"-\",\n has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix), \"DstIpAddr\",\n has_any_ipv4_prefix(SourceIP, ipaddr_has_any_prefix), \"SrcIpAddr\"\n , \"No match\"\n )\n| where\n (ASimMatchingIpAddr != \"No match\")\n and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))\n and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))\n// -- Parse\n| parse AdditionalExtensions with \n * \"rulelabel=\" RuleName:string \";\"\n \"ruletype=\" ruletype:string \";\"\n \"urlclass=\" urlclass:string \";\"\n \"devicemodel=\" * \n // -- Post filtering\n| extend\n // -- Adjustment to support both old and new CSL fields.\n EventResultDetails = coalesce(\n column_ifexists(\"EventOutcome\", \"\"),\n extract(@'outcome=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n )\n| where\n ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in (eventresultdetails_in)))\n| extend\n EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\")\n| where eventresult == \"*\" or eventresult == EventResult\n// -- Event fields\n| lookup DvcActionLookup on 
DeviceAction\n| extend \n // -- Adjustment to support both old and new CSL fields.\n EventOriginalResultDetails = coalesce(\n column_ifexists(\"Reason\", \"\"),\n extract(@'reason=(.*?)(?:;|$)',1, AdditionalExtensions, typeof(string))\n ),\n ThreatRiskLevel = coalesce(\n toint(column_ifexists(\"FieldDeviceCustomNumber1\", int(null))),\n toint(column_ifexists(\"DeviceCustomNumber1\",int(null)))\n ),\n EventCount=int(1), \n EventStartTime=TimeGenerated, \n EventVendor = \"Zscaler\", \n EventProduct = \"ZIA Proxy\", \n EventSchema = \"WebSession\", \n EventSchemaVersion=\"0.2.3\", \n EventType = 'HTTPsession',\n EventEndTime=TimeGenerated\n// -- Field mapping\n| project-rename\n EventProductVersion = DeviceVersion,\n NetworkApplicationProtocol = ApplicationProtocol,\n HttpContentType = FileType,\n HttpUserAgent = RequestClientApplication,\n HttpRequestMethod = RequestMethod,\n DstAppName = DestinationServiceName,\n DstIpAddr = DestinationIP,\n DstFQDN = DestinationHostName,\n SrcIpAddr = SourceIP,\n SrcUsername = SourceUserName,\n SrcNatIpAddr= SourceTranslatedAddress,\n SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n UrlCategory = DeviceCustomString2,\n ThreatName = DeviceCustomString5,\n FileMD5 = DeviceCustomString6,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message\n// -- Calculated fields\n| extend\n Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n DstFQDNparts = split (DstFQDN, 
\".\"),\n DstHostnameNotAddr = DstIpAddr != DstFQDN,\n DstBytes = tolong(ReceivedBytes),\n SrcBytes = tolong(SentBytes),\n DvcHostname = tostring(Computer)\n| extend\n DstHostname = iff (DstHostnameNotAddr, tostring(DstFQDNparts[0]), DstFQDN),\n DstDomain = iff (DstHostnameNotAddr, strcat_array(array_slice(DstFQDNparts,1,-1),\".\"), \"\"),\n DstFQDN = iff (DstHostnameNotAddr, DstFQDN, \"\") \n// -- Enrichment\n| extend\n EventSeverity = case (ThreatRiskLevel > 90, \"High\", ThreatRiskLevel > 60, \"Medium\", ThreatRiskLevel > 10, \"Low\", \"Informational\"),\n DstAppType = \"SaaS application\",\n DstDomainType = iff (DstHostnameNotAddr, \"FQDN\", \"\"),\n SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n Dvc = DvcHostname,\n Hostname = DstHostname,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n HttpStatusCode = EventResultDetails,\n IpAddr = SrcNatIpAddr,\n Src = SrcNatIpAddr,\n Dst = DstFQDN,\n Hash = FileMD5,\n FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away DstFQDNparts\n| project-away AdditionalExtensions, CommunicationDirection, Computer, Device*, Destination*, EndTime, ExternalID, File*, Flex*, IndicatorThreatType, Malicious*, Old*, OriginalLogSeverity, Process*, Protocol, ReceiptTime, ReceivedBytes, Remote*, Request*, Sent*, SimplifiedDeviceAction, Source*, StartTime, TenantId, ThreatConfidence, ThreatDescription, ThreatSeverity, Activity, EventOutcome, FieldDevice*, ExtID, Reason, ReportReferenceLink, urlclass, ruletype, DstHostnameNotAddr\n};\nparser (starttime, endtime\n , srcipaddr_has_any_prefix, ipaddr_has_any_prefix\n , url_has_any, httpuseragent_has_any\n , eventresultdetails_in, eventresult, disabled)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } } ] -} \ No newline at end of file +} diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png new file mode 100644 index 00000000000..0cda756d0e0 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_1.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png new file mode 100644 index 00000000000..837ce46d03a Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_10.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png new file mode 100644 index 00000000000..86a3382e2d5 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_11.png differ diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png new file mode 100644 index 00000000000..85e3d9c7363 Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_12.png differ 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png
new file mode 100644
index 00000000000..24252ea46d0
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png
new file mode 100644
index 00000000000..b19f0188291
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_3.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png
new file mode 100644
index 00000000000..77fc381dcde
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_4.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png
new file mode 100644
index 00000000000..2863d1ac842
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_5.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png
new file mode 100644
index 00000000000..d6b9217a233
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_6.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png
new file mode 100644
index 00000000000..19bcf49c9bd
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_7.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png
new file mode 100644
index 00000000000..9ebea64504d
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_8.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png
new file mode 100644
index 00000000000..d6eb32c9f27
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_9.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png
new file mode 100644
index 00000000000..63bf4b5f260
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png
new file mode 100644
index 00000000000..f72b7e27ea7
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_10.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png
new file mode 100644
index 00000000000..8ddbd7eb2cd
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_11.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png
new file mode 100644
index 00000000000..02a3429b4ad
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png
new file mode 100644
index 00000000000..627b0cb0228
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_3.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png
new file mode 100644
index 00000000000..ec124b080e7
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_4.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png
new file mode 100644
index 00000000000..7df564b46b6
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_5.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png
new file mode 100644
index 00000000000..8dcb504eebc
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_6.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png
new file mode 100644
index 00000000000..ea41face2ac
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_7.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png
new file mode 100644
index 00000000000..fb02aeadd69
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_8.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png
new file mode 100644
index 00000000000..4e21a9b4b19
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_App_Registration_DCR_9.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png
new file mode 100644
index 00000000000..c5cecdfd905
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png
new file mode 100644
index 00000000000..f818a4a5569
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png
new file mode 100644
index 00000000000..8ad3c16d057
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Azure_Cloud_Shell_3.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png
new file mode 100644
index 00000000000..1a8748f2ec3
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png
new file mode 100644
index 00000000000..3e23dc79086
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png
new file mode 100644
index 00000000000..782e9e39773
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_3.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png
new file mode 100644
index 00000000000..38da0ce277b
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_4.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png
new file mode 100644
index 00000000000..29cc38bc626
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_5.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png
new file mode 100644
index 00000000000..ecdd091f1f0
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Endpoint_6.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png
new file mode 100644
index 00000000000..e89e494578a
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png
new file mode 100644
index 00000000000..7bb0650ba55
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_10.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png
new file mode 100644
index 00000000000..867ee398427
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_11.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png
new file mode 100644
index 00000000000..051ef6ee199
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_12.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png
new file mode 100644
index 00000000000..2484c113409
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_13.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png
new file mode 100644
index 00000000000..8731f60625d
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_14.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png
new file mode 100644
index 00000000000..95cbb7a3e2a
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_15.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png
new file mode 100644
index 00000000000..db553f2fdc8
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png
new file mode 100644
index 00000000000..3a778b991b1
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_3.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png
new file mode 100644
index 00000000000..a830203d727
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_4.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png
new file mode 100644
index 00000000000..d2cf64f8143
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_5.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png
new file mode 100644
index 00000000000..8da7c2a0517
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_6.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png
new file mode 100644
index 00000000000..d46f07773af
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_7.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png
new file mode 100644
index 00000000000..3b8e6678605
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_8.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png
new file mode 100644
index 00000000000..d98ca5ce8da
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Data_Collection_Rule_9.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png
new file mode 100644
index 00000000000..95f67d803f7
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_2.png
new file mode 100644
index 00000000000..40342d7a05d
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Demo_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png
new file mode 100644
index 00000000000..98306cb8fa3
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png
new file mode 100644
index 00000000000..1c9beb01edc
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png
new file mode 100644
index 00000000000..2e79ba1093c
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Deploy_3.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png
new file mode 100644
index 00000000000..79149ee6e38
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png
new file mode 100644
index 00000000000..254c2730ccd
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png
new file mode 100644
index 00000000000..e265f03f5bf
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png
new file mode 100644
index 00000000000..39a2d12d311
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Key_Vault_Access_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png
new file mode 100644
index 00000000000..a90000d0353
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Logic_App_Enable_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png
new file mode 100644
index 00000000000..cd07848ab2c
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_1.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png
new file mode 100644
index 00000000000..74b925f2766
Binary files /dev/null and b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Images/DCRLogIngestion_Receiving_Key_Vault_2.png differ
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md
new file mode 100644
index 00000000000..eea27d50290
--- /dev/null
+++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/README.md
@@ -0,0 +1,374 @@ + # AS-Microsoft-DCR-Log-Ingestion + +Author: Accelerynt + +For any technical questions, please contact info@accelerynt.com + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json) + +This playbook is intended for multitenant organizations and is designed to run on a timed trigger and pull Microsoft Graph and Microsoft Office logs to Microsoft Sentinel using Data Collection Endpoints and Data Collection Rules. While Microsoft does have built in connectors for this, they do not support multitenant functionality. This playbook is configured to grab the following logs for a tenant of your choosing and send them to another tenant: +* [Microsoft Graph Sign-In Logs](https://learn.microsoft.com/en-us/graph/api/signin-get?view=graph-rest-1.0&tabs=http) +* [Microsoft Graph Audit Logs](https://learn.microsoft.com/en-us/graph/api/directoryaudit-get?view=graph-rest-1.0&tabs=http) +* [Microsoft Office Activity Logs](https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-reference). + +![DCRLogIngestion_Demo_1](Images/DCRLogIngestion_Demo_1.png) + +![DCRLogIngestion_Demo_2](Images/DCRLogIngestion_Demo_2.png) + +> [!NOTE] +> Estimated Time to Complete: 3 hours + +> [!TIP] +> Required deployment variables will be noted throughout the setup. It is recommended that you look at the deployment page and fill out the required fields as you go. 
+ +# +### Requirements + +The following items are required under the template settings during deployment: + +* Note your [subscription ID](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) for the tenant that will be sending the data +* A Microsoft Entra [app registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration) to send data to the DCR with admin consent granted for "**AuditLog.Read.All**" and "**Activity.Feed.Read**" +* A Microsoft Entra [app registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration) in the receiving tenant where the DCR is located. This app registration must have the "**Monitoring Metrics Publisher**" role assigned from each DCR you create. +* [App Registration Azure key vault secrets](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-azure-key-vault-secret) containing your app registration client secrets +* Note your [workspace location](https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces) for the tenant that will be receiving data, as this will need to be the same for Data Collection Rules and Endpoints created in the steps below +* A [Microsoft Data Collection Endpoint](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints) for each of the log sources +* A [Microsoft Data Collection Rule](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules) for each of the log sources +* An [Azure key vault secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret) containing your client secret for each of your Data Collection Endpoints + +# +### Role Requirements + 
+If the user that will be performing the setup and deployment steps does not have "**Owner**" or "**Global Administrator**" assigned in both tenants, the following roles may be required: + +The following roles are required in the **sending tenant**: + +* The **Privileged Role Administrator** role will need to be assigned to the user from Entra ID. +* By default, any user can create an app registration, however, if this has been locked down, the "**Application Administrator**" role will need to be assigned from Entra ID. + +The following roles are required in the **receiving tenant**: + +* In order to create and manage secrets within the desired Key Vault, the **Key Vault Secrets Officer** role will need to be assigned to the user from the Key Vault Access control (IAM) page. +* In order to add role assignments to DCRs, the **User Access Admin** and "**Contributor**" roles will need to be assigned to the user from the resource group. + +# +### Setup + +#### Create an App Registration + +From the tenant you wish to **send the Microsoft Graph and Office data from**, navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade + +Click "**New registration**". + +![DCRLogIngestion_App_Registration_1](Images/DCRLogIngestion_App_Registration_1.png) + +Enter "**AS-Send-Logs-to-DCR**" for the name and select "**Accounts in any organizational directory**" for "**Supported account types**. All else can be left as is. Click "**Register**" + +![DCRLogIngestion_App_Registration_2](Images/DCRLogIngestion_App_Registration_2.png) + +Once the app registration is created, you will be redirected to the "**Overview**" page. Under the "**Essentials**" section, take note of the "**Application (client) ID**" and the "**Directory (tenant) ID**", as both will be needed for deployment. 
+ +![DCRLogIngestion_App_Registration_3](Images/DCRLogIngestion_App_Registration_3.png) + +Next, you will need to add permissions for the app registration to call the Microsoft Graph and Office 365 API endpoints. From the left menu blade, click "**API permissions**" under the "**Manage**" section. Then, click "**Add a permission**". + +![DCRLogIngestion_App_Registration_4](Images/DCRLogIngestion_App_Registration_4.png) + +From the "**Select an API**" pane, click the "**Microsoft APIs**" tab and select "**Microsoft Graph**". + +![DCRLogIngestion_App_Registration_5](Images/DCRLogIngestion_App_Registration_5.png) + +Click "**Application permissions**", then paste "**AuditLog.Read.All**" in the search bar. Click the option matching the search, then click "**Add permission**". + +![DCRLogIngestion_App_Registration_6](Images/DCRLogIngestion_App_Registration_6.png) + +This process will need to be repeated for the Office 365 API. Click "**Add a permission**" once again and from the "**Select an API**" pane, click the "**Microsoft APIs**" tab and select "**Office 365 Management APIs**". + +![DCRLogIngestion_App_Registration_7](Images/DCRLogIngestion_App_Registration_7.png) + +Click "**Application permissions**", then paste "**ActivityFeed.Read**" in the search bar. Click the option matching the search, then click "**Add permission**". + +![DCRLogIngestion_App_Registration_8](Images/DCRLogIngestion_App_Registration_8.png) + +Admin consent will be needed before your app registration can use the assigned permission. Click "**Grant admin consent for (name)**". + +![DCRLogIngestion_App_Registration_9](Images/DCRLogIngestion_App_Registration_9.png) + +Lastly, a client secret will need to be generated for the app registration. From the left menu blade, click "**Certificates & secrets**" under the "**Manage**" section. Then, click "**New client secret**". 
+ +![DCRLogIngestion_App_Registration_10](Images/DCRLogIngestion_App_Registration_10.png) + +Enter a description and select the desired expiration date, then click "**Add**". + +![DCRLogIngestion_App_Registration_11](Images/DCRLogIngestion_App_Registration_11.png) + +Copy the value of the secret that is generated, as this will be needed for [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret). + +![DCRLogIngestion_App_Registration_12](Images/DCRLogIngestion_App_Registration_12.png) + +#### Create an App Registration Azure Key Vault Secret + +The secret from the previous step will need to be stored in the **tenant that is to receive the data**, as this is where the logic app will be deployed. Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults + +Navigate to an existing key vault or create a new one. From the key vault overview page, click the "**Secrets**" menu option, found under the "**Settings**" section. Click "**Generate/Import**". + +![DCRLogIngestion_Key_Vault_1](Images/DCRLogIngestion_Key_Vault_1.png) + +Choose a name for the secret, such as "**DCRLogIngestion-SendingAppRegClientSecret**", taking note of the value used, as it will be needed for deployment. Next enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). All other settings can be left as is. Click "**Create**". + +![DCRLogIngestion_Key_Vault_2](Images/DCRLogIngestion_Key_Vault_2.png) + +#### Create the Data Collection Endpoints + +From the **tenant that is to receive the data**, navigate to the Microsoft Data Collection Endpoints page: https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionendpoints + +Click "**Create**". 
+ +![DCRLogIngestion_Data_Collection_Endpoint_1](Images/DCRLogIngestion_Data_Collection_Endpoint_1.png) + +Enter "**EntraSignInLogsDCE**" as the Endpoint Name and select the Subscription and Resource Group. These should match the Subscription and Resource Group of the playbook you will deploy later. Ensure the Region location matches that of your workspace. Click "**Review + create**". + +![DCRLogIngestion_Data_Collection_Endpoint_2](Images/DCRLogIngestion_Data_Collection_Endpoint_2.png) + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Endpoint_3](Images/DCRLogIngestion_Data_Collection_Endpoint_3.png) + +Repeat this process for "**EntraAuditLogsDCE**". + +![DCRLogIngestion_Data_Collection_Endpoint_4](Images/DCRLogIngestion_Data_Collection_Endpoint_4.png) + +Repeat this process for "**OfficeActivityLogsDCE**". + +![DCRLogIngestion_Data_Collection_Endpoint_5](Images/DCRLogIngestion_Data_Collection_Endpoint_5.png) + +From each of the created Data Collection Endpoint overview pages, take note of the "**Logs Ingestion**" URLs, as they will be needed for deployment. + +![DCRLogIngestion_Data_Collection_Endpoint_6](Images/DCRLogIngestion_Data_Collection_Endpoint_6.png) + +#### Create the Data Collection Rules + +From the **tenant that is to receive the data**, navigate to the Microsoft Log Analytics Workspace page: https://portal.azure.com/#browse/Microsoft.OperationalInsights%2Fworkspaces + +Select the desired workspace. + +![DCRLogIngestion_Data_Collection_Rule_1](Images/DCRLogIngestion_Data_Collection_Rule_1.png) + +From the selected workspace, navigate to "**Tables**" located under settings, click "**Create**" and select "**New custom log (DCR based)**". + +![DCRLogIngestion_Data_Collection_Rule_2](Images/DCRLogIngestion_Data_Collection_Rule_2.png) + +First, click "**Create a new Data Collection Rule**" below the Data Collection Rule field. Then enter "**EntraSignInLogsDCR**" for the name in the window that appears on the right. 
Ensure the Subscription, Resource Group, and Region all look correct, then click "**Done**". + +![DCRLogIngestion_Data_Collection_Rule_3](Images/DCRLogIngestion_Data_Collection_Rule_3.png) + +Next enter "**EntraSignInLogs**" as the table name and select "**EntraSignInLogsDCE**" from the drop-down list. If this option is not populating, double check the region used for the Data Collection Endpoint created in the previous step. Click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_4](Images/DCRLogIngestion_Data_Collection_Rule_4.png) + +The next step will prompt you for a data sample. + +![DCRLogIngestion_Data_Collection_Rule_5](Images/DCRLogIngestion_Data_Collection_Rule_5.png) + +Upload the file content located at [Samples/SignInLogsSample.json](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/SignInLogsSample.json), then click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_6](Images/DCRLogIngestion_Data_Collection_Rule_6.png) + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Rule_7](Images/DCRLogIngestion_Data_Collection_Rule_7.png) + +This process will need to be repeated for "**EntraAuditLogsDCR**". After creating the "**EntraAuditLogsDCR**" Data Collection Rule in the way that was shown for "**EntraSignInLogsDCR**", enter "**EntraAuditLogs**" as the table name and select "**EntraAuditLogsDCE**" from the drop-down list. + +![DCRLogIngestion_Data_Collection_Rule_8](Images/DCRLogIngestion_Data_Collection_Rule_8.png) + +Upload the file content located at [Samples/AuditLogsSample.json](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/AuditLogsSample.json), then click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_9](Images/DCRLogIngestion_Data_Collection_Rule_9.png) + +Click "**Create**". 
+ +![DCRLogIngestion_Data_Collection_Rule_10](Images/DCRLogIngestion_Data_Collection_Rule_10.png) + +This process will need to be repeated for "**OfficeActivityLogsDCR**". After creating the "**OfficeActivityLogsDCR**" Data Collection Rule in the way that was shown for “**EntraSignInLogsDCR**", enter "**OfficeActivityLogs**" as the table name and select "**OfficeActivityLogsDCE**" from the drop down list. + +![DCRLogIngestion_Data_Collection_Rule_11](Images/DCRLogIngestion_Data_Collection_Rule_11.png) + +Upload the file content located at [Samples/OfficeActivityLogsSample.json](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Samples/O365GeneralAuditLogsSample.json), then click "**Next**". + +![DCRLogIngestion_Data_Collection_Rule_12](Images/DCRLogIngestion_Data_Collection_Rule_12.png) + +Click "**Create**". + +![DCRLogIngestion_Data_Collection_Rule_13](Images/DCRLogIngestion_Data_Collection_Rule_13.png) + +From each of the created [Data Collection Rule overview pages](https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules), take note of the "**Immutable Id**" values, as they will be needed for deployment. + +![DCRLogIngestion_Data_Collection_Rule_14](Images/DCRLogIngestion_Data_Collection_Rule_14.png) + +Lastly, from each of the created Data Collection Rule data sources pages, take note of the "**Data source**" values, as they will be needed for deployment. + +![DCRLogIngestion_Data_Collection_Rule_15](Images/DCRLogIngestion_Data_Collection_Rule_15.png) + +#### Create an App Registration for the DCRs + +From the **tenant that is to receive the data**, navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade + +Click "**New registration**". 
+
+![DCRLogIngestion_App_Registration_DCR_1](Images/DCRLogIngestion_App_Registration_DCR_1.png)
+
+Enter "**DCRLogIngestionAppReg**" for the name and select "**Accounts in this organizational directory only**" for "**Supported account types**. All else can be left as is. Click "**Register**"
+
+![DCRLogIngestion_App_Registration_DCR_2](Images/DCRLogIngestion_App_Registration_DCR_2.png)
+
+Once the app registration is created, you will be redirected to the "**Overview**" page. Under the "**Essentials**" section, take note of the "**Application (client) ID**", as this will be needed for deployment.
+
+![DCRLogIngestion_App_Registration_DCR_3](Images/DCRLogIngestion_App_Registration_DCR_3.png)
+
+A client secret will need to be generated for the app registration. From the left menu blade, click "**Certificates & secrets**" under the "**Manage**" section. Then, click "**New client secret**”. Enter a description and select the desired expiration date, then click "**Add**".
+
+![DCRLogIngestion_App_Registration_DCR_4](Images/DCRLogIngestion_App_Registration_DCR_4.png)
+
+Copy the value of the secret that is generated, as this will be needed for [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret).
+
+![DCRLogIngestion_App_Registration_DCR_5](Images/DCRLogIngestion_App_Registration_DCR_5.png)
+
+Next, IAM access for this App Registration will need to be added from each of the DCRs created in the previous step. Navigate to the Data Collection Rules page: https://portal.azure.com/#browse/microsoft.insights%2Fdatacollectionrules
+
+Select the "**EntraSignInLogsDCR**" and select "**Access control (IAM)**". Click "**Add**" and select "**Add role assignment**".
+
+![DCRLogIngestion_App_Registration_DCR_6](Images/DCRLogIngestion_App_Registration_DCR_6.png)
+
+Select "**Monitoring Metrics Publisher**" and click "**Next**".
+
+![DCRLogIngestion_App_Registration_DCR_7](Images/DCRLogIngestion_App_Registration_DCR_7.png)
+
+Select "**User, group, or service principal**" as the access option, then click "**Select members**". Paste "**DCRLogIngestionAppReg**" into the search bar at the top of the right pane and select the app registration that appears, then click "**Select**".
+
+![DCRLogIngestion_App_Registration_DCR_8](Images/DCRLogIngestion_App_Registration_DCR_8.png)
+
+Click "**Review + assign**".
+
+![DCRLogIngestion_App_Registration_DCR_9](Images/DCRLogIngestion_App_Registration_DCR_9.png)
+
+Repeat this process for the "**EntraAuditLogsDCR**".
+
+![DCRLogIngestion_App_Registration_DCR_10](Images/DCRLogIngestion_App_Registration_DCR_10.png)
+
+Lastly, repeat this process for "**OfficeActivityLogsDCR**".
+
+![DCRLogIngestion_App_Registration_DCR_11](Images/DCRLogIngestion_App_Registration_DCR_11.png)
+
+#### Create a Receiving App Registration Azure Key Vault Secret
+
+As before, secret from the previous step will need to be stored in the **tenant that is to receive the data**. Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults
+
+Navigate to an existing key vault or create a new one. From the key vault overview page, click the "**Secrets**" menu option, found under the "**Settings**" section. Click "**Generate/Import**".
+
+![DCRLogIngestion_Key_Vault_1](Images/DCRLogIngestion_Receiving_Key_Vault_1.png)
+
+Choose a name for the secret, such as "**DCRLogIngestion-ReceivingAppRegClientSecret**", taking note of the value used, as it will be needed for deployment. Next enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration). All other settings can be left as is. Click "**Create**".
+
+![DCRLogIngestion_Key_Vault_2](Images/DCRLogIngestion_Receiving_Key_Vault_2.png)
+
+#
+### Deployment
+
+To configure and deploy this playbook:
+
+Open your browser and ensure you are logged into your Microsoft Sentinel workspace from the **tenant that is to receive the data**. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub repository:
+
+https://github.com/Accelerynt-Security/AS-Microsoft-DCR-Log-Ingestion
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json)
+[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Microsoft-DCR-Log-Ingestion%2Fazuredeploy.json)
+
+Click the "**Deploy to Azure**" button at the bottom and it will bring you to the custom deployment template.
+
+In the **Project Details** section:
+
+* Select the "**Subscription**" and "**Resource Group**" from the dropdown boxes you would like the playbook deployed to.
+
+In the **Instance Details** section:
+
+* **Playbook Name**: This can be left as "**AS-Microsoft-DCR-Log-Ingestion**" or you may change it.
+
+* **Sending App Registration Tenant Id**: Enter the Directory (tenant) Id of the App Registration that will be used to send data, referenced in [Create an App Registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration).
+
+* **Sending App Registration Client Id**: Enter the Application (client) ID of the App Registration that will be used to send data, referenced in [Create an App Registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration).
+
+* **Sending Tenant Subscription ID**: Enter the [subscription ID](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) of the tenant that will be sending the data.
+
+* **Receiving App Registration Client Id**: Enter the Application (client) ID of the App Registration that will be used to receive data, referenced in [Create an App Registration for the DCRs](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-for-the-dcrs).
+
+* **Key Vault Name**: Enter the name of the key vault referenced in [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-azure-key-vault-secret).
+
+* **Sending App Registration Key Vault Secret Name**: Name of Key Vault Secret that contains the sending App Registration client secret, created in [Create an App Registration Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-an-app-registration-azure-key-vault-secret).
+
+* **Receiving App Registration Key Vault Secret Name**: Name of Key Vault Secret that contains the receiving App Registration client secret, created in [Create a Receiving App Registration Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-a-receiving-app-registration-azure-key-vault-secret).
+
+* **Entra Sign In Logs Ingestion URL**: Enter the Logs Ingestion URL from the EntraSignInLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints).
+
+* **Entra Sign In Logs Immutable Id**: Enter the Logs Ingestion Immutable Id from the EntraSignInLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules).
+
+* **Entra Sign In Logs Data Source**: Enter the Logs Ingestion Data Source from the EntraSignInLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules).
+
+* **Entra Audit Logs Ingestion URL**: Enter the Logs Ingestion URL from the EntraAuditLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints).
+
+* **Entra Audit Logs Immutable Id**: Enter the Logs Ingestion Immutable Id from the EntraAuditLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules).
+
+* **Entra Audit Logs Data Source**: Enter the Logs Ingestion Data Source from the EntraAuditLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules).
+
+* **Office Activity Ingestion URL**: Enter the Logs Ingestion URL from the OfficeActivityLogs DCE, referenced in [Create the Data Collection Endpoints](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-endpoints).
+
+* **Office Activity Immutable Id**: Enter the Logs Ingestion Immutable Id from the OfficeActivityLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules).
+
+* **Office Activity Data Source**: Enter the Logs Ingestion Data Source from the OfficeActivityLogs DCR, referenced in [Create the Data Collection Rules](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion#create-the-data-collection-rules).
+
+Towards the bottom, click on "**Review + create**".
+
+![DCRLogIngestion_Deploy_1](Images/DCRLogIngestion_Deploy_1.png)
+
+Once the resources have validated, click on "**Create**".
+
+![DCRLogIngestion_Deploy_2](Images/DCRLogIngestion_Deploy_2.png)
+
+The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "**Deployment details**" section to view them.
+Click the one corresponding to the Logic App.
+
+![DCRLogIngestion_Deploy_3](Images/DCRLogIngestion_Deploy_3.png)
+
+#
+### Granting Access to Azure Key Vault
+
+Before the Logic App can run successfully, the key vault connection created during deployment must be granted access to the key vault storing your app registration client secrets, located in the **tenant that is to receive the data**.
+
+From the Logic App menu blade, select the "**Identity**" tab, located under the "**Settings**" section. Click "**Azure role assignments**".
+
+![DCRLogIngestion_Key_Vault_Access_1](Images/DCRLogIngestion_Key_Vault_Access_1.png)
+
+Click "**Add role assignment**" then select "**Key Vault**" as the scope, select your Key Vault Name, then select "**Key Vault Secrets User**" for the role. Click "**Save**".
+
+![DCRLogIngestion_Key_Vault_Access_2](Images/DCRLogIngestion_Key_Vault_Access_2.png)
+
+#
+### Ensuring your Subscription is Enabled
+
+To ensure the subscription is enabled for the app registration used to access the"**O365 Audit General Logs**", the [OfficeAuditSubscribtionEnable](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Microsoft-DCR-Log-Ingestion/blob/main/Scripts/OfficeAuditSubscribtionEnable.ps1) should be run from an [Azure Cloud Shell Window](https://learn.microsoft.com/en-us/azure/cloud-shell/new-ui-shell-window) from the tenant you wish to **send the Microsoft Graph and Office data from**.
+
+![DCRLogIngestion_Azure_Cloud_Shell_1](Images/DCRLogIngestion_Azure_Cloud_Shell_1.png)
+Click the "**PowerShell**" option, then select the appropriate subscription for the sending tenant.
+
+![DCRLogIngestion_Azure_Cloud_Shell_2](Images/DCRLogIngestion_Azure_Cloud_Shell_2.png)
+
+Copy and paste the script into the Azure Cloud Shell PowerShell window and hit enter. You will be prompted to enter your **sending** tenant, as well as the **sending** app registration client ID and client secret.
+
+![DCRLogIngestion_Azure_Cloud_Shell_3](Images/DCRLogIngestion_Azure_Cloud_Shell_3.png)
+
+#
+### Enable the Logic App
+
+After all of the above steps are completed, from the Logic App Overview page, click "**Enable**".
+
+![DCRLogIngestion_Logic_App_Enable_1](Images/DCRLogIngestion_Logic_App_Enable_1.png)
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/AuditLogsSample.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/AuditLogsSample.json
new file mode 100644
index 00000000000..4bf6318837a
--- /dev/null
+++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/AuditLogsSample.json
@@ -0,0 +1,278 @@ +[ + { + "id": "Directory_sample-id_1", + "category": "Device", + "correlationId": "sample-correlation-id-1", + "result": "success", + "resultReason": "", + "activityDisplayName": "Update device", + "activityDateTime": "2024-09-14T00:46:35.7046089Z", + "TimeGenerated": "2024-09-14T00:46:35.7046089Z", + "loggedByService": "Core Directory", + "operationType": "Update", + "initiatedBy": { + "user": null, + "app": { + "appId": null, + "displayName": "Device Registration Service", + "servicePrincipalId": "sample-service-principal-id-1", + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-1", + "displayName": "Device1234", + "type": "Device", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [ + { + "displayName": "DeviceOSVersion", + "oldValue": "[\"10.0.19045.4651\"]", + "newValue": "[\"10.0.19045.4780\"]" + }, + { + "displayName": "Included Updated Properties", + "oldValue": null, + "newValue": "\"DeviceOSVersion\"" + }, + { + "displayName": "TargetId.DeviceId", + "oldValue": null, + "newValue": "\"sample-device-id-1\"" + }, + { + "displayName": "TargetId.DeviceOSType", + "oldValue": null, + "newValue": "\"Windows\"" + }, + { + "displayName": "TargetId.DeviceTrustType", + "oldValue": null, + "newValue": "\"ServerAd\"" + } + ] + } + ], + "additionalDetails": [ + { + "key": "DeviceId", + "value": "sample-device-id-1" + }, + { + "key": "DeviceOSType", + "value": "Windows" + }, + { + "key": "DeviceTrustType", + "value": "ServerAd" + }, + { + "key": "User-Agent", + "value": "Microsoft.OData.Client/7.12.5" + } + ] + }, + { + "id": "UserManagement_sample-id_2", + "category": "UserManagement", + "correlationId": "sample-correlation-id-2", + "result": "clientError", + "resultReason": null, + "activityDisplayName": "Invite external user", + "activityDateTime": "2024-09-14T00:46:19.8135019Z", + "TimeGenerated": "2024-09-14T00:46:19.8135019Z", + "loggedByService": "Invited Users", + 
"operationType": "Add", + "initiatedBy": { + "user": null, + "app": { + "appId": "sample-app-id-2", + "displayName": "Microsoft.Azure.SyncFabric", + "servicePrincipalId": null, + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-2", + "displayName": "John Doe (SUP)", + "type": "User", + "userPrincipalName": "john.doe_sample@domain.com", + "groupType": null, + "modifiedProperties": [] + } + ], + "additionalDetails": [ + { + "key": "oid", + "value": "sample-oid-1" + }, + { + "key": "tid", + "value": "sample-tid-1" + }, + { + "key": "ipaddr", + "value": "" + }, + { + "key": "wids", + "value": "sample-wids" + }, + { + "key": "InvitationId", + "value": "sample-invitation-id-1" + }, + { + "key": "invitedUserEmailAddress", + "value": "john.doe_sample@domain.com" + } + ] + }, + { + "id": "ProvisioningManagement_sample-id_3", + "category": "ProvisioningManagement", + "correlationId": "sample-correlation-id-3", + "result": "success", + "resultReason": "User 'sample.user@domain.com' was deleted in Microsoft Entra ID", + "activityDisplayName": "Export", + "activityDateTime": "2024-09-14T00:44:55.9931961Z", + "TimeGenerated": "2024-09-14T00:44:55.9931961Z", + "loggedByService": "Account Provisioning", + "operationType": "", + "initiatedBy": { + "user": null, + "app": { + "appId": null, + "displayName": "Azure AD Cloud Sync", + "servicePrincipalId": null, + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-3", + "displayName": "Sample cross-tenant", + "type": "ServicePrincipal", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [] + }, + { + "id": null, + "displayName": "sample.user@domain.com", + "type": "User", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [] + } + ], + "additionalDetails": [ + { + "key": "Details", + "value": "" + }, + { + "key": "ErrorCode", + "value": "" + }, + { + "key": "EventName", + "value": "EntryExportDelete" + }, + 
{ + "key": "ipaddr", + "value": null + }, + { + "key": "JoiningProperty", + "value": "[Type: 5, Identity Provider: , Key: sample-key]" + }, + { + "key": "oid", + "value": null + }, + { + "key": "SourceAnchor", + "value": "sample-source-anchor" + }, + { + "key": "TargetAnchor", + "value": "sample-target-anchor" + }, + { + "key": "tid", + "value": null + }, + { + "key": "wids", + "value": null + } + ] + }, + { + "id": "ProvisioningManagement_sample-id_4", + "category": "ProvisioningManagement", + "correlationId": "sample-correlation-id-4", + "result": "failure", + "resultReason": "Failed to update User 'jane.doe@domain.com'; Error: The domain portion of the userPrincipalName property is invalid.", + "activityDisplayName": "Export", + "activityDateTime": "2024-09-14T00:44:54.7303184Z", + "TimeGenerated": "2024-09-14T00:44:54.7303184Z", + "loggedByService": "Account Provisioning", + "operationType": "", + "initiatedBy": { + "user": null, + "app": { + "appId": null, + "displayName": "Azure AD Cloud Sync", + "servicePrincipalId": null, + "servicePrincipalName": null + } + }, + "targetResources": [ + { + "id": "sample-resource-id-4", + "displayName": "Sample cross-tenant", + "type": "ServicePrincipal", + "userPrincipalName": null, + "groupType": null, + "modifiedProperties": [ + { + "displayName": "streetAddress", + "oldValue": null, + "newValue": "\"123 Sample St\"" + }, + { + "displayName": "city", + "oldValue": null, + "newValue": "\"Sample City\"" + }, + { + "displayName": "state", + "oldValue": null, + "newValue": "\"Sample State\"" + }, + { + "displayName": "postalCode", + "oldValue": null, + "newValue": "\"12345\"" + }, + { + "displayName": "companyName", + "oldValue": null, + "newValue": "\"Sample Company\"" + }, + { + "displayName": "jobTitle", + "oldValue": null, + "newValue": "\"Sample Title\"" + } + ] + } + ], + "additionalDetails": [] + } +] 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/O365GeneralAuditLogsSample.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/O365GeneralAuditLogsSample.json
new file mode 100644
index 00000000000..7d8f5cf6aac
--- /dev/null
+++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/O365GeneralAuditLogsSample.json
@@ -0,0 +1,294 @@ +[ + { + "CreationTime": "2024-09-17T00:29:25", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-1", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-1", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0.0.0.0", + "ObjectId": "Unknown", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "ResultStatusDetail", + "Value": "Success" + }, + { + "Name": "UserAgent", + "Value": "Apple-iPad14C6/2107.93" + }, + { + "Name": "UserAuthenticationMethod", + "Value": "4194304" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Token" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-1", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0.0.0.0", + "InterSystemsId": "sample-intersystems-id-1", + "IntraSystemId": "sample-id-1", + "SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Ios" + }, + { + "Name": "BrowserType", + "Value": "Other" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-1" + } + ], + "ErrorNumber": "0" + }, + { + "CreationTime": "2024-09-17T00:30:25", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-2", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-2", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0:0:0:0:0:0:0:0", + "ObjectId": "sample-object-id-2", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": 
"ResultStatusDetail", + "Value": "Redirect" + }, + { + "Name": "UserAgent", + "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Authorize" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-2", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0:0:0:0:0:0:0:0", + "InterSystemsId": "sample-intersystems-id-2", + "IntraSystemId": "sample-id-2", + "SupportTicketId": "", + "Target": [ + { + "ID": "sample-object-id-2", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "sample-application-id-2", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Windows10" + }, + { + "Name": "BrowserType", + "Value": "Edge" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-2" + } + ], + "ErrorNumber": "0" + }, + { + "CreationTime": "2024-09-17T00:26:56", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-3", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-3", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0:0:0:0:0:0:0:0", + "ObjectId": "Unknown", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "ResultStatusDetail", + "Value": "Success" + }, + { + "Name": "UserAgent", + "Value": "Apple-iPhone13C2/2107.93" + }, + { + "Name": "UserAuthenticationMethod", + "Value": "4194304" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Token" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-3", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0:0:0:0:0:0:0:0", + "InterSystemsId": "sample-intersystems-id-3", + "IntraSystemId": "sample-id-3", + 
"SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Ios" + }, + { + "Name": "BrowserType", + "Value": "Other" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-3" + } + ], + "ErrorNumber": "0" + }, + { + "CreationTime": "2024-09-17T00:28:55", + "TimeGenerated": "2024-09-13T01:13:17Z", + "Id": "sample-id-4", + "Operation": "UserLoggedIn", + "OrganizationId": "sample-org-id-1", + "RecordType": 15, + "ResultStatus": "Success", + "UserKey": "sample-user-key-4", + "UserType": 0, + "Version": 1, + "Workload": "AzureActiveDirectory", + "ClientIP": "0:0:0:0:0:0:0:0", + "ObjectId": "Unknown", + "UserId": "sample.user@domain.com", + "AzureActiveDirectoryEventType": 1, + "ExtendedProperties": [ + { + "Name": "ResultStatusDetail", + "Value": "Success" + }, + { + "Name": "UserAgent", + "Value": "Apple-iPhone14C6/2107.93" + }, + { + "Name": "UserAuthenticationMethod", + "Value": "4194304" + }, + { + "Name": "RequestType", + "Value": "OAuth2:Token" + } + ], + "ModifiedProperties": [], + "Actor": [ + { + "ID": "sample-user-key-4", + "Type": 0 + }, + { + "ID": "sample.user@domain.com", + "Type": 5 + } + ], + "ActorContextId": "sample-org-id-1", + "ActorIpAddress": "0:0:0:0:0:0:0:0", + "InterSystemsId": "sample-intersystems-id-4", + "IntraSystemId": "sample-id-4", + "SupportTicketId": "", + "Target": [ + { + "ID": "Unknown", + "Type": 0 + } + ], + "TargetContextId": "sample-org-id-1", + "ApplicationId": "00000002-0000-0ff1-ce00-000000000000", + "DeviceProperties": [ + { + "Name": "OS", + "Value": "Ios" + }, + { + "Name": "BrowserType", + "Value": "Other" + }, + { + "Name": "SessionId", + "Value": "sample-session-id-4" + } + ], + "ErrorNumber": "0" + } +] 
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/SignInLogsSample.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/SignInLogsSample.json
new file mode 100644
index 00000000000..49818f544c4
--- /dev/null
+++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Samples/SignInLogsSample.json
@@ -0,0 +1,146 @@ +[ + { + "id": "SIGNIN_ID_PLACEHOLDER_1", + "createdDateTime": "2024-09-13T01:13:51Z", + "userDisplayName": "User Placeholder", + "userPrincipalName": "user@example.com", + "userId": "USER_ID_PLACEHOLDER_1", + "appId": "APP_ID_PLACEHOLDER_1", + "appDisplayName": "App Placeholder", + "ipAddress": "IP_ADDRESS_PLACEHOLDER", + "clientAppUsed": "Browser", + "correlationId": "CORRELATION_ID_PLACEHOLDER_1", + "conditionalAccessStatus": "success", + "isInteractive": true, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Resource Placeholder", + "resourceId": "RESOURCE_ID_PLACEHOLDER", + "status": { + "errorCode": 0, + "failureReason": "Other.", + "additionalDetails": "MFA requirement satisfied by claim in the token" + }, + "TimeGenerated": "2024-09-13T01:13:17Z", + "deviceDetail": { + "deviceId": "DEVICE_ID_PLACEHOLDER_1", + "displayName": "Device Placeholder", + "operatingSystem": "Windows10", + "browser": "Edge 128.0.0", + "isCompliant": true, + "isManaged": true, + "trustType": "Azure AD joined" + }, + "location": { + "city": "City Placeholder", + "state": "State Placeholder", + "countryOrRegion": "Country Placeholder", + "geoCoordinates": { + "altitude": null, + "latitude": 0.00000, + "longitude": 0.00000 + } + }, + "appliedConditionalAccessPolicies": [] + }, + { + "id": "SIGNIN_ID_PLACEHOLDER_2", + "createdDateTime": "2024-09-13T01:13:48Z", + "userDisplayName": "User Placeholder", + "userPrincipalName": "user@example.com", + "userId": "USER_ID_PLACEHOLDER_1", + "appId": "APP_ID_PLACEHOLDER_1", + "appDisplayName": "App Placeholder", + "ipAddress": "IP_ADDRESS_PLACEHOLDER", + "clientAppUsed": "Browser", + "correlationId": "CORRELATION_ID_PLACEHOLDER_2", + "conditionalAccessStatus": "success", + "isInteractive": true, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + 
"riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Resource Placeholder", + "resourceId": "RESOURCE_ID_PLACEHOLDER", + "status": { + "errorCode": 65001, + "failureReason": "The user or administrator has not consented to use the application with ID '{identifier}'{namePhrase}. Send an interactive authorization request for this user and resource.", + "additionalDetails": "MFA requirement satisfied by claim in the token" + }, + "TimeGenerated": "2024-09-13T01:13:17Z", + "deviceDetail": { + "deviceId": "DEVICE_ID_PLACEHOLDER_1", + "displayName": "Device Placeholder", + "operatingSystem": "Windows10", + "browser": "Edge 128.0.0", + "isCompliant": true, + "isManaged": true, + "trustType": "Azure AD joined" + }, + "location": { + "city": "City Placeholder", + "state": "State Placeholder", + "countryOrRegion": "Country Placeholder", + "geoCoordinates": { + "altitude": null, + "latitude": 0.00000, + "longitude": 0.00000 + } + }, + "appliedConditionalAccessPolicies": [] + }, + { + "id": "SIGNIN_ID_PLACEHOLDER_3", + "createdDateTime": "2024-09-13T01:13:20Z", + "userDisplayName": "User Placeholder", + "userPrincipalName": "user@example.com", + "userId": "USER_ID_PLACEHOLDER_1", + "appId": "APP_ID_PLACEHOLDER_1", + "appDisplayName": "App Placeholder", + "ipAddress": "IP_ADDRESS_PLACEHOLDER", + "clientAppUsed": "Browser", + "correlationId": "CORRELATION_ID_PLACEHOLDER_3", + "conditionalAccessStatus": "success", + "isInteractive": true, + "riskDetail": "none", + "riskLevelAggregated": "none", + "riskLevelDuringSignIn": "none", + "riskState": "none", + "riskEventTypes": [], + "riskEventTypes_v2": [], + "resourceDisplayName": "Resource Placeholder", + "resourceId": "RESOURCE_ID_PLACEHOLDER", + "status": { + "errorCode": 0, + "failureReason": "Other.", + "additionalDetails": "MFA requirement satisfied by claim in the token" + }, + "TimeGenerated": "2024-09-13T01:13:17Z", + "deviceDetail": { + "deviceId": "DEVICE_ID_PLACEHOLDER_1", + 
"displayName": "Device Placeholder", + "operatingSystem": "Windows10", + "browser": "Edge 128.0.0", + "isCompliant": true, + "isManaged": true, + "trustType": "Azure AD joined" + }, + "location": { + "city": "City Placeholder", + "state": "State Placeholder", + "countryOrRegion": "Country Placeholder", + "geoCoordinates": { + "altitude": null, + "latitude": 0.00000, + "longitude": 0.00000 + } + }, + "appliedConditionalAccessPolicies": [] + } +] diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 new file mode 100644 index 00000000000..617f3bc6e48 --- /dev/null +++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/Scripts/OfficeAuditSubscribtionEnable.ps1 
@@ -0,0 +1,33 @@
+# Prompt for tenantId, clientId, and clientSecret
+$tenantId = Read-Host -Prompt "Enter Tenant ID"
+$clientId = Read-Host -Prompt "Enter Client ID"
+$clientSecret = Read-Host -Prompt "Enter Client Secret Value"
+
+# Get an OAuth token for the API
+$body = @{
+ grant_type = "client_credentials"
+ resource = "https://manage.office.com"
+ client_id = $clientId
+ client_secret = $clientSecret
+}
+
+$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" -ContentType "application/x-www-form-urlencoded" -Body $body
+$token = $tokenResponse.access_token
+
+# Check the subscription status
+$headers = @{
+ Authorization = "Bearer $token"
+}
+
+$uri = "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/list"
+$subscriptions = Invoke-RestMethod -Uri $uri -Headers $headers
+$subscriptions
+
+# Define the URL for starting the subscription
+$startUri = "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory"
+
+# Start the subscription
+$startSubscription = Invoke-RestMethod -Uri $startUri -Headers $headers -Method POST
+
+# Output the result
+$startSubscription
diff --git a/Playbooks/AS-Microsoft-DCR-Log-Ingestion/azuredeploy.json b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/azuredeploy.json
new file mode 100644
index 00000000000..4fc210da162
--- /dev/null
+++ b/Playbooks/AS-Microsoft-DCR-Log-Ingestion/azuredeploy.json
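Review bot: The client secret is read with a plain `Read-Host` on the fourth line of the script, so it is echoed to the terminal as typed and held as a plain string in session state (and any Cloud Shell transcript); read it with `-AsSecureString` and unwrap it only when the token request body is built, as in the excerpt below. The list call's result is printed but never consulted, and the `start` endpoint is then called unconditionally; the Management Activity API reports an error rather than a no-op when a subscription is already enabled, so the list result should gate the start call on the `contentType`/`status` fields it returns. Because none of the `Invoke-RestMethod` calls run under `-ErrorAction Stop` or a `$ErrorActionPreference = 'Stop'` preamble, a failed token request leaves `$token` empty and the script carries on to send `Authorization: Bearer ` to the list endpoint, which surfaces as a confusing 401 instead of the real failure. The README describes this script as enabling the "O365 Audit General Logs" subscription, but the only content type started here is `Audit.AzureActiveDirectory`; if `Audit.General` is also consumed by the playbook it would need to be started separately.
```powershell
$ErrorActionPreference = 'Stop'   # do not fall through to the next request on a failed call
# … unchanged: tenantId / clientId prompts …
$clientSecret = Read-Host -Prompt "Enter Client Secret Value" -AsSecureString

$body = @{
    grant_type    = "client_credentials"
    resource      = "https://manage.office.com"
    client_id     = $clientId
    client_secret = [System.Net.NetworkCredential]::new('', $clientSecret).Password
}
# … unchanged: token request, headers, subscriptions list …
$contentType = "Audit.AzureActiveDirectory"
if ($subscriptions | Where-Object { $_.contentType -eq $contentType -and $_.status -eq "enabled" }) {
    Write-Host "Subscription for $contentType is already enabled; nothing to start."
    return
}
$startUri = "https://manage.office.com/api/v1.0/$tenantId/activity/feed/subscriptions/start?contentType=$contentType"
# … unchanged: start request and output …
```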
@@ -0,0 +1,482 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "AS-Microsoft-DCR-Log-Ingestion", + "description": "This playbook is intended to be run ", + "preDeployment": ["App registration", "Data collection Endpoints", "Data Collection Rules", "Azure Keyvault Secret"], + "postDeployment": ["Access to the Azure Key Vault must be granted to the playbook"], + "lastUpdateTime": "2024-08-21T17:48:00Z", + "tags": ["Microsoft Graph", "Microsoft Office"], + "support": { + "tier": "partner" + }, + "author": { + "name": "Accelerynt" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "AS-Microsoft-DCR-Log-Ingestion", + "type": "string", + "metadata": { + "description": "Name of the Logic App resource to be created" + } + }, + "SendingAppRegistrationTenantId": { + "type": "string", + "metadata" : { + "description" : "Enter the Directory (tenant) Id of the App Registration that will be used to send data" + } + }, + "SendingAppRegistrationClientID": { + "type": "string", + "metadata" : { + "description" : "Enter the Application (client) ID of the App Registration that will be used to send data" + } + }, + "SendingTenantSubscriptionID": { + "type": "string", + "metadata" : { + "description" : "Enter the subscription ID for the tenant that will send the data" + } + }, + "ReceivingAppRegistrationClientID": { + "type": "string", + "metadata" : { + "description" : "Enter the Application (client) ID of the App Registration that will be used to receive data" + } + }, + "KeyVaultName": { + "type": "string", + "metadata" : { + "description" : "Name of the Key Vault that stores the App Registration client secrets" + } + }, + "SendingAppRegistrationKeyVaultSecretName": { + "type": "string", + "metadata": { + "description": "Name of Key Vault Secret that contains the sending App Registration client secret" + } + }, + "ReceivingAppRegistrationKeyVaultSecretName": 
{ + "type": "string", + "metadata": { + "description": "Name of Key Vault Secret that contains the receiving App Registration client secret" + } + }, + "EntraSignInLogsIngestionURL": { + "type": "string", + "metadata": { + "description": "Enter the Logs Ingestion URL from the EntraSignInLogs DCE" + } + }, + "EntraSignInLogsImmutableId": { + "type": "string", + "metadata": { + "description": "Enter the ImmutableId from the EntraSignInLogs DCR" + } + }, + "EntraSignInLogsDataSource": { + "type": "string", + "metadata": { + "description": "Enter the data source from the EntraSignInLogs DCR" + } + }, + "EntraAuditLogsIngestionURL": { + "type": "string", + "metadata": { + "description": "Enter the Logs Ingestion URL from the EntraAuditLogs DCE" + } + }, + "EntraAuditLogsImmutableId": { + "type": "string", + "metadata": { + "description": "Enter the ImmutableId from the EntraAuditLogs DCR" + } + }, + "EntraAuditLogsDataSource": { + "type": "string", + "metadata": { + "description": "Enter the data source from the EntraAuditLogs DCR" + } + }, + "OfficeActivityIngestionURL": { + "type": "string", + "metadata": { + "description": "Enter the Logs Ingestion URL from the OfficeActivty DCE" + } + }, + "OfficeActivtyImmutableId": { + "type": "string", + "metadata": { + "description": "Enter the ImmutableId from the OfficeActivty DCR" + } + }, + "OfficeActivtyDataSource": { + "type": "string", + "metadata": { + "description": "Enter the data source from the OfficeActivty DCR" + } + } + }, + "variables": { + "keyvault": "[concat('keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('keyvault')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[parameters('PlaybookName')]", + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[parameters('KeyVaultName')]" + }, + "customParameterValues": { + }, 
+ "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('keyvault'))]" + ], + "properties": { + "state": "Disabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "evaluatedRecurrence": { + "frequency": "Minute", + "interval": 5 + }, + "recurrence": { + "frequency": "Minute", + "interval": 5 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_Each_-_O365_Audit_Logs": { + "actions": { + "For_each_-_Content_URI_Item": { + "actions": { + "HTTP_-_Send_Data_to_Office_Activity_Logs_Data_Collection_Endpoint": { + "inputs": { + "body": [ + "@items('For_each_-_Content_URI_Item')" + ], + "headers": { + "Authorization": "Bearer @{body('HTTP_-_Authenticate_to_OfficeActivityLogs_Data_Collection_Endpoint')?['access_token']}", + "Content-Length": "@{length(string(items('For_each_-_Content_URI_Item')))}", + "Content-Type": "application/json", + "Host": "[parameters('OfficeActivityIngestionURL')]" + }, + "method": "POST", + "uri": "[concat(parameters('OfficeActivityIngestionURL'), '/dataCollectionRules/', parameters('OfficeActivtyImmutableId'), '/streams/', parameters('OfficeActivtyDataSource'), '?api-version=2023-01-01')]" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@json(body('HTTP_-_Get_O365_Content'))", + "runAfter": { + "HTTP_-_Get_O365_Content": [ + 
"Succeeded" + ] + }, + "type": "Foreach" + }, + "HTTP_-_Get_O365_Content": { + "inputs": { + "authentication": { + "audience": "https://manage.office.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "method": "GET", + "uri": "@{items('For_Each_-_O365_Audit_Logs')?['contentUri']}" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@body('HTTP_-_Get_O365_Audit_General_Logs')", + "runAfter": { + "HTTP_-_Authenticate_to_OfficeActivityLogs_Data_Collection_Endpoint": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_-_Entra_Audit_Logs": { + "actions": { + "HTTP_-_Send_Data_to_Entra_Audit_Log_Data_Collection_Endpoint": { + "inputs": { + "body": [ + "@items('For_each_-_Entra_Audit_Logs')" + ], + "headers": { + "Authorization": "Bearer @{body('HTTP-_Authenticate_to_Entra_AuditLogs_Data_Collection_Endpoint')?['access_token']}", + "Content-Length": "@{length(string(items('For_each_-_Entra_Audit_Logs')))}", + "Content-Type": "application/json", + "Host": "[parameters('EntraAuditLogsIngestionURL')]" + }, + "method": "POST", + "uri": "[concat(parameters('EntraAuditLogsIngestionURL'), '/dataCollectionRules/', parameters('EntraAuditLogsImmutableId'), '/streams/', parameters('EntraAuditLogsDataSource'), '?api-version=2023-01-01')]" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@body('HTTP_-_Get_Entra_Audit_Logs')?['value']", + "runAfter": { + "HTTP-_Authenticate_to_Entra_AuditLogs_Data_Collection_Endpoint": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_-_Entra_Sign_in_Logs": { + "actions": { + "HTTP_-_Send_Data_to_SignInLog_Data_Collection_Endpoint": { + "inputs": { + "body": [ + "@items('For_each_-_Entra_Sign_in_Logs')" + ], + "headers": { + "Authorization": "Bearer 
@{body('HTTP_-_Authenticate_to_SignInLogs_Data_Collection_Endpoint')?['access_token']}", + "Content-Length": "@{length(string(items('For_each_-_Entra_Sign_in_Logs')))}", + "Content-Type": "application/json", + "Host": "[parameters('EntraSignInLogsIngestionURL')]" + }, + "method": "POST", + "uri": "[concat(parameters('EntraSignInLogsIngestionURL'), '/dataCollectionRules/', parameters('EntraSignInLogsImmutableId'), '/streams/', parameters('EntraSignInLogsDataSource'), '?api-version=2023-01-01')]" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@body('HTTP_-_Get_Entra_SignIn_Logs')?['value']", + "runAfter": { + "HTTP_-_Authenticate_to_SignInLogs_Data_Collection_Endpoint": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "HTTP-_Authenticate_to_Entra_AuditLogs_Data_Collection_Endpoint": { + "inputs": { + "body": "[concat('grant_type=client_credentials&client_id=', parameters('ReceivingAppRegistrationClientID'),'&client_secret=@{body(''Get_Receiving_App_Registration_Client_Secret'')?[''value'']}&scope=https://monitor.azure.com/.default')]", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]" + }, + "runAfter": { + "HTTP_-_Get_Entra_Audit_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Authenticate_to_OfficeActivityLogs_Data_Collection_Endpoint": { + "inputs": { + "body": "[concat('grant_type=client_credentials&client_id=', parameters('ReceivingAppRegistrationClientID'),'&client_secret=@{body(''Get_Receiving_App_Registration_Client_Secret'')?[''value'']}&scope=https://monitor.azure.com/.default')]", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]" + }, + "runAfter": { + "HTTP_-_Get_O365_Audit_General_Logs": [ + "Succeeded" + ] + }, + "type": 
"Http" + }, + "HTTP_-_Authenticate_to_SignInLogs_Data_Collection_Endpoint": { + "inputs": { + "body": "[concat('grant_type=client_credentials&client_id=', parameters('ReceivingAppRegistrationClientID'),'&client_secret=@{body(''Get_Receiving_App_Registration_Client_Secret'')?[''value'']}&scope=https://monitor.azure.com/.default')]", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]" + }, + "runAfter": { + "HTTP_-_Get_Entra_SignIn_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Get_Entra_Audit_Logs": { + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "headers": { + "Accept": "application/json", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=activityDateTime ge @{addMinutes(variables('UTCNow'), -5)}" + }, + "runAfter": { + "Get_Receiving_App_Registration_Client_Secret": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Get_Entra_SignIn_Logs": { + "inputs": { + "authentication": { + "audience": "https://graph.microsoft.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "headers": { + "Accept": "application/json", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=createdDateTime ge @{addMinutes(variables('UTCNow'), -5)}" + }, + "runAfter": { + 
"For_each_-_Entra_Audit_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "HTTP_-_Get_O365_Audit_General_Logs": { + "inputs": { + "authentication": { + "audience": "https://manage.office.com", + "clientId": "[parameters('SendingAppRegistrationClientID')]", + "secret": "@{body('Get_Sending_App_Registration_Client_Secret')?['value']}", + "tenant": "[parameters('SendingAppRegistrationTenantId')]", + "type": "ActiveDirectoryOAuth" + }, + "headers": { + "Accept": "application/json", + "Content-Type": "application/json" + }, + "method": "GET", + "uri": "[concat('https://manage.office.com/api/v1.0/', parameters('SendingTenantSubscriptionID'),'/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory&PublisherIdentifier=Microsoft?&startTime=@{addMinutes(variables(''UTCNow''), -5)}&endTime=@{variables(''UTCNow'')}')]" + }, + "runAfter": { + "For_each_-_Entra_Sign_in_Logs": [ + "Succeeded" + ] + }, + "type": "Http" + }, + "Initialize_variable_-_UTC_Now": { + "description": "Get the current time stamp so it is the same in all references", + "inputs": { + "variables": [ + { + "name": "UTCNow", + "type": "string", + "value": "@{utcNow()}" + } + ] + }, + "runAfter": {}, + "type": "InitializeVariable" + }, + "Get_Sending_App_Registration_Client_Secret": { + "runAfter": { + "Initialize_variable_-_UTC_Now": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "[concat('/secrets/@{encodeURIComponent(''', parameters('SendingAppRegistrationKeyVaultSecretName'), ''')}/value')]" + } + }, + "Get_Receiving_App_Registration_Client_Secret": { + "runAfter": { + "Get_Sending_App_Registration_Client_Secret": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": 
"[concat('/secrets/@{encodeURIComponent(''', parameters('ReceivingAppRegistrationKeyVaultSecretName'), ''')}/value')]" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('keyvault'))]", + "connectionName": "[variables('keyvault')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + } + ] +} diff --git a/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip b/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip new file mode 100644 index 00000000000..9f034c2efbc Binary files /dev/null and b/Playbooks/MDTI-Actor-Lookup/FunctionApp.zip differ diff --git a/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip b/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip deleted file mode 100644 index 95b538b7762..00000000000 Binary files a/Playbooks/MDTI-Actor-Lookup/MDTIAFunc.zip and /dev/null differ diff --git a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json index 837be74ed75..e8ff60960c0 100644 --- a/Playbooks/MDTI-Actor-Lookup/azuredeploy.json +++ b/Playbooks/MDTI-Actor-Lookup/azuredeploy.json @@ -2,13 +2,13 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { - "title": "", - "description": "", + "title": "MTI Threat Actor Lookup", + "description": "To be deployed with the bundled function app to automate infrastructure chaining with the MTI API", "prerequisites": "", "postDeployment": [ ], "prerequisitesDeployTemplateFile": "", - "lastUpdateTime": "", + "lastUpdateTime": "2024-10-18T09:44:59Z", "entities": [ ], "tags": [ 
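Review bot: None of the actions that handle secrets set `runtimeConfiguration.secureData`, so the two Key Vault reads (`Get_Sending_App_Registration_Client_Secret`, `Get_Receiving_App_Registration_Client_Secret`) and the three token POSTs (`HTTP-_Authenticate_to_Entra_AuditLogs_Data_Collection_Endpoint` and its two siblings) write the client secrets and the returned bearer tokens into the Logic App run history in plaintext, where anyone who can read run history can copy them. Add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }` to each of those five actions — the same setting the previous MDTI-Actor-Lookup definition in this diff used on its function call. The receiving secret is also concatenated raw into the `application/x-www-form-urlencoded` body; wrapping it as `encodeUriComponent(body('Get_Receiving_App_Registration_Client_Secret')?['value'])` avoids a silent auth failure should a secret ever contain `&`, `+` or `%`. Separately, the O365 content URI carries a stray `?` in `PublisherIdentifier=Microsoft?&startTime=`, and `SendingTenantSubscriptionID` is inserted where the companion PowerShell script passes `$tenantId` in the same `/api/v1.0/{id}/activity/feed/...` path, so the parameter's "subscription ID" description looks wrong and is worth confirming.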
@@ -18,18 +18,24 @@ "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" }, "author": { - "name": "" + "name": "Geoff Roote" } }, "parameters": { "PlaybookName": { "defaultValue": "MDTI-Actor-LookupV2", "type": "string" + }, + "Function App URL": { + "type": "String", + "metadata": { + "description": "Enter value for Function App URL" + } } }, "variables": { "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "azuresentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "AzuresentinelConnectionName": "[concat('Azuresentinel-', parameters('PlaybookName'))]", "SecuritycopilotConnectionName": "[concat('Securitycopilot-', parameters('PlaybookName'))]", "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" }, @@ -46,6 +52,10 @@ "defaultValue": { }, "type": "Object" + }, + "Function App URL": { + "defaultValue": "[parameters('Function App URL')]", + "type": "String" } }, "triggers": { @@ -121,7 +131,7 @@ }, "Compose_2": { "type": "Compose", - "inputs": "@concat(string(body('Parse_JSON_1')?['name']), ', ', string(body('Parse_JSON_1')?['description']))" + "inputs": "@concat(string(item()?['name']), ', ', string(item()?['description']))" }, "Condition_2": { "actions": { @@ -147,21 +157,9 @@ } }, "Compose_3": { - "runAfter": { - "Join_1": [ - "Succeeded" - ] - }, "type": "Compose", "inputs": "@body('Join_1')" }, - "Join_1": { - "type": "Join", - "inputs": { - "from": "@variables('entity_host')", - "joinWith": "\n" - } - }, "Submit_a_Copilot_for_Security_prompt_2": { "runAfter": { "Compose_3": [ @@ -213,7 +211,7 @@ } }, "runAfter": { - "Append_to_array_variable_1": [ + "Join_1": [ "Succeeded" ] }, 
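Review bot: The new `Function App URL` parameter is documented only as "Enter value for Function App URL", but the later hunks consume it as `@{parameters('Function App URL')}item=…`, so it must be the full function route ending in `?` (apparently `https://<app>.azurewebsites.net/api/mdtipdns?`, going by the hard-coded URL removed further down) and a bare host name will build an unusable request. Either say so, `"description": "Full URL of the mdtipdns function including the trailing '?', e.g. https://<app>.azurewebsites.net/api/mdtipdns?"`, or append `?item=` in the workflow so the parameter can be a plain URL. Also, the rename of `azuresentinelConnectionName` to `AzuresentinelConnectionName` with the `Azuresentinel-` prefix appears, at the end of this diff, to register that connection under the same `azuresentinel` key as `MicrosoftSentinelConnectionName` inside `$connections`; a duplicate key there silently keeps only one of the two connections, so please verify that section.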
@@ -232,6 +230,18 @@ ] }, "type": "If" + }, + "Join_1": { + "runAfter": { + "Append_to_array_variable_1": [ + "Succeeded" + ] + }, + "type": "Join", + "inputs": { + "from": "@variables('entity_host')", + "joinWith": "\n" + } } }, "runAfter": { @@ -355,7 +365,7 @@ }, "Compose": { "type": "Compose", - "inputs": "@concat(string(body('Parse_JSON')?['name']), ', ', string(body('Parse_JSON')?['description']))" + "inputs": "@concat(string(item()?['name']), ', ', string(item()?['description']))" }, "Condition_1": { "actions": { @@ -381,21 +391,9 @@ } }, "Compose_1": { - "runAfter": { - "Join": [ - "Succeeded" - ] - }, "type": "Compose", "inputs": "replace(replace(body('Join'), 'Cyber Threat Intelligence', ''), ',', '')" }, - "Join": { - "type": "Join", - "inputs": { - "from": "@variables('entity_ip')", - "joinWith": "\n" - } - }, "Submit_a_Copilot_for_Security_prompt_1": { "runAfter": { "Compose_1": [ @@ -447,7 +445,7 @@ } }, "runAfter": { - "Append_to_array_variable": [ + "Join": [ "Succeeded" ] }, @@ -466,6 +464,18 @@ ] }, "type": "If" + }, + "Join": { + "runAfter": { + "Append_to_array_variable": [ + "Succeeded" + ] + }, + "type": "Join", + "inputs": { + "from": "@variables('entity_ip')", + "joinWith": "\n" + } } }, "runAfter": { 
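Review bot: In the `@@ -381` hunk, `Compose_1` is a context line the commit leaves as is, but its input `"replace(replace(body('Join'), 'Cyber Threat Intelligence', ''), ',', '')"` has no leading `@`, so Logic Apps treats it as a literal string and `Submit_a_Copilot_for_Security_prompt_1` receives the expression text instead of the cleaned IP list; it should read `"@replace(replace(body('Join'), 'Cyber Threat Intelligence', ''), ',', '')"`. Since this commit already hoists `Join` out of the branch and strips `Compose_1`'s `runAfter`, it is the right moment to fix that line too. The enclosing `Condition_1` and `For_each` scopes start before this hunk.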
@@ -572,111 +582,222 @@ "For_each_3": { "foreach": "@body('Entities_-_Get_IPs')?['IPs']", "actions": { - "Append_to_array_variable_3": { - "runAfter": { - "Function_App_call": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable", + "Function_App_call": { + "type": "Http", "inputs": { - "name": "groups", - "value": "@body('Function_App_call')" - } + "uri": "@{parameters('Function App URL')}item=@{items('For_each_3')?['Address']}\u0026code=@{body('Get_secret')?['value']}", + "method": "POST" + }, + "operationOptions": "DisableAsyncPattern" }, - "For_each_7": { - "foreach": "@variables('groups')", + "Condition_3": { "actions": { - "Compose_6": { - "type": "Compose", - "inputs": "@split(items('For_each_7'), ', ')\r\n" + "Parse_JSON_3": { + "type": "ParseJson", + "inputs": { + "content": "@body('Function_App_call')", + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + } }, - "Compose_7": { + "Select_1": { "runAfter": { - "Compose_6": [ + "Parse_JSON_3": [ "Succeeded" ] }, - "type": "Compose", - "inputs": "@first(outputs('Compose_6'))\r\n" + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_3')", + "select": { + "Group": "@split(item(), ',')[0]" + } + } + }, + "Select_2": { + "runAfter": { + "Compose_4": [ + "Succeeded" + ] + }, + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_3')", + "select": { + "Group": "@split(item(), ',')[0]", + "Domain": "@split(item(), ',')[1]" + } + } }, - "Condition": { + "For_each_5": { + "foreach": "@body('Select_2')", "actions": { - "Add_comment_to_incident_(V3)_1": { - "runAfter": { - "Submit_a_Copilot_for_Security_prompt": [ - "Succeeded" - ] - }, - "type": "ApiConnection", + "Append_to_array_variable_3": { + "type": "AppendToArrayVariable", "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "name": "groups", + "value": "@items('For_each_5')" + } + } + }, + "runAfter": { + "Select_2": [ + "Succeeded" + ] + }, + "type": 
"Foreach" + }, + "Compose_4": { + "runAfter": { + "Select_1": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@union(body('Select_1'), body('Select_1'))" + } + }, + "runAfter": { + "Function_App_call": [ + "Succeeded" + ] + }, + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "greater": [ + "@length(body('Function_App_Call'))", + 2 + ] + }, + { + "not": { + "equals": [ + "@body('Function_App_call')", + "" + ] + } + } + ] + }, + "type": "If" + }, + "Condition_9": { + "actions": { + "For_each_7": { + "foreach": "@outputs('Compose_4')", + "actions": { + "Condition": { + "actions": { + "Add_comment_to_incident_(V3)_1": { + "runAfter": { + "Submit_a_Copilot_for_Security_prompt": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{items('For_each_7')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt')?['EvaluationResultContent']}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" } }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{outputs('Compose_7')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt')?['EvaluationResultContent']}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Add_comment_to_incident_(V3)_4": { - "runAfter": { - "Add_comment_to_incident_(V3)_1": [ - "Succeeded" - ] + "Submit_a_Copilot_for_Security_prompt": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + 
}, + "method": "post", + "body": { + "PromptContent": "Provide a summary for actor group @{items('For_each_7')}" + }, + "path": "/process-prompt" + } + } }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_7')", + "" + ] + } + }, + { + "contains": [ + "@items('For_each_7')", + "Group" + ] } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table')}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Create_HTML_table": { - "type": "Table", - "inputs": { - "from": "@variables('groups')", - "format": "HTML" - } - }, - "Submit_a_Copilot_for_Security_prompt": { - "runAfter": { - "Create_HTML_table": [ - "Succeeded" ] }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['securitycopilot']['connectionId']" - } - }, - "method": "post", - "body": { - "PromptContent": "Provide a summary for actor group @{outputs('Compose_7')}" - }, - "path": "/process-prompt" + "type": "If" + } + }, + "type": "Foreach" + }, + "Create_HTML_table_2": { + "runAfter": { + "For_each_7": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "from": "@variables('groups')", + "format": "HTML" + } + }, + "Add_comment_to_incident_(V3)_4": { + "runAfter": { + "Create_HTML_table_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups 
and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_2')}\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e" + }, + "path": "/Incidents/Comment" + } + }, + "For_each_9": { + "foreach": "@body('Select_1')", + "actions": { "Update_incident_1": { - "runAfter": { - "Add_comment_to_incident_(V3)_4": [ - "Succeeded" - ] - }, "type": "ApiConnection", "inputs": { "host": { @@ -690,7 +811,7 @@ "tagsToAdd": { "TagsToAdd": [ { - "Tag": "@outputs('Compose_7')" + "Tag": "@item()['Group']" } ] }, @@ -702,61 +823,43 @@ } }, "runAfter": { - "Compose_7": [ + "Add_comment_to_incident_(V3)_4": [ "Succeeded" ] }, - "else": { - "actions": { - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('Compose_7')", - "" - ] - } - }, - { - "not": { - "equals": [ - "@length(outputs('Compose_7'))", - 0 - ] - } - } - ] - }, - "type": "If" + "type": "Foreach" } }, "runAfter": { - "Append_to_array_variable_3": [ + "Condition_3": [ "Succeeded" ] }, - "type": "Foreach" - }, - "Function_App_call": { - "type": "Http", - "inputs": { - "uri": "https://mdti-lookup.azurewebsites.net/api/mdtipdns?item=@{items('For_each_3')?['Address']}\u0026code=@{body('Get_secret')?['value']}", - "method": "POST" - }, - "runtimeConfiguration": { - "contentTransfer": { - "transferMode": "Chunked" - }, - "secureData": { - "properties": [ - "inputs", - "outputs" - ] + "else": { + "actions": { } - } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Select_1')", + "" + ] + } + }, + { + "not": { + "equals": [ + "@length(variables('groups'))", + 0 + ] + } + } + ] + }, + "type": "If" } }, "runAfter": { 
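Review bot: The rewritten `Function_App_call` at the top of the `@@ -572` hunk dropped the `runtimeConfiguration.secureData` block the old action carried (its removal is visible at the end of the `@@ -702` hunk) while still passing the Key Vault-sourced function key on the query string as `code=@{body('Get_secret')?['value']}`, so the key is now recorded in plaintext in every run's inputs. Restore `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }` on the action, or better send the key in an `x-functions-key` header so it never appears in a URL at all. A smaller readability point: `Compose_4` evaluates `@union(body('Select_1'), body('Select_1'))`, which only reads as a de-duplication once you know `union` drops repeats — a short description on the action, or a `Select_1` that already de-duplicates, would make the intent explicit.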
@@ -764,116 +867,232 @@ "Succeeded" ] }, - "type": "Foreach" + "type": "Foreach", + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } }, "For_each_3-copy": { "foreach": "@body('Entities_-_Get_Hosts')?['Hosts']", "actions": { - "Append_to_array_variable_4": { - "runAfter": { - "Function_App_call_1": [ - "Succeeded" - ] - }, - "type": "AppendToArrayVariable", + "Function_App_call_1": { + "type": "Http", "inputs": { - "name": "hostpivot", - "value": "@body('Function_App_call_1')" - } + "uri": "@{parameters('Function App URL')}item=@{item()?['HostName']}.@{item()?['DnsDomain']}\u0026code=@{body('Get_secret')?['value']}", + "method": "POST" + }, + "operationOptions": "DisableAsyncPattern" }, - "For_each_8": { - "foreach": "@variables('hostpivot')", + "Condition_5": { "actions": { - "Compose_8": { - "type": "Compose", - "inputs": "@split(items('For_each_8'), ', ')\r\n" + "Parse_JSON_2": { + "type": "ParseJson", + "inputs": { + "content": "@body('Function_App_call_1')", + "schema": { + "type": "array", + "items": { + "type": "string" + } + } + } }, - "Compose_9": { + "Select": { "runAfter": { - "Compose_8": [ + "Parse_JSON_2": [ "Succeeded" ] }, - "type": "Compose", - "inputs": "@first(outputs('Compose_8'))\r\n" + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_2')", + "select": { + "Group": "@split(item(), ',')[0]" + } + } + }, + "Select_4": { + "runAfter": { + "Compose_5": [ + "Succeeded" + ] + }, + "type": "Select", + "inputs": { + "from": "@body('Parse_JSON_2')", + "select": { + "Group": "@split(item(), ',')[0]", + "Domain": "@split(item(), ',')[1]" + } + } }, - "Condition_4": { + "For_each_1": { + "foreach": "@body('Select_4')", "actions": { - "Add_comment_to_incident_(V3)_5": { - "runAfter": { - "Submit_a_Copilot_for_Security_prompt_4": [ - "Succeeded" - ] - }, - "type": "ApiConnection", + "Append_to_array_variable_2": { + "type": "AppendToArrayVariable", "inputs": { - "host": { - "connection": { - "name": 
"@parameters('$connections')['azuresentinel']['connectionId']" + "name": "hostpivot", + "value": "@items('For_each_1')" + } + } + }, + "runAfter": { + "Select_4": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Compose_5": { + "runAfter": { + "Select": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@union(body('Select'), body('Select'))" + } + }, + "runAfter": { + "Function_App_call_1": [ + "Succeeded" + ] + }, + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Function_App_call_1')", + "" + ] + } + }, + { + "greater": [ + "@length(body('Function_App_Call_1'))", + 2 + ] + } + ] + }, + "type": "If" + }, + "Condition_8": { + "actions": { + "For_each_8": { + "foreach": "@outputs('Compose_5')", + "actions": { + "Condition_4": { + "actions": { + "Add_comment_to_incident_(V3)_5": { + "runAfter": { + "Submit_a_Copilot_for_Security_prompt_4": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{items('For_each_8')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt_4')?['EvaluationResultContent']}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" } }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Group Name: @{outputs('Compose_9')}\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003eCopilot Summary: @{body('Submit_a_Copilot_for_Security_prompt_4')?['EvaluationResultContent']}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Add_comment_to_incident_(V3)_6": { - "runAfter": { - "Add_comment_to_incident_(V3)_5": [ - 
"Succeeded" - ] + "Submit_a_Copilot_for_Security_prompt_4": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['securitycopilot']['connectionId']" + } + }, + "method": "post", + "body": { + "PromptContent": "Provide a summary for actor group @{items('For_each_8')}" + }, + "path": "/process-prompt" + } + } }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "else": { + "actions": { + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@items('For_each_8')", + "" + ] + } + }, + { + "contains": [ + "@items('For_each_8')", + "Group" + ] } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_1')}\u003c/p\u003e" - }, - "path": "/Incidents/Comment" - } - }, - "Create_HTML_table_1": { - "type": "Table", - "inputs": { - "from": "@variables('hostpivot')", - "format": "HTML" - } - }, - "Submit_a_Copilot_for_Security_prompt_4": { - "runAfter": { - "Create_HTML_table_1": [ - "Succeeded" ] }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['securitycopilot']['connectionId']" - } - }, - "method": "post", - "body": { - "PromptContent": "Provide a summary for actor group @{outputs('Compose_9')}" - }, - "path": "/process-prompt" + "type": "If" + } + }, + "type": "Foreach" + }, + "Create_HTML_table_1": { + "runAfter": { + "For_each_8": [ + "Succeeded" + ] + }, + "type": "Table", + "inputs": { + "from": "@variables('hostpivot')", + "format": "HTML" + } + }, + "Add_comment_to_incident_(V3)_6": { + "runAfter": { + "Create_HTML_table_1": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + 
"name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "Update_incident_4": { - "runAfter": { - "Add_comment_to_incident_(V3)_6": [ - "Succeeded" - ] - }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "\u003cp class=\"editor-paragraph\"\u003eActor Groups and associated domains:\u003c/p\u003e\u003cbr\u003e\u003cp class=\"editor-paragraph\"\u003e@{body('Create_HTML_table_1')}\u003c/p\u003e" + }, + "path": "/Incidents/Comment" + } + }, + "For_each_10": { + "foreach": "@body('Select')", + "actions": { + "Update_incident_3": { "type": "ApiConnection", "inputs": { "host": { @@ -887,7 +1106,7 @@ "tagsToAdd": { "TagsToAdd": [ { - "Tag": "@outputs('Compose_9')" + "Tag": "@item()['Group']" } ] }, @@ -899,61 +1118,43 @@ } }, "runAfter": { - "Compose_9": [ + "Add_comment_to_incident_(V3)_6": [ "Succeeded" ] }, - "else": { - "actions": { - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('Compose_9')", - "" - ] - } - }, - { - "not": { - "equals": [ - "@length(outputs('Compose_9'))", - 0 - ] - } - } - ] - }, - "type": "If" + "type": "Foreach" } }, "runAfter": { - "Append_to_array_variable_4": [ + "Condition_5": [ "Succeeded" ] }, - "type": "Foreach" - }, - "Function_App_call_1": { - "type": "Http", - "inputs": { - "uri": "https://mdti-lookup.azurewebsites.net/api/mdtipdns?item=@{item()?['HostName']}.@{item()?['DnsDomain']}\u0026code=@{body('Get_secret')?['value']}", - "method": "POST" - }, - "runtimeConfiguration": { - "contentTransfer": { - "transferMode": "Chunked" - }, - "secureData": { - "properties": [ - "inputs", - "outputs" - ] + "else": { + "actions": { } - } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@body('Select')", + "" + ] + } + }, + { + "not": { + "equals": [ + "@length(variables('hostpivot'))", + 0 + ] + } + } + ] + }, + "type": "If" } }, "runAfter": { 
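Review bot: `Function_App_call_1` at the start of the `@@ -764` hunk has the same regression as the IP path: the previous `runtimeConfiguration.secureData` is gone (removed at the end of the `@@ -899` hunk) while the function key is still passed as `code=@{body('Get_secret')?['value']}` in the URI, so add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }` back or move the key to an `x-functions-key` header. The lookup item is built as `@{item()?['HostName']}.@{item()?['DnsDomain']}`, which yields `host.` with a trailing dot when the host entity has no `DnsDomain`, and that malformed name is then sent to the function; `@{if(empty(item()?['DnsDomain']), item()?['HostName'], concat(item()?['HostName'], '.', item()?['DnsDomain']))}` sends the bare host name instead. The `For_each_3-copy` loop's closing `runAfter` continues past this hunk.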
@@ -963,20 +1164,6 @@
 },
 "type": "Foreach"
 },
- "Get_secret": {
- "runAfter": {
- },
- "type": "ApiConnection",
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['Keyvault']['connectionId']"
- }
- },
- "method": "get",
- "path": "/secrets/@{encodeURIComponent('MDTI-Function-App')}/value"
- }
- },
 "Initialize_variable": {
 "runAfter": {
 "Entities_-_Get_IPs": [
@@ -1082,6 +1269,20 @@
 "triggerName": "manual"
 }
 }
+ },
+ "Get_secret": {
+ "runAfter": {
+ },
+ "type": "ApiConnection",
+ "inputs": {
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['keyvault']['connectionId']"
+ }
+ },
+ "method": "get",
+ "path": "/secrets/@{encodeURIComponent('MechanicsDemo-AzureFunction')}/value"
+ }
 }
 },
 "outputs": {
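Review bot: The re-added `Get_secret` action hard-codes the Key Vault secret name `MechanicsDemo-AzureFunction` in its `path`, replacing the `MDTI-Function-App` name the removed action used (hunk 963); the new name reads like a value exported from a demo tenant, and a deployer cannot change it without editing the workflow definition, so the playbook fails at run time rather than at deployment when that secret does not exist. Expose the secret name through a template parameter (injected into the definition with an ARM `[concat(...)]` expression, or as a workflow definition parameter) with the published name as the default. The connection key also changes from `Keyvault` to `keyvault`; that matches the `keyvault` entry added to `$connections` in hunk 1093, so keep both in step if either is renamed again.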
@@ -1093,29 +1294,24 @@
 "azuresentinel": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
 "connectionName": "[variables('MicrosoftSentinelConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]",
 "connectionProperties": {
 "authentication": {
 "type": "ManagedServiceIdentity"
 }
 }
 },
- "azuresentinel1": {
- "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]",
- "connectionName": "[variables('azuresentinelConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]",
- "connectionProperties": {
- "authentication": {
- "type": "ManagedServiceIdentity"
- }
- }
+ "azuresentinel": {
+ "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]",
+ "connectionName": "[variables('AzuresentinelConnectionName')]",
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]"
 },
 "securitycopilot": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]",
 "connectionName": "[variables('SecuritycopilotConnectionName')]",
 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Securitycopilot')]"
 },
- "": {
+ "keyvault": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
 "connectionName": "[variables('KeyvaultConnectionName')]",
 "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]",
@@ -1133,6 +1329,9 @@
 "type": "Microsoft.Logic/workflows",
 "location": "[resourceGroup().location]",
 "tags": {
+ "CreatedDate": "10/17/2024 5:09:07 PM",
+ "Created By": "u1126",
+ "CreatorUPN": "u1126@a.alpineskihouse.co",
 "hidden-SentinelTemplateName": "MDTI-Actor-LookupV2",
 "hidden-SentinelTemplateVersion": "1.0"
 },
@@ -1142,7 +1341,7 @@
 "apiVersion": "2017-07-01",
 "dependsOn": [
 "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
- "[resourceId('Microsoft.Web/connections', variables('azuresentinelConnectionName'))]",
+ "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]",
 "[resourceId('Microsoft.Web/connections', variables('SecuritycopilotConnectionName'))]",
 "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]"
 ]
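Review bot: The `$connections` value object now has two sibling keys named `"azuresentinel"`: the unchanged entry bound to `MicrosoftSentinelConnectionName` with `ManagedServiceIdentity` authentication, and the added entry bound to `AzuresentinelConnectionName` that replaced `azuresentinel1` and carries no `connectionProperties`. Duplicate keys are not valid in a workflow definition and which of the two the runtime keeps is parser-dependent; if the last one wins, every action that reads `@parameters('$connections')['azuresentinel']['connectionId']` silently loses managed-identity authentication. Keep a single `"azuresentinel"` entry that retains the `connectionProperties` block, and either drop the second connection or give it back a distinct key such as the removed `"azuresentinel1"`. The same loss of the MSI configuration appears in hunk 1159, where `"parameterValueType": "Alternative"` is removed from the `AzuresentinelConnectionName` connection resource.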
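Review bot: The three tags added to the workflow resource, `CreatedDate`, `Created By` and `CreatorUPN`, are portal-export metadata from the authoring tenant, including a user principal name, and serve no purpose in a redistributable template. Drop them and keep only the `hidden-SentinelTemplateName` and `hidden-SentinelTemplateVersion` tags; if a creation date is wanted, take it from a parameter rather than a literal.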
@@ -1159,23 +1358,22 @@ }, "parameterValueType": "Alternative", "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" } } }, { "type": "Microsoft.Web/connections", "apiVersion": "2016-06-01", - "name": "[variables('azuresentinelConnectionName')]", + "name": "[variables('AzuresentinelConnectionName')]", "location": "[resourceGroup().location]", "kind": "V1", "properties": { - "displayName": "[variables('azuresentinelConnectionName')]", + "displayName": "[variables('AzuresentinelConnectionName')]", "customParameterValues": { }, - "parameterValueType": "Alternative", "api": { - "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" } } }, diff --git a/Playbooks/MDTI-Actor-Lookup/function_app.py b/Playbooks/MDTI-Actor-Lookup/function_app.py index 14bb5e95689..0d8a5e04aa4 100644 --- a/Playbooks/MDTI-Actor-Lookup/function_app.py +++ b/Playbooks/MDTI-Actor-Lookup/function_app.py @@ -75,6 +75,7 @@ def list_grab(item): logging.info(f"Fetched {len(artifact_ids)} artifacts, total so far: {len(artifact_list)}") else: logging.warning(f"'value' key not found in response: {data}") + continue # Check for the presence of @odata.nextLink services = data.get('@odata.nextLink', None) diff --git a/Sample Data/ASIM/Microsoft_Security Events_Authentication_IngestedLogs.csv b/Sample Data/ASIM/Microsoft_Security Events_Authentication_IngestedLogs.csv new file mode 100644 index 00000000000..089e7a41a86 --- /dev/null 
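Review bot: The added `continue` returns to the top of the loop before the `services = data.get('@odata.nextLink', None)` update on the following lines runs, so when a page comes back without a `value` key the pagination cursor keeps its previous value; if this is a `while services:`-style loop (its header is outside the hunk), the same URL is requested again and the function never terminates. Either `break` after the warning, or clear the cursor first: `services = None` then `continue`. `list_grab` begins and ends outside the hunk, so confirm the loop form before choosing.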
+++ b/Sample Data/ASIM/Microsoft_Security Events_Authentication_IngestedLogs.csv 
@@ -0,0 +1,1002 @@ +TenantId,TimeGenerated [UTC],SourceSystem,Account,AccountType,Computer,EventSourceName,Channel,Task,Level,EventData,EventID,Activity,PartitionKey,RowKey,StorageAccount,AzureDeploymentID,AzureTableName,AccessList,AccessMask,AccessReason,AccountDomain,AccountExpires,AccountName,AccountSessionIdentifier,AdditionalInfo,AdditionalInfo2,AllowedToDelegateTo,Attributes,AuditPolicyChanges,AuditsDiscarded,AuthenticationLevel,AuthenticationPackageName,AuthenticationProvider,AuthenticationServer,AuthenticationService,AuthenticationType,CACertificateHash,CalledStationID,CallerProcessId,CallerProcessName,CallingStationID,CAPublicKeyHash,CategoryId,CertificateDatabaseHash,ClassId,ClassName,ClientAddress,ClientIPAddress,ClientName,CommandLine,CompatibleIds,DCDNSName,DeviceDescription,DeviceId,DisplayName,Disposition,DomainBehaviorVersion,DomainName,DomainPolicyChanged,DomainSid,EAPType,ElevatedToken,ErrorCode,ExtendedQuarantineState,FailureReason,FileHash,FilePath,FilePathNoUser,Filter,ForceLogoff,Fqbn,FullyQualifiedSubjectMachineName,FullyQualifiedSubjectUserName,GroupMembership,HandleId,HardwareIds,HomeDirectory,HomePath,ImpersonationLevel,IpAddress,IpPort,KeyLength,LmPackageName,LocationInformation,LockoutDuration,LockoutObservationWindow,LockoutThreshold,LoggingResult,LogonHours,LogonID,LogonProcessName,LogonType,LogonTypeName,MachineAccountQuota,MachineInventory,MachineLogon,MandatoryLabel,MaxPasswordAge,MemberName,MemberSid,MinPasswordAge,MinPasswordLength,MixedDomainMode,NASIdentifier,NASIPv4Address,NASIPv6Address,NASPort,NASPortType,NetworkPolicyName,NewDate,NewMaxUsers,NewProcessId,NewProcessName,NewRemark,NewShareFlags,NewTime,NewUacValue,NewValue,NewValueType,ObjectName,ObjectServer,ObjectType,ObjectValueName,OemInformation,OldMaxUsers,OldRemark,OldShareFlags,OldUacValue,OldValue,OldValueType,OperationType,PackageName,ParentProcessName,PasswordHistoryLength,PasswordLastSet,PasswordProperties,PreviousDate,PreviousTime,PrimaryGroupId,PrivateKeyUsageCoun
t,PrivilegeList,Process,ProcessId,ProcessName,Properties,ProfilePath,ProtocolSequence,ProxyPolicyName,QuarantineHelpURL,QuarantineSessionID,QuarantineSessionIdentifier,QuarantineState,QuarantineSystemHealthResult,RelativeTargetName,RemoteIpAddress,RemotePort,Requester,RequestId,RestrictedAdminMode,RowsDeleted,SamAccountName,ScriptPath,SecurityDescriptor,ServiceAccount,ServiceFileName,ServiceName,ServiceStartType,ServiceType,SessionName,ShareLocalPath,ShareName,SidHistory,Status,SubjectAccount,SubcategoryId,Subject,SubjectDomainName,SubjectKeyIdentifier,SubjectLogonId,SubjectMachineName,SubjectMachineSID,SubjectUserName,SubjectUserSid,SubStatus,TableId,TargetAccount,TargetDomainName,TargetInfo,TargetLinkedLogonId,TargetLogonId,TargetOutboundDomainName,TargetOutboundUserName,TargetServerName,TargetSid,TargetUser,TargetUserName,TargetUserSid,TemplateContent,TemplateDSObjectFQDN,TemplateInternalName,TemplateOID,TemplateSchemaVersion,TemplateVersion,TokenElevationType,TransmittedServices,UserAccountControl,UserParameters,UserPrincipalName,UserWorkstations,VirtualAccount,VendorIds,Workstation,WorkstationName,EventLevelName,EventOriginId,MG,TimeCollected [UTC],ManagementGroupName,SystemUserId,Version,Opcode,Keywords,Correlation,SystemProcessId,SystemThreadId,EventRecordId,Type,_ResourceId +,"10/18/2024, 9:29:21.125 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weatheronline,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 
AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{594619fc-5ff6-449c-8620-ebd41c2f919b},720,8812,3287814,SecurityEvent, +,"10/18/2024, 9:29:23.016 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weischermedia,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a9fc1700-34da-4cf1-8065-fa485f6c43c7},720,8812,3287816,SecurityEvent, +,"10/18/2024, 9:29:24.750 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webakebread,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3ca13f6e-a784-4cf3-8e56-e080b658d931},720,8812,3287818,SecurityEvent, +,"10/18/2024, 9:29:26.429 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wehousing,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23550e9b-b74b-4597-b4da-431e95519db6},720,8812,3287820,SecurityEvent, +,"10/18/2024, 9:29:26.984 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,40.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rivaldiputrad,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8939b926-3750-4850-826d-7e7191bc2e11},720,8812,3287822,SecurityEvent, +,"10/18/2024, 9:29:27.397 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.166,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,onurakgonen,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{265a5c98-e82b-4c6b-9634-893a1e6b571b},720,8812,3287824,SecurityEvent, +,"10/18/2024, 9:29:27.570 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.159,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,tconway29,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ff168f91-ea77-48c9-af46-243b155955f6},720,8812,3287826,SecurityEvent, +,"10/18/2024, 9:29:28.248 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webagenturnord,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{625c3c21-9bd9-4c7d-8b16-88141ce6d00c},720,8812,3287828,SecurityEvent, +,"10/18/2024, 9:29:29.912 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wembli,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a7e099f2-c467-4f12-86ae-ff2d320a51bb},720,8812,3287830,SecurityEvent, +,"10/18/2024, 9:29:31.594 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westpro,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{20fcea2b-dc49-4993-8d06-1971ae3d7156},720,8812,3287834,SecurityEvent, +,"10/18/2024, 9:29:33.241 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weathercraft,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4c81b67e-ec66-4491-8f3b-c78e506bcb0c},720,8812,3287836,SecurityEvent, +,"10/18/2024, 9:29:34.913 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wedj,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8412ad2c-80ec-48c1-858a-496c408e583e},720,8812,3287838,SecurityEvent, +,"10/18/2024, 9:29:36.571 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wellpartner,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{720a257c-1f76-4110-aa72-6a9698cf82e5},720,8812,3287840,SecurityEvent, +,"10/18/2024, 9:29:38.221 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webtimeclock,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:30:06.110 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bec0be8e-2eef-4db7-8f93-0b736e431c77},720,8812,3287842,SecurityEvent, +,"10/18/2024, 9:29:31.980 AM",OpsManager,NT AUTHORITY\SYSTEM,Machine,VNEVADO-Win11U.vnevado.alpineskihouse.co,Microsoft-Windows-Security-Auditing,Security,12544,0,,4624,4624 - An account was successfully logged on.,,,,,,,,,,,,,,,,,,,,Negotiate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%1842,,,,,,,,,,,,,,,,,%%1833,192.168.1.1,-,0,-,,,,,,,,Advapi ,5,5 - Service,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,SenseIR.exe,0x1080,C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe,,,,,,,,,,,,,,,-,,,,,,,,,,,,,,,VNEVADO\VNEVADO-Win11U$,,,VNEVADO,,0x3e7,,,VNEVADO-Win11U$,S-1-5-18,0x80090325,,NT AUTHORITY\SYSTEM,NT AUTHORITY,,0x0,0x3e7,-,-,,,,SYSTEM,S-1-5-18,,,,,,,,-,,,,,%%1843,,,-,LogAlways,411f600a-a0a4-4572-b678-debfbf4c5d39,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:10.219 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,3,0,0x8020000000000000,{bb4acbd3-e3c8-4ee9-9712-655040305c2b},716,3712,11213538,SecurityEvent, +,"10/18/2024, 9:29:40.057 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,87.120.112.181,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,devops,S-1-0-0,,,,,,,,-,,,,,,,,Number11,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{86d705c4-38c4-4c57-8f3b-fa736af419b8},720,8812,3287844,SecurityEvent, +,"10/18/2024, 9:29:40.130 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log 
on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wetnoze,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7e515b92-0440-4fb0-8005-823c185ad396},720,8812,3287846,SecurityEvent, +,"10/18/2024, 9:29:41.821 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winchster,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{002d041c-aa60-4bd9-9064-bcb695dfdeb7},720,8812,3287848,SecurityEvent, +,"10/18/2024, 9:29:43.492 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whitmart,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 
AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{353df894-fa7a-46fd-b78e-c1bdefe64725},720,8812,3287850,SecurityEvent, +,"10/18/2024, 9:29:45.114 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.161,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,shiannemilward,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a7821cf6-baf9-40d1-9bc4-067f591ca3bc},720,8812,3287852,SecurityEvent, +,"10/18/2024, 9:29:45.342 AM",OpsManager,NT AUTHORITY\SYSTEM,Machine,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4624,4624 - An account was successfully logged on.,,,,,,,,,,,,,,,,,,,,Negotiate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%1842,,,,,,,,,,,,,,,,,%%1833,192.168.1.1,-,0,-,,,,,,,,Advapi ,5,5 - Service,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,services.exe,0x2c8,C:\Windows\System32\services.exe,,,,,,,,,,,,,,,-,,,,,,,,,,,,,,,WORKGROUP\devops-vm$,,,WORKGROUP,,0x3e7,,,devops-vm$,S-1-5-18,,,NT AUTHORITY\SYSTEM,NT AUTHORITY,,0x0,0x3e7,-,-,,,,SYSTEM,S-1-5-18,,,,,,,,-,,,,,%%1843,,,-,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,2,0,0x8020000000000000,{68c4274d-a32b-4f15-b3fb-218f68ed4336},720,8812,3287854,SecurityEvent, +,"10/18/2024, 9:29:45.409 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log 
on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearebattalion,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{18ed46e3-d016-4b19-a2e7-24faa424be1f},720,8812,3287859,SecurityEvent, +,"10/18/2024, 9:29:47.079 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westcoastcc,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{036fe8e6-4a24-47e9-909c-7ca8441c8b38},720,4828,3287862,SecurityEvent, +,"10/18/2024, 9:29:48.758 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webbuilders,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 
AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{346a4e53-7bd7-4ef8-a7ad-7abb447bdeed},720,4828,3287864,SecurityEvent, +,"10/18/2024, 9:29:50.434 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wendyworks,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c2ccd2ac-4398-4957-9113-3c7c16eea937},720,4828,3287866,SecurityEvent, +,"10/18/2024, 9:29:52.107 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wiko,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ee7b36b5-beed-463d-b6df-3f5939c46505},720,3372,3287870,SecurityEvent, +,"10/18/2024, 9:29:53.799 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearesparks,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cf2116ea-cd85-4ba8-8481-52e215cf3175},720,3372,3287872,SecurityEvent, +,"10/18/2024, 9:29:55.450 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wcyk,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1044e467-0f74-4f5e-aec2-f753e4f18142},720,3372,3287874,SecurityEvent, +,"10/18/2024, 9:29:57.186 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whywhisper,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{59782437-956a-4d29-aee1-64634b59e188},720,3372,3287876,SecurityEvent, +,"10/18/2024, 9:29:57.202 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.163,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,darindelelys,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{525ae9e9-73d9-4652-a047-d0089eb0f10d},720,3372,3287878,SecurityEvent, +,"10/18/2024, 9:29:58.834 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wegewerk,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:26.137 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3678b4c8-e825-44aa-af69-4c86151208e9},720,3372,3287880,SecurityEvent, +,"10/18/2024, 9:30:00.510 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webv,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aa4a2b57-c766-46de-9d55-e1e90eb8a3d2},720,3372,3287882,SecurityEvent, +,"10/18/2024, 9:30:02.160 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westcon,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d9268599-43eb-4a6e-acc9-f778937d920a},720,3372,3287884,SecurityEvent, +,"10/18/2024, 9:30:03.828 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wejzfm,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{82b390f2-28d3-47ab-9649-e1976a4f5736},720,3372,3287886,SecurityEvent, +,"10/18/2024, 9:30:05.565 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whiteoaktrans,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d933e044-b2da-4e93-b7cf-51fa8a7d96dc},720,3372,3287888,SecurityEvent, +,"10/18/2024, 9:30:07.213 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westcliff,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{026d1a7d-f823-4008-bdd0-32bb70c69728},720,3372,3287890,SecurityEvent, +,"10/18/2024, 9:30:09.023 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whealcorp,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9aee2a16-cd63-4e4f-9020-c73d2b7422e4},720,3372,3287892,SecurityEvent, +,"10/18/2024, 9:30:10.731 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whitepine-st,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b743f93d-8292-4cf7-97fb-a46f620611c7},720,3372,3287894,SecurityEvent, +,"10/18/2024, 9:30:12.381 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webmartgifts,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5aa3df17-3c00-43f4-a302-5eb7dcc6419f},720,3372,3287896,SecurityEvent, +,"10/18/2024, 9:30:14.315 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wildcatter,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fd0a0762-46cb-4c38-92ef-abaaef2b0818},720,3372,3287898,SecurityEvent, +,"10/18/2024, 9:30:15.966 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windrock,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{04ee05a7-27ec-4bed-afb5-0062c511359b},720,3372,3287900,SecurityEvent, +,"10/18/2024, 9:30:17.616 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winheller,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e0e68126-daf2-4cf5-ad0a-0d3eb51d1d0b},720,3372,3287902,SecurityEvent, +,"10/18/2024, 9:30:19.262 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wilostar3d,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:30:46.108 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5b8003df-2750-48db-8303-334871e8a2fa},720,3372,3287904,SecurityEvent, +,"10/18/2024, 9:30:41.419 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.165,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ikopanas,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f0d8a6f7-bcc9-4e1a-bb4b-f92c8a4e0a9d},720,3372,3287936,SecurityEvent, +,"10/18/2024, 9:30:41.556 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whishbody,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{073eeed6-1782-4689-984a-d4e6a22c592d},720,3372,3287938,SecurityEvent, +,"10/18/2024, 9:30:43.227 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wever,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{68007e54-c372-485b-9700-b837662f5bb0},720,3372,3287940,SecurityEvent, +,"10/18/2024, 9:30:44.892 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wflyfm,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9ad98e0f-f138-4881-9de1-6f57722a6127},720,3372,3287942,SecurityEvent, +,"10/18/2024, 9:30:46.563 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weighting,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{66c1920b-df6f-42b8-8af4-e84019e73953},720,3372,3287944,SecurityEvent, +,"10/18/2024, 9:30:48.338 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webbplaza,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{96b655e1-19da-409b-a534-171bd2e26b02},720,3372,3287946,SecurityEvent, +,"10/18/2024, 9:30:50.085 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welmark,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49dc8bb7-38db-42b8-8b29-4e724c3bde9d},720,3372,3287948,SecurityEvent, +,"10/18/2024, 9:30:51.740 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winky,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{da5d2c41-461c-4080-a062-081a636cc3b2},720,3372,3287950,SecurityEvent, +,"10/18/2024, 9:30:53.408 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wicy,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25ebb709-96b3-4d82-aaaa-925f19c9ee24},720,3372,3287952,SecurityEvent, +,"10/18/2024, 9:30:55.061 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wingware,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06f57258-5da7-4256-822a-23505ad06639},720,3372,3287954,SecurityEvent, +,"10/18/2024, 9:30:56.716 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wddata,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d908ea95-cf7e-4894-84f7-bd44988b1400},720,3372,3287956,SecurityEvent, +,"10/18/2024, 9:30:58.372 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westfeild,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:26.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{01f5e379-01f6-47ab-bcca-61ee572f4738},720,3372,3287958,SecurityEvent, +,"10/18/2024, 9:31:00.057 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weathercast,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5a6b71be-6e4c-4127-8265-6b3d3087378b},720,3372,3287962,SecurityEvent, +,"10/18/2024, 9:31:01.968 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wilby,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26248b05-b224-4538-9a31-6fee0554a05d},720,3372,3287964,SecurityEvent, +,"10/18/2024, 9:31:03.643 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westvesey,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{82e1418e-9573-4249-bf89-fb4b6e67d0db},720,3372,3287966,SecurityEvent, +,"10/18/2024, 9:31:05.377 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whiptydo,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2a804a4b-b1a6-4af2-89e6-d887cf568fe6},720,3372,3287968,SecurityEvent, +,"10/18/2024, 9:31:07.044 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winemingles,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{529d922e-0068-4951-8f11-28e03e0f0100},720,3800,3287970,SecurityEvent, +,"10/18/2024, 9:31:08.698 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whiskeys,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7d0daf09-0170-4214-8787-b133cfbb2599},720,3800,3287972,SecurityEvent, +,"10/18/2024, 9:31:09.936 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,handlos,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{526d9366-2008-4624-9561-75e4b0548c6f},720,3800,3287974,SecurityEvent, +,"10/18/2024, 9:31:10.352 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wilcocap,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a7422b08-d085-416c-a3b4-077951239d96},720,3800,3287976,SecurityEvent, +,"10/18/2024, 9:31:11.613 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,groupalchemy,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{969ef09b-ec83-42e3-abfa-754c68d72125},720,3800,3287978,SecurityEvent, +,"10/18/2024, 9:31:12.030 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wealthtv,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ed59997c-ada0-4fc3-85b9-0a55ffd92dde},720,3800,3287982,SecurityEvent, +,"10/18/2024, 9:31:13.274 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haugbeck,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2d338083-d097-428d-a65a-497b746c8af3},720,3800,3287984,SecurityEvent, +,"10/18/2024, 9:31:13.965 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,websnoogie,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1605fecf-ba77-41d2-9998-f45c89bbeb11},720,3800,3287986,SecurityEvent, +,"10/18/2024, 9:31:14.942 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hamiltonlab,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{080992cf-fe0b-4cb5-a59d-723dd59a4566},720,3800,3287988,SecurityEvent, +,"10/18/2024, 9:31:15.642 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,werebear,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d44f2718-4c7f-4f50-b428-d663b936f745},720,3800,3287990,SecurityEvent, +,"10/18/2024, 9:31:16.588 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,handicappers,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f8a4dbca-93c8-43c3-9741-e389289b861e},720,3800,3287992,SecurityEvent, +,"10/18/2024, 9:31:17.443 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westcomp,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2799ea55-3ce4-40d0-b6b3-438214423d47},720,3800,3287994,SecurityEvent, +,"10/18/2024, 9:31:18.238 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hacku,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b7469a00-3261-4748-9d0c-724d39bf9638},720,3800,3287996,SecurityEvent, +,"10/18/2024, 9:31:19.260 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winchoice,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{734ccf55-367e-4ed1-af2e-222222443213},720,3800,3287998,SecurityEvent, +,"10/18/2024, 9:31:19.919 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grouplm3,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:31:46.112 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1776fa71-ddbd-4c9c-885d-76ad5130ba9f},720,3800,3288000,SecurityEvent, +,"10/18/2024, 9:31:40.060 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.159,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,woozels,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{93373917-bd79-4c23-8163-04179c2baeaf},720,3800,3288064,SecurityEvent, +,"10/18/2024, 9:31:40.351 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wenlight,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{00a00241-6dd3-4b27-bd1e-56d955ac130c},720,3800,3288066,SecurityEvent, +,"10/18/2024, 9:31:40.516 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtatravel,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4f2bad0a-37bd-4c66-8461-1da5b27446bf},720,3800,3288068,SecurityEvent, +,"10/18/2024, 9:31:43.045 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wellsplastics,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{82c5ab54-fec8-4113-99cb-cbb209df068c},720,3800,3288073,SecurityEvent, +,"10/18/2024, 9:31:43.268 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haztek,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{48ba00c9-51a4-481e-96ab-dba25836ba37},720,3800,3288075,SecurityEvent, +,"10/18/2024, 9:31:45.520 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wendellfoster,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c2b360e3-a70b-41a5-8a52-0a326bf2aaa2},720,3800,3288077,SecurityEvent, +,"10/18/2024, 9:31:45.521 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hagley,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b4569aaa-2e84-4c19-bb24-746c780d4d36},720,3800,3288079,SecurityEvent, +,"10/18/2024, 9:31:47.172 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weberflavors,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b8431060-f4b4-43fa-921c-6ae420f90deb},720,3800,3288081,SecurityEvent, +,"10/18/2024, 9:31:47.173 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haruo,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ca069d3f-ef3d-43c1-8d2b-8f9d7592d71e},720,3800,3288083,SecurityEvent, +,"10/18/2024, 9:31:48.945 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weber-entec,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f0eb89a2-860a-4961-8359-510397604540},720,3800,3288085,SecurityEvent, +,"10/18/2024, 9:31:48.973 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gulfisland,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fa584bb5-437c-4d6e-80f3-910cf7ce679b},720,3800,3288087,SecurityEvent, +,"10/18/2024, 9:31:50.628 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,willowview,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ce675d6c-4e56-4956-861c-72a47f823f83},720,3800,3288089,SecurityEvent, +,"10/18/2024, 9:31:50.637 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gryf,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{718b657b-e2f8-4958-b1ac-fdac51be9514},720,3800,3288091,SecurityEvent, +,"10/18/2024, 9:31:52.277 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welltechlabs,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{36774591-abe1-4559-b97f-5bf0076b8e0f},720,3800,3288093,SecurityEvent, +,"10/18/2024, 9:31:52.313 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harwest,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{357d73fa-edd0-4795-aa91-a6d179e1e3e7},720,3800,3288095,SecurityEvent, +,"10/18/2024, 9:31:52.705 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,107.150.56.10,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,user,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f039a3d-4ff3-4a4c-adcb-775c065b6f98},720,3800,3288097,SecurityEvent, +,"10/18/2024, 9:31:54.027 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weldcote,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ce61316b-2766-45be-a973-d031f56f84e9},720,3800,3288099,SecurityEvent, +,"10/18/2024, 9:31:54.051 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,happycar,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{82bd9fc3-24fe-4c28-98e0-dbfdcd333820},720,3800,3288101,SecurityEvent, +,"10/18/2024, 9:31:55.695 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wholeloans,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0dbb2b9e-c12a-4ae7-8daf-d7c83e3ae2bc},720,3800,3288103,SecurityEvent, +,"10/18/2024, 9:31:55.714 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hasskamp,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{267bd069-5bae-4a7b-8e8e-1bc55989f742},720,3800,3288105,SecurityEvent, +,"10/18/2024, 9:31:57.427 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guhamajumdar,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1f302c97-8a23-4754-8f30-13387e16e119},720,3800,3288107,SecurityEvent, +,"10/18/2024, 9:31:57.429 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whalls,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f4d08b70-2bb6-4d52-a573-f1f27eae7179},720,3800,3288109,SecurityEvent, +,"10/18/2024, 9:31:57.757 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.161,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,Ashleighliliput,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{654b59f2-2be2-462d-88bb-21600ad585cf},720,3800,3288111,SecurityEvent, +,"10/18/2024, 9:31:59.085 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wernz-elektro,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{551e325e-9314-401c-9e04-d6f259ded957},720,3800,3288113,SecurityEvent, +,"10/18/2024, 9:31:59.104 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harllee,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:32:26.114 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fb127c0c-4606-40ed-a715-96c84c5dd9ad},720,3800,3288115,SecurityEvent, +,"10/18/2024, 9:32:21.032 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gussio,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{91fe03fe-c59f-47a9-8888-41073efd5059},720,3800,3288168,SecurityEvent, +,"10/18/2024, 9:32:21.565 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wigro,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b363e81b-0e27-48ed-bb6b-113ef64f3ad6},720,3800,3288170,SecurityEvent, +,"10/18/2024, 9:32:22.820 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,havens,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8311be64-a7c3-4d5c-9769-c7a0dd2fae72},720,3800,3288172,SecurityEvent, +,"10/18/2024, 9:32:23.224 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windhill,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c2d15197-4cd7-43b3-a6cf-aa5202fa83da},720,3800,3288174,SecurityEvent, +,"10/18/2024, 9:32:24.469 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harrisontc,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{acfd8a9b-1151-41b9-b63d-308b0cd238db},720,3800,3288176,SecurityEvent, +,"10/18/2024, 9:32:24.893 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whitins,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06f774da-ec97-4b6d-b138-64ef4e0c64ec},720,3800,3288178,SecurityEvent, +,"10/18/2024, 9:32:26.130 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,growlever,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ebab87cd-8ec0-4294-b1f1-128573bd67c9},720,3800,3288180,SecurityEvent, +,"10/18/2024, 9:32:26.566 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearetipjar,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9eaa1de0-1777-41ea-ae0c-a2a155a65d97},720,3800,3288182,SecurityEvent, +,"10/18/2024, 9:32:27.810 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,havenyield,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dcb13e8b-56b8-413e-b22d-aac535e5f5f4},720,3800,3288184,SecurityEvent, +,"10/18/2024, 9:32:28.279 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weselyan,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{11bac52d-36d9-4426-ba5b-6b0fc3fb7cf3},720,3800,3288186,SecurityEvent, +,"10/18/2024, 9:32:29.490 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guyviti,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{adca32dc-3d0f-4949-9226-6225655b4c0c},720,3800,3288188,SecurityEvent, +,"10/18/2024, 9:32:30.035 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wectac,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c0fa64a-92dc-48a7-91ff-466adfabd22e},720,3800,3288190,SecurityEvent, +,"10/18/2024, 9:32:31.261 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harmonyhit,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4a5c09f7-b836-4c2c-8f52-7854808407c9},720,3800,3288193,SecurityEvent, +,"10/18/2024, 9:32:31.887 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wehealth,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2ff2b6c9-ccc9-4917-962c-39622f105215},720,3800,3288196,SecurityEvent, +,"10/18/2024, 9:32:32.927 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,groceryships,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f04b79be-7190-4d5a-b1dd-9af3b4653b6d},720,3800,3288198,SecurityEvent, +,"10/18/2024, 9:32:34.882 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guebert,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{145785a7-75d5-4cd1-bc0e-6cd273d63a48},720,3800,3288200,SecurityEvent, +,"10/18/2024, 9:32:36.549 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grisso,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{af61ab80-0833-42fd-9f42-793a535e703b},720,3800,3288202,SecurityEvent, +,"10/18/2024, 9:32:36.568 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,werboff,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1eba419c-6202-463c-bbe0-267f9d2a1e5a},720,3800,3288204,SecurityEvent, +,"10/18/2024, 9:32:38.222 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,groupnec,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7ae338d1-750f-4567-b1f2-2d2801fe4c2c},720,3800,3288206,SecurityEvent, +,"10/18/2024, 9:32:38.235 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wellssebring,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8c3de598-c6fa-4983-92f7-c6ae146155b9},720,3800,3288208,SecurityEvent, +,"10/18/2024, 9:32:39.964 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearegftb,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:06.130 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b2353fc4-4a34-4943-96ad-a0534883c76e},720,3800,3288210,SecurityEvent, +,"10/18/2024, 9:32:40.073 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hc-carbon,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c9fa929d-4261-4c8a-9a9c-4573dc4c3467},720,3800,3288212,SecurityEvent, +,"10/18/2024, 9:32:41.629 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webfwd,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c4292ed4-0613-4172-b23f-fb4801f48238},720,3800,3288214,SecurityEvent, +,"10/18/2024, 9:32:41.747 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gweek,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{73b631b1-0f9f-40fd-97b6-cb96bb9bcbce},720,3800,3288216,SecurityEvent, +,"10/18/2024, 9:32:43.298 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weatherwise,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b3833a11-84d6-41bf-8bc6-c074485b578c},720,3800,3288218,SecurityEvent, +,"10/18/2024, 9:32:43.395 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hamburg,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{efa404df-fd20-4776-9cc0-8a8d389b8cdb},720,3800,3288220,SecurityEvent, +,"10/18/2024, 9:32:45.012 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whowontpay,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d596fb84-b054-4927-9e9f-dd137dae282a},720,3800,3288222,SecurityEvent, +,"10/18/2024, 9:32:45.134 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hbk,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 
AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{50ca6f2c-a86a-45a2-b4fb-48ae964df5a8},720,3800,3288224,SecurityEvent, +,"10/18/2024, 9:32:46.695 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windsorfoods,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a337071a-d66e-4ff0-b298-246a9940cd6a},720,3800,3288226,SecurityEvent, +,"10/18/2024, 9:32:46.797 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hardfacing,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1cc910da-45e3-4c5d-aacd-187d6a86c8d5},720,3800,3288228,SecurityEvent, +,"10/18/2024, 9:32:48.348 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,willims,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f3c127d-f160-4c4e-9356-e5735648c2df},720,3800,3288230,SecurityEvent, +,"10/18/2024, 9:32:48.473 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,group7,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f6d5bd87-2fce-4559-b14b-0ae07b2e627a},720,3800,3288232,SecurityEvent, +,"10/18/2024, 9:32:50.037 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,willamalane,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{22f01e5d-c2ab-4681-965a-9166ce239a53},720,3800,3288234,SecurityEvent, +,"10/18/2024, 9:32:50.147 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtworld,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1b2fa49e-d2d8-4cd9-b60d-edc29abd5ed9},720,3800,3288236,SecurityEvent, +,"10/18/2024, 9:32:51.732 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windsweptit,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b662e0c7-975b-4c2f-8108-8e9cb6945f67},720,3800,3288238,SecurityEvent, +,"10/18/2024, 9:32:51.838 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtsservices,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{66996b30-ab85-4a81-b2cd-3dc44d82dfd3},720,3800,3288240,SecurityEvent, +,"10/18/2024, 9:32:53.388 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weimer,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{61cd379d-6a01-4739-82f4-072f7244ccfc},720,3800,3288242,SecurityEvent, +,"10/18/2024, 9:32:53.505 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hantge,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a85fcb54-39a7-4c49-9c08-45eee80b5641},720,3800,3288244,SecurityEvent, +,"10/18/2024, 9:32:55.055 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wetech,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dea91c8b-2373-410e-b8d1-e31dee9b26c0},720,3800,3288246,SecurityEvent, +,"10/18/2024, 9:32:55.163 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,growingbolder,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c55e5088-4c54-43c1-ad93-fd43748f5260},720,3800,3288248,SecurityEvent, +,"10/18/2024, 9:32:55.920 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.160,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,domdring14,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f4d91fcf-d8bc-4d4c-a931-fbb5e027c256},720,3800,3288250,SecurityEvent, +,"10/18/2024, 9:32:56.805 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearebestday,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{68b6145f-8f12-41b9-aea4-a3aa4ea3da6c},720,3800,3288252,SecurityEvent, +,"10/18/2024, 9:32:56.822 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haystravel,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d30a3487-0376-42c8-a31c-8b85c097831c},720,3800,3288254,SecurityEvent, +,"10/18/2024, 9:32:58.471 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grothjan,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f1483e13-8b12-44f6-b1a7-052a6442a052},720,3800,3288256,SecurityEvent, +,"10/18/2024, 9:32:58.519 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webdesign-grimm,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{307ea978-ef58-4c49-867e-52aa17223d45},720,3800,3288258,SecurityEvent, +,"10/18/2024, 9:32:58.663 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.165,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,oyunicin1453,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:26.120 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aa6c7955-9202-431d-ba52-dbdbe4c450c1},720,3800,3288260,SecurityEvent, +,"10/18/2024, 9:33:06.408 AM",OpsManager,NT AUTHORITY\SYSTEM,Machine,VNEVADO-Win11T.vnevado.alpineskihouse.co,Microsoft-Windows-Security-Auditing,Security,12544,0,,4624,4624 - An account was successfully logged on.,,,,,,,,,,,,,,,,,,,,Negotiate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%1842,,,,,,,,,,,,,,,,,%%1833,192.168.1.1,-,0,-,,,,,,,,Advapi ,5,5 - 
Service,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,services.exe,0x2e4,C:\Windows\System32\services.exe,,,,,,,,,,,,,,,-,,,,,,,,,,,,,,,VNEVADO\VNEVADO-Win11T$,,,VNEVADO,,0x3e7,,,VNEVADO-Win11T$,S-1-5-18,,,NT AUTHORITY\SYSTEM,NT AUTHORITY,,0x0,0x3e7,-,-,,,,SYSTEM,S-1-5-18,,,,,,,,-,,,,,%%1843,,,-,LogAlways,c9171ffe-8c3d-49d2-8c8b-fc5af77d39d0,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:45.173 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,3,0,0x8020000000000000,{f14a5193-d9b7-4119-8b21-403a50241ad7},748,3496,10779957,SecurityEvent, +,"10/18/2024, 9:33:08.228 AM",OpsManager,NT AUTHORITY\SYSTEM,Machine,VNEVADO-Win11U.vnevado.alpineskihouse.co,Microsoft-Windows-Security-Auditing,Security,12544,0,,4624,4624 - An account was successfully logged on.,,,,,,,,,,,,,,,,,,,,Negotiate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%1842,,,,,,,,,,,,,,,,,%%1833,192.168.1.1,-,0,-,,,,,,,,Advapi ,5,5 - Service,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,services.exe,0x2c4,C:\Windows\System32\services.exe,,,,,,,,,,,,,,,-,,,,,,,,,,,,,,,VNEVADO\VNEVADO-Win11U$,,,VNEVADO,,0x3e7,,,VNEVADO-Win11U$,S-1-5-18,0xc000006e,,NT AUTHORITY\SYSTEM,NT AUTHORITY,,0x0,0x3e7,-,-,,,,SYSTEM,S-1-5-18,,,,,,,,-,,,,,%%1843,,,-,LogAlways,411f600a-a0a4-4572-b678-debfbf4c5d39,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:33:50.154 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,3,0,0x8020000000000000,{2ed6c066-e0b5-459b-b3fb-c21a0c64b51b},716,1404,11213676,SecurityEvent, +,"10/18/2024, 9:33:40.544 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wegebielefeld,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{95dd45bb-6b11-4f42-b84f-e8bd3d3d42d8},720,3800,3288364,SecurityEvent, +,"10/18/2024, 9:33:40.822 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harren,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f2229eac-5065-4bf0-80a6-679d7f6a2ec6},720,3800,3288366,SecurityEvent, +,"10/18/2024, 9:33:42.284 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westrey,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8289f65d-5bfb-441e-aad1-03402cd2703a},720,3800,3288368,SecurityEvent, +,"10/18/2024, 9:33:42.475 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gsignal,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{de4b3779-a758-4f3b-bfff-a8429380ae99},720,3800,3288370,SecurityEvent, +,"10/18/2024, 9:33:43.936 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wgns,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c79028b0-0611-41e5-9dc2-aa74e4e5a1a7},720,3800,3288372,SecurityEvent, +,"10/18/2024, 9:33:44.221 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harz,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 
AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a2e1daf3-9186-4518-aee6-0dd7c4768b4c},720,3800,3288374,SecurityEvent, +,"10/18/2024, 9:33:45.612 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,websutra,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bd5ef7d6-db03-4ec2-bd52-0b2b9f747604},720,3800,3288376,SecurityEvent, +,"10/18/2024, 9:33:45.893 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hanc-sf,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3f650d78-3b14-4fce-85f6-eb33505f721d},720,3800,3288378,SecurityEvent, +,"10/18/2024, 9:33:47.354 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weizman,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fba5f3c6-36f1-4ee7-ba87-3aa0e6554cd7},720,3800,3288380,SecurityEvent, +,"10/18/2024, 9:33:47.588 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtconsult,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f269e1e5-3a99-4e07-bb0f-51755927869c},720,3800,3288382,SecurityEvent, +,"10/18/2024, 9:33:49.114 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wdp,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{37f051e6-8612-40a2-a4e9-536d3e32545f},720,3800,3288384,SecurityEvent, +,"10/18/2024, 9:33:49.385 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hammerplc,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{22a746b7-ed30-499d-9235-d12dcee61e4e},720,3800,3288386,SecurityEvent, +,"10/18/2024, 9:33:50.763 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westerfield,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ee8a2d09-9d11-4801-80fb-fe7bb48e9cad},720,3800,3288388,SecurityEvent, +,"10/18/2024, 9:33:51.033 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harvestmarks,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{30fd7747-8684-43df-a585-8c2b9763d783},720,3800,3288390,SecurityEvent, +,"10/18/2024, 9:33:52.420 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windowrama,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b59936c2-c17f-45a7-a165-0923547a2b9d},720,3800,3288392,SecurityEvent, +,"10/18/2024, 9:33:52.690 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,handkeindustrie,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c5e94ec4-13e1-49aa-bfd1-808babe46bb5},720,3800,3288394,SecurityEvent, +,"10/18/2024, 9:33:54.097 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wilburellis,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2441c3c9-5aea-498f-bbbb-a33464a0e3d0},720,3800,3288396,SecurityEvent, +,"10/18/2024, 9:33:54.351 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.166,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,vlekd,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{51043640-2c1c-4a22-98d3-375c56031dce},720,3800,3288398,SecurityEvent, +,"10/18/2024, 9:33:54.360 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,handris,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26d6fc34-9fb4-4a23-a529-d61da315930d},720,3800,3288400,SecurityEvent, +,"10/18/2024, 9:33:54.362 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.167,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,keeganwb,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1c92001a-c3cb-4352-97b9-78d7ef36f520},720,3800,3288402,SecurityEvent, +,"10/18/2024, 9:33:54.902 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,40.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,marktuedor,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5b294528-0280-4e5a-8e09-b8d4a41537c7},720,3800,3288404,SecurityEvent, +,"10/18/2024, 9:33:55.755 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,werkt,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9a5606ac-6181-48b8-8a8a-4f1a33b77630},720,3800,3288406,SecurityEvent, +,"10/18/2024, 9:33:56.021 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gullickson,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{16a28754-2607-4991-9f74-1e4a9cf73b6d},720,3800,3288408,SecurityEvent, +,"10/18/2024, 9:33:56.585 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.159,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sayers65,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e25a4519-dd69-47dd-a2b9-53996451abdc},720,3800,3288410,SecurityEvent, +,"10/18/2024, 9:33:57.447 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wertios,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0e05192c-e535-4af2-a076-22ceb9db6c97},720,3800,3288412,SecurityEvent, +,"10/18/2024, 9:33:57.671 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hailian,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2cfedb09-3924-4b3b-bf52-d5c8293bb734},720,3800,3288414,SecurityEvent, +,"10/18/2024, 9:33:59.202 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webneed,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49283701-3569-434d-b40a-450235802733},720,3800,3288416,SecurityEvent, +,"10/18/2024, 9:33:59.393 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,group1201,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 9:34:26.109 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{89352960-2e72-493d-bff0-47ea287d7735},720,3800,3288418,SecurityEvent, +,"10/18/2024, 10:03:00.366 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wildsports,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7ea53d67-841a-4943-9777-1ccf1be3bda6},720,4436,3292816,SecurityEvent, +,"10/18/2024, 10:03:01.064 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gulfexlp,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{99a05f33-cff7-4c78-aa0e-de5d301a94a2},720,4436,3292818,SecurityEvent, +,"10/18/2024, 10:03:02.046 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wczxfm,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4d0ccf87-9561-4752-a660-af9214e07495},720,208,3292820,SecurityEvent, +,"10/18/2024, 10:03:02.750 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hassltd,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{81f4baa0-9573-4f12-9b46-c9c271cbe015},720,208,3292822,SecurityEvent, +,"10/18/2024, 10:03:03.717 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welearn,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{50bbcaa2-c595-426a-ab5e-7230b9ee9738},720,208,3292824,SecurityEvent, +,"10/18/2024, 10:03:04.397 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gunnarson,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c6d381b-5d4f-49e2-8605-90c7ca684003},720,208,3292826,SecurityEvent, +,"10/18/2024, 10:03:05.496 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whitecar,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c80737f8-a628-4da5-ac9f-b35c6e19e7f1},720,208,3292828,SecurityEvent, +,"10/18/2024, 10:03:06.083 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guildery,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e428dba7-bd82-4c6d-8dd7-b13be8b89ec7},720,208,3292830,SecurityEvent, +,"10/18/2024, 10:03:07.166 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welser,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{abce2439-a679-4d92-bc09-9f76bfcb928f},720,208,3292832,SecurityEvent, +,"10/18/2024, 10:03:07.870 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hartian,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{df4fbaef-1ae8-47d3-9f69-6da13c4cd9ab},720,208,3292834,SecurityEvent, +,"10/18/2024, 10:03:08.827 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,widrick,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5d521701-1e5d-48ad-9b05-94a2d91a40fd},720,208,3292836,SecurityEvent, +,"10/18/2024, 10:03:09.557 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,growthprocess,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{be0cda69-2cb4-47e2-b0a4-677725b1454e},720,208,3292838,SecurityEvent, +,"10/18/2024, 10:03:10.549 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wehrkamp,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{43fc476b-ffa3-444b-9e58-b20cd7a7b61e},720,208,3292840,SecurityEvent, +,"10/18/2024, 10:03:11.223 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hammerquist,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f67e9128-48df-41e3-a2cf-dc4f2441cf8b},720,208,3292842,SecurityEvent, +,"10/18/2024, 10:03:12.202 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weka-media,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5e2e3c0e-aad8-4609-a62d-ee4b1bcb6926},720,208,3292844,SecurityEvent, +,"10/18/2024, 10:03:12.901 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hashpi,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aadf1c91-d28f-4c5b-aba8-d1040c588f04},720,208,3292846,SecurityEvent, +,"10/18/2024, 10:03:13.867 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wildtrails,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6c529e48-1561-4d78-b125-7dbdc8c96279},720,208,3292848,SecurityEvent, +,"10/18/2024, 10:03:14.676 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtigrows,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a75c8c73-65e0-43ec-b12c-fcd640673ddf},720,208,3292850,SecurityEvent, +,"10/18/2024, 10:03:15.647 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wesrtchester,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{693f4436-b627-4804-962e-380af14ed731},720,208,3292852,SecurityEvent, +,"10/18/2024, 10:03:16.323 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hayesmichael,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{01a6a3cf-89dc-4cb1-b643-ca09a71eaf67},720,208,3292854,SecurityEvent, +,"10/18/2024, 10:03:17.305 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webcasa,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fcacacb1-4a21-4917-8a40-65b44e50dace},720,208,3292856,SecurityEvent, +,"10/18/2024, 10:03:17.989 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gypsos,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{27c2917d-a6b2-43d6-b1ab-0c19e3cf9055},720,208,3292858,SecurityEvent, +,"10/18/2024, 10:03:19.002 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weilandworks,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{47d16633-eda3-4cd7-9f3b-025945b7bb40},720,208,3292860,SecurityEvent, +,"10/18/2024, 10:03:19.667 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hbus,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:03:46.125 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c2d62d69-de35-42ee-b52b-e2182965e9b0},720,208,3292862,SecurityEvent, +,"10/18/2024, 10:03:20.652 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearelatech,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{57329ff3-9ebc-4511-bfb7-bf48a3013bb8},720,208,3292864,SecurityEvent, +,"10/18/2024, 10:03:21.409 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,h2out,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{703f7057-7a67-4fb4-99ad-b43d3af63235},720,208,3292866,SecurityEvent, +,"10/18/2024, 10:03:22.342 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windation,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{385ca489-6cd5-4ede-832c-4cc0e70e75a2},720,208,3292868,SecurityEvent, +,"10/18/2024, 10:03:23.089 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hbmholdings,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25d8fbc8-84a8-4ce1-9659-add829d4939d},720,208,3292870,SecurityEvent, +,"10/18/2024, 10:03:24.019 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weblerr,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8c5940c3-4ad7-4a21-ae55-f89c0d31fcd5},720,208,3292872,SecurityEvent, +,"10/18/2024, 10:03:24.796 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,happiestbaby,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e8586394-f2a8-48fc-a704-4b47b4e2a8da},720,208,3292874,SecurityEvent, +,"10/18/2024, 10:03:25.684 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whatknots,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7777bdf3-534d-44b7-bfb4-371ff5f75e93},720,208,3292876,SecurityEvent, +,"10/18/2024, 10:03:26.761 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harnel,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25306541-bf86-4ea2-8766-0fa18d82e2cd},720,208,3292878,SecurityEvent, +,"10/18/2024, 10:03:27.452 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welchosen,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{52a18228-eb5f-4bec-830e-9dc16cf11a7a},720,208,3292880,SecurityEvent, +,"10/18/2024, 10:03:28.435 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hardyhalpern,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{34e30fa4-ef35-4b62-80af-24637bac234c},720,208,3292882,SecurityEvent, +,"10/18/2024, 10:03:29.123 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wegainformatik,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ff572840-e5cb-4ca5-a3e8-295197ee5fec},720,208,3292884,SecurityEvent, +,"10/18/2024, 10:03:30.107 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gringa,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cd1fe7a5-c9d1-4559-9af4-369f26e53092},720,208,3292886,SecurityEvent, +,"10/18/2024, 10:03:30.792 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,werbeboten,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49be6feb-1c16-4587-9caa-d2469633ea0a},720,208,3292888,SecurityEvent, +,"10/18/2024, 10:03:31.862 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hardblue,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2ab4c482-80fd-41e2-a8db-0052526637dc},720,208,3292892,SecurityEvent, +,"10/18/2024, 10:03:32.441 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westnetworks,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{04929cfe-05f5-41a3-a8ca-7f25658004a7},720,208,3292894,SecurityEvent, +,"10/18/2024, 10:03:33.064 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,48.218.27.65,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,WPServer-Web01,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0ac1e889-2d9d-417f-919e-107483b2a3f9},720,208,3292896,SecurityEvent, +,"10/18/2024, 10:03:33.606 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hassenfratz,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c5181d16-43b4-4158-9027-eac4b8166bc5},720,208,3292898,SecurityEvent, +,"10/18/2024, 10:03:34.162 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,welllink,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e2d02e52-8376-4589-b54e-af200f459df2},720,208,3292900,SecurityEvent, +,"10/18/2024, 10:03:35.282 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haliant,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aacfb0d9-ffa1-40c7-8538-ce12eede3c2f},720,208,3292902,SecurityEvent, +,"10/18/2024, 10:03:35.835 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wibitsports,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9b29e47c-7c38-4d9a-a231-9a5fcd87ec86},720,208,3292904,SecurityEvent, +,"10/18/2024, 10:03:36.946 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guestcounts,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a9db4a11-59c6-454f-8d5c-94b311b326b2},720,208,3292906,SecurityEvent, +,"10/18/2024, 10:03:37.486 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wffe,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{24b1b5b2-c32d-434f-9bbd-5f19a466b789},720,208,3292908,SecurityEvent, +,"10/18/2024, 10:03:38.608 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,handeland,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c4835ed8-c68a-4b48-aa51-f899c14fb44a},720,208,3292910,SecurityEvent, +,"10/18/2024, 10:03:39.136 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wesawit,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:04:06.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{51d9d07f-d78f-425c-a229-7696d3716043},720,208,3292912,SecurityEvent, +,"10/18/2024, 10:05:40.088 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,winnfield,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{62a0074a-6af8-4947-a016-5da114c9a42b},720,208,3293219,SecurityEvent, +,"10/18/2024, 10:05:40.659 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,growthnet,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f1b1fd5-b910-42e5-9e79-fbece9536241},720,208,3293221,SecurityEvent, +,"10/18/2024, 10:05:41.747 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wesla,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a95819cb-acef-44df-910a-80e01c5a9b01},720,208,3293223,SecurityEvent, +,"10/18/2024, 10:05:42.442 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,h2o-diving,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e5c64a36-9ef1-4fcf-9777-5fad15ff56b6},720,208,3293225,SecurityEvent, +,"10/18/2024, 10:05:43.473 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whey,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8a7a2af4-fb64-4c97-8981-a742c62b68cd},720,208,3293227,SecurityEvent, +,"10/18/2024, 10:05:44.097 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grushgamer,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5ccbc1e2-d8be-4ed0-ae07-b2e6caf6d561},720,208,3293229,SecurityEvent, +,"10/18/2024, 10:05:45.263 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wetnoz,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a8728480-fa12-48d5-ba23-4dbc61f65ee9},720,208,3293231,SecurityEvent, +,"10/18/2024, 10:05:45.766 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hajir,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{be7d41d2-7d62-40b1-af28-5962211eee95},720,208,3293233,SecurityEvent, +,"10/18/2024, 10:05:46.920 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wgdr,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{97aa25db-617a-4485-a064-781b03c253ae},720,208,3293235,SecurityEvent, +,"10/18/2024, 10:05:47.417 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hakone,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e022ff2a-ec65-4164-a1fe-3a974fa46e2f},720,208,3293237,SecurityEvent, +,"10/18/2024, 10:05:48.629 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wienecke,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1f7c1e34-87e1-497f-a1b1-c7877dffb7e5},720,208,3293239,SecurityEvent, +,"10/18/2024, 10:05:48.894 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,35.222.84.199,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,user,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{17ca5599-23cb-4be7-a4df-a53150615458},720,208,3293241,SecurityEvent, +,"10/18/2024, 10:05:49.072 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,guardianlv,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cfce20f5-c254-4945-a5be-0968e1db7465},720,208,3293243,SecurityEvent, +,"10/18/2024, 10:05:50.335 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whirelandplc,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a996468c-fc91-497a-bc7d-8c2050d09fb2},720,208,3293245,SecurityEvent, +,"10/18/2024, 10:05:50.738 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haileyville,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4fa861cd-28d5-4a17-b6dd-b155702432b1},720,208,3293247,SecurityEvent, +,"10/18/2024, 10:05:51.989 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,windlers,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cf5df87e-dd55-4920-b4e6-a7dcc9a23689},720,208,3293249,SecurityEvent, +,"10/18/2024, 10:05:52.475 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gynecologic,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ed5d1daa-4ed8-4007-8e99-1fa62b8662f6},720,208,3293251,SecurityEvent, +,"10/18/2024, 10:05:53.652 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webpass,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4a0d0f96-69ea-4146-a2b4-5c8cf4812d81},720,208,3293253,SecurityEvent, +,"10/18/2024, 10:05:54.295 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hagerstownwa,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23641a2c-2a52-4f87-9c06-668e646a9695},720,208,3293255,SecurityEvent, +,"10/18/2024, 10:05:55.377 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whittmre,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{65de853c-6998-453b-91f9-31d0b6c8ab59},720,208,3293257,SecurityEvent, +,"10/18/2024, 10:05:55.970 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,growlean,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d51f9dff-0735-4109-b424-79552c962fe0},720,208,3293259,SecurityEvent, +,"10/18/2024, 10:05:57.117 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wigan,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25346c73-66a5-40fd-8f01-14af78ba2734},720,208,3293261,SecurityEvent, +,"10/18/2024, 10:05:57.662 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hamover,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f0490378-e408-4684-9de6-17dab56bfddd},720,208,3293263,SecurityEvent, +,"10/18/2024, 10:05:58.798 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wearehpg,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7a83b182-bf7a-4049-bd99-d7378b60d321},720,208,3293265,SecurityEvent, +,"10/18/2024, 10:05:59.318 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grippin,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:26.107 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0ea34b20-32ce-4053-96cc-76db212d5bad},720,208,3293267,SecurityEvent, +,"10/18/2024, 10:06:00.477 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westernpi,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6d900579-c658-454d-ae3f-0b3628c25e41},720,208,3293269,SecurityEvent, +,"10/18/2024, 10:06:00.995 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,h2flow,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ab92f70a-8895-4d89-a1db-86364bd7e022},720,208,3293271,SecurityEvent, +,"10/18/2024, 10:06:01.839 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.130.145.160,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,waynehaylett39,S-1-0-0,,,,,,,,-,,,,,,,,HOSTNAME,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2411e007-910d-43bc-9d68-b23346878b7b},720,208,3293273,SecurityEvent, +,"10/18/2024, 10:06:02.173 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wenneker,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b8162a9f-aefd-4ae5-aaf7-9bdf06af4630},720,208,3293275,SecurityEvent, +,"10/18/2024, 10:06:02.809 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haensel,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2a6dc3ea-1a4f-44fb-88cc-298fadbc76e9},720,208,3293277,SecurityEvent, +,"10/18/2024, 10:06:03.819 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,westdigital,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4c7c4930-28ce-4d85-b172-367c25219d46},720,208,3293279,SecurityEvent, +,"10/18/2024, 10:06:04.475 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harborlink,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4ed28531-a555-4b83-b532-7127892d86e1},720,208,3293281,SecurityEvent, +,"10/18/2024, 10:06:05.570 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whisnant,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8b641fbc-926b-402c-ac86-7cb200204dfe},720,208,3293283,SecurityEvent, +,"10/18/2024, 10:06:06.305 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,grimm-co,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6d461d2f-ac67-4649-8b3c-b2f28437b9a2},720,208,3293285,SecurityEvent, +,"10/18/2024, 10:06:07.413 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,weegro,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{375e4e55-b01b-4884-ae22-ecd8d988eefc},720,208,3293287,SecurityEvent, +,"10/18/2024, 10:06:07.981 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hadly,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{37a0b844-e832-49c1-960d-cb7df0579df3},720,208,3293289,SecurityEvent, +,"10/18/2024, 10:06:09.076 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wgsc,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8932d7fb-5629-405a-a772-2aa15eeb0296},720,208,3293291,SecurityEvent, +,"10/18/2024, 10:06:09.642 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hasson,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bc7085be-92ed-4f20-86a4-3a9255bf657f},720,208,3293293,SecurityEvent, +,"10/18/2024, 10:06:10.879 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,widermere,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25d1d8a2-8ee2-42d9-befe-90bcdb254489},720,208,3293295,SecurityEvent, +,"10/18/2024, 10:06:11.304 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harmonsolar,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{204ad197-d0c1-4018-9cb3-33c400d56987},720,208,3293297,SecurityEvent, +,"10/18/2024, 10:06:12.596 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,willough,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f93d5420-9f6a-4465-9399-8167f6dbc987},720,208,3293299,SecurityEvent, +,"10/18/2024, 10:06:12.961 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,haas4,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b5303162-c787-45f3-8d3d-b25516ed3b21},720,208,3293301,SecurityEvent, +,"10/18/2024, 10:06:14.342 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,whatnots,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 
10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{312e282e-7efa-4813-845e-aef42e8b9e1d},720,208,3293303,SecurityEvent, +,"10/18/2024, 10:06:14.680 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,hardide,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{368580b8-89ff-4571-b92c-aa2b71f1c6da},720,208,3293305,SecurityEvent, +,"10/18/2024, 10:06:16.043 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wgl,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bd8e2b69-66dd-46c1-aac9-d3a9b19ede5e},720,208,3293307,SecurityEvent, +,"10/18/2024, 10:06:16.333 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gtplanet,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8b2f48a9-84ee-4511-959a-9f524ee37288},720,208,3293309,SecurityEvent, +,"10/18/2024, 10:06:17.695 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,webops,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f9dd63a4-794f-4b03-9a98-b4ca8efcc466},720,208,3293311,SecurityEvent, +,"10/18/2024, 10:06:17.982 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,harrisonscott,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23c33ff5-0b95-4fd2-8fb1-82440053b887},720,208,3293313,SecurityEvent, +,"10/18/2024, 10:06:19.501 
AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.90.100.200,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,wetch,S-1-0-0,,,,,,,,-,,,,,,,,D-537,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ba15d533-8adb-42d7-abfd-242fc5a12556},720,208,3293315,SecurityEvent, +,"10/18/2024, 10:06:19.690 AM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.7,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,habitheque,S-1-0-0,,,,,,,,-,,,,,,,,D-533,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/18/2024, 10:06:46.119 AM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1d760439-e1ba-4fbe-a2d3-315e0bed7734},720,208,3293317,SecurityEvent, +,"10/17/2024, 4:23:40.089 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sambucos,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ddbbb8dd-3f87-498e-bb90-4ec17114f292},720,8164,3125550,SecurityEvent, +,"10/17/2024, 4:23:40.158 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geety,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{104129de-69b8-4499-b339-746405b3d5c7},720,8164,3125552,SecurityEvent, +,"10/17/2024, 4:23:40.981 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spreetit,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{56bfa301-d54f-473f-8306-9ad256df07ac},720,8164,3125554,SecurityEvent, +,"10/17/2024, 4:23:41.137 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,electracorp,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7399e54e-0829-4c9b-80fd-dfe0f2344ea1},720,8164,3125556,SecurityEvent, +,"10/17/2024, 4:23:41.377 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boxblaster,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b47802b6-e152-4b40-b4e9-2e661e3a523a},720,8164,3125558,SecurityEvent, +,"10/17/2024, 4:23:41.735 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rshughes,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8870c88d-948e-4639-8e5c-97763c6dd098},720,8164,3125560,SecurityEvent, +,"10/17/2024, 4:23:42.623 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garritys,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f70cfa76-e71c-46e8-a0ac-f587966d007c},720,8164,3125562,SecurityEvent, +,"10/17/2024, 4:23:42.792 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spiritas,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6b0bc714-7c9a-46e3-8754-0440f28adff9},720,8164,3125564,SecurityEvent, +,"10/17/2024, 4:23:42.850 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elbi,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{611e14fe-0c5f-4541-a6e5-5b69da67a013},720,8164,3125566,SecurityEvent, +,"10/17/2024, 4:23:43.045 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridgemedica,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23a10083-f673-4547-8682-f7ca84792c91},720,8164,3125568,SecurityEvent, +,"10/17/2024, 4:23:43.398 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safe-esteem,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3330a871-fad7-481f-8acf-10a0f56e28c2},720,8164,3125570,SecurityEvent, +,"10/17/2024, 4:23:44.145 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gistfood,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f84971e5-1ca1-4e74-a689-731492d08a1b},720,8164,3125572,SecurityEvent, +,"10/17/2024, 4:23:44.459 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparxsports,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2593d07d-11d3-48bb-8d53-52d3509f95e3},720,8164,3125574,SecurityEvent, +,"10/17/2024, 4:23:44.498 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,echosummit,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{baf5f45c-b934-4acd-aa37-323e2edb2f78},720,8164,3125576,SecurityEvent, +,"10/17/2024, 4:23:44.762 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brunschwig,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9a5d3893-4615-4ce0-bede-dabb4a6288c1},720,8164,3125578,SecurityEvent, +,"10/17/2024, 4:23:45.105 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rolfsons,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{816ab1cf-05d4-495f-8fda-293b22d2c7b7},720,8164,3125580,SecurityEvent, +,"10/17/2024, 4:23:45.613 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemstonehomes,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{901a0372-ba6c-4a6a-8a82-682982a8843b},720,8164,3125582,SecurityEvent, +,"10/17/2024, 4:23:46.105 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somersetrec,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{00a210f0-eeb5-41bb-b661-996eb5e87abd},720,8164,3125584,SecurityEvent, +,"10/17/2024, 4:23:46.149 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,econclubchi,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c547bdf9-1962-4cc4-87b5-7ebcce0e2cc6},720,8164,3125586,SecurityEvent, +,"10/17/2024, 4:23:46.416 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burnshire,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c58faaf8-a104-4513-a3e3-ed49a3cd3b5d},720,8164,3125588,SecurityEvent, +,"10/17/2024, 4:23:46.819 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,romantisea,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6f0a58ae-144d-44ce-8361-dc1962fc6b0d},720,8164,3125590,SecurityEvent, +,"10/17/2024, 4:23:47.767 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soundtransit,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{625aa9b8-9199-4eb8-a1fc-aadf2c3add81},720,8164,3125592,SecurityEvent, +,"10/17/2024, 4:23:47.866 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,editline,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{56d5804f-b888-44f3-adf8-4fb660f4cc94},720,8164,3125594,SecurityEvent, +,"10/17/2024, 4:23:48.070 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buena,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f114fde1-2a0e-4e7e-b86d-efa95fb59ef6},720,8164,3125596,SecurityEvent, +,"10/17/2024, 4:23:48.277 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gears,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{997c8964-2789-4671-9ada-65bc91f8323c},720,8164,3125598,SecurityEvent, +,"10/17/2024, 4:23:48.469 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safe-wire,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b8ac437f-fade-45ab-ae46-ca57f23842fc},720,8164,3125600,SecurityEvent, +,"10/17/2024, 4:23:49.459 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,softgain,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2eb6a042-e3ce-4a7b-b135-80b23d1a6bd1},720,8164,3125602,SecurityEvent, +,"10/17/2024, 4:23:49.518 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edcoms,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c9e3c61c-ef9b-4c2a-ac17-f86758901ead},720,8164,3125604,SecurityEvent, +,"10/17/2024, 4:23:49.556 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gintzler,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a0f89029-b6b8-43c6-bf4b-b78d1b3ed286},720,8164,3125606,SecurityEvent, +,"10/17/2024, 4:23:49.702 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,107.150.56.10,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ftpuser,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1ff9817e-4db4-4ed5-937f-c76279752735},720,8164,3125608,SecurityEvent, +,"10/17/2024, 4:23:49.768 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bouwbedrijf,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{96ab4952-f2de-4352-9a0d-d0512308c4ba},720,8164,3125610,SecurityEvent, +,"10/17/2024, 4:23:50.163 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rs1w,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{44756aa3-f758-41c4-ba5b-f18c600597c6},720,8164,3125612,SecurityEvent, +,"10/17/2024, 4:23:51.112 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spiritos,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9203f662-7f19-43da-ac8a-5044c1b8e8b8},720,8164,3125614,SecurityEvent, +,"10/17/2024, 4:23:51.268 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecodistrict,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1f438c3c-9d7e-4d13-81cd-901940786877},720,8164,3125616,SecurityEvent, +,"10/17/2024, 4:23:51.427 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breuckelen,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1b3aa0df-13a9-4886-86b2-c8f3dedb2b3f},720,8164,3125618,SecurityEvent, +,"10/17/2024, 4:23:51.817 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saidph,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{17d5d97f-400c-4f4f-8936-6e27e4ef17ef},720,8164,3125620,SecurityEvent, +,"10/17/2024, 4:23:52.052 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,girlspring,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4b708f64-ee90-427b-90b5-cb45b831f215},720,8164,3125622,SecurityEvent, +,"10/17/2024, 4:23:52.777 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sotis,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e5c512a5-8ab9-4295-be42-8e9c13ab8c11},720,8164,3125624,SecurityEvent, +,"10/17/2024, 4:23:52.919 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edieinc,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cbc274ae-9603-40ca-8a4d-576f9a5c2321},720,8164,3125626,SecurityEvent, +,"10/17/2024, 4:23:53.083 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bunuel,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0722c242-1c2a-4b6c-9505-33506711349b},720,8164,3125628,SecurityEvent, +,"10/17/2024, 4:23:53.433 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garnerit,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6057a212-bc68-458d-8331-5889fbdf11b5},720,8164,3125630,SecurityEvent, +,"10/17/2024, 4:23:53.471 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roizin,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5cea4261-374d-4e39-8ae4-584ab46f158d},720,8164,3125632,SecurityEvent, +,"10/17/2024, 4:23:54.568 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solarlasvegas,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7c908c55-6426-4830-b9cb-1b598f8a6964},720,8164,3125634,SecurityEvent, +,"10/17/2024, 4:23:54.594 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,echofin,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{51ecde13-f074-4899-9275-cb1d62796f94},720,8164,3125636,SecurityEvent, +,"10/17/2024, 4:23:54.737 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brasingtons,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{16c4b491-565b-4291-8b30-34403275c4aa},720,8164,3125638,SecurityEvent, +,"10/17/2024, 4:23:55.035 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gladis,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23e4e1e8-6d50-485c-8673-28b3d99d84c7},720,8164,3125640,SecurityEvent, +,"10/17/2024, 4:23:55.121 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rombrascom,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5ca7e41e-d53f-495c-9a08-26f20337c166},720,8164,3125642,SecurityEvent, +,"10/17/2024, 4:23:56.232 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spurstaffing,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c0fc758-0232-4b00-9c5d-507c331e24dd},720,8164,3125644,SecurityEvent, +,"10/17/2024, 4:23:56.244 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,echeverri,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{622d6e62-041d-4ec8-bacb-fe03df9eced8},720,8164,3125646,SecurityEvent, +,"10/17/2024, 4:23:56.388 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brewskeeball,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f48de1b1-5b19-4eab-8402-ab2d1bab556c},720,8164,3125648,SecurityEvent, +,"10/17/2024, 4:23:56.809 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roehm,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5ffccd6e-2b17-4150-ae61-54640fc75c2c},720,8164,3125650,SecurityEvent, +,"10/17/2024, 4:23:56.923 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gersek,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5a2e29f4-c339-4854-a85d-38dfc33aa882},720,8164,3125652,SecurityEvent, +,"10/17/2024, 4:23:57.891 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soscuisine,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3fef4d42-8735-42c6-a42d-68e37d453776},720,8164,3125654,SecurityEvent, +,"10/17/2024, 4:23:58.046 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edensjournal,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{df42bef7-8d1f-4314-974e-9367ce25edf5},720,8164,3125656,SecurityEvent, +,"10/17/2024, 4:23:58.098 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boylston,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e108cfea-cd62-4bda-b4c0-8d4e81b6344c},720,8164,3125658,SecurityEvent, +,"10/17/2024, 4:23:58.490 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rodier,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8eb17fe4-7796-461f-9ee8-a8632732d72f},720,8164,3125660,SecurityEvent, +,"10/17/2024, 4:23:58.503 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gilson,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fbf4b249-acfd-4da2-9719-df85797b3bca},720,8164,3125662,SecurityEvent, +,"10/17/2024, 4:23:59.619 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,socrystal,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ef17908d-0b96-4cc7-aa8b-9a089b9f6860},720,8164,3125664,SecurityEvent, +,"10/17/2024, 4:23:59.749 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brienen,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{87496ddb-b61a-494a-bcbe-52a44eca7e35},720,8164,3125666,SecurityEvent, +,"10/17/2024, 4:23:59.774 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elring,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{80b02188-9013-4de2-8a8f-8b830bfbe28d},720,8164,3125668,SecurityEvent, +,"10/17/2024, 4:23:59.859 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gc-tronic,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:26.160 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{861ce67a-2274-4af0-890d-e1bb6fef88d4},720,8164,3125670,SecurityEvent, +,"10/17/2024, 4:30:20.007 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brashconcepts,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ac0b92a4-76cb-4d4a-9d6c-8aadc0df4037},720,4832,3127947,SecurityEvent, +,"10/17/2024, 4:30:20.521 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elem3nt,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0ecdc5db-70a2-4219-bf23-bfa0a61063ef},720,4832,3127949,SecurityEvent, +,"10/17/2024, 4:30:20.539 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getcasely,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7147a537-36d9-4023-964b-9d87e27ff239},720,4832,3127951,SecurityEvent, +,"10/17/2024, 4:30:20.611 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rusdun,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9ef15fc6-45b6-400b-abee-6820e463e6a1},720,4832,3127953,SecurityEvent, +,"10/17/2024, 4:30:20.625 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spotlyte,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{90a5a4e2-9259-46dd-bd17-0085aa388ffe},720,4832,3127955,SecurityEvent, +,"10/17/2024, 4:30:21.666 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burghard,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d64034e7-d2f6-4103-9b7b-23cc098a56d8},720,4832,3127957,SecurityEvent, +,"10/17/2024, 4:30:22.194 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecollections,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2b06b742-f5db-425a-b92e-8ff5353d0395},720,4832,3127959,SecurityEvent, +,"10/17/2024, 4:30:22.286 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spk,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b5c0f8af-a5cc-42bc-ab29-c99bd9ebfb7e},720,4832,3127961,SecurityEvent, +,"10/17/2024, 4:30:22.300 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getfactbox,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c39147e5-2331-4e17-8e26-c77490aee2a9},720,4832,3127963,SecurityEvent, +,"10/17/2024, 4:30:22.504 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,royalabstract,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2f8c5268-9fd7-4b4b-a9bb-d082e28804c6},720,4832,3127965,SecurityEvent, +,"10/17/2024, 4:30:23.327 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bumble-beez,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{082f02c9-7a9d-4b29-8371-fb303b262e50},720,4832,3127967,SecurityEvent, +,"10/17/2024, 4:30:23.375 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gettrik,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8efb57ed-0ab5-46b2-8d5f-a1fa41baa1ae},720,4832,3127969,SecurityEvent, +,"10/17/2024, 4:30:23.857 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eaglebrand,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{12d2b1da-bffe-48d8-8f40-326ef4e913ab},720,4832,3127971,SecurityEvent, +,"10/17/2024, 4:30:23.952 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sokid,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8a98cc20-d86c-4a7f-9705-b34bf5b97859},720,4832,3127973,SecurityEvent, +,"10/17/2024, 4:30:24.475 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rscsrc,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c6494ec-6ea7-42ea-9d6c-217da64139ba},720,4832,3127975,SecurityEvent, +,"10/17/2024, 4:30:24.970 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brambleenergy,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{36153b5a-b280-443a-825f-59c501ba4916},720,4832,3127977,SecurityEvent, +,"10/17/2024, 4:30:25.614 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,splicetel,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{de16f4c6-bf9e-4d5e-932b-74995460753f},720,4832,3127979,SecurityEvent, +,"10/17/2024, 4:30:25.728 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eden-services,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7b45e004-853a-40c1-9288-30fec9d65df0},720,4832,3127981,SecurityEvent, +,"10/17/2024, 4:30:25.854 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gantrex,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{869817e1-cc55-4973-844f-c987aec1fb15},720,4832,3127983,SecurityEvent, +,"10/17/2024, 4:30:26.240 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rosebaum,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6c617746-56ba-40db-8b19-a3ba29aa9ccf},720,4832,3127985,SecurityEvent, +,"10/17/2024, 4:30:26.633 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bspoketours,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2066d5e7-10ce-4fd1-a1d0-3bf3eec855b2},720,4832,3127987,SecurityEvent, +,"10/17/2024, 4:30:27.268 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,splendidcomms,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{315ee471-271d-49a5-ab4b-088519ab3be0},720,4832,3127989,SecurityEvent, +,"10/17/2024, 4:30:27.389 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eduseed,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f4776e21-5fd3-401f-8dca-43cb1943d9e2},720,4832,3127991,SecurityEvent, +,"10/17/2024, 4:30:27.802 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gamyte,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b14f21c2-c6d0-46e9-9b24-b14dd11d3935},720,4832,3127993,SecurityEvent, +,"10/17/2024, 4:30:28.157 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sabriel,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d35d73f0-b4bc-4a26-b9b5-263977af1ac4},720,4832,3127995,SecurityEvent, +,"10/17/2024, 4:30:28.310 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandprox,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ee0fbd07-5868-4572-9f96-419fed464cf6},720,4832,3127997,SecurityEvent, +,"10/17/2024, 4:30:28.919 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sophisticode,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a06c9c15-895d-4de5-8460-f692d094708d},720,4832,3127999,SecurityEvent, +,"10/17/2024, 4:30:29.042 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eindhoven,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6e5e7ef9-c2a7-440e-a82c-b98029eb8356},720,4832,3128001,SecurityEvent, +,"10/17/2024, 4:30:29.802 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sabeha,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26b813ce-6bb2-4924-a9b6-75bf1a33eade},720,4832,3128003,SecurityEvent, +,"10/17/2024, 4:30:29.957 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandtrip,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{62e555ab-2a0a-472a-a332-27cfe70f41d7},720,4832,3128005,SecurityEvent, +,"10/17/2024, 4:30:30.297 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getgigbook,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{349f8d1b-2592-454e-8f71-bbe1f4939ece},720,4832,3128007,SecurityEvent, +,"10/17/2024, 4:30:30.571 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soundin,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a79a8042-751c-4cc6-9819-6b0f28d6d5cb},720,4832,3128009,SecurityEvent, +,"10/17/2024, 4:30:30.691 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eastvold,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e8d70e8b-fa2e-440c-9206-e6fab7e99c47},720,4832,3128011,SecurityEvent, +,"10/17/2024, 4:30:31.390 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getexpo,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6aceabc9-f649-4b1c-af60-dba618a387af},720,4832,3128015,SecurityEvent, +,"10/17/2024, 4:30:31.835 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brogle-druck,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{46de6c8a-0d50-474d-9e0e-6a821b86139d},720,4832,3128017,SecurityEvent, +,"10/17/2024, 4:30:31.873 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rvfb,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{35adf293-dca8-4790-8ae4-7b7681eefb90},720,4832,3128019,SecurityEvent, +,"10/17/2024, 4:30:32.224 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somata,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9685ecd2-ce51-4d3f-b4d3-1c8e72b48d88},720,4832,3128021,SecurityEvent, +,"10/17/2024, 4:30:32.360 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elsisi,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6d11a749-9ed7-4bf9-a89c-33cf562b758b},720,4832,3128023,SecurityEvent, +,"10/17/2024, 4:30:32.691 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geosouthern,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f89d2512-eeb1-4946-b306-08b6284091e1},720,4832,3128025,SecurityEvent, +,"10/17/2024, 4:30:33.561 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bueter,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1a151c1f-1af3-4e48-a714-a68242b65cdd},720,4832,3128027,SecurityEvent, +,"10/17/2024, 4:30:33.882 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spinwave,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{95fa9540-67fa-4094-9449-50f513e13c0d},720,4832,3128029,SecurityEvent, +,"10/17/2024, 4:30:34.025 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sabzalimurad,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{52e79494-bcde-47e4-87cf-e6978ce692ff},720,4832,3128031,SecurityEvent, +,"10/17/2024, 4:30:34.036 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,electrooptix,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f1b413f7-224e-45d7-bad0-f45b0f4ae57c},720,4832,3128033,SecurityEvent, +,"10/17/2024, 4:30:34.230 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garvish,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{055d0eb5-194a-4abd-a1af-92fc7a2840c4},720,4832,3128035,SecurityEvent, +,"10/17/2024, 4:30:35.212 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buildgroup,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c999db63-7549-4274-bc9d-8806eb3a121e},720,4832,3128037,SecurityEvent, +,"10/17/2024, 4:30:35.685 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,echodyne,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9d217e08-e7a8-4501-b7f8-228a5042160c},720,4832,3128039,SecurityEvent, +,"10/17/2024, 4:30:35.771 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rodens,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f41b38bf-8241-437e-b8b3-48c9658e95ea},720,4832,3128041,SecurityEvent, +,"10/17/2024, 4:30:35.894 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spfsocial,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6952f824-fb72-4693-84a3-468936bb65b3},720,4832,3128043,SecurityEvent, +,"10/17/2024, 4:30:36.489 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garym,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ec287d43-9b9e-4306-bc6c-10c0db13b39c},720,4832,3128045,SecurityEvent, +,"10/17/2024, 4:30:37.067 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bunos,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3a77e6ec-1d5a-42f4-95aa-1f5ac334e7f2},720,4832,3128047,SecurityEvent, +,"10/17/2024, 4:30:37.478 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eckis,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f741b068-8889-4816-98f7-cddacfefb4c7},720,4832,3128049,SecurityEvent, +,"10/17/2024, 4:30:37.507 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rustempasic,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{78dd8623-f262-497f-84fd-d7feff692039},720,4832,3128051,SecurityEvent, +,"10/17/2024, 4:30:37.693 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonicare,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dc4ed3f8-3e10-49fa-878f-346dd9113f35},720,4832,3128053,SecurityEvent, +,"10/17/2024, 4:30:38.723 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,build1x,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3d3f7d14-7a5a-46a5-9852-663dba5b5acd},720,4832,3128055,SecurityEvent, +,"10/17/2024, 4:30:38.892 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getmailbird,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{243cf61c-3439-45cc-a533-b63341f2cbb0},720,4832,3128057,SecurityEvent, +,"10/17/2024, 4:30:39.143 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eagleyeit,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{143a9683-37f5-4f5a-bba9-353672da1aa9},720,4832,3128059,SecurityEvent, +,"10/17/2024, 4:30:39.344 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparkswap,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9db89046-67f5-458d-9d25-4ef764e3f727},720,4832,3128061,SecurityEvent, +,"10/17/2024, 4:30:39.470 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roverapps,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:06.155 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{af98c4d4-9baf-4cbd-87d0-70de179a1dd9},720,4832,3128063,SecurityEvent, +,"10/17/2024, 4:29:20.058 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rsac,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e0e9f42d-046b-48f9-83da-9de8d39b37a4},720,8164,3127593,SecurityEvent, +,"10/17/2024, 4:29:20.289 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonit,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b2a984dd-5f81-487e-8e0b-72cf1efce72d},720,8164,3127595,SecurityEvent, +,"10/17/2024, 4:29:20.539 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brencam,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dc1a31a3-e32d-436f-8ed6-4ed191a40043},720,8164,3127597,SecurityEvent, +,"10/17/2024, 4:29:21.062 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ganyu,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3191164c-2874-4d8a-ae5b-fec999362608},720,8164,3127599,SecurityEvent, +,"10/17/2024, 4:29:21.654 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecosante,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26ef764c-f0a6-4171-84b8-f304dad770f2},720,8164,3127601,SecurityEvent, +,"10/17/2024, 4:29:22.024 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spcmechanical,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{97c66420-756b-4a0b-a890-d6d65e63c341},720,8164,3127603,SecurityEvent, +,"10/17/2024, 4:29:22.074 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roomrocket,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{17f42d98-9229-4d29-a20b-4e593958252a},720,8164,3127605,SecurityEvent, +,"10/17/2024, 4:29:22.186 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buffas,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f8ee7922-e1ff-4391-8b98-289fe3e3aa76},720,8164,3127607,SecurityEvent, +,"10/17/2024, 4:29:23.302 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eleff,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6bf5de10-9a1d-4186-ae65-d106f8dd2a07},720,8164,3127609,SecurityEvent, +,"10/17/2024, 4:29:23.320 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geant,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49cfca62-1e26-4506-9567-38185a8b1f5b},720,8164,3127611,SecurityEvent, +,"10/17/2024, 4:29:23.699 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spssi,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{467b1686-856c-450f-b9d5-91162b5bde8b},720,8164,3127613,SecurityEvent, +,"10/17/2024, 4:29:23.721 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roywell,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{64f084b8-c162-4d14-98f5-c496960fbd3a},720,8164,3127615,SecurityEvent, +,"10/17/2024, 4:29:23.842 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buchinski,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f4b2156-359a-4ae7-a56b-c3e1f243e76a},720,8164,3127617,SecurityEvent, +,"10/17/2024, 4:29:24.965 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genengnews,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{533ca304-d96a-49d5-b70c-049531dde1ae},720,8164,3127619,SecurityEvent, +,"10/17/2024, 4:29:24.984 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ejfoundation,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{25181a53-a590-4012-9ce3-e38b07280fef},720,8164,3127621,SecurityEvent, +,"10/17/2024, 4:29:25.343 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spencecare,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{77e7da45-b570-427a-9bdb-50631f80824a},720,8164,3127623,SecurityEvent, +,"10/17/2024, 4:29:25.405 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,runmyerrands,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d0c4bd76-4708-4e09-b736-3b17eb15e404},720,8164,3127625,SecurityEvent, +,"10/17/2024, 4:29:25.520 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brooks-ins,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{66066a00-73f0-4a26-8760-63855ecb3608},720,8164,3127627,SecurityEvent, +,"10/17/2024, 4:29:26.675 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eastville,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{73c2dc96-6d13-401f-9286-1063cb300774},720,8164,3127629,SecurityEvent, +,"10/17/2024, 4:29:27.009 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,southern-it,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c89b79b3-2959-4059-aaf8-5c4ac7bcee38},720,8164,3127631,SecurityEvent, +,"10/17/2024, 4:29:27.050 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rustebakke,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{27c6b6f2-b1e4-480e-b5f4-37491eec0d29},720,8164,3127633,SecurityEvent, +,"10/17/2024, 4:29:27.173 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boyles,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4c7718e0-9d6e-441c-92da-35ff9b3256c9},720,8164,3127635,SecurityEvent, +,"10/17/2024, 4:29:27.221 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geough,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{28919e57-2851-4919-86c4-5c641e28cce3},720,8164,3127637,SecurityEvent, +,"10/17/2024, 4:29:28.386 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edeveco,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{19aec661-b0aa-466f-adfb-e58e6f57a7df},720,8164,3127639,SecurityEvent, +,"10/17/2024, 4:29:28.659 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solidan,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aa545584-72c8-4c1d-ab2c-01729efa26e1},720,8164,3127641,SecurityEvent, +,"10/17/2024, 4:29:28.707 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rouchinet,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{162b29d2-1546-4ccd-ae7f-eb6da100990a},720,8164,3127643,SecurityEvent, +,"10/17/2024, 4:29:28.747 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gcsincorp,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5fbbdfc2-4069-46e7-82d0-008114b8e6bb},720,8164,3127645,SecurityEvent, +,"10/17/2024, 4:29:28.828 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brae,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c8c9e8f7-be75-4e17-b03e-c6bb6dff9809},720,8164,3127647,SecurityEvent, +,"10/17/2024, 4:29:29.835 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gamewise,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5a5778a1-5983-4a59-b288-1852a0485fa6},720,8164,3127649,SecurityEvent, +,"10/17/2024, 4:29:30.068 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edcreate,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{99198b43-4f02-4ae0-b9c8-995e69963920},720,8164,3127651,SecurityEvent, +,"10/17/2024, 4:29:30.315 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spectracom,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{05f0129b-49c9-472d-b137-e4eab5f0480f},720,8164,3127653,SecurityEvent, +,"10/17/2024, 4:29:30.498 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safalsoft,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c0a6f89f-9727-477d-a837-b84c9dc92729},720,8164,3127655,SecurityEvent, +,"10/17/2024, 4:29:30.621 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burrusseed,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0fc53bd3-8aff-4270-a52e-56c00c412b4f},720,8164,3127657,SecurityEvent, +,"10/17/2024, 4:29:31.323 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gcds,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1fd4d0c9-5889-4d7d-b865-40f90feabc3f},720,8164,3127661,SecurityEvent, +,"10/17/2024, 4:29:31.724 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecdi,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f6165820-521b-48c6-b0f9-adbd1097f36d},720,8164,3127663,SecurityEvent, +,"10/17/2024, 4:29:32.124 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonograms,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a98f7305-0695-4b68-9169-2f9b934681ee},720,8164,3127665,SecurityEvent, +,"10/17/2024, 4:29:32.263 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,broadlink,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{deeafbaa-5904-4b11-b867-b3cc81d8d715},720,8164,3127667,SecurityEvent, +,"10/17/2024, 4:29:32.337 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,samo,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b8edf990-b3ac-4db4-a576-8cbe0e8c2f11},720,8164,3127669,SecurityEvent, +,"10/17/2024, 4:29:33.378 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edgerly,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{45fe64a7-3903-45a4-8ec1-f01517a7b7ee},720,8164,3127671,SecurityEvent, +,"10/17/2024, 4:29:33.752 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garavaglia,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{152087ab-7422-4aae-bd83-8569c97eb2e2},720,8164,3127673,SecurityEvent, +,"10/17/2024, 4:29:33.851 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spothook,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49c8f826-fb83-44c3-b495-961f37c7daf2},720,8164,3127675,SecurityEvent, +,"10/17/2024, 4:29:33.915 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandingirons,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0834e2d0-bd5d-4ced-9b19-465bd11ed074},720,8164,3127677,SecurityEvent, +,"10/17/2024, 4:29:34.055 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rushcycle,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ee681b94-b6a9-46bc-a2e0-8ea3e8488cc3},720,8164,3127679,SecurityEvent, +,"10/17/2024, 4:29:35.039 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ekssecurity,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{310e9151-4eb3-475c-add5-624bcc3df65a},720,8164,3127681,SecurityEvent, +,"10/17/2024, 4:29:35.132 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,get2space,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{08f7ec5d-4fde-4900-906d-d1a5db4b1487},720,8164,3127683,SecurityEvent, +,"10/17/2024, 4:29:35.594 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soconord,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{00efa1c5-5f94-4c6e-97cc-5646cbdb0f24},720,8164,3127685,SecurityEvent, +,"10/17/2024, 4:29:35.618 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bufftree,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4c7dac63-520c-4704-b093-5558fee6941b},720,8164,3127687,SecurityEvent, +,"10/17/2024, 4:29:35.737 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rvone,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cbe18140-a3f0-4db9-858b-3edef3fe1f34},720,8164,3127689,SecurityEvent, +,"10/17/2024, 4:29:36.331 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gapyear,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{deef03e9-c31e-4281-ab11-d14ba6579d98},720,8164,3127691,SecurityEvent, +,"10/17/2024, 4:29:36.712 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,econsolution,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ea307a0f-c2f6-4a48-8be5-76b817efb0f6},720,8164,3127693,SecurityEvent, +,"10/17/2024, 4:29:37.324 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,springmillvp,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f83b7df3-afac-4e26-9d6d-806773eaf559},720,8164,3127695,SecurityEvent, +,"10/17/2024, 4:29:37.385 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bounch,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{53fa957d-d85b-4fb0-af74-da44c666ea01},720,8164,3127697,SecurityEvent, +,"10/17/2024, 4:29:37.388 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ryannjhvac,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0917d511-688e-40ae-b140-b3f6b5689d74},720,8164,3127699,SecurityEvent, +,"10/17/2024, 4:29:37.423 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getscopeai,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8f3ab837-9c70-4392-a157-6d3ef5e54bb9},720,8164,3127701,SecurityEvent, +,"10/17/2024, 4:29:38.367 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ellinger,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{11d774d0-8f6a-49ab-a5c3-cbef2496af05},720,8164,3127703,SecurityEvent, +,"10/17/2024, 4:29:39.050 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridgemakers,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a5357fc0-d29f-4496-8f54-ef4ab392c594},720,8164,3127705,SecurityEvent, +,"10/17/2024, 4:29:39.159 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rschooltoday,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0fecfb76-d05e-4ffc-a24a-29d69f365862},720,8164,3127707,SecurityEvent, +,"10/17/2024, 4:29:39.188 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spreadex,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{945ec1bf-79dc-45d2-9693-98e1045573ed},720,8164,3127709,SecurityEvent, +,"10/17/2024, 4:29:39.643 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gassmanfg,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:30:06.164 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ee87e1c0-3c05-49d0-9ca3-bf1c681f24a8},720,8164,3127711,SecurityEvent, +,"10/17/2024, 4:30:40.098 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garakami,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{380e2e2d-48cc-44a1-92f0-7ec15e8e2c54},720,4832,3128065,SecurityEvent, +,"10/17/2024, 4:30:40.373 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brodowski,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cfbda35b-f75a-4401-92f1-72c4994d1a23},720,4832,3128067,SecurityEvent, +,"10/17/2024, 4:30:40.804 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elationsys,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ae9572eb-2735-4bbe-a30c-a1d42fe3ebc3},720,4832,3128069,SecurityEvent, +,"10/17/2024, 4:30:41.057 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solarcomm,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3e596e41-0d74-48a8-a502-c6caf9fa7c48},720,4832,3128071,SecurityEvent, +,"10/17/2024, 4:30:41.389 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rodanmedia,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b0fa0b02-aad8-4fa3-9584-4fd50b663f3e},720,4832,3128073,SecurityEvent, +,"10/17/2024, 4:30:42.029 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,btbautoparts,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d3765b58-3582-4b76-bbec-b3ccdd8c6c66},720,4832,3128075,SecurityEvent, +,"10/17/2024, 4:30:42.508 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edisonohio,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{43c4ef51-9f52-4524-8b7a-3e95339a339a},720,4832,3128077,SecurityEvent, +,"10/17/2024, 4:30:42.880 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solarline,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{94604428-720d-4d49-8be2-deb7dd45508b},720,4832,3128079,SecurityEvent, +,"10/17/2024, 4:30:42.968 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geosafe,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{83952baf-5ff2-4de2-8a22-e80b941671e2},720,4832,3128081,SecurityEvent, +,"10/17/2024, 4:30:43.051 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ropaar,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d9deb4ca-5057-4e12-975b-e5feef2b675f},720,4832,3128083,SecurityEvent, +,"10/17/2024, 4:30:43.685 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandsus,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{55adfd25-5b7c-413b-98f1-ea4f2daccce0},720,4832,3128085,SecurityEvent, +,"10/17/2024, 4:30:44.156 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elsor,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2843b6e4-e27c-405e-a89a-a44c0f9ca68e},720,4832,3128087,SecurityEvent, +,"10/17/2024, 4:30:44.653 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solutions4,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ff384cf5-16d4-4a3e-93f9-c062ca352ef5},720,4832,3128089,SecurityEvent, +,"10/17/2024, 4:30:44.746 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rygaard,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4f762004-6fc7-480a-b585-faac613f88df},720,4832,3128091,SecurityEvent, +,"10/17/2024, 4:30:44.924 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gigya,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{71e5b956-c636-4789-894e-616b4dbaaaf1},720,4832,3128093,SecurityEvent, +,"10/17/2024, 4:30:45.514 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brohan,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{df33267c-1c9b-4de6-81d6-cdbe026222ae},720,4832,3128095,SecurityEvent, +,"10/17/2024, 4:30:45.811 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecostaff,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{24d41c94-5a0a-4b51-be51-0def50f1972b},720,4832,3128097,SecurityEvent, +,"10/17/2024, 4:30:46.224 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getinkspired,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f6a9cb0d-17c0-45cc-8a99-8e28ecca08a7},720,4832,3128099,SecurityEvent, +,"10/17/2024, 4:30:46.312 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,springsealinc,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4209ff91-78eb-497b-8146-71c0da3bde83},720,4832,3128101,SecurityEvent, +,"10/17/2024, 4:30:46.565 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rodneys,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0145daeb-99de-48c1-bf79-943d97d7e4f3},720,4832,3128103,SecurityEvent, +,"10/17/2024, 4:30:47.191 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bullard,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9646f2e3-fe4b-4c0a-840d-e152bbefcf16},720,4832,3128105,SecurityEvent, +,"10/17/2024, 4:30:47.585 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eastpac,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{40b05f2a-9510-4a16-9512-603a5ca39e20},720,4832,3128107,SecurityEvent, +,"10/17/2024, 4:30:47.965 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solinfo,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2c0aca9f-90eb-480d-b34a-b50008cab4c4},720,4832,3128109,SecurityEvent, +,"10/17/2024, 4:30:48.081 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gendlin,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{22887002-3581-4079-bff9-b7c328a20a88},720,4832,3128111,SecurityEvent, +,"10/17/2024, 4:30:48.538 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sageitinc,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ed5414fe-140f-436c-b9d1-10604575666c},720,4832,3128113,SecurityEvent, +,"10/17/2024, 4:30:49.062 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brustolon,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{84de2240-418a-435e-a65e-03a18a719d40},720,4832,3128115,SecurityEvent, +,"10/17/2024, 4:30:49.318 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebizzers,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8aa4ef82-1879-4f05-b0be-44b45db17d69},720,4832,3128117,SecurityEvent, +,"10/17/2024, 4:30:49.526 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gessin,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dc73bbef-fb96-4de9-ac00-474083614fe8},720,4832,3128119,SecurityEvent, +,"10/17/2024, 4:30:49.636 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonnisroy,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3aabe7fc-3ab5-4ebc-b6dd-00424ebbecac},720,4832,3128121,SecurityEvent, +,"10/17/2024, 4:30:50.222 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rymark,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{343c3edd-58dc-4fab-9f4b-f39183dd73b9},720,4832,3128123,SecurityEvent, +,"10/17/2024, 4:30:50.599 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getairsports,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a21066d9-0057-4635-94a4-f186315f367f},720,4832,3128125,SecurityEvent, +,"10/17/2024, 4:30:50.769 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridgford,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3da3270e-3175-4ac6-91a0-7903170d687c},720,4832,3128127,SecurityEvent, +,"10/17/2024, 4:30:50.983 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ellasmonitor,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{39be8dcf-8f0b-42b3-be40-262f5d8c49a7},720,4832,3128129,SecurityEvent, +,"10/17/2024, 4:30:51.317 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,socialstudio,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1e912da2-64f3-498a-8fe6-6794bd059956},720,4832,3128131,SecurityEvent, +,"10/17/2024, 4:30:52.154 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rubright,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23152c2d-9687-455e-a65d-ac06872c1e58},720,4832,3128133,SecurityEvent, +,"10/17/2024, 4:30:52.420 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandflight,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7c326f0d-0735-497d-b663-b9a78c308b94},720,4832,3128135,SecurityEvent, +,"10/17/2024, 4:30:52.645 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecorps,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9465325e-f0cb-4489-9202-efd78bfb77b6},720,4832,3128137,SecurityEvent, +,"10/17/2024, 4:30:52.814 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getfave,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d3f2e791-cdc6-4bca-adda-676d7a656457},720,4832,3128139,SecurityEvent, +,"10/17/2024, 4:30:53.014 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solar-wind,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{84bec143-072b-4254-99dd-5738847a199a},720,4832,3128141,SecurityEvent, +,"10/17/2024, 4:30:53.927 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getunwired,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7434fa72-d024-4b96-ba1f-5e8a280313aa},720,4832,3128143,SecurityEvent, +,"10/17/2024, 4:30:54.139 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rouns,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8d431759-5eaa-4419-a38a-2f83a48b8066},720,2980,3128145,SecurityEvent, +,"10/17/2024, 4:30:54.184 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,builduped1d,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{72c78942-799c-4bdc-8e10-5cbc1d818d7a},720,2980,3128147,SecurityEvent, +,"10/17/2024, 4:30:54.301 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,earnreit,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7e1ef716-97b8-4301-8c23-77750e47fe55},720,2980,3128149,SecurityEvent, +,"10/17/2024, 4:30:54.973 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparketh,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{98701253-9cf9-40cb-bcd3-aa569c83aa6d},720,2980,3128151,SecurityEvent, +,"10/17/2024, 4:30:55.267 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gammet,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4a6aec33-6fe3-4acd-90dc-b6cbc93ce675},720,2980,3128153,SecurityEvent, +,"10/17/2024, 4:30:55.811 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salesgym,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{245f91d9-5f3e-4937-91b3-1251b7de5fc0},720,2980,3128155,SecurityEvent, +,"10/17/2024, 4:30:55.846 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bsh-group,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2ab7c1d6-bee1-44e7-933e-2e239c84d1ad},720,2980,3128157,SecurityEvent, +,"10/17/2024, 4:30:55.950 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elegant,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d69013d5-5338-476d-9893-b16db5cd294c},720,2980,3128159,SecurityEvent, +,"10/17/2024, 4:30:56.623 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sontech,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{644fdec2-93e4-4bc7-aa52-88132342e716},720,2980,3128161,SecurityEvent, +,"10/17/2024, 4:30:57.077 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gce,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{18bee206-0ea0-43f4-a9f8-43e6a95972ee},720,2980,3128163,SecurityEvent, +,"10/17/2024, 4:30:57.500 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,braescapital,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ec28b609-8fbe-4cc8-b491-0649ddb64a39},720,2980,3128165,SecurityEvent, +,"10/17/2024, 4:30:57.522 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sailfan,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{550ad90d-f672-4865-b953-42e7199e3653},720,2980,3128167,SecurityEvent, +,"10/17/2024, 4:30:57.610 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ellmaker,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d601bd46-2158-4f8e-924e-ff6685e03835},720,2980,3128169,SecurityEvent, +,"10/17/2024, 4:30:58.278 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sponsels,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b0b0995f-1c90-4efa-b7bf-b7d4d8e502ee},720,2980,3128171,SecurityEvent, +,"10/17/2024, 4:30:58.634 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getuprise,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{500f9d5f-0c8a-467e-bac5-f7bb0bca4ed2},720,2980,3128173,SecurityEvent, +,"10/17/2024, 4:30:59.155 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bsterling,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{134d6a0d-7b8c-4ef2-a73b-2969116b5866},720,2980,3128175,SecurityEvent, +,"10/17/2024, 4:30:59.222 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saabe,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{296ca78e-c683-4194-bc7f-0a99658bc5db},720,2980,3128177,SecurityEvent, +,"10/17/2024, 4:30:59.317 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eatexplore,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c8dc10a6-3f21-461f-926a-671f49fd4c73},720,2980,3128179,SecurityEvent, +,"10/17/2024, 4:30:59.940 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spagnoli,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:31:26.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9df23aa6-74e1-46cf-b6cc-2d801f109ab1},720,2980,3128182,SecurityEvent, +,"10/17/2024, 4:31:40.427 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saisi,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ca701d77-fb37-4d2a-9a4d-5353ad4d168c},720,2980,3128435,SecurityEvent, +,"10/17/2024, 4:31:40.688 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soletrakr,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{33a9c485-186e-44f5-8fff-d0efb7753e82},720,2980,3128437,SecurityEvent, +,"10/17/2024, 4:31:41.261 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getgigz,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b03d6589-1bbc-4ab4-848d-0efa3b9274da},720,2980,3128439,SecurityEvent, +,"10/17/2024, 4:31:41.376 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,businesscycle,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{360aeac4-d747-49c5-9fc5-23324e716b51},720,2980,3128441,SecurityEvent, +,"10/17/2024, 4:31:41.659 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eeyorecd,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c9b0796c-3e89-43f9-b7cc-c408ac2eb83f},720,2980,3128443,SecurityEvent, +,"10/17/2024, 4:31:42.086 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rubix-group,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{545af58f-17ff-47d0-bce7-0fbed031e569},720,2980,3128445,SecurityEvent, +,"10/17/2024, 4:31:42.346 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somerfields,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0d0d339c-51bf-48cd-8da7-93b5cfc9d672},720,2980,3128447,SecurityEvent, +,"10/17/2024, 4:31:42.350 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,giraulo,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{17437c8a-11dc-474b-97eb-9e015d9c9a61},720,2980,3128449,SecurityEvent, +,"10/17/2024, 4:31:43.271 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brondell,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49211117-3e40-4471-81b4-b79c30b710c4},720,2980,3128451,SecurityEvent, +,"10/17/2024, 4:31:43.305 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edwarddean,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b5306b1b-5636-44be-8349-d7ebd737a860},720,2980,3128453,SecurityEvent, +,"10/17/2024, 4:31:43.735 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gecd307,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{583d5ba9-ab1c-4ced-891f-d8d881dceb69},720,2980,3128455,SecurityEvent, +,"10/17/2024, 4:31:43.744 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rouler,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7b8b7f24-6bc3-4ba9-9d58-22d72ed120b5},720,2980,3128457,SecurityEvent, +,"10/17/2024, 4:31:44.011 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soho,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cb2c211e-902b-44a5-b094-d27c8cc906b2},720,2980,3128459,SecurityEvent, +,"10/17/2024, 4:31:44.843 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbw,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9128ee4c-e8c3-41a1-b584-4b567a398252},720,2980,3128461,SecurityEvent, +,"10/17/2024, 4:31:44.965 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bryantideas,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4d7bbbde-f5cc-4ef8-88af-37fd7ebec565},720,2980,3128463,SecurityEvent, +,"10/17/2024, 4:31:45.182 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecolonial,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0560bfce-f086-4d08-884f-4ffa8e53d848},720,2980,3128465,SecurityEvent, +,"10/17/2024, 4:31:45.404 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ropeadope,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{070a2e87-6bf2-4131-ba2e-c9bd9476351e},720,2980,3128467,SecurityEvent, +,"10/17/2024, 4:31:45.748 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,speedcard,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8397a6ed-f15b-4fdd-aac9-3a2a4bd237b1},720,2980,3128469,SecurityEvent, +,"10/17/2024, 4:31:46.029 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getimaging,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{858b1779-914f-405d-9100-e384cf39ac1b},720,2980,3128471,SecurityEvent, +,"10/17/2024, 4:31:46.772 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breadsmith,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{61297f24-503e-4262-b18a-f95daa7b034a},720,2980,3128473,SecurityEvent, +,"10/17/2024, 4:31:46.846 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,efficency,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a0d566bb-14f1-4adf-a647-6597997bb9f7},720,2980,3128475,SecurityEvent, +,"10/17/2024, 4:31:47.129 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sampoll,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e2cf486e-35b5-453f-acf7-b9889aa75b20},720,2980,3128477,SecurityEvent, +,"10/17/2024, 4:31:47.410 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genomedesigns,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{02339465-63ed-411a-912e-46e88ebc698f},720,2980,3128479,SecurityEvent, +,"10/17/2024, 4:31:47.411 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,splunk,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e328c484-ac22-49be-817a-cce433018f3b},720,2980,3128481,SecurityEvent, +,"10/17/2024, 4:31:48.474 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breaks,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{88ae1d54-5df7-4c41-a94c-75edb486c0cb},720,2980,3128483,SecurityEvent, +,"10/17/2024, 4:31:48.587 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gaya,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9294ec29-a170-4873-8e1b-c64528ace714},720,2980,3128485,SecurityEvent, +,"10/17/2024, 4:31:48.772 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,royallepagegp,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6b01c4be-ea6e-4d07-a4d0-cb7e65c61e53},720,2980,3128487,SecurityEvent, +,"10/17/2024, 4:31:48.991 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,effektiv,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6c3d4836-2c90-41d0-b3ef-10a6d7ecfab6},720,2980,3128489,SecurityEvent, +,"10/17/2024, 4:31:49.060 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spinc,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{faaddc78-b7e8-4dd7-9d1c-485afe72bccb},720,2980,3128491,SecurityEvent, +,"10/17/2024, 4:31:50.073 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gilltrading,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e9cab0bd-5222-4454-bcc9-243075912cfe},720,2980,3128493,SecurityEvent, +,"10/17/2024, 4:31:50.226 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breedmatcher,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{492c81b8-0b18-4019-994f-76ac26259957},720,2980,3128495,SecurityEvent, +,"10/17/2024, 4:31:50.420 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rskbsl,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c40a3ade-e3a8-42db-b91b-c125d468c528},720,2980,3128497,SecurityEvent, +,"10/17/2024, 4:31:50.660 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,einbliq-io,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3d67171f-d373-4373-845e-a20bf1668453},720,2980,3128499,SecurityEvent, +,"10/17/2024, 4:31:50.718 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparkboulder,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b6671159-07a9-49fc-acf7-91ce1d318918},720,2980,3128501,SecurityEvent, +,"10/17/2024, 4:31:51.320 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getproperly,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c7d74daf-1e8c-4c47-8147-622dca3d6f17},720,2980,3128503,SecurityEvent, +,"10/17/2024, 4:31:51.932 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bravocg,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aabe8cd8-d5c4-471c-b5de-f19ebacf1675},720,2980,3128505,SecurityEvent, +,"10/17/2024, 4:31:52.175 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safely,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{db5b0948-9a39-44d2-845b-2f1f2149435a},720,2980,3128507,SecurityEvent, +,"10/17/2024, 4:31:52.350 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eagleridgegm,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aa316db8-c4ec-49fa-b0d1-712e2482870c},720,2980,3128509,SecurityEvent, +,"10/17/2024, 4:31:52.373 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,speaktoiot,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a0f7199a-d85c-48b5-a72a-bdfa7b04b292},720,2980,3128511,SecurityEvent, +,"10/17/2024, 4:31:52.639 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gibbins,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c823a46e-09b6-46c7-8065-e126a1617d09},720,2980,3128513,SecurityEvent, +,"10/17/2024, 4:31:53.583 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brrrings,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aed8b9d6-5970-45ab-9764-19e25c82a7d6},720,2980,3128515,SecurityEvent, +,"10/17/2024, 4:31:53.829 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getfuturebank,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a64457b8-df97-41ca-a151-fd7dea8ebf2f},720,2980,3128517,SecurityEvent, +,"10/17/2024, 4:31:53.830 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,royalcare,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e64df74d-3e13-446f-a704-a7f50bebaca6},720,2980,3128519,SecurityEvent, +,"10/17/2024, 4:31:54.022 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sohls,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3e9982e7-cdf0-480d-8881-b3b4bc3e3e13},720,2980,3128521,SecurityEvent, +,"10/17/2024, 4:31:54.289 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edmonds,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{91bed4d3-892d-4e4d-9500-66294f69264d},720,2980,3128523,SecurityEvent, +,"10/17/2024, 4:31:54.983 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gianna,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e87e6eba-f4a2-415a-8c9c-7b7dc0b1c28b},720,2980,3128525,SecurityEvent, +,"10/17/2024, 4:31:55.281 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boulay,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b38b89b7-dc9d-41d3-87a5-e0002b264f38},720,2980,3128527,SecurityEvent, +,"10/17/2024, 4:31:55.476 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rsegroup,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{764793e7-6ee3-4311-a5fb-6b0f85609f54},720,2980,3128529,SecurityEvent, +,"10/17/2024, 4:31:55.686 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprigati,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{47ce24aa-a64e-48a5-94fa-653a6f1db234},720,2980,3128531,SecurityEvent, +,"10/17/2024, 4:31:56.112 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getjerry,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{59f1a17c-d759-44e8-a07c-6b78ca207c29},720,2980,3128533,SecurityEvent, +,"10/17/2024, 4:31:56.118 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eastpro,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06131d52-cfec-489b-84a1-03087299e0d1},720,2980,3128535,SecurityEvent, +,"10/17/2024, 4:31:56.947 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brochu,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{61a933e5-4b99-4811-89b1-4b46ad2652fe},720,2980,3128537,SecurityEvent, +,"10/17/2024, 4:31:57.229 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gcfga,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3bdaa88a-6ceb-467c-b2d2-bbe86bf77b60},720,2980,3128539,SecurityEvent, +,"10/17/2024, 4:31:57.272 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rowlett,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{91f4eb2b-40ee-4f4a-aebf-7e0266a74601},720,2980,3128541,SecurityEvent, +,"10/17/2024, 4:31:57.424 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soystudio,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5fcd72e4-7d06-4c06-b2ca-c87b089d1c49},720,2980,3128543,SecurityEvent, +,"10/17/2024, 4:31:57.900 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecycles,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5849267a-a77c-4b43-a2a6-76f2b4403a3c},720,2980,3128545,SecurityEvent, +,"10/17/2024, 4:31:58.300 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gavtilo,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cda19309-51cf-43f1-8c73-e69e90625bb0},720,2980,3128547,SecurityEvent, +,"10/17/2024, 4:31:58.727 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brennenkelly,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e32e985c-e383-4c68-85ad-7eba481eac53},720,2980,3128549,SecurityEvent, +,"10/17/2024, 4:31:58.934 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ruptured,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3e65d64b-9f5d-421c-aea1-89c1b06768dc},720,2980,3128551,SecurityEvent, +,"10/17/2024, 4:31:59.134 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spragley,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8d4fed7e-dd5a-45c9-91ee-a85f2005bae3},720,2980,3128553,SecurityEvent, +,"10/17/2024, 4:31:59.557 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,earn4u,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7ee3f48f-9f4d-4ae0-b33b-e931d599add6},720,2980,3128555,SecurityEvent, +,"10/17/2024, 4:31:59.658 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garrettson,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:32:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9bc06d9d-cbc2-4f46-b05a-0ddb85400aed},720,2980,3128557,SecurityEvent, +,"10/17/2024, 4:20:40.037 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spgb,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2af74c4d-0d8d-41bb-90a6-6f9a05094870},720,5448,3124428,SecurityEvent, +,"10/17/2024, 4:20:40.145 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gen5,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{02f20668-f20e-4df8-987c-2890abe6ab5c},720,5448,3124430,SecurityEvent, +,"10/17/2024, 4:20:40.274 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elearningline,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8151fb97-0723-465d-86ec-95e5742f0964},720,5448,3124432,SecurityEvent, +,"10/17/2024, 4:20:41.147 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saloonmedia,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{50eee1f6-9b45-4413-9f6a-4b2f85e8075d},720,8592,3124434,SecurityEvent, +,"10/17/2024, 4:20:41.348 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buildproto,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{485bb8b9-93c9-42b9-8ab2-dcd17a935f4c},720,8592,3124436,SecurityEvent, +,"10/17/2024, 4:20:41.379 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gengirlmedia,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b4b041ac-a6e1-4da2-9b8f-1d900411ff6d},720,8592,3124438,SecurityEvent, +,"10/17/2024, 4:20:41.928 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edgix,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9ac7777e-62b0-44aa-a681-f50d792d4a30},720,8592,3124440,SecurityEvent, +,"10/17/2024, 4:20:41.943 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solereve,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{914ba202-9a5b-4673-adf5-fdd2bfa860ef},720,8592,3124442,SecurityEvent, +,"10/17/2024, 4:20:42.615 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getitfree,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7b1ec940-2b5f-4619-b09e-1db8225f7915},720,8592,3124444,SecurityEvent, +,"10/17/2024, 4:20:42.806 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rscva,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{64a015eb-be7b-42f0-ae04-fefb548b151a},720,8592,3124446,SecurityEvent, +,"10/17/2024, 4:20:43.043 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridi,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a850b8e9-b7b5-42d3-843f-4ddc8ca9c96f},720,8592,3124448,SecurityEvent, +,"10/17/2024, 4:20:43.604 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soundfest,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6636b101-ee83-4cab-8937-576575bbe695},720,8592,3124450,SecurityEvent, +,"10/17/2024, 4:20:43.697 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gjsigns,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bfea26e0-e1b6-4eb0-88e4-5317d94211de},720,8592,3124452,SecurityEvent, +,"10/17/2024, 4:20:43.739 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eclub,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{664423f6-3d3f-40b0-b888-91424fec430e},720,8592,3124454,SecurityEvent, +,"10/17/2024, 4:20:44.760 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gesoft,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{00415ae7-7ab6-4d77-b396-34d2317fc295},720,8592,3124456,SecurityEvent, +,"10/17/2024, 4:20:44.771 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boutayeb,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6a2b79fb-f84d-4630-b7de-344cfc849d73},720,8592,3124458,SecurityEvent, +,"10/17/2024, 4:20:44.824 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rxt,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d774e9d8-a880-428f-88e8-1cac7bfa3d08},720,8592,3124460,SecurityEvent, +,"10/17/2024, 4:20:45.249 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soloworker,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{97761597-ca48-44a3-bd6d-01d21bc01c13},720,8592,3124462,SecurityEvent, +,"10/17/2024, 4:20:45.916 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,efnc,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{36b732e9-8289-46b9-ad5c-f06707593329},720,8592,3124464,SecurityEvent, +,"10/17/2024, 4:20:46.314 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemalto,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1370b234-8c23-4aa7-8c63-dcec36bb99e2},720,8592,3124466,SecurityEvent, +,"10/17/2024, 4:20:46.427 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridgers,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{54a974e4-2461-4f69-8ca9-9af8a567d723},720,8592,3124468,SecurityEvent, +,"10/17/2024, 4:20:46.527 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,royalcrawl,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fa1e637f-73df-48f7-ae78-6f591c460b15},720,8592,3124470,SecurityEvent, +,"10/17/2024, 4:20:46.969 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spillman,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6eebc103-2641-40c5-93fb-35dc0dc6f152},720,8592,3124472,SecurityEvent, +,"10/17/2024, 4:20:47.400 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gesundimnorden,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8b5f51e0-c5c1-4621-9eee-7728cb4215a2},720,8592,3124474,SecurityEvent, +,"10/17/2024, 4:20:47.562 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecnp,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{33cbe8fa-c777-4412-9f52-8c6fef3e39d3},720,8592,3124476,SecurityEvent, +,"10/17/2024, 4:20:48.120 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightcom,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f6a9d4e6-eeb7-4dee-9c1c-3f74d5a3ae9a},720,8592,3124478,SecurityEvent, +,"10/17/2024, 4:20:48.200 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roiltd,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{65b57059-1376-45f4-90b7-73889022bd78},720,8592,3124480,SecurityEvent, +,"10/17/2024, 4:20:48.556 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemologue,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cd8f3151-057f-43c4-acbe-566f2730f265},720,8592,3124482,SecurityEvent, +,"10/17/2024, 4:20:48.624 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,springuel,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ab04950e-51f0-4d55-b7a3-6ed30fe256de},720,8592,3124484,SecurityEvent, +,"10/17/2024, 4:20:49.300 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecree,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c3e27b5e-98ba-4e07-ad9d-f6bed1c8a9f5},720,8592,3124486,SecurityEvent, +,"10/17/2024, 4:20:49.629 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ghpartnersllc,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{59915cf9-f706-450a-ae24-b03f130952b5},720,8592,3124488,SecurityEvent, +,"10/17/2024, 4:20:49.765 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brafman,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3b3c1d81-9b1c-4572-89c4-df36f131b067},720,8592,3124490,SecurityEvent, +,"10/17/2024, 4:20:50.161 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salin,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06995dde-59c0-4675-a87c-4d684b90b8a7},720,8592,3124492,SecurityEvent, +,"10/17/2024, 4:20:50.281 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sorgenfri,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f5bc150d-6af6-4df1-9ef0-c3703655312b},720,8592,3124494,SecurityEvent, +,"10/17/2024, 4:20:50.784 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genine,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5979808e-6a6d-4b01-a572-e3c824d2156a},720,8592,3124496,SecurityEvent, +,"10/17/2024, 4:20:50.963 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,earin,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cbfbd596-2099-4726-849e-5c0025b95ab7},720,8592,3124498,SecurityEvent, +,"10/17/2024, 4:20:51.421 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burotechnik,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e1de518c-d4c4-4746-92d4-54d5be668d93},720,8592,3124500,SecurityEvent, +,"10/17/2024, 4:20:51.895 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ruffroofers,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6bdb8db5-642c-41a1-8c6f-626c55dba840},720,8592,3124502,SecurityEvent, +,"10/17/2024, 4:20:52.013 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spork,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{23472f86-1151-4468-80dc-e223b66c7f75},720,8592,3124504,SecurityEvent, +,"10/17/2024, 4:20:52.610 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eaglesblood,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06e65478-8246-429c-a145-f0ee0fa6839d},720,8592,3124506,SecurityEvent, +,"10/17/2024, 4:20:52.949 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geyrhalter,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a0f1bfe1-483a-418b-b562-e3a358917319},720,8592,3124508,SecurityEvent, +,"10/17/2024, 4:20:53.125 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buchs-sachsse,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{316a390c-977f-4c8e-92b6-9e12a36edc9b},720,8592,3124510,SecurityEvent, +,"10/17/2024, 4:20:53.788 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rubberline,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e2ff1ea0-cdf6-4706-a8f4-404c277bc17a},720,8592,3124512,SecurityEvent, +,"10/17/2024, 4:20:53.924 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparkdog,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5dd85497-0e66-4bd9-b759-70485fd76548},720,8592,3124514,SecurityEvent, +,"10/17/2024, 4:20:54.054 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gethotspotapp,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3527552b-8bf0-4d2a-98a2-a012be06d92f},720,8592,3124516,SecurityEvent, +,"10/17/2024, 4:20:54.268 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecsc,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e6216f2c-aff9-4a7c-ac33-95e50c6c955c},720,8592,3124518,SecurityEvent, +,"10/17/2024, 4:20:54.904 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bureao,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b071cd0d-cfef-4b99-9b0a-5f29842879f2},720,8592,3124520,SecurityEvent, +,"10/17/2024, 4:20:55.306 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,66.85.229.43,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ftpuser,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4a90f0c1-f5b2-464a-be0e-f7ef1a43d0cd},720,8592,3124522,SecurityEvent, +,"10/17/2024, 4:20:55.434 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gdsb239,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f236b3ee-36d0-44a4-991d-c446e595b3cf},720,8592,3124524,SecurityEvent, +,"10/17/2024, 4:20:55.520 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rvupgrades,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8565343b-8edf-480a-8662-3baef369a766},720,8592,3124526,SecurityEvent, +,"10/17/2024, 4:20:55.586 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sparkinterfax,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a2ee1524-2a75-4c42-aad6-935becc564b7},720,8592,3124528,SecurityEvent, +,"10/17/2024, 4:20:55.922 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebaaf,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8ac94cd7-378f-4311-91b3-4da21f2e4fb2},720,8592,3124530,SecurityEvent, +,"10/17/2024, 4:20:56.579 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bsa-regal,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{89b88cee-2f78-431c-be08-849322641a71},720,8592,3124532,SecurityEvent, +,"10/17/2024, 4:20:56.889 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gete,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0a27c153-6c28-440a-9961-e89869121225},720,8592,3124534,SecurityEvent, +,"10/17/2024, 4:20:57.185 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rp2global,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fc37dc1a-7a35-49c3-bdfd-c6a30d83dc01},720,8592,3124536,SecurityEvent, +,"10/17/2024, 4:20:57.238 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonawane,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f240f3d-84ed-486b-a6ef-e1b827a0afff},720,8592,3124538,SecurityEvent, +,"10/17/2024, 4:20:57.967 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemmus,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7189464f-9822-4c57-935f-39bc3bfdac9c},720,8592,3124540,SecurityEvent, +,"10/17/2024, 4:20:58.047 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elegantchild,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8f92c08c-3145-4490-9a62-1d911863a3a3},720,8592,3124542,SecurityEvent, +,"10/17/2024, 4:20:58.283 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bucklers,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6656096a-61d7-4213-8ce3-ff960e78b2cd},720,8592,3124544,SecurityEvent, +,"10/17/2024, 4:20:58.845 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roofhawk,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1ad90450-0463-49f0-a057-cb52f7573bb9},720,8592,3124546,SecurityEvent, +,"10/17/2024, 4:20:58.981 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sponsiv,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5f9f4919-dfc1-4e83-98fa-d06394fd64e6},720,8592,3124548,SecurityEvent, +,"10/17/2024, 4:20:59.457 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gibsonia,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26dbc674-9f26-4a4d-99dc-5c31d279d3be},720,8592,3124550,SecurityEvent, +,"10/17/2024, 4:20:59.706 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecogoodz,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:26.273 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6e07eb3a-dca9-4817-bfe6-32fc08ee1da1},720,8592,3124552,SecurityEvent, +,"10/17/2024, 4:21:01.890 PM",OpsManager,NT AUTHORITY\SYSTEM,Machine,VNEVADO-Win11T.vnevado.alpineskihouse.co,Microsoft-Windows-Security-Auditing,Security,12544,0,,4624,4624 - An account was successfully logged on.,,,,,,,,,,,,,,,,,,,,Negotiate,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%1842,,,,,,,,,,,,,,,,,%%1833,192.168.1.1,-,0,-,,,,,,,,Advapi ,5,5 - 
Service,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,services.exe,0x2c4,C:\Windows\System32\services.exe,,,,,,,,,,,,,,,-,,,,,,,,,,,,,,,VNEVADO\VNEVADO-Win11T$,,,VNEVADO,,0x3e7,,,VNEVADO-Win11T$,S-1-5-18,0xc000006a,,NT AUTHORITY\SYSTEM,NT AUTHORITY,,0x0,0x3e7,-,-,,,,SYSTEM,S-1-5-18,,,,,,,,-,,,,,%%1843,,,-,LogAlways,c9171ffe-8c3d-49d2-8c8b-fc5af77d39d0,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:35.255 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,3,0,0x8020000000000000,{3414e15e-03dc-4cdc-989e-b28967e2e4f7},716,5980,10739457,SecurityEvent, +,"10/17/2024, 4:21:00.039 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,btw-binder,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{99ed130a-19c2-4030-8ae6-bf37f9b9646b},720,8592,3124554,SecurityEvent, +,"10/17/2024, 4:21:00.575 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbprotect,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 
PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8aad4d9e-2ad1-4d00-b078-f932748e52e6},720,8592,3124556,SecurityEvent, +,"10/17/2024, 4:21:00.621 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spindesk,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8718edf2-ca6c-4413-b20a-995f68e3b572},720,8592,3124558,SecurityEvent, +,"10/17/2024, 4:21:00.793 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safefirst,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{edb19d9e-a049-4245-afd6-937096434846},720,8592,3124560,SecurityEvent, +,"10/17/2024, 4:21:01.404 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,earlsorganic,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7d23a416-9b69-4095-9020-a90329da3c35},720,8592,3124562,SecurityEvent, +,"10/17/2024, 4:21:01.699 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bozkurt,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{102b0dbd-fc2d-41c0-a773-5f7db8a2001c},720,8592,3124564,SecurityEvent, +,"10/17/2024, 4:21:02.281 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sokolow,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{44d8aab2-ea90-4189-b663-04d18468af2c},720,8592,3124566,SecurityEvent, +,"10/17/2024, 4:21:02.336 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garfieldpark,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4db774b5-c9b4-4953-9f60-fd2ba01498df},720,8592,3124568,SecurityEvent, +,"10/17/2024, 4:21:02.724 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safes,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{03f6ece4-84f0-4173-bbe4-6bfe4fe83909},720,8592,3124570,SecurityEvent, +,"10/17/2024, 4:21:03.223 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ehsolution,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5dc7084c-9fe2-4410-9456-6ab93b0e3152},720,8592,3124572,SecurityEvent, +,"10/17/2024, 4:21:03.381 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brilin,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1702b838-f14f-446c-8c52-f0b0538e10cd},720,8592,3124574,SecurityEvent, +,"10/17/2024, 4:21:03.417 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gardine,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3dd8c4b9-76a1-4802-a1e1-85e5ab651ce5},720,8592,3124576,SecurityEvent, +,"10/17/2024, 4:21:04.033 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spinner-group,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{09104f4d-7c4e-46db-bf54-5fd58d751fc7},720,8592,3124578,SecurityEvent, +,"10/17/2024, 4:21:04.376 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rogerspc,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7794786c-8c14-490c-ac12-79f1a138c3f4},720,8592,3124580,SecurityEvent, +,"10/17/2024, 4:21:04.486 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genformation,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{63dca506-96b0-48f5-aefb-33fd678b5c3d},720,8592,3124582,SecurityEvent, +,"10/17/2024, 4:21:05.032 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,broadfording,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{38e81cf2-ea7d-4465-a65e-ad5fe5c2de89},720,8592,3124584,SecurityEvent, +,"10/17/2024, 4:21:05.582 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getdot,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9ee8b10d-900a-48b8-b621-effe51dbdfea},720,8592,3124586,SecurityEvent, +,"10/17/2024, 4:21:05.738 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,easymonitoring,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6cfa6fa0-b2bd-4ca5-8718-d25155ecc007},720,8592,3124588,SecurityEvent, +,"10/17/2024, 4:21:05.780 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solitical,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2a7c855d-bd30-485b-bc10-3e42a35b741a},720,8592,3124590,SecurityEvent, +,"10/17/2024, 4:21:06.035 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salesnexus,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4a8257f6-60db-494c-80e4-0c1313c5d2d0},720,8592,3124592,SecurityEvent, +,"10/17/2024, 4:21:06.686 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightflag,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b5370adb-58a0-4305-bf23-6a3958800cc9},720,8592,3124594,SecurityEvent, +,"10/17/2024, 4:21:07.273 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geminipei,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b472e1c9-0a81-4193-b797-be0275016b71},720,8592,3124596,SecurityEvent, +,"10/17/2024, 4:21:07.434 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sourlis,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5a03573b-77eb-43a0-bcd9-ae9422bedbda},720,8592,3124598,SecurityEvent, +,"10/17/2024, 4:21:07.591 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elbkapitaene,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{979a8eb6-4c85-4b66-9aca-cb9426bf7fe1},720,8592,3124600,SecurityEvent, +,"10/17/2024, 4:21:07.805 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safemeds,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f5beabad-bd32-4f7f-87dc-5cc0a56b5a66},720,8592,3124602,SecurityEvent, +,"10/17/2024, 4:21:08.347 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bulkfoods,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b16edc7d-86e2-45d9-b9e6-305daedfd081},720,8592,3124604,SecurityEvent, +,"10/17/2024, 4:21:08.364 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getheirloom,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6a710197-796f-45ea-9850-2ef56ce8ce30},720,8592,3124606,SecurityEvent, +,"10/17/2024, 4:21:09.081 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,southleft,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7e737beb-1d19-4391-8b21-47a9805d4d75},720,8592,3124608,SecurityEvent, +,"10/17/2024, 4:21:09.352 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,efreightship,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{63f41552-baf5-4a20-89d2-cf8efd8999ab},720,8592,3124610,SecurityEvent, +,"10/17/2024, 4:21:09.442 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ghealth,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4116054d-f994-4b94-a0c3-72d22fa4be79},720,8592,3124612,SecurityEvent, +,"10/17/2024, 4:21:09.488 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roomandboard,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c857079d-9116-4929-bd1a-4cc055f21639},720,8592,3124614,SecurityEvent, +,"10/17/2024, 4:21:10.133 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightideas,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{83419a38-31cb-425b-836c-f28d889f472d},720,8592,3124616,SecurityEvent, +,"10/17/2024, 4:21:10.641 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gammacatering,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ff044a85-b51b-40b8-93ff-59bf6d8c7538},720,8592,3124618,SecurityEvent, +,"10/17/2024, 4:21:10.772 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soundlaw,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4430eda5-ceb8-48d0-a7fd-0c559d9982a5},720,8592,3124620,SecurityEvent, +,"10/17/2024, 4:21:11.039 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eimprovement,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{eead7be0-425f-42f5-970b-d28a83011580},720,8592,3124622,SecurityEvent, +,"10/17/2024, 4:21:11.684 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sackman,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{117661af-91ee-4a93-b399-40a875964559},720,8592,3124626,SecurityEvent, +,"10/17/2024, 4:21:11.903 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brooklyner,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b9febd72-74d5-44c3-a73c-8b64ab901be8},720,8592,3124628,SecurityEvent, +,"10/17/2024, 4:21:11.982 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garaio-ag,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{43948276-40c1-4129-8a23-579e44f1d83b},720,8592,3124630,SecurityEvent, +,"10/17/2024, 4:21:12.426 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,southerland,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7e6f1804-e63f-4baf-8be9-6c2403a5ec1f},720,8592,3124632,SecurityEvent, +,"10/17/2024, 4:21:12.934 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elemon,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4b802bcf-025f-4914-99c7-e264fb8776b0},720,8592,3124634,SecurityEvent, +,"10/17/2024, 4:21:13.063 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,get2living,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cd12c83b-3b0c-4e2f-bde6-37a79feea1e4},720,8592,3124636,SecurityEvent, +,"10/17/2024, 4:21:13.369 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ryght,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c48a3673-87ed-466f-9b5d-92976b52fc5f},720,8592,3124638,SecurityEvent, +,"10/17/2024, 4:21:13.574 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brintons,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ac5eab36-8810-4c33-81ae-d54cbdd724f5},720,8592,3124640,SecurityEvent, +,"10/17/2024, 4:21:14.087 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sogur,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e837e76b-57f6-474b-a49e-05a9102c4a9f},720,8592,3124642,SecurityEvent, +,"10/17/2024, 4:21:14.134 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gigitsecurity,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b64d25be-f82d-46bd-9314-46a28ab3a618},720,8592,3124644,SecurityEvent, +,"10/17/2024, 4:21:14.698 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebersole,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1eea3754-2ba0-4509-8d7a-1854f52d51e3},720,8592,3124646,SecurityEvent, +,"10/17/2024, 4:21:15.031 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roseannas,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4f34c948-7fe7-4ca6-a617-e25255c69f23},720,8592,3124648,SecurityEvent, +,"10/17/2024, 4:21:15.267 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bridgesolutions,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{67edbb0e-07ad-4892-bab9-6a9122317297},720,8592,3124650,SecurityEvent, +,"10/17/2024, 4:21:15.374 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ggphomart,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e2a70743-ea00-4251-8ddf-d2410d1cebbd},720,8592,3124652,SecurityEvent, +,"10/17/2024, 4:21:15.810 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportsrantz,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{024f0dd9-a0df-40d2-bae6-bb287a9ec891},720,8592,3124654,SecurityEvent, +,"10/17/2024, 4:21:16.588 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eagora,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3a9ef8fb-aafb-46e3-97ec-b0dc59c131fe},720,8592,3124656,SecurityEvent, +,"10/17/2024, 4:21:16.734 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salom,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8c856140-3031-410c-a978-560fd5429533},720,8592,3124658,SecurityEvent, +,"10/17/2024, 4:21:16.931 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,briefcases,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4c2817f5-6b95-4ff9-af8b-f785147380ee},720,8592,3124660,SecurityEvent, +,"10/17/2024, 4:21:16.996 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gamingarts,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{32375c83-5888-4029-9c3e-0eb23034adcf},720,8592,3124662,SecurityEvent, +,"10/17/2024, 4:21:17.479 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportsnuts,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{19b8bb04-e5f0-4c76-8a00-a22f86034128},720,8592,3124664,SecurityEvent, +,"10/17/2024, 4:21:18.112 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gija,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ecb8b50a-2e4d-4e09-9612-f21b1337f952},720,8592,3124666,SecurityEvent, +,"10/17/2024, 4:21:18.268 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ectone,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{67096ede-8f0a-4da6-9bfd-b95563ac54d5},720,8592,3124668,SecurityEvent, +,"10/17/2024, 4:21:18.391 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,samlarc,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c5150b9a-f148-4939-a47d-5d73e9070448},720,8592,3124670,SecurityEvent, +,"10/17/2024, 4:21:18.581 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bozhis,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{26c33dd9-d163-4d9c-8e6a-db0dfe12c576},720,8592,3124672,SecurityEvent, +,"10/17/2024, 4:21:19.139 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soul-zen,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{40a556ac-acb9-4722-9d0c-a395d16d43d3},720,8592,3124674,SecurityEvent, +,"10/17/2024, 4:21:19.198 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garmac,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:21:46.129 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d138e8a8-6cb2-4363-b577-e969555b9d4b},720,8592,3124676,SecurityEvent, +,"10/17/2024, 4:21:20.126 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rudelman,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e0352391-3c2d-491d-a758-9c455d5bb06e},720,8592,3124678,SecurityEvent, +,"10/17/2024, 4:21:20.246 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brazoswood,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0a20c3ce-4ef3-4230-ba66-59fbcd83a75e},720,8592,3124680,SecurityEvent, +,"10/17/2024, 4:21:20.358 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geowow,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c0df6830-e993-49d3-9007-25eeb3f6f2b2},720,8592,3124682,SecurityEvent, +,"10/17/2024, 4:21:20.791 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,springside,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d3509e55-74a4-4f6d-a00b-874505586994},720,8592,3124684,SecurityEvent, +,"10/17/2024, 4:21:20.802 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ekalsoft,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6cf3f148-d27f-4519-87c7-b040b729cc46},720,8592,3124686,SecurityEvent, +,"10/17/2024, 4:21:21.640 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gingerblaast,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{713e8a88-fdec-4bca-a783-4219f46682ea},720,8592,3124688,SecurityEvent, +,"10/17/2024, 4:21:21.807 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saaslabs,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{13668c08-8975-4a84-991c-47f374258959},720,8592,3124690,SecurityEvent, +,"10/17/2024, 4:21:21.964 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brusha,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{524944e7-9077-42dd-b1c4-7bac44ba34d0},720,8592,3124692,SecurityEvent, +,"10/17/2024, 4:21:22.454 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebersohl,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cd7fd538-3825-4d5c-854b-89abc1008c35},720,8592,3124694,SecurityEvent, +,"10/17/2024, 4:21:22.490 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soomaali,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bd7aa3a4-f5e8-4cc3-9077-ddef3af9f122},720,8592,3124696,SecurityEvent, +,"10/17/2024, 4:21:23.081 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gaytanes,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{adfd16be-647c-468c-a855-770c87b0d0a5},720,8592,3124698,SecurityEvent, +,"10/17/2024, 4:21:23.452 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,royautes,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2b5a73de-3691-4f1e-b873-2230a7a617be},720,8592,3124700,SecurityEvent, +,"10/17/2024, 4:21:23.622 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buhs,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c63ee58-893f-435a-b49f-b34455e593f0},720,8592,3124702,SecurityEvent, +,"10/17/2024, 4:21:24.107 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eaglewindow,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{40843699-2f04-4cab-b6e5-836fc7713e31},720,8592,3124704,SecurityEvent, +,"10/17/2024, 4:21:24.143 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spacesavers,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{77a91b59-40db-48fa-8bc7-e770b52dcd40},720,8592,3124706,SecurityEvent, +,"10/17/2024, 4:21:24.171 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gholson,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{efeedd5d-310a-4fd8-a466-a0b25f5021ad},720,8592,3124708,SecurityEvent, +,"10/17/2024, 4:21:25.139 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ryzome,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4cd89799-6a62-4829-917a-197717d98055},720,8592,3124710,SecurityEvent, +,"10/17/2024, 4:21:25.304 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brakie,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{281a604b-767d-4fc7-a3c1-f426276bb4ea},720,8592,3124712,SecurityEvent, +,"10/17/2024, 4:21:25.348 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,giftdoodle,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dece0e8c-ab86-4577-8f4b-78c01b576a80},720,8592,3124714,SecurityEvent, +,"10/17/2024, 4:21:25.820 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,easirun,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9a3f8590-8a11-482a-ab54-dffcdb07bf72},720,8592,3124716,SecurityEvent, +,"10/17/2024, 4:21:25.831 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprigeo,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c7cd6f77-0cc5-4077-bc1e-0adae9d5f630},720,8592,3124718,SecurityEvent, +,"10/17/2024, 4:21:26.793 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rrpartners,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4325da1b-36a9-467c-b081-baa9d5a51527},720,8592,3124720,SecurityEvent, +,"10/17/2024, 4:21:26.867 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gehtsoftusa,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5275e6b7-86f5-430e-bb45-6d81a5bf7ab5},720,8592,3124722,SecurityEvent, +,"10/17/2024, 4:21:26.972 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bundesbank,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{866cc814-c694-4a89-9bfe-345cb60c20d1},720,8592,3124724,SecurityEvent, +,"10/17/2024, 4:21:27.620 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spends,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dbb94b25-f773-4fae-82e2-e41f862ebba1},720,8592,3124726,SecurityEvent, +,"10/17/2024, 4:21:28.017 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,generazio,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5c068857-5925-4816-be2c-4c98afcb688a},720,8592,3124728,SecurityEvent, +,"10/17/2024, 4:21:28.209 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edilora,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{70bb4fdc-8ce8-4b48-92e9-bb46da1e8fe0},720,8592,3124730,SecurityEvent, +,"10/17/2024, 4:21:28.441 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rotacare,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bccbe6fd-fc9e-44b8-ae86-45c290e9fb24},720,8592,3124732,SecurityEvent, +,"10/17/2024, 4:21:28.627 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bronfin,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1f97a1db-2912-4f8e-a688-9f6db6e2a3cc},720,8592,3124734,SecurityEvent, +,"10/17/2024, 4:21:29.273 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,socialiqapp,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{716b4b80-0e0b-49af-9e18-cdef58d3f5fc},720,8592,3124736,SecurityEvent, +,"10/17/2024, 4:21:29.408 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbfstrategy,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{702624ec-aa8f-4074-a8b1-f51357877273},720,8592,3124738,SecurityEvent, +,"10/17/2024, 4:21:30.062 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebricks,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e4a26e77-a3d8-4afa-a230-7bbe927b53cf},720,8592,3124740,SecurityEvent, +,"10/17/2024, 4:21:30.102 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rymax,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fa740742-013e-45ee-8296-7bbbb0b40fba},720,8592,3124742,SecurityEvent, +,"10/17/2024, 4:21:30.373 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brynolf,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8879bf4f-aa3c-4b19-8131-5c1ecb271d8e},720,8592,3124744,SecurityEvent, +,"10/17/2024, 4:21:30.935 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spilled,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d9a45391-c87b-4130-883c-1366d46ac2b3},720,8592,3124746,SecurityEvent, +,"10/17/2024, 4:21:31.576 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garazation,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8f8ebef9-0eec-42f9-9f6f-47231383e5e2},720,8592,3124750,SecurityEvent, +,"10/17/2024, 4:21:31.710 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eblingerpartner,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{70b9b906-3081-418d-8003-70c49bcf58c3},720,8592,3124752,SecurityEvent, +,"10/17/2024, 4:21:31.764 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roirobot,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f9c82a58-be42-4250-9113-ed7511165d12},720,8592,3124754,SecurityEvent, +,"10/17/2024, 4:21:32.020 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brannens,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bb3ec753-e0b2-4182-8ef2-147beeee23f9},720,8592,3124756,SecurityEvent, +,"10/17/2024, 4:21:32.591 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spinalgraft,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b59b760c-ba9b-4014-8584-d8d1897aba62},720,8592,3124758,SecurityEvent, +,"10/17/2024, 4:21:32.650 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getcontracker,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a730061f-02f7-4316-b1cc-e7afca9cbec2},720,8592,3124760,SecurityEvent, +,"10/17/2024, 4:21:33.476 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sadorra,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{42f9a561-5506-4fd7-b5ef-6e936dc0a812},720,8592,3124762,SecurityEvent, +,"10/17/2024, 4:21:33.674 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bunyard,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f9918621-2a23-4810-b86f-24c81b15b820},720,8592,3124764,SecurityEvent, +,"10/17/2024, 4:21:33.724 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geminibe,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e097b306-2d37-4cff-bb9c-ff3ccfa9a075},720,8592,3124766,SecurityEvent, +,"10/17/2024, 4:21:33.750 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecarclub,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7a4d6f48-2065-439a-a587-7b3d6c2e6535},720,8592,3124768,SecurityEvent, +,"10/17/2024, 4:21:34.307 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,speedyclean,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1bba566e-93ef-4100-87ba-28a0b2363557},720,8592,3124770,SecurityEvent, +,"10/17/2024, 4:21:34.813 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gandiva,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{acd62d58-d928-4759-8a09-dbd155566de1},720,8592,3124772,SecurityEvent, +,"10/17/2024, 4:21:35.131 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sajid,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{59ac20e1-2aad-4202-909d-53d57092b352},720,8592,3124774,SecurityEvent, +,"10/17/2024, 4:21:35.335 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandcrush,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0496143e-d946-4f0a-86b3-898f4c4e818e},720,8592,3124776,SecurityEvent, +,"10/17/2024, 4:21:35.677 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eaternityag,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e7c60fac-7e96-4281-bd45-523ce0c46c8a},720,8592,3124778,SecurityEvent, +,"10/17/2024, 4:21:35.890 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getlockdown,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{816fdf00-173b-4608-ab28-3533dc7e9158},720,8592,3124780,SecurityEvent, +,"10/17/2024, 4:21:35.956 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solomo,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{db555e38-1cd0-48af-9cb9-c2f0915035ee},720,8592,3124782,SecurityEvent, +,"10/17/2024, 4:21:36.825 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sagona,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ed9e2bbe-5f1c-41ee-ae25-382fe37975b3},720,8592,3124784,SecurityEvent, +,"10/17/2024, 4:21:37.002 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brainiackids,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{67de7567-8ac2-4ef3-8774-5939f55aee55},720,8592,3124786,SecurityEvent, +,"10/17/2024, 4:21:37.084 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getman,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f5154446-928e-4377-89fb-bf323efe75c4},720,8592,3124788,SecurityEvent, +,"10/17/2024, 4:21:37.331 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebosgroup,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3631b435-7720-4b07-ac64-fd64261226c0},720,8592,3124790,SecurityEvent, +,"10/17/2024, 4:21:37.605 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soulia,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fa73b8ec-b843-4db8-9e95-01b1d5fc6866},720,8592,3124792,SecurityEvent, +,"10/17/2024, 4:21:38.167 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gen-re,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{27b8c346-0ee0-4a6d-a1ea-5964bc455d17},720,8592,3124794,SecurityEvent, +,"10/17/2024, 4:21:38.476 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saamya,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{476860b0-6451-414c-bf7a-ca9e9b061c40},720,8592,3124796,SecurityEvent, +,"10/17/2024, 4:21:38.651 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bundlar,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4f7d132d-91e2-415e-a534-87943c47af42},720,8592,3124798,SecurityEvent, +,"10/17/2024, 4:21:39.174 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eisen-fischer,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e7d10526-5acb-4592-802b-07a8371e8b13},720,8592,3124800,SecurityEvent, +,"10/17/2024, 4:21:39.245 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garchen,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a0af42f3-b72c-481f-9f40-8dbf6bcec477},720,8592,3124802,SecurityEvent, +,"10/17/2024, 4:21:39.425 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprinly,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:06.119 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a475c39f-3270-483c-a01d-0c29dfbaba01},720,8592,3124804,SecurityEvent, +,"10/17/2024, 4:21:40.128 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rosenvick,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ebe09ef6-bff2-473a-96b1-c831f814d27c},720,8592,3124806,SecurityEvent, +,"10/17/2024, 4:21:40.414 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brooklynchic,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{06eda52f-d46e-41c5-9c64-f1293a58cecb},720,8592,3124808,SecurityEvent, +,"10/17/2024, 4:21:40.929 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gios,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{055fbdc7-3b4d-493c-91ac-61845e273f3c},720,8592,3124810,SecurityEvent, +,"10/17/2024, 4:21:41.069 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soulwinning,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{aa23c72f-f69d-4aec-aa46-443a296064df},720,8592,3124812,SecurityEvent, +,"10/17/2024, 4:21:41.786 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elisium,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ce91c38d-eb9a-4671-a044-8feb09e8b0d9},720,8592,3124814,SecurityEvent, +,"10/17/2024, 4:21:41.787 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rqteam,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a7c3a2a4-2cc2-4c9a-bec2-d713c339d98e},720,8592,3124816,SecurityEvent, +,"10/17/2024, 4:21:42.059 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buro-valk,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b96d4911-aa52-412a-849a-e0ca374a3571},720,8592,3124818,SecurityEvent, +,"10/17/2024, 4:21:42.080 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gds2,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cf053a41-d59f-4ae6-be20-3a4af04690a3},720,8592,3124820,SecurityEvent, +,"10/17/2024, 4:21:42.715 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spcc,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3be994fc-e633-4b34-97b4-76e1bd9f10ae},720,8592,3124822,SecurityEvent, +,"10/17/2024, 4:21:43.174 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gavda,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3d18d680-efc6-4867-9c9f-ede3e8ba5572},720,8592,3124824,SecurityEvent, +,"10/17/2024, 4:21:43.443 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elifelimo,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c3892893-ff7b-477b-866e-48263e1fc120},720,8592,3124826,SecurityEvent, +,"10/17/2024, 4:21:43.549 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salta,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{13d48308-4888-4b30-ba6e-f0df6e4492b0},720,8592,3124828,SecurityEvent, +,"10/17/2024, 4:21:43.721 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boxcast,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{04afa4bd-9d88-430e-81c3-187e3bb5c3a7},720,8592,3124830,SecurityEvent, +,"10/17/2024, 4:21:44.249 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemologist,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{46f06495-228c-44d8-bc17-5ca5d1297732},720,8592,3124832,SecurityEvent, +,"10/17/2024, 4:21:44.515 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soleeds,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{98850765-6236-432d-a40a-971d9ccf8e42},720,8592,3124834,SecurityEvent, +,"10/17/2024, 4:21:45.204 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safelagoon,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c09b5e55-7a6e-4d40-98ce-a7f4d58f3e38},720,8592,3124836,SecurityEvent, +,"10/17/2024, 4:21:45.247 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,econiq,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a8295448-3680-4e53-b098-2d65bc3b359e},720,8592,3124838,SecurityEvent, +,"10/17/2024, 4:21:45.374 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,branhams,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b9e4471b-d2de-4664-949c-554f72513998},720,8592,3124840,SecurityEvent, +,"10/17/2024, 4:21:45.724 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,giftos,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4597d188-084d-4d79-902b-9d42aef719b6},720,8592,3124842,SecurityEvent, +,"10/17/2024, 4:21:46.158 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spurwing,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{569a52a3-1f4b-4279-98f4-fc29e05091a8},720,8592,3124844,SecurityEvent, +,"10/17/2024, 4:21:46.901 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salori,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e6d5b0a0-440e-428f-94cb-ba05964eb8d8},720,8592,3124846,SecurityEvent, +,"10/17/2024, 4:21:46.960 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ectropia,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{332bc5a0-62fb-43aa-97c9-52ffee680b71},720,8592,3124848,SecurityEvent, +,"10/17/2024, 4:21:47.041 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brownmeyers,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6a3afc8e-15d5-4af1-a5e4-ebfdacb53620},720,8592,3124850,SecurityEvent, +,"10/17/2024, 4:21:47.105 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,georadix,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cbe5a415-8791-4dc7-98f2-56e684aff471},720,8592,3124852,SecurityEvent, +,"10/17/2024, 4:21:47.803 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportcar,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c4ce15f6-dff1-4aac-a529-d74c3bdd0928},720,8592,3124854,SecurityEvent, +,"10/17/2024, 4:21:48.173 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getstarted,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{11a77685-96d0-4218-85ab-441bd83168a8},720,8592,3124856,SecurityEvent, +,"10/17/2024, 4:21:48.641 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ruhrpumpen,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9448d08f-0bf5-4233-a3f1-b7dedea4a59d},720,8592,3124858,SecurityEvent, +,"10/17/2024, 4:21:48.689 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightsitez,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b004cf1e-f90d-40a1-9e55-4079ced8fc04},720,8592,3124860,SecurityEvent, +,"10/17/2024, 4:21:49.267 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gildemeister,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{79608303-495b-419c-a848-411056704308},720,8592,3124862,SecurityEvent, +,"10/17/2024, 4:21:49.510 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,squalo,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{70573944-54d6-45cc-aa74-b0e9404a6b7e},720,8592,3124864,SecurityEvent, +,"10/17/2024, 4:21:49.612 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecs6be8,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c8534139-2080-41c2-80ef-a1e726cd18c7},720,8592,3124866,SecurityEvent, +,"10/17/2024, 4:21:50.292 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ruwach,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{706761c3-d00c-417e-87a1-25e01b582f13},720,8592,3124868,SecurityEvent, +,"10/17/2024, 4:21:50.333 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bunkerlabs,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1936dbfa-ecc0-4f33-bd00-028e7853af49},720,8592,3124870,SecurityEvent, +,"10/17/2024, 4:21:50.346 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ganksoft,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6d9c09ac-c1f1-4854-abf1-f86c2c20401d},720,8592,3124872,SecurityEvent, +,"10/17/2024, 4:21:51.166 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soluserv,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2664c096-3647-4c7b-82cf-0148825a5a6f},720,8592,3124874,SecurityEvent, +,"10/17/2024, 4:21:51.265 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edcanvas,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f35c48c3-f254-4f16-94b7-67f881d4ba31},720,8592,3124876,SecurityEvent, +,"10/17/2024, 4:21:51.950 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salwan,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1859b21a-f0b4-4957-b389-f6298f1d9928},720,8592,3124878,SecurityEvent, +,"10/17/2024, 4:21:52.046 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brancore,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fdbc4b36-62a3-4672-9361-fb9ad12d89ef},720,8592,3124880,SecurityEvent, +,"10/17/2024, 4:21:52.155 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getplaintext,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{116727c7-c709-4574-ac51-a627007b5516},720,8592,3124882,SecurityEvent, +,"10/17/2024, 4:21:52.822 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solutionwerx,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{814061da-d920-45c1-9eee-9cf849fe97eb},720,8592,3124884,SecurityEvent, +,"10/17/2024, 4:21:52.915 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,electromn,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{63e6551c-ce68-45a9-be71-988a4922ced6},720,8592,3124886,SecurityEvent, +,"10/17/2024, 4:21:53.253 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gatso,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{19a0d76b-9dbc-4893-983c-ffce7dd6d60a},720,8592,3124888,SecurityEvent, +,"10/17/2024, 4:21:53.717 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightfieldts,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d79cd764-ece1-47c4-bd1e-07614d9ba5f2},720,8592,3124890,SecurityEvent, +,"10/17/2024, 4:21:53.763 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rolleston,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{04ef5e5d-f3e3-4ce3-9127-60f803aac7c9},720,8592,3124892,SecurityEvent, +,"10/17/2024, 4:21:54.477 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonotech,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{24d18b85-3470-49c7-8e16-4f519ebc97ed},720,8592,3124894,SecurityEvent, +,"10/17/2024, 4:21:54.550 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gawh,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bf93d7e4-51b1-4af7-b388-62994a64aea8},720,8592,3124896,SecurityEvent, +,"10/17/2024, 4:21:54.851 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,egelston,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f38286fe-8f02-4500-bd24-1aab1043f761},720,8592,3124898,SecurityEvent, +,"10/17/2024, 4:21:55.373 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bumbinos,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a5f1387f-0291-4ddc-8707-9053f6856938},720,8592,3124900,SecurityEvent, +,"10/17/2024, 4:21:55.424 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rollupkungen,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7a2985ae-47da-429e-8c92-96c5a08e8a44},720,8592,3124902,SecurityEvent, +,"10/17/2024, 4:21:55.863 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gendusa,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0542e997-ec7e-4690-a5cd-3761772b2fae},720,8592,3124904,SecurityEvent, +,"10/17/2024, 4:21:56.305 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solatrax,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d2799563-6e5c-4559-95ea-2b7cd795bece},720,8592,3124906,SecurityEvent, +,"10/17/2024, 4:21:56.741 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edvee,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0f708555-18a5-41da-bc2f-d4755632b2b0},720,8592,3124908,SecurityEvent, +,"10/17/2024, 4:21:57.082 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rs21,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9ae2b607-5812-42d5-9d2c-dc7d81cb192b},720,8592,3124910,SecurityEvent, +,"10/17/2024, 4:21:57.088 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,branes,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a53dae79-6be3-4e25-9345-000f17b04b22},720,8592,3124912,SecurityEvent, +,"10/17/2024, 4:21:57.357 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbaudio,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d699d8ce-35ce-4a5b-b3e3-da0ceaa29dd9},720,8592,3124914,SecurityEvent, +,"10/17/2024, 4:21:57.961 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spickard,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{16e85a86-b86d-4c73-9129-16d5c1de1d00},720,8592,3124916,SecurityEvent, +,"10/17/2024, 4:21:58.391 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,effectual,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1b1b1070-6f51-44f0-9c82-faf51f3690db},720,8592,3124918,SecurityEvent, +,"10/17/2024, 4:21:58.432 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gematsu,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{429bf710-af60-401f-8960-caf525d22c74},720,8592,3124920,SecurityEvent, +,"10/17/2024, 4:21:58.817 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burgeonvest,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4113d3fb-997a-4a9c-a386-884b3b54baa5},720,8592,3124922,SecurityEvent, +,"10/17/2024, 4:21:58.852 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sagex,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{67955f71-8e59-46c5-be10-2a2d580c6b50},720,8592,3124924,SecurityEvent, +,"10/17/2024, 4:21:59.617 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sqeeqee,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a21f072b-2136-443f-8c7a-dbc0ab2bbc75},720,8592,3124926,SecurityEvent, +,"10/17/2024, 4:21:59.760 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getlivfresh,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:22:26.136 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b99a736e-321d-4b79-9469-bfcfab94ccda},720,8592,3124928,SecurityEvent, +,"10/17/2024, 4:22:20.022 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,softaide,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d6fc6298-f0cf-4b68-aa63-b18f6b7352b5},720,8592,3125052,SecurityEvent, +,"10/17/2024, 4:22:20.243 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gc1,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d3b3b49a-12bc-4597-bb9a-e024d70b9eb7},720,8592,3125054,SecurityEvent, +,"10/17/2024, 4:22:20.333 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elster-group,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9e288be0-27e0-4ab2-bc7a-41e6a5765c81},720,8592,3125056,SecurityEvent, +,"10/17/2024, 4:22:20.518 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bths,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b9038dfb-a091-4458-8a17-45abe3ad44af},720,8592,3125058,SecurityEvent, +,"10/17/2024, 4:22:20.672 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rrawdindds,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2368ad5e-6681-4c16-97e7-ab3b82702085},720,8592,3125060,SecurityEvent, +,"10/17/2024, 4:22:21.675 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportsgrid,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c3202173-8294-47bf-a85c-b03cf2836c12},720,8592,3125062,SecurityEvent, +,"10/17/2024, 4:22:21.991 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elar,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5af8ab4b-dcdb-4eeb-bf26-c6080f02adcd},720,8592,3125064,SecurityEvent, +,"10/17/2024, 4:22:22.043 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getneema,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{49306eb0-f92c-422b-b6aa-b2960f2b5546},720,8592,3125066,SecurityEvent, +,"10/17/2024, 4:22:22.194 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,britishboxers,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ea400ce4-fb23-4e23-a28c-f8852f658fa8},720,8592,3125068,SecurityEvent, +,"10/17/2024, 4:22:22.330 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sagez,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{818d8262-5a21-4620-a4d8-e273c5b4e80e},720,8592,3125070,SecurityEvent, +,"10/17/2024, 4:22:23.335 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,softlanding,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{58636956-0ac1-4be5-a86e-e5c0048fc643},720,8592,3125072,SecurityEvent, +,"10/17/2024, 4:22:23.353 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garycollins,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{af5e4ad8-65f6-4b0a-95b3-103c462f0664},720,8592,3125074,SecurityEvent, +,"10/17/2024, 4:22:23.676 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecochlor,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dfa3a0b5-b486-4c4f-9d95-49d4ab554dae},720,8592,3125076,SecurityEvent, +,"10/17/2024, 4:22:23.869 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bryntum,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bde391f1-9498-4e03-b0e0-561104d69b57},720,8592,3125078,SecurityEvent, +,"10/17/2024, 4:22:23.988 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roreinc,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{829fe943-817d-40d1-869b-da16593bc2d4},720,8592,3125080,SecurityEvent, +,"10/17/2024, 4:22:24.624 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,georgiy,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{75c079c6-e50f-42d8-a0c9-5e723fff3ba6},720,8592,3125082,SecurityEvent, +,"10/17/2024, 4:22:25.025 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spectramedex,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{905cf9e9-378c-4743-8da1-abc5452cb22f},720,8592,3125084,SecurityEvent, +,"10/17/2024, 4:22:25.382 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elektrospaeni,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b6951f2c-ab9b-44bc-9894-ef954d9a30e1},720,8592,3125086,SecurityEvent, +,"10/17/2024, 4:22:25.531 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bucketlisters,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7a6ab63d-3a34-4761-87e7-55165f102917},720,8592,3125088,SecurityEvent, +,"10/17/2024, 4:22:25.696 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rotisol,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{44d144ec-0e97-4bbd-bccd-6f2f94820a1d},720,8592,3125090,SecurityEvent, +,"10/17/2024, 4:22:25.818 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geturns,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8f7a81be-441f-45e8-9dcc-d883f07dda2b},720,8592,3125092,SecurityEvent, +,"10/17/2024, 4:22:26.675 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solamatrix,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{10d6a318-353d-484b-b26e-c78c346f1461},720,8592,3125094,SecurityEvent, +,"10/17/2024, 4:22:27.040 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eltech,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f1c8ae55-9f9e-4adc-b0a7-37093616e10a},720,8592,3125096,SecurityEvent, +,"10/17/2024, 4:22:27.234 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brickhd,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{96991bb9-9b1b-4ed0-9259-cbc48d344cd0},720,8592,3125098,SecurityEvent, +,"10/17/2024, 4:22:27.358 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rollrr,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cadc2a72-e23e-4518-bcda-c0ac423bddff},720,8592,3125100,SecurityEvent, +,"10/17/2024, 4:22:27.657 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getachoo,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{97cdff46-1432-4082-9a0f-5383e0f8e2a9},720,8592,3125102,SecurityEvent, +,"10/17/2024, 4:22:28.334 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spidrtech,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2990e735-d5c6-437b-a7c9-3ebd3b48d7d3},720,8592,3125104,SecurityEvent, +,"10/17/2024, 4:22:28.727 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbrx,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e2f27b8a-50e2-4d00-ac79-f709e6aa6605},720,8592,3125106,SecurityEvent, +,"10/17/2024, 4:22:28.748 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eicind,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2e08a80b-9d15-4af9-9a00-8a24f196cff3},720,8592,3125108,SecurityEvent, +,"10/17/2024, 4:22:28.894 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bucheler,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8da42544-8bc6-4f3f-b5d9-8bee57208b4c},720,8592,3125110,SecurityEvent, +,"10/17/2024, 4:22:29.010 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rupalee,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6be8290f-dcee-42d5-9868-7e560a190b4d},720,8592,3125112,SecurityEvent, +,"10/17/2024, 4:22:30.111 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spruceitup,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4de426d7-6d71-49c9-843b-4d6793954d6a},720,8592,3125114,SecurityEvent, +,"10/17/2024, 4:22:30.166 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gastrovision,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3c3e6213-0744-4797-b776-04d0d087368e},720,8592,3125116,SecurityEvent, +,"10/17/2024, 4:22:30.411 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,econorthwest,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{37f310f6-25d4-4f1c-83f6-0a0f8cc7e30d},720,8592,3125118,SecurityEvent, +,"10/17/2024, 4:22:30.577 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bursich,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b92c9df1-755d-4a1f-8e7e-a8627103652c},720,8592,3125120,SecurityEvent, +,"10/17/2024, 4:22:30.660 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rtbrokerage,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3e4c0c70-8a77-4bc4-854d-ba3f1403c6ce},720,8592,3125122,SecurityEvent, +,"10/17/2024, 4:22:31.270 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ghoston,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e43c6496-99df-4588-bb4c-254118daf8b3},720,8592,3125126,SecurityEvent, +,"10/17/2024, 4:22:31.783 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spearinc,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8773c4fc-f8b5-46ba-bcd8-89dfef70a493},720,8592,3125128,SecurityEvent, +,"10/17/2024, 4:22:32.079 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ele-ment,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{210aeb6a-d476-4ffc-bbbf-f0c3a8ed0f77},720,8592,3125130,SecurityEvent, +,"10/17/2024, 4:22:32.233 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bullen,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8b04fddb-3c13-4905-9208-3c85139335c5},720,8592,3125132,SecurityEvent, +,"10/17/2024, 4:22:32.397 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,russi,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8a4c5c2e-d478-4ec9-aec1-feef4386906b},720,8592,3125134,SecurityEvent, +,"10/17/2024, 4:22:32.711 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genoox,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{52c3cca7-382b-4aa2-976b-9ea305bf8220},720,8592,3125136,SecurityEvent, +,"10/17/2024, 4:22:33.439 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprocketlab,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{646fb2f1-2d22-4aba-b5b7-6825b85f11b1},720,8592,3125138,SecurityEvent, +,"10/17/2024, 4:22:33.783 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elsis,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ac3dd5f4-1365-4094-ad93-35a2bf8f4a53},720,8592,3125140,SecurityEvent, +,"10/17/2024, 4:22:33.801 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gatefeed,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{137a6445-eb78-4e16-a484-9130af57bcec},720,8592,3125142,SecurityEvent, +,"10/17/2024, 4:22:33.883 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,browdys,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f091b018-bb06-4573-95fd-6e0d724325b8},720,8592,3125144,SecurityEvent, +,"10/17/2024, 4:22:34.073 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saifs,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f5ed49f7-8cd7-4bd2-b87e-e201021167e1},720,8592,3125146,SecurityEvent, +,"10/17/2024, 4:22:35.186 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somentec,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0308ddf4-8675-40f7-a513-f2235eacec47},720,8592,3125148,SecurityEvent, +,"10/17/2024, 4:22:35.331 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,giftibly,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b08e1b2b-a063-41fe-922e-9e55efeddba8},720,8592,3125150,SecurityEvent, +,"10/17/2024, 4:22:35.442 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eboard,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2a2428f0-c34e-4c90-9d4d-2c4046ca45cb},720,8592,3125152,SecurityEvent, +,"10/17/2024, 4:22:35.535 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breannabaker,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{50ba2491-20b3-4c15-b09b-00cd7a82eeb8},720,8592,3125154,SecurityEvent, +,"10/17/2024, 4:22:35.719 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,samaritan,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{956b8c7f-a884-4dd6-be0e-f2eadaae8953},720,8592,3125156,SecurityEvent, +,"10/17/2024, 4:22:36.666 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,98.70.64.41,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ftpuser,S-1-0-0,,,,,,,,-,,,,,,,,workstation,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8f98eaa0-0d26-45ac-aedb-300af8a59bdb},720,8592,3125158,SecurityEvent, +,"10/17/2024, 4:22:36.835 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,glamourcraft,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3b915b0c-0187-4dc9-ad3c-d0e6708affe4},720,8592,3125160,SecurityEvent, +,"10/17/2024, 4:22:36.841 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solidleaders,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{087b8d7f-5dcb-4435-bcf8-0825650516c7},720,8592,3125162,SecurityEvent, +,"10/17/2024, 4:22:37.091 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebssecurity,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9f4ec09e-9fff-42b0-bc52-6e6334ef8f12},720,8592,3125164,SecurityEvent, +,"10/17/2024, 4:22:37.188 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,burtco,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{29519bb0-e5bd-4e24-84ec-83d81975fcb3},720,8592,3125166,SecurityEvent, +,"10/17/2024, 4:22:37.399 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rpi,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dc9251e2-2a93-4f24-92d3-1991ca6d1304},720,8592,3125168,SecurityEvent, +,"10/17/2024, 4:22:38.245 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ghermez,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bf3f3a2b-f67e-4c11-9ad2-ad4f9cdeb5af},720,8592,3125170,SecurityEvent, +,"10/17/2024, 4:22:38.498 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,soothsayre,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2d9562c1-1f64-488d-b0b3-0908d75ad35b},720,8592,3125172,SecurityEvent, +,"10/17/2024, 4:22:38.747 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eldersource,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c215ab1b-d523-46c7-84e1-2bb1cab37074},720,8592,3125174,SecurityEvent, +,"10/17/2024, 4:22:38.842 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breuning,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4e1e17dc-3338-4139-8cb8-33aa9795cd5f},720,8592,3125176,SecurityEvent, +,"10/17/2024, 4:22:39.050 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roomian,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2d34f1a5-1088-491e-8d0b-6dc789b47437},720,8592,3125178,SecurityEvent, +,"10/17/2024, 4:22:39.888 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gencoshipping,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:06.132 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5c2cc1c5-ae23-4717-85f6-f55e31e1b6f5},720,8592,3125180,SecurityEvent, +,"10/17/2024, 4:22:40.150 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,softcube,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{152bcfbc-502c-489c-9e72-af1baa594770},720,8592,3125182,SecurityEvent, +,"10/17/2024, 4:22:40.429 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,earthblend,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{448bd2d8-bed5-4034-be21-886a90483ff5},720,8592,3125184,SecurityEvent, +,"10/17/2024, 4:22:40.500 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brimore,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f6e040c7-0761-46a2-9363-33915ccf8934},720,8592,3125186,SecurityEvent, +,"10/17/2024, 4:22:40.697 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rondeux,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{612c1d9d-bc0f-49e1-b941-0e5d595a1be1},720,8592,3125188,SecurityEvent, +,"10/17/2024, 4:22:41.685 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gardenghi,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fab44514-030f-4959-952b-73093de50626},720,8592,3125190,SecurityEvent, +,"10/17/2024, 4:22:41.844 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportyhq,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e0873a47-b106-461f-aba2-ac04322a7bf5},720,8592,3125192,SecurityEvent, +,"10/17/2024, 4:22:42.149 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breykrause,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ca575b70-bb1b-442c-b44f-c7332288ed86},720,8592,3125194,SecurityEvent, +,"10/17/2024, 4:22:42.149 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elhilow,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5d3b876f-8b56-4b7a-a165-7e0faf2e74d1},720,8592,3125196,SecurityEvent, +,"10/17/2024, 4:22:42.403 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,samsontug,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{07eb3697-77b8-4aec-8042-4d62f900c23b},720,8592,3125198,SecurityEvent, +,"10/17/2024, 4:22:42.761 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getfire,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{019478bf-ced8-4f95-81b6-e782f8f73c45},720,8592,3125200,SecurityEvent, +,"10/17/2024, 4:22:43.491 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spotamate,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d583f888-d269-4733-92de-792cff415361},720,8592,3125202,SecurityEvent, +,"10/17/2024, 4:22:43.811 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elsome,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{08b0cae4-a5f5-4af4-99c9-3f8e81374a42},720,8592,3125204,SecurityEvent, +,"10/17/2024, 4:22:43.813 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bruzel,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{877661f1-7f1d-4b66-92df-4d993eb78848},720,8592,3125206,SecurityEvent, +,"10/17/2024, 4:22:44.060 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safe-banking,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{2af366e9-39da-47da-bdfc-d2df2ead64bf},720,8592,3125208,SecurityEvent, +,"10/17/2024, 4:22:44.734 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gethiyu,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9275ba98-0546-4dff-b3c0-4d9d5bbfd24d},720,8592,3125210,SecurityEvent, +,"10/17/2024, 4:22:45.156 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonburst,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f613e880-01a7-4cf1-8907-32cbb1b5c782},720,8592,3125212,SecurityEvent, +,"10/17/2024, 4:22:45.458 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eagle-prec,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{269997c9-8f2a-43a6-bafc-b67112ba73f6},720,8592,3125214,SecurityEvent, +,"10/17/2024, 4:22:45.471 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bpassionit,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f72997d8-9738-4f4b-90e1-ddd35034fa26},720,8592,3125216,SecurityEvent, +,"10/17/2024, 4:22:45.706 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,salesmate,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{97d37fbf-dda9-43dc-a224-86da611d9e71},720,8592,3125218,SecurityEvent, +,"10/17/2024, 4:22:46.059 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gancos,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d1a29a36-c897-4955-90f8-ab2d5a647352},720,8592,3125220,SecurityEvent, +,"10/17/2024, 4:22:46.975 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sorma,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{137faf31-7b49-48d8-b7cd-bd9949360116},720,8592,3125222,SecurityEvent, +,"10/17/2024, 4:22:47.114 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eligio,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{36c9de7a-7f7a-4b35-a3aa-860a74ceb218},720,8592,3125224,SecurityEvent, +,"10/17/2024, 4:22:47.126 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buckservices,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{047b68ab-0263-4132-bb31-17675b72205e},720,8592,3125226,SecurityEvent, +,"10/17/2024, 4:22:47.390 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sabourin,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{6244bbca-7e09-477f-bd13-bf77bd9d6967},720,8592,3125228,SecurityEvent, +,"10/17/2024, 4:22:47.584 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gisukltd,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{39286978-8232-40f5-a1ea-7576d72d19d8},720,8592,3125230,SecurityEvent, +,"10/17/2024, 4:22:48.633 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprylyfe,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3970c11a-98f6-4f3d-8f24-ba374c27d5a7},720,8592,3125232,SecurityEvent, +,"10/17/2024, 4:22:48.792 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eliasarts,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{17b6494d-185c-493f-9e37-147c7215db24},720,8592,3125234,SecurityEvent, +,"10/17/2024, 4:22:48.855 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brandfocusgroup,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{fe5928d5-c054-4b1d-95e3-84e53005e4e1},720,8592,3125236,SecurityEvent, +,"10/17/2024, 4:22:48.907 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gammavacuum,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{03fa6521-0ce0-4d8a-a815-d54b3a9542c7},720,8592,3125238,SecurityEvent, +,"10/17/2024, 4:22:49.069 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rubyseven,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c8f761d7-707d-42d9-82b5-18b0c2945f27},720,8592,3125240,SecurityEvent, +,"10/17/2024, 4:22:50.157 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geeksandgurus,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dadc855a-037c-4598-9a50-cecb624730af},720,8592,3125242,SecurityEvent, +,"10/17/2024, 4:22:50.288 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sprinfield,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cc1aec37-04f2-4f6a-8bce-52071767398a},720,8592,3125244,SecurityEvent, +,"10/17/2024, 4:22:50.501 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brockton,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{0c2f5e7a-277c-4515-9cdb-978e2b464cf1},720,8592,3125246,SecurityEvent, +,"10/17/2024, 4:22:50.595 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edgecase,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9957c744-8073-4d1c-8945-de2d28c1a171},720,8592,3125248,SecurityEvent, +,"10/17/2024, 4:22:50.731 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sahloul,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{99246d5e-a31a-483d-b6e8-c6e831853176},720,8592,3125250,SecurityEvent, +,"10/17/2024, 4:22:51.497 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garison,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{77890354-51a2-435b-bf16-add9d93ee491},720,8592,3125252,SecurityEvent, +,"10/17/2024, 4:22:52.109 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,springan,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e594e294-801e-426a-ace8-5d6c145f7ed5},720,8592,3125254,SecurityEvent, +,"10/17/2024, 4:22:52.279 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,braga,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{53b9846e-2e9b-4fa8-95bd-275be3b3d819},720,8592,3125256,SecurityEvent, +,"10/17/2024, 4:22:52.337 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebuehl,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1a7fb210-30da-49c7-b177-5f3f7b177a84},720,8592,3125258,SecurityEvent, +,"10/17/2024, 4:22:52.384 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rogerswillard,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{55a1f08e-e741-4d7a-be29-3b2506fbaa43},720,8592,3125260,SecurityEvent, +,"10/17/2024, 4:22:52.716 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geskus,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7e0c5687-884e-4d01-af2c-fa21f2607005},720,8592,3125262,SecurityEvent, +,"10/17/2024, 4:22:53.760 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spotterlabs,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{138deac9-d6e6-469d-b909-c77506a8082b},720,8592,3125264,SecurityEvent, +,"10/17/2024, 4:22:53.860 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,genrrate,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e43a1401-3d97-441a-aa54-0e62fffc07b5},720,8592,3125266,SecurityEvent, +,"10/17/2024, 4:22:53.957 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bountea,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7d05a78a-06e4-4b23-af74-2241304c64e6},720,8592,3125268,SecurityEvent, +,"10/17/2024, 4:22:53.995 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebm-gmbh,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{108d5797-68a0-429b-8d58-1ffe2a48f7e0},720,8592,3125270,SecurityEvent, +,"10/17/2024, 4:22:54.179 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rooftek,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{761b3b90-925f-47b9-bf80-7601f1a3d8bd},720,8592,3125272,SecurityEvent, +,"10/17/2024, 4:22:55.326 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gkd-re,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9f0f4841-0e06-4d75-a8ad-0b57816bd469},720,8592,3125274,SecurityEvent, +,"10/17/2024, 4:22:55.416 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sportpharm,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bae202b9-5777-4dd5-846e-183b3301a6e4},720,8592,3125276,SecurityEvent, +,"10/17/2024, 4:22:55.602 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brastrom,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dc9beb8c-7356-4fce-ac1e-33be90d0e667},720,8592,3125278,SecurityEvent, +,"10/17/2024, 4:22:55.648 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ecpnetwork,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a133b605-a964-435c-8e5a-f735aa37618b},720,8592,3125280,SecurityEvent, +,"10/17/2024, 4:22:55.882 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rusd,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8e129976-9e94-4229-b0c5-c3f2915789fd},720,8592,3125282,SecurityEvent, +,"10/17/2024, 4:22:57.115 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,softwaremart,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1c24aeb7-6030-4299-95ea-19ab2fd136a0},720,8592,3125284,SecurityEvent, +,"10/17/2024, 4:22:57.148 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gamified,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c92fe927-ed38-4101-81df-332f3cabc857},720,8592,3125286,SecurityEvent, +,"10/17/2024, 4:22:57.441 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,elcona,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bddb74fe-7da3-4c79-8e24-72cd2e9879d8},720,8592,3125288,SecurityEvent, +,"10/17/2024, 4:22:57.448 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buildr,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{769fbc51-4617-4f1c-84e7-fc616b26f723},720,8592,3125290,SecurityEvent, +,"10/17/2024, 4:22:57.541 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,s2bn,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ba4c6b30-0e85-495f-8bc0-04009c23d048},720,8592,3125292,SecurityEvent, +,"10/17/2024, 4:22:58.282 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gemark,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7094342f-84b4-4f66-9c7a-df5f74c9acdd},720,8592,3125294,SecurityEvent, +,"10/17/2024, 4:22:58.788 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sperry,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{862376ca-50dc-4deb-b12d-8ab61bcfccd9},720,8592,3125296,SecurityEvent, +,"10/17/2024, 4:22:59.100 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eikolytics-ab,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b8ce3ce1-d252-46c1-bbc5-8f09bff21fc0},720,8592,3125298,SecurityEvent, +,"10/17/2024, 4:22:59.190 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rohdes,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dfef14a2-916c-4c97-b8d1-79c9f885e4e7},720,8592,3125300,SecurityEvent, +,"10/17/2024, 4:22:59.234 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,boulderwear,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{737d34ab-7e01-4a4f-a2b3-f004c91b2671},720,8592,3125302,SecurityEvent, +,"10/17/2024, 4:22:59.753 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getasapp,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:23:26.146 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c34fb7bc-4a12-415c-9011-f27ac9c76205},720,8592,3125304,SecurityEvent, +,"10/17/2024, 4:23:20.659 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getpixus,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{cc858f22-c153-4203-8f26-c756e8deb75d},720,8164,3125430,SecurityEvent, +,"10/17/2024, 4:23:20.788 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eckhouse,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{31c6c067-f574-4f16-902d-47111645cf5e},720,8164,3125432,SecurityEvent, +,"10/17/2024, 4:23:20.799 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sodexhp,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{dcfda2b5-78ae-40fa-9fc0-5173e5fb88ee},720,8164,3125434,SecurityEvent, +,"10/17/2024, 4:23:21.272 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bubcart,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{48f59831-ed83-41c2-a057-a50b21b5a35c},720,8164,3125436,SecurityEvent, +,"10/17/2024, 4:23:21.507 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,safetypg,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{adc0ef14-aabc-4e68-a1cd-176e002159a2},720,8164,3125438,SecurityEvent, +,"10/17/2024, 4:23:22.457 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebo,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{689033df-ef9b-4bbc-b569-7633fbc7e067},720,8164,3125440,SecurityEvent, +,"10/17/2024, 4:23:22.458 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spyne,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c155aaba-8aa9-4fc6-9668-d5d7fda258d2},720,8164,3125442,SecurityEvent, +,"10/17/2024, 4:23:22.759 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,getklox,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{923cd4e6-5e44-4267-b140-602e7689d5fc},720,8164,3125444,SecurityEvent, +,"10/17/2024, 4:23:22.925 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brazenglobal,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{03b4fd03-d1c6-450f-9d22-a05ceef09064},720,8164,3125446,SecurityEvent, +,"10/17/2024, 4:23:23.165 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ronsen,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{e99d341f-05ea-4cb8-8160-79af7b96360d},720,8164,3125448,SecurityEvent, +,"10/17/2024, 4:23:24.112 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sonnentaler,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{d5692777-aad4-424c-bd62-48504040a69d},720,8164,3125450,SecurityEvent, +,"10/17/2024, 4:23:24.114 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,eklipse,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a59203fc-4b34-4bc8-af6f-96733ddc054b},720,8164,3125452,SecurityEvent, +,"10/17/2024, 4:23:24.150 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbrabs,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{555c139f-66ac-432a-9485-f89a51e9142c},720,8164,3125454,SecurityEvent, +,"10/17/2024, 4:23:24.638 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brightkite,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{8d904b7b-a806-472f-84fe-8e9ce8f8aed2},720,8164,3125456,SecurityEvent, +,"10/17/2024, 4:23:24.826 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rygre,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{12e98a88-90c2-41f0-9e7f-af50427975b3},720,8164,3125458,SecurityEvent, +,"10/17/2024, 4:23:25.557 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gilliatte,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{44bc8260-c3b8-413f-b249-89c856b46501},720,8164,3125460,SecurityEvent, +,"10/17/2024, 4:23:25.852 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,solmed,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{001202b6-a5c2-4de8-868d-0d3a0ece68b4},720,8164,3125462,SecurityEvent, +,"10/17/2024, 4:23:26.118 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ehrlinked,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{69c2c90e-9fbe-4d4c-8649-a867d967ef88},720,8164,3125464,SecurityEvent, +,"10/17/2024, 4:23:26.298 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,breathrx,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3f0f28ca-0b64-4f02-b0d1-2254e6556957},720,8164,3125466,SecurityEvent, +,"10/17/2024, 4:23:26.483 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,samsungnext,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{c6575183-e91d-4680-a641-7540a6902a50},720,8164,3125468,SecurityEvent, +,"10/17/2024, 4:23:27.306 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gcmc,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ca94e0f6-7d03-4a8e-8da0-d4cad0cccbd5},720,8164,3125470,SecurityEvent, +,"10/17/2024, 4:23:27.505 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somes,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b25893e2-58ad-4063-82f8-02544a1eed3c},720,8164,3125472,SecurityEvent, +,"10/17/2024, 4:23:27.765 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,easween,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{753cac7f-96cd-41b4-b065-52ca3af1deaa},720,8164,3125474,SecurityEvent, +,"10/17/2024, 4:23:27.952 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brownmark,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9bda09c7-04ad-4b16-b8b2-f5f190b73418},720,8164,3125476,SecurityEvent, +,"10/17/2024, 4:23:28.261 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ruhlampruhl,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{60142875-616e-4ff5-a13f-f38694b5a7fa},720,8164,3125478,SecurityEvent, +,"10/17/2024, 4:23:29.165 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,spirinet,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{9635f0ca-b3ee-4349-91e9-5a6337715cb0},720,8164,3125480,SecurityEvent, +,"10/17/2024, 4:23:29.422 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,electregy,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a76520e5-a25a-45b0-85cf-e6d82b46154d},720,8164,3125482,SecurityEvent, +,"10/17/2024, 4:23:29.440 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,geovista,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{41b3305a-cbe4-4936-99e0-b2af60b7bb6c},720,8164,3125484,SecurityEvent, +,"10/17/2024, 4:23:29.607 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,brattleworks,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bf74f421-5a20-4c65-be28-dedd44ea8b6d},720,8164,3125486,SecurityEvent, +,"10/17/2024, 4:23:29.978 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,saloonbox,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{528a88e5-000f-4571-b079-725f8e6881b1},720,8164,3125488,SecurityEvent, +,"10/17/2024, 4:23:30.924 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,speedees,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{71333e9c-37f4-495e-b0df-1f1aae7ccab5},720,8164,3125490,SecurityEvent, +,"10/17/2024, 4:23:31.087 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ebed,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{397f3858-d2e6-4f7c-a3f4-5196ff2ea2d5},720,8164,3125494,SecurityEvent, +,"10/17/2024, 4:23:31.243 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,garabar,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{1cea8ab5-0662-4bd3-aaa9-f4cbcbeb21fb},720,8164,3125496,SecurityEvent, +,"10/17/2024, 4:23:31.324 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,buildabrand,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a33e71e0-d722-43c0-90fd-4063bb032188},720,8164,3125498,SecurityEvent, +,"10/17/2024, 4:23:31.637 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rx-precision,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{a9db45f8-15c8-459a-880c-0df2be50025b},720,8164,3125500,SecurityEvent, +,"10/17/2024, 4:23:32.611 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sovie,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{46c4346b-c182-429e-8a9f-10bf72cdc1a2},720,8164,3125502,SecurityEvent, +,"10/17/2024, 4:23:32.614 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,giashi,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7da51b17-c6b0-400a-8c8a-16806a056350},720,8164,3125504,SecurityEvent, +,"10/17/2024, 4:23:32.743 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edine,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{02b55da4-fc1e-4105-aa17-719ac9f5533c},720,8164,3125506,SecurityEvent, +,"10/17/2024, 4:23:33.017 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,bussum,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{bddaaafb-3ffd-4113-8829-814b6075eeb6},720,8164,3125508,SecurityEvent, +,"10/17/2024, 4:23:33.418 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rosewich,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 
4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{3e320684-3180-4213-8305-8960fa665a22},720,8164,3125510,SecurityEvent, +,"10/17/2024, 4:23:34.190 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gbbcouncil,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ecc1d784-49f0-484a-9e6f-91864a12dfe7},720,8164,3125512,SecurityEvent, +,"10/17/2024, 4:23:34.266 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,somerdale,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{5cb75a7a-db0e-41f0-8876-0dcde4f4c3cf},720,8164,3125514,SecurityEvent, +,"10/17/2024, 4:23:34.457 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,ellomobile,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{4fbaf032-9416-45ef-9e2b-525dff4ffaad},720,8164,3125516,SecurityEvent, +,"10/17/2024, 4:23:34.671 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,budoff,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f73e7dde-2caa-4be2-8f95-4485438b588e},720,8164,3125518,SecurityEvent, +,"10/17/2024, 4:23:35.072 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,roll20,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b5162fbf-e08d-4b89-9b1c-bdc2d0968d06},720,8164,3125520,SecurityEvent, +,"10/17/2024, 4:23:35.961 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sperlversand,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{b6867541-9802-490a-adc7-6e9b03c2aaae},720,8164,3125522,SecurityEvent, +,"10/17/2024, 4:23:36.027 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gartrellgroup,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7ba50c30-dd48-4699-aca7-24843903db5d},720,8164,3125524,SecurityEvent, +,"10/17/2024, 4:23:36.111 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.17,0,0,-,,,,,,,,NtLmSsp ,3,3 - 
Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,edisonreklam,S-1-0-0,,,,,,,,-,,,,,,,,D-526,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{7ec0409c-7869-4b4d-86f5-fdd6deef5410},720,8164,3125526,SecurityEvent, +,"10/17/2024, 4:23:36.333 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,194.169.175.31,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,building421,S-1-0-0,,,,,,,,-,,,,,,,,D-500,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{11e97a4c-82b6-47d6-b646-b95bab675d63},720,8164,3125528,SecurityEvent, +,"10/17/2024, 4:23:36.793 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.231,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,rushden,S-1-0-0,,,,,,,,-,,,,,,,,D-541,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{180d5d69-98cb-47a2-9a59-041dd284dded},720,8164,3125530,SecurityEvent, +,"10/17/2024, 4:23:37.387 
PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,45.151.99.126,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,gaum,S-1-0-0,,,,,,,,-,,,,,,,,WIN-7LRNR2HDJR9,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{f4ecac04-2ff5-4979-99b5-5c18af3fef62},720,8164,3125532,SecurityEvent, +,"10/17/2024, 4:23:37.648 PM",OpsManager,#NAME?,User,devops-vm,Microsoft-Windows-Security-Auditing,Security,12544,0,,4625,4625 - An account failed to log on.,,,,,,,,,,,,,,,,,,,,NTLM,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,%%2313,,,,,,,,,,,,,,,77.90.185.230,0,0,-,,,,,,,,NtLmSsp ,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,-,0x0,-,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0xc000006d,-\-,,,-,,0x0,,,-,S-1-0-0,0xc0000064,,#NAME?,-,,,,,,,,,sostrom,S-1-0-0,,,,,,,,-,,,,,,,,D-542,LogAlways,64b4cff0-b71b-4e15-a62b-a7fcd21c3c22,00000000-0000-0000-0000-000000000001,"10/17/2024, 4:24:06.125 PM",AOI-e34d562e-ef12-4c4e-9bc0-7c6ae357c015,N/A,0,0,0x8010000000000000,{ba1024bf-5611-4d5c-b90f-aa0d51a9093e},720,8164,3125534,SecurityEvent, +,,,ASHTravel\CPC-U126T-0G49H$,Machine,devops-vm,Microsoft-Windows-Security-Auditing,Security,12545,,,4634,4634 - An account was logged off.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,3 - Network,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ASHTravel\CPC-U126T-0G49H$,ASHTravel,,,0x9e6cad9,,,,,,CPC-U126T-0G49H$,S-1-5-21-720421519-3183328870-3616890059-4119,,,,,,,,,,,,,,,,,LogAlways,51fccf8c-2834-49f9-b05c-446e5cdefb09,,,,,,,,,844,5988,363506,SecurityEvent, 
diff --git a/Sample Data/Custom/Mimecast/Audit_CL.csv b/Sample Data/Custom/Mimecast/Audit_CL.csv
new file mode 100644
index 00000000000..6ad6cb8b2d4
--- /dev/null
+++ b/Sample Data/Custom/Mimecast/Audit_CL.csv
@@ -0,0 +1,6 @@ +id_s,auditType_s,user_s,eventTime_t [UTC],eventInfo_s,Category +eNoVjl0LgjAAAP_LXhUqZVpBD1ZYWMzIsoxelltjli3n5lf037P3O-4-oKSplpQTMAXZ2r2FCinrHhnKG5fosJkYRGcjv807bKFHHEMRh_t0Lkm9ubyRTwvHsJe7c34T8DT3ssoNO8zQquiSJE-arWyuA4SdSmPI4OPF3IAXtA0aVs-ACbAmXD0F-8dH0HHsCRzaJkh1qUROZSoI7a8Wx8izx55lub1SUVly8er57w8oBj,Threat Intel Feed Download,api-e500ed91-0490-4fa8-81978058323e@dhmc.b41.one,"7/6/2024, 8:42:28 PM","Threat intel multiple feeds download - malware_grid_csv_202407061642822.zip, Date: 2024-07-06, Time: 20:42:28+0000, IP: 47.198.5.186, Application: B41-Splunk",reporting_logs +eNoVjl0LgjAAAP_LXg1KbWpBD5YYWJh9WUYvS8eYNpebUzP679n7HXcfIHGqBKYZmIPIm2gyYY5XHbb1_uRcIirjWuW6_2Y9MsIijiGPd4d0KbJ2c3uFPq4szfSiK3tweFm6eWPvekTCddUnCUu6reju4xBZjUKQwKIkdkAr_A460i7ACCCV0frJyT-uQ8syZ4Y9HYFUyZozLFKe4eFqdT66puMahj0oDRaS8nLgvz9YTD,Threat Intel Feed Download,api-e500ed91-0fa8-b72e-81978058323e@dhmc.b41.one,"7/6/2024, 8:12:28 PM","Threat intel multiple feeds download - malware_grid_csv_20240701228678.zip, Date: 2024-07-06, Time: 20:12:28+0000, IP: 47.198.5.186, Application: B41-Splunk",reporting_logs +eNoVjkkOgjAAAP_SqyYKpIAmHkBF3MBIRDFeats0gFAplM34d_E-k5kPKCmWgsYEzEHXpWsf2lviuq-g7I8GcrFCZKI4XdYj1UvDEPLQP2NbkGZ_f3sOLfSRtjrdsieHV9tKasPvEfM2RR9FWdQeRPuYeEivJYIMpjkzdnFBu13LmgUYAyRJXL04-8cVqOvaTJmaY4BlWfGMCswJHa6Wl8DSTEtVjUGpqShjng_89wd2JD,Threat Intel Feed Download,api-e500ed91-0490-b72e-81978058323e@dhmc.b41.one,"7/6/2024, 7:42:28 PM","Threat intel multiple feeds download - malware_grid_csv_20240706158505.zip, Date: 2024-07-06, Time: 19:42:28+0000, IP: 47.198.5.186, Application: B41-Splunk",reporting_logs +eNoVjtEKgjAAAP9lrwWZMldBD1oZVJgkWote5jaWmi6nMzP69-z9jrsPqDnViqcMLAAOQpQbJYTG5h41KHh6KKFMZ1PvXfTE9PM4hjI-nqir2Gt_ffoer-yRtQ4uRSLh2XWyFh17Ivxt1WNc4O6gutvEJ3arCRQwLwXapRV_7zrxWoIxIJqlzUOKf3wKbduazefGGFBdN7LgikrGh6tVFDrWzDFNNCgtV3Uqy4H__gAY7j,Threat Intel Feed Download,api-e500ed91-0490-b72e-81978058323e@dhmc.b41.one,"7/6/2024, 7:12:29 PM","Threat intel multiple feeds download - 
malware_grid_csv_20240706229019.zip, Date: 2024-07-06, Time: 19:12:29+0000, IP: 47.198.5.186, Application: B41-Splunk",reporting_logs +eNoVjtEKgjAAAP9lrwWVMpWgh1kUlc4ysoxe1jaWmS6nMzX69-z9jrsPKDnViicMTEHhr-UO-R4e368jFDine7hfsEo_Jss264iB0yiCMgpC6ir23l5eeMkLa2AudufsJuHJRY_aDjoi8Kro4jiLG0811xEmVq0JFDDNhb1JCt5uGvGegSEgmiXVU4p_fQIty3QcezwEVJeVzLiikvF-a348INNBhmH3Ss1Vmci8578_aJY-,Threat Intel Feed Download,api-e500ed91-0490-b72e-81978058323e@dhmc.b41.one,"7/6/2024, 6:42:29 PM","Threat intel multiple feeds download - malware_grid_csv_20240706229001.zip, Date: 2024-07-06, Time: 18:42:29+0000, IP: 47.198.5.186, Application: B41-Splunk",reporting_logs \ No newline at end of file diff --git a/Sample Data/Custom/Mimecast/Awareness_Performance_Details_CL.csv b/Sample Data/Custom/Mimecast/Awareness_Performance_Details_CL.csv new file mode 100644 index 00000000000..eb861cb072a --- /dev/null +++ b/Sample Data/Custom/Mimecast/Awareness_Performance_Details_CL.csv 
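Review bot: The `IP:` value embedded in every eventInfo_s row (47.198.5.186) appears to be a routable public address rather than one from the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and the user_s addresses name what looks like a specific tenant domain rather than an RFC 2606 reserved one such as example.com. Sample data in this directory is meant to be ingested and queried, so an analyst or a test may end up pivoting on an address that belongs to a real third party. The same applies to clickedIp_s in Awareness_User_Data_CL.csv, senderIp_s in Cloud_Integrated_CL.csv and senderIpAddress_s in Ttp_Impersonation_CL.csv. Regenerating the fixtures with documentation addresses and example.com domains would keep the parser coverage identical while removing the ambiguity.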
@@ -0,0 +1,6 @@ +email_s,name_s,department_s,numIncorrect_d,numCorrect_d,numNotWatched_d,userDetails_s,userState_s +user.name1@test.net,user.name1@test.net,,1,0,1,"[{""title"":""Everybody_Say_Simpson"",""category"":""infoprotection"",""timeSent"":""2024-06-11T10:01:16+00:00"",""timeViewed"":""2024-06-11T13:16:39+00:00"",""status"":""Incorrect"",""ack"":false},{""title"":""Go_Grande"",""category"":""infoprotection"",""timeSent"":""2024-07-05T10:00:07+00:00"",""timeViewed"":""1970-01-01T00:00:00+00:00"",""status"":""Not Watched"",""ack"":false}]",ACTIVE +user.name2@test.net,user.name2@test.net,,1,1,2,"[{""title"":""You_Had_Me_at_Hello"",""category"":""passwords"",""timeSent"":""2024-07-30T19:39:00+00:00"",""timeViewed"":""2024-07-30T19:53:02+00:00"",""status"":""Incorrect"",""ack"":false},{""title"":""Everybody_Say_Simpson"",""category"":""infoprotection"",""timeSent"":""2020-07-01T10:02:00+00:00"",""timeViewed"":""2024-06-06T19:47:09+00:00"",""status"":""Correct"",""ack"":false},{""title"":""Free_Cruise_for_Two"",""category"":""phishing"",""timeSent"":""2024-06-10T19:35:00+00:00"",""timeViewed"":""1970-01-01T00:00:00+00:00"",""status"":""Not Watched"",""ack"":false},{""title"":""Go_Grande"",""category"":""infoprotection"",""timeSent"":""2024-07-05T10:00:07+00:00"",""timeViewed"":""1970-01-01T00:00:00+00:00"",""status"":""Not Watched"",""ack"":false}]",ACTIVE +user.name3@test.net,user.name3@test.net,,1,0,1,"[{""title"":""Everybody_Say_Simpson"",""category"":""infoprotection"",""timeSent"":""2024-06-11T10:01:16+00:00"",""timeViewed"":""2024-06-11T13:12:22+00:00"",""status"":""Incorrect"",""ack"":false},{""title"":""Go_Grande"",""category"":""infoprotection"",""timeSent"":""2024-07-05T10:00:07+00:00"",""timeViewed"":""1970-01-01T00:00:00+00:00"",""status"":""Not Watched"",""ack"":false}]",ACTIVE 
+user.name4@test.net,user.name4@test.net,,1,0,1,"[{""title"":""Everybody_Say_Simpson"",""category"":""infoprotection"",""timeSent"":""2024-06-11T10:01:16+00:00"",""timeViewed"":""2024-06-11T13:15:59+00:00"",""status"":""Incorrect"",""ack"":false},{""title"":""Go_Grande"",""category"":""infoprotection"",""timeSent"":""2024-07-05T10:00:07+00:00"",""timeViewed"":""1970-01-01T00:00:00+00:00"",""status"":""Not Watched"",""ack"":false}]",ACTIVE +user.name5@test.net,user.name5@test.net,,1,1,1,"[{""title"":""You_Had_Me_at_Hello"",""category"":""passwords"",""timeSent"":""2024-07-30T19:39:01+00:00"",""timeViewed"":""2024-07-30T19:54:03+00:00"",""status"":""Incorrect"",""ack"":false},{""title"":""Everybody_Say_Simpson"",""category"":""infoprotection"",""timeSent"":""2024-06-11T10:01:16+00:00"",""timeViewed"":""2024-06-11T13:15:03+00:00"",""status"":""Correct"",""ack"":false},{""title"":""Go_Grande"",""category"":""infoprotection"",""timeSent"":""2024-07-05T10:00:07+00:00"",""timeViewed"":""1970-01-01T00:00:00+00:00"",""status"":""Not Watched"",""ack"":false}]",ACTIVE \ No newline at end of file diff --git a/Sample Data/Custom/Mimecast/Awareness_SafeScore_Details_CL.csv b/Sample Data/Custom/Mimecast/Awareness_SafeScore_Details_CL.csv new file mode 100644 index 00000000000..66110392ad8 --- /dev/null +++ b/Sample Data/Custom/Mimecast/Awareness_SafeScore_Details_CL.csv @@ -0,0 +1,6 @@ +emailAddress_s,name_s,department_s,risk_s,humanError_s,sentiment_s,engagement_s,knowledge_s,userState_s +user.name1@test.net,user.name6@test.one,,F,F,D,F,F,ACTIVE +user.name2@test.net,user.name7@test.one,,C,A,D,F,F,ACTIVE +user.name3@test.net,user.name8@test.one,,C,A,D,F,F,ACTIVE +user.name4@test.net,user.name9@test.one,,F,F,D,F,F,ACTIVE +user.name5@test.net,user.name@test.one,,B,A,D,C,F,ACTIVE \ No newline at end of file diff --git a/Sample Data/Custom/Mimecast/Awareness_User_Data_CL.csv b/Sample Data/Custom/Mimecast/Awareness_User_Data_CL.csv new file mode 100644 index 00000000000..044925d6d03 
--- /dev/null +++ b/Sample Data/Custom/Mimecast/Awareness_User_Data_CL.csv @@ -0,0 +1,6 @@ +timeReported_t [UTC],timeScheduled_t [UTC],reactionTime_d,timeOpened_t [UTC],timeClicked_t [UTC],name_s,email_s,templateName_s,department_s,status_s,numCampaignsSent_d,numCampaignsClicked_d,numTrainingModulesAssigned_d,numCorrectAnswers_d,numIncorrectAnswers_d,userState_s,clickedIp_s +,"6/10/2024, 6:11:00 PM",,,,,at.user@hapi1.hamilton321.net,Shipping,,SENT,7,0,6,0,0,ACTIVE, +,"6/10/2024, 6:11:00 PM",96249,"6/10/2024, 6:11:25 PM","6/11/2024, 8:55:35 PM",test user,test.user1@dhmc.b41.one,Coronavirus,,CLICKED,7,2,6,0,2,ACTIVE,54.243.138.178 +,"6/10/2024, 6:11:00 PM",,,,test.user2@hapi1.hamilton321.net,test.user2@hapi1.hamilton321.net,Free Promotions,,SENT,7,0,7,0,0,ACTIVE, +,"6/10/2024, 6:11:00 PM",,,,,test.user3@hapi1.hamilton321.net,Dropbox Sharing,,SENT,7,0,7,0,0,ACTIVE, +,"6/10/2024, 6:11:00 PM",,,,,test.user4@hapi1.hamilton321.net,Onedrive,,SENT,7,1,7,0,0,ACTIVE, \ No newline at end of file diff --git a/Sample Data/Custom/Mimecast/Awareness_Watchlist_Details_CL.csv b/Sample Data/Custom/Mimecast/Awareness_Watchlist_Details_CL.csv new file mode 100644 index 00000000000..305aba44af4 --- /dev/null +++ b/Sample Data/Custom/Mimecast/Awareness_Watchlist_Details_CL.csv @@ -0,0 +1,6 @@ +email_s,name_s,department_s,watchlistCount_d,userState_s +test.user2@hapi1.hamilton321.net,test.user2@hapi1.hamilton321.net,,2,ACTIVE +test.user3@hapi1.hamilton321.net,,,2,ACTIVE +test.user@hapi1.hamilton321.net,Test User HAPI1,,2,ACTIVE +at.user@hapi1.hamilton321.net,,,2,ACTIVE +test.user4@hapi1.hamilton321.net,,,2,ACTIVE \ No newline at end of file diff --git a/Sample Data/Custom/Mimecast/Cloud_Integrated_CL.csv b/Sample Data/Custom/Mimecast/Cloud_Integrated_CL.csv new file mode 100644 index 00000000000..e97860e7bf4 --- /dev/null +++ b/Sample Data/Custom/Mimecast/Cloud_Integrated_CL.csv 
@@ -0,0 +1,6 @@ +timestamp_d,accountId_s,aggregateId_s,processingId_s,messageId_s,attachments_s,recipients_s,policiesApplied_s,senderIp_s,senderEnvelope_s,subject_s,source_s,threatState_s,threatType_s,direction_s,senderHeader_s,type_s,subtype_s,_offset_d,_partition_d +1722369053950,AUS2475,4WYQnn48jKz5F0r-jx98x57a48qdnkksuhxebr6dc8_17223690,a53a50f0eb95a33724ec61f92d0ce390a1669a13f97fd6510611dc6fa3ae8ff8_17223690,,[],[user.name6@test.one],"[{""action"":""DO_NOTHING"",""mode"":""ACTIVE"",""name"":""Default O365 Mail policy""}]",104.47.58.100,user.name1@test.net,Orci nunc justo commodo.,OFFICE_365_MAIL,DELIVERY_IN_PROGRESS,NO_DETECTIONS,INTERNAL,richard.test@mc-ci.b40.one,entities,NO_DETECTIONS,1360813,53 +1722369053383,AUS2475,4WYQnn0vpXz5F14-fgiknsrigtkphoknuge9wswdmy_17223690,694e799acc4f3ec0f797daff03c55971b02710afaca00f7b148cc809c8bafb6b_17223690,,[],[user.name7@test.one],"[{""action"":""DO_NOTHING"",""mode"":""ACTIVE"",""name"":""Default O365 Mail policy""}]",54.236.186.183,user.name2@test.net,other recommendation,OFFICE_365_MAIL,DELIVERY_IN_PROGRESS,NO_DETECTIONS,INBOUND,,entities,NO_DETECTIONS,1360816,53 +1722369068374,AUS2475,4WYQp34tX6z5F14-13qz3m3x9nbmnt9pa1gwuzu5qf_17223690,361bd315deefe3a1a76e4184de247c6337fc4d93e7f2f6f1cd31fec6246bf373_17223690,,"[""IMG_0050.jpg""]",[user.name8@test.one],"[{""action"":""DO_NOTHING"",""mode"":""ACTIVE"",""name"":""Default O365 Mail policy""}]",54.236.186.183,user.name3@test.net,"RE: Will you be in the office on Friday, 2/7? I'd like to catch up. 
Sara",OFFICE_365_MAIL,DELIVERY_IN_PROGRESS,NO_DETECTIONS,INBOUND,,entities,NO_DETECTIONS,1360816,53 +1722369177671,AUS2475,4WYQr92g1Fz5F0r-4jj9cwnjho8qtj1hoea74zs61d_17223691,399b73670b26f4ecd3d8fe5f1d9c40b27d9af5e2eff09cc8d9af7f2f6b8347e0_17223691,,[],[user.name9@test.one],"[{""action"":""DO_NOTHING"",""mode"":""ACTIVE"",""name"":""Default O365 Mail policy""}]",54.236.186.183,user.name4@test.net,RE:,OFFICE_365_MAIL,DELIVERY_IN_PROGRESS,NO_DETECTIONS,INBOUND,mike.temp@demovation-ci.b40.one,entities,NO_DETECTIONS,1360816,53 +1722369178836,AUS2475,4WYQrB2tvPz5F13-34rkpremfnusds6yqx95ub83e8_17223691,9776a4b7ad066f7009675ec9422570ef0cbe6bd4b9c6f01c70b775614edb8c87_17223691,<9f32fdea-35b5-7591-fb97-91feafdd6243@demovation-ci.b41.one>,"[""bad qr code.png""]",[user.name@test.one],"[{""action"":""QUARANTINE"",""mode"":""ACTIVE"",""name"":""Default O365 Mail policy""}]",54.236.186.183,user.name5@test.net,Message from Node-RED,OFFICE_365_MAIL,QUARANTINED,PHISHING,INBOUND,,entities,PHISHING,1360816,53 \ No newline at end of file diff --git a/Sample Data/Custom/Mimecast/Seg_Cg_CL.csv b/Sample Data/Custom/Mimecast/Seg_Cg_CL.csv new file mode 100644 index 00000000000..9a31b6e50e8 --- /dev/null +++ b/Sample Data/Custom/Mimecast/Seg_Cg_CL.csv 
@@ -0,0 +1,6 @@
+delivered_s,deliveryAttempts_s,tlsUsed_s,route_s,deliveryErrors_s,aggregateId_s,processingId_s,accountId_s,timestamp_d,senderEnvelope_s,subject_s,totalSizeAttachments_s,numberAttachments_s,emailSize_s,type_s,subtype_s,_offset_d,_partition_d,recipients_s,direction_s
+,,,,,7vDYpKJNObakt9B4uA5i-w_172222203,IWRYWP4JqoLx2ANDVM1Xjj5r_CFHneHAbBKuc5T6XjA_17222220,CUSA38A223,1722222043768,user.name1@test.net,,,,,email_journal,,150729765,259,user.name6@test.one,Internal
+FALSE,27,No,Outbound,Domain has no MX records or is invalid,nnOou15sPn6jp__x3hEsH,vBlVsSCPTu8S9cZqJUz-QWZ5hKAQEUYnvhMGUt6iB,CUSA38A223,1722375069728,user.name2@test.net,We found suspicious files in a message,0,0,0,email_delivery,FALSE,151436353,259,user.name7@test.one,Outbound
+FALSE,27,No,Outbound,Domain has no MX records or is invalid,nnOou15sPn6jp__x3hEsH,vBlVsSCPTu8S9cZqJUz-QWZ5hKAQEUYnvhMGUt6iB,CUSA38A223,1722375069728,user.name3@test.net,We found suspicious files in a message,0,0,0,email_delivery,FALSE,151436353,259,user.name8@test.one,Outbound
+FALSE,27,No,Outbound,Domain has no MX records or is invalid,nnOou15sPn6jp__x3hEsH,vBlVsSCPTu8S9cZqJUz-QWZ5hKAQEUYnvhMGUt6iB,CUSA38A223,1722375069728,user.name4@test.net,We found suspicious files in a message,0,0,0,email_delivery,FALSE,151436353,259,user.name9@test.one,Outbound
+FALSE,27,No,Outbound,Domain has no MX records or is invalid,nnOou15sPn6jp__x3hEsH,vBlVsSCPTu8S9cZqJUz-QWZ5hKAQEUYnvhMGUt6iB,CUSA38A223,1722375069728,user.name5@test.net,We found suspicious files in a message,0,0,0,email_delivery,FALSE,151436353,259,user.name@test.one,Outbound
\ No newline at end of file
diff --git a/Sample Data/Custom/Mimecast/Seg_Dlp_CL.csv b/Sample Data/Custom/Mimecast/Seg_Dlp_CL.csv
new file mode 100644
index 00000000000..8cf88c32aac
--- /dev/null
+++ b/Sample Data/Custom/Mimecast/Seg_Dlp_CL.csv
@@ -0,0 +1,6 @@
+senderAddress_s,recipientAddress_s,subject_s,eventTime_t [UTC],route_s,policy_s,action_s,messageId_s
+user.name1@test.net,user.name6@test.one,RE:,"7/29/2024, 4:40:59 PM",outbound,Explicit Language,notification,<8a61afe877ff960e-200442@hapi.b41.one>
+user.name2@test.net,user.name7@test.one,,"7/29/2024, 9:00:52 PM",outbound,Explicit Language,notification,
+user.name3@test.net,user.name8@test.one,,"7/29/2024, 9:00:54 PM",outbound,Explicit Language,notification,
+user.name4@test.net,user.name9@test.one,Energy Issues,"7/29/2024, 9:56:24 PM",outbound,Secure Message PII,notification,<295127db38d77eae-175392@hapi.b41.one>
+user.name5@test.net,user.name@test.one,Energy Issues,"7/29/2024, 9:56:24 PM",outbound,Secure Message PII,secure_messaging,<295127db38d77eae-175392@hapi.b41.one>
\ No newline at end of file
diff --git a/Sample Data/Custom/Mimecast/Ttp_Attachment_CL.csv b/Sample Data/Custom/Mimecast/Ttp_Attachment_CL.csv
new file mode 100644
index 00000000000..a8cdf486147
--- /dev/null
+++ b/Sample Data/Custom/Mimecast/Ttp_Attachment_CL.csv
@@ -0,0 +1,11 @@
+senderAddress_s,recipientAddress_s,fileName_s,fileType_s,result_s,actionTriggered_s,date_t [UTC],details_s,route_s,messageId_s,subject_s,fileHash_s,definition_s
+user.name1@test.net,user.name6@test.one,zero-day.pdf,application/pdf,malicious,none,"7/30/2024, 9:03:43 PM","[MALICIOUS_ACTIVITY: Exploit: Attempting to exploit CVE-2010-1240
+Time taken: 0 hrs, 0 min, 2 sec]",internal,,Webcast of Conference,22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98ba,Default Attachment Protection Definition
+user.name2@test.net,user.name7@test.one,attach-03402210-99a0-4b93-9544-ca5a4d3907ac.pdf,application/pdf,safe,"none, none","7/30/2024, 9:41:00 PM","Safe
+Time taken: 0 hrs, 0 min, 2 sec",inbound,,Fwd,48ec551a3401ecf207e57c463e05baca63b3c3be7f96d22a822326f3cfec15,Default Attachment Protection Definition
+user.name3@test.net,user.name8@test.one,attach-03402210-99a0-4b93-9544-ca5a4d3907ac.pdf,application/pdf,safe,"none, none","7/30/2024, 9:42:00 PM","Safe
+Time taken: 0 hrs, 0 min, 4 sec",inbound,,Fwd,48ec551a3401ecf207e57c463e05baca63b3c3be7f96d22a822326f3cfec15,Default Attachment Protection Definition
+user.name4@test.net,user.name9@test.one,mimcast test 6.docx,application/vnd.openxmlformats-officedocument.wordprocessingml.document,safe,"none, none","7/15/2024, 10:50:27 PM","Safe
+Time taken: 0 hrs, 0 min, 5 sec",inbound,<0930e8ab2d8f43a0-112282@hapi.b41.one>,Energy and Developing Products Committee Meeting ,0e71202e6f0e1dd047a976573e9706fe23c062f89212f002e1032893c83721,Default Attachment Protection Definition
+user.name5@test.net,user.name@test.one,mimcast test 6.docx,application/vnd.openxmlformats-officedocument.wordprocessingml.document,safe,"none, none","7/15/2024, 10:50:27 PM","Safe
+Time taken: 0 hrs, 0 min, 4 sec",inbound,<0930e8ab2d8f43a0-112282@hapi.b41.one>,Energy and Developing Products Committee Meeting,0e71202e6f0e1dd047a976573e9706fe23c062f89212f002e1032893c83721,Default Attachment Protection Definition
\ No newline at end of file
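Review bot: Every fileHash_s value in this fixture is 62 hex characters long (for example `22a65c438289353d96c707cf55e26be723e3157f0aa00734843a9bdc8f98ba`), which is not a valid MD5 (32), SHA-1 (40) or SHA-256 (64) length, so the hashes look truncated at export time. If the consuming parser derives a HashType from the hash length, these rows would not exercise that mapping or would produce an empty type; replacing them with full-length constructed placeholder hashes would restore that coverage without introducing real IoCs. The details_s column also depends on a quoted line break inside the field (`"Safe` followed by `Time taken: …"`), so whatever ingests this CSV must honor RFC 4180 quoted newlines or each of these rows will be split in two.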
diff --git a/Sample Data/Custom/Mimecast/Ttp_Impersonation_CL.csv b/Sample Data/Custom/Mimecast/Ttp_Impersonation_CL.csv
new file mode 100644
index 00000000000..2760be2b589
--- /dev/null
+++ b/Sample Data/Custom/Mimecast/Ttp_Impersonation_CL.csv
@@ -0,0 +1,6 @@
+id_s,senderAddress_s,recipientAddress_s,subject_s,definition_s,hits_d,identifiers_s,action_s,taggedExternal_b,taggedMalicious_b,senderIpAddress_s,eventTime_t [UTC],impersonationResults_s,messageId_s,_ResourceId
+MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnIODXY0tnA0MjJX0lHKTFGyMjU2MLY0MtVRKkstKs7Mz1OyMtRRKskDKzYwMFKqBQCx,user.name1@test.net,user.name6@test.one,Farewell CTS - Hello Vestec!,KPTPDP Hold,1,"[""targeted_threat_dictionary""]",hold,FALSE,TRUE,34.235.45.234,"7/31/2024, 12:57:59 AM","[{""impersonationDomainSource"":""targeted_threat_dictionary"",""stringSimilarToDomain"":""process,please,Please""}]",<1319139aee17fe6e-201603@hapi.b41.one>,
+MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnIODXY0tnA0MjJX0lHKTFGyMjU2NDA3NtBRKkstKs7Mz1OyMtRRKskDKzYwMFeqBQCx,user.name2@test.net,user.name7@test.one,Commissioner.COM E-Reports for Big E '01 12/24/01,Low Confidence Phishing Indicators,1,"[""targeted_threat_dictionary""]",none,FALSE,TRUE,34.235.45.234,"7/31/2024, 4:18:02 AM","[{""impersonationDomainSource"":""targeted_threat_dictionary"",""stringSimilarToDomain"":""gift,purchase""}]",<04a1b292c0938658-105755@hapi.b41.one>,
+MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnIODXY0tnA0MjJX0lHKTFGyMjWyMDcxtdBRKkstKs7Mz1OyMtRRKskDKzYwMFaqBQCz,user.name3@test.net,user.name8@test.one,Legislative Update,Low Confidence Phishing Indicators,1,"[""targeted_threat_dictionary""]",none,FALSE,TRUE,34.235.45.234,"7/15/2024, 11:19:46 PM","[{""impersonationDomainSource"":""targeted_threat_dictionary"",""stringSimilarToDomain"":""transfer,make""}]",<635290cb0685a09c-45048@hapi.b41.one>,
+MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnIODXY0tnA0MjJX0lHKTFGyMjWyMDcxM9BRKkstKs7Mz1OyMtRRKskDKzYwMFaqBQCy,user.name4@test.net,user.name9@test.one,Legislative Update,Low Confidence Phishing Indicators,1,"[""targeted_threat_dictionary""]",none,FALSE,TRUE,34.235.45.234,"7/15/2024, 11:19:46 
PM","[{""impersonationDomainSource"":""targeted_threat_dictionary"",""stringSimilarToDomain"":""transfer,make""}]",<635290cb0685a09c-45048@hapi.b41.one>,
+MTOKEN:eNqrVkouLS7Jz00tSs5PSVWyUnIODXY0tnA0MjJX0lHKTFGyMjWyMDcxtdRRKkstKs7Mz1OyMtRRKskDKzYwMFaqBQCz,user.name5@test.net,user.name@test.one,Legislative Update,Low Confidence Phishing Indicators,1,"[""targeted_threat_dictionary""]",none,FALSE,TRUE,34.235.45.234,"7/15/2024, 11:19:46 PM","[{""impersonationDomainSource"":""targeted_threat_dictionary"",""stringSimilarToDomain"":""transfer,make""}]",<635290cb0685a09c-45048@hapi.b41.one>,
\ No newline at end of file
diff --git a/Sample Data/Custom/Mimecast/Ttp_Url_CL.csv b/Sample Data/Custom/Mimecast/Ttp_Url_CL.csv
new file mode 100644
index 00000000000..05a6224eece
--- /dev/null
+++ b/Sample Data/Custom/Mimecast/Ttp_Url_CL.csv
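Review bot: senderIpAddress_s is `34.235.45.234` in all five rows of Ttp_Impersonation_CL.csv, a globally routable public address; sample data should use the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so a fixture can never be mistaken for, or trigger enrichment or blocking against, a real host. The same value is used for sendingIp_s in the Ttp_Url_CL.csv hunk that follows, so both files need the substitution. The id_s MTOKEN values also look like opaque tokens exported from a live tenant rather than constructed placeholders; it is worth confirming they carry nothing tenant-specific before the sample is published.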
@@ -0,0 +1,6 @@
+userEmailAddress_s,fromUserEmailAddress_s,url_s,ttpDefinition_s,subject_s,action_s,adminOverride_s,userOverride_s,scanResult_s,Category,sendingIp_s,userAwarenessAction_s,date_t [UTC],actions_s,route_s,creationMethod_s,emailPartsDescription_s,messageId_s,tagMap_UrlReputationScan_Type_s,tagMap_UrlReputationScan_UrlBlock_s
+user.name1@test.net,user.name6@test.one,http://www.test.com/xt_kc.asp,Default URL Protection Definition,Super Savings from Post,allow,N/A,None,clean,Business,34.235.45.234,N/A,"7/15/2024, 9:07:19 PM",Allow,inbound,User Click,"[""Body""]",<05d0bbfb0cab6d76-370146@hapi.b41.one>,,
+user.name2@test.net,user.name7@test.one,"http://www.temp.com/temp/0,,MSE3MC03LVdOLU1G",Default URL Protection Definition,TEST FUNDS WEEKLY PRICE (NAV) CLOSINGS,allow,N/A,None,clean,Business,34.235.45.234,N/A,"7/15/2024, 9:12:19 PM",Allow,inbound,User Click,"[""Body""]",,,
+user.name3@test.net,user.name8@test.one,http://word.org/word/iracd.ram,Default URL Protection Definition,A.Word.A.Day--icund,allow,N/A,None,clean,Reference,34.235.45.234,N/A,"7/15/2024, 10:04:50 PM",Allow,inbound,User Click,"[""Body""]",<674cee6a703c6324-294869@hapi.b41.one>,,
+user.name4@test.net,user.name9@test.one,http://7.T,Default URL Protection Definition,FW,warn,N/A,None,malicious,Phishing & Fraud,Internal IP,N/A,"7/16/2024, 1:24:57 AM","Hold, None",outbound,Entry Scan,"[""Body""]",<09418a924289712d-101872@hapi.b41.one>,"[""Malware, Phishing & Fraud""]","[""ORIGINAL:http://7.T -> ORIGINAL:http://7.t (Blocked as MALWARE,PHISHING)""]"
+user.name5@test.net,user.name@test.one,https://demo.b41.one/VTJGc2RHVmtYMTlvUE1tRGJDaWtBbURoOW0xWVBUcFI2MWZy,Default URL Protection Definition,"Go to these links, now!",warn,N/A,None,malicious,Phishing & Fraud,34.235.45.234,N/A,"7/16/2024, 2:39:55 AM",Warn,inbound,User Click,"[""Body""]",<56e4d39a-79f5-7861-cae6-35bce76d73d6@notify.b41.one>,,"[""ORIGINAL:https://demo.b41.one/VTJGc2RHVmtYMTlvUE1tRGJDaWtBbxWVBUcFI2MWZyb2lOYVZCZz0=""]"
\ No newline at end
of file
diff --git a/Sample Data/Custom/Tenable_VM_Compliance_CL.json b/Sample Data/Custom/Tenable_VM_Compliance_CL.json
new file mode 100644
index 00000000000..44bedbf0da5
--- /dev/null
+++ b/Sample Data/Custom/Tenable_VM_Compliance_CL.json
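Review bot: The header of Ttp_Url_CL.csv names its tenth column `Category` with no `_s` type suffix, while every other column in this file and in the sibling Mimecast CSVs carries one; if this sample is meant to mirror the Log Analytics custom table, that column would be the only untyped one, so either it should read `Category_s` or the mismatch should be documented as matching the real table. Row 4 also puts the literal `Internal IP` in sendingIp_s, the only non-address value in that column across the file; a parser that casts the field to an IP type would presumably null or drop that row, so either use a private-range placeholder such as 10.0.0.0/8 or make sure the parser treats the field as free text.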
@@ -0,0 +1,4930 @@ +[ + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "ece8faf2556e0834dc0eb532431197834b683afa77d7a13aeee19caea576e706", + "check_name_s": "2.2.9 Ensure IMAP and POP3 server is not installed - cyrus-imapd", + "check_info_s": "dovecot is an open source IMAP and POP3 server for Linux based systems.\n\nRationale:\n\nUnless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface.\n\nNote: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required.", + "expected_value_s": "operator: lte\nrpm: cyrus-imapd-0.0.0-0\nsystem: Linux", + "actual_value_s": "The package 'cyrus-imapd-0.0.0-0' is not installed", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.4.2" + }, + { + "framework": "800-171", + "control": "3.4.6" + }, + { + "framework": "800-171", + "control": "3.4.7" + }, + { + "framework": "800-53", + "control": "CM-6" + }, + { + "framework": "800-53", + "control": "CM-7" + }, + { + "framework": "800-53r5", + "control": "CM-6" + }, + { + "framework": "800-53r5", + "control": "CM-7" + }, + { + "framework": "CSCv7", + "control": "9.2" + }, + { + "framework": "CSCv8", + "control": "4.8" + }, + { + "framework": "CSF", + "control": "PR.IP-1" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "ITSG-33", + "control": "CM-6" + }, + { + "framework": "ITSG-33", + "control": "CM-7" + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NIAv2", + "control": "SS15a" + 
}, + { + "framework": "PCI-DSSv3.2.1", + "control": "2.2.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "2.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Run the following command to remove dovecot and cyrus-imapd:\n\n# dnf remove dovecot cyrus-imapd\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 5:\n\nCM-7", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "2.2.9 Ensure IMAP and POP3 server is not installed - cyrus-imapd: [PASSED]\"\n\ndovecot is an open source IMAP and POP3 server for Linux based systems.\n\nRationale:\n\nUnless POP3 and/or IMAP servers are to be provided by this system, it is recommended that the package be removed to reduce the potential attack surface.\n\nNote: Several IMAP/POP3 servers exist and can use other service names. These should also be audited and the packages removed if not required.\n\nSolution:\nRun the following command to remove dovecot and cyrus-imapd:\n\n# dnf remove dovecot cyrus-imapd\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 
5:\n\nCM-7\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.4.2), ComplianceReference(framework=800-171, control=3.4.6), ComplianceReference(framework=800-171, control=3.4.7), ComplianceReference(framework=800-53, control=CM-6), ComplianceReference(framework=800-53, control=CM-7), ComplianceReference(framework=800-53r5, control=CM-6), ComplianceReference(framework=800-53r5, control=CM-7), ComplianceReference(framework=CSCv7, control=9.2), ComplianceReference(framework=CSCv8, control=4.8), ComplianceReference(framework=CSF, control=PR.IP-1), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=ITSG-33, control=CM-6), ComplianceReference(framework=ITSG-33, control=CM-7), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NIAv2, control=SS15a), ComplianceReference(framework=PCI-DSSv3.2.1, control=2.2.2), ComplianceReference(framework=SWIFT-CSCv1, control=2.3)}\n\nPolicy Value:\noperator: lte\nrpm: cyrus-imapd-0.0.0-0\nsystem: Linux\n\nActual Value:\n The package 'cyrus-imapd-0.0.0-0' is not installed", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "167059e0b015998cb54749aba770dab01a8762c2a53c731bf68b725f4a00f542", + "compliance_full_id_s": "ece8faf2556e0834dc0eb532431197834b683afa77d7a13aeee19caea576e706", + "compliance_functional_id_s": "885c095206", + "compliance_informational_id_s": "8b88c045fca7d58424b39f8381f12f02b8cc65f8ddcaa96d6b971e37cf7c81ab", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "317423c8e0dc055f4f5617615956199e915d4da4792b458e4d268f825e284498", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 
x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "71bfad6eaa9f9137543f3f7e31ef0777d2e2c9c59ecc1d151eab065f74c7d031", + "check_name_s": "4.1.3.8 Ensure events that modify user/group information are collected - /etc/security/opasswd", + "check_info_s": "Record events affecting the modification of user or group information, including that of passwords and old passwords if in use.\n\n/etc/group - system groups\n\n/etc/passwd - system users\n\n/etc/gshadow - encrypted password for each group\n\n/etc/shadow - system user passwords\n\n/etc/security/opasswd - storage of old passwords if the relevant PAM module is in use\n\nThe parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.", + "expected_value_s": "cmd: /usr/bin/awk '/^ *-w/ &&/\\/etc\\/security\\/opasswd/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command '/usr/bin/awk '/^ *-w/ &&/\\/etc\\/security\\/opasswd/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": 
"4.8" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + 
{ + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information.\nExample:\n\n# printf '\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n' >> /etc/audit/rules.d/50-identity.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.8 Ensure events that modify user/group information are collected - /etc/security/opasswd: [FAILED]\"\n\nRecord events affecting the modification of user or group information, including that of passwords and old passwords if in use.\n\n/etc/group - system groups\n\n/etc/passwd - system users\n\n/etc/gshadow - encrypted password for each group\n\n/etc/shadow - system user passwords\n\n/etc/security/opasswd - storage of old passwords if the relevant PAM module is in use\n\nThe parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information.\nExample:\n\n# printf '\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n' >> /etc/audit/rules.d/50-identity.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. 
A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=4.8), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, 
control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: /usr/bin/awk '/^ *-w/ &&/\\/etc\\/security\\/opasswd/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command '/usr/bin/awk '/^ *-w/ 
&&/\\/etc\\/security\\/opasswd/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "d61367b397bf263134281345942027fcd798faa4c5d6353b9fe8a10797ae286b", + "compliance_full_id_s": "71bfad6eaa9f9137543f3f7e31ef0777d2e2c9c59ecc1d151eab065f74c7d031", + "compliance_functional_id_s": "c3a3eb27ad", + "compliance_informational_id_s": "0ebdfe8388ad7c316191190c53408a45bb7a19be4b128fbe99e86f6d629f750c", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "ea4f97c2bf9124a3ceb4cd542ac0744a1cfcb3a8bfb022431805863b931dca2f", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": 
"CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "66e1ced6b3285a29d86ca062d7e03b0e20630d271ea9af9f561bd84a51119227", + "check_name_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 fchown", + "check_info_s": "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.", + "expected_value_s": "cmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchown/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchown/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print 
\"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + 
"framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S 
chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 fchown: [FAILED]\"\n\nMonitor changes to file permissions, attributes, ownership and group. 
The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot 
is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, 
control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), 
ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchown/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchown/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "4c2dbe80bcd14254f103bf348d9cba387975439583fe195aaa73b140a8ef1821", + "compliance_full_id_s": "66e1ced6b3285a29d86ca062d7e03b0e20630d271ea9af9f561bd84a51119227", + "compliance_functional_id_s": "dbf310cbed", + "compliance_informational_id_s": "e074a8b93d6e6d39a8f6913ed3652e35ba9acc37aaa09bbff79c41a9aa10dc5d", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "592ae116de7793ad209255dd3007cf0a8e2e218e76760d50a3f15e536e37b519", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 
x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "6b4bede1185694c0d2200e1bc07bc7ba4ddda7803cebdef10328dc1d8bd17b1a", + "check_name_s": "1.1.2.2 Ensure nodev option set on /tmp partition", + "check_info_s": "The nodev mount option specifies that the filesystem cannot contain special devices.\n\nRationale:\n\nSince the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp.", + "expected_value_s": "cmd: /usr/bin/findmnt --kernel /tmp\nexpect: [\\s]*[,]?nodev\nsystem: Linux", + "actual_value_s": "The command '/usr/bin/findmnt --kernel /tmp' did not return any result", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.4.2" + }, + { + "framework": "800-171", + "control": "3.4.6" + }, + { + "framework": "800-171", + "control": "3.4.7" + }, + { + "framework": "800-53", + "control": "CM-6" + }, + { + "framework": "800-53", + "control": "CM-7" + }, + { + "framework": "800-53r5", + "control": "CM-6" + }, + { + "framework": 
"800-53r5", + "control": "CM-7" + }, + { + "framework": "CSCv7", + "control": "9.2" + }, + { + "framework": "CSCv8", + "control": "4.8" + }, + { + "framework": "CSF", + "control": "PR.IP-1" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "ITSG-33", + "control": "CM-6" + }, + { + "framework": "ITSG-33", + "control": "CM-7" + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NIAv2", + "control": "SS15a" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "2.2.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "2.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Edit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition.\nExample:\n\n /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0\n\nRun the following command to remount /tmp with the configured options:\n\n# mount -o remount /tmp", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "1.1.2.2 Ensure nodev option set on /tmp partition: [FAILED]\"\n\nThe nodev mount option specifies that the filesystem cannot contain special devices.\n\nRationale:\n\nSince the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot create a block or character special devices in /tmp.\n\nSolution:\nEdit the /etc/fstab file and add nodev to the fourth field (mounting options) for the /tmp partition.\nExample:\n\n /tmp defaults,rw,nosuid,nodev,noexec,relatime 0 0\n\nRun the following command to remount /tmp with the configured options:\n\n# mount -o remount /tmp\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.4.2), ComplianceReference(framework=800-171, control=3.4.6), ComplianceReference(framework=800-171, control=3.4.7), ComplianceReference(framework=800-53, 
control=CM-6), ComplianceReference(framework=800-53, control=CM-7), ComplianceReference(framework=800-53r5, control=CM-6), ComplianceReference(framework=800-53r5, control=CM-7), ComplianceReference(framework=CSCv7, control=9.2), ComplianceReference(framework=CSCv8, control=4.8), ComplianceReference(framework=CSF, control=PR.IP-1), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=ITSG-33, control=CM-6), ComplianceReference(framework=ITSG-33, control=CM-7), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NIAv2, control=SS15a), ComplianceReference(framework=PCI-DSSv3.2.1, control=2.2.2), ComplianceReference(framework=SWIFT-CSCv1, control=2.3)}\n\nPolicy Value:\ncmd: /usr/bin/findmnt --kernel /tmp\nexpect: [\\s]*[,]?nodev\nsystem: Linux\n\nActual Value:\n The command '/usr/bin/findmnt --kernel /tmp' did not return any result", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "c21c81eca23d7d2755f3e42c2996803dad7070ac873643cbf4605db9b0f87845", + "compliance_full_id_s": "6b4bede1185694c0d2200e1bc07bc7ba4ddda7803cebdef10328dc1d8bd17b1a", + "compliance_functional_id_s": "fd7a571e5e", + "compliance_informational_id_s": "b0eab6c2dcbafba2ab8e05bbd2af7b42d9c973d65343af6c4b6093deebbe3b7d", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "16f64094cc56e2fa58284a3c74869fc86b82f445602ea2c638c60eb0898d1a1b", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + 
"asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "d7adf2fd57203608b90295c6c7c4c1a6fb76399ee9b79cb63f17b564b7b213dd", + "check_name_s": "5.1.1 Ensure cron daemon is enabled", + "check_info_s": "The cron daemon is used to execute batch jobs on the system.\n\nRationale:\n\nWhile there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them.", + "expected_value_s": "cmd: /*******\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux", + "actual_value_s": "The command returned : \n\nenabled", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.4.8" + }, + { + "framework": "800-53", + "control": "CM-7(5)" + }, + { + "framework": "800-53r5", + "control": "CM-7(5)" + }, + { + "framework": "CSF", + "control": "PR.IP-1" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.12.5.1" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.12.6.2" + }, + { + "framework": "ITSG-33", + "control": "CM-7" + }, + { + "framework": "LEVEL", + "control": 
"1A" + }, + { + "framework": "NIAv2", + "control": "SS15a" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "2.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "2.3" + }, + { + "framework": "TBA-FIISB", + "control": "44.2.2" + }, + { + "framework": "TBA-FIISB", + "control": "49.2.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Run the following command to enable cron:\n\n# systemctl --now enable crond\n\nAdditional Information:\n\nAdditional methods of enabling a service exist. Consult your distribution documentation for appropriate methods.\n\nNIST SP 800-53 Rev. 5:\n\nCM-1\n\nCM-2\n\nCM-6\n\nCM-7\n\nIA-5\n\nMITRE ATT&CK Mappings:\n\nTechniques / Sub-techniques\n\nTactics\n\nMitigations\n\nT1562, T1562.001\n\nTA0005\n\nM1018", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "5.1.1 Ensure cron daemon is enabled: [PASSED]\"\n\nThe cron daemon is used to execute batch jobs on the system.\n\nRationale:\n\nWhile there may not be user jobs that need to be run on the system, the system does have maintenance jobs that may include security monitoring that have to run, and cron is used to execute them.\n\nSolution:\nRun the following command to enable cron:\n\n# systemctl --now enable crond\n\nAdditional Information:\n\nAdditional methods of enabling a service exist. Consult your distribution documentation for appropriate methods.\n\nNIST SP 800-53 Rev. 
5:\n\nCM-1\n\nCM-2\n\nCM-6\n\nCM-7\n\nIA-5\n\nMITRE ATT&CK Mappings:\n\nTechniques / Sub-techniques\n\nTactics\n\nMitigations\n\nT1562, T1562.001\n\nTA0005\n\nM1018\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.4.8), ComplianceReference(framework=800-53, control=CM-7(5)), ComplianceReference(framework=800-53r5, control=CM-7(5)), ComplianceReference(framework=CSF, control=PR.IP-1), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=ISO/IEC-27001, control=A.12.5.1), ComplianceReference(framework=ISO/IEC-27001, control=A.12.6.2), ComplianceReference(framework=ITSG-33, control=CM-7), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NIAv2, control=SS15a), ComplianceReference(framework=PCI-DSSv3.2.1, control=2.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=SWIFT-CSCv1, control=2.3), ComplianceReference(framework=TBA-FIISB, control=44.2.2), ComplianceReference(framework=TBA-FIISB, control=49.2.3)}\n\nPolicy Value:\ncmd: /*******\ndont_echo_cmd: YES\nexpect: enabled\nsystem: Linux\n\nActual Value:\n The command returned : \n\nenabled", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "75f9187fa5f514629626891335d713da676996a8c24c7e04a3c5aedcbfb88093", + "compliance_full_id_s": "d7adf2fd57203608b90295c6c7c4c1a6fb76399ee9b79cb63f17b564b7b213dd", + "compliance_functional_id_s": "6cba02de15", + "compliance_informational_id_s": "0e35b915f114afc03d7e596c62646c1428f0b0f5afb2e7fc48d73e7f2a65fe72", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "f4270d2538a00348af5b3cc314d2588db370a783bc1feb8b2085bbff7ee58ebc", + "uname_output_s": "Linux 
ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "0d6d85ea6242503eb6c928f1776377b8bc7ab16a5b6973c59ca43151a6deb935", + "check_name_s": "3.4.2.3 Ensure nftables base chains exist - firewall misconfigured", + "check_info_s": "Chains are containers for rules. They exist in two kinds, base chains and regular chains. 
A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization.\n\nRationale:\n\nIf a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables.\n\nImpact:\n\nIf configuring over ssh, creating a base chain with a policy of drop will cause loss of connectivity.\n\nEnsure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop", + "expected_value_s": "cmd: multiple line script\ndont_echo_cmd: NO\nexpect: (?i)^[\\s]*\\**[\\s]*pass:?[\\s]*\\**$", + "actual_value_s": "The command script with multiple lines returned : \n\n- Audit Results:\n ** Fail **\n - Neither FirewallD or NFTables is installed.", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.13.1" + }, + { + "framework": "800-171", + "control": "3.13.5" + }, + { + "framework": "800-171", + "control": "3.13.6" + }, + { + "framework": "800-53", + "control": "CA-9" + }, + { + "framework": "800-53", + "control": "SC-7" + }, + { + "framework": "800-53", + "control": "SC-7(5)" + }, + { + "framework": "800-53r5", + "control": "CA-9" + }, + { + "framework": "800-53r5", + "control": "SC-7" + }, + { + "framework": "800-53r5", + "control": "SC-7(5)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.2(c)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.6(j)" + }, + { + "framework": "CSCv7", + "control": "9.4" + }, + { + "framework": "CSCv8", + "control": "4.4" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "ID.AM-3" + }, + { + "framework": "CSF", + "control": "PR.AC-5" + }, + { + "framework": "CSF", + "control": "PR.DS-5" + }, + { + "framework": "CSF", + "control": "PR.PT-4" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "GDPR", + "control": "32.1.d" + }, + { + 
"framework": "GDPR", + "control": "32.2" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.13.1.3" + }, + { + "framework": "ITSG-33", + "control": "SC-7" + }, + { + "framework": "ITSG-33", + "control": "SC-7(5)" + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NESA", + "control": "T4.5.4" + }, + { + "framework": "NIAv2", + "control": "GS1" + }, + { + "framework": "NIAv2", + "control": "GS2a" + }, + { + "framework": "NIAv2", + "control": "GS2b" + }, + { + "framework": "NIAv2", + "control": "GS7b" + }, + { + "framework": "NIAv2", + "control": "NS25" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "1.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "1.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "1.2.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "1.3" + }, + { + "framework": "PCI-DSSv4.0", + "control": "1.2.1" + }, + { + "framework": "PCI-DSSv4.0", + "control": "1.4.1" + }, + { + "framework": "QCSC-v1", + "control": "4.2" + }, + { + "framework": "QCSC-v1", + "control": "5.2.1" + }, + { + "framework": "QCSC-v1", + "control": "5.2.2" + }, + { + "framework": "QCSC-v1", + "control": "5.2.3" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "SWIFT-CSCv1", + "control": "2.1" + }, + { + "framework": "TBA-FIISB", + "control": "43.1" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Run the following command to create the base chains:\n\n# nft create chain inet { type filter hook <(input|forward|output)> priority 0 ; }\n\nExample:\n\n# nft create chain inet filter input { type filter hook input priority 0 ; }\n# nft create chain inet filter forward { type filter hook forward priority 0 ; }\n# nft create chain inet filter output { type filter hook output priority 0 ; }\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 
5:\n\nCA-9", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "3.4.2.3 Ensure nftables base chains exist - firewall misconfigured: [FAILED]\"\n\nChains are containers for rules. They exist in two kinds, base chains and regular chains. A base chain is an entry point for packets from the networking stack, a regular chain may be used as jump target and is used for better rule organization.\n\nRationale:\n\nIf a base chain doesn't exist with a hook for input, forward, and delete, packets that would flow through those chains will not be touched by nftables.\n\nImpact:\n\nIf configuring over ssh, creating a base chain with a policy of drop will cause loss of connectivity.\n\nEnsure that a rule allowing ssh has been added to the base chain prior to setting the base chain's policy to drop\n\nSolution:\nRun the following command to create the base chains:\n\n# nft create chain inet
{ type filter hook <(input|forward|output)> priority 0 ; }\n\nExample:\n\n# nft create chain inet filter input { type filter hook input priority 0 ; }\n# nft create chain inet filter forward { type filter hook forward priority 0 ; }\n# nft create chain inet filter output { type filter hook output priority 0 ; }\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 5:\n\nCA-9\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.13.1), ComplianceReference(framework=800-171, control=3.13.5), ComplianceReference(framework=800-171, control=3.13.6), ComplianceReference(framework=800-53, control=CA-9), ComplianceReference(framework=800-53, control=SC-7), ComplianceReference(framework=800-53, control=SC-7(5)), ComplianceReference(framework=800-53r5, control=CA-9), ComplianceReference(framework=800-53r5, control=SC-7), ComplianceReference(framework=800-53r5, control=SC-7(5)), ComplianceReference(framework=CN-L3, control=7.1.2.2(c)), ComplianceReference(framework=CN-L3, control=8.1.10.6(j)), ComplianceReference(framework=CSCv7, control=9.4), ComplianceReference(framework=CSCv8, control=4.4), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=ID.AM-3), ComplianceReference(framework=CSF, control=PR.AC-5), ComplianceReference(framework=CSF, control=PR.DS-5), ComplianceReference(framework=CSF, control=PR.PT-4), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=GDPR, control=32.1.d), ComplianceReference(framework=GDPR, control=32.2), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=ISO/IEC-27001, control=A.13.1.3), ComplianceReference(framework=ITSG-33, control=SC-7), ComplianceReference(framework=ITSG-33, control=SC-7(5)), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NESA, control=T4.5.4), ComplianceReference(framework=NIAv2, control=GS1), 
ComplianceReference(framework=NIAv2, control=GS2a), ComplianceReference(framework=NIAv2, control=GS2b), ComplianceReference(framework=NIAv2, control=GS7b), ComplianceReference(framework=NIAv2, control=NS25), ComplianceReference(framework=PCI-DSSv3.2.1, control=1.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=1.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=1.2.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=1.3), ComplianceReference(framework=PCI-DSSv4.0, control=1.2.1), ComplianceReference(framework=PCI-DSSv4.0, control=1.4.1), ComplianceReference(framework=QCSC-v1, control=4.2), ComplianceReference(framework=QCSC-v1, control=5.2.1), ComplianceReference(framework=QCSC-v1, control=5.2.2), ComplianceReference(framework=QCSC-v1, control=5.2.3), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=SWIFT-CSCv1, control=2.1), ComplianceReference(framework=TBA-FIISB, control=43.1)}\n\nPolicy Value:\ncmd: multiple line script\ndont_echo_cmd: NO\nexpect: (?i)^[\\s]*\\**[\\s]*pass:?[\\s]*\\**$\n\nActual Value:\n The command script with multiple lines returned : \n\n- Audit Results:\n ** Fail **\n - Neither FirewallD or NFTables is installed.", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "febf648efcfe844dadaf8953d279d2b8064fc2e6cf0b0f8cfc5561e7b17de384", + "compliance_full_id_s": "0d6d85ea6242503eb6c928f1776377b8bc7ab16a5b6973c59ca43151a6deb935", + "compliance_functional_id_s": "9c16d0c9d5", + "compliance_informational_id_s": "2bd1d18d5f1e0106aee51c5e3b32b327b0c6f4b0caf6b690369aae6d0d32cb94", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "05bec6c0f570d510001e5c87b4623da338d0bd49257771e4e9611ff159eee707", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 
x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "c96995aad2b523552eb8523de7ee05751bcccecb975fb32bfd6e5cc8d7efcaeb", + "check_name_s": "4.1.3.8 Ensure events that modify user/group information are collected - auditctl /etc/shadow", + "check_info_s": "Record events affecting the modification of user or group information, including that of passwords and old passwords if in use.\n\n/etc/group - system groups\n\n/etc/passwd - system users\n\n/etc/gshadow - encrypted password for each group\n\n/etc/shadow - system user passwords\n\n/etc/security/opasswd - storage of old passwords if the relevant PAM module is in use\n\nThe parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. 
permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.", + "expected_value_s": "cmd: auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/shadow/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/shadow/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "4.8" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": 
"DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" 
+ }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information.\nExample:\n\n# printf '\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n' >> /etc/audit/rules.d/50-identity.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.8 Ensure events that modify user/group information are collected - auditctl /etc/shadow: [FAILED]\"\n\nRecord events affecting the modification of user or group information, including that of passwords and old passwords if in use.\n\n/etc/group - system groups\n\n/etc/passwd - system users\n\n/etc/gshadow - encrypted password for each group\n\n/etc/shadow - system user passwords\n\n/etc/security/opasswd - storage of old passwords if the relevant PAM module is in use\n\nThe parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier 'identity' in the audit log file.\n\nRationale:\n\nUnexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify user/group information.\nExample:\n\n# printf '\n-w /etc/group -p wa -k identity\n-w /etc/passwd -p wa -k identity\n-w /etc/gshadow -p wa -k identity\n-w /etc/shadow -p wa -k identity\n-w /etc/security/opasswd -p wa -k identity\n' >> /etc/audit/rules.d/50-identity.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. 
A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=4.8), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, 
control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/shadow/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/shadow/ &&/ +-p *wa/ &&(/ 
key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "d61367b397bf263134281345942027fcd798faa4c5d6353b9fe8a10797ae286b", + "compliance_full_id_s": "c96995aad2b523552eb8523de7ee05751bcccecb975fb32bfd6e5cc8d7efcaeb", + "compliance_functional_id_s": "33541942ba", + "compliance_informational_id_s": "0ebdfe8388ad7c316191190c53408a45bb7a19be4b128fbe99e86f6d629f750c", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "10e6d79c56e8ec5e92057290f406b125b9b41be6b980d5e1bfa2e28dfc40f342", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "ee7e02cc5a08bc60d3f7e01addca8260726187e1df8a688c4842010ed5ca2a08", + "check_name_s": 
"1.1.5.4 Ensure nosuid option set on /var/log partition", + "check_info_s": "The nosuid mount option specifies that the filesystem cannot contain setuid files.\n\nRationale:\n\nSince the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log.", + "expected_value_s": "cmd: /usr/bin/findmnt --kernel /var/log | /usr/bin/awk '{print} END {if (NR == 0) print \"not mounted\"}'\nexpect: ([\\s]*[,]?nosuid|not mounted)\nsystem: Linux", + "actual_value_s": "The command '/usr/bin/findmnt --kernel /var/log | /usr/bin/awk '{print} END {if (NR == 0) print \"not mounted\"}'' returned : \n\nnot mounted", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.1.1" + }, + { + "framework": "800-171", + "control": "3.1.4" + }, + { + "framework": "800-171", + "control": "3.1.5" + }, + { + "framework": "800-171", + "control": "3.8.1" + }, + { + "framework": "800-171", + "control": "3.8.2" + }, + { + "framework": "800-171", + "control": "3.8.3" + }, + { + "framework": "800-53", + "control": "AC-3" + }, + { + "framework": "800-53", + "control": "AC-5" + }, + { + "framework": "800-53", + "control": "AC-6" + }, + { + "framework": "800-53", + "control": "MP-2" + }, + { + "framework": "800-53r5", + "control": "AC-3" + }, + { + "framework": "800-53r5", + "control": "AC-5" + }, + { + "framework": "800-53r5", + "control": "AC-6" + }, + { + "framework": "800-53r5", + "control": "MP-2" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(g)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.2(d)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.2(f)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.11(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.2(c)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.6(a)" + }, + { + "framework": "CN-L3", + "control": "8.5.3.1" + }, + { + "framework": "CN-L3", + 
"control": "8.5.4.1(a)" + }, + { + "framework": "CSCv7", + "control": "14.6" + }, + { + "framework": "CSCv8", + "control": "3.3" + }, + { + "framework": "CSF", + "control": "PR.AC-4" + }, + { + "framework": "CSF", + "control": "PR.DS-5" + }, + { + "framework": "CSF", + "control": "PR.PT-2" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(a)(1)" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.6.1.2" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.9.4.1" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.9.4.5" + }, + { + "framework": "ITSG-33", + "control": "AC-3" + }, + { + "framework": "ITSG-33", + "control": "AC-5" + }, + { + "framework": "ITSG-33", + "control": "AC-6" + }, + { + "framework": "ITSG-33", + "control": "MP-2" + }, + { + "framework": "ITSG-33", + "control": "MP-2a." + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NESA", + "control": "T1.3.2" + }, + { + "framework": "NESA", + "control": "T1.3.3" + }, + { + "framework": "NESA", + "control": "T1.4.1" + }, + { + "framework": "NESA", + "control": "T4.2.1" + }, + { + "framework": "NESA", + "control": "T5.1.1" + }, + { + "framework": "NESA", + "control": "T5.2.2" + }, + { + "framework": "NESA", + "control": "T5.4.1" + }, + { + "framework": "NESA", + "control": "T5.4.4" + }, + { + "framework": "NESA", + "control": "T5.4.5" + }, + { + "framework": "NESA", + "control": "T5.5.4" + }, + { + "framework": "NESA", + "control": "T5.6.1" + }, + { + "framework": "NESA", + "control": "T7.5.2" + }, + { + "framework": "NESA", + "control": "T7.5.3" + }, + { + "framework": "NIAv2", + "control": "AM1" + }, + { + "framework": "NIAv2", + "control": "AM3" + }, + { + "framework": "NIAv2", + "control": "AM23f" + }, + { + "framework": "NIAv2", + "control": "SS13c" + }, + { + "framework": "NIAv2", + 
"control": "SS15c" + }, + { + "framework": "NIAv2", + "control": "SS29" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "7.1.2" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.1" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "5.2.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "5.1" + }, + { + "framework": "TBA-FIISB", + "control": "31.1" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.2" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition.\nExample:\n\n /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0\n\nRun the following command to remount /var/log with the configured options:\n\n# mount -o remount /var/log", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "1.1.5.4 Ensure nosuid option set on /var/log partition: [PASSED]\"\n\nThe nosuid mount option specifies that the filesystem cannot contain setuid files.\n\nRationale:\n\nSince the /var/log filesystem is only intended for log files, set this option to ensure that users cannot create setuid files in /var/log.\n\nSolution:\nEdit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/log partition.\nExample:\n\n /var/log defaults,rw,nosuid,nodev,noexec,relatime 0 0\n\nRun the following command to remount /var/log with the configured options:\n\n# mount -o remount /var/log\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.1.1), ComplianceReference(framework=800-171, control=3.1.4), ComplianceReference(framework=800-171, control=3.1.5), 
ComplianceReference(framework=800-171, control=3.8.1), ComplianceReference(framework=800-171, control=3.8.2), ComplianceReference(framework=800-171, control=3.8.3), ComplianceReference(framework=800-53, control=AC-3), ComplianceReference(framework=800-53, control=AC-5), ComplianceReference(framework=800-53, control=AC-6), ComplianceReference(framework=800-53, control=MP-2), ComplianceReference(framework=800-53r5, control=AC-3), ComplianceReference(framework=800-53r5, control=AC-5), ComplianceReference(framework=800-53r5, control=AC-6), ComplianceReference(framework=800-53r5, control=MP-2), ComplianceReference(framework=CN-L3, control=7.1.3.2(b)), ComplianceReference(framework=CN-L3, control=7.1.3.2(g)), ComplianceReference(framework=CN-L3, control=8.1.4.2(d)), ComplianceReference(framework=CN-L3, control=8.1.4.2(f)), ComplianceReference(framework=CN-L3, control=8.1.4.11(b)), ComplianceReference(framework=CN-L3, control=8.1.10.2(c)), ComplianceReference(framework=CN-L3, control=8.1.10.6(a)), ComplianceReference(framework=CN-L3, control=8.5.3.1), ComplianceReference(framework=CN-L3, control=8.5.4.1(a)), ComplianceReference(framework=CSCv7, control=14.6), ComplianceReference(framework=CSCv8, control=3.3), ComplianceReference(framework=CSF, control=PR.AC-4), ComplianceReference(framework=CSF, control=PR.DS-5), ComplianceReference(framework=CSF, control=PR.PT-2), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(a)(1)), ComplianceReference(framework=ISO/IEC-27001, control=A.6.1.2), ComplianceReference(framework=ISO/IEC-27001, control=A.9.4.1), ComplianceReference(framework=ISO/IEC-27001, control=A.9.4.5), ComplianceReference(framework=ITSG-33, control=AC-3), ComplianceReference(framework=ITSG-33, control=AC-5), ComplianceReference(framework=ITSG-33, control=AC-6), ComplianceReference(framework=ITSG-33, 
control=MP-2), ComplianceReference(framework=ITSG-33, control=MP-2a.), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NESA, control=T1.3.2), ComplianceReference(framework=NESA, control=T1.3.3), ComplianceReference(framework=NESA, control=T1.4.1), ComplianceReference(framework=NESA, control=T4.2.1), ComplianceReference(framework=NESA, control=T5.1.1), ComplianceReference(framework=NESA, control=T5.2.2), ComplianceReference(framework=NESA, control=T5.4.1), ComplianceReference(framework=NESA, control=T5.4.4), ComplianceReference(framework=NESA, control=T5.4.5), ComplianceReference(framework=NESA, control=T5.5.4), ComplianceReference(framework=NESA, control=T5.6.1), ComplianceReference(framework=NESA, control=T7.5.2), ComplianceReference(framework=NESA, control=T7.5.3), ComplianceReference(framework=NIAv2, control=AM1), ComplianceReference(framework=NIAv2, control=AM3), ComplianceReference(framework=NIAv2, control=AM23f), ComplianceReference(framework=NIAv2, control=SS13c), ComplianceReference(framework=NIAv2, control=SS15c), ComplianceReference(framework=NIAv2, control=SS29), ComplianceReference(framework=PCI-DSSv3.2.1, control=7.1.2), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.1), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=5.2.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=5.1), ComplianceReference(framework=TBA-FIISB, control=31.1), ComplianceReference(framework=TBA-FIISB, control=31.4.2), ComplianceReference(framework=TBA-FIISB, control=31.4.3)}\n\nPolicy Value:\ncmd: /usr/bin/findmnt --kernel /var/log | /usr/bin/awk '{print} END {if (NR == 0) print \"not mounted\"}'\nexpect: ([\\s]*[,]?nosuid|not mounted)\nsystem: Linux\n\nActual Value:\n The command '/usr/bin/findmnt --kernel /var/log | 
/usr/bin/awk '{print} END {if (NR == 0) print \"not mounted\"}'' returned : \n\nnot mounted", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "7b47be8c2509338faaf214983b1dc3af4bdcd6e8181aa9411c6f2ef11acefaef", + "compliance_full_id_s": "ee7e02cc5a08bc60d3f7e01addca8260726187e1df8a688c4842010ed5ca2a08", + "compliance_functional_id_s": "1cb51bb766", + "compliance_informational_id_s": "3e150b740e3f60be1af9f8d12f7c117321f71f162e5018ede5f9e28ada80885a", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "3d1a3e0475a7bdc313e2c7dbb8438642d933dc5cc1766b7b559427e6d28d3313", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "64e12b3bc42982ade33cf0c3db6eecdc30a76cc7b033cf603961ffbaab4796e8", + "check_name_s": "4.1.3.1 Ensure changes to system administration scope (sudoers) is collected - auditctl 
/etc/sudoers.d", + "check_info_s": "Monitor scope changes for system administrators. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier 'scope'.\n\nRationale:\n\nChanges in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity.", + "expected_value_s": "cmd: /usr/sbin/auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/sudoers\\.d/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command '/usr/sbin/auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/sudoers\\.d/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: /usr/sbin/auditctl: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + 
"control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "4.8" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + 
"control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators.\nExample:\n\n# printf '\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d -p wa -k scope\n' >> /etc/audit/rules.d/50-scope.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.1 Ensure changes to system administration scope (sudoers) is collected - auditctl /etc/sudoers.d: [FAILED]\"\n\nMonitor scope changes for system administrators. 
If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers, or files in /etc/sudoers.d, will be written to when the file(s) or related attributes have changed. The audit records will be tagged with the identifier 'scope'.\n\nRationale:\n\nChanges in the /etc/sudoers and /etc/sudoers.d files can indicate that an unauthorized change has been made to the scope of system administrator activity.\n\nSolution:\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor scope changes for system administrators.\nExample:\n\n# printf '\n-w /etc/sudoers -p wa -k scope\n-w /etc/sudoers.d -p wa -k scope\n' >> /etc/audit/rules.d/50-scope.rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=4.8), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), 
ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: /usr/sbin/auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/sudoers\\.d/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command '/usr/sbin/auditctl -l | /usr/bin/awk '/^ *-w/ &&/\\/etc\\/sudoers\\.d/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: /usr/sbin/auditctl: No such file or directory\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + 
"compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "42fd0b472509848ca0dde47b4c2d3ee620982c2341e8540c860a1c6346977431", + "compliance_full_id_s": "64e12b3bc42982ade33cf0c3db6eecdc30a76cc7b033cf603961ffbaab4796e8", + "compliance_functional_id_s": "625ad047a6", + "compliance_informational_id_s": "fc40df103751d40c7b8f68660e21c48c0912e6b6c4e26b4bd3e0bac261d027b1", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "39f337ddad726f8a36e01537cb89f6809d2cc1fd8ec98eeab2e1fb895e5782cf", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "9ef63551f5f0ff5277942932ff742864d3a7eac24c4a20372c9b0274daec7219", + "check_name_s": "1.3.2 Ensure filesystem integrity is regularly checked - cron", + "check_info_s": "Periodic checking of the filesystem integrity is needed to detect changes to the filesystem.\n\nRationale:\n\nPeriodic file checking allows the system 
administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.", + "expected_value_s": "PASSED", + "actual_value_s": "", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.1.7" + }, + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-53", + "control": "AC-6(9)" + }, + { + "framework": "800-53", + "control": "AU-2" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AC-6(9)" + }, + { + "framework": "800-53r5", + "control": "AU-2" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(g)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.2(d)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(a)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.6(a)" + }, + { + "framework": "CSCv7", + "control": "14.9" + }, + { + "framework": "CSCv8", + "control": "3.14" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.AC-4" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.12.4.3" + }, + { + "framework": "ITSG-33", + "control": "AC-6" + }, + { + "framework": "ITSG-33", + "control": "AU-2" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NESA", + "control": "M1.2.2" + }, + { + "framework": "NESA", + 
"control": "M5.5.1" + }, + { + "framework": "NESA", + "control": "T5.1.1" + }, + { + "framework": "NESA", + "control": "T5.2.2" + }, + { + "framework": "NESA", + "control": "T5.5.4" + }, + { + "framework": "NESA", + "control": "T7.5.3" + }, + { + "framework": "NIAv2", + "control": "AM1" + }, + { + "framework": "NIAv2", + "control": "AM7" + }, + { + "framework": "NIAv2", + "control": "AM11a" + }, + { + "framework": "NIAv2", + "control": "AM11b" + }, + { + "framework": "NIAv2", + "control": "AM11c" + }, + { + "framework": "NIAv2", + "control": "AM11d" + }, + { + "framework": "NIAv2", + "control": "AM11e" + }, + { + "framework": "NIAv2", + "control": "AM23f" + }, + { + "framework": "NIAv2", + "control": "SS13c" + }, + { + "framework": "NIAv2", + "control": "SS15c" + }, + { + "framework": "NIAv2", + "control": "SS30" + }, + { + "framework": "NIAv2", + "control": "VL8" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "7.1.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.1" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "5.2.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "5.1" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.2" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "If cron will be used to schedule and run aide check\nRun the following command:\n\n# crontab -u root -e\n\nAdd the following line to the crontab:\n\n0 5 * * * /usr/sbin/aide --check\n\nOR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check:\nCreate 
or edit the file /etc/systemd/system/aidecheck.service and add the following lines:\n\n[Unit]\nDescription=Aide Check\n\n[Service]\nType=simple\nExecStart=/usr/sbin/aide --check\n\n[Install]\nWantedBy=multi-user.target\n\nCreate or edit the file /etc/systemd/system/aidecheck.timer and add the following lines:\n\n[Unit]\nDescription=Aide check every day at 5AM\n\n[Timer]\nOnCalendar=*-*-* 05:00:00\nUnit=aidecheck.service\n\n[Install]\nWantedBy=multi-user.target\n\nRun the following commands:\n\n# chown root:root /etc/systemd/system/aidecheck.*\n# chmod 0644 /etc/systemd/system/aidecheck.*\n\n# systemctl daemon-reload\n\n# systemctl enable aidecheck.service\n# systemctl --now enable aidecheck.timer", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "1.3.2 Ensure filesystem integrity is regularly checked - cron: [PASSED]\"\n\nPeriodic checking of the filesystem integrity is needed to detect changes to the filesystem.\n\nRationale:\n\nPeriodic file checking allows the system administrator to determine on a regular basis if critical files have been changed in an unauthorized fashion.\n\nSolution:\nIf cron will be used to schedule and run aide check\nRun the following command:\n\n# crontab -u root -e\n\nAdd the following line to the crontab:\n\n0 5 * * * /usr/sbin/aide --check\n\nOR if aidecheck.service and aidecheck.timer will be used to schedule and run aide check:\nCreate or edit the file /etc/systemd/system/aidecheck.service and add the following lines:\n\n[Unit]\nDescription=Aide Check\n\n[Service]\nType=simple\nExecStart=/usr/sbin/aide --check\n\n[Install]\nWantedBy=multi-user.target\n\nCreate or edit the file /etc/systemd/system/aidecheck.timer and add the following lines:\n\n[Unit]\nDescription=Aide check every day at 5AM\n\n[Timer]\nOnCalendar=*-*-* 05:00:00\nUnit=aidecheck.service\n\n[Install]\nWantedBy=multi-user.target\n\nRun the following commands:\n\n# chown root:root /etc/systemd/system/aidecheck.*\n# chmod 0644 
/etc/systemd/system/aidecheck.*\n\n# systemctl daemon-reload\n\n# systemctl enable aidecheck.service\n# systemctl --now enable aidecheck.timer\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.1.7), ComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-53, control=AC-6(9)), ComplianceReference(framework=800-53, control=AU-2), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AC-6(9)), ComplianceReference(framework=800-53r5, control=AU-2), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.3.2(b)), ComplianceReference(framework=CN-L3, control=7.1.3.2(g)), ComplianceReference(framework=CN-L3, control=8.1.4.2(d)), ComplianceReference(framework=CN-L3, control=8.1.4.3(a)), ComplianceReference(framework=CN-L3, control=8.1.10.6(a)), ComplianceReference(framework=CSCv7, control=14.9), ComplianceReference(framework=CSCv8, control=3.14), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.AC-4), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ISO/IEC-27001, control=A.12.4.3), ComplianceReference(framework=ITSG-33, control=AC-6), ComplianceReference(framework=ITSG-33, control=AU-2), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NESA, control=M1.2.2), ComplianceReference(framework=NESA, control=M5.5.1), 
ComplianceReference(framework=NESA, control=T5.1.1), ComplianceReference(framework=NESA, control=T5.2.2), ComplianceReference(framework=NESA, control=T5.5.4), ComplianceReference(framework=NESA, control=T7.5.3), ComplianceReference(framework=NIAv2, control=AM1), ComplianceReference(framework=NIAv2, control=AM7), ComplianceReference(framework=NIAv2, control=AM11a), ComplianceReference(framework=NIAv2, control=AM11b), ComplianceReference(framework=NIAv2, control=AM11c), ComplianceReference(framework=NIAv2, control=AM11d), ComplianceReference(framework=NIAv2, control=AM11e), ComplianceReference(framework=NIAv2, control=AM23f), ComplianceReference(framework=NIAv2, control=SS13c), ComplianceReference(framework=NIAv2, control=SS15c), ComplianceReference(framework=NIAv2, control=SS30), ComplianceReference(framework=NIAv2, control=VL8), ComplianceReference(framework=PCI-DSSv3.2.1, control=7.1.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.1), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=5.2.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=5.1), ComplianceReference(framework=SWIFT-CSCv1, control=6.4), ComplianceReference(framework=TBA-FIISB, control=31.4.2), ComplianceReference(framework=TBA-FIISB, control=31.4.3)}\n\nPolicy Value:\nPASSED", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "488a89faad765166b56ed0a55d372f3f2149617eeb250e6ff8b28723692a5179", + "compliance_full_id_s": "9ef63551f5f0ff5277942932ff742864d3a7eac24c4a20372c9b0274daec7219", + "compliance_functional_id_s": "374edc0aee", + "compliance_informational_id_s": 
"9096a0cff67447bc4b575451886fbc88a210fd0373f1793f559a68dee603e2b2", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "0da2d9a429830621a90d8224327710fe4e2123ae88860b42b48d285447e9aab6", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "93c6077b23686986392e69868090e482d48b416944f72f1ea76d8c0eaa6d8f34", + "check_name_s": "4.1.3.4 Ensure events that modify date and time information are collected - auditctl stime", + "check_info_s": "Capture events where the system date and/or time has been modified. The parameters in this section are set to determine if the;\n\nadjtimex - tune kernel clock\n\nsettimeofday - set time using timeval and timezone structures\n\nstime - using seconds since 1/1/1970\n\nclock_settime - allows for the setting of several internal clocks and timers\n\nsystem calls have been executed. 
Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as 'time-change'.\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.", + "expected_value_s": "PASSED", + "actual_value_s": "", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + 
}, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change\n-a always,exit -F arch=b32 -S 
adjtimex,settimeofday,clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n' >> /etc/audit/rules.d/50-time-change.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example:\n\n-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.4 Ensure events that modify date and time information are collected - auditctl stime: [PASSED]\"\n\nCapture events where the system date and/or time has been modified. The parameters in this section are set to determine if the;\n\nadjtimex - tune kernel clock\n\nsettimeofday - set time using timeval and timezone structures\n\nstime - using seconds since 1/1/1970\n\nclock_settime - allows for the setting of several internal clocks and timers\n\nsystem calls have been executed. 
Further, ensure to write an audit record to the configured audit log file upon exit, tagging the records with a unique identifier such as 'time-change'.\n\nRationale:\n\nUnexpected changes in system date and/or time could be a sign of malicious activity on the system.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify date and time information.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change\n-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k time-change\n-w /etc/localtime -p wa -k time-change\n' >> /etc/audit/rules.d/50-time-change.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64. In addition, add stime to the system call audit. Example:\n\n-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), 
ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\nPASSED", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "8849242ba0e1b50820fbc8fe66ca64790fec2c5b7fa5489ac0fc11d4bc5f179e", + "compliance_full_id_s": "93c6077b23686986392e69868090e482d48b416944f72f1ea76d8c0eaa6d8f34", + "compliance_functional_id_s": "374edc0aee", + "compliance_informational_id_s": "69e625ed909d53f6e6881fc18b980ee90a69d2d5eba3166079a368e23804c5b2", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": 
"719a30e2486af08b12b596d9c7d028e2e9d2f19051e61e0671efbed18f283550", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "adb4e5f150c2200323abcd3df361136a1e6e48a974a73ed79e2e03d5a8e0729b", + "check_name_s": "4.1.3.7 Ensure unsuccessful file access attempts are collected - auditctl b32 EPERM", + "check_info_s": "Monitor for unsuccessful attempts to access files. 
The following parameters are associated with system calls that control files:\n\ncreation - creat\n\nopening - open , openat\n\ntruncation - truncate , ftruncate\n\nAn audit log record will only be written if all of the following criteria is met for the user when trying to access a file:\n\na non-privileged user (auid>=UID_MIN)\n\nis not a Daemon event (auid=4294967295/unset/-1)\n\nif the system call returned EACCES (permission denied) or EPERM (some other permanent error associated with the specific system call)\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.", + "expected_value_s": "cmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *exit=-EPERM/ &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *exit=-EPERM/ &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, 
+ { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "14.9" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": 
"AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor unsuccessful file access attempts.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access\n' >> 
/etc/audit/rules.d/50-access.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.7 Ensure unsuccessful file access attempts are collected - auditctl b32 EPERM: [FAILED]\"\n\nMonitor for unsuccessful attempts to access files. 
The following parameters are associated with system calls that control files:\n\ncreation - creat\n\nopening - open , openat\n\ntruncation - truncate , ftruncate\n\nAn audit log record will only be written if all of the following criteria is met for the user when trying to access a file:\n\na non-privileged user (auid>=UID_MIN)\n\nis not a Daemon event (auid=4294967295/unset/-1)\n\nif the system call returned EACCES (permission denied) or EPERM (some other permanent error associated with the specific system call)\n\nRationale:\n\nFailed attempts to open, create or truncate files could be an indication that an individual or process is trying to gain unauthorized access to the system.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor unsuccessful file access attempts.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b64 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=${UID_MIN} -F auid!=unset -k access\n-a always,exit -F arch=b32 -S creat,open,openat,truncate,ftruncate -F exit=-EPERM -F auid>=${UID_MIN} -F auid!=unset -k access\n' >> /etc/audit/rules.d/50-access.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential 
reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=14.9), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, 
control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F 
*arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *exit=-EPERM/ &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -F *auid>=${UID_MIN}/ &&/ -F *exit=-EPERM/ &&/ -S/ &&/creat/ &&/open/ &&/truncate/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "05ab0742844e8a5dd5c67c3856f19b6f73d648a6ce878e346ec4f086fa760f35", + "compliance_full_id_s": "adb4e5f150c2200323abcd3df361136a1e6e48a974a73ed79e2e03d5a8e0729b", + "compliance_functional_id_s": "cc0d904652", + "compliance_informational_id_s": "651163f64225b456b7522d87eb316a93c44ec1b30d9d0b68f04fefe6b06f0c70", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "3f4148c46504b71acc104a6852ce904dc27bfc3f9f1ba60fdfa96b6a6d3612cd", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:12 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": 
"1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "38cddbb9fb71c45b36936134700b6be3d1137904b9358311d996a57c44ad25ae", + "check_name_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - auditctl b64 fchmodat", + "check_info_s": "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. 
All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.", + "expected_value_s": "cmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b64/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchmodat/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b64/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchmodat/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + 
"control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + 
"control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load 
rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - auditctl b64 fchmodat: [FAILED]\"\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. 
All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. 
A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, 
control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b64/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchmodat/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | 
/usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && auditctl -l | awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b64/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/fchmodat/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "4c2dbe80bcd14254f103bf348d9cba387975439583fe195aaa73b140a8ef1821", + "compliance_full_id_s": "38cddbb9fb71c45b36936134700b6be3d1137904b9358311d996a57c44ad25ae", + "compliance_functional_id_s": "55e120b210", + "compliance_informational_id_s": "e074a8b93d6e6d39a8f6913ed3652e35ba9acc37aaa09bbff79c41a9aa10dc5d", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "97445f25f1c84207f53821767d304663ab918e6be2eb318421e652bd98c50046", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server 
release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "4afbe7720967dd60debd35feb0e4eef4e91de7da4a0fa96e8c34e4467a0dace0", + "check_name_s": "6.1.10 Ensure no unowned files or directories exist", + "check_info_s": "Sometimes when administrators delete users from the password file, they neglect to remove all files owned by those users from the system.\n\nRationale:\n\nA new user who is assigned the deleted user's user ID or group ID may then end up 'owning' these files, and thus have more access on the system than was intended.", + "expected_value_s": "find_option: nouser\nname: find_orphan_files\nsystem: Linux\ntimeout: 7200", + "actual_value_s": "No issues found.", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.1.1" + }, + { + "framework": "800-171", + "control": "3.1.4" + }, + { + "framework": "800-171", + "control": "3.1.5" + }, + { + "framework": "800-171", + "control": "3.8.1" + }, + { + "framework": "800-171", + "control": "3.8.2" + }, + { + "framework": "800-171", + "control": "3.8.3" + }, + { + "framework": "800-53", + "control": "AC-3" + }, + { + "framework": "800-53", + "control": "AC-5" + }, + { + "framework": "800-53", + "control": "AC-6" + }, + { + "framework": "800-53", + "control": "MP-2" + }, + { + "framework": "800-53r5", + "control": "AC-3" + }, + { + "framework": "800-53r5", + "control": "AC-5" + }, + { + "framework": "800-53r5", + "control": "AC-6" + }, + { + "framework": "800-53r5", + "control": "MP-2" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.2(g)" 
+ }, + { + "framework": "CN-L3", + "control": "8.1.4.2(d)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.2(f)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.11(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.2(c)" + }, + { + "framework": "CN-L3", + "control": "8.1.10.6(a)" + }, + { + "framework": "CN-L3", + "control": "8.5.3.1" + }, + { + "framework": "CN-L3", + "control": "8.5.4.1(a)" + }, + { + "framework": "CSCv7", + "control": "13.2" + }, + { + "framework": "CSCv8", + "control": "3.3" + }, + { + "framework": "CSF", + "control": "PR.AC-4" + }, + { + "framework": "CSF", + "control": "PR.DS-5" + }, + { + "framework": "CSF", + "control": "PR.PT-2" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(a)(1)" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.6.1.2" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.9.4.1" + }, + { + "framework": "ISO/IEC-27001", + "control": "A.9.4.5" + }, + { + "framework": "ITSG-33", + "control": "AC-3" + }, + { + "framework": "ITSG-33", + "control": "AC-5" + }, + { + "framework": "ITSG-33", + "control": "AC-6" + }, + { + "framework": "ITSG-33", + "control": "MP-2" + }, + { + "framework": "ITSG-33", + "control": "MP-2a." 
+ }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NESA", + "control": "T1.3.2" + }, + { + "framework": "NESA", + "control": "T1.3.3" + }, + { + "framework": "NESA", + "control": "T1.4.1" + }, + { + "framework": "NESA", + "control": "T4.2.1" + }, + { + "framework": "NESA", + "control": "T5.1.1" + }, + { + "framework": "NESA", + "control": "T5.2.2" + }, + { + "framework": "NESA", + "control": "T5.4.1" + }, + { + "framework": "NESA", + "control": "T5.4.4" + }, + { + "framework": "NESA", + "control": "T5.4.5" + }, + { + "framework": "NESA", + "control": "T5.5.4" + }, + { + "framework": "NESA", + "control": "T5.6.1" + }, + { + "framework": "NESA", + "control": "T7.5.2" + }, + { + "framework": "NESA", + "control": "T7.5.3" + }, + { + "framework": "NIAv2", + "control": "AM1" + }, + { + "framework": "NIAv2", + "control": "AM3" + }, + { + "framework": "NIAv2", + "control": "AM23f" + }, + { + "framework": "NIAv2", + "control": "SS13c" + }, + { + "framework": "NIAv2", + "control": "SS15c" + }, + { + "framework": "NIAv2", + "control": "SS29" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "7.1.2" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.1" + }, + { + "framework": "PCI-DSSv4.0", + "control": "7.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "5.2.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "5.1" + }, + { + "framework": "TBA-FIISB", + "control": "31.1" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.2" + }, + { + "framework": "TBA-FIISB", + "control": "31.4.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Locate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate.\n\nAdditional 
Information:\n\nNIST SP 800-53 Rev. 5:\n\nAC-3\n\nMP-2", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "6.1.10 Ensure no unowned files or directories exist: [PASSED]\"\n\nSometimes when administrators delete users from the password file, they neglect to remove all files owned by those users from the system.\n\nRationale:\n\nA new user who is assigned the deleted user's user ID or group ID may then end up 'owning' these files, and thus have more access on the system than was intended.\n\nSolution:\nLocate files that are owned by users or groups not listed in the system configuration files, and reset the ownership of these files to some active user on the system as appropriate.\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 5:\n\nAC-3\n\nMP-2\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.1.1), ComplianceReference(framework=800-171, control=3.1.4), ComplianceReference(framework=800-171, control=3.1.5), ComplianceReference(framework=800-171, control=3.8.1), ComplianceReference(framework=800-171, control=3.8.2), ComplianceReference(framework=800-171, control=3.8.3), ComplianceReference(framework=800-53, control=AC-3), ComplianceReference(framework=800-53, control=AC-5), ComplianceReference(framework=800-53, control=AC-6), ComplianceReference(framework=800-53, control=MP-2), ComplianceReference(framework=800-53r5, control=AC-3), ComplianceReference(framework=800-53r5, control=AC-5), ComplianceReference(framework=800-53r5, control=AC-6), ComplianceReference(framework=800-53r5, control=MP-2), ComplianceReference(framework=CN-L3, control=7.1.3.2(b)), ComplianceReference(framework=CN-L3, control=7.1.3.2(g)), ComplianceReference(framework=CN-L3, control=8.1.4.2(d)), ComplianceReference(framework=CN-L3, control=8.1.4.2(f)), ComplianceReference(framework=CN-L3, control=8.1.4.11(b)), ComplianceReference(framework=CN-L3, control=8.1.10.2(c)), ComplianceReference(framework=CN-L3, 
control=8.1.10.6(a)), ComplianceReference(framework=CN-L3, control=8.5.3.1), ComplianceReference(framework=CN-L3, control=8.5.4.1(a)), ComplianceReference(framework=CSCv7, control=13.2), ComplianceReference(framework=CSCv8, control=3.3), ComplianceReference(framework=CSF, control=PR.AC-4), ComplianceReference(framework=CSF, control=PR.DS-5), ComplianceReference(framework=CSF, control=PR.PT-2), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(a)(1)), ComplianceReference(framework=ISO/IEC-27001, control=A.6.1.2), ComplianceReference(framework=ISO/IEC-27001, control=A.9.4.1), ComplianceReference(framework=ISO/IEC-27001, control=A.9.4.5), ComplianceReference(framework=ITSG-33, control=AC-3), ComplianceReference(framework=ITSG-33, control=AC-5), ComplianceReference(framework=ITSG-33, control=AC-6), ComplianceReference(framework=ITSG-33, control=MP-2), ComplianceReference(framework=ITSG-33, control=MP-2a.), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NESA, control=T1.3.2), ComplianceReference(framework=NESA, control=T1.3.3), ComplianceReference(framework=NESA, control=T1.4.1), ComplianceReference(framework=NESA, control=T4.2.1), ComplianceReference(framework=NESA, control=T5.1.1), ComplianceReference(framework=NESA, control=T5.2.2), ComplianceReference(framework=NESA, control=T5.4.1), ComplianceReference(framework=NESA, control=T5.4.4), ComplianceReference(framework=NESA, control=T5.4.5), ComplianceReference(framework=NESA, control=T5.5.4), ComplianceReference(framework=NESA, control=T5.6.1), ComplianceReference(framework=NESA, control=T7.5.2), ComplianceReference(framework=NESA, control=T7.5.3), ComplianceReference(framework=NIAv2, control=AM1), ComplianceReference(framework=NIAv2, control=AM3), ComplianceReference(framework=NIAv2, control=AM23f), 
ComplianceReference(framework=NIAv2, control=SS13c), ComplianceReference(framework=NIAv2, control=SS15c), ComplianceReference(framework=NIAv2, control=SS29), ComplianceReference(framework=PCI-DSSv3.2.1, control=7.1.2), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.1), ComplianceReference(framework=PCI-DSSv4.0, control=7.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=5.2.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=5.1), ComplianceReference(framework=TBA-FIISB, control=31.1), ComplianceReference(framework=TBA-FIISB, control=31.4.2), ComplianceReference(framework=TBA-FIISB, control=31.4.3)}\n\nPolicy Value:\nfind_option: nouser\nname: find_orphan_files\nsystem: Linux\ntimeout: 7200\n\nActual Value:\n No issues found.", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "c1ebc86879aece17e2c9aacd2c9867ab8e6912cea44b60ea658e94f83973b6d5", + "compliance_full_id_s": "4afbe7720967dd60debd35feb0e4eef4e91de7da4a0fa96e8c34e4467a0dace0", + "compliance_functional_id_s": "32bc4eabac", + "compliance_informational_id_s": "d44b06c8d59b8c3147b606a96ae721500314a4c551fe1d5d69b450510febecb5", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "3dc39890e6a852a58e3abc3175d72f50eb7342f0a560c083e53d2b9ceebd62bc", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": 
"02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "a87cbed4210eecf2d468be5a0255922a2e3871df7a82ca7faa988ff224ea197c", + "check_name_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 chmod", + "check_info_s": "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. 
All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.", + "expected_value_s": "cmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/chmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/chmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": 
"800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + 
"control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | 
grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.9 Ensure discretionary access control permission modification events are collected - b32 chmod: [FAILED]\"\n\nMonitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The following commands and system calls effect the permissions, ownership and various attributes of files.\n\nchmod\n\nfchmod\n\nfchmodat\n\nchown\n\nfchown\n\nfchownat\n\nlchown\n\nsetxattr\n\nlsetxattr\n\nfsetxattr\n\nremovexattr\n\nlremovexattr\n\nfremovexattr\n\nIn all cases, an audit record will only be written for non-system user ids and will ignore Daemon events. 
All audit records will be tagged with the identifier 'perm_mod.'\n\nRationale:\n\nMonitoring for changes in file attributes could alert a system administrator to activity that could indicate intruder activity or policy violation.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor discretionary access control permission modification events.\n\n64 Bit systems\n\nExample:\n\n# {\nUID_MIN=$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)\n[ -n '${UID_MIN}' ] && printf '\n-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=${UID_MIN} -F auid!=unset -F key=perm_mod\n' >> /etc/audit/rules.d/50-perm_mod.rules || printf 'ERROR: Variable 'UID_MIN' is unset.\n'\n}\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. 
A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, 
control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/chmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" 
/etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'UID_MIN=$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs); [ -n \"${UID_MIN}\" ] && awk \"(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&(/ -F *auid!=unset/||/ -F *auid!=-1/||/ -F *auid!=4294967295/) &&/ -S/ &&/ -F *auid>=${UID_MIN}/ &&/chmod/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)\" /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}' || printf \"ERROR: Variable 'UID_MIN' is unset.\\n\"' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "4c2dbe80bcd14254f103bf348d9cba387975439583fe195aaa73b140a8ef1821", + "compliance_full_id_s": "a87cbed4210eecf2d468be5a0255922a2e3871df7a82ca7faa988ff224ea197c", + "compliance_functional_id_s": "f49eb64418", + "compliance_informational_id_s": "e074a8b93d6e6d39a8f6913ed3652e35ba9acc37aaa09bbff79c41a9aa10dc5d", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "92c55495acfd968a7fab5040d7962b0040fe5e4b034964b19ba519f8e0bdb855", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + 
"asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L1_Server.audit", + "check_id_s": "b4e31100ce9201c99ddb73ce469f21c2a88743219e266d2206fc38e99d3fee2c", + "check_name_s": "2.2.7 Ensure TFTP Server is not installed", + "check_info_s": "Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files.\n\nRationale:\n\nUnless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface.\n\nTFTP does not have built-in encryption, access control or authentication. 
This makes it very easy for an attacker to exploit TFTP to gain access to files\n\nImpact:\n\nTFTP is often used to provide files for network booting such as for PXE based installation of servers.", + "expected_value_s": "operator: lte\nrpm: tftp-server-0.0.0-0\nsystem: Linux", + "actual_value_s": "The package 'tftp-server-0.0.0-0' is not installed", + "status_s": "PASSED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.4.2" + }, + { + "framework": "800-171", + "control": "3.4.6" + }, + { + "framework": "800-171", + "control": "3.4.7" + }, + { + "framework": "800-53", + "control": "CM-6" + }, + { + "framework": "800-53", + "control": "CM-7" + }, + { + "framework": "800-53r5", + "control": "CM-6" + }, + { + "framework": "800-53r5", + "control": "CM-7" + }, + { + "framework": "CSCv7", + "control": "9.2" + }, + { + "framework": "CSCv8", + "control": "4.8" + }, + { + "framework": "CSF", + "control": "PR.IP-1" + }, + { + "framework": "CSF", + "control": "PR.PT-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "ITSG-33", + "control": "CM-6" + }, + { + "framework": "ITSG-33", + "control": "CM-7" + }, + { + "framework": "LEVEL", + "control": "1A" + }, + { + "framework": "NIAv2", + "control": "SS15a" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "2.2.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "2.3" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Run the following command to remove tftp-server:\n\n# dnf remove tftp-server\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 5:\n\nCM-7", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "2.2.7 Ensure TFTP Server is not installed: [PASSED]\"\n\nTrivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. 
TFTP servers allow connections from a TFTP Client for sending and receiving files.\n\nRationale:\n\nUnless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface.\n\nTFTP does not have built-in encryption, access control or authentication. This makes it very easy for an attacker to exploit TFTP to gain access to files\n\nImpact:\n\nTFTP is often used to provide files for network booting such as for PXE based installation of servers.\n\nSolution:\nRun the following command to remove tftp-server:\n\n# dnf remove tftp-server\n\nAdditional Information:\n\nNIST SP 800-53 Rev. 5:\n\nCM-7\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.4.2), ComplianceReference(framework=800-171, control=3.4.6), ComplianceReference(framework=800-171, control=3.4.7), ComplianceReference(framework=800-53, control=CM-6), ComplianceReference(framework=800-53, control=CM-7), ComplianceReference(framework=800-53r5, control=CM-6), ComplianceReference(framework=800-53r5, control=CM-7), ComplianceReference(framework=CSCv7, control=9.2), ComplianceReference(framework=CSCv8, control=4.8), ComplianceReference(framework=CSF, control=PR.IP-1), ComplianceReference(framework=CSF, control=PR.PT-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=ITSG-33, control=CM-6), ComplianceReference(framework=ITSG-33, control=CM-7), ComplianceReference(framework=LEVEL, control=1A), ComplianceReference(framework=NIAv2, control=SS15a), ComplianceReference(framework=PCI-DSSv3.2.1, control=2.2.2), ComplianceReference(framework=SWIFT-CSCv1, control=2.3)}\n\nPolicy Value:\noperator: lte\nrpm: tftp-server-0.0.0-0\nsystem: Linux\n\nActual Value:\n The package 'tftp-server-0.0.0-0' is not installed", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + 
"compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "35a2c0121f3938a3ac63113a3ab7ee7b0003c80fdc1ce93face3540cd1ef52b7", + "compliance_full_id_s": "b4e31100ce9201c99ddb73ce469f21c2a88743219e266d2206fc38e99d3fee2c", + "compliance_functional_id_s": "0e708ddcee", + "compliance_informational_id_s": "f6fdc376a9aa47dc1b142bb100afb263c8883654d581f411bc5a55c1320647e2", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "444626bcfa5ab25a46b7f17f0b976b6f26678c6dfe3f967f1d67b258db13045e", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "9f36e15fb46e36d1b9d873349f6c60bb256b5682576d6b00454e3722feff74ed", + "check_name_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl b32 sethostname", + "check_info_s": "Record changes to network environment files or system calls. 
The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records should have a relevant tag associated with them.", + "expected_value_s": "cmd: auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/sethostname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/sethostname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + 
"framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": 
"https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl b32 sethostname: [FAILED]\"\n\nRecord changes to network environment files or system calls. 
The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records should have a relevant tag associated with them.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), 
ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/sethostname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/sethostname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + 
"compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "fe51e331db5b070110d5d608b8ae634ad8a9b017a8c4a905bb22a649fe6eb7fb", + "compliance_full_id_s": "9f36e15fb46e36d1b9d873349f6c60bb256b5682576d6b00454e3722feff74ed", + "compliance_functional_id_s": "185a8d6bfd", + "compliance_informational_id_s": "301152ec9950c19790c8ba131b425e63067643485eb582a727a448651d10ea1b", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "499fac5cf56471d7df4699c72eb8da1ce9565a8717881ac8b16bb378012cf93a", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:11 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "d914818afd1deed40e6125f90b3bf16b1f6d626608f222b63fbb8bf906ec0323", + "check_name_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl b32 setdomainname", + "check_info_s": "Record changes to network environment files or system 
calls. The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records should have a relevant tag associated with them.", + "expected_value_s": "cmd: auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/setdomainname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command 'auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/setdomainname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + 
"framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": 
"https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - auditctl b32 setdomainname: [FAILED]\"\n\nRecord changes to network environment files or system calls. 
The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. 
All audit records should have a relevant tag associated with them.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), 
ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/setdomainname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command 'auditctl -l | /usr/bin/awk '(/^ *-a *always,exit/||/^ *-a *exit,always/) &&/ -F *arch=b32/ &&/ -S/ &&/setdomainname/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: auditctl: command not found\nfail", + 
"compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "fe51e331db5b070110d5d608b8ae634ad8a9b017a8c4a905bb22a649fe6eb7fb", + "compliance_full_id_s": "d914818afd1deed40e6125f90b3bf16b1f6d626608f222b63fbb8bf906ec0323", + "compliance_functional_id_s": "8a9f15d206", + "compliance_informational_id_s": "301152ec9950c19790c8ba131b425e63067643485eb582a727a448651d10ea1b", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "a45648ae2c2dc7956be17092dd049978b059e5c0d93c198cde482a11a2ffbac3", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:12 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "e32e32f47a6d99ba538a2f3b15eb10cafee844dd2c27595fce4c6dbbeca6b9f3", + "check_name_s": "4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled", + "check_info_s": "Configure grub2 so that processes that are capable of being audited can be audited even if 
they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.", + "expected_value_s": "cmd: /usr/sbin/grubby --info=ALL | /usr/bin/grep 'audit=1' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command '/usr/sbin/grubby --info=ALL | /usr/bin/grep 'audit=1' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: /usr/sbin/grubby: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-2" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-2" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(a)" + }, + { + "framework": "CSCv7", + "control": "6.2" + }, + { + "framework": "CSCv8", + "control": "8.2" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-2" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + 
"control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "M1.2.2" + }, + { + "framework": "NESA", + "control": "M5.5.1" + }, + { + "framework": "NIAv2", + "control": "AM7" + }, + { + "framework": "NIAv2", + "control": "AM11a" + }, + { + "framework": "NIAv2", + "control": "AM11b" + }, + { + "framework": "NIAv2", + "control": "AM11c" + }, + { + "framework": "NIAv2", + "control": "AM11d" + }, + { + "framework": "NIAv2", + "control": "AM11e" + }, + { + "framework": "NIAv2", + "control": "SS30" + }, + { + "framework": "NIAv2", + "control": "VL8" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Run the following command to update the grub2 configuration with audit=1:\n\n# grubby --update-kernel ALL --args 'audit=1'\n\nAdditional Information:\n\nThis recommendation is designed around the grub2 bootloader, if another bootloader is in use in your environment enact equivalent settings.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.1.2 Ensure auditing for processes that start prior to auditd is enabled: [FAILED]\"\n\nConfigure grub2 so that processes that are capable of being audited can be audited even if they start up prior to auditd startup.\n\nRationale:\n\nAudit events need to be captured on processes that start up prior to auditd , so that potential malicious activity cannot go undetected.\n\nSolution:\nRun the following command to update the grub2 configuration with audit=1:\n\n# grubby --update-kernel ALL 
--args 'audit=1'\n\nAdditional Information:\n\nThis recommendation is designed around the grub2 bootloader, if another bootloader is in use in your environment enact equivalent settings.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-2), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-2), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=8.1.4.3(a)), ComplianceReference(framework=CSCv7, control=6.2), ComplianceReference(framework=CSCv8, control=8.2), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-2), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), ComplianceReference(framework=NESA, control=M1.2.2), ComplianceReference(framework=NESA, control=M5.5.1), ComplianceReference(framework=NIAv2, control=AM7), ComplianceReference(framework=NIAv2, control=AM11a), ComplianceReference(framework=NIAv2, control=AM11b), ComplianceReference(framework=NIAv2, control=AM11c), ComplianceReference(framework=NIAv2, control=AM11d), 
ComplianceReference(framework=NIAv2, control=AM11e), ComplianceReference(framework=NIAv2, control=SS30), ComplianceReference(framework=NIAv2, control=VL8), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: /usr/sbin/grubby --info=ALL | /usr/bin/grep 'audit=1' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command '/usr/sbin/grubby --info=ALL | /usr/bin/grep 'audit=1' | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nbash: line 1: /usr/sbin/grubby: No such file or directory\nfail", + "compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "1de91f94bc9b0b8564058b0c0706d6e2eca4ca99678f6f4a4b60ddf5bf0ca024", + "compliance_full_id_s": "e32e32f47a6d99ba538a2f3b15eb10cafee844dd2c27595fce4c6dbbeca6b9f3", + "compliance_functional_id_s": "7624c51610", + "compliance_informational_id_s": "965a708e71b616eb4fa05e1142d058c9c2c48ae85c26aa78a836ebf259e45986", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "6924bd59f0536d98cd1445e345bd6a43fdd80f078b25cac4c356469263b0ab66", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + 
"asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + }, + { + "TimeGenerated [UTC]": "10/21/2024, 11:21:15 AM", + "asset_uuid_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "first_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "last_seen_t [UTC]": "6/26/2024, 7:00:58 PM", + "audit_file_s": "CIS_Oracle_Linux_9_v1.0.0_L2_Server.audit", + "check_id_s": "ab902bd88b00350f4257a421fb43f1726b28b4a7a7e0415d0fd27f5e90760327", + "check_name_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - /etc/issue", + "check_info_s": "Record changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. 
The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them.", + "expected_value_s": "cmd: /usr/bin/awk '/^ *-w/ &&/\\/etc\\/issue/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux", + "actual_value_s": "The command '/usr/bin/awk '/^ *-w/ &&/\\/etc\\/issue/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + "status_s": "FAILED", + "reference_s": [ + { + "framework": "800-171", + "control": "3.3.1" + }, + { + "framework": "800-171", + "control": "3.3.2" + }, + { + "framework": "800-171", + "control": "3.3.6" + }, + { + "framework": "800-53", + "control": "AU-3" + }, + { + "framework": "800-53", + "control": "AU-3(1)" + }, + { + "framework": "800-53", + "control": "AU-7" + }, + { + "framework": "800-53", + "control": "AU-12" + }, + { + "framework": "800-53r5", + "control": "AU-3" + }, + { + "framework": "800-53r5", + "control": "AU-3(1)" + }, + { + "framework": "800-53r5", + "control": "AU-7" + }, + { + "framework": "800-53r5", + "control": "AU-12" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(a)" + }, + { + 
"framework": "CN-L3", + "control": "7.1.2.3(b)" + }, + { + "framework": "CN-L3", + "control": "7.1.2.3(c)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(a)" + }, + { + "framework": "CN-L3", + "control": "7.1.3.3(b)" + }, + { + "framework": "CN-L3", + "control": "8.1.4.3(b)" + }, + { + "framework": "CSCv7", + "control": "5.5" + }, + { + "framework": "CSCv8", + "control": "8.5" + }, + { + "framework": "CSF", + "control": "DE.CM-1" + }, + { + "framework": "CSF", + "control": "DE.CM-3" + }, + { + "framework": "CSF", + "control": "DE.CM-7" + }, + { + "framework": "CSF", + "control": "PR.PT-1" + }, + { + "framework": "CSF", + "control": "RS.AN-3" + }, + { + "framework": "GDPR", + "control": "32.1.b" + }, + { + "framework": "HIPAA", + "control": "164.306(a)(1)" + }, + { + "framework": "HIPAA", + "control": "164.312(b)" + }, + { + "framework": "ITSG-33", + "control": "AU-3" + }, + { + "framework": "ITSG-33", + "control": "AU-3(1)" + }, + { + "framework": "ITSG-33", + "control": "AU-7" + }, + { + "framework": "ITSG-33", + "control": "AU-12" + }, + { + "framework": "LEVEL", + "control": "2A" + }, + { + "framework": "NESA", + "control": "T3.6.2" + }, + { + "framework": "NIAv2", + "control": "AM34a" + }, + { + "framework": "NIAv2", + "control": "AM34b" + }, + { + "framework": "NIAv2", + "control": "AM34c" + }, + { + "framework": "NIAv2", + "control": "AM34d" + }, + { + "framework": "NIAv2", + "control": "AM34e" + }, + { + "framework": "NIAv2", + "control": "AM34f" + }, + { + "framework": "NIAv2", + "control": "AM34g" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.1" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.2" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.3" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.4" + }, + { + "framework": "PCI-DSSv3.2.1", + "control": "10.3.5" + }, + { + 
"framework": "PCI-DSSv3.2.1", + "control": "10.3.6" + }, + { + "framework": "PCI-DSSv4.0", + "control": "10.2.2" + }, + { + "framework": "QCSC-v1", + "control": "3.2" + }, + { + "framework": "QCSC-v1", + "control": "6.2" + }, + { + "framework": "QCSC-v1", + "control": "8.2.1" + }, + { + "framework": "QCSC-v1", + "control": "10.2.1" + }, + { + "framework": "QCSC-v1", + "control": "11.2" + }, + { + "framework": "QCSC-v1", + "control": "13.2" + }, + { + "framework": "SWIFT-CSCv1", + "control": "6.4" + } + ], + "see_also_s": "https://workbench.cisecurity.org/files/4239", + "solution_s": "Create audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. 
A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.", + "plugin_id_d": 21157, + "state_s": "NEW", + "description_s": "4.1.3.5 Ensure events that modify the system's network environment are collected - /etc/issue: [FAILED]\"\n\nRecord changes to network environment files or system calls. The below parameters monitors the following system calls, and write an audit event on system call exit:\n\nsethostname - set the systems host name\n\nsetdomainname - set the systems domain name\n\nThe files being monitored are:\n\n/etc/issue and /etc/issue.net - messages displayed pre-login\n\n/etc/hosts - file containing host names and associated IP addresses\n\n/etc/sysconfig/network - additional information that is valid to all network interfaces\n\n/etc/sysconfig/network-scripts/ - directory containing network interface scripts and configurations files\n\nRationale:\n\nMonitoring sethostname and setdomainname will identify potential unauthorized changes to host and domain name of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.net is important, as intruders could put disinformation into those files and trick users into providing information to the intruder. 
Monitoring /etc/sysconfig/network is important as it can show if network interfaces or scripts are being modified in a way that can lead to the machine becoming unavailable or compromised. All audit records should have a relevant tag associated with them.\n\nSolution:\nCreate audit rules\n\nEdit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor events that modify the system's network environment.\n\n64 Bit systems\n\nExample:\n\n# printf '\n-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale\n-a always,exit -F arch=b32 -S sethostname,setdomainname -k system-locale\n-w /etc/issue -p wa -k system-locale\n-w /etc/issue.net -p wa -k system-locale\n-w /etc/hosts -p wa -k system-locale\n-w /etc/sysconfig/network -p wa -k system-locale\n-w /etc/sysconfig/network-scripts/ -p wa -k system-locale\n' >> /etc/audit/rules.d/50-system_local.rules\n\nLoad audit rules\n\nMerge and load the rules into active configuration:\n\n# augenrules --load\n\nCheck if reboot is required.\n\n# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules\n'; fi\n\n32 Bit systems\n\nFollow the same procedures as for 64 bit systems and ignore any entries with b64.\n\nAdditional Information:\n\nPotential reboot required\n\nIf the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.\n\nSystem call structure\n\nFor performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. 
This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.\n\nSee Also:\nhttps://workbench.cisecurity.org/files/4239\n\nReference:\nComplianceReference(framework=800-171, control=3.3.1), ComplianceReference(framework=800-171, control=3.3.2), ComplianceReference(framework=800-171, control=3.3.6), ComplianceReference(framework=800-53, control=AU-3), ComplianceReference(framework=800-53, control=AU-3(1)), ComplianceReference(framework=800-53, control=AU-7), ComplianceReference(framework=800-53, control=AU-12), ComplianceReference(framework=800-53r5, control=AU-3), ComplianceReference(framework=800-53r5, control=AU-3(1)), ComplianceReference(framework=800-53r5, control=AU-7), ComplianceReference(framework=800-53r5, control=AU-12), ComplianceReference(framework=CN-L3, control=7.1.2.3(a)), ComplianceReference(framework=CN-L3, control=7.1.2.3(b)), ComplianceReference(framework=CN-L3, control=7.1.2.3(c)), ComplianceReference(framework=CN-L3, control=7.1.3.3(a)), ComplianceReference(framework=CN-L3, control=7.1.3.3(b)), ComplianceReference(framework=CN-L3, control=8.1.4.3(b)), ComplianceReference(framework=CSCv7, control=5.5), ComplianceReference(framework=CSCv8, control=8.5), ComplianceReference(framework=CSF, control=DE.CM-1), ComplianceReference(framework=CSF, control=DE.CM-3), ComplianceReference(framework=CSF, control=DE.CM-7), ComplianceReference(framework=CSF, control=PR.PT-1), ComplianceReference(framework=CSF, control=RS.AN-3), ComplianceReference(framework=GDPR, control=32.1.b), ComplianceReference(framework=HIPAA, control=164.306(a)(1)), ComplianceReference(framework=HIPAA, control=164.312(b)), ComplianceReference(framework=ITSG-33, control=AU-3), ComplianceReference(framework=ITSG-33, control=AU-3(1)), ComplianceReference(framework=ITSG-33, control=AU-7), ComplianceReference(framework=ITSG-33, control=AU-12), ComplianceReference(framework=LEVEL, control=2A), 
ComplianceReference(framework=NESA, control=T3.6.2), ComplianceReference(framework=NIAv2, control=AM34a), ComplianceReference(framework=NIAv2, control=AM34b), ComplianceReference(framework=NIAv2, control=AM34c), ComplianceReference(framework=NIAv2, control=AM34d), ComplianceReference(framework=NIAv2, control=AM34e), ComplianceReference(framework=NIAv2, control=AM34f), ComplianceReference(framework=NIAv2, control=AM34g), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.1), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.2), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.3), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.4), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.5), ComplianceReference(framework=PCI-DSSv3.2.1, control=10.3.6), ComplianceReference(framework=PCI-DSSv4.0, control=10.2.2), ComplianceReference(framework=QCSC-v1, control=3.2), ComplianceReference(framework=QCSC-v1, control=6.2), ComplianceReference(framework=QCSC-v1, control=8.2.1), ComplianceReference(framework=QCSC-v1, control=10.2.1), ComplianceReference(framework=QCSC-v1, control=11.2), ComplianceReference(framework=QCSC-v1, control=13.2), ComplianceReference(framework=SWIFT-CSCv1, control=6.4)}\n\nPolicy Value:\ncmd: /usr/bin/awk '/^ *-w/ &&/\\/etc\\/issue/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'\nexpect: pass\nsystem: Linux\n\nActual Value:\n The command '/usr/bin/awk '/^ *-w/ &&/\\/etc\\/issue/ &&/ +-p *wa/ &&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules | /usr/bin/awk '{print} END {if (NR != 0) print \"pass\" ; else print \"fail\"}'' returned : \n\nawk: fatal: cannot open file `/etc/audit/rules.d/*.rules' for reading: No such file or directory\nfail", + 
"compliance_benchmark_name_s": "CIS Oracle Linux 9", + "compliance_benchmark_version_s": "1.0.0", + "compliance_control_id_s": "fe51e331db5b070110d5d608b8ae634ad8a9b017a8c4a905bb22a649fe6eb7fb", + "compliance_full_id_s": "ab902bd88b00350f4257a421fb43f1726b28b4a7a7e0415d0fd27f5e90760327", + "compliance_functional_id_s": "98f1326b05", + "compliance_informational_id_s": "301152ec9950c19790c8ba131b425e63067643485eb582a727a448651d10ea1b", + "synopsis_s": "Compliance checks for Unix systems", + "last_observed_t [UTC]": "6/26/2024, 7:00:58 PM", + "metadata_id_s": "f45a0261af18cea213e43f4422c7af65a52caf61e12c0084aa19a4924564011f", + "uname_output_s": "Linux ol9-test 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux", + "indexed_at_t [UTC]": "6/26/2024, 7:01:13 PM", + "plugin_name_s": "Unix Compliance Checks", + "asset_id_g": "c5e7f41f-c68e-4d60-8c56-eefe2fea2008", + "asset_ipv4_addresses_s": [ + "1.1.1.1" + ], + "asset_ipv6_addresses_s": [], + "asset_fqdns_s": [], + "asset_name_s": "1.1.1.1", + "asset_agent_uuid_g": "02905194-b636-40ec-95fb-db25b7a64222", + "asset_tags_s": [], + "asset_mac_addresses_s": [ + "00:16:3e:a4:e5:80" + ], + "asset_operating_systems_s": [ + "Linux Kernel 5.15.0-102-generic on Oracle Linux Server release 9.4" + ], + "asset_system_type_s": "general-purpose", + "asset_network_id_g": "00000000-0000-0000-0000-000000000000", + "asset_agent_name_s": "" + } +] \ No newline at end of file diff --git a/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_DCR.json b/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_DCR.json new file mode 100644 index 00000000000..f7759c3c29d --- /dev/null +++ b/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_DCR.json 
@@ -0,0 +1,29 @@
+{
+ "name": "1PasswordDCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-OnePasswordEventLogs_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-OnePasswordEventLogs_CL",
+ "transformKql": "source | extend TimeGenerated = now(), log_source = case(isnotempty(used_version) or isnotempty(aux_id), 'itemusages', isnotempty(country), 'signinattempts', isempty(used_version) and isempty(aux_id) and isempty(country), 'auditevents', 'unknown')"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_DataConnectorDefinition.json b/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_DataConnectorDefinition.json
new file mode 100644
index 00000000000..c395113acea
--- /dev/null
+++ b/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_DataConnectorDefinition.json
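Review bot: The `transformKql` stamps every record with `TimeGenerated = now()`, so the event's own time is lost and any late or backfilled poll is dated by ingestion rather than occurrence, which skews time-based detections and joins. The table definition in this commit carries a `timestamp` datetime column; if the poller delivers that field, prefer `TimeGenerated = coalesce(todatetime(timestamp), now())` and keep `now()` only as the fallback. The `log_source` classification is a heuristic on which fields happen to be populated: a sign-in attempt with an empty `country` falls through to `'auditevents'`, because the third branch only checks that the three discriminator fields are empty. Since all three pollers write to the same stream, such a mis-label is silent; at minimum document the heuristic next to the transform so a maintainer knows why `log_source` is derived this way.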
@@ -0,0 +1,115 @@ +{ + "name": "1PasswordCCPDefinition", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "location": "{{location}}", + "kind": "Customizable", + "availability": { + "isPreview": true + }, + "properties": { + "connectorUiConfig": { + "title": "1Password (Serverless)", + "publisher": "1Password", + "id": "1PasswordCCPDefinition", + "descriptionMarkdown": "The 1Password CCP connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel.", + "graphQueriesTableName": "OnePasswordEventLogs_CL", + "graphQueries": [ + { + "metricName": "Total Sign In Attempts received", + "legend": "SignIn Attempts", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'signinattempts'" + }, + { + "metricName": "Total Audit Events received", + "legend": "Audit Events", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'auditevents'" + }, + { + "metricName": "Total Item Usage Events received", + "legend": "Item Usage Events", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'itemusages'" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of 1Password events", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "OnePasswordEventLogs_CL", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "1Password API token", + "description": "A 1Password API Token is 
required. See the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) on how to create an API token." + } + ] + }, + "instructionSteps": [ + { + "title": "STEP 1 - Create a 1Password API token:", + "description": "Follow the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) for guidance on this step." + }, + { + "title": "STEP 2 - Choose the correct base URL:", + "description": "There are multiple 1Password servers which might host your events. The correct server depends on your license and region. Follow the [1Password documentation](https://developer.1password.com/docs/events-api/reference/#servers) to choose the correct server. Input the base URL as displayed by the documentation (including 'https://' and without a trailing '/')." + }, + { + "title": "STEP 3 - Enter your 1Password Details:", + "description": "Enter the 1Password base URL & API Token below:", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Base Url", + "placeholder": "Enter your Base Url", + "type": "text", + "name": "BaseUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "API Token", + "placeholder": "Enter your API Token", + "type": "password", + "name": "ApiToken" + } + }, + { + "type": "ConnectionToggleButton", + "parameters": { + "connectLabel": "connect", + "name": "connect" + } + } + ] + } + ] + } + } +} \ No newline at end of file diff --git a/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_PollingConfig.json b/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_PollingConfig.json new file mode 100644 index 00000000000..d6fa99ee5d3 --- /dev/null +++ b/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_PollingConfig.json 
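Review bot: The `BaseUrl` textbox accepts any free-text value and the pollers send the API token as a bearer header to whatever host is entered, so a typo or an `http://` URL would transmit the secret to an unintended or unencrypted endpoint; the step 2 text asks for `https://` but nothing here enforces it. If the Textbox schema supports a required/validation flag, use it, and make the expectation explicit in the step 3 text, e.g. `"description": "Enter the 1Password base URL (must begin with https://) & API Token below:"`. Separately, `permissionsDisplayText` says "Read and Write permissions are required" while `requiredPermissions` also sets `"delete": true`; align the displayed text with the declared permission, or drop `delete` if the connector does not need it.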
@@ -0,0 +1,146 @@
+[
+ {
+ "name": "OnePasswordSignInEvents",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "1PasswordCCPDefinition",
+ "dataType": "OnePasswordEventLogs_CL",
+ "dcrConfig": {
+ "streamName": "Custom-OnePasswordEventLogs_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "{{ApiToken}}",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[format('{0}/api/v1/signinattempts', {{baseUrl}})]",
+ "httpMethod": "Post",
+ "queryWindowInMin": 5,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "rateLimitQps": 1,
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }",
+ "isPostPayloadJson": true
+ },
+ "response": {
+ "format": "json",
+ "eventsJsonPaths": [
+ "$.items"
+ ]
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "nextPageParaName": "cursor",
+ "nextPageTokenJsonPath": "$.cursor",
+ "hasNextFlagJsonPath": "$.has_more"
+ }
+ }
+ },
+ {
+ "name": "OnePasswordAuditEvents",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "1PasswordCCPDefinition",
+ "dataType": "OnePasswordEventLogs_CL",
+ "dcrConfig": {
+ "streamName": "Custom-OnePasswordEventLogs_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "{{ApiToken}}",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[format('{0}/api/v1/auditevents', {{BasrUrl}})]",
+ "httpMethod": "Post",
+ "queryWindowInMin": 5,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "rateLimitQps": 1,
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }",
+ "isPostPayloadJson": true
+ },
+ "response": {
+ "format": "json",
+ "eventsJsonPaths": [
+ "$.items"
+ ]
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "nextPageParaName": "cursor",
+ "nextPageTokenJsonPath": "$.cursor",
+ "hasNextFlagJsonPath": "$.has_more"
+ }
+ }
+ },
+ {
+ "name": "OnePasswordItemUsageEvents",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "connectorDefinitionName": "1PasswordCCPDefinition",
+ "dataType": "OnePasswordEventLogs_CL",
+ "dcrConfig": {
+ "streamName": "Custom-OnePasswordEventLogs_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ },
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "{{ApiToken}}",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[format('{0}/api/v1/itemusages', {{BaseUrl}})]",
+ "httpMethod": "Post",
+ "queryWindowInMin": 1,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "rateLimitQps": 5,
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }",
+ "isPostPayloadJson": true
+ },
+ "response": {
+ "format": "json",
+ "eventsJsonPaths": [
+ "$.items"
+ ]
+ },
+ "paging": {
+ "pagingType": "NextPageToken",
+ "nextPageParaName": "cursor",
+ "nextPageTokenJsonPath": "$.cursor",
+ "hasNextFlagJsonPath": "$.has_more"
+ }
+ }
+ }
+]
\ No newline at end of file
diff --git a/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_tables.json b/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_tables.json
new file mode 100644
index 00000000000..4f4ee98bfe3
--- /dev/null
+++ b/Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_tables.json
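Review bot: The three `apiEndpoint` expressions reference the base URL under three different names — `{{baseUrl}}` for signinattempts, `{{BasrUrl}}` for auditevents and `{{BaseUrl}}` for itemusages — while the connector definition's textbox is named `BaseUrl`; placeholder substitution is presumably case-sensitive, so only the itemusages poller would resolve to the entered URL and the other two would be built against an unresolved value. Change the two endpoints to `"apiEndpoint": "[[format('{0}/api/v1/signinattempts', {{BaseUrl}})]"` and `"apiEndpoint": "[[format('{0}/api/v1/auditevents', {{BaseUrl}})]"`. The itemusages poller also inverts the tuning of the other two (`queryWindowInMin: 1`, `rateLimitQps: 5` versus 5 and 1); if that is not deliberate, align it so one poller does not hit the 1Password rate limit five times harder than the others. All three pollers share one stream and one table, so nothing in this file distinguishes the event types other than the DCR transform's field heuristic.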
@@ -0,0 +1,125 @@
+{
+ "name": "OnePasswordEventLogs_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "{{location}}",
+ "properties": {
+ "schema": {
+ "name": "OnePasswordEventLogs_CL",
+ "columns": [
+ {
+ "name": "SourceSystem",
+ "type": "string"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "uuid_s",
+ "type": "string"
+ },
+ {
+ "name": "session_uuid",
+ "type": "string"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "country",
+ "type": "string"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "action_type",
+ "type": "string"
+ },
+ {
+ "name": "details",
+ "type": "dynamic"
+ },
+ {
+ "name": "target_user",
+ "type": "dynamic"
+ },
+ {
+ "name": "client",
+ "type": "dynamic"
+ },
+ {
+ "name": "location",
+ "type": "dynamic"
+ },
+ {
+ "name": "actor_uuid",
+ "type": "string"
+ },
+ {
+ "name": "actor_details",
+ "type": "dynamic"
+ },
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "object_type",
+ "type": "string"
+ },
+ {
+ "name": "object_uuid",
+ "type": "string"
+ },
+ {
+ "name": "object_details",
+ "type": "dynamic"
+ },
+ {
+ "name": "aux_id",
+ "type": "int"
+ },
+ {
+ "name": "aux_uuid",
+ "type": "string"
+ },
+ {
+ "name": "aux_details",
+ "type": "dynamic"
+ },
+ {
+ "name": "aux_info",
+ "type": "string"
+ },
+ {
+ "name": "session",
+ "type": "dynamic"
+ },
+ {
+ "name": "used_version",
+ "type": "int"
+ },
+ {
+ "name": "vault_uuid",
+ "type": "string"
+ },
+ {
+ "name": "item_uuid",
+ "type": "string"
+ },
+ {
+ "name": "user",
+ "type": "dynamic"
+ },
+ {
+ "name": "log_source",
+ "type": "string"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
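Review bot: The column `uuid_s` breaks the convention of the other event columns in this schema, which carry the raw 1Password field names (`session_uuid`, `actor_uuid`, `item_uuid`), and nothing in the solution maps a source field onto it — the DCR `transformKql` in azuredeploy_1Password_poller_connector.json only adds `TimeGenerated` and `log_source`. If the Events API emits the event identifier as `uuid`, as the sibling names suggest, that identifier is silently dropped at ingestion, which removes the one key an analyst needs to deduplicate polled pages or pivot back to the 1Password record. Either rename the column, `"name": "uuid",`, or add a `| project-rename uuid_s = uuid` step to the transform, and confirm against a sample payload which field name the API actually uses. The same column list is repeated in the `Microsoft.OperationalInsights/workspaces/tables` resource embedded in azuredeploy_1Password_poller_connector.json and must change in step.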
diff --git a/Solutions/1Password/Data Connectors/1Password_ccpv2/azuredeploy_1Password_poller_connector.json b/Solutions/1Password/Data Connectors/1Password_ccpv2/azuredeploy_1Password_poller_connector.json
new file mode 100644
index 00000000000..4949b4cf9dd
--- /dev/null
+++ b/Solutions/1Password/Data Connectors/1Password_ccpv2/azuredeploy_1Password_poller_connector.json
@@ -0,0 +1,682 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "defaultValue": "[resourceGroup().location]", + "minLength": 1, + "type": "String", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace": { + "defaultValue": "", + "type": "String", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "_solutionName": "OnePassword", + "_solutionVersion": "3.0.0", + "_solutionAuthor": "Rogier Dijkman", + "_solutionPublisher": "1Password", + "_solutionTier": "Community", + "solutionId": "1Password_Azurekid", + "_solutionId": "[variables('solutionId')]", + "dataConnectorVersionConnections": "1.0.0", + "_dataConnectorContentIdConnectorDefinition": "1Password-CodelessConnector", + "dataConnectorTemplateNameConnectorDefinition": "[format('contentTemplate-{0}', uniquestring(variables('_dataConnectorContentIdConnectorDefinition')))]", + "_dataConnectorContentIdConnections": "1PasswordEvents", + "dataConnectorTemplateNameConnections": "[format('{0}-dc-{1}', parameters('workspace'), uniquestring(variables('_dataConnectorContentIdConnections')))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[format('{0}/Microsoft.SecurityInsights/{1}-v{2}', parameters('workspace'), variables('dataConnectorTemplateNameConnectorDefinition'), variables('dataConnectorVersionConnections'))]", + "location": 
"[parameters('location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "displayName": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "contentKind": "DataConnector", + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition'),'-', variables('dataConnectorVersionConnections'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorVersionConnections')]", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnections')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[format('{0}/Microsoft.SecurityInsights/DataConnector-{1}', parameters('workspace'), variables('_dataConnectorContentIdConnectorDefinition'))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersionConnections')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": 
"[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "[variables('_solutionAuthor')]", + "tier": "[variables('_solutionTier')]" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2021-09-01-preview", + "name": "1Password", + "location": "[parameters('location')]", + "properties": { + "dataCollectionEndpointId": "[format('{0}/providers/Microsoft.Insights/dataCollectionEndpoints/{1}', resourceGroup().id, parameters('workspace'))]", + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]", + "name": "[parameters('workspace')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-OnePasswordEventLogs_CL" + ], + "destinations": [ + "[parameters('workspace')]" + ], + "outputStream": "Custom-OnePasswordEventLogs_CL", + "transformKql": "source | extend TimeGenerated = now(), log_source = case(isnotempty(used_version) or isnotempty(aux_id), 'itemusages', isnotempty(country), 'signinattempts', isempty(used_version) and isempty(aux_id) and isempty(country), 'auditevents', 'unknown')" + } + ] + } + }, + { + "name": "OnePasswordEventLogs_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('location')]", + "kind": null, + "properties": { + "schema": { + "name": "OnePasswordEventLogs_CL", + "columns": [ + { + "name": "SourceSystem", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "uuid_s", + "type": "string" + }, + { + "name": "session_uuid", + "type": "string" + }, + { + "name": "timestamp", + "type": "datetime" + }, + { + 
"name": "country", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "action_type", + "type": "string" + }, + { + "name": "details", + "type": "dynamic" + }, + { + "name": "target_user", + "type": "dynamic" + }, + { + "name": "client", + "type": "dynamic" + }, + { + "name": "location", + "type": "dynamic" + }, + { + "name": "actor_uuid", + "type": "string" + }, + { + "name": "actor_details", + "type": "dynamic" + }, + { + "name": "action", + "type": "string" + }, + { + "name": "object_type", + "type": "string" + }, + { + "name": "object_uuid", + "type": "string" + }, + { + "name": "object_details", + "type": "dynamic" + }, + { + "name": "aux_id", + "type": "int" + }, + { + "name": "aux_uuid", + "type": "string" + }, + { + "name": "aux_details", + "type": "dynamic" + }, + { + "name": "aux_info", + "type": "string" + }, + { + "name": "session", + "type": "dynamic" + }, + { + "name": "used_version", + "type": "int" + }, + { + "name": "vault_uuid", + "type": "string" + }, + { + "name": "item_uuid", + "type": "string" + }, + { + "name": "user", + "type": "dynamic" + }, + { + "name": "log_source", + "type": "string" + } + ] + } + } + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "apiVersion": "2022-09-01-preview", + "name": "[format('{0}/Microsoft.SecurityInsights/{1}', parameters('workspace'), variables('_dataConnectorContentIdConnectorDefinition'))]", + "location": "[parameters('location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "title": "1Password (Serverless)", + "publisher": "[variables('_solutionPublisher')]", + "descriptionMarkdown": "The 1Password CCP connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel.", + "graphQueriesTableName": "OnePasswordEventLogs_CL", + "graphQueries": [ + { + "metricName": "Total 
Sign In Attempts received", + "legend": "SignIn Attempts", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'signinattempts'" + }, + { + "metricName": "Total Audit Events received", + "legend": "Audit Events", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'auditevents'" + }, + { + "metricName": "Total Item Usage Events received", + "legend": "Item Usage Events", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'itemusages'" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of 1Password events", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "OnePasswordEventLogs_CL", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "1Password API token", + "description": "A 1Password API Token is required. See the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) on how to create an API token." + } + ] + }, + "instructionSteps": [ + { + "title": "STEP 1 - Create a 1Password API token:", + "description": "Follow the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) for guidance on this step." + }, + { + "title": "STEP 2 - Choose the correct base URL:", + "description": "There are multiple 1Password servers which might host your events. 
The correct server depends on your license and region. Follow the [1Password documentation](https://developer.1password.com/docs/events-api/reference/#servers) to choose the correct server. Input the base URL as displayed by the documentation (including 'https://' and without a trailing '/')." + }, + { + "title": "STEP 3 - Enter your 1Password Details:", + "description": "Enter the 1Password base URL & API Token below:", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Base Url", + "placeholder": "Enter your Base Url", + "type": "text", + "name": "BaseUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "API Token", + "placeholder": "Enter your API Token", + "type": "password", + "name": "ApiToken" + } + }, + { + "type": "ConnectionToggleButton", + "parameters": { + "connectLabel": "connect", + "name": "connect" + } + } + ] + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[format('{0}/Microsoft.SecurityInsights/DataConnector-{1}', parameters('workspace'), variables('_dataConnectorContentIdConnectorDefinition'))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersionConnections')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "[variables('_solutionAuthor')]", + "tier": "[variables('_solutionTier')]" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorVersionConnections')]", + "contentId": 
"[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[format('{0}/Microsoft.SecurityInsights/{1}{2}', parameters('workspace'), variables('dataConnectorTemplateNameConnections'), variables('dataConnectorVersionConnections'))]", + "location": "[parameters('location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "displayName": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "contentKind": "ResourcesDataConnector", + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections'),'-', variables('dataConnectorVersionConnections'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorVersionConnections')]", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersionConnections')]", + "parameters": { + "BaseUrl": { + "defaultValue": "-NA-", + "type": "string", + "minLength": 1 + }, + "ApiToken": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + }, + "connectorDefinitionName": { + "defaultValue": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", 
+ "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "AuthorizationCode": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections": "[variables('_dataConnectorContentIdConnections')]" + }, + "resources": [ + { + "name": "[format('{0}/Microsoft.SecurityInsights/DataConnector-{1}', parameters('workspace'), variables('_dataConnectorContentIdConnections'))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections'))]", + "contentId": "[variables('_dataConnectorContentIdConnections')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorVersionConnections')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "[variables('_solutionAuthor')]" + }, + "support": { + "name": "[variables('_solutionAuthor')]", + "tier": "[variables('_solutionTier')]" + } + } + }, + { + "name": "[format('{0}/Microsoft.SecurityInsights/OnePasswordSignInEvents', parameters('workspace'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "dataType": "OnePasswordEventLogs_CL", + "dcrConfig": { + "streamName": "Custom-OnePasswordEventLogs_CL", + "dataCollectionEndpoint": 
"[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('ApiToken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "Bearer" + }, + "request": { + "apiEndpoint": "[[format('{0}/api/v1/signinattempts', parameters('BaseUrl'))]", + "httpMethod": "Post", + "queryWindowInMin": 5, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 1, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json" + }, + "queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }", + "isPostPayloadJson": true + }, + "response": { + "format": "json", + "eventsJsonPaths": [ + "$.items" + ] + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageParaName": "cursor", + "nextPageTokenJsonPath": "$.cursor", + "hasNextFlagJsonPath": "$.has_more" + } + } + }, + { + "name": "[format('{0}/Microsoft.SecurityInsights/OnePasswordAuditEvents', parameters('workspace'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "dataType": "OnePasswordEventLogs_CL", + "dcrConfig": { + "streamName": "Custom-OnePasswordEventLogs_CL", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('ApiToken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "Bearer" + }, + "request": { + "apiEndpoint": "[[format('{0}/api/v1/auditevents', parameters('BaseUrl'))]", + "httpMethod": "Post", + "queryWindowInMin": 
5, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 1, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json" + }, + "queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }", + "isPostPayloadJson": true + }, + "response": { + "format": "json", + "eventsJsonPaths": [ + "$.items" + ] + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageParaName": "cursor", + "nextPageTokenJsonPath": "$.cursor", + "hasNextFlagJsonPath": "$.has_more" + } + } + }, + { + "name": "[format('{0}/Microsoft.SecurityInsights/OnePasswordItemUsageEvents', parameters('workspace'))]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "[variables('_dataConnectorContentIdConnectorDefinition')]", + "dataType": "OnePasswordEventLogs_CL", + "dcrConfig": { + "streamName": "Custom-OnePasswordEventLogs_CL", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('ApiToken')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "Bearer" + }, + "request": { + "apiEndpoint": "[[format('{0}/api/v1/itemusages', parameters('BaseUrl'))]", + "httpMethod": "Post", + "queryWindowInMin": 1, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 5, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json" + }, + "queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }", + "isPostPayloadJson": true + }, + "response": { + "format": "json", + "eventsJsonPaths": [ + "$.items" + ] + }, + "paging": { 
+ "pagingType": "NextPageToken", + "nextPageParaName": "cursor", + "nextPageTokenJsonPath": "$.cursor", + "hasNextFlagJsonPath": "$.has_more" + } + } + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "name": "[format('{0}/Microsoft.SecurityInsights/{1}', parameters('workspace'), variables('_solutionId'))]", + "location": "[parameters('location')]", + "properties": { + "version": "1.0.3", + "kind": "Solution", + "contentSchemaVersion": "1.0.0", + "displayName": "[variables('_solutionName')]", + "publisherDisplayName": "[variables('_solutionPublisher')]", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "1Password",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "[variables('_solutionAuthor')]"
+ },
+ "support": {
+ "name": "[variables('_solutionAuthor')]",
+ "tier": "[variables('_solutionTier')]"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentIdConnections')]",
+ "version": "[variables('dataConnectorVersionConnections')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2024-03-01",
+ "providers": [
+ "1Password"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/Solutions/1Password/Data/Solution_1Password.json b/Solutions/1Password/Data/Solution_1Password.json
index 814849f6e08..7051b731545
--- a/Solutions/1Password/Data/Solution_1Password.json
+++ b/Solutions/1Password/Data/Solution_1Password.json
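Review bot: The DCR `transformKql` stamps every row with `TimeGenerated = now()`, so analytics rules, the `lastDataReceivedQuery` and incident timelines see poll time rather than event time; a retried or backfilled poll will surface old 1Password sign-in or vault-export events as if they had just happened, on top of the lag the 5-minute query windows already add. If the `timestamp` field is present in the stream, `TimeGenerated = iff(isnotempty(timestamp), todatetime(timestamp), now())` keeps the event time while still guaranteeing a value. Separately, the inner template declares a `securestring` parameter `AuthorizationCode` that no resource references, which should be removed so reviewers are not led to look for a second credential path, and the `contentPackages` resource pins `"version": "1.0.3"` while `_solutionVersion` is `3.0.0` in this file and `Version` is `3.0.2` in Solution_1Password.json, so at least one of these will not match the published package.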
@@ -5,7 +5,9 @@ "Description": "The [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the [1Password Events Reporting API](https://developer.1password.com/docs/events-api). This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of which may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or may incur additional ingestion or operational costs:\n\na. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)", "WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and creating rich visual reports within the Azure portal. They allow you to combine one or more data sources from Microsoft Sentinel into unified interactive experience.", "Data Connectors": [ + "Data Connectors/1Password_ccpv2/1Password_DataConnectorDefinition.json", "Data Connectors/1Password_API_FunctionApp.json" + ], "Workbooks": [ "Workbooks/1Password.json" @@ -31,9 +33,9 @@ "Analytics Rules/1Password - Vault export prior to account suspension or deletion.yaml", "Analytics Rules/1Password - Vault export.yaml" ], - "BasePath": "C:\\1Password", - "Version": "1.0.0", + "BasePath": "C:\\GitHub\\azure-Sentinel\\Solutions\\1Password", + "Version": "3.0.2", "Metadata": "SolutionMetadata.json", - "TemplateSpec": false, + "TemplateSpec": true, "Is1PConnector": false } \ No newline at end of file diff --git a/Solutions/1Password/Package/3.0.2.zip b/Solutions/1Password/Package/3.0.2.zip new file mode 100644 index 00000000000..5874b55b357 Binary files /dev/null and b/Solutions/1Password/Package/3.0.2.zip differ 
diff --git a/Solutions/1Password/Package/createUiDefinition.json b/Solutions/1Password/Package/createUiDefinition.json
index d75070e5633..789d789259f
--- a/Solutions/1Password/Package/createUiDefinition.json
+++ b/Solutions/1Password/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/1Password/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the [1Password Events Reporting API](https://developer.1password.com/docs/events-api). This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of which may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or may incur additional ingestion or operational costs:\n\na. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 18\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/1Password/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the [1Password Events Reporting API](https://developer.1password.com/docs/events-api). This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of which may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or may incur additional ingestion or operational costs:\n\na. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 2, **Workbooks:** 1, **Analytic Rules:** 18\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -59,6 +59,23 @@
 {
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for 1Password. You can get 1Password data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ },
+ {
+ "name": "dataconnectors2-text",
+ "type": "Microsoft.Common.TextBlock",
 "options": {
 "text": "This Solution installs the data connector for 1Password. You can get 1Password custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
diff --git a/Solutions/1Password/Package/mainTemplate.json b/Solutions/1Password/Package/mainTemplate.json
index fea4bc3a7c7..a15afd820e8
--- a/Solutions/1Password/Package/mainTemplate.json
+++ b/Solutions/1Password/Package/mainTemplate.json
@@ -28,6 +28,20 @@
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
 },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
 "workbook1-name": {
 "type": "string",
 "defaultValue": "1Password Events Workbook",
@@ -39,24 +53,31 @@ }, "variables": { "_solutionName": "1Password", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "1password1617200969773.azure-sentinel-solution-1password", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "1Password", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "1Password", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "dataConnectorCCPVersion": "1.0.0", + "_dataConnectorContentIdConnectorDefinition1": "1PasswordCCPDefinition", + "dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", + "_dataConnectorContentIdConnections1": "1PasswordCCPDefinitionConnections", + "dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", + "dataCollectionEndpointId1": 
"[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]", + "blanks": "[replace('b', 'b', '')]", + "uiConfigId2": "1Password", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "1Password", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "1PasswordWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { "analyticRuleVersion1": "1.0.0", 
@@ -190,28 +211,739 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password data connector with template version 3.0.1", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "displayName": "1Password (Serverless)", + "contentKind": "DataConnector", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", + "contentVersion": "[variables('dataConnectorCCPVersion')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "title": "1Password (Serverless)", + "publisher": "1Password", + "id": "1PasswordCCPDefinition", + "descriptionMarkdown": "The 1Password CCP connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel.", + "graphQueriesTableName": "OnePasswordEventLogs_CL", + "graphQueries": [ + { + "metricName": "Total 
Sign In Attempts received", + "legend": "SignIn Attempts", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'signinattempts'" + }, + { + "metricName": "Total Audit Events received", + "legend": "Audit Events", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'auditevents'" + }, + { + "metricName": "Total Item Usage Events received", + "legend": "Item Usage Events", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'itemusages'" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of 1Password events", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "OnePasswordEventLogs_CL", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "1Password API token", + "description": "A 1Password API Token is required. See the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) on how to create an API token." + } + ] + }, + "instructionSteps": [ + { + "title": "STEP 1 - Create a 1Password API token:", + "description": "Follow the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) for guidance on this step." + }, + { + "title": "STEP 2 - Choose the correct base URL:", + "description": "There are multiple 1Password servers which might host your events. The correct server depends on your license and region. 
Follow the [1Password documentation](https://developer.1password.com/docs/events-api/reference/#servers) to choose the correct server. Input the base URL as displayed by the documentation (including 'https://' and without a trailing '/')." + }, + { + "title": "STEP 3 - Enter your 1Password Details:", + "description": "Enter the 1Password base URL & API Token below:", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Base Url", + "placeholder": "Enter your Base Url", + "type": "text", + "name": "BaseUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "API Token", + "placeholder": "Enter your API Token", + "type": "password", + "name": "ApiToken" + } + }, + { + "type": "ConnectionToggleButton", + "parameters": { + "connectLabel": "connect", + "name": "connect" + } + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Rogier Dijkman (SecureHats)" + }, + "support": { + "name": "1Password", + "tier": "Partner", + "link": "https://support.1password.com/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": 
"ResourcesDataConnector" + } + ] + } + } + }, + { + "name": "1PasswordDCR", + "apiVersion": "2022-06-01", + "type": "Microsoft.Insights/dataCollectionRules", + "location": "[parameters('workspace-location')]", + "kind": "[variables('blanks')]", + "properties": { + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId1')]", + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaceResourceId')]", + "name": "clv2ws1" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "Custom-OnePasswordEventLogs_CL" + ], + "destinations": [ + "clv2ws1" + ], + "outputStream": "Custom-OnePasswordEventLogs_CL", + "transformKql": "source | extend TimeGenerated = now(), log_source = case(isnotempty(used_version) or isnotempty(aux_id), 'itemusages', isnotempty(country), 'signinattempts', isempty(used_version) and isempty(aux_id) and isempty(country), 'auditevents', 'unknown')" + } + ] + } + }, + { + "name": "OnePasswordEventLogs_CL", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/tables", + "location": "[parameters('workspace-location')]", + "kind": null, + "properties": { + "schema": { + "name": "OnePasswordEventLogs_CL", + "columns": [ + { + "name": "SourceSystem", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "uuid_s", + "type": "string" + }, + { + "name": "session_uuid", + "type": "string" + }, + { + "name": "timestamp", + "type": "datetime" + }, + { + "name": "country", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "action_type", + "type": "string" + }, + { + "name": "details", + "type": "dynamic" + }, + { + "name": "target_user", + "type": "dynamic" + }, + { + "name": "client", + "type": "dynamic" + }, + { + "name": "location", + "type": "dynamic" + }, + { + "name": "actor_uuid", + "type": "string" + }, + { + "name": "actor_details", + "type": "dynamic" + }, + { + "name": "action", + "type": "string" + }, + { + 
"name": "object_type", + "type": "string" + }, + { + "name": "object_uuid", + "type": "string" + }, + { + "name": "object_details", + "type": "dynamic" + }, + { + "name": "aux_id", + "type": "int" + }, + { + "name": "aux_uuid", + "type": "string" + }, + { + "name": "aux_details", + "type": "dynamic" + }, + { + "name": "aux_info", + "type": "string" + }, + { + "name": "session", + "type": "dynamic" + }, + { + "name": "used_version", + "type": "int" + }, + { + "name": "vault_uuid", + "type": "string" + }, + { + "name": "item_uuid", + "type": "string" + }, + { + "name": "user", + "type": "dynamic" + }, + { + "name": "log_source", + "type": "string" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", + "apiVersion": "2022-09-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "title": "1Password (Serverless)", + "publisher": "1Password", + "id": "1PasswordCCPDefinition", + "descriptionMarkdown": "The 1Password CCP connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel.", + "graphQueriesTableName": "OnePasswordEventLogs_CL", + "graphQueries": [ + { + "metricName": "Total Sign In Attempts received", + "legend": "SignIn 
Attempts", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'signinattempts'" + }, + { + "metricName": "Total Audit Events received", + "legend": "Audit Events", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'auditevents'" + }, + { + "metricName": "Total Item Usage Events received", + "legend": "Item Usage Events", + "baseQuery": "{{graphQueriesTableName}} | where log_source == 'itemusages'" + } + ], + "sampleQueries": [ + { + "description": "Get Sample of 1Password events", + "query": "{{graphQueriesTableName}}\n | take 10" + } + ], + "dataTypes": [ + { + "name": "OnePasswordEventLogs_CL", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "1Password API token", + "description": "A 1Password API Token is required. See the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) on how to create an API token." + } + ] + }, + "instructionSteps": [ + { + "title": "STEP 1 - Create a 1Password API token:", + "description": "Follow the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) for guidance on this step." + }, + { + "title": "STEP 2 - Choose the correct base URL:", + "description": "There are multiple 1Password servers which might host your events. The correct server depends on your license and region. 
Follow the [1Password documentation](https://developer.1password.com/docs/events-api/reference/#servers) to choose the correct server. Input the base URL as displayed by the documentation (including 'https://' and without a trailing '/')." + }, + { + "title": "STEP 3 - Enter your 1Password Details:", + "description": "Enter the 1Password base URL & API Token below:", + "instructions": [ + { + "type": "Textbox", + "parameters": { + "label": "Base Url", + "placeholder": "Enter your Base Url", + "type": "text", + "name": "BaseUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "API Token", + "placeholder": "Enter your API Token", + "type": "password", + "name": "ApiToken" + } + }, + { + "type": "ConnectionToggleButton", + "parameters": { + "connectLabel": "connect", + "name": "connect" + } + } + ] + } + ] + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", + "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Rogier Dijkman (SecureHats)" + }, + "support": { + "name": "1Password", + "tier": "Partner", + "link": "https://support.1password.com/" + }, + "dependencies": { + "criteria": [ + { + "version": "[variables('dataConnectorCCPVersion')]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": 
"ResourcesDataConnector" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "displayName": "1Password (Serverless)", + "contentKind": "ResourcesDataConnector", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorCCPVersion')]", + "parameters": { + "apikey": { + "defaultValue": "-NA-", + "type": "securestring", + "minLength": 1 + }, + "baseUrl": { + "defaultValue": "Enter baseUrl value", + "type": "string", + "minLength": 1 + }, + "BasrUrl": { + "defaultValue": "Enter BasrUrl value", + "type": "string", + "minLength": 1 + }, + "connectorDefinitionName": { + "defaultValue": "1Password (Serverless)", + "type": "string", + "minLength": 1 + }, + "workspace": { + "defaultValue": "[parameters('workspace')]", + "type": "string" + }, + "dcrConfig": { + "defaultValue": { + "dataCollectionEndpoint": "data collection Endpoint", + "dataCollectionRuleImmutableId": "data collection rule immutableId" + }, + "type": "object" + }, + "ApiToken": { + "defaultValue": "ApiToken", + "type": "string", + "minLength": 1 + } + }, + "variables": { + "_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]" + }, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', 
variables('_dataConnectorContentIdConnections1')))]", + "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "kind": "ResourcesDataConnector", + "version": "[variables('dataConnectorCCPVersion')]", + "source": { + "sourceId": "[variables('_solutionId')]", + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Rogier Dijkman (SecureHats)" + }, + "support": { + "name": "1Password", + "tier": "Partner", + "link": "https://support.1password.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'OnePasswordSignInEvents')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "1PasswordCCPDefinition", + "dataType": "OnePasswordEventLogs_CL", + "dcrConfig": { + "streamName": "Custom-OnePasswordEventLogs_CL", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apikey')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "Bearer" + }, + "request": { + "apiEndpoint": "[[concat('[[format('{0}/api/v1/signinattempts', ', parameters('baseUrl'), ')]')]", + "httpMethod": "Post", + "queryWindowInMin": 5, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 1, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json" + }, + 
"queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }", + "isPostPayloadJson": true + }, + "response": { + "format": "json", + "eventsJsonPaths": [ + "$.items" + ] + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageParaName": "cursor", + "nextPageTokenJsonPath": "$.cursor", + "hasNextFlagJsonPath": "$.has_more" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'OnePasswordAuditEvents')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "1PasswordCCPDefinition", + "dataType": "OnePasswordEventLogs_CL", + "dcrConfig": { + "streamName": "Custom-OnePasswordEventLogs_CL", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apikey')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "Bearer" + }, + "request": { + "apiEndpoint": "[[concat('[[format('{0}/api/v1/auditevents', ', parameters('BasrUrl'), ')]')]", + "httpMethod": "Post", + "queryWindowInMin": 5, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 1, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json" + }, + "queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }", + "isPostPayloadJson": true + }, + "response": { + "format": "json", + "eventsJsonPaths": [ + "$.items" + ] + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageParaName": "cursor", + "nextPageTokenJsonPath": "$.cursor", + "hasNextFlagJsonPath": "$.has_more" + } + } + }, + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'OnePasswordItemUsageEvents')]", + "apiVersion": "2023-02-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", + "properties": { + "connectorDefinitionName": "1PasswordCCPDefinition", + "dataType": "OnePasswordEventLogs_CL", + "dcrConfig": { + "streamName": "Custom-OnePasswordEventLogs_CL", + "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", + "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + }, + "auth": { + "type": "APIKey", + "ApiKey": "[[parameters('apikey')]", + "ApiKeyName": "Authorization", + "ApiKeyIdentifier": "Bearer" + }, + "request": { + "apiEndpoint": "[[concat('[[format('{0}/api/v1/itemusages', ', parameters('BaseUrl'), ')]')]", + "httpMethod": "Post", + "queryWindowInMin": 1, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "rateLimitQps": 5, + "retryCount": 3, + "timeoutInSeconds": 60, + "headers": { + "Content-Type": "application/json" + }, + "queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }", + "isPostPayloadJson": true + }, + "response": { + "format": "json", + "eventsJsonPaths": [ + "$.items" + ] + }, + "paging": { + "pagingType": "NextPageToken", + "nextPageParaName": "cursor", + "nextPageTokenJsonPath": "$.cursor", + "hasNextFlagJsonPath": "$.has_more" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]", + "packageId": "[variables('_solutionId')]", + 
"contentSchemaVersion": "3.0.0", + "version": "[variables('dataConnectorCCPVersion')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "1Password data connector with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", "kind": "GenericUI", "properties": { "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", + "id": "[variables('_uiConfigId2')]", "title": "1Password (using Azure Functions)", "publisher": "1Password", "descriptionMarkdown": "The [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the [1Password Events Reporting API](https://developer.1password.com/docs/events-api). 
This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of which may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or may incur additional ingestion or operational costs:\n\n- [Azure Functions](https://azure.microsoft.com/services/functions/#overview)", @@ -296,12 +1028,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "version": "[variables('dataConnectorVersion2')]", "source": { "kind": "Solution", "name": "1Password", 
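Review bot: The bearer token the connector UI collects is not the one the pollers read, and the one it collects is unprotected: the password textbox in the connector definition is named `ApiToken`, which the ResourcesDataConnector template declares as `"type": "string"` with default `"ApiToken"`, while all three RestApiPoller resources use `[[parameters('apikey')]`, the `securestring` defaulting to `-NA-`. Unless the portal maps one name onto the other (not visible here), the pollers will send `Bearer -NA-` and whatever is typed lands in plain text in the deployment record; I'd declare `"ApiToken": { "type": "securestring", "minLength": 1 }` with no default, drop `apikey`, and point each `ApiKey` at `[[parameters('ApiToken')]`. The base URL has the same split: the auditevents poller reads `parameters('BasrUrl')` (default `Enter BasrUrl value`) while the other two read `baseUrl`/`BaseUrl`, so audit events would be requested from a placeholder host. The three `apiEndpoint` expressions also look mangled — `concat('[[format('{0}/api/v1/signinattempts', ', parameters('baseUrl'), ')]')` has unbalanced single quotes — and the plain `[[concat(parameters('baseUrl'), '/api/v1/signinattempts')]` is what the poller needs. Finally, `requiredPermissions` asks for `"delete": true` while `permissionsDisplayText` promises only read and write; drop it unless the connector actually deletes workspace resources.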
@@ -324,27 +1056,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", + "contentId": "[variables('_dataConnectorContentId2')]", "contentKind": "DataConnector", "displayName": "1Password (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "dependsOn": [ - "[variables('_dataConnectorId1')]" + "[variables('_dataConnectorId2')]" ], "location": "[parameters('workspace-location')]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", + "version": "[variables('dataConnectorVersion2')]", "source": { "kind": "Solution", "name": "1Password", 
@@ -361,7 +1093,7 @@ } }, { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", @@ -445,7 +1177,7 @@ "title": "Option 1 - Azure Resource Manager (ARM) Template" } ], - "id": "[variables('_uiConfigId1')]", + "id": "[variables('_uiConfigId2')]", "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." } } @@ -459,7 +1191,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password Workbook with template version 3.0.1", + "description": "1Password Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -545,7 +1277,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Changes to firewall rules_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Changes to firewall rules_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -573,10 +1305,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -610,10 +1342,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } @@ -668,7 +1400,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Changes to SSO configuration_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Changes to SSO configuration_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -696,10 +1428,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -736,10 +1468,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } 
@@ -794,7 +1526,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Disable MFA factor or type for all user accounts_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Disable MFA factor or type for all user accounts_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -822,10 +1554,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -859,10 +1591,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } @@ -917,7 +1649,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Log Ingestion Failure_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Log Ingestion Failure_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -945,10 +1677,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -962,10 +1694,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "5h", "enabled": false, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "5h" }, "createIncident": true } @@ -1020,7 +1752,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Manual account creation_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Manual account creation_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1048,10 +1780,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -1094,10 +1826,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AnyAlert", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } 
@@ -1152,7 +1884,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - New service account integration created_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - New service account integration created_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1180,10 +1912,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -1217,10 +1949,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } @@ -1275,7 +2007,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Non-privileged vault user permission change_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Non-privileged vault user permission change_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -1303,10 +2035,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -1349,10 +2081,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } @@ -1407,7 +2139,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Potential insider privilege escalation via group_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Potential insider privilege escalation via group_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1435,10 +2167,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -1481,10 +2213,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } 
@@ -1539,7 +2271,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Potential insider privilege escalation via vault_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Potential insider privilege escalation via vault_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1567,10 +2299,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -1613,10 +2345,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } @@ -1671,7 +2403,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Privileged vault permission change_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Privileged vault permission change_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -1699,10 +2431,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -1745,10 +2477,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } @@ -1803,7 +2535,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Secret extraction post vault access change by administrator_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Secret extraction post vault access change by administrator_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -1831,10 +2563,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -1868,10 +2600,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } 
@@ -1926,7 +2658,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Service account integration token adjustment_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Service account integration token adjustment_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -1954,10 +2686,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -1991,10 +2723,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } @@ -2049,7 +2781,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Successful anomalous sign-in_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Successful anomalous sign-in_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", 
@@ -2077,10 +2809,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -2117,10 +2849,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": false, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } @@ -2175,7 +2907,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - User account MFA settings changed_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - User account MFA settings changed_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -2203,10 +2935,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -2241,10 +2973,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } 
@@ -2299,7 +3031,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - User added to privileged group_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - User added to privileged group_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -2327,10 +3059,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -2373,10 +3105,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "30m", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "30m" }, "createIncident": true } @@ -2431,7 +3163,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Vault export post account creation_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Vault export post account creation_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", 
@@ -2459,10 +3191,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -2498,10 +3230,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } @@ -2556,7 +3288,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Vault export prior to account suspension or deletion_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Vault export prior to account suspension or deletion_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -2584,10 +3316,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -2621,10 +3353,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } 
@@ -2679,7 +3411,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "1Password - Vault export_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "1Password - Vault export_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", @@ -2707,10 +3439,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "1Password", "dataTypes": [ "OnePasswordEventLogs_CL" - ], - "connectorId": "1Password" + ] } ], "tactics": [ @@ -2744,10 +3476,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - "lookbackDuration": "1h", "enabled": true, "matchingMethod": "AllEntities", - "reopenClosedIncident": false + "reopenClosedIncident": false, + "lookbackDuration": "1h" }, "createIncident": true } @@ -2798,12 +3530,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "1Password", "publisherDisplayName": "1Password", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The 1Password solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the 1Password Events Reporting API. This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.

\n

Underlying Microsoft Technologies used:

\n

This solution depends on the following technologies, and some of which may be in Preview state or may incur additional ingestion or operational costs:

\n
    \n
  1. Azure Functions
  2. \n
\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 18

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The 1Password solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the 1Password Events Reporting API. This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.

\n

Underlying Microsoft Technologies used:

\n

This solution depends on the following technologies, and some of which may be in Preview state or may incur additional ingestion or operational costs:

\n
    \n
  1. Azure Functions
  2. \n
\n

Data Connectors: 2, Workbooks: 1, Analytic Rules: 18

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2828,8 +3560,13 @@ "criteria": [ { "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" + "contentId": "[variables('_dataConnectorContentIdConnections1')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" }, { "kind": "Workbook", diff --git a/Solutions/1Password/Package/testParameters.json b/Solutions/1Password/Package/testParameters.json index 4d12986a8bc..180dfe587e4 100644 --- a/Solutions/1Password/Package/testParameters.json +++ b/Solutions/1Password/Package/testParameters.json @@ -21,6 +21,20 @@ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" } }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "resource group name where Microsoft Sentinel is setup" + } + }, + "subscription": { + "type": "string", + "defaultValue": "[last(split(subscription().id, '/'))]", + "metadata": { + "description": "subscription id where Microsoft Sentinel is setup" + } + }, "workbook1-name": { "type": "string", "defaultValue": "1Password Events Workbook", diff --git a/Solutions/1Password/ReleaseNotes.md b/Solutions/1Password/ReleaseNotes.md index c9d2ebed8fe..41febda6206 100644 --- a/Solutions/1Password/ReleaseNotes.md +++ b/Solutions/1Password/ReleaseNotes.md @@ -1,4 +1,5 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|----------------------------------------| +| 3.0.2 | 17-09-2024 | Added Codeless connector | | 3.0.1 | 27-06-2024 | Fixed typo error in **Analytic Rule** 1Password - Changes to SSO configuration.yaml
Fixed Logo link and typo in CreateUI | | 3.0.0 | 12-06-2024 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/AbnormalSecurity/.gitignore b/Solutions/AbnormalSecurity/.gitignore new file mode 100644 index 00000000000..31fccd62be0 --- /dev/null +++ b/Solutions/AbnormalSecurity/.gitignore @@ -0,0 +1,2 @@ +.vscode +.python_packages \ No newline at end of file diff --git a/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip b/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip index 01e90cb1bb1..1b9bdb6e51d 100644 Binary files a/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip and b/Solutions/AbnormalSecurity/Data Connectors/AbnormalSecurityConn.zip differ diff --git a/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/__init__.py b/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/__init__.py index 92f58c4f5d5..a290670f2f9 100644 --- a/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/__init__.py +++ b/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/__init__.py @@ -10,11 +10,19 @@ import asyncio import os import re - +import sys import azure.durable_functions as df from .soar_connector_async import AbnormalSoarConnectorAsync from .sentinel_connector_async import AzureSentinelConnectorAsync +from .soar_connector_async_v2 import get_cases, get_threats +from .utils import ( + get_context, + should_use_v2_logic, + set_date_on_entity, + TIME_FORMAT, + Resource, +) RESET_ORCHESTRATION = os.environ.get("RESET_OPERATION", "false") PERSIST_TO_SENTINEL = os.environ.get("PERSIST_TO_SENTINEL", "true") 
@@ -44,7 +52,26 @@ def orchestrator_function(context: df.DurableOrchestrationContext): logging.info(f"Retrieved stored cases datetime: {stored_cases_datetime}") current_datetime = datetime.datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ") - + + logging.info(f"Current python version:: {sys.version}") + if should_use_v2_logic(): + logging.info( + f"Using v2 fetching logic with inputs (threats, cases):: ({stored_threats_datetime},{stored_cases_datetime})" + ) + asyncio.run( + fetch_and_store_abnormal_data_v2( + context=context, + stored_threats_datetime=stored_threats_datetime, + stored_cases_datetime=stored_cases_datetime, + ) + ) + logging.info("Finished v2 fetching") + return + else: + logging.info( + f"Running legacy logic with inputs (threats, cases):: ({stored_threats_datetime},{stored_cases_datetime})" + ) + asyncio.run(transfer_abnormal_data_to_sentinel(stored_threats_datetime, stored_cases_datetime, current_datetime, context)) logging.info("Orchestrator execution finished") 
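Review bot: The `else:` wrapping the legacy call is redundant because the v2 branch ends in `return`; dropping it and de-indenting the two legacy statements keeps the function flat and makes it obvious that exactly one of the two `asyncio.run(...)` calls executes per run. The `current_datetime` value computed on the context line just above is now consumed only by the legacy branch, so moving that assignment under the legacy path would make the v2 path's independence from it explicit. `orchestrator_function` starts before this hunk, so the state it reads (`stored_threats_datetime`, `stored_cases_datetime`) is not visible here.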
@@ -83,4 +110,68 @@ async def consume(sentinel_connector, queue): logging.error(f"Sentinel send request Failed. Err: {e}") queue.task_done() +async def fetch_and_store_abnormal_data_v2( + context: df.DurableOrchestrationContext, + stored_threats_datetime: str, + stored_cases_datetime: str, +): + queue = asyncio.Queue() + try: + threats_ctx = get_context(stored_date_time=stored_threats_datetime) + + logging.info(f"Logging out threats ctx:: {threats_ctx.json(exclude={'API_TOKEN'})}") + logging.info( + f"Threats Timestamps (stored, current): ({stored_threats_datetime}, {threats_ctx.CURRENT_TIME})" + ) + + await get_threats(ctx=threats_ctx, output_queue=queue) + logging.info("Fetching v2 threats completed") + + except Exception as e: + logging.error("Failed to process v2 threats", exc_info=e) + finally: + threats_time = threats_ctx.CURRENT_TIME.strftime(TIME_FORMAT) + set_date_on_entity( + context=context, + time=threats_time, + resource=Resource.threats, + ) + logging.info(f"Stored new v2 threats date: {threats_time}") + + try: + cases_ctx = get_context(stored_date_time=stored_cases_datetime) + + logging.info(f"Logging out cases ctx:: {cases_ctx.json(exclude={'API_TOKEN'})}") + logging.info( + f"Cases Timestamps (stored, current): ({stored_cases_datetime}, {cases_ctx.CURRENT_TIME})" + ) + + await get_cases(ctx=cases_ctx, output_queue=queue) + logging.info("Fetching v2 cases completed") + + except Exception as e: + logging.error("Failed to process v2 cases", exc_info=e) + finally: + cases_time = cases_ctx.CURRENT_TIME.strftime(TIME_FORMAT) + set_date_on_entity( + context=context, + time=cases_time, + resource=Resource.cases, + ) + logging.info(f"Stored new v2 cases date: {cases_time}") + + if should_persist_data_to_sentinel(): + logging.info("Persisting to sentinel") + sentinel_connector = AzureSentinelConnectorAsync( + LOG_ANALYTICS_URI, SENTINEL_WORKSPACE_ID, SENTINEL_SHARED_KEY + ) + consumers = [ + asyncio.create_task(consume(sentinel_connector, queue)) for _ in 
range(3) + ] + await queue.join() # Implicitly awaits consumers, too + for c in consumers: + c.cancel() + await sentinel_connector.flushall() + + main = df.Orchestrator.create(orchestrator_function) \ No newline at end of file diff --git a/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/soar_connector_async.py b/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/soar_connector_async.py index cd6a601a5bb..723155e75a6 100644 --- a/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/soar_connector_async.py +++ b/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/soar_connector_async.py @@ -48,7 +48,7 @@ def _get_header(self): return { "Authorization": f"Bearer {self.api_key}", "Soar-Integration-Origin": "AZURE SENTINEL", - "Azure-Sentinel-Version": "2024-05-29" + "Azure-Sentinel-Version": "2024-10-03" } def _get_filter_query(self, filter_param, gte_datetime=None, lte_datetime=None): diff --git a/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/soar_connector_async_v2.py b/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/soar_connector_async_v2.py new file mode 100644 index 00000000000..22981bd74c1 --- /dev/null +++ b/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/soar_connector_async_v2.py 
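Review bot: Both `finally:` blocks in `fetch_and_store_abnormal_data_v2` advance the stored watermark through `set_date_on_entity` even when `get_threats`/`get_cases` raised, so the interval that failed is skipped on the next orchestration and anything Abnormal reported in that window is never ingested; the `except` only logs and does not prevent the checkpoint. If `get_context(...)`, the first statement of each `try`, raises, `threats_ctx`/`cases_ctx` is unbound inside `finally` and the logged failure turns into an `UnboundLocalError` that aborts the run before the cases fetch and the Sentinel persist step. Changing `finally:` to `else:` in both blocks (`except Exception as e: ... else: threats_time = threats_ctx.CURRENT_TIME.strftime(TIME_FORMAT)`) moves the checkpoint only on success and leaves the previous watermark in place for a retry; if skipping a failed window is intended as best-effort, a comment saying so plus a guard for the unbound-ctx case would be the alternative. A short docstring stating that the function fetches threats, then cases, into `queue` and only afterwards starts the consumers that drain it to Sentinel would also help, since the buffering order is not obvious from the code.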
@@ -0,0 +1,268 @@
+import json
+from urllib.parse import urlencode, urljoin
+import aiohttp
+import logging
+import asyncio
+import itertools
+from typing import Dict, List
+from base64 import b64encode
+from .utils import (
+ OptionalEndTimeRange,
+ FilterParam,
+ MAP_RESOURCE_TO_LOGTYPE,
+ Resource,
+ TIME_FORMAT,
+ compute_intervals,
+ Context,
+ try_str_to_datetime,
+)
+
+
+def get_query_params(
+ filter_param: FilterParam, interval: OptionalEndTimeRange
+) -> Dict[str, str]:
+ filter = filter_param.name
+ filter += f" gte {interval.start.strftime(TIME_FORMAT)}"
+ if interval.end is not None:
+ filter += f" lte {interval.end.strftime(TIME_FORMAT)}"
+
+ return {"filter": filter}
+
+
+def get_headers(ctx: Context) -> Dict[str, str]:
+ sentinel_ctx = b64encode(ctx.json(exclude={'API_TOKEN'}).encode()).decode()
+ return {
+ "X-Sentinel-Context": sentinel_ctx,
+ "X-Abnormal-Trace-Id": str(ctx.TRACE_ID),
+ "Authorization": f"Bearer {ctx.API_TOKEN}",
+ "Soar-Integration-Origin": "AZURE SENTINEL",
+ "Azure-Sentinel-Version": "2024-10-03 V2",
+ }
+
+
+def compute_url(base_url: str, pathname: str, params: Dict[str, str]) -> str:
+ endpoint = urljoin(base_url, pathname)
+
+ params_str = urlencode(params)
+ if params_str:
+ endpoint += f"?{params_str}"
+
+ return endpoint
+
+
+async def fetch_with_retries(url, retries=3, backoff=4, timeout=10, headers=None):
+ logging.info(f"Fetching url: {url}")
+ async def fetch(session, url):
+ async with session.get(url, headers=headers, timeout=timeout) as response:
+ if 500 <= response.status < 600:
+ raise aiohttp.ClientResponseError(
+ request_info=response.request_info,
+ history=response.history,
+ code=response.status,
+ message=response.reason,
+ headers=response.headers,
+ )
+ # response.raise_for_status()
+ text = await response.text()
+ logging.debug(f"API Response for URL: `{url}` is: `{text}`")
+ logging.info(f"API Response Status for URL: `{url}` is `{response.status}`")
+ return json.loads(text)
+
+ async with aiohttp.ClientSession() as session:
+ for attempt in range(1, retries + 1):
+ try:
+ response = await fetch(session, url)
+ return response
+ except aiohttp.ClientResponseError as e:
+ if 500 <= e.status < 600:
+ logging.error("Attempt {attempt} failed with error", exc_info=e)
+ if attempt == retries:
+ raise
+ else:
+ await asyncio.sleep(backoff**attempt)
+ else:
+ raise
+ except aiohttp.ClientError as e:
+ logging.error("Request failed with non-retryable error", exc_info=e)
+ raise
+
+
+async def call_threat_campaigns_endpoint(
+ ctx: Context, interval: OptionalEndTimeRange, semaphore: asyncio.Semaphore
+) -> List[str]:
+ async with semaphore:
+ params = get_query_params(
+ filter_param=FilterParam.latestTimeRemediated, interval=interval
+ )
+
+ threat_campaigns = set()
+
+ nextPageNumber = 1
+ while nextPageNumber:
+ params["pageNumber"] = nextPageNumber
+ endpoint = compute_url(ctx.BASE_URL, "/v1/threats", params)
+ headers = get_headers(ctx)
+
+ response = await fetch_with_retries(url=endpoint, headers=headers)
+ total = response["total"]
+ assert total >= 0
+
+ threat_campaigns.update(
+ [threat["threatId"] for threat in response.get("threats", [])]
+ )
+
+ nextPageNumber = response.get("nextPageNumber")
+ assert nextPageNumber is None or nextPageNumber > 0
+
+ if nextPageNumber is None or nextPageNumber > ctx.MAX_PAGE_NUMBER:
+ break
+
+ return list(threat_campaigns)
+
+
+async def call_cases_endpoint(
+ ctx: Context, interval: OptionalEndTimeRange, semaphore: asyncio.Semaphore
+) -> List[str]:
+ async with semaphore:
+ params = get_query_params(
+ filter_param=FilterParam.customerVisibleTime, interval=interval
+ )
+
+ case_ids = set()
+
+ nextPageNumber = 1
+ while nextPageNumber:
+ params["pageNumber"] = nextPageNumber
+ endpoint = compute_url(ctx.BASE_URL, "/v1/cases", params)
+ headers = get_headers(ctx)
+
+ response = await fetch_with_retries(url=endpoint, headers=headers)
+ total = response["total"]
+ assert total >= 0
+
+ case_ids.update([case["caseId"] for case in response.get("cases", [])])
+
+ nextPageNumber = response.get("nextPageNumber")
+ assert nextPageNumber is None or nextPageNumber > 0
+
+ if nextPageNumber is None or nextPageNumber > ctx.MAX_PAGE_NUMBER:
+ break
+
+ return list(case_ids)
+
+
+async def call_single_threat_endpoint(
+ ctx: Context, threat_id: str, semaphore: asyncio.Semaphore
+) -> List[str]:
+ async with semaphore:
+ endpoint = compute_url(ctx.BASE_URL, f"/v1/threats/{threat_id}", params={})
+ headers = get_headers(ctx)
+
+ response = await fetch_with_retries(url=endpoint, headers=headers)
+
+ filtered_messages = []
+ for message in response["messages"]:
+ message_id = message["abxMessageId"]
+ remediation_time_str = message["remediationTimestamp"]
+
+ remediation_time = try_str_to_datetime(remediation_time_str)
+ if (
+ remediation_time >= ctx.CLIENT_FILTER_TIME_RANGE.start
+ and remediation_time < ctx.CLIENT_FILTER_TIME_RANGE.end
+ ):
+ filtered_messages.append(json.dumps(message, sort_keys=True))
+ logging.info(f"Successfully processed v2 threat message: {message_id}")
+ else:
+ logging.warning(f"Skipped processing v2 threat message: {message_id}")
+
+ return filtered_messages
+
+
+async def call_single_case_endpoint(
+ ctx: Context, case_id: str, semaphore: asyncio.Semaphore
+) -> str:
+ async with semaphore:
+ endpoint = compute_url(ctx.BASE_URL, f"/v1/cases/{case_id}", params={})
+ headers = get_headers(ctx)
+
+ response = await fetch_with_retries(url=endpoint, headers=headers)
+
+ return json.dumps(response, sort_keys=True)
+
+
+async def get_threats(ctx: Context, output_queue: asyncio.Queue) -> asyncio.Queue:
+ intervals = compute_intervals(ctx)
+ logging.info(
+ "Computed threats intervals\n"
+ + "\n".join(map(lambda x: f"{str(x.start)} : {str(x.end)}", intervals))
+ )
+
+ assert len(intervals) <= 5, "Intervals more than 5"
+ semaphore = asyncio.Semaphore(ctx.NUM_CONCURRENCY)
+
+ campaign_result = await asyncio.gather(
+ *[
+ call_threat_campaigns_endpoint(
+ ctx=ctx, interval=interval, semaphore=semaphore
+ )
+ for interval in intervals
+ ]
+ )
+ threat_ids = set(itertools.chain(*campaign_result))
+
+ single_result = await asyncio.gather(
+ *[
+ call_single_threat_endpoint(
+ ctx=ctx, threat_id=threat_id, semaphore=semaphore
+ )
+ for threat_id in threat_ids
+ ]
+ )
+ messages = set(itertools.chain(*single_result))
+
+ for message in messages:
+ record = (MAP_RESOURCE_TO_LOGTYPE[Resource.threats], json.loads(message))
+ logging.debug(f"Inserting threat message record {record}")
+ await output_queue.put(record)
+
+ return
+
+
+async def get_cases(ctx: Context, output_queue: asyncio.Queue) -> asyncio.Queue:
+ intervals = compute_intervals(ctx)
+ logging.info(
+ "Computed cases intervals\n"
+ + "\n".join(map(lambda x: f"{str(x.start)} : {str(x.end)}", intervals))
+ )
+
+ assert len(intervals) <= 5, "Intervals more than 5"
+ semaphore = asyncio.Semaphore(ctx.NUM_CONCURRENCY)
+
+ result = await asyncio.gather(
+ *[
+ call_cases_endpoint(ctx=ctx, interval=interval, semaphore=semaphore)
+ for interval in intervals
+ ]
+ )
+ case_ids = set(itertools.chain(*result))
+
+ cases = await asyncio.gather(
+ *[
+ call_single_case_endpoint(ctx=ctx, case_id=case_id, semaphore=semaphore)
+ for case_id in case_ids
+ ]
+ )
+
+ for case in cases:
+ loaded_case = json.loads(case)
+ record = (MAP_RESOURCE_TO_LOGTYPE[Resource.cases], loaded_case)
+ visible_time = try_str_to_datetime(loaded_case["customerVisibleTime"])
+ if visible_time >= ctx.CLIENT_FILTER_TIME_RANGE.start and visible_time < ctx.CLIENT_FILTER_TIME_RANGE.end:
+ logging.info(f"Successfully processed v2 case id {loaded_case['caseId']}")
+ await output_queue.put(record)
+ else:
+ logging.warning(f"Skipped processing v2 case id {loaded_case['caseId']}")
+
+ return
+
+
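Review bot: With `# response.raise_for_status()` commented out in `fetch`, any non-5xx error response — a 401/403 after the token is rotated or revoked, a 429 — is parsed as JSON and returned, so callers fail later with a `KeyError` on `response["total"]` and the non-5xx `else: raise` branch of the retry loop is unreachable. Uncommenting `response.raise_for_status()` (it raises `ClientResponseError` with `status` set for 5xx as well, so it can replace the hand-built exception, which also uses the `code=` keyword that aiohttp 3.x deprecates in favour of `status=`) gives a clear failure at the request. Two smaller points in the same loop: `logging.error("Attempt {attempt} failed with error", exc_info=e)` is missing its `f` prefix, and an expiry of the overall `timeout=10` budget surfaces as `asyncio.TimeoutError`, which is not an `aiohttp.ClientError`, so it falls through both handlers without a retry (worth confirming against the pinned aiohttp version). Separately, `threat_id` and `case_id` come from the list responses and are interpolated into the path unescaped in `call_single_threat_endpoint`/`call_single_case_endpoint`; `quote(threat_id, safe="")` from `urllib.parse` keeps an unexpected value from changing which path is requested.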
diff --git a/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/soar_connector_async_v2_local_run.py b/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/soar_connector_async_v2_local_run.py
new file mode 100644
index 00000000000..a7f283591aa
--- /dev/null
+++ b/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/soar_connector_async_v2_local_run.py
@@ -0,0 +1,100 @@
+import logging
+import os
+import asyncio
+import time
+from datetime import datetime, timedelta
+from .soar_connector_async_v2 import get_cases, get_threats
+from .utils import get_context, TIME_FORMAT
+
+def find_duplicates(arr):
+ from collections import Counter
+
+ counts = Counter(arr)
+ return [item for item, count in counts.items() if count > 1]
+
+
+if __name__ == "__main__":
+ logging.getLogger().setLevel(logging.INFO)
+ os.environ["ABNORMAL_SECURITY_REST_API_TOKEN"] = "121"
+ os.environ["API_HOST"] = "http://localhost:3000"
+ os.environ["ABNORMAL_LAG_ON_BACKEND_SEC"] = "10"
+ os.environ["ABNORMAL_FREQUENCY_MIN"] = "1"
+ os.environ["ABNORMAL_LIMIT_MIN"] = "2"
+
+ stored_threat_time = datetime.now() - timedelta(minutes=3)
+ stored_cases_time = datetime.now() - timedelta(minutes=3)
+ output_threats_queue = asyncio.Queue()
+ output_cases_queue = asyncio.Queue()
+ try:
+ while True:
+ threats_ctx = get_context(stored_date_time=stored_threat_time.strftime(TIME_FORMAT))
+ logging.info(
+ f"Filtering messages in range {threats_ctx.CLIENT_FILTER_TIME_RANGE.start} : {threats_ctx.CLIENT_FILTER_TIME_RANGE.end}"
+ )
+ asyncio.run(get_threats(ctx=threats_ctx, output_queue=output_threats_queue))
+
+ stored_threat_time = threats_ctx.CURRENT_TIME
+ logging.info(f"Sleeping for {threats_ctx.FREQUENCY.total_seconds()} seconds\n\n")
+
+
+ cases_ctx = get_context(stored_date_time=stored_cases_time.strftime(TIME_FORMAT))
+ logging.info(
+ f"Filtering messages in range {cases_ctx.CLIENT_FILTER_TIME_RANGE.start} : {cases_ctx.CLIENT_FILTER_TIME_RANGE.end}"
+ )
+ asyncio.run(get_cases(ctx=cases_ctx, output_queue=output_cases_queue))
+
+ stored_cases_time = cases_ctx.CURRENT_TIME
+ logging.info(f"Sleeping for {cases_ctx.FREQUENCY.total_seconds()} seconds\n\n")
+ time.sleep(cases_ctx.FREQUENCY.total_seconds())
+
+
+
+
+ except KeyboardInterrupt:
+ pass
+
+ idlist = []
+ while not output_threats_queue.empty():
+ current = output_threats_queue.get_nowait()
+ logging.info(current)
+ idlist.append(current[1]["abxMessageId"])
+
+ idset = set(idlist)
+ maxid = max(idlist)
+ duplicates = find_duplicates(idlist)
+ missedids = list(filter(lambda x: x not in idset, list(range(1, maxid + 1))))
+
+ logging.info("\n\n\nSummary of the operation")
+
+ logging.info("Ingested values", idlist)
+ logging.info(f"Max ID: {maxid}")
+ logging.info(f"Duplicates: {duplicates}")
+ logging.info(f"Missed IDs: {missedids}")
+
+ assert len(idset) == len(idlist), "Duplicates threats exist"
+ assert len(duplicates) == 0, "There are duplicates threats"
+ assert len(missedids) == 0, "There are missed threats IDs"
+
+
+
+ idlist = []
+ while not output_cases_queue.empty():
+ current = output_cases_queue.get_nowait()
+ logging.info(current)
+ idlist.append(current[1]["caseId"])
+
+ idset = set(idlist)
+ maxid = max(idlist)
+ duplicates = find_duplicates(idlist)
+ missedids = list(filter(lambda x: x not in idset, list(range(1, maxid + 1))))
+
+ logging.info("\n\n\nSummary of the operation")
+
+ logging.info("Ingested values", idlist)
+ logging.info(f"Max ID: {maxid}")
+ logging.info(f"Duplicates: {duplicates}")
+ logging.info(f"Missed IDs: {missedids}")
+
+ assert len(idset) == len(idlist), "Duplicate cases exist"
+ assert len(duplicates) == 0, "There are duplicates cases"
+ assert len(missedids) == 0, "There are missed cases IDs"
diff --git a/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/utils.py b/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/utils.py
new file mode 100644
index 00000000000..42308eb6aae
--- /dev/null
+++ b/Solutions/AbnormalSecurity/Data Connectors/SentinelFunctionsOrchestrator/utils.py
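Review bot: `logging.info("Ingested values", idlist)` (twice in the summary sections) passes the list as a `%`-format argument for a message with no placeholder, so the logging module reports a formatting error instead of printing the values; `logging.info("Ingested values %s", idlist)` is the intended call. In the same summaries `maxid = max(idlist)` raises `ValueError` when a queue drained nothing, which is exactly the case the harness should report rather than crash on. Since the module uses relative imports (`from .soar_connector_async_v2 import …`) under `if __name__ == "__main__":`, it only runs as `python -m SentinelFunctionsOrchestrator.soar_connector_async_v2_local_run`; a one-line comment at the top saying so would save the next person the `ImportError`.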
@@ -0,0 +1,183 @@
+from datetime import datetime, timedelta
+from enum import Enum
+from typing import List, Optional
+import os
+from uuid import uuid4, UUID
+from pydantic import BaseModel, root_validator
+import azure.durable_functions as df
+import logging
+import sys
+
+TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
+TIME_FORMAT_WITHMS = "%Y-%m-%dT%H:%M:%S.%fZ"
+
+
+def try_str_to_datetime(time: str) -> datetime:
+ try:
+ return datetime.strptime(time, TIME_FORMAT)
+ except Exception as _:
+ pass
+ return datetime.strptime(time, TIME_FORMAT_WITHMS)
+
+
+class TimeRange(BaseModel):
+ start: datetime
+ end: datetime
+
+ @root_validator
+ def check_start_less_than_end(cls, values):
+ start = values.get("start")
+ end = values.get("end")
+
+ if start > end:
+ raise ValueError(f"Start time {start} is greater than end time {end}")
+ return values
+
+
+class OptionalEndTimeRange(BaseModel):
+ start: datetime
+ end: Optional[datetime]
+
+ @root_validator
+ def check_start_less_than_end(cls, values):
+ start = values.get("start")
+ end = values.get("end")
+
+ if end is not None and start > end:
+ raise ValueError(f"Start time {start} is greater than end time {end}")
+ return values
+
+
+class Context(BaseModel):
+ LAG_ON_BACKEND: timedelta
+ OUTAGE_TIME: timedelta
+ FREQUENCY: timedelta
+ LIMIT: timedelta
+ NUM_CONCURRENCY: int
+ MAX_PAGE_NUMBER: int
+ BASE_URL: str
+ API_TOKEN: str
+ TIME_RANGE: TimeRange
+ CLIENT_FILTER_TIME_RANGE: TimeRange
+ STORED_TIME: datetime
+ CURRENT_TIME: datetime
+ TRACE_ID: UUID
+ PYTHON_VERSION: str
+
+
+class Resource(Enum):
+ threats = 0
+ cases = 1
+
+
+class FilterParam(Enum):
+ receivedTime = 0
+ createdTime = 1
+ firstObserved = 2
+ latestTimeRemediated = 3
+ customerVisibleTime = 4
+
+
+MAP_RESOURCE_TO_LOGTYPE = {
+ Resource.threats: "ABNORMAL_THREAT_MESSAGES",
+ Resource.cases: "ABNORMAL_CASES",
+}
+
+MAP_RESOURCE_TO_ENTITY_VALUE = {
+ Resource.threats: "threats_date",
+ Resource.cases: "cases_date",
+}
+
+
+def compute_intervals(ctx: Context) -> List[OptionalEndTimeRange]:
+ """
+ Function that returns for a time range [X, Y]
+ It returns an array of intervals of frequency size by accounting for lag_on_backend and outage_time.
+ timerange.start must be greater than 15 mins
+ [
+ [X - lag_on_backend, X - lag_on_backend + 5]
+ ...
+ [Z, None]
+ ]
+ """
+ timerange = ctx.TIME_RANGE
+
+ start_time, current_time = timerange.start, timerange.end
+ logging.info(f"Specified timerange: {start_time} : {current_time}")
+
+ if current_time - start_time > ctx.OUTAGE_TIME:
+ start_time = current_time - ctx.OUTAGE_TIME
+
+ assert current_time - start_time <= ctx.OUTAGE_TIME
+
+ start = start_time.replace() - ctx.LAG_ON_BACKEND
+ current = current_time.replace()
+
+ logging.info(f"Modified timerange: {start} : {current}")
+
+ assert current > start
+
+ limit = ctx.LIMIT
+ add = ctx.FREQUENCY
+
+ assert limit >= add
+
+ intervals: List[OptionalEndTimeRange] = []
+ while current - start > limit:
+ intervals.append(OptionalEndTimeRange(start=start, end=start + add))
+ start = start + add
+
+ intervals.append(OptionalEndTimeRange(start=start, end=None))
+
+ return intervals
+
+
+def should_use_v2_logic() -> bool:
+ return bool(os.environ.get("ABNORMAL_ENABLE_V2_LOGIC"))
+
+
+def get_context(stored_date_time: str) -> Context:
+ BASE_URL = os.environ.get("API_HOST", "https://api.abnormalplatform.com/v1")
+ API_TOKEN = os.environ["ABNORMAL_SECURITY_REST_API_TOKEN"]
+ OUTAGE_TIME = timedelta(
+ minutes=int(os.environ.get("ABNORMAL_OUTAGE_TIME_MIN", "15"))
+ )
+ LAG_ON_BACKEND = timedelta(
+ seconds=int(os.environ.get("ABNORMAL_LAG_ON_BACKEND_SEC", "30"))
+ )
+ FREQUENCY = timedelta(minutes=int(os.environ.get("ABNORMAL_FREQUENCY_MIN", "5")))
+ LIMIT = timedelta(minutes=int(os.environ.get("ABNORMAL_LIMIT_MIN", "6")))
+ NUM_CONCURRENCY = int(os.environ.get("ABNORMAL_NUM_CONCURRENCY", "5"))
+ MAX_PAGE_NUMBER = int(os.environ.get("ABNORMAL_MAX_PAGE_NUMBER", "3"))
+
+ STORED_TIME = try_str_to_datetime(stored_date_time)
+ CURRENT_TIME = try_str_to_datetime(datetime.now().strftime(TIME_FORMAT))
+ TIME_RANGE = TimeRange(start=STORED_TIME, end=CURRENT_TIME)
+ CLIENT_FILTER_TIME_RANGE = TimeRange(
+ start=STORED_TIME - LAG_ON_BACKEND, end=CURRENT_TIME - LAG_ON_BACKEND
+ )
+
+ return Context(
+ LAG_ON_BACKEND=LAG_ON_BACKEND,
+ OUTAGE_TIME=OUTAGE_TIME,
+ NUM_CONCURRENCY=NUM_CONCURRENCY,
+ FREQUENCY=FREQUENCY,
+ BASE_URL=BASE_URL,
+ API_TOKEN=API_TOKEN,
+ TIME_RANGE=TIME_RANGE,
+ CLIENT_FILTER_TIME_RANGE=CLIENT_FILTER_TIME_RANGE,
+ MAX_PAGE_NUMBER=MAX_PAGE_NUMBER,
+ STORED_TIME=STORED_TIME,
+ CURRENT_TIME=CURRENT_TIME,
+ LIMIT=LIMIT,
+ TRACE_ID=uuid4(),
+ PYTHON_VERSION=sys.version
+ )
+
+
+def set_date_on_entity(
+ context: df.DurableOrchestrationContext, time: str, resource: Resource
+):
+ entity_value = MAP_RESOURCE_TO_ENTITY_VALUE[resource]
+ datetimeEntityId = df.EntityId("SoarDatetimeEntity", "latestDatetime")
+ context.signal_entity(datetimeEntityId, "set", {"type": entity_value, "date": time})
diff --git a/Solutions/AbnormalSecurity/Data Connectors/Tests/run_tests.sh b/Solutions/AbnormalSecurity/Data Connectors/Tests/run_tests.sh
new file mode 100755
index 00000000000..0b2953a477b
--- /dev/null
+++ b/Solutions/AbnormalSecurity/Data Connectors/Tests/run_tests.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env sh
+
+source .python_packages/bin/activate
+
+export ABNORMAL_SECURITY_REST_API_TOKEN=123
+export SENTINEL_WORKSPACE_ID=123
+export SENTINEL_SHARED_KEY=123
+
+pip install pytest-asyncio pytest pytest-aiohttp
+
+pytest
\ No newline at end of file
diff --git a/Solutions/AbnormalSecurity/Data Connectors/Tests/soar_connector_async_test.py b/Solutions/AbnormalSecurity/Data Connectors/Tests/soar_connector_async_test.py
index 1344ea695eb..c006de1f59a 100644
--- a/Solutions/AbnormalSecurity/Data Connectors/Tests/soar_connector_async_test.py
+++ b/Solutions/AbnormalSecurity/Data Connectors/Tests/soar_connector_async_test.py
@@ -1,5 +1,5 @@
 import unittest
-from ..SentinelFunctionsOrchestrator.soar_connector_async import AbnormalSoarConnectorAsync
+from SentinelFunctionsOrchestrator.soar_connector_async import AbnormalSoarConnectorAsync
 from copy import deepcopy
 DUMMY_API_KEY = "DUMMY_API_KEY"
diff --git a/Solutions/AbnormalSecurity/Data Connectors/Tests/soar_connector_async_v2_test.py b/Solutions/AbnormalSecurity/Data Connectors/Tests/soar_connector_async_v2_test.py
new file mode 100644
index 00000000000..e3a71fffeea
--- /dev/null
+++ b/Solutions/AbnormalSecurity/Data Connectors/Tests/soar_connector_async_v2_test.py
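Review bot: `get_context` derives `CURRENT_TIME` from `datetime.now()`, which is naive local time, yet `TIME_FORMAT` stamps it with a `Z` suffix and `get_query_params` sends it to the vendor API as the `gte`/`lte` bound, so on any host whose clock is not UTC the fetch window is shifted by the UTC offset and alerts are silently skipped or duplicated. `CURRENT_TIME = try_str_to_datetime(datetime.utcnow().strftime(TIME_FORMAT))` keeps the naive-datetime convention the rest of the module relies on (whether the function app is pinned to UTC I cannot tell from here). `should_use_v2_logic` returns `True` for `ABNORMAL_ENABLE_V2_LOGIC=false` or `=0`, because any non-empty string is truthy; `return os.environ.get("ABNORMAL_ENABLE_V2_LOGIC", "").strip().lower() in ("1", "true", "yes")` reads the flag as an operator would expect. `API_TOKEN: str` on `Context` means any `repr`/`str` of the context — a stray log line or a debugger dump — prints the token; pydantic's `SecretStr` masks it by default, with `get_headers` then calling `.get_secret_value()` at the one place the raw value is needed.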
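Review bot: `source .python_packages/bin/activate` is a bash builtin, but the shebang is `#!/usr/bin/env sh`; where `sh` is dash the line fails, and because the script sets no `set -e` the `pip install` and `pytest` that follow run against whatever interpreter is first on `PATH` rather than the project environment. `. .python_packages/bin/activate` is the POSIX spelling, and `set -eu` near the top stops the run at the first failure instead of reporting a misleading test result.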
@@ -0,0 +1,390 @@ +import os + +os.environ["ABNORMAL_SECURITY_REST_API_TOKEN"] = "123" + +import unittest +from SentinelFunctionsOrchestrator.utils import ( + FilterParam, + OptionalEndTimeRange, + Context, + TimeRange, + try_str_to_datetime, +) +from datetime import datetime, timedelta +from uuid import UUID +import pytest +import aiohttp +from aiohttp import web +from unittest.mock import patch, MagicMock, AsyncMock +import json +import asyncio + +from SentinelFunctionsOrchestrator.soar_connector_async_v2 import ( + get_query_params, + get_headers, + compute_url, + fetch_with_retries, + get_threats, + get_cases, +) + + +class TestGetQueryParams(unittest.TestCase): + def test_query_params_with_end_time(self): + # Test case where interval has both start and end times + filter_param = FilterParam.receivedTime + interval = OptionalEndTimeRange( + start=datetime(2024, 10, 1, 12, 0, 0), end=datetime(2024, 10, 1, 13, 0, 0) + ) + query_params = get_query_params(filter_param, interval) + expected_filter = ( + "receivedTime gte 2024-10-01T12:00:00Z lte 2024-10-01T13:00:00Z" + ) + self.assertEqual(query_params, {"filter": expected_filter}) + + def test_query_params_without_end_time(self): + # Test case where interval has only the start time + filter_param = FilterParam.createdTime + interval = OptionalEndTimeRange(start=datetime(2024, 10, 1, 12, 0, 0), end=None) + query_params = get_query_params(filter_param, interval) + expected_filter = "createdTime gte 2024-10-01T12:00:00Z" + self.assertEqual(query_params, {"filter": expected_filter}) + + def test_empty_filter_param_name(self): + # Test case where filter_param name is empty + filter_param = FilterParam.customerVisibleTime + interval = OptionalEndTimeRange( + start=datetime(2024, 10, 1, 12, 0, 0), end=datetime(2024, 10, 1, 13, 0, 0) + ) + query_params = get_query_params(filter_param, interval) + expected_filter = ( + "customerVisibleTime gte 2024-10-01T12:00:00Z lte 2024-10-01T13:00:00Z" + ) + 
self.assertEqual(query_params, {"filter": expected_filter}) + + def test_start_and_end_time_are_the_same(self): + # Test case where interval start and end times are the same + filter_param = FilterParam.firstObserved + interval = OptionalEndTimeRange( + start=datetime(2024, 10, 1, 12, 0, 0), end=datetime(2024, 10, 1, 12, 0, 0) + ) + query_params = get_query_params(filter_param, interval) + expected_filter = ( + "firstObserved gte 2024-10-01T12:00:00Z lte 2024-10-01T12:00:00Z" + ) + self.assertEqual(query_params, {"filter": expected_filter}) + + +class TestGetHeaders(unittest.TestCase): + def setUp(self): + # Common data used in multiple test cases + self.trace_id = UUID("bdb2a127-ed3d-464a-b205-3820ccf6d3f2") + self.api_token = "exampletoken" + self.ctx = Context( + LAG_ON_BACKEND=timedelta(seconds=30), + OUTAGE_TIME=timedelta(minutes=15), + FREQUENCY=timedelta(minutes=5), + LIMIT=timedelta(minutes=6), + NUM_CONCURRENCY=5, + MAX_PAGE_NUMBER=100, + BASE_URL="http://example.com", + API_TOKEN="exampletoken", + TIME_RANGE=TimeRange( + start=datetime(2024, 10, 1, 12, 55), end=datetime(2024, 10, 1, 13, 0) + ), + CLIENT_FILTER_TIME_RANGE=TimeRange( + start=datetime(2024, 10, 1, 12, 54, 30), + end=datetime(2024, 10, 1, 12, 59, 30), + ), + STORED_TIME=datetime(2024, 10, 1, 12, 55), + CURRENT_TIME=datetime(2024, 10, 1, 13, 0), + TRACE_ID=self.trace_id, + PYTHON_VERSION="3.11" + ) + + def test_valid_headers(self): + # Test case for valid headers + headers = get_headers(self.ctx) + expected_headers = { + "X-Sentinel-Context": "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", + "X-Abnormal-Trace-Id": str(self.trace_id), + "Authorization": f"Bearer {self.api_token}", + "Soar-Integration-Origin": "AZURE SENTINEL", + "Azure-Sentinel-Version": "2024-10-03 V2", + } + self.maxDiff = None + self.assertEqual(headers, expected_headers) + + +class TestComputeUrl(unittest.TestCase): + def test_compute_url_with_params(self): + # Test case with query parameters + base_url = 
"https://example.com" + pathname = "/api/resource" + params = { + "filter": "customerVisibleTime gte 2024-10-01T12:00:00Z lte 2024-10-01T13:00:00Z", + "pageNumber": "2", + } + result = compute_url(base_url, pathname, params) + expected = f"{base_url}{pathname}?filter=customerVisibleTime+gte+2024-10-01T12%3A00%3A00Z+lte+2024-10-01T13%3A00%3A00Z&pageNumber=2" + self.assertEqual(result, expected) + + def test_compute_url_without_params(self): + # Test case with no query parameters + base_url = "https://example.com" + pathname = "/api/resource" + params = {} + result = compute_url(base_url, pathname, params) + expected = f"{base_url}{pathname}" + self.assertEqual(result, expected) + + def test_compute_url_with_encoded_params(self): + # Test case with query parameters that need encoding explicitly + base_url = "https://example.com" + pathname = "/api/resource" + params = { + "filter": "customerVisibleTime gte 2024-10-01T12:00:00Z lte 2024-10-01T13:00:00Z" + } + result = compute_url(base_url, pathname, params) + expected = f"{base_url}{pathname}?filter=customerVisibleTime+gte+2024-10-01T12%3A00%3A00Z+lte+2024-10-01T13%3A00%3A00Z" + self.assertEqual(result, expected) + + def test_compute_url_with_complex_pathname(self): + # Test case with a pathname that includes folders and filename + base_url = "https://example.com" + pathname = "/api/resource/subresource" + params = { + "filter": "customerVisibleTime gte 2024-10-01T12:00:00Z lte 2024-10-01T13:00:00Z", + "pageNumber": "2", + } + result = compute_url(base_url, pathname, params) + expected = f"{base_url}{pathname}?filter=customerVisibleTime+gte+2024-10-01T12%3A00%3A00Z+lte+2024-10-01T13%3A00%3A00Z&pageNumber=2" + self.assertEqual(result, expected) + + def test_compute_url_with_port_in_base_url(self): + # Test case with port in base URL + base_url = "https://example.com:8080" + pathname = "/api/resource" + params = { + "filter": "customerVisibleTime gte 2024-10-01T12:00:00Z lte 2024-10-01T13:00:00Z", + "pageNumber": "2", + 
} + result = compute_url(base_url, pathname, params) + expected = f"{base_url}{pathname}?filter=customerVisibleTime+gte+2024-10-01T12%3A00%3A00Z+lte+2024-10-01T13%3A00%3A00Z&pageNumber=2" + self.assertEqual(result, expected) + + +# Tests using pytest and unittest.mock for properly mocking aiohttp + +# @pytest.mark.asyncio +# @patch('aiohttp.ClientSession.get', new_callable=AsyncMock) +# async def test_fetch_with_retries_success(mock_get): +# url = "http://test.com/success" +# headers = {"Authorization": "Bearer token"} +# response_data = {"key": "value"} + +# mock_response = MagicMock() +# mock_response.status = 200 +# mock_response.text = AsyncMock(return_value=json.dumps(response_data)) +# mock_get.return_value.__aenter__.return_value = mock_response + +# result = await fetch_with_retries(url, headers=headers) +# assert result == response_data + +# @pytest.mark.asyncio +# @patch('aiohttp.ClientSession.get', new_callable=AsyncMock) +# async def test_fetch_with_retries_server_error(mock_get): +# url = "http://test.com/server-error" + +# mock_response = MagicMock() +# mock_response.status = 500 +# mock_response.reason = "Server Error" +# mock_response.request_info = None +# mock_response.history = None +# mock_response.headers = None +# mock_get.return_value.__aenter__.return_value = mock_response + +# with pytest.raises(aiohttp.ClientResponseError): +# await fetch_with_retries(url) + +# @pytest.mark.asyncio +# @patch('aiohttp.ClientSession.get', new_callable=AsyncMock) +# async def test_fetch_with_retries_non_retryable_error(mock_get): +# url = "http://test.com/non-retryable-error" + +# mock_response = MagicMock() +# mock_response.status = 404 +# mock_response.reason = "Not Found" +# mock_response.request_info = None +# mock_response.history = None +# mock_response.headers = None +# mock_get.return_value.__aenter__.return_value = mock_response + +# with pytest.raises(aiohttp.ClientError) as exc_info: +# await fetch_with_retries(url) +# assert exc_info.value.status 
== 404 + +# @pytest.mark.asyncio +# @patch('aiohttp.ClientSession.get', new_callable=AsyncMock) +# async def test_fetch_with_retries_eventually_succeeds(mock_get): +# url = "http://test.com/eventually-succeeds" +# headers = {"Authorization": "Bearer token"} +# response_data = {"key": "value"} +# attempts = 0 + +# async def mock_get_function(url, headers=None, timeout=None): +# nonlocal attempts +# attempts += 1 +# if attempts < 3: +# mock_response = MagicMock() +# mock_response.status = 500 +# mock_response.reason = "Server Error" +# mock_response.request_info = None +# mock_response.history = None +# mock_response.headers = None +# else: +# mock_response = MagicMock() +# mock_response.status = 200 +# mock_response.text = AsyncMock(return_value=json.dumps(response_data)) + +# return MagicMock(__aenter__=AsyncMock(return_value=mock_response), __aexit__=AsyncMock()) + +# mock_get.side_effect = mock_get_function + +# result = await fetch_with_retries(url, headers=headers, retries=3, backoff=0.01) +# assert result == response_data +# assert attempts == 3 + + +@pytest.mark.asyncio +@patch( + "SentinelFunctionsOrchestrator.soar_connector_async_v2.fetch_with_retries", + new_callable=AsyncMock, +) +async def test_get_threats(mock_fetch): + mock_intervals = [ + MagicMock(start="2024-10-01T13:00:00Z", end=None), + ] + + mock_threat_campaign_response = { + "total": 1, + "threats": [{"threatId": "threat1"}], + "nextPageNumber": None, + } + + mock_single_threat_response = { + "messages": [ + {"abxMessageId": "message1", "remediationTimestamp": "2024-10-01T12:30:00Z"} + ] + } + + # Mock the context and output queue + ctx = MagicMock() + ctx.BASE_URL = "http://example.com" + ctx.MAX_PAGE_NUMBER = 10 + ctx.NUM_CONCURRENCY = 2 + ctx.CLIENT_FILTER_TIME_RANGE.start = try_str_to_datetime("2024-10-01T12:00:00Z") + ctx.CLIENT_FILTER_TIME_RANGE.end = try_str_to_datetime("2024-10-01T13:00:00Z") + + output_queue = asyncio.Queue() + + # Mock the functions and methods used in get_threats + 
mock_fetch.side_effect = [ + mock_threat_campaign_response, + mock_single_threat_response, + ] + + with patch( + "SentinelFunctionsOrchestrator.soar_connector_async_v2.compute_intervals", + return_value=mock_intervals, + ): + with patch( + "SentinelFunctionsOrchestrator.soar_connector_async_v2.get_query_params" + ) as mock_get_query_params: + with patch( + "SentinelFunctionsOrchestrator.soar_connector_async_v2.get_headers", + return_value={"Authorization": "Bearer token"}, + ): + await get_threats(ctx, output_queue) + + # Ensure fetch_with_retries was called with expected values + assert mock_fetch.call_count == 2 + + # Ensure the messages were put into the output queue + assert output_queue.qsize() == 1 + + # Validate the content of the output queue + output_message = await output_queue.get() + expected_record = ( + "ABNORMAL_THREAT_MESSAGES", + {"abxMessageId": "message1", "remediationTimestamp": "2024-10-01T12:30:00Z"}, + ) + assert output_message == expected_record + assert output_queue.empty() + + +@pytest.mark.asyncio +@patch( + "SentinelFunctionsOrchestrator.soar_connector_async_v2.fetch_with_retries", + new_callable=AsyncMock, +) +async def test_get_cases(mock_fetch): + # Mock the context and output queue + ctx = MagicMock() + ctx.BASE_URL = "http://example.com" + ctx.MAX_PAGE_NUMBER = 10 + ctx.NUM_CONCURRENCY = 2 + ctx.CLIENT_FILTER_TIME_RANGE.start = try_str_to_datetime("2024-10-01T12:00:00Z") + ctx.CLIENT_FILTER_TIME_RANGE.end = try_str_to_datetime("2024-10-01T13:00:00Z") + + output_queue = asyncio.Queue() + + mock_intervals = [ + MagicMock(start="2024-10-01T13:00:00Z", end=None), + ] + + mock_cases_response = { + "total": 1, + "cases": [{"caseId": "case1"}], + "nextPageNumber": None, + } + + mock_single_case_response = { + "caseId": "case1", + "customerVisibleTime": "2024-10-01T12:30:00Z", + } + + # Mock the functions and methods used in get_cases + mock_fetch.side_effect = [mock_cases_response, mock_single_case_response] + + with patch( + 
"SentinelFunctionsOrchestrator.soar_connector_async_v2.compute_intervals", + return_value=mock_intervals, + ): + with patch( + "SentinelFunctionsOrchestrator.soar_connector_async_v2.get_query_params" + ) as mock_get_query_params: + with patch( + "SentinelFunctionsOrchestrator.soar_connector_async_v2.get_headers", + return_value={"Authorization": "Bearer token"}, + ): + await get_cases(ctx, output_queue) + + # Ensure fetch_with_retries was called with expected values + assert mock_fetch.call_count == 2 + + # Ensure the cases were put into the output queue + assert output_queue.qsize() == 1 + + # Validate the content of the output queue + output_message = await output_queue.get() + expected_record = ( + "ABNORMAL_CASES", + {"caseId": "case1", "customerVisibleTime": "2024-10-01T12:30:00Z"}, + ) + assert output_message == expected_record + + +if __name__ == "__main__": + unittest.main() + pytest.main() diff --git a/Solutions/AbnormalSecurity/Data Connectors/Tests/utils_test.py b/Solutions/AbnormalSecurity/Data Connectors/Tests/utils_test.py new file mode 100644 index 00000000000..2f4185567d5 --- /dev/null +++ b/Solutions/AbnormalSecurity/Data Connectors/Tests/utils_test.py 
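Review bot: Every test of `fetch_with_retries` is commented out, and `test_get_threats`/`test_get_cases` patch `fetch_with_retries`, `compute_intervals`, `get_query_params` and `get_headers` away, so the retry/backoff loop, the 5xx-versus-other status handling and the headers actually placed on the request have no coverage. `run_tests.sh` installs `pytest-aiohttp` and this file already imports `aiohttp.web`, so the `aiohttp_client` fixture with a small `web.Application` whose handler answers 500 on the first call and 200 afterwards would exercise the real code path; pass `backoff=0` so the sleeps vanish. In `TestGetHeaders.test_valid_headers`, pinning the full base64 `X-Sentinel-Context` blob is brittle; decoding it with `json.loads(b64decode(...))` and asserting `"API_TOKEN" not in decoded` checks the property the `exclude={'API_TOKEN'}` call exists for and keeps guarding it as fields are added to `Context`.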
@@ -0,0 +1,200 @@ +import unittest +from datetime import datetime, timedelta +from SentinelFunctionsOrchestrator.utils import ( + TIME_FORMAT_WITHMS, + TIME_FORMAT, + try_str_to_datetime, + TimeRange, + OptionalEndTimeRange, + compute_intervals, + Context, +) +from pydantic import ValidationError +from uuid import uuid4 + + +class TestTryStrToDateTime(unittest.TestCase): + def test_format_without_ms(self): + # Test case for format without milliseconds + time_str = "2024-10-01T12:34:56Z" + expected = datetime.strptime(time_str, TIME_FORMAT) + result = try_str_to_datetime(time_str) + self.assertEqual(result, expected) + + def test_format_with_ms(self): + # Test case for format with milliseconds + time_str = "2024-10-01T12:34:56.123456Z" + expected = datetime.strptime(time_str, TIME_FORMAT_WITHMS) + result = try_str_to_datetime(time_str) + self.assertEqual(result, expected) + + def test_invalid_format(self): + # Test case for invalid format + time_str = "2024-10-01 12:34:56" + with self.assertRaises(ValueError): + try_str_to_datetime(time_str) + + def test_incomplete_date(self): + # Test case for incomplete date + time_str = "2024-10-01T12:34" + with self.assertRaises(ValueError): + try_str_to_datetime(time_str) + + def test_empty_string(self): + # Test case for empty string + time_str = "" + with self.assertRaises(ValueError): + try_str_to_datetime(time_str) + + +class TestTimeRange(unittest.TestCase): + def test_valid_timerange(self): + # Test case where start is before end + start = datetime(2024, 10, 1, 12, 0) + end = datetime(2024, 10, 1, 13, 0) + time_range = TimeRange(start=start, end=end) + self.assertEqual(time_range.start, start) + self.assertEqual(time_range.end, end) + + def test_invalid_timerange(self): + # Test case where start is after end + start = datetime(2024, 10, 1, 14, 0) + end = datetime(2024, 10, 1, 13, 0) + with self.assertRaises(ValidationError) as context: + TimeRange(start=start, end=end) + self.assertIn("Start time", str(context.exception)) 
+ + def test_start_equal_to_end(self): + # Test case where start is equal to end + start = end = datetime(2024, 10, 1, 12, 0) + time_range = TimeRange(start=start, end=end) + self.assertEqual(time_range.start, start) + self.assertEqual(time_range.end, end) + + def test_missing_start(self): + # Test case where start is missing + end = datetime(2024, 10, 1, 13, 0) + with self.assertRaises(ValidationError): + TimeRange(end=end) + + def test_missing_end(self): + # Test case where end is missing + start = datetime(2024, 10, 1, 12, 0) + with self.assertRaises(ValidationError): + TimeRange(start=start) + + +class TestOptionalEndTimeRange(unittest.TestCase): + def test_valid_timerange_with_end(self): + # Test case where start is before end + start = datetime(2024, 10, 1, 12, 0) + end = datetime(2024, 10, 1, 13, 0) + time_range = OptionalEndTimeRange(start=start, end=end) + self.assertEqual(time_range.start, start) + self.assertEqual(time_range.end, end) + + def test_valid_timerange_without_end(self): + # Test case where end is None + start = datetime(2024, 10, 1, 12, 0) + time_range = OptionalEndTimeRange(start=start, end=None) + self.assertEqual(time_range.start, start) + self.assertIsNone(time_range.end) + + def test_invalid_timerange(self): + # Test case where start is after end + start = datetime(2024, 10, 1, 14, 0) + end = datetime(2024, 10, 1, 13, 0) + with self.assertRaises(ValidationError) as context: + OptionalEndTimeRange(start=start, end=end) + self.assertIn("Start time", str(context.exception)) + + def test_start_equal_to_end(self): + # Test case where start is equal to end + start = end = datetime(2024, 10, 1, 12, 0) + time_range = OptionalEndTimeRange(start=start, end=end) + self.assertEqual(time_range.start, start) + self.assertEqual(time_range.end, end) + + def test_missing_start(self): + # Test case where start is missing + end = datetime(2024, 10, 1, 13, 0) + with self.assertRaises(ValidationError): + OptionalEndTimeRange(end=end) + + +class 
TestComputeIntervals(unittest.TestCase): + def setUp(self): + # Common data used in multiple test cases + self.ctx = Context( + LAG_ON_BACKEND=timedelta(seconds=30), + OUTAGE_TIME=timedelta(minutes=15), + FREQUENCY=timedelta(minutes=5), + LIMIT=timedelta(minutes=6), + NUM_CONCURRENCY=5, + MAX_PAGE_NUMBER=100, + BASE_URL="http://example.com", + API_TOKEN="exampletoken", + TIME_RANGE=TimeRange( + start=datetime(2024, 10, 1, 12, 55), end=datetime(2024, 10, 1, 13, 0) + ), + CLIENT_FILTER_TIME_RANGE=TimeRange( + start=datetime(2024, 10, 1, 12, 54, 30), + end=datetime(2024, 10, 1, 12, 59, 30), + ), + STORED_TIME=datetime(2024, 10, 1, 12, 55), + CURRENT_TIME=datetime(2024, 10, 1, 13, 0), + TRACE_ID=uuid4(), + PYTHON_VERSION="3.11" + ) + + def test_valid_intervals(self): + # Test case for valid intervals + intervals = compute_intervals(self.ctx) + expected_intervals = [ + OptionalEndTimeRange(start=datetime(2024, 10, 1, 12, 54, 30), end=None) + ] + self.assertEqual(intervals, expected_intervals) + + def test_valid_intervals_2(self): + # Test case for valid intervals + self.ctx.TIME_RANGE = TimeRange( + start=datetime(2024, 10, 1, 12, 54), end=datetime(2024, 10, 1, 13, 0) + ) + intervals = compute_intervals(self.ctx) + expected_intervals = [ + OptionalEndTimeRange( + start=datetime(2024, 10, 1, 12, 53, 30), + end=datetime(2024, 10, 1, 12, 58, 30), + ), + OptionalEndTimeRange(start=datetime(2024, 10, 1, 12, 58, 30), end=None), + ] + self.assertEqual(intervals, expected_intervals) + + def test_valid_intervals_3(self): + # Test case for valid intervals + self.ctx.TIME_RANGE = TimeRange( + start=datetime(2024, 10, 1, 12, 0), end=datetime(2024, 10, 1, 13, 0) + ) + intervals = compute_intervals(self.ctx) + expected_intervals = [ + OptionalEndTimeRange( + start=datetime(2024, 10, 1, 12, 44, 30), + end=datetime(2024, 10, 1, 12, 49, 30), + ), + OptionalEndTimeRange( + start=datetime(2024, 10, 1, 12, 49, 30), + end=datetime(2024, 10, 1, 12, 54, 30), + ), + 
OptionalEndTimeRange(start=datetime(2024, 10, 1, 12, 54, 30), end=None),
+ ]
+ self.assertEqual(intervals, expected_intervals)
+
+ def test_frequency_greater_than_limit(self):
+ # Test case where frequency is greater than limit
+ self.ctx.FREQUENCY = timedelta(hours=3)
+ with self.assertRaises(AssertionError):
+ compute_intervals(self.ctx)
+
+
+if __name__ == "__main__":
+ unittest.main()
diff --git a/Solutions/AbnormalSecurity/Data Connectors/package.sh b/Solutions/AbnormalSecurity/Data Connectors/package.sh
new file mode 100644
index 00000000000..bef1f668b67
--- /dev/null
+++ b/Solutions/AbnormalSecurity/Data Connectors/package.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+set -e
+set -x
+
+rm -rf .python_packages
+
+# Get the version of Python 3
+PYTHON_VERSION=$(python3 --version 2>&1)
+
+# Check if it contains "Python 3.8"
+if [[ $PYTHON_VERSION == "Python 3.8."* ]]; then
+ echo "Python 3.8 is being used."
+else
+ echo "Python 3.8 is NOT being used."
+ exit 1
+fi
+
+if [[ "$(uname)" == "Linux" ]]; then
+ echo "The operating system is Linux."
+else
+ echo "Assertion failed: The operating system is not Linux."
+ exit 1
+fi
+
+python3 -m venv .python_packages
+source .python_packages/bin/activate
+pip install -r requirements.txt
+
+cd .python_packages/lib
+ln -s python3.8/site-packages site-packages
+cd ../..
+
+git checkout origin/master AbnormalSecurityConn.zip
+
+zip -r AbnormalSecurityConn.zip SentinelFunctionsOrchestrator .python_packages/lib/site-packages requirements.txt
+
+git add AbnormalSecurityConn.zip
\ No newline at end of file
diff --git a/Solutions/AbnormalSecurity/Data Connectors/requirements.txt b/Solutions/AbnormalSecurity/Data Connectors/requirements.txt
index a0a6779521b..c6dcb0b1d9e 100644
--- a/Solutions/AbnormalSecurity/Data Connectors/requirements.txt
+++ b/Solutions/AbnormalSecurity/Data Connectors/requirements.txt
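Review bot: `test_frequency_greater_than_limit` pins the misconfiguration contract of `compute_intervals` to `AssertionError`, which suggests the production check is a bare `assert`; asserts are stripped when the host runs Python with `-O`, so an oversized `FREQUENCY` would then silently yield intervals instead of failing fast. If that is the case, have `compute_intervals` raise a real exception and change the test to `with self.assertRaises(ValueError):` so the guard survives optimisation. `compute_intervals` itself is outside this diff, so confirm the mechanism there before changing the test. A one-line comment on the `Context(...)` in `setUp`, e.g. `# placeholder credentials/URL for unit tests only`, would also make clear that `API_TOKEN="exampletoken"` and `http://example.com` are fixtures, not a configuration template.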
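Review bot: `git checkout origin/master AbnormalSecurityConn.zip` followed by `zip -r AbnormalSecurityConn.zip …` updates the archive already committed on master rather than building a fresh one, so modules deleted from `SentinelFunctionsOrchestrator` or packages dropped from `requirements.txt` survive in the shipped function package and the artifact is not reproducible from the source tree. Replace that line with `rm -f AbnormalSecurityConn.zip` (or use `zip -FSr …` so entries absent on disk are purged) so the archive only contains what the current checkout produces. Because this script builds a deployed artifact, `pip install -r requirements.txt` should be `pip install --require-hashes -r requirements.txt` with hash-pinned requirements, otherwise the contents of the package depend on whatever the index serves at build time. Minor: the file is added as mode 100644, so it has to be invoked as `bash package.sh` until the executable bit is set.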
@@ -4,4 +4,5 @@ azure-functions==1.8.0 azure-functions-durable==1.1.3 -requests==2.26.0 \ No newline at end of file +requests==2.26.0 +pydantic==1.10.18 diff --git a/Solutions/Akamai Security Events/Data/Solution_Akamai.json b/Solutions/Akamai Security Events/Data/Solution_Akamai.json index f162224ef00..6ffdae2f887 100644 --- a/Solutions/Akamai Security Events/Data/Solution_Akamai.json +++ b/Solutions/Akamai Security Events/Data/Solution_Akamai.json @@ -3,10 +3,6 @@ "Author": "Microsoft - support@microsoft.com", "Logo": "", "Description": "The Akamai Security Solution for Microsoft Sentinel enables ingestion of [Akamai Security Solutions](https://www.akamai.com/solutions/security) events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**", - "Data Connectors": [ - "Data Connectors/Connector_CEF_Akamai.json", - "Data Connectors/template_AkamaiSecurityEventsAMA.json" - ], "Parsers": [ "Parsers/AkamaiSIEMEvent.yaml" ], @@ -15,7 +11,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Akamai Security Events", - "Version": "3.0.1", + "Version": "3.0.2", "TemplateSpec": true, "Is1PConnector": false } \ No newline at end of file diff --git a/Solutions/Akamai Security Events/Package/3.0.2.zip b/Solutions/Akamai Security Events/Package/3.0.2.zip new file mode 100644 index 00000000000..7bf2e0e84ca Binary files /dev/null and b/Solutions/Akamai Security Events/Package/3.0.2.zip differ 
diff --git a/Solutions/Akamai Security Events/Package/createUiDefinition.json b/Solutions/Akamai Security Events/Package/createUiDefinition.json index eddebc64f60..028d0161297 100644 --- a/Solutions/Akamai Security Events/Package/createUiDefinition.json +++ b/Solutions/Akamai Security Events/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Akamai%20Security%20Events/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Akamai Security Solution for Microsoft Sentinel enables ingestion of [Akamai Security Solutions](https://www.akamai.com/solutions/security) events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Akamai%20Security%20Events/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Akamai Security Solution for Microsoft Sentinel enables ingestion of [Akamai Security Solutions](https://www.akamai.com/solutions/security) events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. 
The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024.**\n\n **Data connector:** 1,**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
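Review bot: The rewritten description still advertises `**Data connector:** 1` even though this same commit removes both data connector resources from Solution_Akamai.json and mainTemplate.json, so the count is misleading unless it is meant to refer to the CEF via AMA connector delivered by the dependent Common Event Format solution; either drop it or make the source explicit, e.g. `**Data connector:** CEF via AMA (from the Common Event Format solution), **Parsers:** 1`. The sentence `The existing connectors are about to be deprecated by **Aug 31, 2024.**` is also stale now that the legacy connectors have been removed and should say that they were retired and that CEF via AMA must be used. Minor: a space is missing after the comma in `1,**Parsers:**`.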
@@ -50,39 +50,7 @@ "visible": true } ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Akamai Security Events. You can get Akamai Security Events CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - } - ], + "steps": [{}], "outputs": { "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", "location": "[location()]", diff --git a/Solutions/Akamai Security Events/Package/mainTemplate.json b/Solutions/Akamai Security Events/Package/mainTemplate.json index dd39eb4fe02..ad2858a91af 100644 --- a/Solutions/Akamai Security Events/Package/mainTemplate.json +++ b/Solutions/Akamai Security Events/Package/mainTemplate.json 
@@ -33,27 +33,9 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Akamai Security Events", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-akamai", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "AkamaiSecurityEvents", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "AkamaiSecurityEvents", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "AkamaiSecurityEventsAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "AkamaiSecurityEventsAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - 
"_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','AkamaiSIEMEvent')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AkamaiSIEMEvent')]", 
@@ -64,672 +46,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Akamai Security Events data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Akamai Security Events via Legacy Agent", - "publisher": "Akamai", - "descriptionMarkdown": "Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai Security Events](https://www.akamai.com/us/en/products/security/) into Microsoft Sentinel. 
Refer to [Akamai SIEM Integration documentation](https://developer.akamai.com/tools/integrations/siem) for more information.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AkamaiSecurityEvents", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Akamai\"\n| where DeviceProduct == \"akamai_siem\"" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Countries", - "query": "AkamaiSIEMEvent\n | summarize count() by SrcGeoCountry\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AkamaiSecurityEvents)", - "lastDataReceivedQuery": "CommonSecurityLog\n | where DeviceVendor == \"Akamai\"\n | where DeviceProduct == \"akamai_siem\"\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n | where DeviceVendor == \"Akamai\"\n | where DeviceProduct == \"akamai_siem\"\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Akamai Security Events and load the function code or click [here](https://aka.ms/sentinel-akamaisecurityevents-parser), on the second line of the query, enter the hostname(s) of your Akamai Security Events device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Akamai Security Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Akamai Security Events via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - 
"properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Akamai Security Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Akamai Security Events via Legacy Agent", - "publisher": "Akamai", - "descriptionMarkdown": "Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai Security Events](https://www.akamai.com/us/en/products/security/) into Microsoft Sentinel. 
Refer to [Akamai SIEM Integration documentation](https://developer.akamai.com/tools/integrations/siem) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AkamaiSecurityEvents", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Akamai\"\n| where DeviceProduct == \"akamai_siem\"" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AkamaiSecurityEvents)", - "lastDataReceivedQuery": "CommonSecurityLog\n | where DeviceVendor == \"Akamai\"\n | where DeviceProduct == \"akamai_siem\"\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n | where DeviceVendor == \"Akamai\"\n | where DeviceProduct == \"akamai_siem\"\n | summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Countries", - "query": "AkamaiSIEMEvent\n | summarize count() by SrcGeoCountry\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Akamai Security Events and load the function code or click [here](https://aka.ms/sentinel-akamaisecurityevents-parser), on the second line of the query, enter the hostname(s) of your Akamai Security Events device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Akamai Security Events data connector with template version 3.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Akamai Security Events via AMA", - "publisher": "Akamai", - "descriptionMarkdown": "Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai Security Events](https://www.akamai.com/us/en/products/security/) into Microsoft Sentinel. 
Refer to [Akamai SIEM Integration documentation](https://developer.akamai.com/tools/integrations/siem) for more information.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AkamaiSecurityEvents", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Countries", - "query": "AkamaiSIEMEvent\n | summarize count() by SrcGeoCountry\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AkamaiSecurityEvents)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions 
to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Akamai Security Events and load the function code or click [here](https://aka.ms/sentinel-akamaisecurityevents-parser), on the second line of the query, enter the hostname(s) of your Akamai Security Events device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. 
Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Akamai Security Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": 
"DataConnector", - "displayName": "[Deprecated] Akamai Security Events via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Akamai Security Events", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Akamai Security Events via AMA", - "publisher": "Akamai", - "descriptionMarkdown": "Akamai Solution for Microsoft Sentinel provides the capability to ingest [Akamai Security Events](https://www.akamai.com/us/en/products/security/) into Microsoft 
Sentinel. Refer to [Akamai SIEM Integration documentation](https://developer.akamai.com/tools/integrations/siem) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "AkamaiSecurityEvents", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (AkamaiSecurityEvents)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Akamai' \n |where DeviceProduct =~ 'akamai_siem'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Countries", - "query": "AkamaiSIEMEvent\n | summarize count() by SrcGeoCountry\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Akamai Security Events and load the function code or click [here](https://aka.ms/sentinel-akamaisecurityevents-parser), on the second line of the query, enter the hostname(s) of your Akamai Security Events device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -739,7 +55,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AkamaiSIEMEvent Data Parser with template version 3.0.1", + "description": "AkamaiSIEMEvent Data Parser with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -867,12 +183,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Akamai Security Events", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Akamai Security Solution for Microsoft Sentinel enables ingestion of Akamai Security Solutions events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Akamai Security Solution for Microsoft Sentinel enables ingestion of Akamai Security Solutions events using the Common Event Format (CEF) into Microsoft Sentinel for Security Monitoring.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connector: 1,Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -896,16 +212,6 @@
 },
 "dependencies": {
 "criteria": [
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId2')]",
- "version": "[variables('dataConnectorVersion2')]"
- },
 {
 "kind": "Parser",
 "contentId": "[variables('parserObject1').parserContentId1]",
diff --git a/Solutions/Akamai Security Events/ReleaseNotes.md b/Solutions/Akamai Security Events/ReleaseNotes.md
index da13b3127d1..b2d8a50d734 100644
--- a/Solutions/Akamai Security Events/ReleaseNotes.md
+++ b/Solutions/Akamai Security Events/ReleaseNotes.md
@@ -1,4 +1,5 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
-| 3.0.1 | 08-07-2024 | Deprecated **Data Connector** |
-| 3.0.0 | 20-09-2023 | Addition of new Akamai Security Events AMA **Data Connector** |
\ No newline at end of file
+| 3.0.2 | 12-11-2024 | Removed Deprecated **Data Connector** |
+| 3.0.1 | 08-07-2024 | Deprecated **Data Connector** |
+| 3.0.0 | 20-09-2023 | Addition of new Akamai Security Events AMA **Data Connector** |
\ No newline at end of file
diff --git a/Solutions/Amazon Web Services/Analytic Rules/AWS_OverlyPermessiveKMS.yaml b/Solutions/Amazon Web Services/Analytic Rules/AWS_OverlyPermessiveKMS.yaml
index 59b7ca93ff6..db6501a26ea 100644
--- a/Solutions/Amazon Web Services/Analytic Rules/AWS_OverlyPermessiveKMS.yaml
+++ b/Solutions/Amazon Web Services/Analytic Rules/AWS_OverlyPermessiveKMS.yaml
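Review bot: The new `descriptionHtml` value still advertises `Data Connector: 1` and the "about to be deprecated by Aug 31, 2024" notice, while the `@@ -896,16 +212,6 @@` hunk on this same line removes both `DataConnector` entries (`_dataConnectorContentId1`, `_dataConnectorContentId2`) from `dependencies.criteria` and the 3.0.2 release note says the deprecated connector was removed. Either the description count should reflect what the package now ships or a connector is still expected to be present; which is correct cannot be settled from this hunk, so it should be checked against the solution's input metadata. If `mainTemplate.json` is produced by the packaging tool, as its shape suggests, the correction belongs in that metadata rather than in a hand edit here.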
@@ -17,12 +17,13 @@ tactics:
 relevantTechniques:
 - T1486
 query: |
+ let kmsActions = dynamic(["kms:Encrypt", "kms:*"]);
 AWSCloudTrail
 | where EventName in ("CreateKey","PutKeyPolicy") and isempty(ErrorCode) and isempty(ErrorMessage)
 | extend Statement = parse_json(tostring((parse_json(RequestParameters).policy))).Statement
 | mvexpand Statement
 | extend Action = tostring(parse_json(Statement).Action), Effect = tostring(parse_json(Statement).Effect), Principal = iff(isnotempty(tostring(parse_json(Statement).Principal.AWS)),tostring(parse_json(Statement).Principal.AWS), tostring(parse_json(Statement).Principal))
- | where Effect =~ "Allow" and (Action == "kms:Encrypt" or Action == "kms:*") and Principal == "*"
+ | where Effect =~ "Allow" and Action has_any (kmsActions) and Principal == "*"
 | extend UserIdentityArn = iif(isempty(UserIdentityArn), tostring(parse_json(Resources)[0].ARN), UserIdentityArn)
 | extend UserName = tostring(split(UserIdentityArn, '/')[-1])
 | extend AccountName = case( UserIdentityPrincipalid == "Anonymous", "Anonymous", isempty(UserIdentityUserName), UserName, UserIdentityUserName)
@@ -42,5 +43,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: SourceIpAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py
index b12deb66a85..5e90b419b58 100644
--- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py
+++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/__init__.py
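Review bot: `Action has_any (kmsActions)` loosens the match on the changed `where` line, but `Principal == "*"` on the same line stays an exact string compare, so a statement whose `Principal.AWS` is the list `["*"]` is stringified by `tostring` and still missed while the list form of `Action` is now caught; the two halves of the condition are no longer consistent. `has` also matches whole alphanumeric terms and `*` is not one, so confirm against a sample `CreateKey`/`PutKeyPolicy` event that the `kms:*` entry really matches before relying on it. A more precise alternative that keeps exact semantics and still handles list-valued actions is `| mv-expand Action = parse_json(Statement).Action to typeof(string)` followed by `| where Effect =~ "Allow" and Action in~ ("kms:Encrypt", "kms:*") and Principal == "*"`, with `Action` dropped from the preceding `extend`. The `query` block continues past the hunk, so its later stages are not visible here.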
@@ -5,6 +5,7 @@ import azure.functions as func import json from .sentinel import AzureSentinel +from .exports_store import ExportsTableStore from Exceptions.ArmisExceptions import ArmisException, ArmisDataNotFoundException from .utils import Utils from . import consts @@ -38,16 +39,10 @@ def get_alert_data(self, parameter): headers=self.header, retry_401=consts.RETRY_COUNT_401, ) - if results["data"]["count"] == 0: + if ("data" in results) and ("count" in results["data"]) and (results["data"].get("count") == 0): raise ArmisDataNotFoundException(consts.LOG_FORMAT.format(__method_name, "Alert Data not found.")) - if ( - "data" in results - and "results" in results["data"] - and "total" in results["data"] - and "count" in results["data"] - and "next" in results["data"] - ): + if (("results" in results["data"]) and ("total" in results["data"]) and ("next" in results["data"])): count_per_frame_data = results["data"]["count"] data = results["data"]["results"] for i in data: @@ -105,16 +100,10 @@ def get_activity_data(self, activity_uuids): headers=self.header, retry_401=consts.RETRY_COUNT_401, ) - if results["data"]["count"] == 0: + if ("data" in results) and ("count" in results["data"]) and (results["data"].get("count") == 0): logging.warning(consts.LOG_FORMAT.format(__method_name, "Activity Data not found.")) return [] - if ( - "data" in results - and "results" in results["data"] - and "total" in results["data"] - and "count" in results["data"] - and "next" in results["data"] - ): + if (("results" in results["data"]) and ("total" in results["data"]) and ("next" in results["data"])): data = results["data"]["results"] for i in data: i["armis_activity_time"] = i["time"] 
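Review bot: In `get_alert_data` the rewritten second `if` indexes `results["data"]` without the `"data" in results` guard that the removed multi-line condition carried, so a response lacking a `data` key no longer leads to the intended `ArmisDataNotFoundException` but to a `KeyError` on that line; the `get_activity_data` hunk (`@@ -105,16 +100,10 @@`) on this same line has the identical gap. The first `if` already tests `"data" in results`, so the smallest fix is to make the missing-key case explicit there, `if "data" not in results or results["data"].get("count") == 0:`, and apply the same in `get_activity_data`. Both method bodies continue outside the hunks, so whether an outer `except` converts the `KeyError` cannot be confirmed from this view.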
@@ -134,7 +123,9 @@ def get_activity_data(self, activity_uuids): logging.error(consts.LOG_FORMAT.format(__method_name, "Error while fetching Activity : {}.".format(err))) raise ArmisException() - def post_alert_activity_data(self, alerts_data_to_post, activity_uuid_list): + def post_alert_activity_data( + self, alerts_data_to_post, activity_uuid_list, offset_to_post, checkpoint_table_object: ExportsTableStore + ): """Post alert and activity data to respective table in sentinel. Args: @@ -165,7 +156,14 @@ def post_alert_activity_data(self, alerts_data_to_post, activity_uuid_list): __method_name, "Posted Alerts count : {}.".format(len(alerts_data_to_post)) ) ) - self.post_alert_checkpoint(alerts_data_to_post[-1]) + offset_to_post += len(alerts_data_to_post) + logging.info( + consts.LOG_FORMAT.format(__method_name, "Saving offset '{}' in checkpoint".format(offset_to_post)) + ) + checkpoint_table_object.merge( + "armisalertactivity", "alertactivitycheckpoint", {"offset": offset_to_post} + ) + return offset_to_post except ArmisException: raise ArmisException() except Exception as err: @@ -176,7 +174,7 @@ def post_alert_activity_data(self, alerts_data_to_post, activity_uuid_list): ) raise ArmisException() - def process_alerts_data(self, alerts): + def process_alerts_data(self, alerts, offset_to_post, checkpoint_table_object: ExportsTableStore): """Process alerts data to fetch related activity. Args: 
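Review bot: The `Args:` docstrings of `post_alert_activity_data` and `process_alerts_data` (hunks `@@ -134,7 +123,9 @@` and `@@ -176,7 +174,7 @@` on this line) are not updated for the new `offset_to_post` and `checkpoint_table_object` parameters, and the first method now also returns a value the docstring does not mention; both bodies run past their hunks. I would add `offset_to_post (int): offset of the first alert in alerts_data_to_post; the advanced offset is returned.` and `checkpoint_table_object (ExportsTableStore): table store that receives the offset checkpoint.` plus a `Returns:` entry. The partition and row keys `"armisalertactivity"` / `"alertactivitycheckpoint"` are spelled out in the `@@ -165,7 +156,14 @@` hunk and again in `@@ -216,10 +220,20 @@`, `@@ -231,60 +245,50 @@` and `@@ -300,31 +304,64 @@`; a pair of constants in `consts.py` next to `CHECKPOINT_TABLE_NAME` would keep them from drifting.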
@@ -192,13 +190,19 @@ def process_alerts_data(self, alerts): activity_uuid_list.extend(activity_uuids) alerts_data_to_post.append(alert) else: - self.post_alert_activity_data(alerts_data_to_post, activity_uuid_list) + offset_to_post = self.post_alert_activity_data( + alerts_data_to_post, activity_uuid_list, offset_to_post, checkpoint_table_object + ) alerts_data_to_post = [] activity_uuid_list = [] if len(activity_uuids) < consts.CHUNK_SIZE: activity_uuid_list.extend(activity_uuids) alerts_data_to_post.append(alert) else: + logging.info( + consts.LOG_FORMAT.format( + __method_name, "Chunk size is greater than {}.".format(consts.CHUNK_SIZE)) + ) for index in range(0, len(activity_uuids), consts.CHUNK_SIZE): chunk_of_activity_uuids = activity_uuids[index: index + consts.CHUNK_SIZE] activity_data = self.get_activity_data(chunk_of_activity_uuids) @@ -216,10 +220,20 @@ def process_alerts_data(self, alerts): self.azuresentinel.post_data( json.dumps([alert], indent=2), consts.ARMIS_ALERTS_TABLE, "armis_alert_time" ) - self.total_alerts_posted += 1 logging.info(consts.LOG_FORMAT.format(__method_name, "Posted Alerts count : 1.")) - self.post_alert_checkpoint(alert) - self.post_alert_activity_data(alerts_data_to_post, activity_uuid_list) + self.total_alerts_posted += 1 + offset_to_post += 1 + logging.info( + consts.LOG_FORMAT.format( + __method_name, "Saving offset '{}' in checkpoint".format(offset_to_post) + ) + ) + checkpoint_table_object.merge( + "armisalertactivity", "alertactivitycheckpoint", {"offset": offset_to_post} + ) + self.post_alert_activity_data( + alerts_data_to_post, activity_uuid_list, offset_to_post, checkpoint_table_object + ) except ArmisException: raise ArmisException() 
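Review bot: The new log line `"Chunk size is greater than {}."` in `process_alerts_data` names the wrong quantity: it is the number of activity UUIDs on one alert that exceeds `consts.CHUNK_SIZE`, not the chunk size; `"Alert has more than {} activity UUIDs; fetching activities in chunks."` says what happens. In the `@@ -216,10 +220,20 @@` hunk on this same line the per-alert path now performs a `checkpoint_table_object.merge` after every single alert, one table write per alert, while the batched path checkpoints once per batch; that is presumably intentional for resumability, but a one-line comment stating it would stop a later reader from "optimising" it away. The method body extends beyond both hunks.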
@@ -231,60 +245,50 @@ def process_alerts_data(self, alerts): ) raise ArmisException() - def fetch_alert_data(self, type_data, is_checkpoint_not_exist, last_time=None): + def fetch_alert_data( + self, alert_parameter, is_checkpoint_not_exist, checkpoint_table_object: ExportsTableStore, last_time=None + ): """Fetch_alert_data is used to push all the data into table. Args: - type_data (json): will contain the json data to use in parameters. + alert_parameter (json): will contain the json data to use in parameters. is_checkpoint_not_exist (bool): it is a flag that contains the value if checkpoint exists or not. last_time (String): it will contain checkpoint time stamp. """ __method_name = inspect.currentframe().f_code.co_name try: if is_checkpoint_not_exist: - aql_data = """{}""".format(type_data["aql"]) + aql_data = "in:alerts" else: - aql_data = """{} after:{}""".format(type_data["aql"], last_time) - type_data["aql"] = aql_data + aql_data = """{} after:{}""".format("in:alerts", last_time) + alert_parameter["aql"] = aql_data + alert_parameter["length"] = 1000 while self.data_alert_from is not None: - parameter_alert = { - "aql": type_data["aql"], - "from": self.data_alert_from, - "orderBy": "time", - "length": 1000, - "fields": type_data["fields"], - } - logging.info(consts.LOG_FORMAT.format(__method_name, "Fetching alerts data.")) + alert_parameter.update({"from": self.data_alert_from}) + offset_to_post = self.data_alert_from + logging.info(consts.LOG_FORMAT.format(__method_name, "Fetching alerts data with parameters = {}.".format(alert_parameter))) ( data, alert_time, count_per_frame_data, - ) = self.get_alert_data(parameter_alert) - self.process_alerts_data(data) + ) = self.get_alert_data(alert_parameter) + self.process_alerts_data(data, offset_to_post, checkpoint_table_object) logging.info( consts.LOG_FORMAT.format( __method_name, "Collected {} alert data from alerts api.".format(count_per_frame_data), ) ) - - if str(consts.IS_AVOID_DUPLICATES).lower() == "true": 
- alert_time = datetime.datetime.strptime(alert_time, "%Y-%m-%dT%H:%M:%S") - alert_time += datetime.timedelta(seconds=1) - alert_time = alert_time.strftime("%Y-%m-%dT%H:%M:%S") - logging.info( - consts.LOG_FORMAT.format( - __method_name, "Last timestamp with plus one second that is added : {}".format(alert_time) - ) - ) - self.state_manager_obj.post(str(alert_time)) - logging.info( - consts.LOG_FORMAT.format( - __method_name, - "" + "Last timestamp is added with plus one second into the StateManager successfully.", - ) - ) - + alert_time = datetime.datetime.strptime(alert_time, "%Y-%m-%dT%H:%M:%S") + alert_time += datetime.timedelta(seconds=1) + alert_time = alert_time.strftime("%Y-%m-%dT%H:%M:%S") + logging.info(consts.LOG_FORMAT.format(__method_name, "Saving offset '0' in checkpoint")) + logging.info( + consts.LOG_FORMAT.format(__method_name, "Adding last timestamp in checkpoint: {}".format(alert_time)) + ) + checkpoint_table_object.merge( + "armisalertactivity", "alertactivitycheckpoint", {"time": alert_time, "offset": 0} + ) except ArmisException: raise ArmisException() 
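Review bot: `fetch_alert_data` now unconditionally advances `alert_time` by one second before storing it as the checkpoint, whereas the removed code did so only when `consts.IS_AVOID_DUPLICATES` was set, and that setting is deleted from `consts.py` in this same commit; unless Armis' `after:` filter is exclusive, alerts that share the last alert's second but were not in the fetched page are skipped on the next run, so the trade-off should be stated in a comment such as `# +1s so the last posted alert is not re-fetched; alerts in the same second may be missed`. The docstring's `Args:` lists `alert_parameter`, `is_checkpoint_not_exist` and `last_time` but not the new `checkpoint_table_object`. The `Fetching alerts data with parameters = {}` line logs the whole parameter dict on every page; nothing sensitive is visible in it here, but it is verbose for an info-level message. The enclosing `try`/`except` spans beyond the hunk.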
@@ -300,31 +304,64 @@ def check_data_exists_or_not_alert(self): __method_name = inspect.currentframe().f_code.co_name try: parameter_alert = { - "aql": "in:alerts", "orderBy": "time", "fields": ",".join(consts.ALERT_FIELDS), } last_time_alerts = self.state_manager_obj.get() - if last_time_alerts is None: + checkpoint_table = ExportsTableStore( + connection_string=consts.CONNECTION_STRING, table_name=consts.CHECKPOINT_TABLE_NAME + ) + + if last_time_alerts is not None: logging.info( - consts.LOG_FORMAT.format(__method_name, "The checkpoint timestamp is not available for the alerts!") + consts.LOG_FORMAT.format( + __method_name, "The checkpoint file is available for alerts. time: {}.".format(last_time_alerts) + ) + ) + checkpoint_table.create() + checkpoint_table.merge( + "armisalertactivity", "alertactivitycheckpoint", {"time": last_time_alerts, "offset": 0} ) + self.state_manager_obj.delete() + logging.info(consts.LOG_FORMAT.format(__method_name, "checkpoint file deleted from fileshare.")) self.fetch_alert_data( parameter_alert, - True, + False, + checkpoint_table, last_time_alerts, ) + return + record = checkpoint_table.get("armisalertactivity", "alertactivitycheckpoint") + fetch_data_from_scratch = False + if not record: + checkpoint_table.create() + checkpoint_table.post("armisalertactivity", "alertactivitycheckpoint", {"offset": 0}) + fetch_data_from_scratch = True else: + logging.info(consts.LOG_FORMAT.format(__method_name, "Fetching Entity from checkpoint table")) + last_time_alerts = record.get("time") + self.data_alert_from = record.get("offset") if record.get("offset") else 0 logging.info( consts.LOG_FORMAT.format( - __method_name, "The checkpoint is available for alerts: {}.".format(last_time_alerts) + __method_name, + "Checkpoint table: Last timestamp: {}, Offset: {}".format( + last_time_alerts, self.data_alert_from + ), ) ) - self.fetch_alert_data( - parameter_alert, - False, - last_time_alerts, - ) + if last_time_alerts is None: + logging.info( + 
consts.LOG_FORMAT.format( + __method_name, "time value not available in checkpoint table. Setting time as None." + ) + ) + fetch_data_from_scratch = True + self.fetch_alert_data( + parameter_alert, + fetch_data_from_scratch, + checkpoint_table, + last_time_alerts, + ) logging.info( consts.LOG_FORMAT.format( __method_name, diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py index 11ef7d4f818..d1422b6d712 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/consts.py @@ -25,11 +25,12 @@ CONNECTION_STRING = os.environ.get("AzureWebJobsStorage", "") ARMIS_ALERTS_TABLE = os.environ.get("ArmisAlertsTableName", "") ARMIS_ACTIVITIES_TABLE = os.environ.get("ArmisActivitiesTableName", "") -IS_AVOID_DUPLICATES = os.environ.get("AvoidDuplicates", "") WORKSPACE_ID = os.environ.get("WorkspaceID", "") WORKSPACE_KEY = os.environ.get("WorkspaceKey", "") CHUNK_SIZE = 35 FILE_SHARE = "funcstatemarkershare" -CHECKPOINT_FILE = "funcarmisalertsfile" +CHECKPOINT_FILE_TIME = "funcarmisalertsfile" +CHECKPOINT_FILE_OFFSET = "armisalertoffset" LOG_FORMAT = "Armis Alerts Activities Connector: (method = {}) : {}" REQUEST_TIMEOUT = 300 +CHECKPOINT_TABLE_NAME = "ArmisAlertActivityCheckpoint" diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/exports_store.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/exports_store.py new file mode 100644 index 00000000000..a560b5baea0 --- /dev/null +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/exports_store.py 
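Review bot: `self.state_manager_obj.delete()` in the file-share migration branch can raise `ResourceNotFoundError` (the type `StateManager.delete` re-raises in this diff), which is not an `ArmisException`; unless a broader handler exists further down in `check_data_exists_or_not_alert` (its except clauses are outside this hunk), that error escapes after the table already holds the migrated checkpoint. A missing file at that point is harmless, so wrap the call: `try: self.state_manager_obj.delete()` / `except ResourceNotFoundError: logging.warning(consts.LOG_FORMAT.format(__method_name, "checkpoint file already removed."))`, importing the exception class at the top of utils.py. Separately, `record.get("offset") if record.get("offset") else 0` reads more simply as `record.get("offset") or 0`, and the three flows in this method (file-share migration, first-run bootstrap, table resume) would be easier to follow as small private helpers.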
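Review bot: `CHECKPOINT_FILE_OFFSET = "armisalertoffset"` is introduced here but no hunk in this diff references it; the alerts connector now keeps the offset in the `CHECKPOINT_TABLE_NAME` table, so the constant appears to be dead and should be dropped unless a caller outside the diff uses it. If it is kept on purpose, a one-line comment stating when a file-share offset is still consulted would prevent confusion with the table-based checkpoint.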
@@ -0,0 +1,87 @@ +import logging + +from azure.data.tables import TableClient, UpdateMode +from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError, HttpResponseError + + +class ExportsTableStore: + + def __init__(self, connection_string, table_name): + self.connection_string = connection_string + self.table_name = table_name + + def create(self): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + try: + table_client.create_table() + logging.info("Checkpoint Table created") + except ResourceExistsError: + logging.warning("Checkpoint Table already exists") + + def post(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + try: + table_client.create_entity(entity_template) + except Exception as e: + logging.warning("could not post entity to table") + logging.warning(e) + raise e + + def get(self, pk: str, rk: str): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + try: + logging.info("looking for {} - {} on table {}".format(pk, rk, self.table_name)) + return table_client.get_entity(pk, rk) + except ResourceNotFoundError: + return None + + def upsert(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + logging.info("upserting {} - {} on table {}".format(pk, rk, self.table_name)) + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + return table_client.upsert_entity(mode=UpdateMode.REPLACE, entity=entity_template) + + def update_if_found(self, pk: str, rk: str, data: dict = None): + if self.get(pk, rk) is not None: + self.merge(pk, rk, data) + + def query_by_partition_key(self, pk): + 
table_client = TableClient.from_connection_string( + self.connection_string, self.table_name) + parameters = {u"key": pk} + name_filter = u"PartitionKey eq @key" + try: + return table_client.query_entities(name_filter, parameters=parameters) + except HttpResponseError as e: + print(e.message) + return [] + + def batch(self, operations): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + return table_client.submit_transaction(operations=operations) + + def list_all(self): + table_client = TableClient.from_connection_string(self.connection_string, self.table_name) + return table_client.list_entities() + + def merge(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + logging.info("upserting {} - {} on table {}".format(pk, rk, self.table_name)) + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + return table_client.upsert_entity(mode=UpdateMode.MERGE, entity=entity_template) diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py index 624a40b0665..111d99a58a2 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/state_manager.py @@ -1,4 +1,5 @@ """This module will help to save file to statemanager.""" + from azure.storage.fileshare import ShareClient from azure.storage.fileshare import ShareFileClient from azure.core.exceptions import ResourceNotFoundError 
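Review bot: `query_by_partition_key` and `list_all` create a `TableClient` outside a `with` block and never close it, unlike every other method in `ExportsTableStore`, and `query_by_partition_key` reports failures with `print(e.message)` before returning `[]`, which keeps the error out of the Function's logging stream and makes a query failure indistinguishable from an empty partition. Use the context manager, materialise the paged result while the client is still open, and log at error level; the identical `ArmisDeviceSentinelConnector/exports_store.py` added later in this diff has the same two methods and needs the same change. The `merge` method's log line also says "upserting", which is misleading next to `upsert`; `"merging {} - {} on table {}"` would distinguish them.
```python
    def query_by_partition_key(self, pk):
        with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client:
            parameters = {u"key": pk}
            name_filter = u"PartitionKey eq @key"
            try:
                # materialise inside the 'with' so the client is still open while pages are fetched
                return list(table_client.query_entities(name_filter, parameters=parameters))
            except HttpResponseError as e:
                logging.error("query on table {} failed: {}".format(self.table_name, e.message))
                return []

    # … unchanged: batch …

    def list_all(self):
        with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client:
            return list(table_client.list_entities())
```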
@@ -36,3 +37,13 @@ def get(self): return self.file_cli.download_file().readall().decode() except ResourceNotFoundError: return None + + def delete(self): + """Delete method for deleting the data from Azure Storage. + + This method will delete the file from Azure Storage. + """ + try: + self.file_cli.delete_file() + except ResourceNotFoundError: + raise ResourceNotFoundError("File not found to be deleted.") diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py index ba868876765..b4f7aedfc3a 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertActivitySentinelConnector/utils.py @@ -22,7 +22,6 @@ def __init__(self) -> None: {"WorkspaceKey": consts.WORKSPACE_KEY}, {"ArmisSecretKey": consts.API_KEY}, {"AzureWebJobsStorage": consts.CONNECTION_STRING}, - {"AvoidDuplicates": consts.IS_AVOID_DUPLICATES}, {"ArmisAlertsTableName": consts.ARMIS_ALERTS_TABLE}, {"ArmisActivitiesTableName": consts.ARMIS_ACTIVITIES_TABLE}, ] @@ -30,7 +29,7 @@ def __init__(self) -> None: self._secret_key = consts.API_KEY self.get_access_token() self.state_manager_obj = StateManager( - connection_string=consts.CONNECTION_STRING, file_path=consts.CHECKPOINT_FILE + connection_string=consts.CONNECTION_STRING, file_path=consts.CHECKPOINT_FILE_TIME ) def check_environment_var_exist(self, environment_var): 
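Review bot: In the new `delete` method, `except ResourceNotFoundError: raise ResourceNotFoundError("File not found to be deleted.")` replaces the SDK exception with a fresh instance of the same type, discarding the original message and response details and leaving callers with the same exception class they would have received anyway. Either let the original propagate (drop the try/except) or chain it: `raise ResourceNotFoundError("File not found to be deleted.") from err` with `except ResourceNotFoundError as err`. The Device connector's `state_manager.py` at the end of this diff adds the same method and should get the same treatment.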
@@ -78,10 +77,10 @@ def make_rest_call(self, method, url, params=None, headers=None, data=None, retr """ __method_name = inspect.currentframe().f_code.co_name try: - response = requests.request( - method, url, headers=headers, params=params, data=data, timeout=consts.REQUEST_TIMEOUT - ) for _ in range(retry_401 + 1): + response = requests.request( + method, url, headers=self.header, params=params, data=data, timeout=consts.REQUEST_TIMEOUT + ) if response.status_code == 200: response_json = response.json() logging.info( @@ -222,32 +221,6 @@ def get_formatted_time(self, alert_time): ) raise ArmisException() - def post_alert_checkpoint(self, alert): - """Post alert checkpoint. - - Args: - alert (dict): last alert from data - """ - __method_name = inspect.currentframe().f_code.co_name - try: - alert_time = self.get_formatted_time(alert["time"][:19]) - self.state_manager_obj.post(str(alert_time)) - logging.info( - consts.LOG_FORMAT.format(__method_name, "Alerts checkpoint updated : {}.".format(str(alert_time))) - ) - except KeyError as err: - logging.error(consts.LOG_FORMAT.format(__method_name, "Key error : {}.".format(err))) - raise ArmisException() - - except ArmisException: - raise ArmisException() - - except Exception as err: - logging.error( - consts.LOG_FORMAT.format(__method_name, "Error while posting alerts checkpoint : {}.".format(err)) - ) - raise ArmisException() - def get_access_token(self): """get_access_token method will fetch the access token using api and set it in header for further use.""" __method_name = inspect.currentframe().f_code.co_name 
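Review bot: Moving `requests.request` inside the retry loop is what lets a refreshed token take effect, but the call now passes `headers=self.header` and never reads the `headers` parameter, so a caller that supplies its own headers has them silently dropped while the signature still advertises `headers=None`. Either remove the parameter or merge both, e.g. `headers={**self.header, **(headers or {})}`, so per-call headers survive while an Authorization refresh done on 401 (presumably further down in this method, outside the hunk) is still picked up on the next iteration. The body of `make_rest_call` continues outside this hunk.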
@@ -255,7 +228,7 @@ def get_access_token(self): body = {"secret_key": self._secret_key} logging.info(consts.LOG_FORMAT.format(__method_name, "Getting access token.")) response = self.make_rest_call(method="POST", url=consts.URL + consts.ACCESS_TOKEN_SUFFIX, data=body) - access_token = response["data"]["access_token"] + access_token = response.get("data", {}).get("access_token") self.header.update({"Authorization": access_token}) logging.info(consts.LOG_FORMAT.format(__method_name, "Generated access token Successfully.")) except KeyError as err: diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip index f7219c0f5be..0c15733685a 100644 Binary files a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip and b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/ArmisAlertsActivitiesSentinelConn.zip differ diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json index 5b927cf63a3..7a3f4cf8b4d 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/azuredeploy_Connector_ArmisAlertsActivitiesAPI_AzureFunction.json 
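Review bot: `response.get("data", {}).get("access_token")` turns a missing token into `None` instead of a `KeyError`, so `self.header.update({"Authorization": None})` now succeeds and the method logs "Generated access token Successfully." even though no credential was obtained; the `except KeyError` branch just below the hunk no longer fires for this line. Add an explicit guard before the header update: `if not access_token:` / `raise ArmisException("Armis access token missing from response.")` so the failure surfaces at authentication time rather than as a later 401. The same pattern is introduced in `_get_access_token_device` in the Device connector in this diff.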
@@ -10,35 +10,50 @@ }, "WorkspaceID": { "type": "string", - "defaultValue": "" + "minLength": 1, + "metadata": { + "description": "Enter Workspace ID of Log Analytics Workspace" + } }, "WorkspaceKey": { "type": "securestring", - "defaultValue": "" + "minLength": 1, + "metadata": { + "description": "Enter Primary Key of Log Analytics Workspace" + } }, "ArmisSecretKey": { "type": "securestring", - "defaultValue": "" + "metadata": { + "description": "Enter Armis Secret Key for Authentication" + } }, - "ArmisURL":{ + "ArmisBaseURL":{ "type": "string", - "defaultValue": "" + "metadata": { + "description": "Enter Base URL starting with \"https://\" followed by hostname(Example: https://[armis-instance].armis.com/api/v1)" + } }, "ArmisAlertsTableName":{ "type": "string", - "defaultValue": "Armis_Alerts_CL" + "defaultValue": "Armis_Alerts_CL", + "metadata": { + "description": "Enter name of the table used to store Armis Alerts logs. Default is 'Armis_Alerts_CL'" + } }, "ArmisActivitiesTableName":{ "type": "string", - "defaultValue": "Armis_Activities_CL" + "defaultValue": "Armis_Activities_CL", + "metadata": { + "description": "Enter name of the table used to store Armis Activities logs. Default is 'Armis_Activities_CL'" + } }, "ArmisSchedule":{ "type": "string", - "defaultValue": "" - }, - "AvoidDuplicates":{ - "type": "bool", - "defaultValue": true + "defaultValue": "0 */15 * * * *", + "metadata": { + "description": "Enter a valid Quartz Cron-Expression (Example: 0 0 0 * * *)" + } }, "AppInsightsWorkspaceResourceID": { "type": "string", @@ -95,7 +110,8 @@ } }, "keySource": "Microsoft.Storage" - } + }, + "minimumTlsVersion": "TLS1_2" } }, { 
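Review bot: `WorkspaceID` and `WorkspaceKey` gain `"minLength": 1`, but `ArmisSecretKey` and `ArmisBaseURL` do not, so the template still accepts an empty secret or URL at deployment time and the function only fails when it first tries to authenticate; adding `"minLength": 1` to both keeps validation consistent across the required parameters. In the second hunk of this file, `"minimumTlsVersion": "TLS1_2"` on the storage account is the right addition; if the same resource does not already set `"supportsHttpsTrafficOnly": true` and `"allowBlobPublicAccess": false` (outside this hunk), they belong next to it.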
@@ -176,11 +192,10 @@ "WorkspaceID": "[parameters('WorkspaceID')]", "WorkspaceKey": "[parameters('WorkspaceKey')]", "ArmisSecretKey": "[parameters('ArmisSecretKey')]", - "ArmisURL": "[parameters('ArmisURL')]", + "ArmisURL": "[parameters('ArmisBaseURL')]", "ArmisAlertsTableName": "[parameters('ArmisAlertsTableName')]", "ArmisActivitiesTableName": "[parameters('ArmisActivitiesTableName')]", "Schedule": "[parameters('ArmisSchedule')]", - "AvoidDuplicates": "[parameters('AvoidDuplicates')]", "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-ArmisAlertsActivities-functionapp" } } diff --git a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt index 19af94f97bf..52584d6099a 100644 --- a/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt +++ b/Solutions/Armis/Data Connectors/ArmisAlertsActivities/requirements.txt @@ -4,4 +4,5 @@ azure-functions azure-storage-file-share==12.3.0 -requests \ No newline at end of file +requests +azure-data-tables==12.1.0 diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConn.zip b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConn.zip index ed587195be0..52989053567 100644 Binary files a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConn.zip and b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConn.zip differ diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/__init__.py b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/__init__.py index affc715087b..1cf4cbfa52d 100644 --- a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/__init__.py +++ b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/__init__.py @@ -1,4 +1,5 @@ """This __init__ file will be called once the trigger is generated.""" + import datetime import logging import azure.functions as func 
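Review bot: `azure-data-tables==12.1.0` is pinned, and `azure-storage-file-share` already was, but `requests` remains unpinned in the same file, so builds of the function package are not reproducible and a future `requests` release could change the behaviour of `make_rest_call` without any change to this repository; pin it to the version the change was tested with, e.g. `requests==<tested version>`. It is also worth confirming that 12.1.0 is the `azure-data-tables` release actually exercised, since `ExportsTableStore` relies on `UpdateMode` and `submit_transaction` from that package.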
@@ -7,17 +8,23 @@ import hmac import json import os +import time import requests from .state_manager import StateManager -from Exceptions.ArmisExceptions import ArmisException, ArmisDataNotFoundException +from .exports_store import ExportsTableStore +from Exceptions.ArmisExceptions import ( + ArmisException, + ArmisDataNotFoundException, + ArmisTimeOutException, +) + API_KEY = os.environ["ArmisSecretKey"] url = os.environ["ArmisURL"] connection_string = os.environ["AzureWebJobsStorage"] customer_id = os.environ["WorkspaceID"] shared_key = os.environ["WorkspaceKey"] -armis_devices = os.environ["ArmisDeviceTableName"] -is_avoid_duplicates = os.environ["AvoidDuplicates"] +armis_devices_table_name = os.environ["ArmisDeviceTableName"] HTTP_ERRORS = { 400: "Armis Device Connector: Bad request: Missing aql parameter.", @@ -28,19 +35,47 @@ "HOST_CONNECTION_ERROR": "Armis Device Connector: Invalid host while verifying 'armis account'.", } +CHECKPOINT_TABLE_NAME = "ArmisDeviceCheckpoint" +DEVICE_FIELD_LIST = [ + "accessSwitch", + "category", + "firstSeen", + "id", + "ipAddress", + "lastSeen", + "macAddress", + "manufacturer", + "model", + "name", + "operatingSystem", + "operatingSystemVersion", + "riskLevel", + "sensor", + "site", + "tags", + "type", + "user", + "visibility", + "serialNumber", + "plcModule", + "purdueLevel", + "firmwareVersion", +] +MAX_RETRY = 5 +FUNCTION_APP_TIMEOUT_SECONDS = 570 body = "" class ArmisDevice: """This class will process the Device data and post it into the Microsoft sentinel.""" - def __init__(self): + def __init__(self, start_time): """__init__ method will initialize object of class.""" + self.start_time = start_time self._link = url self._header = {} self._secret_key = API_KEY self._data_device_from = 0 - self._retry_device_token = 1 def _get_access_token_device(self, armis_link_suffix): """ 
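Review bot: `FUNCTION_APP_TIMEOUT_SECONDS = 570` and `MAX_RETRY = 5` are introduced without explanation; 570 s presumably leaves a margin under the 10-minute Consumption-plan limit, but that assumption is not stated and silently breaks if `functionTimeout` in host.json is configured differently. Add comments such as `# stop starting new frames 30 s before the 10-minute Consumption-plan limit (host.json functionTimeout); keep in sync` and `# 401 re-authentication attempts per frame before giving up` above the two constants. The new `__init__(self, start_time)` signature should also say in its docstring that `start_time` is the epoch-seconds value from `time.time()` captured in `main`.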
@@ -53,36 +88,68 @@ def _get_access_token_device(self, armis_link_suffix): if self._secret_key is not None and self._link is not None: body = {"secret_key": self._secret_key} try: - response = requests.post( - (self._link + armis_link_suffix), data=body - ) + response = requests.post((self._link + armis_link_suffix), data=body) if response.status_code == 200: logging.info("Armis Device Connector: Getting access token.") - _access_token = json.loads(response.text)["data"]["access_token"] + response = response.json() + _access_token = response.get("data", {}).get("access_token") self._header.update({"Authorization": _access_token}) elif response.status_code == 400: raise ArmisException( "Armis Device Connector: Please check either armis URL or armis secret key is wrong." ) - else: raise ArmisException( - "Armis Device Connector: Error while generating the access token. error code: {}.".format( - response.status_code + "Armis Device Connector: Error while generating the access token. Code: {} Message: {}.".format( + response.status_code, response.text ) ) - except ArmisException as err: logging.error(err) raise ArmisException( "Armis Device Connector: Error while generating the access token." ) - else: raise ArmisException( "Armis Device Connector: The secret key or link has not been initialized." ) + def validate_timestamp(self, last_seen_time): + """function is used to validate the timestamp format. The timestamp should be in + ISO 8601 format 'YYYY-MM-DDTHH:MM:SS'. If the timestamp is not in correct format, it will + be formatted according to the given timestamp format. + + Args: + last_seen_time (String): Timestamp string to be validated. + + Returns: + String: Validated timestamp string. + """ + try: + if len(last_seen_time) != 19: + if len(last_seen_time) == 10: + last_seen_time += "T00:00:00" + logging.info( + "Armis Device Connector: 'T:00:00:00' added as only date is available." 
+ ) + else: + splited_time = last_seen_time.split("T") + if len(splited_time[1]) == 5: + splited_time[1] += ":00" + logging.info( + "Armis Device Connector: ':00' added as seconds not available." + ) + elif len(splited_time[1]) == 2: + splited_time[1] += ":00:00" + logging.info( + "Armis Device Connector: ':00:00' added as only hour is available." + ) + last_seen_time = "T".join(splited_time) + return last_seen_time + except Exception as err: + logging.error("Armis Device Connector: Error occurred: {}".format(err)) + raise ArmisException(err) + def _get_device_data(self, armis_link_suffix, parameter): """Get_device_data is used to get data using api. 
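Review bot: In `_get_access_token_device`, `_access_token = response.get("data", {}).get("access_token")` can yield `None` without raising, after which the method stores `Authorization: None` and continues; add `if not _access_token:` / `raise ArmisException("Armis Device Connector: access token missing from response.")` before the header update. Rebinding `response = response.json()` inside the 200 branch also makes one name stand for both a `Response` and a dict; a separate name such as `payload` is clearer. The new `validate_timestamp` docstring describes the input as ISO 8601, whereas the code only pads the date-only, hour-only and hour-minute forms and passes anything else through unchanged; say that, and note that a value without a `T` separator raises `ArmisException` via the generic handler.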
@@ -93,80 +160,82 @@ def _get_device_data(self, armis_link_suffix, parameter): """ try: + for i in range(MAX_RETRY + 1): + response = requests.get( + (self._link + armis_link_suffix), + params=parameter, + headers=self._header, + ) + if response.status_code == 200: + logging.info("Armis Device Connector: Status Code : 200") + results = response.json() - response = requests.get( - (self._link + armis_link_suffix), params=parameter, headers=self._header - ) - if response.status_code == 200: - logging.info("API connected successfully with Armis to fetch the data.") - results = json.loads(response.text) + if results["data"]["count"] == 0: + raise ArmisDataNotFoundException( + "Armis Device Connector: Data not found." + ) + + if ( + "data" in results + and "results" in results["data"] + and "total" in results["data"] + and "count" in results["data"] + and "next" in results["data"] + ): + total_data_length = results["data"]["total"] + count_per_frame_data = results["data"]["count"] + data = results["data"]["results"] + + for i in data: + i["armis_device_time"] = i["lastSeen"] + + logging.info( + "Armis Device Connector: From {}, total length {}".format( + self._data_device_from, total_data_length + ) + ) + self._data_device_from = results["data"]["next"] + last_seen_time = data[-1]["lastSeen"][:19] + last_seen_time = self.validate_timestamp(last_seen_time) + + return ( + data, + last_seen_time, + total_data_length, + count_per_frame_data, + ) + else: + raise ArmisException( + "Armis Device Connector: There are no proper keys in data." + ) - if(results["data"]["count"] == 0): - raise ArmisDataNotFoundException( - "Armis Device Connector: Data not found." 
+ elif response.status_code == 400: + logging.error( + "Armis Device Connector: Status Code : 400, Error: {}".format( + HTTP_ERRORS[400] + ) ) + raise ArmisException(HTTP_ERRORS[400]) - if ( - "data" in results - and "results" in results["data"] - and "total" in results["data"] - and "count" in results["data"] - and "next" in results["data"] - ): - total_data_length = results["data"]["total"] - count_per_frame_data = results["data"]["count"] - data = results["data"]["results"] - - for i in data: - i["armis_device_time"] = i["lastSeen"] - - body = json.dumps(data) + elif response.status_code == 401: logging.info( - "Armis Device Connector: From %s length 1000", - self._data_device_from, + "Armis Device Connector: Retry number: {}".format(str(i + 1)) ) - self._data_device_from = results["data"]["next"] - current_time = data[-1]["lastSeen"][:19] - if len(current_time) != 19: - if len(current_time) == 10: - current_time += "T00:00:00" - logging.info("Armis Device Connector: 'T:00:00:00' added as only date is available.") - else: - splited_time = current_time.split('T') - if len(splited_time[1]) == 5: - splited_time[1] += ":00" - logging.info("Armis Device Connector: ':00' added as seconds not available.") - elif len(splited_time[1]) == 2: - splited_time[1] += ":00:00" - logging.info("Armis Device Connector: ':00:00' added as only hour is available.") - current_time = "T".join(splited_time) - - return body, current_time, total_data_length, count_per_frame_data + logging.error( + "Armis Device Connector: Status Code : 401, Error: {}".format( + HTTP_ERRORS[401] + ) + ) + self._get_access_token_device("/access_token/") + continue else: raise ArmisException( - "Armis Device Connector: There are no proper keys in data." 
- ) - - elif response.status_code == 400: - raise ArmisException(HTTP_ERRORS[400]) - - elif response.status_code == 401 and self._retry_device_token <= 3: - logging.info( - "Armis Device Connector: Retry number: {}".format( - str(self._retry_device_token) - ) - ) - self._retry_device_token += 1 - logging.error(HTTP_ERRORS[401]) - logging.info("Armis Device Connector: Generating access token again!") - self._get_access_token_device("/access_token/") - return self._get_device_data(armis_link_suffix, parameter) - else: - raise ArmisException( - "Armis Device Connector: Error while fetching data. status Code:{} error message:{}.".format( - response.status_code, response.text + "Armis Device Connector: Error while fetching data. status Code:{} error message:{}.".format( + response.status_code, response.text + ) ) - ) + logging.error("Armis Device Connector: Max retry reached.") + raise ArmisException("Armis Device Connector: Max retry reached.") except requests.exceptions.ConnectionError: logging.error(ERROR_MESSAGES["HOST_CONNECTION_ERROR"]) 
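Review bot: `results["data"]["count"] == 0` is evaluated before the `"data" in results and "results" in results["data"] ...` key check, so a 200 response without a `data` object raises `KeyError` instead of the intended "There are no proper keys in data" `ArmisException`; move the count test inside the key-check branch. The inner `for i in data:` reuses the retry loop's index `i`, which is harmless today only because the 200 branch always returns, but it is fragile — rename it, e.g. `for device in data: device["armis_device_time"] = device["lastSeen"]`, and rename the retry index to `attempt` so the 401 branch's `attempt + 1` log stays meaningful. The except clauses of `_get_device_data` continue past the hunk.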
@@ -191,41 +260,42 @@ def _get_device_data(self, armis_link_suffix, parameter): raise ArmisDataNotFoundException() def _fetch_device_data( - self, type_data, state, table_name, is_table_not_exist, last_time=None + self, + checkpoint_table_object: ExportsTableStore, + table_name, + last_seen_not_available, + last_time=None, ): """Fetch_device_data is used to push all the data into table. Args: - self: Armis object. - type_data (json): will contain the json data to use in the _get_links function. - state (object): StateManager object. + checkpoint_table_object (object): Azure Storage table object. table_name (String): table name to store the data in microsoft sentinel. - is_table_not_exist (bool): it is a flag that contains the value if table exists or not. + last_seen_not_available (bool): it is a flag that contains the value if last seen exists or not. last_time (String): it will contain latest time stamp. """ try: - self._get_access_token_device("/access_token/") - if is_table_not_exist: - aql_data = """{}""".format(type_data["aql"]) + if last_seen_not_available: + aql_data = "in:devices" else: - aql_data = """{} after:{}""".format(type_data["aql"], last_time) - type_data["aql"] = aql_data - logging.info( - "Armis Device Connector: aql data new " + str(type_data["aql"]) - ) + aql_data = "in:devices after:{}".format(last_time) + logging.info("Armis Device Connector: aql query: " + aql_data) + self._get_access_token_device("/access_token/") azuresentinel = AzureSentinel() + parameter_device = { + "aql": aql_data, + "orderBy": "lastSeen", + "length": 1000, + "fields": ",".join(DEVICE_FIELD_LIST), + } while self._data_device_from is not None: - parameter_device = { - "aql": type_data["aql"], - "from": self._data_device_from, - "orderBy": "lastSeen", - "length": 1000, - "fields": type_data["fields"], - } + if int(time.time()) >= self.start_time + FUNCTION_APP_TIMEOUT_SECONDS: + raise ArmisTimeOutException() + parameter_device.update({"from": self._data_device_from}) ( 
- body, - current_time, + data, + last_seen_time, total_data_length, count_per_frame_data, ) = self._get_device_data("/search/", parameter_device) 
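Review bot: The timeout guard `int(time.time()) >= self.start_time + FUNCTION_APP_TIMEOUT_SECONDS` runs only between frames, so a 1000-record fetch plus ingest that starts just before the threshold can still overrun the host limit; that is acceptable if the margin in the constant covers one frame, but it should be stated. Add a comment above the check: `# evaluated once per frame; the margin in FUNCTION_APP_TIMEOUT_SECONDS must cover one fetch+ingest cycle`. The docstring entry `checkpoint_table_object (object)` should read `(ExportsTableStore)` to match the parameter annotation. The loop body continues in the next hunk.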
@@ -233,37 +303,51 @@ def _fetch_device_data( "Armis Device Connector: Total length of data is %s ", total_data_length, ) - logging.info("Armis Device Connector: Data collection is done successfully.") - azuresentinel.post_data(customer_id, body, table_name) + azuresentinel.post_data(customer_id, json.dumps(data), table_name) logging.info( - "Armis Device Connector: Collected %s device data into microsoft sentinel.", + "Armis Device Connector: Collected %s device data and ingested into sentinel.", count_per_frame_data, ) - state.post(str(current_time)) - logging.info( - "Armis Device Connector: Timestamp added at: " + str(current_time) - ) - logging.info( - "Armis Device Connector: Timestamp added into the StateManager successfully." - ) - if(str(is_avoid_duplicates).lower() == "true"): - current_time = datetime.datetime.strptime(current_time, '%Y-%m-%dT%H:%M:%S') - current_time += datetime.timedelta(seconds=1) - current_time = current_time.strftime('%Y-%m-%dT%H:%M:%S') - state.post(str(current_time)) - logging.info("Armis Device Connector: Last timestamp with plus one second that is added at: {}".format( - current_time) + if self._data_device_from is not None: + checkpoint_table_object.merge( + "armisdevice", + "devicecheckpoint", + {"offset": self._data_device_from}, + ) + logging.info( + "Armis Device Connector: Offset updated in Checkpoint table as: " + + str(self._data_device_from) + ) + + logging.info( + "Armis Device Connector: Data collection and ingestion is completed till last_seen: {}".format( + last_seen_time + ) + ) + last_seen_time = datetime.datetime.strptime( + last_seen_time, "%Y-%m-%dT%H:%M:%S" + ) + last_seen_time += datetime.timedelta(seconds=1) + last_seen_time = last_seen_time.strftime("%Y-%m-%dT%H:%M:%S") + checkpoint_table_object.merge( + "armisdevice", + "devicecheckpoint", + {"last_seen": last_seen_time, "offset": 0}, + ) + logging.info( + "Armis Device Connector: Set last_seen '{}' and offset '0' in Checkpoint table".format( + 
last_seen_time ) - logging.info("Armis Device Connector: " - + "Last timestamp is added with plus one second into the StateManager successfully.") + ) except ArmisException as err: logging.error(err) raise ArmisException( "Armis Device Connector: Error while processing the data." ) - + except ArmisTimeOutException: + raise ArmisTimeOutException() except ArmisDataNotFoundException: raise ArmisDataNotFoundException() 
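Review bot: The one-second increment of `last_seen_time` is now unconditional (it was previously gated by `AvoidDuplicates`), so on the next run any device whose `lastSeen` falls in the same second as this run's final record is skipped if the `after:` filter is inclusive; that is a deliberate trade-off against duplicates, but it is documented nowhere. Add a comment above the `strptime` line: `# advance one second so the last record is not re-ingested; devices updated within that same second are not re-fetched`. The per-frame `checkpoint_table_object.merge(... {"offset": self._data_device_from})` placed after `post_data` is the right order, since the offset is only persisted once ingestion succeeded. The function's exception handlers continue past the hunk.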
@@ -274,50 +358,100 @@ def check_data_exists_or_not_device(self): self: Armis object. """ - device_field_list = ["accessSwitch", "category", "firstSeen", "id", "ipAddress", "lastSeen", - "macAddress", "manufacturer", "model", "name", "operatingSystem", - "operatingSystemVersion", "riskLevel", "sensor", "site", "tags", "type", "user", - "visibility", "serialNumber", "plcModule", "purdueLevel", "firmwareVersion"] + try: - parameter_devices = { - "aql": "in:devices", - "orderBy": "lastSeen", - "fields": ','.join(device_field_list), - } - state_devices = StateManager( + self.state_devices = StateManager( connection_string=connection_string, file_path="funcarmisdevicesfile" ) - last_time_devices = state_devices.get() - if last_time_devices is None: + checkpoint_table_obj = ExportsTableStore( + connection_string=connection_string, table_name=CHECKPOINT_TABLE_NAME + ) + last_time_devices = self.state_devices.get() + + if last_time_devices is not None: logging.info( - "Armis Device Connector: The last run timestamp is not available for the devices!" + "Armis Device Connector: The checkpoint file in file share is available for device endpoint." 
) - self._fetch_device_data( - parameter_devices, - state_devices, - armis_devices, - True, - last_time_devices, + logging.info( + "Armis Device Connector: Last timestamp stored in file for devices: {}".format( + last_time_devices + ) ) - logging.info("Armis Device Connector: Data ingestion initiated.") - else: + logging.info("Armis Device Connector: Creating Checkpoint table.") + checkpoint_table_obj.create() + logging.info( - "Armis Device Connector: The last time point is available in devices: {}.".format( + "Armis Device Connector: Storing value in Checkpoint table - last_seen: {}, offset: 0".format( last_time_devices ) ) + checkpoint_table_obj.merge( + "armisdevice", + "devicecheckpoint", + {"last_seen": last_time_devices, "offset": 0}, + ) + self.state_devices.delete() + logging.info( + "Armis Device Connector: Checkpoint file deleted from fileshare." + ) self._fetch_device_data( - parameter_devices, - state_devices, - armis_devices, + checkpoint_table_obj, + armis_devices_table_name, False, last_time_devices, ) + return + + # last_time_devices is None + is_last_seen_not_available = False + record = checkpoint_table_obj.get("armisdevice", "devicecheckpoint") + if not record: + # first iteration and start from the beginning + logging.info("Armis Device Connector: Creating Checkpoint table.") + checkpoint_table_obj.create() + checkpoint_table_obj.post( + "armisdevice", "devicecheckpoint", {"offset": 0} + ) + is_last_seen_not_available = True + else: + logging.info( + "Armis Device Connector: Fetching Entity from Checkpoint table: {}".format( + CHECKPOINT_TABLE_NAME + ) + ) + last_time_devices = record.get("last_seen") + self._data_device_from = ( + record.get("offset") if record.get("offset") else 0 + ) logging.info( - "Armis Device Connector: Data added when logs was already in %s.", - armis_devices, + "Armis Device Connector: Checkpoint table: {} last_seen: {}, offset: {}".format( + armis_devices_table_name, + last_time_devices, + self._data_device_from, + ) 
) - logging.info("Armis Device Connector: Device data added successfully !") + if last_time_devices is None: + logging.info( + "Armis Device Connector: last_seen value not available in checkpoint table." + ) + is_last_seen_not_available = True + else: + logging.info( + "Armis Device Connector: last_seen value is available in checkpoint table." + ) + + self._fetch_device_data( + checkpoint_table_obj, + armis_devices_table_name, + is_last_seen_not_available, + last_time_devices, + ) + + except ArmisTimeOutException: + logging.info( + "Armis Device Connector: 9:30 mins executed hence stopping the execution" + ) + return except ArmisException as err: logging.error(err) raise ArmisException( @@ -368,7 +502,7 @@ def post_data(self, customer_id, body, log_type): resource = "/api/logs" rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") content_length = len(body) - timestamp_date = 'armis_device_time' + timestamp_date = "armis_device_time" try: signature = self.build_signature( rfc1123date, @@ -433,8 +567,8 @@ def main(mytimer: func.TimerRequest) -> None: "Armis Device Connector: Python timer trigger function ran at %s", utc_timestamp, ) - - armis_obj = ArmisDevice() + start_time = time.time() + armis_obj = ArmisDevice(start_time) try: armis_obj.check_data_exists_or_not_device() except ArmisDataNotFoundException: diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/exports_store.py b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/exports_store.py new file mode 100644 index 00000000000..cf138d51f14 --- /dev/null +++ b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/exports_store.py 
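Review bot: `except ArmisTimeOutException:` logs and returns, but `self.state_devices.delete()` in the migration branch can raise `ResourceNotFoundError` (re-raised as that type by `StateManager.delete` in this diff), which matches neither that handler nor `except ArmisException`, so it would propagate out of `check_data_exists_or_not_device` after the table already holds the migrated checkpoint. Wrap it: `try: self.state_devices.delete()` / `except ResourceNotFoundError: logging.warning("Armis Device Connector: checkpoint file already removed.")`, importing `ResourceNotFoundError` from `azure.core.exceptions` at the top of `__init__.py`. The `def` line of this method lies before the hunk, and its remaining except clauses after it.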
@@ -0,0 +1,88 @@ +import logging +from azure.data.tables import TableClient, UpdateMode +from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError, HttpResponseError + + +class ExportsTableStore: + + def __init__(self, connection_string, table_name): + self.connection_string = connection_string + self.table_name = table_name + + def create(self): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + try: + table_client.create_table() + logging.info("Checkpoint Table created") + except ResourceExistsError: + logging.warning("Table already exists") + + def post(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + try: + table_client.create_entity(entity_template) + except Exception as e: + logging.warning("could not post entity to table") + logging.warning(e) + raise e + + def get(self, pk: str, rk: str): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + try: + logging.info( + "looking for {} - {} on table {}".format(pk, rk, self.table_name)) + return table_client.get_entity(pk, rk) + except ResourceNotFoundError: + return None + + def upsert(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + logging.info("upserting {} - {} on table {}".format(pk, rk, self.table_name)) + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + return table_client.upsert_entity(mode=UpdateMode.REPLACE, entity=entity_template) + + def update_if_found(self, pk: str, rk: str, data: dict = None): + if self.get(pk, rk) is not None: + self.merge(pk, rk, data) + + def query_by_partition_key(self, pk): + 
table_client = TableClient.from_connection_string( + self.connection_string, self.table_name) + parameters = {u"key": pk} + name_filter = u"PartitionKey eq @key" + try: + return table_client.query_entities(name_filter, parameters=parameters) + except HttpResponseError as e: + print(e.message) + return [] + + def batch(self, operations): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + return table_client.submit_transaction(operations=operations) + + def list_all(self): + table_client = TableClient.from_connection_string( + self.connection_string, self.table_name) + return table_client.list_entities() + + def merge(self, pk: str, rk: str, data: dict = None): + with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: + logging.info("upserting {} - {} on table {}".format(pk, rk, self.table_name)) + entity_template = { + "PartitionKey": pk, + "RowKey": rk, + } + if data is not None: + entity_template.update(data) + return table_client.upsert_entity(mode=UpdateMode.MERGE, entity=entity_template) diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/state_manager.py b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/state_manager.py index 92eac7ac99b..50a6fbeed8e 100644 --- a/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/state_manager.py +++ b/Solutions/Armis/Data Connectors/ArmisDevice/ArmisDeviceSentinelConnector/state_manager.py @@ -35,3 +35,13 @@ def get(self): return self.file_cli.download_file().readall().decode() except ResourceNotFoundError: return None + + def delete(self): + """Delete method for deleting the data from Azure Storage. + + This method will delete the file from Azure Storage. + """ + try: + self.file_cli.delete_file() + except ResourceNotFoundError: + raise ResourceNotFoundError("File not found to be deleted.") 
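Review bot: `query_by_partition_key` handles `HttpResponseError` with `print(e.message)` and returns `[]`, so a failed query (rejected credentials, throttling) is indistinguishable to the caller from an empty partition, and the message bypasses the `logging` the rest of the file uses. Replace the handler with `logging.error("could not query partition %s on table %s: %s", pk, self.table_name, e)` and either re-raise or state the empty-list contract in a docstring. `query_by_partition_key` and `list_all` also build the `TableClient` without the `with` block every other method uses; if that is deliberate because the returned iterator is lazy, a one-line comment saying the caller owns the client lifetime would stop someone "fixing" it. Separately, the log line in `merge` says "upserting", copied from `upsert`; `logging.info("merging {} - {} on table {}".format(pk, rk, self.table_name))` would keep the two operations apart in the logs.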
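Review bot: The new `delete` catches `ResourceNotFoundError` only to raise a fresh `ResourceNotFoundError` with a generic message, which discards the service response carried by the original exception and adds nothing the type did not already convey. Either let the original propagate or chain it: `except ResourceNotFoundError as err:` followed by `raise ResourceNotFoundError("File not found to be deleted.") from err`. The docstring should also say that a missing file is treated as an error rather than a no-op, since the device connector appears to call this right after migrating the checkpoint value to the table and would surface that error to its own handler.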
diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/Exceptions/ArmisExceptions.py b/Solutions/Armis/Data Connectors/ArmisDevice/Exceptions/ArmisExceptions.py index 511169b052f..8e999d742e7 100644 --- a/Solutions/Armis/Data Connectors/ArmisDevice/Exceptions/ArmisExceptions.py +++ b/Solutions/Armis/Data Connectors/ArmisDevice/Exceptions/ArmisExceptions.py @@ -11,3 +11,9 @@ class ArmisDataNotFoundException(Exception): """ArmisDataNotFoundException class will inherit Exception class.""" pass + + +class ArmisTimeOutException(Exception): + """ArmisTimeOutException class will inherit Exception class.""" + + pass diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/azuredeploy_Connector_ArmisDeviceAPI_AzureFunction.json b/Solutions/Armis/Data Connectors/ArmisDevice/azuredeploy_Connector_ArmisDeviceAPI_AzureFunction.json index a3787ccad14..0c48580a92a 100644 --- a/Solutions/Armis/Data Connectors/ArmisDevice/azuredeploy_Connector_ArmisDeviceAPI_AzureFunction.json +++ b/Solutions/Armis/Data Connectors/ArmisDevice/azuredeploy_Connector_ArmisDeviceAPI_AzureFunction.json 
@@ -10,31 +10,43 @@ }, "WorkspaceID": { "type": "string", - "defaultValue": "" + "minLength": 1, + "metadata": { + "description": "Enter Workspace ID of Log Analytics Workspace" + } }, "WorkspaceKey": { "type": "securestring", - "defaultValue": "" + "minLength": 1, + "metadata": { + "description": "Enter Primary Key of Log Analytics Workspace" + } }, "ArmisSecretKey": { "type": "securestring", - "defaultValue": "" + "metadata": { + "description": "Enter Armis Secret Key for Authentication" + } }, - "ArmisURL":{ + "ArmisBaseURL":{ "type": "string", - "defaultValue": "" + "metadata": { + "description": "Enter Base URL starting with \"https://\" followed by hostname(Example: https://[armis-instance].armis.com/api/v1)" + } }, "ArmisDeviceTableName":{ "type": "string", - "defaultValue": "Armis_Devices_CL" + "defaultValue": "Armis_Devices_CL", + "metadata": { + "description": "Enter name of the table used to store Armis Devices logs. Default is 'Armis_Devices_CL'" + } }, "ArmisSchedule":{ "type": "string", - "defaultValue": "" - }, - "AvoidDuplicates":{ - "type": "bool", - "defaultValue": true + "defaultValue": "0 */25 * * * *", + "metadata": { + "description": "Enter a valid Quartz Cron-Expression (Example: 0 0 0 * * *)" + } }, "AppInsightsWorkspaceResourceID": { "type": "string", @@ -91,7 +103,8 @@ } }, "keySource": "Microsoft.Storage" - } + }, + "minimumTlsVersion": "TLS1_2" } }, { @@ -172,10 +185,9 @@ "WorkspaceID": "[parameters('WorkspaceID')]", "WorkspaceKey": "[parameters('WorkspaceKey')]", "ArmisSecretKey": "[parameters('ArmisSecretKey')]", - "ArmisURL": "[parameters('ArmisURL')]", + "ArmisURL": "[parameters('ArmisBaseURL')]", "ArmisDeviceTableName": "[parameters('ArmisDeviceTableName')]", "Schedule": "[parameters('ArmisSchedule')]", - "AvoidDuplicates": "[parameters('AvoidDuplicates')]", "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-ArmisDevice-functionapp" } } 
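Review bot: `ArmisSecretKey` is the one required input in the parameters hunk that did not receive `"minLength": 1`, while `WorkspaceID` and `WorkspaceKey` did; an empty secret therefore passes template validation and only fails once the function app calls the Armis API. Add `"minLength": 1,` beside its `"type": "securestring"`, and do the same for `ArmisBaseURL`, whose description demands a value but whose schema still accepts an empty string. The app-settings hunk further down keeps passing the secret as a plain app setting, which this commit does not change; if the function app has a managed identity, a Key Vault reference there would keep the key out of the app configuration.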
diff --git a/Solutions/Armis/Data Connectors/ArmisDevice/requirements.txt b/Solutions/Armis/Data Connectors/ArmisDevice/requirements.txt index a1e7bb9f903..52584d6099a 100644 --- a/Solutions/Armis/Data Connectors/ArmisDevice/requirements.txt +++ b/Solutions/Armis/Data Connectors/ArmisDevice/requirements.txt @@ -5,3 +5,4 @@ azure-functions azure-storage-file-share==12.3.0 requests +azure-data-tables==12.1.0 diff --git a/Solutions/Aruba ClearPass/Data/Solution_Aruba.json b/Solutions/Aruba ClearPass/Data/Solution_Aruba.json index 17ed368107c..34fba0cdff9 100644 --- a/Solutions/Aruba ClearPass/Data/Solution_Aruba.json +++ b/Solutions/Aruba ClearPass/Data/Solution_Aruba.json @@ -3,10 +3,6 @@ "Author": "Aruba Networks", "Logo": "", "Description": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", - "Data Connectors": [ - "Solutions/Aruba ClearPass/Data Connectors/Connector_Syslog_ArubaClearPass.json", - "Solutions/Aruba ClearPass/Data Connectors/template_ArubaClearPassAMA.json" - ], "Parsers": [ "Solutions/Aruba ClearPass/Parsers/ArubaClearPass.yaml" ], @@ -14,7 +10,7 @@ "azuresentinel.azure-sentinel-solution-commoneventformat" ], "BasePath": "C:\\GitHub\\Azure-Sentinel", - "Version": "3.0.1", + "Version": "3.0.3", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false 
diff --git a/Solutions/Aruba ClearPass/Package/3.0.3.zip b/Solutions/Aruba ClearPass/Package/3.0.3.zip new file mode 100644 index 00000000000..1227c21231c Binary files /dev/null and b/Solutions/Aruba ClearPass/Package/3.0.3.zip differ diff --git a/Solutions/Aruba ClearPass/Package/createUiDefinition.json b/Solutions/Aruba ClearPass/Package/createUiDefinition.json index dcc50bb28da..e9aa46783ff 100644 --- a/Solutions/Aruba ClearPass/Package/createUiDefinition.json +++ b/Solutions/Aruba ClearPass/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Aruba%20ClearPass/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Aruba%20ClearPass/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. 
The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -50,39 +50,7 @@ "visible": true } ], - "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Aruba ClearPass. You can get Aruba ClearPass CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - } - ], + "steps": [{}], "outputs": { "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", "location": "[location()]", diff --git a/Solutions/Aruba ClearPass/Package/mainTemplate.json b/Solutions/Aruba ClearPass/Package/mainTemplate.json index 5c9917dc07c..2baa6a4591d 100644 --- a/Solutions/Aruba ClearPass/Package/mainTemplate.json +++ b/Solutions/Aruba ClearPass/Package/mainTemplate.json 
@@ -31,27 +31,9 @@ }, "variables": { "_solutionName": "Aruba ClearPass", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "azuresentinel.azure-sentinel-solution-arubaclearpass", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "ArubaClearPass", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "ArubaClearPass", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "ArubaClearPassAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "ArubaClearPassAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','ArubaClearPass')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ArubaClearPass')]", 
@@ -62,684 +44,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Aruba ClearPass data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Aruba ClearPass via Legacy Agent", - "publisher": "Aruba Networks", - "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. 
This gives you more insight into your organization’s network and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "ArubaClearPass", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Events by Username", - "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_" - }, - { - "description": "Top 10 Error Codes", - "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (ArubaClearPass)", - "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "2. Forward Aruba ClearPass logs to a Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Aruba ClearPass", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Aruba Networks" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Aruba ClearPass via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', 
last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Aruba ClearPass", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Aruba Networks" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Aruba ClearPass via Legacy Agent", - "publisher": "Aruba Networks", - "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. 
This gives you more insight into your organization’s network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "ArubaClearPass", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (ArubaClearPass)", - "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n| where DeviceVendor == \"Aruba Networks\" and DeviceProduct == \"ClearPass\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Events by Username", - "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_" - }, - { - "description": "Top 10 Error Codes", - "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "2. Forward Aruba ClearPass logs to a Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Aruba ClearPass data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Aruba ClearPass via AMA", - "publisher": "Aruba Networks", - "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. 
This gives you more insight into your organization’s network and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "ArubaClearPass", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Events by Username", - "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_" - }, - { - "description": "Top 10 Error Codes", - "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (ArubaClearPass)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true 
- } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Aruba ClearPass logs to a Syslog agent", - "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Aruba ClearPass", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Aruba Networks" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": 
"[Deprecated] Aruba ClearPass via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Aruba ClearPass", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Aruba Networks" - }, - "support": { - "tier": "Microsoft", - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "link": "https://support.microsoft.com/" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Aruba ClearPass via AMA", - "publisher": "Aruba Networks", - "descriptionMarkdown": "The [Aruba ClearPass](https://www.arubanetworks.com/products/security/network-access-control/secure-access/) connector allows you to easily connect your Aruba ClearPass with Microsoft Sentinel, to create custom dashboards, alerts, and 
improve investigation. This gives you more insight into your organization’s network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "ArubaClearPass", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (ArubaClearPass)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Aruba Networks'\n |where DeviceProduct =~ 'ClearPass'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Events by Username", - "query": "ArubaClearPass \n | summarize count() by UserName \n| top 10 by count_" - }, - { - "description": "Top 10 Error Codes", - "query": "ArubaClearPass \n | summarize count() by ErrorCode \n| top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": 
"read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ArubaClearPass and load the function code or click [here](https://aka.ms/sentinel-arubaclearpass-parser).The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Aruba ClearPass logs to a Syslog agent", - "description": "Configure Aruba ClearPass to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -749,7 +53,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ArubaClearPass Data Parser with template version 3.0.2", + "description": "ArubaClearPass Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -875,12 +179,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Aruba ClearPass", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Aruba ClearPass solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Aruba ClearPass solution allows you to easily connect your Aruba ClearPass with Microsoft Sentinel.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -903,16 +207,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/Aruba ClearPass/ReleaseNotes.md b/Solutions/Aruba ClearPass/ReleaseNotes.md index e4f3a9e93bb..5db4a4c9d07 100644 --- a/Solutions/Aruba ClearPass/ReleaseNotes.md +++ b/Solutions/Aruba ClearPass/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.3 | 13-11-2024 | Removed Deprecated **Data Connectors** | | 3.0.2 | 08-07-2024 | Deprecating **Data Connector** | -| 3.0.1 | 26-09-2023 | Parser link update | +| 3.0.1 | 26-09-2023 | Parser link update | | 3.0.0 | 21-09-2023 | Addition of new Aruba ClearPass AMA **Data Connector** | \ No newline at end of file diff --git a/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json b/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json index dcd9becf56e..b0a458f3586 100644 --- a/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json +++ b/Solutions/Azure Key Vault/Data/Solution_Azure Key Vault.json @@ -16,7 +16,7 @@ "Workbooks/AzureKeyVaultWorkbook.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Azure Key Vault", - "Version": "3.0.2", + "Version": "3.0.3", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "StaticDataConnectorIds": [ 
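Review bot: The new descriptionHtml in this hunk still tells installers that "the existing connectors are about to be deprecated by Aug 31, 2024" and that "the CEF solution will be installed as part of this solution installation", although this same version (3.0.3, dated 13-11-2024 in the release notes) removes those connectors from the package and, in the next hunk, drops their DataConnector entries from `dependencies.criteria`. Users reading the Content Hub page will see a deprecation warning for connectors that no longer exist, and the sentence about the CEF solution being installed is only true if a Solution-kind dependency on the Common Event Format solution is still declared — that part of `dependencies.criteria` is outside this hunk, so please confirm it before relying on the text. I would replace the stale NOTE with something like `NOTE: The legacy Aruba ClearPass data connectors were removed in 3.0.3; collect logs with the Common Event Format (CEF) via AMA connector from the Common Event Format solution.` and keep the Data Connectors count out of the summary as the hunk already does. The descriptionHtml value appears tag-stripped in this rendering, so the exact HTML to edit should be taken from the file itself.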
diff --git a/Solutions/Azure Key Vault/Package/3.0.3.zip b/Solutions/Azure Key Vault/Package/3.0.3.zip
new file mode 100644
index 00000000000..3d363788769
Binary files /dev/null and b/Solutions/Azure Key Vault/Package/3.0.3.zip differ
diff --git a/Solutions/Azure Key Vault/Package/createUiDefinition.json b/Solutions/Azure Key Vault/Package/createUiDefinition.json
index 1911cd6292c..611179ced7e 100644
--- a/Solutions/Azure Key Vault/Package/createUiDefinition.json
+++ b/Solutions/Azure Key Vault/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Key%20Vault/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Azure Key Vault](https://azure.microsoft.com/services/key-vault/) Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20Key%20Vault/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Azure Key Vault](https://azure.microsoft.com/services/key-vault/) Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -166,7 +166,7 @@
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment \nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise"
+ "text": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise"
 }
 }
 ]
@@ -180,7 +180,7 @@
 "name": "analytic3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052"
+ "text": "Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.\nAny sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052"
 }
 }
 ]
diff --git a/Solutions/Azure Key Vault/Package/mainTemplate.json b/Solutions/Azure Key Vault/Package/mainTemplate.json
index e2ee7101852..015ceca609d 100644
--- a/Solutions/Azure Key Vault/Package/mainTemplate.json
+++ b/Solutions/Azure Key Vault/Package/mainTemplate.json
@@ -41,7 +41,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Azure Key Vault",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.0.3",
 "solutionId": "azuresentinel.azure-sentinel-solution-azurekeyvault",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "AzureKeyVault",
@@ -61,18 +61,18 @@
 "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d6491be0-ab2d-439d-95d6-ad8ea39277c5','-', '1.0.4')))]"
 },
 "analyticRuleObject2": {
- "analyticRuleVersion2": "1.0.7",
+ "analyticRuleVersion2": "1.0.8",
 "_analyticRulecontentId2": "24f8c234-d1ff-40ec-8b73-96b17a3a9c1c",
 "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '24f8c234-d1ff-40ec-8b73-96b17a3a9c1c')]",
 "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('24f8c234-d1ff-40ec-8b73-96b17a3a9c1c')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','24f8c234-d1ff-40ec-8b73-96b17a3a9c1c','-', '1.0.7')))]"
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','24f8c234-d1ff-40ec-8b73-96b17a3a9c1c','-', '1.0.8')))]"
 },
 "analyticRuleObject3": {
- "analyticRuleVersion3": "1.0.5",
+ "analyticRuleVersion3": "1.0.6",
 "_analyticRulecontentId3": "0914adab-90b5-47a3-a79f-7cdcac843aa7",
 "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0914adab-90b5-47a3-a79f-7cdcac843aa7')]",
 "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0914adab-90b5-47a3-a79f-7cdcac843aa7')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0914adab-90b5-47a3-a79f-7cdcac843aa7','-', '1.0.5')))]"
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0914adab-90b5-47a3-a79f-7cdcac843aa7','-', '1.0.6')))]"
 },
 "analyticRuleObject4": {
 "analyticRuleVersion4": "1.0.2",
@@ -100,7 +100,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Azure Key Vault data connector with template version 3.0.2",
+ "description": "Azure Key Vault data connector with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -259,7 +259,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -269,7 +269,7 @@
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
 "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
- "apiVersion": "2022-04-01-preview",
+ "apiVersion": "2023-02-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
 "properties": {
@@ -303,16 +303,16 @@
 {
 "fieldMappings": [
 {
- "columnName": "AadUserId",
- "identifier": "AadUserId"
+ "identifier": "AadUserId",
+ "columnName": "AadUserId"
 },
 {
- "columnName": "Name",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "Name"
 },
 {
- "columnName": "UPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UPNSuffix"
 }
 ],
 "entityType": "Account"
@@ -320,8 +320,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "CallerIPMax",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "CallerIPMax"
 }
 ],
 "entityType": "IP"
@@ -380,7 +380,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "KeyvaultMassSecretRetrieval_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "KeyvaultMassSecretRetrieval_AnalyticalRules Analytics Rule with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -390,11 +390,11 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment \nand also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise", + "description": "Identifies mass secret retrieval from Azure Key Vault observed by a single user. \nMass secret retrival crossing a certain threshold is an indication of credential dump operations or mis-configured applications. \nYou can tweak the EventCountThreshold based on average count seen in your environment and also filter any known sources (IP/Account) and useragent combinations based on historical analysis to further reduce noise", "displayName": "Mass secret retrieval from Azure Key Vault", "enabled": false, "query": "let DistinctSecretsThreshold = 10;\nlet EventCountThreshold = 50;\n// To avoid any False Positives, filtering using AppId is recommended.\n// The AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\n// The AppId 8cae6e77-e04e-42ce-b5cb-50d82bce26b1 has been added as it correspond to Microsoft Policy Insights Provider Data Plane performing VaultGet operations for policies checks.\nlet AllowedAppId = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\",\"8cae6e77-e04e-42ce-b5cb-50d82bce26b1\"]);\nlet OperationList = dynamic([\"SecretGet\", 
\"KeyGet\", \"VaultGet\"]);\nAzureDiagnostics\n| where OperationName in (OperationList) and ResourceType =~ \"VAULTS\"\n| where not(identity_claim_appid_g in (AllowedAppId) and OperationName == 'VaultGet')\n| extend\n ResourceId,\n ResultType = column_ifexists(\"ResultType\", \"\"),\n identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"\"),\n identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s = column_ifexists(\"identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s\", \"\"),\n identity_claim_oid_g = column_ifexists(\"identity_claim_oid_g\", \"\"),\n identity_claim_upn_s = column_ifexists(\"identity_claim_upn_s\", \"\")\n| extend\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| as _Retrievals\n| where CallerObjectId in (toscalar(\n _Retrievals\n | where ResultType == \"Success\"\n | summarize Count = dcount(requestUri_s) by OperationName, CallerObjectId\n | where Count > DistinctSecretsThreshold\n | summarize make_set(CallerObjectId,10000)\n))\n| extend\n requestUri_s = column_ifexists(\"requestUri_s\", \"\"),\n id_s = column_ifexists(\"id_s\", \"\"),\n CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"\"),\n clientInfo_s = column_ifexists(\"clientInfo_s\", \"\")\n| summarize\n EventCount = count(),\n StartTime = min(TimeGenerated),\n EndTime = max(TimeGenerated),\n ResourceList = make_set(Resource, 50),\n OperationNameList = make_set(OperationName, 50),\n RequestURLList = make_set(requestUri_s, 50),\n ResourceId = max(ResourceId),\n CallerIPList = make_set(CallerIPAddress, 50),\n clientInfo_sList = make_set(clientInfo_s, 50),\n 
CallerIPMax = max(CallerIPAddress)\n by ResourceType, ResultType, identity_claim_appid_g, CallerObjectId, CallerObjectUPN\n | where EventCount > EventCountThreshold\n| project-reorder StartTime, EndTime, EventCount, ResourceId,ResourceType,identity_claim_appid_g, CallerObjectId, CallerObjectUPN, ResultType, ResourceList, OperationNameList, RequestURLList, CallerIPList, clientInfo_sList\n| extend timestamp = EndTime\n", @@ -424,8 +424,8 @@ { "fieldMappings": [ { - "columnName": "CallerObjectId", - "identifier": "Name" + "identifier": "Name", + "columnName": "CallerObjectId" } ], "entityType": "Account" @@ -433,8 +433,8 @@ { "fieldMappings": [ { - "columnName": "CallerIPMax", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIPMax" } ], "entityType": "IP" @@ -493,7 +493,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TimeSeriesKeyvaultAccessAnomaly_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TimeSeriesKeyvaultAccessAnomaly_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
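Review bot: The rewritten `description` for the KeyvaultMassSecretRetrieval rule still carries the misspelling "Mass secret retrival" on the new side, so the text change fixes the line wrapping but not the wording the analyst sees in the rule template. Since this is the packaged mainTemplate, the same string presumably originates in the rule's source definition and should be corrected there too, otherwise the next packaging run reintroduces it; I would change it to `Mass secret retrieval crossing a certain threshold is an indication of credential dump operations or mis-configured applications.`. The `query` value in this hunk is context only and is not changed by the commit.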
@@ -503,11 +503,11 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Indentifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm\nto find large deviations from baseline Azure Key Vault access patterns. Any sudden increase in the count of Azure Key Vault accesses can be an\nindication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052", + "description": "Identifies a sudden increase in count of Azure Key Vault secret or vault access operations by CallerIPAddress. The query leverages a built-in KQL anomaly detection algorithm to find large deviations from baseline Azure Key Vault access patterns.\nAny sudden increase in the count of Azure Key Vault accesses can be an indication of adversary dumping credentials via automated methods. If you are seeing any noise, try filtering known source(IP/Account) and user-agent combinations.\nTimeSeries Reference Blog: https://techcommunity.microsoft.com/t5/azure-sentinel/looking-for-unknown-anomalies-what-is-normal-time-series/ba-p/555052", "displayName": "Azure Key Vault access TimeSeries anomaly", "enabled": false, "query": "let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 25;\n// To avoid any False Positives, filtering using AppId is recommended. 
For example the AppId 509e4652-da8d-478d-a730-e9d4a1996ca4 has been added in the query as it corresponds\n// to Azure Resource Graph performing VaultGet operations for indexing and syncing all tracked resources across Azure.\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\nlet TimeSeriesData = AzureDiagnostics\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n | where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| extend ResultType = column_ifexists(\"ResultType\", \"None\"), CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| project TimeGenerated, OperationName, Resource, CallerIPAddress\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by CallerIPAddress;\n//Filter anomolies against TimeSeriesData\nlet TimeSeriesAlerts = TimeSeriesData\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold // Filtering low count events per baselinethreshold\n| project CallerIPAddress, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n// Filter the alerts since specified timeframe\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n// Join against base logs since specified timeframe 
to retrive records associated with the hour of anomoly\n| join kind = innerunique (\nAzureDiagnostics\n| where TimeGenerated > ago(2d)\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour\n| where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours\n| extend ResultType = column_ifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = column_ifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = column_ifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\"),identity_claim_oid_g = column_ifexists(\"identity_claim_oid_g\", \"\"),\n identity_claim_upn_s = column_ifexists(\"identity_claim_upn_s\", \"\")\n| extend\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| extend id_s = column_ifexists(\"id_s\", \"None\"), CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = column_ifexists(\"clientInfo_s\", \"None\")\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g, requestUri_s, clientInfo_s\n) on CallerIPAddress\n| extend\n CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n CallerObjectUPN = 
iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| summarize EventCount=count(), OperationNameList = make_set(OperationName,1000), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(CallerObjectId, 100), AccountMax = arg_max(CallerObjectId,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\n| extend timestamp = LatestAnomalyTime\n", @@ -537,8 +537,8 @@ { "fieldMappings": [ { - "columnName": "AccountMax", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountMax" } ], "entityType": "Account" @@ -546,8 +546,8 @@ { "fieldMappings": [ { - "columnName": "CallerIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIPAddress" } ], "entityType": "IP" @@ -606,7 +606,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "NRT_KeyVaultSensitiveOperations_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -616,7 +616,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "NRT", "location": "[parameters('workspace-location')]", "properties": { 
@@ -646,16 +646,16 @@ { "fieldMappings": [ { - "columnName": "AadUserId", - "identifier": "AadUserId" + "identifier": "AadUserId", + "columnName": "AadUserId" }, { - "columnName": "Name", - "identifier": "Name" + "identifier": "Name", + "columnName": "Name" }, { - "columnName": "UPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" } ], "entityType": "Account" @@ -663,8 +663,8 @@ { "fieldMappings": [ { - "columnName": "CallerIPMax", - "identifier": "Address" + "identifier": "Address", + "columnName": "CallerIPMax" } ], "entityType": "IP" @@ -723,7 +723,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AzureKeyVaultWorkbook Workbook with template version 3.0.2", + "description": "AzureKeyVaultWorkbook Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -815,12 +815,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Azure Key Vault", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Azure Key Vault Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Azure Key Vault Solution for Microsoft Sentinel enables you to stream Azure Key Vault diagnostics logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/Azure Key Vault/ReleaseNotes.md b/Solutions/Azure Key Vault/ReleaseNotes.md index 415bb430e2c..aa377b06a6f 100644 --- a/Solutions/Azure Key Vault/ReleaseNotes.md +++ b/Solutions/Azure Key Vault/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|--------------------------------------------------------------------------| +|-------------|--------------------------------|--------------------------------------------------------------------------| +| 3.0.3 | 25-10-2024 | Updated description of CreateUi and **Analytic Rule** | | 3.0.2 | 14-02-2024 | Updated Entity Mapping for KeyVaultSensitiveOperations and NRT_KeyVaultSensitiveOperations **Analytic Rules** to render the GUID information correctly| | 3.0.1 | 01-02-2024 | Updated ObjectGuid Identifier with Name (KeyvaultMassSecretRetrieval) **Analytic Rule** to render the GUID information correctly| | 3.0.0 | 03-01-2024 | Added field ResourceId in (KeyvaultMassSecretRetrieval) **Analytic Rule** for proper Entity Mapping| diff --git a/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json b/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json index 723b7d6fbe4..9b3b76b66a4 100644 --- a/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json +++ b/Solutions/Azure SQL Database solution for sentinel/Data/Solution_AzureSQLDatabasesolutionforsentinel.json @@ -33,7 +33,7 @@ ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Azure SQL Database solution for sentinel", - "Version": "2.0.2", + "Version": "3.0.0", "TemplateSpec": true, "StaticDataConnectorIds": [ "AzureSql" 
diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/3.0.0.zip b/Solutions/Azure SQL Database solution for sentinel/Package/3.0.0.zip new file mode 100644 index 00000000000..c1f27fdb92d Binary files /dev/null and b/Solutions/Azure SQL Database solution for sentinel/Package/3.0.0.zip differ diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json b/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json index 634c34dc2f3..9eb10a7f8cc 100644 --- a/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json +++ b/Solutions/Azure SQL Database solution for sentinel/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Azure SQL Database](https://azure.microsoft.com/products/azure-sql/) solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. \r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor Resource Diagnostics ](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Azure%20SQL%20Database%20solution%20for%20sentinel/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Azure SQL Database](https://azure.microsoft.com/products/azure-sql/) solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances. 
\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Azure Monitor Resource Diagnostics ](https://docs.microsoft.com/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector for ingesting Azure SQL Database audit and diagnostic logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Azure SQL Database solution for sentinel. You can get Azure SQL Database solution for sentinel custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { 
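Review bot: The new `dataconnectors1-text` value is a generic template sentence that describes the connector as providing "Azure SQL Database solution for sentinel custom log data", which is less accurate than the text it replaces and contradicts the `basics.description` in the @@ -6 hunk of this same file, where the connector is said to stream "Azure SQL database audit and diagnostic logs". The removed wording was the precise one: `"text": "This solution installs the data connector for ingesting Azure SQL Database audit and diagnostic logs into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."`. Because this file looks tool-generated, the specific description likely needs to be set in the data connector's source definition rather than edited in the package, so that regeneration keeps it.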
@@ -264,7 +264,7 @@ "name": "analytic9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. The detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies)." + "text": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database.\nThe detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies)." } } ] 
@@ -278,7 +278,7 @@ "name": "analytic10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies)." + "text": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies)." } } ] diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json b/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json index c26dec754fb..cc6b49ef992 100644 --- a/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json +++ b/Solutions/Azure SQL Database solution for sentinel/Package/mainTemplate.json 
@@ -38,144 +38,151 @@ } }, "variables": { - "solutionId": "sentinel4sql.sentinel4sql", - "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", + "_solutionName": "Azure SQL Database solution for sentinel", + "_solutionVersion": "3.0.0", + "solutionId": "sentinel4sql.sentinel4sql", + "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", "workbookContentId1": "AzureSQLSecurityWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "analyticRuleVersion1": "1.1.1", - "analyticRulecontentId1": "daa32afa-b5b6-427d-93e9-e32f3f359dd7", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "analyticRuleVersion2": "1.1.1", - "analyticRulecontentId2": "20f87813-3de0-4a9f-a8c0-6aaa3187be08", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", - "analyticRuleVersion3": "1.1.1", - "analyticRulecontentId3": "c815008d-f4d1-4645-b13b-8b4bc188d5de", - 
"_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", - "analyticRuleVersion4": "1.1.1", - "analyticRulecontentId4": "237c3855-138c-4588-a68f-b870abd3bfc9", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", - "analyticRuleVersion5": "1.1.1", - "analyticRulecontentId5": "3367fd5e-44b3-4746-a9a5-dc15c8202490", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", - "analyticRuleVersion6": "1.1.1", - "analyticRulecontentId6": "05030ca6-ef66-42ca-b672-2e84d4aaf5d7", - "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", - "analyticRuleVersion7": "1.1.1", - "analyticRulecontentId7": "dabd7284-004b-4237-b5ee-a22acab19eb2", - "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]", - "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]", - "analyticRuleTemplateSpecName7": 
"[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7')))]", - "analyticRuleVersion8": "1.1.1", - "analyticRulecontentId8": "c105513d-e398-4a02-bd91-54b9b2d6fa7d", - "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]", - "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]", - "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8')))]", - "analyticRuleVersion9": "1.1.1", - "analyticRulecontentId9": "2a632013-379d-4993-956f-615063d31e10", - "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]", - "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]", - "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9')))]", - "analyticRuleVersion10": "1.1.1", - "analyticRulecontentId10": "9851c360-5fd5-4bae-a117-b66d8476bf5e", - "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]", - "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]", - "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10')))]", - "huntingQueryVersion1": "1.0.1", - "huntingQuerycontentId1": "724c7010-0afe-4d46-95ab-32f6737e658b", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1')))]", - "huntingQueryVersion2": "1.0.1", - "huntingQuerycontentId2": "4cda0673-37f9-4765-af1f-556de2295cd7", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": 
"[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2')))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": "af55d5b0-6b4a-4874-8299-9d845bf7c1fd", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3')))]", - "huntingQueryVersion4": "1.0.1", - "huntingQuerycontentId4": "2a21303e-be48-404f-a6f6-883a6acfe5ad", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4')))]", - "huntingQueryVersion5": "1.0.1", - "huntingQuerycontentId5": "db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5')))]", - "huntingQueryVersion6": "1.0.1", - "huntingQuerycontentId6": "e0944dec-3c92-4b2d-8e81-a950afeaba69", - "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", - "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6')))]", - "huntingQueryVersion7": "1.0.1", - "huntingQuerycontentId7": 
"9670ac84-e035-47f5-8eb5-9d863a8a7893", - "_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]", - "huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]", - "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7')))]", - "huntingQueryVersion8": "1.0.1", - "huntingQuerycontentId8": "137tyi7c-7225-434b-8bfc-fea28v95ebd8", - "_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]", - "huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]", - "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8')))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.1.1", + "_analyticRulecontentId1": "daa32afa-b5b6-427d-93e9-e32f3f359dd7", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'daa32afa-b5b6-427d-93e9-e32f3f359dd7')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('daa32afa-b5b6-427d-93e9-e32f3f359dd7')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','daa32afa-b5b6-427d-93e9-e32f3f359dd7','-', '1.1.1')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.1.1", + "_analyticRulecontentId2": "20f87813-3de0-4a9f-a8c0-6aaa3187be08", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '20f87813-3de0-4a9f-a8c0-6aaa3187be08')]", + "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('20f87813-3de0-4a9f-a8c0-6aaa3187be08')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','20f87813-3de0-4a9f-a8c0-6aaa3187be08','-', '1.1.1')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.1.1", + "_analyticRulecontentId3": "c815008d-f4d1-4645-b13b-8b4bc188d5de", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c815008d-f4d1-4645-b13b-8b4bc188d5de')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c815008d-f4d1-4645-b13b-8b4bc188d5de')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c815008d-f4d1-4645-b13b-8b4bc188d5de','-', '1.1.1')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.1.1", + "_analyticRulecontentId4": "237c3855-138c-4588-a68f-b870abd3bfc9", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '237c3855-138c-4588-a68f-b870abd3bfc9')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('237c3855-138c-4588-a68f-b870abd3bfc9')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','237c3855-138c-4588-a68f-b870abd3bfc9','-', '1.1.1')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.1.1", + "_analyticRulecontentId5": "3367fd5e-44b3-4746-a9a5-dc15c8202490", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3367fd5e-44b3-4746-a9a5-dc15c8202490')]", + 
"analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3367fd5e-44b3-4746-a9a5-dc15c8202490')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3367fd5e-44b3-4746-a9a5-dc15c8202490','-', '1.1.1')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.1.1", + "_analyticRulecontentId6": "05030ca6-ef66-42ca-b672-2e84d4aaf5d7", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '05030ca6-ef66-42ca-b672-2e84d4aaf5d7')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('05030ca6-ef66-42ca-b672-2e84d4aaf5d7')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','05030ca6-ef66-42ca-b672-2e84d4aaf5d7','-', '1.1.1')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.1.1", + "_analyticRulecontentId7": "dabd7284-004b-4237-b5ee-a22acab19eb2", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dabd7284-004b-4237-b5ee-a22acab19eb2')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dabd7284-004b-4237-b5ee-a22acab19eb2')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dabd7284-004b-4237-b5ee-a22acab19eb2','-', '1.1.1')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.1.1", + "_analyticRulecontentId8": "c105513d-e398-4a02-bd91-54b9b2d6fa7d", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'c105513d-e398-4a02-bd91-54b9b2d6fa7d')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c105513d-e398-4a02-bd91-54b9b2d6fa7d')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c105513d-e398-4a02-bd91-54b9b2d6fa7d','-', '1.1.1')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.1.2", + "_analyticRulecontentId9": "2a632013-379d-4993-956f-615063d31e10", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2a632013-379d-4993-956f-615063d31e10')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2a632013-379d-4993-956f-615063d31e10')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2a632013-379d-4993-956f-615063d31e10','-', '1.1.2')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.1.2", + "_analyticRulecontentId10": "9851c360-5fd5-4bae-a117-b66d8476bf5e", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9851c360-5fd5-4bae-a117-b66d8476bf5e')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9851c360-5fd5-4bae-a117-b66d8476bf5e')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9851c360-5fd5-4bae-a117-b66d8476bf5e','-', '1.1.2')))]" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.1", + "_huntingQuerycontentId1": "724c7010-0afe-4d46-95ab-32f6737e658b", + "huntingQueryTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('724c7010-0afe-4d46-95ab-32f6737e658b')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.1", + "_huntingQuerycontentId2": "4cda0673-37f9-4765-af1f-556de2295cd7", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4cda0673-37f9-4765-af1f-556de2295cd7')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "af55d5b0-6b4a-4874-8299-9d845bf7c1fd", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('af55d5b0-6b4a-4874-8299-9d845bf7c1fd')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.1", + "_huntingQuerycontentId4": "2a21303e-be48-404f-a6f6-883a6acfe5ad", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2a21303e-be48-404f-a6f6-883a6acfe5ad')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.1", + "_huntingQuerycontentId5": "db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('db5b0a77-1b1d-4a31-8ebb-c508ebc3bb38')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.1", + "_huntingQuerycontentId6": "e0944dec-3c92-4b2d-8e81-a950afeaba69", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('e0944dec-3c92-4b2d-8e81-a950afeaba69')))]" + }, + "huntingQueryObject7": { + "huntingQueryVersion7": "1.0.1", + "_huntingQuerycontentId7": "9670ac84-e035-47f5-8eb5-9d863a8a7893", + "huntingQueryTemplateSpecName7": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('9670ac84-e035-47f5-8eb5-9d863a8a7893')))]" + }, + "huntingQueryObject8": { + "huntingQueryVersion8": "1.0.1", + "_huntingQuerycontentId8": "137tyi7c-7225-434b-8bfc-fea28v95ebd8", + "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('137tyi7c-7225-434b-8bfc-fea28v95ebd8')))]" + }, "uiConfigId1": "AzureSql", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "AzureSql", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0" + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": 
"2023-04-01-preview", "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Workbook with template", - "displayName": "Azure SQL Database solution for sentinel workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Workbook-AzureSQLSecurityWorkbook Workbook with template version 2.0.2", + "description": "Workbook-AzureSQLSecurity Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
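Review bot: `huntingQueryObject8` carries `_huntingQuerycontentId8` = `137tyi7c-7225-434b-8bfc-fea28v95ebd8`, which is not a GUID (`t`, `y`, `i` and `v` are not hex digits), and the restructure now hard-codes that value a second time inside `huntingQueryTemplateSpecName8`'s `uniquestring(...)`. The value predates this commit, but the new layout repeats every content id as a literal inside the `resourceId`/`uniquestring` calls instead of referencing the sibling `_…contentId` key, so a later correction has to be applied in several places per object. If `mainTemplate.json` is produced by the packaging tool, the fix belongs in the hunting query's source YAML id rather than here. `workspaceResourceId` is kept in `variables` even though the `hidden-sentinelWorkspaceId` tags that consumed it are removed in this and the later hunks; if nothing else in the template references it, it is now dead.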
@@ -248,47 +255,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 1 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": 
"Detection-ErrorsCredentialStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-ErrorsCredentialStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId1')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -306,10 +306,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -320,7 +320,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -330,43 +329,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } 
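Review bot: Each new `contentTemplates` resource's `dependsOn` points at `extensionResourceId(..., 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))`, which only resolves if a `contentPackages` resource with that name is declared in this same template; it is not within the visible hunks, so confirm it exists, since the same dependency is used by the workbook resource in the preceding hunk and by the hunks ending at L3925 and L3928. The `description` strings (`"... Analytics Rule with template version 3.0.0"`) carry the solution version as a literal while `packageVersion` reads `variables('_solutionVersion')`, so the two can drift on the next bump; if the generator allows it, `"[concat('Detection-ErrorsCredentialStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version ', variables('_solutionVersion'))]"` keeps them in step (`contentSchemaVersion` is a separate schema version and should stay a literal). The `AlertRuleTemplates` `apiVersion` moves to `2023-02-01-preview` while the `metadata` resources in the following hunks stay at `2022-01-01-preview`; presumably intentional, but worth a check.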
@@ -374,13 +374,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -399,47 +399,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 2 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Credential errors stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-ErrorsFirewallStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-ErrorsFirewallStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -457,10 +450,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -471,7 +464,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -481,43 +473,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -525,13 +518,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -550,47 +543,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 3 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Firewall errors stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-ErrorsSyntaxStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-ErrorsSyntaxStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -608,10 +594,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -622,7 +608,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -632,43 +617,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -676,13 +662,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -701,47 +687,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 4 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Syntax errors stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsDropStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsDropStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion4')]", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -759,10 +738,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -773,7 +752,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -783,43 +761,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -827,13 +806,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 4", - "parentId": "[variables('analyticRuleId4')]", - "contentId": "[variables('_analyticRulecontentId4')]", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion4')]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -852,47 +831,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 5 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Drop attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsExecutionStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsExecutionStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion5')]", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -910,10 +882,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -924,7 +896,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -934,43 +905,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -978,13 +950,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 5", - "parentId": "[variables('analyticRuleId5')]", - "contentId": "[variables('_analyticRulecontentId5')]", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion5')]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1003,47 +975,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 6 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Execution attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsFirewallRuleStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsFirewallRuleStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion6')]", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1061,10 +1026,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1075,7 +1040,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1085,43 +1049,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1129,13 +1094,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 6", - "parentId": "[variables('analyticRuleId6')]", - "contentId": "[variables('_analyticRulecontentId6')]", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion6')]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1154,47 +1119,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 7 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Firewall rule manipulation attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName7'),'/',variables('analyticRuleVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsOLEObjectStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsOLEObjectStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion7')]", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId7')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1212,10 +1170,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1226,7 +1184,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1236,43 +1193,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1280,13 +1238,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 7", - "parentId": "[variables('analyticRuleId7')]", - "contentId": "[variables('_analyticRulecontentId7')]", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion7')]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1305,47 +1263,40 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 8 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "OLE object manipulation attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName8'),'/',variables('analyticRuleVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-HotwordsOutgoingStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-HotwordsOutgoingStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion8')]", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId8')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1363,10 +1314,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1377,7 +1328,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1387,43 +1337,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1431,13 +1382,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 8", - "parentId": "[variables('analyticRuleId8')]", - "contentId": "[variables('_analyticRulecontentId8')]", + "parentId": "[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion8')]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1456,51 +1407,44 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName9')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 9 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "Outgoing connection attempts stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName9'),'/',variables('analyticRuleVersion9'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName9'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-VolumeAffectedRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-VolumeAffectedRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion9')]", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId9')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database. The detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies).", + "description": "Goal: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows, which is significantly higher than normal for this database.\nThe detection is calculated inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). 
The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher threshold will detect only more severe anomalies).", "displayName": "Affected rows stateful anomaly on database", "enabled": false, "query": "let volumeThresholdZ = 3.0; // Minimal threshold for the Zscore to trigger anomaly (number of standard deviations above mean). If set higher, only very significant alerts will fire.\nlet volumeThresholdQ = volumeThresholdZ; // Minimal threshold for the Qscore to trigger anomaly (number of Inter-Percentile Ranges above high percentile). If set higher, only very significant alerts will fire.\nlet volumeThresholdHardcoded = 500; // Minimal value for the volume metric to trigger anomaly.\nlet detectionWindow = 1h; // The size of the recent detection window for detecting anomalies. \nlet trainingWindow = detectionWindow + 14d; // The size of the training window before the detection window for learning the normal state.\nlet monitoredColumn = 'AffectedRows'; // The name of the column for volumetric anomalies.\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated >= ago(trainingWindow)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s\n | extend QuantityColumn = column_ifexists(monitoredColumn, 0)\n | extend WindowType = case( TimeGenerated >= ago(detectionWindow), 'detection',\n (ago(trainingWindow) <= TimeGenerated and TimeGenerated < ago(detectionWindow)), 'training', 'other')\n | where WindowType in ('detection', 'training'));\nlet 
trainingSet =\n processedData\n | where WindowType == 'training'\n | summarize AvgVal = round(avg(QuantityColumn), 2), StdVal = round(stdev(QuantityColumn), 2), N = count(),\n P99Val = round(percentile(QuantityColumn, 99), 2), P50Val = round(percentile(QuantityColumn, 50), 2)\n by Database;\nprocessedData\n| where WindowType == 'detection'\n| join kind = inner (trainingSet) on Database\n| extend ZScoreVal = iff(N >= 20, round(todouble(QuantityColumn - AvgVal) / todouble(StdVal + 1), 2), 0.00),\n QScoreVal = iff(N >= 20, round(todouble(QuantityColumn - P99Val) / todouble(P99Val - P50Val + 1), 2), 0.00)\n| extend IsVolumeAnomalyOnVal = iff((ZScoreVal > volumeThresholdZ and QScoreVal > volumeThresholdQ and QuantityColumn > volumeThresholdHardcoded), true, false), AnomalyScore = round((ZScoreVal + QScoreVal)/2, 0)\n| project TimeGenerated, Database, PrincipalName, ClientIp, HostName, ApplicationName, ActionName, Statement,\n IsSuccess, ResponseRows, AffectedRows, IsVolumeAnomalyOnVal, AnomalyScore,ResourceId\n| where IsVolumeAnomalyOnVal == 'true'\n| sort by AnomalyScore desc, TimeGenerated desc\n| extend Name = tostring(split(PrincipalName,'@',0)[0]), UPNSuffix = tostring(split(PrincipalName,'@',1)[0])\n", @@ -1514,10 +1458,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1530,7 +1474,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1540,43 +1483,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1584,13 +1528,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 9", - "parentId": "[variables('analyticRuleId9')]", - "contentId": "[variables('_analyticRulecontentId9')]", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion9')]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1609,51 +1553,44 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('analyticRuleTemplateSpecName10')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Analytics Rule 10 with template", - "displayName": "Azure SQL Database solution for sentinel AR template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Affected rows stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('analyticRuleTemplateSpecName10'),'/',variables('analyticRuleVersion10'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName10'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detection-VolumeResponseRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 2.0.2", + "description": "Detection-VolumeResponseRowsStatefulAnomalyOnDatabase_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion10')]", + "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId10')]", - "apiVersion": "2022-04-01-preview", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window \n (defined by 'trainingWindow' parameter). The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).", + "description": "Goal: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows, which is significantly higher than normal for this database.\n The calculation is made inside recent time window (defined by 'detectionWindow' parameter), and the anomaly is calculated based on previous training window (defined by 'trainingWindow' parameter). 
The user can set the minimal threshold for anomaly by changing the threshold parameters volThresholdZ and volThresholdQ (higher thresholds will detect only more severe anomalies).", "displayName": "Response rows stateful anomaly on database", "enabled": false, "query": "let volumeThresholdZ = 3.0; // Minimal threshold for the Zscore to trigger anomaly (number of standard deviations above mean). If set higher, only very significant alerts will fire.\nlet volumeThresholdQ = volumeThresholdZ; // Minimal threshold for the Qscore to trigger anomaly (number of Inter-Percentile Ranges above high percentile). If set higher, only very significant alerts will fire.\nlet volumeThresholdHardcoded = 500; // Minimal value for the volume metric to trigger anomaly.\nlet detectionWindow = 1h; // The size of the recent detection window for detecting anomalies. \nlet trainingWindow = detectionWindow + 14d; // The size of the training window before the detection window for learning the normal state.\nlet monitoredColumn = 'ResponseRows'; // The name of the column for volumetric anomalies.\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated >= ago(trainingWindow)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s\n | extend QuantityColumn = column_ifexists(monitoredColumn, 0)\n | extend WindowType = case( TimeGenerated >= ago(detectionWindow), 'detection',\n (ago(trainingWindow) <= TimeGenerated and TimeGenerated < ago(detectionWindow)), 'training', 'other')\n | where WindowType in ('detection', 'training'));\nlet 
trainingSet =\n processedData\n | where WindowType == 'training'\n | summarize AvgVal = round(avg(QuantityColumn), 2), StdVal = round(stdev(QuantityColumn), 2), N = count(),\n P99Val = round(percentile(QuantityColumn, 99), 2), P50Val = round(percentile(QuantityColumn, 50), 2)\n by Database;\nprocessedData\n| where WindowType == 'detection'\n| join kind = inner (trainingSet) on Database\n| extend ZScoreVal = iff(N >= 20, round(todouble(QuantityColumn - AvgVal) / todouble(StdVal + 1), 2), 0.00),\n QScoreVal = iff(N >= 20, round(todouble(QuantityColumn - P99Val) / todouble(P99Val - P50Val + 1), 2), 0.00)\n| extend IsVolumeAnomalyOnVal = iff((ZScoreVal > volumeThresholdZ and QScoreVal > volumeThresholdQ and QuantityColumn > volumeThresholdHardcoded), true, false), AnomalyScore = round((ZScoreVal + QScoreVal)/2, 0)\n| project TimeGenerated, Database, PrincipalName, ClientIp, HostName, ApplicationName, ActionName, Statement,\n IsSuccess, ResponseRows, AffectedRows, IsVolumeAnomalyOnVal, AnomalyScore, ResourceId\n| where IsVolumeAnomalyOnVal == 'true'\n| sort by AnomalyScore desc, TimeGenerated desc\n| extend Name = tostring(split(PrincipalName,'@',0)[0]), UPNSuffix = tostring(split(PrincipalName,'@',1)[0])\n", @@ -1667,10 +1604,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "AzureSql", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureSql" } ], "tactics": [ @@ -1682,7 +1619,6 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", 
@@ -1692,43 +1628,44 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "ClientIp" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", "columnName": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "Name", "columnName": "ApplicationName" } - ] + ], + "entityType": "CloudApplication" }, { - "entityType": "AzureResource", "fieldMappings": [ { "identifier": "ResourceId", "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -1736,13 +1673,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Analytics Rule 10", - "parentId": "[variables('analyticRuleId10')]", - "contentId": "[variables('_analyticRulecontentId10')]", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion10')]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1761,46 +1698,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 1 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "Response rows stateful anomaly on database", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName1'),'/',variables('huntingQueryVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-AffectedRowAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-AffectedRowAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion1')]", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_1", "location": "[parameters('workspace-location')]", "properties": { 
@@ -1828,13 +1758,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 1", - "parentId": "[variables('huntingQueryId1')]", - "contentId": "[variables('_huntingQuerycontentId1')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion1')]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1853,53 +1783,46 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 2 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "Anomalous Query Execution Time", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName2'),'/',variables('huntingQueryVersion2'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-BooleanBlindSQLi_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-BooleanBlindSQLi_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion2')]", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_2", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "Boolean Blind SQL Injection", "category": "Hunting Queries", - "query": "let timeRange = 7d;\n//How frequently the query averages data for an average execution time\nlet timeSliceSize = 1h;\n//Anomaly decompose threshold, 2 by default\nlet scoreThreshold = 2;\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated > ago(timeRange)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, DurationMs = duration_milliseconds_d, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s,\n Error = case( 
additional_information_s has 'error_code', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err ([0-9.]+)\", 1, additional_information_s))\n , 0),\n State = case( additional_information_s has 'error_state', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err ([0-9.]+), Level ([0-9.]+)\", 2, additional_information_s))\n , 0),\n AdditionalInfo = additional_information_s, timeSlice = floor(TimeGenerated, timeSliceSize));\nlet queryData = processedData\n| where Statement contains \"=\"\n| extend extract_equals = extract_all(@\"([a-zA-Z0-9\\-\\']+\\s?=\\s?[a-zA-Z0-9\\-\\']+)\", Statement)\n| where extract_equals != \"\"\n| mv-expand extract_equals\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\nlet cleanData = queryData\n| where left !has \"'\" and right !has \"'\";\n//Data has a quote in both sides, we need to parse this properly\n//We only care when the query is balanced e.g. 
'1'='1', so both sides will have a quote\n//This allows us to drop some results early\nlet quoteData = queryData\n| where left has \"'\" and right has \"'\"\n| extend extract_equals = extract_all(@\"(\\'.+\\'\\s?=\\s?\\'.+\\')\", Statement)\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\ncleanData\n| union quoteData\n| where left == right\n| extend alertText = strcat(left, \"=\", right)\n| summarize AlertText=make_list(alertText, 10000) by TimeGenerated, Database, ClientIp, PrincipalName, Statement, ApplicationName, ResourceId\n| extend Name = tostring(split(PrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(PrincipalName, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = ClientIp\n| extend Host_0_Hostname = HostName\n| extend CloudApplication_0_Name = ApplicationName\n| extend AzureResource_0_ResourceId = ResourceId\n", + "query": "let timeRange = 7d;\n//How frequently the query averages data for an average execution time\nlet timeSliceSize = 1h;\n//Anomaly decompose threshold, 2 by default\nlet scoreThreshold = 2;\nlet processedData = materialize (\n AzureDiagnostics\n | where TimeGenerated > ago(timeRange)\n | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any (\"RCM\", \"BCM\") // Keep only SQL affected rows\n | project TimeGenerated, PrincipalName = server_principal_name_s, ClientIp = client_ip_s, HostName = host_name_s, ResourceId,\n ApplicationName = application_name_s, ActionName = action_name_s, Database = strcat(LogicalServerName_s, '/', database_name_s),\n IsSuccess = succeeded_s, DurationMs = duration_milliseconds_d, AffectedRows = affected_rows_d,\n ResponseRows = response_rows_d, Statement = statement_s,\n Error = case( additional_information_s has 'error_code', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err 
([0-9.]+)\", 1, additional_information_s))\n , 0),\n State = case( additional_information_s has 'error_state', toint(extract(\"([0-9.]+)\", 1, additional_information_s))\n , additional_information_s has 'failure_reason', toint(extract(\"Err ([0-9.]+), Level ([0-9.]+)\", 2, additional_information_s))\n , 0),\n AdditionalInfo = additional_information_s, timeSlice = floor(TimeGenerated, timeSliceSize));\nlet queryData = processedData\n| where Statement contains \"=\"\n| extend extract_equals = extract_all(@\"([a-zA-Z0-9\\-\\']+\\s?=\\s?[a-zA-Z0-9\\-\\']+)\", Statement)\n| where extract_equals != \"\"\n| mv-expand extract_equals\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\nlet cleanData = queryData\n| where left !has \"'\" and right !has \"'\";\n//Data has a quote in both sides, we need to parse this properly\n//We only care when the query is balanced e.g. '1'='1', so both sides will have a quote\n//This allows us to drop some results early\nlet quoteData = queryData\n| where left has \"'\" and right has \"'\"\n| extend extract_equals = extract_all(@\"(\\'.+\\'\\s?=\\s?\\'.+\\')\", Statement)\n| extend left = tostring(split(extract_equals, \"=\", 0)[0])\n| extend right = tostring(split(extract_equals, \"=\", 1)[0]);\ncleanData\n| union quoteData\n| where left == right\n| extend alertText = strcat(left, \"=\", right)\n| summarize AlertText=make_list(alertText, 10000) by TimeGenerated, Database, ClientIp, PrincipalName, Statement, ApplicationName, ResourceId, HostName\n| extend Name = tostring(split(PrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(PrincipalName, '@', 1)[0])\n| extend Account_0_Name = Name\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend IP_0_Address = ClientIp\n| extend Host_0_Hostname = HostName\n| extend CloudApplication_0_Name = ApplicationName\n| extend AzureResource_0_ResourceId = ResourceId\n", "version": 2, "tags": [ { 
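Review bot: The contentTemplate properties closed at the top of this hunk belong to hunting query 1, whose description in the preceding hunk is `HuntingQuery-AffectedRowAnomaly_HuntingQueries`, yet its `"displayName": "Anomalous Query Execution Time"` reads like the title of hunting query 3 (`HuntingQuery-ExecutionTimeAnomaly_HuntingQueries`); the savedSearch displayName for query 1 is outside the hunk, so verify the `name:` in the AffectedRowAnomaly hunting-query YAML, since this field is what the content hub shows. In the same block `contentProductId`, `id` and `version` hard-code `'1.0.1'` while `contentVersion` and the metadata `version` read `variables('huntingQueryObject1').huntingQueryVersion1`, so a later bump of the variable would silently diverge from the product-id seed; the same pattern recurs for `huntingQueryObject2` in hunk `@@ -1945,46 +1868,39 @@`. Adding `HostName` to the `summarize ... by` list is what lets the later `Host_0_Hostname = HostName` resolve, so that part of the query change is correct as written.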
@@ -1920,13 +1843,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 2", - "parentId": "[variables('huntingQueryId2')]", - "contentId": "[variables('_huntingQuerycontentId2')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion2')]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -1945,46 +1868,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 3 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "Boolean Blind SQL Injection", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName3'),'/',variables('huntingQueryVersion3'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-ExecutionTimeAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-ExecutionTimeAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion3')]", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_3", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2012,13 +1928,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 3", - "parentId": "[variables('huntingQueryId3')]", - "contentId": "[variables('_huntingQuerycontentId3')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion3')]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2037,46 +1953,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 4 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "Anomalous Query Execution Time", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName4'),'/',variables('huntingQueryVersion4'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-PrevalenceBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-PrevalenceBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion4')]", + "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_4", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2104,13 +2013,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 4", - "parentId": "[variables('huntingQueryId4')]", - "contentId": "[variables('_huntingQuerycontentId4')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion4')]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2129,46 +2038,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 5 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "contentKind": "HuntingQuery", + "displayName": "Prevalence Based SQL Query Size Anomaly", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName5'),'/',variables('huntingQueryVersion5'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-SuspiciousStoredProcedures_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-SuspiciousStoredProcedures_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion5')]", + "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_5", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2196,13 +2098,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 5", - "parentId": "[variables('huntingQueryId5')]", - "contentId": "[variables('_huntingQuerycontentId5')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion5')]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2221,46 +2123,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 6 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "contentKind": "HuntingQuery", + "displayName": "Suspicious SQL Stored Procedures", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName6'),'/',variables('huntingQueryVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-TimeBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-TimeBasedQuerySizeAnomaly_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion6')]", + "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_6", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2288,13 +2183,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2313,46 +2208,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 7 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "contentKind": "HuntingQuery", + "displayName": "Time Based SQL Query Size Anomaly", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName7'),'/',variables('huntingQueryVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject7').huntingQueryTemplateSpecName7]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, "dependsOn": [ - 
"[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-VolumeAffectedRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-VolumeAffectedRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion7')]", + "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_7", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2380,13 +2268,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 7", - "parentId": "[variables('huntingQueryId7')]", - "contentId": "[variables('_huntingQuerycontentId7')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject7')._huntingQuerycontentId7)]", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion7')]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2405,46 +2293,39 @@ } } ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('huntingQueryTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel Hunting Query 8 with template", - "displayName": "Azure SQL Database solution for sentinel Hunting Query template" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "contentKind": "HuntingQuery", + "displayName": "Affected rows stateful anomaly on database - hunting query", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject7')._huntingQuerycontentId7,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('huntingQueryTemplateSpecName8'),'/',variables('huntingQueryVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject8').huntingQueryTemplateSpecName8]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "HuntingQuery" - }, 
"dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('huntingQueryTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HuntingQuery-VolumeResponseRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 2.0.2", + "description": "HuntingQuery-VolumeResponseRowsStatefulAnomalyOnDatabase_HuntingQueries Hunting Query with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('huntingQueryVersion8')]", + "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.OperationalInsights/savedSearches", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "name": "Azure_SQL_Database_solution_for_sentinel_Hunting_Query_8", "location": "[parameters('workspace-location')]", "properties": { 
@@ -2472,13 +2353,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8),'/'))))]", "properties": { "description": "Azure SQL Database solution for sentinel Hunting Query 8", - "parentId": "[variables('huntingQueryId8')]", - "contentId": "[variables('_huntingQuerycontentId8')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject8')._huntingQuerycontentId8)]", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion8')]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]", "source": { "kind": "Solution", "name": "Azure SQL Database solution for sentinel", 
@@ -2497,37 +2378,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "contentKind": "HuntingQuery", + "displayName": "Response rows stateful anomaly on database - hunting query", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.1')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject8')._huntingQuerycontentId8,'-', '1.0.1')))]", + "version": "1.0.1" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "Azure SQL Database solution for sentinel data connector with template", - "displayName": "Azure SQL Database solution for sentinel template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Azure SQL Database solution for sentinel data connector with template version 2.0.2", + "description": "Azure SQL Database solution for sentinel data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -2692,7 +2566,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", 
@@ -2717,12 +2591,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Azure SQL Databases", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" @@ -2907,13 +2792,20 @@ } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.2", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "Azure SQL Database solution for sentinel", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Azure SQL Database solution for Microsoft Sentinel enables you to stream Azure SQL database audit and diagnostic logs into Microsoft Sentinel, allowing you to continuously monitor activity in all your instances.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor Resource Diagnostics
  2. \n
\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 8

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { 
@@ -2941,93 +2833,93 @@ }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId7')]", - "version": "[variables('analyticRuleVersion7')]" + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": 
"[variables('analyticRuleObject7').analyticRuleVersion7]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId8')]", - "version": "[variables('analyticRuleVersion8')]" + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId9')]", - "version": "[variables('analyticRuleVersion9')]" + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId10')]", - "version": "[variables('analyticRuleVersion10')]" + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + 
"version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId7')]", - "version": "[variables('huntingQueryVersion7')]" + "contentId": "[variables('huntingQueryObject7')._huntingQuerycontentId7]", + "version": "[variables('huntingQueryObject7').huntingQueryVersion7]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId8')]", - "version": "[variables('huntingQueryVersion8')]" + "contentId": "[variables('huntingQueryObject8')._huntingQuerycontentId8]", + "version": "[variables('huntingQueryObject8').huntingQueryVersion8]" }, { "kind": "DataConnector", diff --git a/Solutions/Azure SQL Database solution for sentinel/Package/testParameters.json b/Solutions/Azure SQL Database solution for sentinel/Package/testParameters.json new file mode 100644 index 00000000000..f4f45342aa2 --- /dev/null +++ b/Solutions/Azure SQL Database solution for sentinel/Package/testParameters.json 
@@ -0,0 +1,32 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Azure SQL Database Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } +} diff --git a/Solutions/Azure SQL Database solution for sentinel/ReleaseNotes.md b/Solutions/Azure SQL Database solution for sentinel/ReleaseNotes.md new file mode 100644 index 00000000000..44c537020ef --- /dev/null +++ b/Solutions/Azure SQL Database solution for sentinel/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------------| +| 3.0.0 | 25-10-2024 | Updated description of CreateUi and **Analytic Rule** | \ No newline at end of file diff --git a/Solutions/BitSight/Data Connectors/BitSightDataConnector/AlertsGraphStatisticsDetails/bitsight_statistics.py b/Solutions/BitSight/Data Connectors/BitSightDataConnector/AlertsGraphStatisticsDetails/bitsight_statistics.py index 1da5bc69269..d92c0914b64 100644 --- a/Solutions/BitSight/Data Connectors/BitSightDataConnector/AlertsGraphStatisticsDetails/bitsight_statistics.py +++ b/Solutions/BitSight/Data Connectors/BitSightDataConnector/AlertsGraphStatisticsDetails/bitsight_statistics.py 
@@ -354,6 +354,7 @@ def get_alerts_details(self, company_name, company_guid): next_link = response.get("links").get("next") alerts_data = [] c_data = {} + query_parameter["offset"] = 0 while next_link: query_parameter["offset"] += query_parameter.get("limit") c_data["next1"] = self.get_bitsight_data(url, query_parameter) diff --git a/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight.zip b/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight.zip index 90f55d30dbc..e471b0a9431 100644 Binary files a/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight.zip and b/Solutions/BitSight/Data Connectors/BitSightDataConnector/BitSight.zip differ diff --git a/Solutions/BitSight/Data Connectors/BitSightDataConnector/SharedCode/bitsight_client.py b/Solutions/BitSight/Data Connectors/BitSightDataConnector/SharedCode/bitsight_client.py index baa87858f4f..5ed1f7b9f70 100644 --- a/Solutions/BitSight/Data Connectors/BitSightDataConnector/SharedCode/bitsight_client.py +++ b/Solutions/BitSight/Data Connectors/BitSightDataConnector/SharedCode/bitsight_client.py @@ -72,8 +72,8 @@ def generate_auth_token(self): user_and_pass = base64.b64encode(api.encode()).decode("ascii") headers = { "Accept": "application/json", - "X-BITSIGHT-CONNECTOR-NAME-VERSION": "BitSight Security Performance Management for Microsoft Sentinel Data Connector 1.0.0", "X-BITSIGHT-CALLING-PLATFORM-VERSION": "Microsoft-Sentinel", + "X-BITSIGHT-CONNECTOR-NAME-VERSION": "3.0.2" } headers["Authorization"] = "Basic %s" % user_and_pass self.headers = headers diff --git a/Solutions/BitSight/Data Connectors/BitSightDataConnector/azuredeploy_BitSight_API_FunctionApp.json b/Solutions/BitSight/Data Connectors/BitSightDataConnector/azuredeploy_BitSight_API_FunctionApp.json index 87b83635bc0..8c33eec6a01 100644 --- a/Solutions/BitSight/Data Connectors/BitSightDataConnector/azuredeploy_BitSight_API_FunctionApp.json 
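Review bot: The added `query_parameter["offset"] = 0` supplies the key the `+=` needed, but the loop still does `+= query_parameter.get("limit")`, which raises TypeError rather than a clear error if `limit` is missing from `query_parameter`; hoisting `page_size = query_parameter["limit"]` above the `while` and using it in the increment fails early with a KeyError instead of halfway through a company's alerts. Resetting to 0 is only correct if the first request, made outside the hunk, also used offset 0; if `query_parameter` is reused across companies that is presumably the bug being fixed, and a comment such as `# restart pagination from the first page for this company` would make that intent visible. get_alerts_details starts outside the hunk.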
+++ b/Solutions/BitSight/Data Connectors/BitSightDataConnector/azuredeploy_BitSight_API_FunctionApp.json @@ -40,7 +40,7 @@ "type": "string", "defaultValue": "ALL", "metadata": { - "description": "Please add valid company names separated by slash(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc." + "description": "Please add valid company names separated by asterisk(*). For example: Actors Films*Goliath Investments LLC*HCL Group*Saperix, Inc." } }, "WorkspaceID": { 
@@ -59,51 +59,99 @@ }, "Portfolio_Companies_Table_Name":{ "type": "string", - "defaultValue": "Portfolio_Companies" + "defaultValue": "Portfolio_Companies", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Alerts_Table_Name":{ "type": "string", - "defaultValue": "Alerts_data" + "defaultValue": "Alerts_data", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Breaches_Table_Name":{ "type": "string", - "defaultValue": "BitsightBreaches_data" + "defaultValue": "BitsightBreaches_data", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Company_Table_Name":{ "type": "string", - "defaultValue": "BitsightCompany_details" + "defaultValue": "BitsightCompany_details", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Company_Rating_Details_Table_Name":{ "type": "string", - "defaultValue": "BitsightCompany_rating_details" + "defaultValue": "BitsightCompany_rating_details", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Diligence_Historical_Statistics_Table_Name":{ "type": "string", - "defaultValue": "BitsightDiligence_historical_statistics" + "defaultValue": "BitsightDiligence_historical_statistics", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Diligence_Statistics_Table_Name":{ "type": "string", - "defaultValue": "BitsightDiligence_statistics" + "defaultValue": "BitsightDiligence_statistics", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Findings_Summary_Table_Name":{ "type": 
"string", - "defaultValue": "BitsightFindings_summary" + "defaultValue": "BitsightFindings_summary", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Findings_Table_Name":{ "type": "string", - "defaultValue": "BitsightFindings_data" + "defaultValue": "BitsightFindings_data", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Graph_Table_Name":{ "type": "string", - "defaultValue": "BitsightGraph_data" + "defaultValue": "BitsightGraph_data", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Industrial_Statistics_Table_Name":{ "type": "string", - "defaultValue": "BitsightIndustrial_statistics" + "defaultValue": "BitsightIndustrial_statistics", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "Observation_Statistics_Table_Name":{ "type": "string", - "defaultValue": "BitsightObservation_statistics" + "defaultValue": "BitsightObservation_statistics", + "minLength": 1, + "metadata": { + "description": "Please do not keep this field as empty else you will get validation error" + } }, "LogLevel":{ "type": "string", @@ -128,7 +176,7 @@ "type": "string", "defaultValue": "0 */30 * * * *", "metadata": { - "description": "Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *)" + "description": "Please enter a valid Quartz cron-expression. (Example: 0 */30 * * * *)" } }, "AppInsightsWorkspaceResourceID": { @@ -186,7 +234,8 @@ } }, "keySource": "Microsoft.Storage" - } + }, + "minimumTlsVersion": "TLS1_2" } }, { diff --git a/Solutions/Bitglass/Data/Solution_Bitglass.json b/Solutions/Bitglass/Data/Solution_Bitglass.json index ebd1f301a94..c53604a7baf 100644 --- a/Solutions/Bitglass/Data/Solution_Bitglass.json 
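Review bot: The new `metadata.description` on the `*_Table_Name` parameters only says the field must not be empty; it should say what the value is, since the deploy UI shows this text to the operator, e.g. `"description": "Name of the custom log table that receives BitSight findings records (letters, digits and underscore only)"` on `Findings_Table_Name` and the equivalent on the others. `minLength: 1` rejects only the empty string, and ARM parameters offer no pattern constraint, so a value with spaces or punctuation passes validation and — if these names become the custom log type at ingestion, which the function app presumably does — fails later at runtime; stating the character rule in the description is the practical check available here.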
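Review bot: `"minimumTlsVersion": "TLS1_2"` on the storage account is the right addition; the same `properties` object should also carry `"supportsHttpsTrafficOnly": true` and `"allowBlobPublicAccess": false` unless they are already set in the part of the resource outside the hunk, since the function app's storage account holds function content and has no reason to accept plaintext or anonymous access. A one-line comment is not possible in JSON, so the ReleaseNotes entry for the connector is the place to record that the template now enforces TLS 1.2 on redeploy.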
+++ b/Solutions/Bitglass/Data/Solution_Bitglass.json 
@@ -2,7 +2,7 @@ "Name": "Bitglass", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "The [Bitglass](https://www.bitglass.com/) solution provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n \r\n b. [Azure Functions ](https://azure.microsoft.com/services/functions/#overview)", + "Description": "The [Bitglass](https://www.forcepoint.com/bitglass) solution provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n \r\n b. 
[Azure Functions ](https://azure.microsoft.com/services/functions/#overview)", "Workbooks": [ "Workbooks/Bitglass.json" ], diff --git a/Solutions/Bitglass/Package/3.0.0.zip b/Solutions/Bitglass/Package/3.0.0.zip index 41df3dcf65a..9ecbe05de19 100644 Binary files a/Solutions/Bitglass/Package/3.0.0.zip and b/Solutions/Bitglass/Package/3.0.0.zip differ diff --git a/Solutions/Bitglass/Package/createUiDefinition.json b/Solutions/Bitglass/Package/createUiDefinition.json index 8e96a14100b..fc2315a735d 100644 --- a/Solutions/Bitglass/Package/createUiDefinition.json +++ b/Solutions/Bitglass/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Bitglass/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Bitglass](https://www.bitglass.com/) solution provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n \r\n b. 
[Azure Functions ](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Bitglass/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Bitglass](https://www.forcepoint.com/bitglass) solution provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n \r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n \r\n a. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api) \r\n \r\n b. [Azure Functions ](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
diff --git a/Solutions/Bitglass/Package/mainTemplate.json b/Solutions/Bitglass/Package/mainTemplate.json index c9b66989525..fa3b59d4e88 100644 --- a/Solutions/Bitglass/Package/mainTemplate.json +++ b/Solutions/Bitglass/Package/mainTemplate.json @@ -1287,7 +1287,7 @@ "id": "[variables('_uiConfigId1')]", "title": "Bitglass (using Azure Functions)", "publisher": "Bitglass", - "descriptionMarkdown": "The [Bitglass](https://www.bitglass.com/) data connector provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "descriptionMarkdown": "The [Bitglass](https://www.forcepoint.com/bitglass) data connector provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", "additionalRequirementBanner": ">This data connector depends on a parser based on a Kusto Function to work as expected [**Bitglass**](https://aka.ms/sentinel-bitglass-parser) which is deployed with the Microsoft Sentinel Solution.", "graphQueries": [ { 
@@ -1365,7 +1365,7 @@ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**Bitglass**](https://aka.ms/sentinel-bitglass-parser) which is deployed with the Microsoft Sentinel Solution." }, { - "description": "**STEP 1 - Configuration steps for the Bitglass Log Retrieval API**\n\n Follow the instructions to obtain the credentials.\n\n1. Please contact Bitglass [support](https://pages.bitglass.com/Contact.html) and obtain the **BitglassToken** and **BitglassServiceURL** ntation].\n2. Save credentials for using in the data connector." + "description": "**STEP 1 - Configuration steps for the Bitglass Log Retrieval API**\n\n Follow the instructions to obtain the credentials.\n\n1. Please contact Bitglass [support](https://www.forcepoint.com/company/contact-us) and obtain the **BitglassToken** and **BitglassServiceURL** ntation].\n2. Save credentials for using in the data connector." }, { "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Bitglass data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", 
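Review bot: The new line still ends the STEP 1 text with `**BitglassServiceURL** ntation].`, a fragment left over from an earlier link that the URL update did not clean up; the same text appears in the `@@ -1566,7 +1566,7 @@` hunk. The sentence should read `... obtain the **BitglassToken** and **BitglassServiceURL**.\n2. Save credentials for using in the data connector.`. Since Package/mainTemplate.json is presumably generated from the solution's data connector definition, the fix belongs in that source file with the package regenerated, otherwise the next packaging run reintroduces it.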
@@ -1489,7 +1489,7 @@ "connectorUiConfig": { "title": "Bitglass (using Azure Functions)", "publisher": "Bitglass", - "descriptionMarkdown": "The [Bitglass](https://www.bitglass.com/) data connector provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "descriptionMarkdown": "The [Bitglass](https://www.forcepoint.com/bitglass) data connector provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", "graphQueries": [ { "metricName": "Total data received", 
@@ -1566,7 +1566,7 @@ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**Bitglass**](https://aka.ms/sentinel-bitglass-parser) which is deployed with the Microsoft Sentinel Solution." }, { - "description": "**STEP 1 - Configuration steps for the Bitglass Log Retrieval API**\n\n Follow the instructions to obtain the credentials.\n\n1. Please contact Bitglass [support](https://pages.bitglass.com/Contact.html) and obtain the **BitglassToken** and **BitglassServiceURL** ntation].\n2. Save credentials for using in the data connector." + "description": "**STEP 1 - Configuration steps for the Bitglass Log Retrieval API**\n\n Follow the instructions to obtain the credentials.\n\n1. Please contact Bitglass [support](https://www.forcepoint.com/company/contact-us) and obtain the **BitglassToken** and **BitglassServiceURL** ntation].\n2. Save credentials for using in the data connector." }, { "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the Bitglass data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", @@ -1662,13 +1662,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } @@ -1766,13 +1766,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } 
@@ -1870,13 +1870,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } @@ -1974,13 +1974,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } @@ -2078,13 +2078,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } @@ -2182,13 +2182,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } @@ -2286,13 +2286,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -2390,13 +2390,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } 
@@ -2494,22 +2494,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileCustomEntity" + "columnName": "FileCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "File" } ] } @@ -2607,13 +2607,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } - ] + ], + "entityType": "Account" } ] } @@ -2670,7 +2670,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Bitglass", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Bitglass solution provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Bitglass solution provides the capability to retrieve security event logs of the Bitglass services and more events into Microsoft Sentinel through the REST API. The connector provides ability to get events which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/Bitglass/ReleaseNotes.md b/Solutions/Bitglass/ReleaseNotes.md index 045a358b890..a9fd322af45 100644 --- a/Solutions/Bitglass/ReleaseNotes.md +++ b/Solutions/Bitglass/ReleaseNotes.md @@ -1,3 +1,3 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 28-08-2024 | Updated the python runtime version to **3.11** | +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------------| +| 3.0.0 | 21-10-2024 | Updated the python runtime version to **3.11** and updated functional URL| diff --git a/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml b/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml new file mode 100644 index 00000000000..319148d15da --- /dev/null +++ b/Solutions/CTERA/Analytic Rules/RansomwareDetected.yaml 
@@ -0,0 +1,52 @@
+id: 7a075edf-1cf2-4038-ba9c-c354db6409de
+name: Ransom Protect Detected a Ransomware Attack
+description: 'This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time'
+kind: Scheduled
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: CTERA
+ dataTypes:
+ - Syslog
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: GreaterThan
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1486
+query: |
+ Syslog
+ | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected"
+ | extend
+ Portal = extract("portal:(\\w+)", 1, SyslogMessage),
+ EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
+ IP = extract("\\(IP:([0-9.]+)\\)", 1, SyslogMessage),
+ User = extract("user:(\\w+)", 1, SyslogMessage),
+ IncidentType = extract("Incident type:(\\w+)", 1, SyslogMessage),
+ StartTime = extract("started at \"([^\"]+)\"", 1, SyslogMessage),
+ EndTime = extract("ended at \"([^\"]+)\"", 1, SyslogMessage)
+ | project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime
+suppressionDuration: PT5H
+suppressionEnabled: false
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: PT5H
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+alertDetailsOverride:
+ alertnameFormat: 'CTERA Ransom Protect Detected a Ransomware Attack.'
+ alertDescriptionFormat: CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}.
+customDetails:
+ EdgeFiler: EdgeFiler
+entityMappings:
+- entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: EdgeFiler
+version: 1.0.0
\ No newline at end of file
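Review bot: The query extracts `IP` and `User` but `entityMappings` only maps the `Host` entity from `EdgeFiler`, so the source address and the account never become incident entities and `matchingMethod: AllEntities` has only the filer to group on; the sibling RansomwareUserBlocked rule maps `Account`/`FullName` → `User` and `IP`/`Address` → `IP`, and the same two mappings belong here. Separately, `User = extract("user:(\\w+)", 1, SyslogMessage)` stops at the first non-word character, so a user written as `first.last` or `name@domain` would be truncated, and `[0-9.]+` for `IP` will return empty for an IPv6 address; if the Ransom Protect log can carry such values, `user:([^\\s,)]+)` and `\\(IP:([0-9a-fA-F.:]+)\\)` are safer captures. I cannot verify the exact message format from this diff, so the capture change should be checked against a real log line.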
diff --git a/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml b/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
new file mode 100644
index 00000000000..64078eaaadd
--- /dev/null
+++ b/Solutions/CTERA/Analytic Rules/RansomwareUserBlocked.yaml
@@ -0,0 +1,54 @@
+id: d5d4766b-e547-44da-9d85-48ff393db201
+name: Ransom Protect User Blocked
+description: 'Detects malicious users blocked by CTERA Ransom Protect AI engine.'
+kind: Scheduled
+severity: High
+status: Available
+requiredDataConnectors:
+ - connectorId: CTERA
+ dataTypes:
+ - Syslog
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: GreaterThan
+triggerThreshold: 0
+tactics:
+ - Impact
+relevantTechniques:
+ - T1486
+query: |
+ Syslog
+ | where SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked"
+ | extend
+ Portal = extract("portal:(\\w+)", 1, SyslogMessage),
+ EdgeFiler = extract("Edge Filer:(\\w+-\\d+)", 1, SyslogMessage),
+ IP = extract("IP:([0-9.]+)", 1, SyslogMessage),
+ User = extract("user:(\\w+)", 1, SyslogMessage),
+ BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)
+ | project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime
+suppressionDuration: PT5H
+suppressionEnabled: false
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: PT5H
+ matchingMethod: AllEntities
+eventGroupingSettings:
+ aggregationKind: SingleAlert
+alertDetailsOverride:
+ alertnameFormat: 'CTERA Ransom Protect User Blocked'
+ alertDescriptionFormat: CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}.
+customDetails:
+ EdgeFiler: EdgeFiler
+entityMappings:
+- entityType: Account
+ fieldMappings:
+ - identifier: FullName
+ columnName: User
+- entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: IP
+version: 1.0.0
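Review bot: `BlockedTime = extract("at ([^ ]+)", 1, SyslogMessage)` captures the token after the first literal `at ` anywhere in the message, which also matches inside words such as `that ` or `format ` and is not tied to the blocking timestamp; if the message reads `... blocked ... at <time>`, anchoring the capture, e.g. `BlockedTime = extract("blocked .*? at ([^ ]+)", 1, SyslogMessage)`, or at least `\\bat ([^ ]+)`, makes the field deterministic. Because `Account`/`FullName` and `IP`/`Address` are mapped from `User` and `IP`, an empty capture from the `\\w+` and `[0-9.]+` patterns (dotted or domain-style user names, IPv6) would produce an incident with blank entities rather than a visible error. I cannot confirm the exact log line format from this diff, so the patterns should be checked against a sample event.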
diff --git a/Solutions/CTERA/Data Connectors/CTERA_Data_Connector.json b/Solutions/CTERA/Data Connectors/CTERA_Data_Connector.json
new file mode 100644
index 00000000000..1273c5e1c29
--- /dev/null
+++ b/Solutions/CTERA/Data Connectors/CTERA_Data_Connector.json
@@ -0,0 +1,128 @@ +{ + "id": "CTERA", + "title": "CTERA Syslog", + "publisher": "CTERA Networks Ltd", + "descriptionMarkdown": "The CTERA Data Connector for Microsoft Sentinel offers monitoring and threat detection capabilities for your CTERA solution.\n It includes a workbook visualizing the sum of all operations per type, deletions, and denied access operations.\n It also provides analytic rules which detects ransomware incidents and alert you when a user is blocked due to suspicious ransomware activity.\n Additionally, it helps you identify critical patterns such as mass access denied events, mass deletions, and mass permission changes, enabling proactive threat management and response.", + "additionalRequirementBanner": "None", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "CTERA Events", + "baseQuery": "Syslog" + } + ], + "sampleQueries": [ + { + "description": "Query to find all denied operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission matches regex @\"(?i).*denied.*\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to find all delete operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission == \"op=delete\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to summarize operations by user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend 
Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by UserName, Permission" + }, + { + "description": "Query to summarize operations by a portal tenant.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by TenantName, Permission" + }, + { + "description": "Query to find operations performed by a specific user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where UserName == 'user=specific_user'\n| summarize Count = count() by Permission" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" + ] + } + ], + "dataTypes": [ + { + "name": "Syslog", + "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "Step 1: Connect CTERA Platform to Syslog", + "description": "Set up your CTERA portal syslog connection and Edge-Filer Syslog connector", + "instructions": [ + { + "parameters": { + "title": "CTERA Syslog Configuration", + "instructionSteps": [ + { + "title": "Portal Syslog connection", + "description": "Connect 
CTERA Portal to syslog server, see instructions https://kb.ctera.com/v1/docs/en/managing-log-settings?highlight=logg" + }, + { + "title": "Edge Filer Audit logs", + "description": "Enable Audit logs on the desired Edge-filers" + }, + { + "title": "Edge-Filer Syslog Service", + "description": "Enable Edge-Filer Syslog service, see instructions https://kb.ctera.com/v1/docs/en/setting-up-the-edge-filer-syslog-service-2?highlight=Edge%20Filer%20Syslog" + } + ] + } + } + ] + }, + { + "title": "Step 2: Install Azure Monitor Agent (AMA) on Syslog Server", + "description": "Install the Azure Monitor Agent (AMA) on your syslog server to enable data collection.", + "instructions": [ + { + "parameters": { + "title": "Install Azure Monitor Agent", + "instructionSteps": [ + { + "title": "Log in to Azure Portal", + "description": "Use your Azure credentials to log in to the Azure Portal." + }, + { + "title": "Navigate to Azure Arc", + "description": "In the Azure Portal, go to 'Azure Arc' and select your connected syslog server." + }, + { + "title": "Select Extensions", + "description": "In the Azure Arc settings for your syslog server, navigate to the 'Extensions' section." + }, + { + "title": "Add Extension", + "description": "Click on 'Add' and select 'Azure Monitor Agent' from the list of available extensions." + }, + { + "title": "Install AMA", + "description": "Follow the prompts to install the Azure Monitor Agent on your syslog server. For detailed instructions, refer to the official documentation: [Install Azure Monitor Agent](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal)" + } + ] + } + } + ] + } + ] +} diff --git a/Solutions/CTERA/Data/Solution_CTERA.json b/Solutions/CTERA/Data/Solution_CTERA.json new file mode 100644 index 00000000000..06d0008e9f9 --- /dev/null +++ b/Solutions/CTERA/Data/Solution_CTERA.json 
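Review bot: `requiredPermissions` declares `"delete": true` on the workspace while `permissionsDisplayText` tells the user only write permission is required; a syslog-based connector deploys nothing it needs to delete, so dropping the `delete` entry keeps the declared permissions at least-privilege and consistent with the displayed text. The `graphQueries` `baseQuery`, the `lastDataReceivedQuery` and the `IsConnectedQuery` all run against the bare `Syslog` table, so "Total events received" and the connected state will reflect any syslog source in the workspace rather than CTERA; the sample queries already key on `ProcessName == 'gw-audit'`, and the same filter belongs in those three queries, e.g. `"Syslog\n | where ProcessName == 'gw-audit'\n | where TimeGenerated > ago(3d)\n | take 1\n | project IsConnected = true"`. The two Ransom Protect analytic rules in this commit match on `SyslogMessage contains "[com.ctera.db.jpa.log.RansomLogEntityListener] ..."` rather than on `ProcessName`, so the connectivity filter may need to be an `or` over whatever `ProcessName` those portal events arrive with — I cannot tell that from the diff.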
@@ -0,0 +1,26 @@
+{
+ "Name": "CTERA",
+ "Author": "CTERA Networks - support@ctera.com",
+ "Logo": "",
+ "Description": "The CTERA solution allows you to ingest and analyze events from CTERA Edge Filers and Portal to Microsoft Sentinel. It detects ransomware incidents and potentially attacking users, abnormal user and excessive deletions .\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "Data Connectors": [
+ "Data Connectors/CTERA_Data_Connector.json"
+ ],
+ "Workbooks": [
+ "Workbooks/CTERA_Workbook.json"
+ ],
+ "Analytic Rules": [
+ "Analytic Rules/RansomwareUserBlocked.yaml",
+ "Analytic Rules/RansomwareDetected.yaml"
+ ],
+ "Hunting Queries": [
+ "Hunting Queries/MassDeletions.yaml",
+ "Hunting Queries/MassAccessDenied.yaml",
+ "Hunting Queries/MassPermissionChanges.yaml"
+ ],
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CTERA",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/CTERA/Hunting Queries/MassAccessDenied.yaml b/Solutions/CTERA/Hunting Queries/MassAccessDenied.yaml
new file mode 100644
index 00000000000..b673ac63196
--- /dev/null
+++ b/Solutions/CTERA/Hunting Queries/MassAccessDenied.yaml
@@ -0,0 +1,40 @@
+id: 26f7d89a-b7b7-47cb-ad11-281f66c17c3d
+name: CTERA Mass Access Denied Detection
+description: 'This query detects access denied events generated by the CTERA Edge Filer'
+requiredDataConnectors:
+ - connectorId: CTERA
+ dataTypes:
+ - Syslog
+tactics:
+ - Defense Evasion
+relevantTechniques:
+ - T1562
+query: |
+ Syslog
+ | where ProcessName == 'gw-audit'
+ | extend
+ TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
+ UserName = extract("user=([^|]*)", 1, SyslogMessage),
+ Operation = extract("op=([^|]*)", 1, SyslogMessage),
+ EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
+ RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
+ Share = extract("share=([^|]*)", 1, SyslogMessage),
+ LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
+ Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
+ | where Operation in ('OpenDenied', 'createDenied', 'OpenDenied', 'setsd', 'AclDenied', 'chown', 'AclDenied', 'deleteDenied')
+ | summarize Count = count() by UserName, bin(Timestamp, 2m)
+ | where Count > 10
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: UserName
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: Timestamp
+ - entityType: File
+ fieldMappings:
+ - identifier: Name
+ columnName: Timestamp
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/CTERA/Hunting Queries/MassDeletions.yaml b/Solutions/CTERA/Hunting Queries/MassDeletions.yaml
new file mode 100644
index 00000000000..7b3ec66861d
--- /dev/null
+++ b/Solutions/CTERA/Hunting Queries/MassDeletions.yaml
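Review bot: The `IP` and `File` entity mappings point `Address` and `Name` at the `Timestamp` column, and after `| summarize Count = count() by UserName, bin(Timestamp, 2m)` the only columns left are `UserName`, `Timestamp` and `Count`, so those two entities would be filled with a datetime (or rejected at validation) while the extracted `EdgeFiler`, `LocalPath`, `Share` and `RootPath` fields are discarded before anything can be mapped from them. Either drop the `IP` and `File` mappings, or carry the needed columns through the aggregation, e.g. `| summarize Count = count(), Files = make_set(LocalPath, 20) by UserName, EdgeFiler, bin(Timestamp, 2m)`, and map `Host`/`HostName` → `EdgeFiler` and `File`/`Name` → `Files`. The same `Timestamp` mappings appear unchanged in MassDeletions.yaml and MassPermissionChanges.yaml. The `Operation in (...)` list here also repeats `'OpenDenied'` and `'AclDenied'`, which is harmless but suggests the list was not checked against the actual `op=` values the filer emits.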
@@ -0,0 +1,40 @@
+id: 23206903-0c36-4d68-ba4b-169c67355b53
+name: CTERA Mass File Deletions Detection
+description: 'This query detects file deletions generated by the CTERA Edge Filer.'
+requiredDataConnectors:
+ - connectorId: CTERA
+ dataTypes:
+ - Syslog
+tactics:
+ - Impact
+relevantTechniques:
+ - T1485
+query: |
+ Syslog
+ | where ProcessName == 'gw-audit'
+ | extend
+ TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
+ UserName = extract("user=([^|]*)", 1, SyslogMessage),
+ Permission = extract("op=([^|]*)", 1, SyslogMessage),
+ EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
+ RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
+ Share = extract("share=([^|]*)", 1, SyslogMessage),
+ LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
+ Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
+ | where Permission == 'delete'
+ | summarize Count = count() by UserName, bin(Timestamp, 2m)
+ | where Count > 10
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: UserName
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: Timestamp
+ - entityType: File
+ fieldMappings:
+ - identifier: Name
+ columnName: Timestamp
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/CTERA/Hunting Queries/MassPermissionChanges.yaml b/Solutions/CTERA/Hunting Queries/MassPermissionChanges.yaml
new file mode 100644
index 00000000000..3d81fc082a9
--- /dev/null
+++ b/Solutions/CTERA/Hunting Queries/MassPermissionChanges.yaml
@@ -0,0 +1,40 @@
+id: 694ce74e-968b-4ca0-ae24-53bcfd87bf0a
+name: CTERA Mass Permission Change Detection
+description: 'This query detects permission changes generated by the CTERA Edge Filer.'
+requiredDataConnectors:
+ - connectorId: CTERA
+ dataTypes:
+ - Syslog
+tactics:
+ - Privilege Escalation
+relevantTechniques:
+ - T1068
+query: |
+ Syslog
+ | where ProcessName == 'gw-audit'
+ | extend
+ TenantName = extract("\"vportal\":\"([^\"]*)\"", 1, SyslogMessage),
+ UserName = extract("user=([^|]*)", 1, SyslogMessage),
+ Operation = extract("op=([^|]*)", 1, SyslogMessage),
+ EdgeFiler = extract("\"client\":\"([^\"]*)\"", 1, SyslogMessage),
+ RootPath = extract("rootPath=([^|]*)", 1, SyslogMessage),
+ Share = extract("share=([^|]*)", 1, SyslogMessage),
+ LocalPath = extract("path=([^|]*)", 1, SyslogMessage),
+ Timestamp = todatetime(extract("\"@timestamp\":\"([^\"]*)\"", 1, SyslogMessage))
+ | where Operation in ('ACLAdded', 'ACLDeleted', 'ACLProtectionAdded', 'ACLProtectionDeleted', 'ACEChanged', 'setdacl')
+ | summarize Count = count() by UserName, bin(Timestamp, 2m)
+ | where Count > 10
+entityMappings:
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: UserName
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: Timestamp
+ - entityType: File
+ fieldMappings:
+ - identifier: Name
+ columnName: Timestamp
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/CTERA/Package/3.0.0.zip b/Solutions/CTERA/Package/3.0.0.zip
new file mode 100644
index 00000000000..f0721dfac20
Binary files /dev/null and b/Solutions/CTERA/Package/3.0.0.zip differ
diff --git a/Solutions/CTERA/Package/createUiDefinition.json b/Solutions/CTERA/Package/createUiDefinition.json
new file mode 100644
index 00000000000..23f1b2c687f
--- /dev/null
+++ b/Solutions/CTERA/Package/createUiDefinition.json
@@ -0,0 +1,249 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CTERA/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe CTERA solution allows you to ingest and analyze events from CTERA Edge Filers and Portal to Microsoft Sentinel. It detects ransomware incidents and potentially attacking users, abnormal user and excessive deletions .\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2, **Hunting Queries:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": 
"[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for CTERA. You can get CTERA Syslog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." 
+ } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "CTERA Audit Logs Ingestion", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents." + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Ransom Protect User Blocked", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects malicious users blocked by CTERA Ransom Protect AI engine." 
+ } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Ransom Protect Detected a Ransomware Attack", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time" + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. " + } + }, + { + "name": "huntingqueries-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "CTERA Mass File Deletions Detection", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query detects file deletions generated by the CTERA Edge Filer. 
This hunting query depends on CTERA data connector (Syslog Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "CTERA Mass Access Denied Detection", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query detects access denied events generated by the CTERA Edge Filer This hunting query depends on CTERA data connector (Syslog Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "CTERA Mass Permission Change Detection", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query detects permission changes generated by the CTERA Edge Filer. This hunting query depends on CTERA data connector (Syslog Parser or Table)" + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/CTERA/Package/mainTemplate.json b/Solutions/CTERA/Package/mainTemplate.json new file mode 100644 index 00000000000..f0b0178e978 --- /dev/null +++ b/Solutions/CTERA/Package/mainTemplate.json 
@@ -0,0 +1,1140 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "CTERA Networks - support@ctera.com", + "comments": "Solution template for CTERA" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "CTERA Audit Logs Ingestion", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "support@ctera.com", + "_email": "[variables('email')]", + "_solutionName": "CTERA", + "_solutionVersion": "3.0.0", + "solutionId": "cteranetworksltd1651947437632.microsoft-sentinel-solution-ctera", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "CTERA", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "CTERA", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "workbookVersion1": "1.0.0", + "workbookContentId1": "CTERA_Workbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "d5d4766b-e547-44da-9d85-48ff393db201", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd5d4766b-e547-44da-9d85-48ff393db201')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d5d4766b-e547-44da-9d85-48ff393db201')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d5d4766b-e547-44da-9d85-48ff393db201','-', '1.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.0", + "_analyticRulecontentId2": 
"7a075edf-1cf2-4038-ba9c-c354db6409de", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7a075edf-1cf2-4038-ba9c-c354db6409de')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7a075edf-1cf2-4038-ba9c-c354db6409de')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a075edf-1cf2-4038-ba9c-c354db6409de','-', '1.0.0')))]" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "23206903-0c36-4d68-ba4b-169c67355b53", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('23206903-0c36-4d68-ba4b-169c67355b53')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "26f7d89a-b7b7-47cb-ad11-281f66c17c3d", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('26f7d89a-b7b7-47cb-ad11-281f66c17c3d')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + "_huntingQuerycontentId3": "694ce74e-968b-4ca0-ae24-53bcfd87bf0a", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('694ce74e-968b-4ca0-ae24-53bcfd87bf0a')))]" + }, + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + 
"location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CTERA data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "CTERA Syslog", + "publisher": "CTERA Networks Ltd", + "descriptionMarkdown": "The CTERA Data Connector for Microsoft Sentinel offers monitoring and threat detection capabilities for your CTERA solution.\n It includes a workbook visualizing the sum of all operations per type, deletions, and denied access operations.\n It also provides analytic rules which detects ransomware incidents and alert you when a user is blocked due to suspicious ransomware activity.\n Additionally, it helps you identify critical patterns such as mass access denied events, mass deletions, and mass permission changes, enabling proactive threat management and response.", + "additionalRequirementBanner": "None", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "CTERA Events", + "baseQuery": "Syslog" + } + ], + "sampleQueries": [ + { + "description": "Query to find all denied operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = 
extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission matches regex @\"(?i).*denied.*\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to find all delete operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission == \"op=delete\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to summarize operations by user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by UserName, Permission" + }, + { + "description": "Query to summarize operations by a portal tenant.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by TenantName, Permission" + }, + { + "description": "Query to find operations performed by a specific user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where UserName == 'user=specific_user'\n| summarize Count = count() by Permission" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ 
+ "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" + ] + } + ], + "dataTypes": [ + { + "name": "Syslog", + "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "Set up your CTERA portal syslog connection and Edge-Filer Syslog connector", + "instructions": [ + { + "parameters": { + "title": "CTERA Syslog Configuration", + "instructionSteps": [ + { + "title": "Portal Syslog connection", + "description": "Connect CTERA Portal to syslog server, see instructions https://kb.ctera.com/v1/docs/en/managing-log-settings?highlight=logg" + }, + { + "title": "Edge Filer Audit logs", + "description": "Enable Audit logs on the desired Edge-filers" + }, + { + "title": "Edge-Filer Syslog Service", + "description": "Enable Edge-Filer Syslog service, see instructions https://kb.ctera.com/v1/docs/en/setting-up-the-edge-filer-syslog-service-2?highlight=Edge%20Filer%20Syslog" + } + ] + } + } + ], + "title": "Step 1: Connect CTERA Platform to Syslog" + }, + { + "description": "Install the Azure Monitor Agent (AMA) on your syslog server to enable data collection.", + "instructions": [ + { + "parameters": { + "title": "Install Azure Monitor Agent", + "instructionSteps": [ + { + "title": "Log in to Azure Portal", + "description": "Use your Azure credentials to log in to the Azure Portal." + }, + { + "title": "Navigate to Azure Arc", + "description": "In the Azure Portal, go to 'Azure Arc' and select your connected syslog server." 
+ }, + { + "title": "Select Extensions", + "description": "In the Azure Arc settings for your syslog server, navigate to the 'Extensions' section." + }, + { + "title": "Add Extension", + "description": "Click on 'Add' and select 'Azure Monitor Agent' from the list of available extensions." + }, + { + "title": "Install AMA", + "description": "Follow the prompts to install the Azure Monitor Agent on your syslog server. For detailed instructions, refer to the official documentation: [Install Azure Monitor Agent](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal)" + } + ] + } + } + ], + "title": "Step 2: Install Azure Monitor Agent (AMA) on Syslog Server" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + 
"displayName": "CTERA Syslog", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "CTERA Syslog", + "publisher": "CTERA Networks Ltd", + "descriptionMarkdown": "The CTERA Data Connector for Microsoft Sentinel offers monitoring and threat detection capabilities for your CTERA solution.\n It includes a workbook visualizing the sum of all operations per type, deletions, and denied access operations.\n It also provides analytic rules 
which detects ransomware incidents and alert you when a user is blocked due to suspicious ransomware activity.\n Additionally, it helps you identify critical patterns such as mass access denied events, mass deletions, and mass permission changes, enabling proactive threat management and response.", + "graphQueries": [ + { + "metricName": "Total events received", + "legend": "CTERA Events", + "baseQuery": "Syslog" + } + ], + "dataTypes": [ + { + "name": "Syslog", + "lastDataReceivedQuery": "Syslog\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Syslog\n | where TimeGenerated > ago(3d)\n |take 1\n | project IsConnected = true" + ] + } + ], + "sampleQueries": [ + { + "description": "Query to find all denied operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission matches regex @\"(?i).*denied.*\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to find all delete operations.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where Permission == \"op=delete\"\n| summarize Count = count() by Permission" + }, + { + "description": "Query to summarize operations by user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by UserName, Permission" + }, 
+ { + "description": "Query to summarize operations by a portal tenant.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| summarize Count = count() by TenantName, Permission" + }, + { + "description": "Query to find operations performed by a specific user.", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage), UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\n| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\n| where UserName == 'user=specific_user'\n| summarize Count = count() by Permission" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "write permission is required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "Set up your CTERA portal syslog connection and Edge-Filer Syslog connector", + "instructions": [ + { + "parameters": { + "title": "CTERA Syslog Configuration", + "instructionSteps": [ + { + "title": "Portal Syslog connection", + "description": "Connect CTERA Portal to syslog server, see instructions https://kb.ctera.com/v1/docs/en/managing-log-settings?highlight=logg" + }, + { + "title": "Edge Filer Audit logs", + "description": "Enable Audit logs on the desired Edge-filers" + }, + { + "title": "Edge-Filer Syslog Service", + "description": "Enable Edge-Filer Syslog service, see instructions https://kb.ctera.com/v1/docs/en/setting-up-the-edge-filer-syslog-service-2?highlight=Edge%20Filer%20Syslog" + } + ] + } + } + ], + "title": "Step 1: 
Connect CTERA Platform to Syslog" + }, + { + "description": "Install the Azure Monitor Agent (AMA) on your syslog server to enable data collection.", + "instructions": [ + { + "parameters": { + "title": "Install Azure Monitor Agent", + "instructionSteps": [ + { + "title": "Log in to Azure Portal", + "description": "Use your Azure credentials to log in to the Azure Portal." + }, + { + "title": "Navigate to Azure Arc", + "description": "In the Azure Portal, go to 'Azure Arc' and select your connected syslog server." + }, + { + "title": "Select Extensions", + "description": "In the Azure Arc settings for your syslog server, navigate to the 'Extensions' section." + }, + { + "title": "Add Extension", + "description": "Click on 'Add' and select 'Azure Monitor Agent' from the list of available extensions." + }, + { + "title": "Install AMA", + "description": "Follow the prompts to install the Azure Monitor Agent on your syslog server. For detailed instructions, refer to the official documentation: [Install Azure Monitor Agent](https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal)" + } + ] + } + } + ], + "title": "Step 2: Install Azure Monitor Agent (AMA) on Syslog Server" + } + ], + "id": "[variables('_uiConfigId1')]", + "additionalRequirementBanner": "None" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "CTERA_Workbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "This Workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Welcome to your CTERA workbook. This area will display relevant graphs and metrics for the CTERA workspace.\\n\\n\\nWe've included relevant graphs of your SMB audit logs collected from the selected filers.\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tSyslog\\r\\n\\t| where ProcessName == 'gw-audit'\\r\\n\\t| extend\\r\\n\\t TenantName = extract(\\\"(\\\\\\\"vportal\\\\\\\":\\\\\\\"[^\\\\\\\"]*\\\\\\\")\\\", 1, SyslogMessage),\\r\\n\\t UserName = extract(\\\"(user=[^|]*)\\\", 1, SyslogMessage)\\r\\n\\t| extend Permission = extract(\\\"(op=[^|]*)\\\", 1, SyslogMessage)\\r\\n | where Permission matches regex @\\\"(?i).*denied.*\\\" or Permission == \\\"op=delete\\\" // Regex pattern to filter denied operations\\r\\n | summarize Count = count() by Permission\",\"size\":1,\"title\":\"Denied Operations and Deletions 
Count\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Permission\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 1 (Denied Operations and Deletions Count)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tSyslog\\r\\n\\t| where ProcessName == 'gw-audit'\\r\\n\\t| extend user = extract(\\\"user=([^|]*)\\\", 1, SyslogMessage)\\r\\n\\t| extend operation = extract(\\\"op=([^|]*)\\\", 1, SyslogMessage)\\r\\n | where operation matches regex @\\\"(?i).*denied.*\\\"\\r\\n\\t| summarize operation_count=count() by bin(TimeGenerated, 1m), user\\r\\n\\t| project TimeGenerated, user, operation_count\\r\\n\",\"size\":0,\"title\":\"Denied Operations Count per User\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\"},\"name\":\"query - 2 (Denied Operations per User)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\tSyslog\\r\\n\\t| where SyslogMessage contains \\\"ctera_audit\\\" and SyslogMessage contains \\\"op=delete\\\"\\r\\n\\t| extend user = extract(\\\"user=([^|]*)\\\", 1, SyslogMessage)\\r\\n\\t| extend timestamp = extract(\\\"timestamp=([^|]*)\\\", 1, SyslogMessage)\\r\\n\\t| extend TimeGenerated = todatetime(timestamp)\\r\\n\\t| summarize deletion_count = count() by bin(TimeGenerated, 1m), user\\r\\n\\t| where deletion_count > 1\\r\\n| project TimeGenerated, user, deletion_count\",\"size\":1,\"title\":\"Deleted Operations per 
User\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 3 (Deleted Operation)\"}],\"fromTemplateId\":\"2941ad84-e8df-4f19-b360-bae6cd104f2f\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=CTERA_Workbook; logoFileName=CTERA_Logo.svg; description=This Workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=CTERA Audit Logs Ingestion; templateRelativePath=CTERA_Workbook.json; provider=CTERA}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Syslog", + "kind": "DataType" + }, + { + "contentId": "CTERA", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": 
"[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RansomwareUserBlocked_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects malicious users blocked by CTERA Ransom Protect AI engine.", + "displayName": "Ransom Protect User Blocked", + "enabled": false, + "query": "Syslog\n| where SyslogMessage contains \"[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransom Protect mechanism blocked\"\n| extend \n Portal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\n EdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\n 
IP = extract(\"IP:([0-9.]+)\", 1, SyslogMessage),\n User = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\n BlockedTime = extract(\"at ([^ ]+)\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, BlockedTime\n", + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CTERA", + "dataTypes": [ + "Syslog" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1486" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "User", + "identifier": "FullName" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "columnName": "IP", + "identifier": "Address" + } + ], + "entityType": "IP" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "EdgeFiler": "EdgeFiler" + }, + "alertDetailsOverride": { + "alertnameFormat": "CTERA Ransom Protect User Blocked", + "alertDescriptionFormat": "CTERA Ransom Protect blocked a malicious user at {{TimeGenerated}}." 
+ }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": false, + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "PT5H" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "CTERA Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Ransom Protect User Blocked", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RansomwareDetected_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This analytics rule monitors CTERA platform to detect potential ransomware attacks detected by CTERA Ransom Protect AI engine. 
Once detected the following information will be exposed Virtual portal, Edge Filer, IP, User, Incident Type, Start and end time", + "displayName": "Ransom Protect Detected a Ransomware Attack", + "enabled": false, + "query": "Syslog\n| where SyslogMessage contains \"[com.ctera.db.jpa.log.RansomLogEntityListener] - Ransomware incident detected\"\n| extend \nPortal = extract(\"portal:(\\\\w+)\", 1, SyslogMessage),\nEdgeFiler = extract(\"Edge Filer:(\\\\w+-\\\\d+)\", 1, SyslogMessage),\nIP = extract(\"\\\\(IP:([0-9.]+)\\\\)\", 1, SyslogMessage),\nUser = extract(\"user:(\\\\w+)\", 1, SyslogMessage),\nIncidentType = extract(\"Incident type:(\\\\w+)\", 1, SyslogMessage),\nStartTime = extract(\"started at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage),\nEndTime = extract(\"ended at \\\"([^\\\"]+)\\\"\", 1, SyslogMessage)\n| project TimeGenerated, Portal, EdgeFiler, IP, User, IncidentType, StartTime, EndTime\n", + "queryFrequency": "PT5M", + "queryPeriod": "PT5M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CTERA", + "dataTypes": [ + "Syslog" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1486" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "columnName": "EdgeFiler", + "identifier": "HostName" + } + ], + "entityType": "Host" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "customDetails": { + "EdgeFiler": "EdgeFiler" + }, + "alertDetailsOverride": { + "alertnameFormat": "CTERA Ransom Protect Detected a Ransomware Attack.", + "alertDescriptionFormat": "CTERA Ransom Protect Detected a Ransomware Attack at {{TimeGenerated}}." 
+ }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": false, + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "PT5H" + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "CTERA Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Ransom Protect Detected a Ransomware Attack", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MassDeletions_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "CTERA_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CTERA Mass File Deletions Detection", + "category": "Hunting Queries", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend\n TenantName = extract(\"\\\"vportal\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n UserName = extract(\"user=([^|]*)\", 1, SyslogMessage),\n Permission = extract(\"op=([^|]*)\", 1, SyslogMessage),\n EdgeFiler = extract(\"\\\"client\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n RootPath = extract(\"rootPath=([^|]*)\", 1, SyslogMessage),\n Share = extract(\"share=([^|]*)\", 1, SyslogMessage),\n LocalPath = extract(\"path=([^|]*)\", 1, SyslogMessage),\n Timestamp = todatetime(extract(\"\\\"@timestamp\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage))\n| where Permission == 'delete'\n| summarize Count = count() by UserName, bin(Timestamp, 2m)\n| where Count > 10\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query detects file deletions generated by the CTERA Edge Filer." 
+ }, + { + "name": "tactics", + "value": "Impact" + }, + { + "name": "techniques", + "value": "T1485" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]", + "properties": { + "description": "CTERA Hunting Query 1", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "contentKind": "HuntingQuery", + "displayName": "CTERA Mass File Deletions Detection", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]", + "version": "1.0.0" 
+ } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MassAccessDenied_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "CTERA_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CTERA Mass Access Denied Detection", + "category": "Hunting Queries", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend\n TenantName = extract(\"\\\"vportal\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n UserName = extract(\"user=([^|]*)\", 1, SyslogMessage),\n Operation = extract(\"op=([^|]*)\", 1, SyslogMessage),\n EdgeFiler = extract(\"\\\"client\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n RootPath = extract(\"rootPath=([^|]*)\", 1, SyslogMessage),\n Share = extract(\"share=([^|]*)\", 1, SyslogMessage),\n LocalPath = extract(\"path=([^|]*)\", 1, SyslogMessage),\n Timestamp = todatetime(extract(\"\\\"@timestamp\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage))\n| where Operation in ('OpenDenied', 'createDenied', 'OpenDenied', 'setsd', 'AclDenied', 'chown', 'AclDenied', 'deleteDenied')\n| summarize Count = count() by UserName, bin(Timestamp, 2m)\n| where Count > 10\n", + "version": 2, + "tags": [ + { + "name": 
"description", + "value": "This query detects access denied events generated by the CTERA Edge Filer" + }, + { + "name": "tactics", + "value": "DefenseEvasion" + }, + { + "name": "techniques", + "value": "T1562" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]", + "properties": { + "description": "CTERA Hunting Query 2", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "contentKind": "HuntingQuery", + "displayName": "CTERA Mass Access Denied Detection", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MassPermissionChanges_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "CTERA_Hunting_Query_3", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "CTERA Mass Permission Change Detection", + "category": "Hunting Queries", + "query": "Syslog\n| where ProcessName == 'gw-audit'\n| extend\n TenantName = extract(\"\\\"vportal\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n UserName = extract(\"user=([^|]*)\", 1, SyslogMessage),\n Operation = extract(\"op=([^|]*)\", 1, SyslogMessage),\n EdgeFiler = extract(\"\\\"client\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage),\n RootPath = extract(\"rootPath=([^|]*)\", 1, SyslogMessage),\n Share = extract(\"share=([^|]*)\", 1, SyslogMessage),\n LocalPath = extract(\"path=([^|]*)\", 1, SyslogMessage),\n Timestamp = todatetime(extract(\"\\\"@timestamp\\\":\\\"([^\\\"]*)\\\"\", 1, SyslogMessage))\n| where Operation in ('ACLAdded', 'ACLDeleted', 'ACLProtectionAdded', 
'ACLProtectionDeleted', 'ACEChanged', 'setdacl')\n| summarize Count = count() by UserName, bin(Timestamp, 2m)\n| where Count > 10\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query detects permission changes generated by the CTERA Edge Filer." + }, + { + "name": "tactics", + "value": "PrivilegeEscalation" + }, + { + "name": "techniques", + "value": "T1068" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]", + "properties": { + "description": "CTERA Hunting Query 3", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "tier": "Partner", + "email": "support@ctera.com", + "link": "https://www.ctera.com/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "contentKind": "HuntingQuery", + "displayName": "CTERA Mass Permission Change Detection", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "CTERA", + "publisherDisplayName": "CTERA", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CTERA solution allows you to ingest and analyze events from CTERA Edge Filers and Portal to Microsoft Sentinel. It detects ransomware incidents and potentially attacking users, abnormal user and excessive deletions .

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 2, Hunting Queries: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "CTERA", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "CTERA Networks", + "email": "[variables('_email')]" + }, + "support": { + "name": "CTERA", + "email": "support@ctera.com", + "tier": "Partner", + "link": "https://www.ctera.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": "[variables('huntingQueryObject1').huntingQueryVersion1]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" + } + ] + }, + "firstPublishDate": "2024-07-28", + "providers": [ + "CTERA Networks Ltd" + ], + "categories": { + "domains": [ + "Storage" + ] + } + }, + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/CTERA/Package/testParameters.json b/Solutions/CTERA/Package/testParameters.json
new file mode 100644
index 00000000000..f83f18fc3cc
--- /dev/null
+++ b/Solutions/CTERA/Package/testParameters.json
@@ -0,0 +1,32 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "CTERA Audit Logs Ingestion",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/CTERA/ReleaseNotes.md b/Solutions/CTERA/ReleaseNotes.md
new file mode 100644
index 00000000000..45d77687c1f
--- /dev/null
+++ b/Solutions/CTERA/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 21-10-2024 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/CTERA/SolutionMetadata.json b/Solutions/CTERA/SolutionMetadata.json
new file mode 100644
index 00000000000..2d6620abeee
--- /dev/null
+++ b/Solutions/CTERA/SolutionMetadata.json
@@ -0,0 +1,16 @@
+{
+ "publisherId": "cteranetworksltd1651947437632",
+ "offerId": "microsoft-sentinel-solution-ctera",
+ "firstPublishDate": "2024-07-28",
+ "providers": ["CTERA Networks Ltd"],
+ "categories": {
+ "domains": ["Storage"],
+ "verticals": []
+ },
+ "support": {
+ "name": "CTERA",
+ "tier": "Partner",
+ "email": "support@ctera.com",
+ "link": "https://www.ctera.com/"
+ }
+}
diff --git a/Solutions/CTERA/Workbooks/CTERA_Workbook.json b/Solutions/CTERA/Workbooks/CTERA_Workbook.json
new file mode 100644
index 00000000000..f905e7eda50
--- /dev/null
+++ b/Solutions/CTERA/Workbooks/CTERA_Workbook.json
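Review bot: `firstPublishDate` is set to `2024-07-28` here (and the same value appears in the packaged mainTemplate.json contentPackages resource), but ReleaseNotes.md added in the same commit records the "Initial Solution Release" as 21-10-2024. The two dates describe the same event and should agree, since the metadata value is what the content hub shows as the publish date; which one is correct cannot be decided from the diff, so whichever is wrong should be corrected in both SolutionMetadata.json and the package. `verticals` is left as an empty list, which is presumably intentional for a storage-domain solution but worth a one-line confirmation in the PR description.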
@@ -0,0 +1,84 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "Welcome to your CTERA workbook. This area will display relevant graphs and metrics for the CTERA workspace.\n\n\nWe've included relevant graphs of your SMB audit logs collected from the selected filers." + }, + "name": "text - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\tSyslog\r\n\t| where ProcessName == 'gw-audit'\r\n\t| extend\r\n\t TenantName = extract(\"(\\\"vportal\\\":\\\"[^\\\"]*\\\")\", 1, SyslogMessage),\r\n\t UserName = extract(\"(user=[^|]*)\", 1, SyslogMessage)\r\n\t| extend Permission = extract(\"(op=[^|]*)\", 1, SyslogMessage)\r\n | where Permission matches regex @\"(?i).*denied.*\" or Permission == \"op=delete\" // Regex pattern to filter denied operations\r\n | summarize Count = count() by Permission", + "size": 1, + "title": "Denied Operations and Deletions Count", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "Permission", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "name": "query - 1 (Denied Operations and Deletions Count)" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\tSyslog\r\n\t| where ProcessName == 'gw-audit'\r\n\t| extend user = extract(\"user=([^|]*)\", 1, SyslogMessage)\r\n\t| extend operation = extract(\"op=([^|]*)\", 1, SyslogMessage)\r\n | where operation matches regex @\"(?i).*denied.*\"\r\n\t| summarize operation_count=count() by bin(TimeGenerated, 1m), user\r\n\t| project TimeGenerated, user, operation_count\r\n", + "size": 0, + "title": "Denied 
Operations Count per User", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "linechart" + }, + "name": "query - 2 (Denied Operations per User)" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\tSyslog\r\n\t| where SyslogMessage contains \"ctera_audit\" and SyslogMessage contains \"op=delete\"\r\n\t| extend user = extract(\"user=([^|]*)\", 1, SyslogMessage)\r\n\t| extend timestamp = extract(\"timestamp=([^|]*)\", 1, SyslogMessage)\r\n\t| extend TimeGenerated = todatetime(timestamp)\r\n\t| summarize deletion_count = count() by bin(TimeGenerated, 1m), user\r\n\t| where deletion_count > 1\r\n| project TimeGenerated, user, deletion_count", + "size": 1, + "title": "Deleted Operations per User", + "timeContext": { + "durationMs": 2592000000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 3 (Deleted Operation)" + } + ], + "fallbackResourceIds": [], + "fromTemplateId": "2941ad84-e8df-4f19-b360-bae6cd104f2f", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png b/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png new file mode 100644 index 00000000000..f652810301b Binary files /dev/null and b/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png differ diff --git a/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png b/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png new file mode 100644 index 00000000000..cf4c9ef91ba Binary files /dev/null and b/Solutions/CTERA/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png differ 
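Review bot: The third panel ("Deleted Operations per User") selects events with `SyslogMessage contains "ctera_audit" and SyslogMessage contains "op=delete"` and parses a `timestamp=` field, whereas the first two panels and the packaged hunting queries select on `ProcessName == 'gw-audit'` and read the JSON-style `"@timestamp"` field; if these are the same audit stream, the three panels currently count differently filtered populations and the filter and timestamp extraction should be aligned with the other two queries. That query also overwrites `TimeGenerated` with `todatetime(timestamp)`, so any record whose `timestamp=` field is absent or unparsable is binned under a null time and silently dropped from the chart rather than surfaced; adding `| where isnotempty(timestamp)` before the `summarize`, or keeping the table's `TimeGenerated` and binning on a separate `| extend EventTime = todatetime(timestamp)` column, makes the gap visible. The first panel is an `areachart` over a `summarize ... by Permission` result with no time column; a bar or tile visualization may be what was intended, but that is a presentation choice rather than a defect.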
diff --git a/Solutions/CTM360/Package/3.0.2.zip b/Solutions/CTM360/Package/3.0.2.zip index f3b9a1ae09b..e13fc77161e 100644 Binary files a/Solutions/CTM360/Package/3.0.2.zip and b/Solutions/CTM360/Package/3.0.2.zip differ diff --git a/Solutions/CTM360/Package/mainTemplate.json b/Solutions/CTM360/Package/mainTemplate.json index 0214b342b28..7dfcf0679ee 100644 --- a/Solutions/CTM360/Package/mainTemplate.json +++ b/Solutions/CTM360/Package/mainTemplate.json @@ -1046,13 +1046,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1060,10 +1060,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1167,13 +1167,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1181,10 +1181,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": true, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1288,13 +1288,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { 
@@ -1302,10 +1302,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1409,13 +1409,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1423,10 +1423,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1525,13 +1525,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1539,10 +1539,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1641,13 +1641,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1655,10 +1655,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -1760,31 +1760,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -1792,10 +1792,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -1895,31 +1895,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -1927,10 +1927,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -2029,31 +2029,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -2061,10 +2061,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -2163,31 +2163,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2195,10 +2195,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -2299,13 +2299,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2313,10 +2313,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -2415,13 +2415,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2429,10 +2429,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -2531,31 +2531,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { 
@@ -2566,10 +2566,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -2671,14 +2671,14 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { + "identifier": "Url", "suppressionDuration": "5h", - "columnName": "subject_s", - "identifier": "Url" + "columnName": "subject_s" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2686,10 +2686,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -2788,31 +2788,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2820,10 +2820,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -2923,31 +2923,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -2955,10 +2955,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -3058,31 +3058,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -3090,10 +3090,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -3193,31 +3193,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -3225,10 +3225,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -3327,31 +3327,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -3359,10 +3359,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -3461,31 +3461,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -3493,10 +3493,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -3595,31 +3595,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -3627,10 +3627,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -3729,31 +3729,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -3761,10 +3761,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -3863,31 +3863,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -3895,10 +3895,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -3998,10 +3998,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4098,13 +4098,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4112,10 +4112,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4212,31 +4212,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4244,10 +4244,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -4344,31 +4344,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4376,10 +4376,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4486,10 +4486,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4588,31 +4588,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { 
@@ -4620,10 +4620,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4726,13 +4726,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4740,10 +4740,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -4846,13 +4846,13 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "subject_s" + "columnName": "subject_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4860,10 +4860,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -4964,31 +4964,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -4996,10 +4996,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -5103,31 +5103,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -5135,10 +5135,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -5242,31 +5242,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -5274,10 +5274,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -5381,31 +5381,31 @@ ], "entityMappings": [ { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -5413,10 +5413,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -5520,31 +5520,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -5555,10 +5555,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } @@ -5662,31 +5662,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { @@ -5694,11 +5694,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { - + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } 
@@ -5802,31 +5801,31 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "meta_resolved_ip_s" + "columnName": "meta_resolved_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "meta_host_s" + "columnName": "meta_host_s", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "hackerview_link_s" + "columnName": "hackerview_link_s", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "eventGroupingSettings": { @@ -5834,10 +5833,10 @@ }, "incidentConfiguration": { "groupingConfiguration": { + "matchingMethod": "AllEntities", "enabled": false, - "reopenClosedIncident": false, "lookbackDuration": "PT5H", - "matchingMethod": "AllEntities" + "reopenClosedIncident": false }, "createIncident": true } diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGDLPViolation.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGDLPViolation.yaml index 0d7127fbc55..645e31995a7 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGDLPViolation.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGDLPViolation.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -34,5 +28,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml index ef0407f709c..6d033afb010 100755 
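Review bot: Dropping `CiscoSEG` and `CiscoSEGAma` from `requiredDataConnectors` in CiscoSEGDLPViolation.yaml changes what Sentinel reports as the rule's data source, not what the query reads, so a workspace still ingesting through either legacy connector will show this rule as missing its connector even though its CommonSecurityLog data still matches. The rule's `query` is outside the hunk, so I cannot confirm it goes through the CiscoSEGEvent parser rather than the raw table; if it does, the parser's vendor/product filter is now the only thing keeping other CEF sources out of this rule, since the sole declared source is the generic `CefAma` connector. Consider recording the migration in the rule's `description` (for example `'Requires Cisco SEG logs to be ingested via the Common Event Format (CEF) via AMA connector; the legacy CiscoSEG connectors are no longer supported.'`) so operators who only see the deployed rule learn why the connector status changed. The same edit is repeated for every CiscoSEG analytic rule and hunting query in this diff and this note applies to each of them.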
--- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMaliciousAttachmentNotBlocked.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleLargeEmails.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleLargeEmails.yaml index 62609fa48d7..39547460627 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleLargeEmails.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleLargeEmails.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -39,5 +33,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleSuspiciousEmails.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleSuspiciousEmails.yaml index 60660cb0c60..81d017cf500 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleSuspiciousEmails.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGMultipleSuspiciousEmails.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog 
@@ -36,5 +30,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPossibleOutbreak.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPossibleOutbreak.yaml index 206b19b5eb4..01e5368eb73 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPossibleOutbreak.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPossibleOutbreak.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -34,5 +28,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPotentialLinkToMalwareDownload.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPotentialLinkToMalwareDownload.yaml index 6e7d6531fae..308c1324431 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPotentialLinkToMalwareDownload.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGPotentialLinkToMalwareDownload.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousLink.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousLink.yaml index 74aede49b4f..4a4e025eaec 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousLink.yaml 
+++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousLink.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousSenderDomain.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousSenderDomain.yaml index 8a431c94708..31b6b3f0ee7 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousSenderDomain.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGSuspiciousSenderDomain.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -41,5 +35,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnclassifiedLink.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnclassifiedLink.yaml index ccf2a9ad3ba..46e73b082b8 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnclassifiedLink.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnclassifiedLink.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog 
@@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnexpextedAttachment.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnexpextedAttachment.yaml index 00fdac34ef5..99fd6f8d62c 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnexpextedAttachment.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnexpextedAttachment.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -34,5 +28,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnscannableAttachment.yaml b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnscannableAttachment.yaml index 4cabfb98f17..3d1de333957 100755 --- a/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnscannableAttachment.yaml +++ b/Solutions/CiscoSEG/Analytic Rules/CiscoSEGUnscannableAttachment.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: CiscoSEG - dataTypes: - - CiscoSEGEvent - - connectorId: CiscoSEGAma - dataTypes: - - CiscoSEGEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -34,5 +28,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CiscoSEG/Data/Solution_CiscoSEG.json b/Solutions/CiscoSEG/Data/Solution_CiscoSEG.json index 8989e1c0df4..618647955ec 100644 --- a/Solutions/CiscoSEG/Data/Solution_CiscoSEG.json +++ b/Solutions/CiscoSEG/Data/Solution_CiscoSEG.json 
@@ -31,10 +31,6 @@
 "Parsers": [
 "Parsers/CiscoSEGEvent.yaml"
 ],
- "Data Connectors": [
- "Data Connectors/Connector_Cisco_SEG_CEF.json",
- "Data Connectors/template_CiscoSEGAMA.json"
- ],
 "Workbooks": [
 "Workbooks/CiscoSEG.json"
 ],
diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedInMails.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedInMails.yaml
index affa167f12d..d6926f6c51d 100755
--- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedInMails.yaml
+++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedInMails.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for dropped mails.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: CiscoSEG
- dataTypes:
- - CiscoSEGEvent
- - connectorId: CiscoSEGAma
- dataTypes:
- - CiscoSEGEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedOutMails.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedOutMails.yaml
index 76877ba77b0..1b91f9bf996 100755
--- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedOutMails.yaml
+++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGDroppedOutMails.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for dropped outgoing mails.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: CiscoSEG
- dataTypes:
- - CiscoSEGEvent
- - connectorId: CiscoSEGAma
- dataTypes:
- - CiscoSEGEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDKIMFailure.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDKIMFailure.yaml
index 17c1561866c..2c4c13d5667 100755
--- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDKIMFailure.yaml
+++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDKIMFailure.yaml
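Review bot: Dropping the "Data Connectors" array leaves nothing in this hunk that ties the package to the Common Event Format solution, yet every analytic rule and hunting query in this commit now lists only `connectorId: CefAma` with `CommonSecurityLog`, and the package description says the CEF solution is installed as part of this one. I cannot see from this hunk whether that dependency is declared elsewhere in Solution_CiscoSEG.json; please confirm it is, otherwise the only connector the content still requires may be absent after install and the rules will show as lacking data. JSON has no comment syntax, so this belongs in the 3.0.4 entry of the ReleaseNotes the description links to, next to the note that the CiscoSEG and CiscoSEGAma connectors were removed.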
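Review bot: The requiredDataConnectors change in CiscoSEGDroppedInMails.yaml is not accompanied by a version bump, while every analytic rule in this commit goes from 1.0.2 to 1.0.3 for the identical edit and the generated mainTemplate.json still carries `"huntingQueryVersion1": "1.0.0"`. Without a bump, workspaces that already have 1.0.0 installed will presumably not pick up the updated connector metadata. The same applies to the hunks in CiscoSEGDroppedOutMails, CiscoSEGFailedDKIMFailure, CiscoSEGFailedDMARKFailure, CiscoSEGFailedSPFFailure, CiscoSEGFailedTLSIn, CiscoSEGFailedTLSOut, CiscoSEGInsecureProtocol, CiscoSEGSpamMails and CiscoSEGUsersReceivedSpam. If these YAMLs carry a `version:` field (the hunks stop before it), bump it in step with the analytic rules and regenerate the package.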
@@ -4,12 +4,6 @@ description: |
 'Query searches for mails with DKIM failure status.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: CiscoSEG
- dataTypes:
- - CiscoSEGEvent
- - connectorId: CiscoSEGAma
- dataTypes:
- - CiscoSEGEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDMARKFailure.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDMARKFailure.yaml
index 21973e5a8c5..702748f4afa 100755
--- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDMARKFailure.yaml
+++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedDMARKFailure.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for mails with DMARK failure status.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: CiscoSEG
- dataTypes:
- - CiscoSEGEvent
- - connectorId: CiscoSEGAma
- dataTypes:
- - CiscoSEGEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedSPFFailure.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedSPFFailure.yaml
index 3714e7e398b..b72e32e2c57 100755
--- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedSPFFailure.yaml
+++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedSPFFailure.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for mails with SPF failure status.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: CiscoSEG
- dataTypes:
- - CiscoSEGEvent
- - connectorId: CiscoSEGAma
- dataTypes:
- - CiscoSEGEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSIn.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSIn.yaml
index 2dda211f041..7be0d49f304 100755
--- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSIn.yaml
+++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSIn.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches failed TLS incoming connections.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: CiscoSEG
- dataTypes:
- - CiscoSEGEvent
- - connectorId: CiscoSEGAma
- dataTypes:
- - CiscoSEGEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSOut.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSOut.yaml
index 80a6f5d1825..b4d66992035 100755
--- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSOut.yaml
+++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGFailedTLSOut.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches failed TLS outgoing connections.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: CiscoSEG
- dataTypes:
- - CiscoSEGEvent
- - connectorId: CiscoSEGAma
- dataTypes:
- - CiscoSEGEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGInsecureProtocol.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGInsecureProtocol.yaml
index c73fde8b77d..17bb2c836ac 100755
--- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGInsecureProtocol.yaml
+++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGInsecureProtocol.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for connections with insecure protocol.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: CiscoSEG
- dataTypes:
- - CiscoSEGEvent
- - connectorId: CiscoSEGAma
- dataTypes:
- - CiscoSEGEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGSpamMails.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGSpamMails.yaml
index b2ec7d26a8d..97c4a48ba13 100755
--- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGSpamMails.yaml
+++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGSpamMails.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for sources of spam mails.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: CiscoSEG
- dataTypes:
- - CiscoSEGEvent
- - connectorId: CiscoSEGAma
- dataTypes:
- - CiscoSEGEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGUsersReceivedSpam.yaml b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGUsersReceivedSpam.yaml
index 2ffe28e1b34..80918da63b7 100755
--- a/Solutions/CiscoSEG/Hunting Queries/CiscoSEGUsersReceivedSpam.yaml
+++ b/Solutions/CiscoSEG/Hunting Queries/CiscoSEGUsersReceivedSpam.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches for top users receiving spam mails.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: CiscoSEG
- dataTypes:
- - CiscoSEGEvent
- - connectorId: CiscoSEGAma
- dataTypes:
- - CiscoSEGEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/CiscoSEG/Package/3.0.4.zip b/Solutions/CiscoSEG/Package/3.0.4.zip
new file mode 100644
index 00000000000..bab6c83b9ae
Binary files /dev/null and b/Solutions/CiscoSEG/Package/3.0.4.zip differ
diff --git a/Solutions/CiscoSEG/Package/createUiDefinition.json b/Solutions/CiscoSEG/Package/createUiDefinition.json
index 3269d4d8e92..3e9fb919532 100644
--- a/Solutions/CiscoSEG/Package/createUiDefinition.json
+++ b/Solutions/CiscoSEG/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoSEG/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) solution provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CiscoSEG/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) solution provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 11, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
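Review bot: The new description string still says `**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.`, but after this commit the solution ships no connectors of its own (the "Data Connectors: 2" count is removed from the same string), so "the existing connectors" no longer refers to anything a user of this package can see. Consider replacing that sentence with `**NOTE:** This solution does not install its own data connector; ingest Cisco SEG logs through the CEF via AMA connector provided by the Common Event Format solution.` The same deprecation sentence may also live in the solution README and ReleaseNotes, which are not in this diff.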
@@ -51,37 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for CiscoSEG. You can get CiscoSEG CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", @@ -337,7 +306,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for dropped mails. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for dropped mails. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] 
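Review bot: Removing the whole `dataconnectors` step also drops the `dataconnectors-parser-text` block, which was the only place the installer told the user that the solution installs a parser (the CiscoSEGEvent parser listed in Solution_CiscoSEG.json) and why, so the wizard now opens on the workbooks step with no mention of the parser dependency. Consider keeping that TextBlock as the first element of a surviving step, e.g. `{ "name": "parser-text", "type": "Microsoft.Common.TextBlock", "options": { "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. ..." } }` with the original wording. The dropped "Learn more about connecting data sources" link is fine to lose now that the connector lives in the Common Event Format solution. Since createUiDefinition.json is generated from the solution data, the fix presumably belongs in the generator input rather than this file directly.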
@@ -351,7 +320,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for dropped outgoing mails. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for dropped outgoing mails. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -365,7 +334,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for mails with DKIM failure status. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for mails with DKIM failure status. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -379,7 +348,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for mails with DMARK failure status. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for mails with DMARK failure status. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -393,7 +362,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for mails with SPF failure status. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for mails with SPF failure status. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] 
@@ -407,7 +376,7 @@ "name": "huntingquery6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches failed TLS incoming connections. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)" + "text": "Query searches failed TLS incoming connections. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -421,7 +390,7 @@ "name": "huntingquery7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches failed TLS outgoing connections. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)" + "text": "Query searches failed TLS outgoing connections. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -435,7 +404,7 @@ "name": "huntingquery8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for connections with insecure protocol. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for connections with insecure protocol. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -449,7 +418,7 @@ "name": "huntingquery9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for sources of spam mails. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for sources of spam mails. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] 
@@ -463,7 +432,7 @@ "name": "huntingquery10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query searches for top users receiving spam mails. This hunting query depends on CiscoSEG CiscoSEGAma CefAma data connector (CiscoSEGEvent CiscoSEGEvent CommonSecurityLog Parser or Table)" + "text": "Query searches for top users receiving spam mails. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] diff --git a/Solutions/CiscoSEG/Package/mainTemplate.json b/Solutions/CiscoSEG/Package/mainTemplate.json index 4fdd7082a10..60be5dfe577 100644 --- a/Solutions/CiscoSEG/Package/mainTemplate.json +++ b/Solutions/CiscoSEG/Package/mainTemplate.json 
@@ -41,85 +41,85 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "CiscoSEG", - "_solutionVersion": "3.0.3", + "_solutionVersion": "3.0.4", "solutionId": "azuresentinel.azure-sentinel-solution-ciscoseg", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.2", + "analyticRuleVersion1": "1.0.3", "_analyticRulecontentId1": "df5c34dd-e1e6-4e07-90b1-4309ebfe754c", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'df5c34dd-e1e6-4e07-90b1-4309ebfe754c')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('df5c34dd-e1e6-4e07-90b1-4309ebfe754c')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','df5c34dd-e1e6-4e07-90b1-4309ebfe754c','-', '1.0.2')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','df5c34dd-e1e6-4e07-90b1-4309ebfe754c','-', '1.0.3')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.2", + "analyticRuleVersion2": "1.0.3", "_analyticRulecontentId2": "236e872c-31d1-4b45-ac2a-fda3af465c97", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '236e872c-31d1-4b45-ac2a-fda3af465c97')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('236e872c-31d1-4b45-ac2a-fda3af465c97')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','236e872c-31d1-4b45-ac2a-fda3af465c97','-', '1.0.2')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','236e872c-31d1-4b45-ac2a-fda3af465c97','-', '1.0.3')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.2", + "analyticRuleVersion3": "1.0.3", "_analyticRulecontentId3": "1399a9a5-6200-411e-8c34-ca5658754cf7", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1399a9a5-6200-411e-8c34-ca5658754cf7')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1399a9a5-6200-411e-8c34-ca5658754cf7')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1399a9a5-6200-411e-8c34-ca5658754cf7','-', '1.0.2')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1399a9a5-6200-411e-8c34-ca5658754cf7','-', '1.0.3')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.2", + "analyticRuleVersion4": "1.0.3", "_analyticRulecontentId4": "dfdb9a73-4335-4bb4-b29b-eb713bce61a6", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dfdb9a73-4335-4bb4-b29b-eb713bce61a6')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dfdb9a73-4335-4bb4-b29b-eb713bce61a6')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dfdb9a73-4335-4bb4-b29b-eb713bce61a6','-', '1.0.2')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dfdb9a73-4335-4bb4-b29b-eb713bce61a6','-', '1.0.3')))]" }, "analyticRuleObject5": { - 
"analyticRuleVersion5": "1.0.2", + "analyticRuleVersion5": "1.0.3", "_analyticRulecontentId5": "53242559-95ea-4d4c-b003-107e8f06304b", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '53242559-95ea-4d4c-b003-107e8f06304b')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('53242559-95ea-4d4c-b003-107e8f06304b')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','53242559-95ea-4d4c-b003-107e8f06304b','-', '1.0.2')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','53242559-95ea-4d4c-b003-107e8f06304b','-', '1.0.3')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.2", + "analyticRuleVersion6": "1.0.3", "_analyticRulecontentId6": "2e5158e1-9fc2-40ff-a909-c701a13a0405", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2e5158e1-9fc2-40ff-a909-c701a13a0405')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2e5158e1-9fc2-40ff-a909-c701a13a0405')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2e5158e1-9fc2-40ff-a909-c701a13a0405','-', '1.0.2')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2e5158e1-9fc2-40ff-a909-c701a13a0405','-', '1.0.3')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.2", + "analyticRuleVersion7": "1.0.3", "_analyticRulecontentId7": "506291dd-8050-4c98-a92f-58e376080a0a", "analyticRuleId7": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '506291dd-8050-4c98-a92f-58e376080a0a')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('506291dd-8050-4c98-a92f-58e376080a0a')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','506291dd-8050-4c98-a92f-58e376080a0a','-', '1.0.2')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','506291dd-8050-4c98-a92f-58e376080a0a','-', '1.0.3')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.2", + "analyticRuleVersion8": "1.0.3", "_analyticRulecontentId8": "ef0a253c-95b5-48e1-8ebc-dbeb073b9338", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ef0a253c-95b5-48e1-8ebc-dbeb073b9338')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ef0a253c-95b5-48e1-8ebc-dbeb073b9338')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ef0a253c-95b5-48e1-8ebc-dbeb073b9338','-', '1.0.2')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ef0a253c-95b5-48e1-8ebc-dbeb073b9338','-', '1.0.3')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.2", + "analyticRuleVersion9": "1.0.3", "_analyticRulecontentId9": "9cb4a02d-3708-42ba-b33b-0fdd360ce4b6", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9cb4a02d-3708-42ba-b33b-0fdd360ce4b6')]", "analyticRuleTemplateSpecName9": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9cb4a02d-3708-42ba-b33b-0fdd360ce4b6')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb4a02d-3708-42ba-b33b-0fdd360ce4b6','-', '1.0.2')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9cb4a02d-3708-42ba-b33b-0fdd360ce4b6','-', '1.0.3')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.2", + "analyticRuleVersion10": "1.0.3", "_analyticRulecontentId10": "f8ba18c4-81e3-4db0-8f85-4989f2ed2ade", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f8ba18c4-81e3-4db0-8f85-4989f2ed2ade')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f8ba18c4-81e3-4db0-8f85-4989f2ed2ade')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f8ba18c4-81e3-4db0-8f85-4989f2ed2ade','-', '1.0.2')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f8ba18c4-81e3-4db0-8f85-4989f2ed2ade','-', '1.0.3')))]" }, "analyticRuleObject11": { - "analyticRuleVersion11": "1.0.2", + "analyticRuleVersion11": "1.0.3", "_analyticRulecontentId11": "c66b8ced-8c76-415b-a0f3-08c7030a857d", "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c66b8ced-8c76-415b-a0f3-08c7030a857d')]", "analyticRuleTemplateSpecName11": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c66b8ced-8c76-415b-a0f3-08c7030a857d')))]", - "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c66b8ced-8c76-415b-a0f3-08c7030a857d','-', '1.0.2')))]" + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c66b8ced-8c76-415b-a0f3-08c7030a857d','-', '1.0.3')))]" }, "huntingQueryObject1": { "huntingQueryVersion1": "1.0.0", 
@@ -178,24 +178,6 @@ "parserVersion1": "1.0.0", "parserContentId1": "CiscoSEGEvent-Parser" }, - "uiConfigId1": "CiscoSEG", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "CiscoSEG", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "CiscoSEGAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "CiscoSEGAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": 
"1.0.0", "workbookContentId1": "CiscoSEGWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", @@ -215,7 +197,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEGDLPViolation_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "CiscoSEGDLPViolation_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -242,18 +224,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "dataTypes": [ - "CiscoSEGEvent" - ], - "connectorId": "CiscoSEG" - }, - { - "dataTypes": [ - "CiscoSEGEvent" - ], - "connectorId": "CiscoSEGAma" - }, { "dataTypes": [ "CommonSecurityLog" @@ -269,13 +239,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -331,7 +301,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEGMaliciousAttachmentNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "CiscoSEGMaliciousAttachmentNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -358,18 +328,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "dataTypes": [ - "CiscoSEGEvent" - ], - "connectorId": "CiscoSEG" - }, - { - "dataTypes": [ - "CiscoSEGEvent" - ], - "connectorId": "CiscoSEGAma" - }, { "dataTypes": [ "CommonSecurityLog" @@ -385,13 +343,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -447,7 +405,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEGMultipleLargeEmails_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "CiscoSEGMultipleLargeEmails_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -474,18 +432,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "dataTypes": [ - "CiscoSEGEvent" - ], - "connectorId": "CiscoSEG" - }, - { - "dataTypes": [ - "CiscoSEGEvent" - ], - "connectorId": "CiscoSEGAma" - }, { "dataTypes": [ "CommonSecurityLog" @@ -501,13 +447,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } 
@@ -563,7 +509,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEGMultipleSuspiciousEmails_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "CiscoSEGMultipleSuspiciousEmails_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -590,18 +536,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "dataTypes": [ - "CiscoSEGEvent" - ], - "connectorId": "CiscoSEG" - }, - { - "dataTypes": [ - "CiscoSEGEvent" - ], - "connectorId": "CiscoSEGAma" - }, { "dataTypes": [ "CommonSecurityLog" @@ -617,13 +551,13 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "columnName": "AccountCustomEntity", "identifier": "Name" } - ], - "entityType": "Account" + ] } ] } @@ -679,7 +613,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEGPossibleOutbreak_AnalyticalRules Analytics Rule with template version 3.0.3", + "description": "CiscoSEGPossibleOutbreak_AnalyticalRules Analytics Rule with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -706,18 +640,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
 {
 "dataTypes": [
 "CommonSecurityLog"
@@ -733,13 +655,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -795,7 +717,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGPotentialLinkToMalwareDownload_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGPotentialLinkToMalwareDownload_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -822,18 +744,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
 {
 "dataTypes": [
 "CommonSecurityLog"
@@ -849,13 +759,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -911,7 +821,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGSuspiciousLink_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGSuspiciousLink_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -938,18 +848,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
 {
 "dataTypes": [
 "CommonSecurityLog"
@@ -965,13 +863,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1027,7 +925,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGSuspiciousSenderDomain_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGSuspiciousSenderDomain_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1054,18 +952,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
 {
 "dataTypes": [
 "CommonSecurityLog"
@@ -1081,13 +967,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1143,7 +1029,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGUnclassifiedLink_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGUnclassifiedLink_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1170,18 +1056,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
 {
 "dataTypes": [
 "CommonSecurityLog"
@@ -1197,13 +1071,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1259,7 +1133,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGUnexpextedAttachment_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGUnexpextedAttachment_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -1286,18 +1160,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
 {
 "dataTypes": [
 "CommonSecurityLog"
@@ -1313,13 +1175,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1375,7 +1237,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGUnscannableAttachment_AnalyticalRules Analytics Rule with template version 3.0.3",
+ "description": "CiscoSEGUnscannableAttachment_AnalyticalRules Analytics Rule with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]",
@@ -1402,18 +1264,6 @@
 "triggerThreshold": 0,
 "status": "Available",
 "requiredDataConnectors": [
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEG"
- },
- {
- "dataTypes": [
- "CiscoSEGEvent"
- ],
- "connectorId": "CiscoSEGAma"
- },
 {
 "dataTypes": [
 "CommonSecurityLog"
@@ -1429,13 +1279,13 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
 "columnName": "AccountCustomEntity",
 "identifier": "Name"
 }
- ],
- "entityType": "Account"
+ ]
 }
 ]
 }
@@ -1491,7 +1341,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGDroppedInMails_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGDroppedInMails_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -1576,7 +1426,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGDroppedOutMails_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGDroppedOutMails_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -1661,7 +1511,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGFailedDKIMFailure_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGFailedDKIMFailure_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -1746,7 +1596,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGFailedDMARKFailure_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGFailedDMARKFailure_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -1831,7 +1681,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGFailedSPFFailure_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGFailedSPFFailure_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -1916,7 +1766,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGFailedTLSIn_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGFailedTLSIn_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -2001,7 +1851,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGFailedTLSOut_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGFailedTLSOut_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -2086,7 +1936,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGInsecureProtocol_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGInsecureProtocol_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -2171,7 +2021,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGSpamMails_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGSpamMails_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -2256,7 +2106,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGUsersReceivedSpam_HuntingQueries Hunting Query with template version 3.0.3",
+ "description": "CiscoSEGUsersReceivedSpam_HuntingQueries Hunting Query with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -2341,7 +2191,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CiscoSEGEvent Data Parser with template version 3.0.3",
+ "description": "CiscoSEGEvent Data Parser with template version 3.0.4",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -2464,678 +2314,6 @@ } } }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CiscoSEG data connector with template version 3.0.3", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Cisco Secure Email Gateway via Legacy Agent", - "publisher": "Cisco", - "descriptionMarkdown": "The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": 
"CiscoSEG", - "baseQuery": "CiscoSEGEvent" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Senders", - "query": "CiscoSEGEvent\n | where isnotempty(SrcUserName)\n | summarize count() by SrcUserName\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CiscoSEG)", - "lastDataReceivedQuery": "CiscoSEGEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CiscoSEGEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": ">**NOTE:** This data connector has been developed using AsyncOS 14.0 for Cisco Secure Email Gateway" - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n2.1. 
Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "CiscoSEG", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Cisco Secure Email Gateway via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - 
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "CiscoSEG", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Cisco Secure Email Gateway via Legacy Agent", - "publisher": "Cisco", - "descriptionMarkdown": "The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CiscoSEG", - "baseQuery": "CiscoSEGEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CiscoSEG)", - "lastDataReceivedQuery": "CiscoSEGEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CiscoSEGEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | 
project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Senders", - "query": "CiscoSEGEvent\n | where isnotempty(SrcUserName)\n | summarize count() by SrcUserName\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": ">**NOTE:** This data connector has been developed using AsyncOS 14.0 for Cisco Secure Email Gateway" - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n2.1. 
Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution." 
- } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CiscoSEG data connector with template version 3.0.3", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Cisco Secure Email Gateway via AMA", - "publisher": "Cisco", - "descriptionMarkdown": "The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CiscoSEG", - "baseQuery": 
"CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Senders", - "query": "CiscoSEGEvent\n | where isnotempty(SrcUserName)\n | summarize count() by SrcUserName\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CiscoSEG)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "2Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "CiscoSEG", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Cisco Secure Email Gateway via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "CiscoSEG", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Cisco Secure Email Gateway via AMA", - "publisher": "Cisco", - "descriptionMarkdown": "The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CiscoSEG", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CiscoSEG)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct 
=~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'ESA_CONSOLIDATED_LOG_EVENT'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Senders", - "query": "CiscoSEGEvent\n | where isnotempty(SrcUserName)\n | summarize count() by SrcUserName\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. 
Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "2Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution." 
- } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -3145,7 +2323,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CiscoSEG Workbook with template version 3.0.3", + "description": "CiscoSEG Workbook with template version 3.0.4", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -3202,11 +2380,7 @@ "kind": "DataType" }, { - "contentId": "CiscoSEG", - "kind": "DataConnector" - }, - { - "contentId": "CiscoSEGAma", + "contentId": "CefAma", "kind": "DataConnector" } ] @@ -3233,12 +2407,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.3", + "version": "3.0.4", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "CiscoSEG", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Secure Email Gateway (SEG) solution provides the capability to ingest Cisco SEG Consolidated Event Logs into Microsoft Sentinel.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cisco Secure Email Gateway (SEG) solution provides the capability to ingest Cisco SEG Consolidated Event Logs into Microsoft Sentinel.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3372,16 +2546,6 @@ "contentId": "[variables('parserObject1').parserContentId1]", "version": "[variables('parserObject1').parserVersion1]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/CiscoSEG/ReleaseNotes.md b/Solutions/CiscoSEG/ReleaseNotes.md index f42f3649670..fb57a6e0dc4 100644 --- a/Solutions/CiscoSEG/ReleaseNotes.md +++ b/Solutions/CiscoSEG/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.4 | 14-11-2024 | Removed Deprecated **Data Connector** | | 3.0.3 | 08-07-2024 | Deprecated **Data Connector** | | 3.0.2 | 03-05-2024 | Repackaged for parser issue fix on reinstall | | 3.0.1 | 30-04-2024 | Updated the **Data Connector** to fix conectivity criteria query | diff --git a/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip b/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip index 67b5ff25943..89dbcb71e6d 100644 Binary files a/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip and b/Solutions/CiscoUmbrella/Data Connectors/CiscoUmbrellaConn.zip differ diff --git a/Solutions/CiscoUmbrella/Data Connectors/requirements.txt b/Solutions/CiscoUmbrella/Data Connectors/requirements.txt index 1642f88f05f..7a187d0377e 100644 --- a/Solutions/CiscoUmbrella/Data Connectors/requirements.txt +++ b/Solutions/CiscoUmbrella/Data Connectors/requirements.txt 
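Review bot: The new descriptionHtml still carries `NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.`, yet this same commit removes those connectors (the `@@ -3202` hunk swaps the CiscoSEG/CiscoSEGAma dependencies for CefAma and the release-notes entry for 3.0.4 reads "Removed Deprecated **Data Connector**"), so a forward-looking deprecation notice is now stale in the text installers read. Suggest dropping that sentence, since the preceding sentence already states that collection is provided by the CEF via AMA connector of the Common Event Format solution. The component count on the new side (`Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10`) is consistent with the removed connector entries, and the version bump to 3.0.4 matches the release notes.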
@@ -24,4 +24,4 @@ requests-oauthlib==1.3.1 s3transfer==0.2.1 six==1.16.0 typing_extensions==4.0.0 -urllib3==1.25.11 \ No newline at end of file +urllib3==1.26.19 \ No newline at end of file diff --git a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/function.json b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/function.json index feddd04c9d8..52e3b3e020f 100644 --- a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/function.json +++ b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/function.json @@ -1,12 +1,12 @@ { - "scriptFile": "main.py", - "bindings": [ - { - "name": "mytimer", - "type": "timerTrigger", - "direction": "in", - "schedule": "0 */3 * * * *", - "runOnStartup": false - } - ] - } + "scriptFile": "main.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "0 */5 * * * *", + "runOnStartup": false + } + ] +} \ No newline at end of file diff --git a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py index 88ce4897ebc..94c620b4122 100644 --- a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py +++ b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/main.py @@ -1,3 +1,5 @@ +# This is function version 2.0.0 supporting python > 3.9 + import os import asyncio from azure.storage.blob.aio import ContainerClient 
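Review bot: The only functional change in the function.json hunk is the timer schedule, `"schedule": "0 */5 * * * *"` (previously every 3 minutes), but it is buried in a re-indent of every line and a dropped trailing newline, which makes the behaviour change easy to miss in review and in blame. Consider keeping the whitespace change out of this hunk and restoring the final newline. The new polling interval should also be recorded together with the other defaults changed in main.py in this commit (concurrency, chunk size); I do not see a Cloudflare release-notes entry in this chunk, so operators have no visible explanation for the increased ingestion latency.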
@@ -28,11 +30,11 @@ SHARED_KEY = os.environ['SHARED_KEY'] LOG_TYPE = 'Cloudflare' LINE_SEPARATOR = os.environ.get( - 'lineSeparator', '[\n\r\x0b\v\x0c\f\x1c\x1d\x85\x1e\u2028\u2029]+') + 'lineSeparator', '[\n\r]+') # Defines how many files can be processed simultaneously MAX_CONCURRENT_PROCESSING_FILES = int( - os.environ.get('MAX_CONCURRENT_PROCESSING_FILES', 10)) + os.environ.get('MAX_CONCURRENT_PROCESSING_FILES', 5)) # Defines page size while listing files from blob storage. New page is not processed while old page is processing. MAX_PAGE_SIZE = int(MAX_CONCURRENT_PROCESSING_FILES * 20) @@ -41,7 +43,7 @@ MAX_BUCKET_SIZE = int(os.environ.get('MAX_BUCKET_SIZE', 2000)) # Defines max chunk download size for blob storage in MB -MAX_CHUNK_SIZE_MB = int(os.environ.get('MAX_CHUNK_SIZE_MB', 1)) +MAX_CHUNK_SIZE_MB = int(os.environ.get('MAX_CHUNK_SIZE_MB', 30)) LOG_ANALYTICS_URI = os.environ.get('logAnalyticsUri') @@ -69,11 +71,9 @@ async def main(mytimer: func.TimerRequest): try: cor = conn.process_blob(blob, container_client, session) cors.append(cor) - logging.info(f'len(cors) is {len(cors)}') except Exception as e: logging.error(f'Exception in processing blob is {e}') if len(cors) >= MAX_PAGE_SIZE: - logging.info(f'len(cors) is {len(cors)}') await asyncio.gather(*cors) cors = [] if conn.check_if_script_runs_too_long(): @@ -107,8 +107,8 @@ def _create_container_client(self): return ContainerClient.from_connection_string(self.__conn_string, self.__container_name, logging_enable=False, max_single_get_size=MAX_CHUNK_SIZE_MB*1024*1024, max_chunk_get_size=MAX_CHUNK_SIZE_MB*1024*1024) except Exception as ex: logging.error('An error occurred in _create_container_client: {}'.format(str(ex))) - logging.error(traceback.format_exc()) - return None + logging.error(traceback.format_exc()) + return None async def get_blobs(self): try: 
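Review bot: `MAX_CHUNK_SIZE_MB` defaults to 30 instead of 1 (hunk `@@ -41,7 +43,7 @@`) while `MAX_CONCURRENT_PROCESSING_FILES` halves to 5; since `_create_container_client` passes that value as both `max_single_get_size` and `max_chunk_get_size`, the worst-case buffered download per run moves from roughly 10 x 1 MB to 5 x 30 MB, a 15x increase that a Function App with a fixed memory ceiling may not absorb. The reasoning behind the new numbers deserves a comment next to the constant, e.g. `# 30 MB chunks keep per-blob round trips low; concurrency is capped at 5 to bound memory at about 5 x 30 MB per run` (figures constructed from the defaults in this hunk; adjust to the measured batch size). The `lineSeparator` default also shrinks to `'[\n\r]+'`, which silently changes record splitting for any deployment whose data relied on the Unicode/NEL terminators in the old pattern; that change belongs in the version 2.0.0 header comment added at the top of the file or in a comment on this constant. These constants are module-level statements, so the run they belong to extends beyond the hunk.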
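Review bot: Moving `logging.error(traceback.format_exc())` and `return None` into the except block makes the failure path explicit, but `_create_container_client` still returns `None` on error, so its caller (get_blobs starts at the end of the hunk; its body is outside it) would presumably hit an AttributeError on the first method call instead of the real cause. Prefer re-raising after logging (`raise`) so the invocation fails on the connection error itself, and collapse the two log calls into one `logging.exception('An error occurred in _create_container_client')`, which records message and traceback together. The SDK exception message is logged verbatim with `str(ex)`; confirm it cannot include the connection string or account key before this reaches the log sink.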
@@ -161,6 +161,7 @@ async def process_blob(self, blob, container_client, session: aiohttp.ClientSess except JSONDecodeError as je: logging.error('JSONDecode error while loading json event at line value {}. blob name: {}. Error {}'.format( line, blob['name'], str(je))) + raise je except ValueError as e: logging.error('Error while loading json Event at line value {}. blob name: {}. Error: {}'.format( line, blob['name'], str(e))) @@ -173,6 +174,7 @@ async def process_blob(self, blob, container_client, session: aiohttp.ClientSess except JSONDecodeError as je: logging.error('JSONDecode error while loading json event at line value {}. blob name: {}. Error {}'.format( line, blob['name'], str(je))) + raise je except ValueError as e: logging.error('Error while loading json Event at s value {}. blob name: {}. Error: {}'.format( line, blob['name'], str(e))) diff --git a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/sentinel_connector_async.py b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/sentinel_connector_async.py index 41fcf2ce9b0..c132131e7c6 100644 --- a/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/sentinel_connector_async.py +++ b/Solutions/Cloudflare/Data Connectors/AzureFunctionCloudflare/sentinel_connector_async.py @@ -104,4 +104,4 @@ def _split_big_request(self, queue): else: middle = int(len(queue) / 2) queues_list = [queue[:middle], queue[middle:]] - return self._split_big_request(queues_list[0]) + self._split_big_request(queues_list[1]) + return self._split_big_request(queues_list[0]) + self._split_big_request(queues_list[1]) \ No newline at end of file diff --git a/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip b/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip index 4f3dc7b57d3..8920b5c6d72 100644 Binary files a/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip and b/Solutions/Cloudflare/Data Connectors/CloudflareConn.zip differ 
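Review bot: `raise je` after the log call changes the failure semantics: one malformed line now aborts `process_blob` for the whole blob, and because main awaits these coroutines with `asyncio.gather(*cors)` (hunk `@@ -69,11 +71,9 @@`) without `return_exceptions=True`, gather propagates the first JSONDecodeError while the sibling tasks keep running unobserved, and unless a handler outside that hunk catches it the invocation fails with the rest of the page unaccounted for. If the intent is to fail fast on bad data, use a bare `raise` (keeps the traceback and is the idiom) and handle it at the gather, `results = await asyncio.gather(*cors, return_exceptions=True)`, logging which blobs failed; if the intent was only to stop parsing that blob, catch it one level up inside `process_blob` instead. The same re-raise is added in hunk `@@ -173,6 +174,7 @@`, which I have not repeated. Note that the log line already writes the raw `line` content at ERROR level and the re-raised exception message may carry the same content, so confirm that is acceptable for whatever the blobs contain; `process_blob` begins and ends outside both hunks.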
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip index 54e7ec2b8b8..5548f750bff 100644 Binary files a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip and b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligenceDataConnector.zip differ diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json index 5963f895e4a..ba25365a329 100644 --- a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/CofenseIntelligence_API_FunctionApp.json 
@@ -158,7 +158,7 @@ }, { "title": "", - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "title": "", 
diff --git a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json index 77eba707943..b57053a9434 100644 --- a/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json +++ b/Solutions/CofenseIntelligence/Data Connectors/CofenseIntelligenceDataConnector/azuredeploy_Connector_CofenseIntelligence_AzureFunction.json @@ -274,7 +274,7 @@ "alwaysOn": true, "reserved": true, "siteConfig": { - "linuxFxVersion": "python|3.8" + "linuxFxVersion": "python|3.11" } }, "resources": [ diff --git a/Solutions/CofenseIntelligence/Package/3.0.0.zip b/Solutions/CofenseIntelligence/Package/3.0.0.zip index 157bdb03d41..0b0bb9dd97a 100644 Binary files a/Solutions/CofenseIntelligence/Package/3.0.0.zip and b/Solutions/CofenseIntelligence/Package/3.0.0.zip differ diff --git a/Solutions/CofenseIntelligence/Package/createUiDefinition.json b/Solutions/CofenseIntelligence/Package/createUiDefinition.json index 8f5c0c9abcf..17565951197 100644 --- a/Solutions/CofenseIntelligence/Package/createUiDefinition.json +++ b/Solutions/CofenseIntelligence/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CofenseIntelligence/ReleaseNotes.md)\r \n • _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints. \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\nc. 
[Microsoft Threat Intelligence Indicator API](https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/threat-intelligence-indicator)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CofenseIntelligence/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints. 
\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in \n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na.[Azure Monitor HTTP Data Collector API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb.[Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\nc.[Microsoft Threat Intelligence Indicator API](https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/threat-intelligence-indicator)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/CofenseIntelligence/Package/mainTemplate.json b/Solutions/CofenseIntelligence/Package/mainTemplate.json index 84d8c265e6a..f1e85c593d0 100644 --- a/Solutions/CofenseIntelligence/Package/mainTemplate.json +++ b/Solutions/CofenseIntelligence/Package/mainTemplate.json @@ -72,7 +72,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CofenseIntelligenceThreatIndicatorsWorkbook Workbook with template version 3.0.0", + "description": "CofenseIntelligenceThreatIndicators Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
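Review bot: The new description still contains the duplicated, truncated paragraph `**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in \n\n**Underlying Microsoft Technologies used:**…`: the first copy ends mid-sentence and the heading is rendered twice, and this rewrite of the string was the opportunity to fix it. The edit also drops the space after the list markers (`a.[Azure Monitor …`, `b.[Azure Functions]`, `c.[Microsoft …`), so the markdown renders as `a.[Azure` rather than a lettered list. Suggest deleting the first fragment up to the second heading and restoring `a. [`, `b. [`, `c. [`.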
@@ -90,7 +90,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [Cofense Intelligence Threat Indicators](https://www.threathq.com)\\n---\\n\\nCofense Intelligence is a human-vetted phishing-threat intelligence service that provides accurate and timely alerts and in-depth analysis to strengthen your enterprise's ability to quickly identify and respond to phishing attacks in progress.\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Cofense Intelligence Logo](https://cdn.splunkbase.splunk.com/media/public/icons/da85629e-b54b-11ec-90ee-aa325d5405c9.svg?width=200&height=100)\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel 
Logo\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| 
summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render 
barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are 
marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| where ConfidenceScore != \\\"\\\"\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data 
of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by 
EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n | where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage 
desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n| where Tags != \\\"\\\"\\r\\n| parse Tags with * \\\"[\\\\\\\"threatID-\\\" threat_id \\\"\\\\\\\"]\\\"\\r\\n| extend threat_id = toreal(threat_id)\\r\\n| join kind=inner Malware_Data_CL on $left.threat_id == $right.id_d\\r\\n// latest data of cofense indicator to avoid duplicates \\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| extend Ioc = case(ThreatType == \\\"File\\\", FileHashValue, \\r\\n ThreatType == \\\"URL\\\", Url,\\r\\n DomainName)\\r\\n| order by TimeGenerated desc\\r\\n| project [\\\"Threat ID\\\"]=threat_id, [\\\"Confidence Score\\\"]=ConfidenceScore, [\\\"Threat Type\\\"]=ThreatType, [\\\"IOC\\\"]=Ioc, Label=label_s, [\\\"Last Published\\\"]=unixtime_microseconds_todatetime(lastPublished_d*1000), [\\\"First Published\\\"]=unixtime_microseconds_todatetime(firstPublished_d*1000), [\\\"Threat Detail URL\\\"]=threatDetailURL_s, [\\\"Download Report 
(HTML)\\\"]=ReportDownload_HTML__s, [\\\"Download Report (PDF)\\\"]=ReportDownload_PDF__s, [\\\"Executive Summary\\\"]=executiveSummary_s\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Intelligence Threat Indicators Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Confidence Score\",\"formatter\":1},{\"columnMatch\":\"Threat Detail URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Download Report (HTML)\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Download HTML Report\"}},{\"columnMatch\":\"Download Report (PDF)\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Download PDF Report\"}},{\"columnMatch\":\"threat Detail URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Report URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 6\"}]},\"name\":\"Indicators Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseIntelligenceThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": 
\\\"No\\\"}\\r\\n]\"},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [Cofense Intelligence Threat Indicators](https://www.threathq.com)\\n---\\n\\nCofense Intelligence is a human-vetted phishing-threat intelligence service that provides accurate and timely alerts and in-depth analysis to strengthen your enterprise's ability to quickly identify and respond to phishing attacks in progress.\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Cofense Intelligence Logo](https://cdn.splunkbase.splunk.com/media/public/icons/da85629e-b54b-11ec-90ee-aa325d5405c9.svg?width=200&height=100)\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"Microsoft Sentinel Logo\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or 
isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h),SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"SourceSystem\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Cofense Intelligence Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator 
to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select Cofense indicators from the table\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| where ConfidenceScore != \\\"\\\"\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":3,\"showAnalytics\":true,\"title\":\"Number of Active Cofense Intelligence Indicators by Confidence 
Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense 
Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n// latest data of cofense indicator to avoid duplicates\\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet 
MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n | where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n // latest data of cofense indicator to avoid duplicates\\r\\n | summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Cofense Threat Intelligence 
Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Source_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where SourceSystem == \\\"Cofense Intelligence\\\"\\r\\n| where Tags != \\\"\\\"\\r\\n| parse Tags with * \\\"[\\\\\\\"threatID-\\\" threat_id \\\"\\\\\\\"]\\\"\\r\\n| extend threat_id = toreal(threat_id)\\r\\n| join kind=inner Malware_Data_CL on $left.threat_id == $right.id_d\\r\\n// latest data of cofense indicator to avoid duplicates \\r\\n| summarize arg_max(TimeGenerated,*) by ExternalIndicatorId\\r\\n| extend Ioc = case(ThreatType == \\\"File\\\", FileHashValue, \\r\\n ThreatType == \\\"URL\\\", Url,\\r\\n DomainName)\\r\\n| order by TimeGenerated desc\\r\\n| project [\\\"Threat ID\\\"]=threat_id, [\\\"Confidence Score\\\"]=ConfidenceScore, [\\\"Threat Type\\\"]=ThreatType, [\\\"IOC\\\"]=Ioc, Label=label_s, [\\\"Last Published\\\"]=unixtime_microseconds_todatetime(lastPublished_d*1000), [\\\"First Published\\\"]=unixtime_microseconds_todatetime(firstPublished_d*1000), [\\\"Threat Detail URL\\\"]=threatDetailURL_s, [\\\"Download Report (HTML)\\\"]=ReportDownload_HTML__s, [\\\"Download Report (PDF)\\\"]=ReportDownload_PDF__s, [\\\"Executive Summary\\\"]=executiveSummary_s\",\"size\":0,\"showAnalytics\":true,\"title\":\"Cofense Intelligence Threat Indicators 
Data\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Confidence Score\",\"formatter\":1},{\"columnMatch\":\"Threat Detail URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Download Report (HTML)\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Download HTML Report\"}},{\"columnMatch\":\"Download Report (PDF)\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Download PDF Report\"}},{\"columnMatch\":\"threat Detail URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Report URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"Threat Indicator Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 6\"}]},\"name\":\"Indicators Ingestion\"}],\"fromTemplateId\":\"sentinel-CofenseIntelligenceThreatIndicators\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -329,7 +329,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense BaseURL (https:///) \n\t\tCofense Username \n\t\tCofense Password \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tFunction App Name \n\t\tAzure Subscription ID \n\t\tRequireProxy \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tLogLevel (optional) \n\t\tMalware_Data_Table_name\n\t\tSendCofenseIndicatorToDefender \n\t\tSchedule \n4. Once all application settings have been entered, click **Save**." 
@@ -566,7 +566,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseIntelligence-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **+ New application setting**.\n3. 
Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense BaseURL (https:///) \n\t\tCofense Username \n\t\tCofense Password \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tFunction App Name \n\t\tAzure Subscription ID \n\t\tRequireProxy \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tLogLevel (optional) \n\t\tMalware_Data_Table_name\n\t\tSendCofenseIndicatorToDefender \n\t\tSchedule \n4. Once all application settings have been entered, click **Save**." @@ -586,7 +586,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "CofenseIntelligence", "publisherDisplayName": "Cofense Support", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n

a.Azure Monitor HTTP Data Collector API

\n

b.Azure Functions

\n

c.Microsoft Threat Intelligence Indicator API

\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Cofense-Intelligence solution provides the capability to ingest Threat Indicators from the Cofense Intelligence platform to Threat Intelligence Indicators in Microsoft Sentinel and Cofense Intelligence Threat Intelligence Indicators from Microsoft Sentinel Threat Intelligence to Microsoft Defender for Endpoints.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n

a.Azure Monitor HTTP Data Collector API

\n

b.Azure Functions

\n

c.Microsoft Threat Intelligence Indicator API

\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/CofenseIntelligence/Package/testParameters.json b/Solutions/CofenseIntelligence/Package/testParameters.json new file mode 100644 index 00000000000..101581b42ca --- /dev/null +++ b/Solutions/CofenseIntelligence/Package/testParameters.json @@ -0,0 +1,32 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "CofenseIntelligenceThreatIndicators", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } +} diff --git a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriageDataConnector.zip b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriageDataConnector.zip index d652d19a876..d2c0386b065 100644 Binary files a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriageDataConnector.zip and b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriageDataConnector.zip differ 
diff --git a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriage_API_FunctionApp.json b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriage_API_FunctionApp.json
index ec694cb28ce..46663bea0c5 100644
--- a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriage_API_FunctionApp.json
+++ b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/CofenseTriage_API_FunctionApp.json
@@ -192,7 +192,7 @@ }, { "title": "", - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "title": "", 
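Review bot: The runtime guidance in the new `+` line still reads `Choose Python 3.11 or above.` while the README hunk in the same change narrows it to `Choose Python 3.11` and azuredeploy_CofenseTriage_API_AzureFunction.json pins `"linuxFxVersion": "python|3.11"`; the connector UI text should match the pinned runtime rather than invite a newer interpreter that the rebuilt function-app package may not have been exercised on. Suggested text for step e: `\te. **Select a runtime:** Choose Python 3.11.`. The same `or above` wording recurs in the CofenseIntelligence and CofenseTriage Package/mainTemplate.json hunks (@@ -329, @@ -566, @@ -363, @@ -634); those appear to be packaged copies of the connector definitions and would presumably pick up the corrected wording on the next packaging run once this source file is fixed.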
diff --git a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/README.md b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/README.md
index 085909527b7..51376430846 100644
--- a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/README.md
+++ b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/README.md
@@ -169,7 +169,7 @@ Use the following step-by-step instructions to deploy the Cofense Threat Indicat
 2. Select Subscription: Choose the subscription to use.
 3. Select Create new Function App in Azure (Don't choose the Advanced option)
 4. Enter a globally unique name for the function app: Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).
- 5. Select a runtime: Choose Python 3.8 or above.
+ 5. Select a runtime: Choose Python 3.11
 6. Select a location for new resources. For better performance and lower costs choose the same region where Microsoft Sentinel is located.
 6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.
 7. Go to Azure Portal for the Function App configuration.
diff --git a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/azuredeploy_CofenseTriage_API_AzureFunction.json b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/azuredeploy_CofenseTriage_API_AzureFunction.json
index 3433150906f..ac07e804e9f 100644
--- a/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/azuredeploy_CofenseTriage_API_AzureFunction.json
+++ b/Solutions/CofenseTriage/Data Connectors/CofenseTriageDataConnector/azuredeploy_CofenseTriage_API_AzureFunction.json
@@ -278,7 +278,7 @@
 "alwaysOn": true,
 "reserved": true,
 "siteConfig": {
- "linuxFxVersion": "python|3.8"
+ "linuxFxVersion": "python|3.11"
 }
 },
 "resources": [
diff --git a/Solutions/CofenseTriage/Package/3.0.0.zip b/Solutions/CofenseTriage/Package/3.0.0.zip
index 148e6d36fd0..b9a02a11dcc 100644
Binary files a/Solutions/CofenseTriage/Package/3.0.0.zip and b/Solutions/CofenseTriage/Package/3.0.0.zip differ
diff --git a/Solutions/CofenseTriage/Package/mainTemplate.json b/Solutions/CofenseTriage/Package/mainTemplate.json
index 6ccebe09aaf..47fffb5a090 100644
--- a/Solutions/CofenseTriage/Package/mainTemplate.json
+++ b/Solutions/CofenseTriage/Package/mainTemplate.json
@@ -363,7 +363,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense URL (https:///) \n\t\tCofense Client ID \n\t\tCofense Client Secret \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tAzure Subscription ID \n\t\tThreat Level \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tThrottle Limit for Non-Cofense Indicators (optional) \n\t\tLogLevel (optional) \n\t\tReports Table Name \n\t\tSchedule \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." 
@@ -634,7 +634,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CofenseThreatIndicatorsAPI-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CofenseXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11 or above.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **+ New application setting**.\n3. Add each of the following application settings individually, with their respective values (case-sensitive): \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tCofense URL (https:///) \n\t\tCofense Client ID \n\t\tCofense Client Secret \n\t\tAzure Client ID \n\t\tAzure Client Secret \n\t\tAzure Tenant ID \n\t\tAzure Resource Group Name \n\t\tAzure Workspace Name \n\t\tAzure Subscription ID \n\t\tThreat Level \n\t\tProxy Username (optional) \n\t\tProxy Password (optional) \n\t\tProxy URL (optional) \n\t\tProxy Port (optional) \n\t\tThrottle Limit for Non-Cofense Indicators (optional) \n\t\tLogLevel (optional) \n\t\tReports Table Name \n\t\tSchedule \n\t\tlogAnalyticsUri (optional) \n - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." diff --git a/Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.cs b/Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.cs index d27a84081da..3cf6af2b47a 100644 --- a/Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.cs +++ b/Solutions/CohesitySecurity/Data Connectors/Helios2Sentinel/IncidentProducer/IncidentProducer.cs 
@@ -352,7 +352,7 @@ public static async Task RunAsync(
 private static async Task FetchAlerts(long startDateUsecs, long endDateUsecs, ILogger log)
 {
- string requestUriString = $"https://helios-sandbox2.cohesity.com/v2/mcm/alert-service/alerts?startTimeUsecs={startDateUsecs}&maxAlerts=1000&endTimeUsecs={endDateUsecs}&alertCategoryList=Security";
+ string requestUriString = $"https://helios.cohesity.com/v2/mcm/alert-service/alerts?startTimeUsecs={startDateUsecs}&maxAlerts=1000&endTimeUsecs={endDateUsecs}&alertCategoryList=Security";
 log.LogInformation("requestUriString --> " + requestUriString);
 using HttpClient client = new();
 client.DefaultRequestHeaders.Accept.Clear();
diff --git a/Solutions/CohesitySecurity/Data/Solution_CohesitySecurity.json b/Solutions/CohesitySecurity/Data/Solution_CohesitySecurity.json
index 408b99c0d77..e305e627920 100644
--- a/Solutions/CohesitySecurity/Data/Solution_CohesitySecurity.json
+++ b/Solutions/CohesitySecurity/Data/Solution_CohesitySecurity.json
@@ -14,7 +14,7 @@
 "Playbooks/Cohesity_Delete_Incident_Blobs/azuredeploy.json"
 ],
 "BasePath": "/home/cohesity/workspace/Azure-Sentinel/Solutions/CohesitySecurity",
- "Version": "3.1.1",
+ "Version": "3.1.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/CohesitySecurity/Package/3.1.2.zip b/Solutions/CohesitySecurity/Package/3.1.2.zip
new file mode 100644
index 00000000000..c2c19f13b93
Binary files /dev/null and b/Solutions/CohesitySecurity/Package/3.1.2.zip differ
diff --git a/Solutions/CohesitySecurity/Package/mainTemplate.json b/Solutions/CohesitySecurity/Package/mainTemplate.json
index 1ca5d07d6e6..4eb6d94ff43 100644
--- a/Solutions/CohesitySecurity/Package/mainTemplate.json
+++ b/Solutions/CohesitySecurity/Package/mainTemplate.json
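Review bot: The production Helios host in the new `requestUriString` line is still a literal buried inside the interpolated string in `FetchAlerts`, which is exactly how a sandbox host was able to ship in 3.1.1; a named constant or a function-app setting would put the target environment in one reviewable place instead of a query-string literal. For example `private const string HeliosBaseUrl = "https://helios.cohesity.com";` at class scope and `$"{HeliosBaseUrl}/v2/mcm/alert-service/alerts?startTimeUsecs={startDateUsecs}&maxAlerts=1000&endTimeUsecs={endDateUsecs}&alertCategoryList=Security"` here. The `log.LogInformation` call below records the full URL at Information level; with the current query that is only time bounds, a page size and a category, which is acceptable, but it should stay that way if credentials or tenant identifiers are ever appended to the URL. FetchAlerts's body continues past the end of the hunk.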
@@ -33,7 +33,7 @@ "email": "support@cohesity.com", "_email": "[variables('email')]", "_solutionName": "CohesitySecurity", - "_solutionVersion": "3.1.1", + "_solutionVersion": "3.1.2", "solutionId": "cohesitydev1592001764720.cohesity_sentinel_data_connector", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "CohesityDataConnector", @@ -99,7 +99,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CohesitySecurity data connector with template version 3.1.1", + "description": "CohesitySecurity data connector with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -390,7 +390,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "My_Cohesity_Send_Incident_Email Playbook with template version 3.1.1", + "description": "My_Cohesity_Send_Incident_Email Playbook with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", 
@@ -639,7 +639,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "My_Cohesity_Restore_From_Last_Snapshot Playbook with template version 3.1.1", + "description": "My_Cohesity_Restore_From_Last_Snapshot Playbook with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -871,7 +871,7 @@ "name": "Sentinel_triggered_restore_task_@{body('Get_object_from_blob_content')}", "objects": [ { - "job_id": "@int(string(body('Get_job_id_from_blob_content')))", + "jobId": "@int(string(body('Get_job_id_from_blob_content')))", "jobRunId": "@int(string(body('Get_job_instance_id_from_blob_content')))", "protectionSourceId": "@int(string(body('Get_entity_id_from_blob_content')))", "sourceName": "@{body('Get_object_from_blob_content')}", @@ -1082,7 +1082,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "My_Cohesity_Close_Helios_Incident Playbook with template version 3.1.1", + "description": "My_Cohesity_Close_Helios_Incident Playbook with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -1355,7 +1355,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident Playbook with template version 3.1.1", + "description": "My_Cohesity_CreateOrUpdate_ServiceNow_Incident Playbook with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -2136,7 +2136,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "My_Cohesity_Delete_Incident_Blobs Playbook with template version 3.1.1", + "description": "My_Cohesity_Delete_Incident_Blobs Playbook with template version 3.1.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -2419,7 +2419,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.1", + "version": "3.1.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "CohesitySecurity", diff --git a/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json b/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json index 60879db09e3..0246b05ad55 100644 --- a/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json +++ b/Solutions/CohesitySecurity/Playbooks/Cohesity_Restore_From_Last_Snapshot/azuredeploy.json 
@@ -235,7 +235,7 @@
 "body": {
 "name": "Sentinel_triggered_restore_task_@{body('Get_object_from_blob_content')}",
 "objects": [{
- "job_id": "@int(string(body('Get_job_id_from_blob_content')))",
+ "jobId": "@int(string(body('Get_job_id_from_blob_content')))",
 "jobRunId": "@int(string(body('Get_job_instance_id_from_blob_content')))",
 "protectionSourceId": "@int(string(body('Get_entity_id_from_blob_content')))",
 "sourceName": "@{body('Get_object_from_blob_content')}",
diff --git a/Solutions/CohesitySecurity/ReleaseNotes.md b/Solutions/CohesitySecurity/ReleaseNotes.md
index c92998a554c..185c5ee3371 100644
--- a/Solutions/CohesitySecurity/ReleaseNotes.md
+++ b/Solutions/CohesitySecurity/ReleaseNotes.md
@@ -1,3 +1,6 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|---------------------------------------------|
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------------------|
+| 3.1.2 | 21-10-2024 | Corrected Param for JobId for recovery API |
+| 3.1.1 | 10-10-2024 | Updating Solution with fix for Restore **Playbook** |
+| 3.1.0 | 19-07-2024 | added missing helioID using anomaly strength |
 | 3.0.0 | 29-06-2023 | Updating Azure Function to Azure Functions in **Data Connector** Description |
diff --git a/Solutions/Corelight/Data/Solution_Corelight.json b/Solutions/Corelight/Data/Solution_Corelight.json
index abcccaa7753..2ffaed6de60 100644
--- a/Solutions/Corelight/Data/Solution_Corelight.json
+++ b/Solutions/Corelight/Data/Solution_Corelight.json
@@ -145,7 +145,7 @@
 "Hunting Queries/CorelightRepetitiveDnsFailures.yaml"
 ],
 "BasePath": "C:/Github/Azure-Sentinel/Solutions/Corelight",
- "Version": "3.0.2",
+ "Version": "3.1.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Corelight/Package/3.1.0.zip b/Solutions/Corelight/Package/3.1.0.zip new file mode 100644 index 00000000000..380db02a8f9 Binary files /dev/null and b/Solutions/Corelight/Package/3.1.0.zip differ diff --git a/Solutions/Corelight/Package/mainTemplate.json b/Solutions/Corelight/Package/mainTemplate.json index 6ce52ebe978..8bb61958937 100644 --- a/Solutions/Corelight/Package/mainTemplate.json +++ b/Solutions/Corelight/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "info@corelight.com", "_email": "[variables('email')]", "_solutionName": "Corelight", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.1.0", "solutionId": "corelightinc1584998267292.corelight-for-azure-sentinel", "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", 
@@ -52,11 +52,11 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "2.1.0", + "analyticRuleVersion1": "2.1.1", "_analyticRulecontentId1": "8eaa2268-74ee-492c-b869-450eff707fef", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '8eaa2268-74ee-492c-b869-450eff707fef')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8eaa2268-74ee-492c-b869-450eff707fef')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8eaa2268-74ee-492c-b869-450eff707fef','-', '2.1.0')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8eaa2268-74ee-492c-b869-450eff707fef','-', '2.1.1')))]" }, "analyticRuleObject2": { "analyticRuleVersion2": "2.1.0", 
@@ -73,11 +73,11 @@ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','73f23aa2-5cc4-4507-940b-75c9092e9e01','-', '2.1.0')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "2.1.0", + "analyticRuleVersion4": "2.1.1", "_analyticRulecontentId4": "4e55e306-3022-43a1-870a-41c4d5116079", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4e55e306-3022-43a1-870a-41c4d5116079')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4e55e306-3022-43a1-870a-41c4d5116079')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4e55e306-3022-43a1-870a-41c4d5116079','-', '2.1.0')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4e55e306-3022-43a1-870a-41c4d5116079','-', '2.1.1')))]" }, "analyticRuleObject5": { "analyticRuleVersion5": "2.1.0", @@ -162,7 +162,7 @@ "_parserName5": "[concat(parameters('workspace'),'/','corelight_conn')]", "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_conn')]", "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_conn-Parser')))]", - "parserVersion5": "1.0.0", + "parserVersion5": "1.1.0", "parserContentId5": "corelight_conn-Parser" }, "parserObject6": { 
@@ -239,7 +239,7 @@ "_parserName16": "[concat(parameters('workspace'),'/','corelight_dns')]", "_parserId16": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_dns')]", "parserTemplateSpecName16": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_dns-Parser')))]", - "parserVersion16": "1.0.0", + "parserVersion16": "1.1.0", "parserContentId16": "corelight_dns-Parser" }, "parserObject17": { @@ -288,14 +288,14 @@ "_parserName23": "[concat(parameters('workspace'),'/','corelight_etc_viz')]", "_parserId23": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_etc_viz')]", "parserTemplateSpecName23": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_etc_viz-Parser')))]", - "parserVersion23": "1.0.0", + "parserVersion23": "1.1.0", "parserContentId23": "corelight_etc_viz-Parser" }, "parserObject24": { "_parserName24": "[concat(parameters('workspace'),'/','corelight_files')]", "_parserId24": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_files')]", "parserTemplateSpecName24": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_files-Parser')))]", - "parserVersion24": "1.0.0", + "parserVersion24": "1.1.0", "parserContentId24": "corelight_files-Parser" }, "parserObject25": { 
@@ -309,7 +309,7 @@ "_parserName26": "[concat(parameters('workspace'),'/','corelight_ftp')]", "_parserId26": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_ftp')]", "parserTemplateSpecName26": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_ftp-Parser')))]", - "parserVersion26": "1.0.0", + "parserVersion26": "1.1.0", "parserContentId26": "corelight_ftp-Parser" }, "parserObject27": { @@ -330,7 +330,7 @@ "_parserName29": "[concat(parameters('workspace'),'/','corelight_http')]", "_parserId29": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_http')]", "parserTemplateSpecName29": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_http-Parser')))]", - "parserVersion29": "1.0.0", + "parserVersion29": "1.1.0", "parserContentId29": "corelight_http-Parser" }, "parserObject30": { @@ -589,7 +589,7 @@ "_parserName66": "[concat(parameters('workspace'),'/','corelight_rdp')]", "_parserId66": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_rdp')]", "parserTemplateSpecName66": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_rdp-Parser')))]", - "parserVersion66": "1.0.0", + "parserVersion66": "1.1.0", "parserContentId66": "corelight_rdp-Parser" }, "parserObject67": { 
@@ -701,14 +701,14 @@ "_parserName82": "[concat(parameters('workspace'),'/','corelight_ssh')]", "_parserId82": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_ssh')]", "parserTemplateSpecName82": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_ssh-Parser')))]", - "parserVersion82": "1.0.0", + "parserVersion82": "1.1.0", "parserContentId82": "corelight_ssh-Parser" }, "parserObject83": { "_parserName83": "[concat(parameters('workspace'),'/','corelight_ssl')]", "_parserId83": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_ssl')]", "parserTemplateSpecName83": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_ssl-Parser')))]", - "parserVersion83": "1.0.0", + "parserVersion83": "1.1.0", "parserContentId83": "corelight_ssl-Parser" }, "parserObject84": { @@ -834,7 +834,7 @@ "_parserName101": "[concat(parameters('workspace'),'/','corelight_vpn')]", "_parserId101": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_vpn')]", "parserTemplateSpecName101": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_vpn-Parser')))]", - "parserVersion101": "1.0.0", + "parserVersion101": "1.1.0", "parserContentId101": "corelight_vpn-Parser" }, "parserObject102": { 
@@ -869,7 +869,7 @@ "_parserName106": "[concat(parameters('workspace'),'/','corelight_x509')]", "_parserId106": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'corelight_x509')]", "parserTemplateSpecName106": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('corelight_x509-Parser')))]", - "parserVersion106": "1.0.0", + "parserVersion106": "1.1.0", "parserContentId106": "corelight_x509-Parser" }, "parserObject107": { @@ -948,7 +948,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Corelight Workbook with template version 3.0.2", + "description": "Corelight Workbook with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -966,7 +966,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\">**NOTE:** This workbook depends on a parser based on a Kusto Function to work as expected [**Corelight**](https://aka.ms/sentinel-Corelight-parser) which is deployed with the Microsoft Sentinel Solution.\"},\"name\":\"text - 23\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c64d5d3d-90c6-484a-ab88-c70652b75b6e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"a076210e-a47c-43c2-97e1-1f663fedbd01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Sensor\",\"label\":\"Corelight Sensor\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"union corelight_conn, corelight_conn_red\\n| distinct _system_name\\n| sort by _system_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"d723eef6-b3f0-40be-9a56-125421b32619\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Corelight Main Dashboard\",\"subTarget\":\"corelight_main_dashboard\",\"style\":\"link\"},{\"id\":\"5736d4f4-bd4c-4a49-bea7-00da2bbc7fd9\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Corelight Connections\",\"subTarget\":\"corelight_connections\",\"style\":\"link\"},{\"id\":\"5336f601-4da3-4da0-8196-332a97636047\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Corelight DNS\",\"subTarget\":\"corelight_dns\",\"style\":\"link\"},{\"id\":\"b0e6ac55-179e-4fb5-80ff-ec84edb35324\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Corelight HTTP\",\"subTarget\":\"corelight_http\",\"style\":\"link\"}]},\"name\":\"links - 24\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight Main Dashboard\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union Corelight_v2_*_CL\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name_s in ({Sensor})\\n| where TimeGenerated {TimeRange}\\n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by _path_s;\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensor Events Timechart\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_main_dashboard\"},\"name\":\"Sensor Events Timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union Corelight_v2_*_CL\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name_s in ({Sensor})\\n| where TimeGenerated {TimeRange}\\n| summarize Count=count() by _path_s | sort by Count 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensor Events Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_main_dashboard\"},\"name\":\"Sensor Events Count\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_main_dashboard\"},\"name\":\"corelight_main_dashboard_group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Events\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(corelight_notice\\r\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\r\\n//| where note != \\\"LongConnection::found\\\" and note != \\\"SSL::Invalid_Server_Cert\\\"\\r\\n//| project-rename Alert = note \\r\\n| union corelight_suricata_corelight)\\r\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\r\\n//| where alert_category != \\\"Not Suspicious Traffic\\\" and alert_category != \\\"Attempted Information Leak\\\" and alert_category != \\\"Potentially Bad Traffic\\\"\\r\\n//| where _path_s == \\\"notice\\\"\\r\\n//| project-rename Alert = alert_category\\r\\n| extend Category = coalesce(note, alert_category), Alert = coalesce(msg, alert_signature), Severity=coalesce(severity_level, alert_severity, 7.), Type = _path\\r\\n| extend PartitionKey = case(_path == \\\"suricata_corelight\\\", Alert, Category)\\r\\n| where (isnotempty(uid) or isnotempty(community_id))\\r\\n| partition hint.strategy=native by PartitionKey\\r\\n(\\r\\n top 10 by TimeGenerated\\r\\n)\\r\\n| order by Severity asc, TimeGenerated\\r\\n\\r\\n// hack to hide empty columns\\r\\n| evaluate narrow()\\r\\n| where isnotempty(Value) and Value != \\\"##(null)\\\" or Column == 
\\\"_system_name_s\\\"\\r\\n| evaluate pivot(Column, any(Value), Row)\\r\\n\\r\\n| project-reorder TimeGenerated, Type, Category, Alert, Severity, uid, id_orig_h, id_resp_h, id_resp_p\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recent Events Summary (10 most recent per message type)\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"uid\",\"exportParameterName\":\"Selected_uid\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"events_summary_recent\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union Corelight_v2_*_CL\\r\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name_s in ({Sensor})\\r\\n| where (isnotempty(\\\"{Selected_uid}\\\") and (uid_s == \\\"{Selected_uid}\\\" or conn_uids_s contains_cs \\\"{Selected_uid}\\\"))\\r\\n| top 300 by TimeGenerated\\r\\n// hack to hide empty columns\\r\\n| evaluate narrow()\\r\\n| where isnotempty(Value) and Value != \\\"##(null)\\\" or Column == \\\"_system_name_s\\\"\\r\\n| evaluate pivot(Column, any(Value), Row)\\r\\n| project-reorder TimeGenerated, _path_s, id_orig_h_s, id_resp_h_s, id_resp_p_d, _system_name_s\\r\\n| project-away Row\",\"size\":0,\"showAnalytics\":true,\"title\":\"Related paths (select in Events Summary)\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"_path_s\",\"exportParameterName\":\"Selected_path\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"_path_s\",\"label\":\"Path\"}]}},\"name\":\"events_related_entries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_suricata_corelight\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| summarize alert_count=count() by source_ip=id_orig_h, alert_signature, severity=alert_severity\\n| top 10 by alert_count\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Suricata Top Alerts by 
Source\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"events_suricata_most_hits_src\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_main_dashboard\"},\"name\":\"tme_events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight Connections\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where local_resp == true and (proto == \\\"tcp\\\" or (proto == \\\"udp\\\" and orig_bytes > 0 and resp_bytes > 0))\\n| where conn_state != \\\"S0\\\"\\n| summarize count() by id_resp_h, id_resp_p, service\\n| summarize Count=count() by service\\n| top 20 by Count\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Local Hosts Seen Offering Services\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"local_host_offering_services\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where proto==\\\"tcp\\\" or (proto==\\\"udp\\\" and orig_pkts>0 and resp_pkts>0)\\n| where conn_state != \\\"S0\\\"\\n| where local_resp==true\\n| summarize Count=count() by portproto=strcat(tostring(toint(id_resp_p)), \\\"/\\\", proto)\\n| top 15 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top Responder 
Ports\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"top_responder_ports\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where local_orig == false and local_resp == true\\n| where proto==\\\"tcp\\\" or (proto==\\\"udp\\\" and orig_pkts>0 and resp_pkts>0)\\n| where conn_state!=\\\"S0\\\"\\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes) by id_orig_h, service\\n| extend orig_data = format_bytes(orig_bytes_sum, 2)\\n| order by orig_bytes_sum desc\\n| top 20 by orig_bytes_sum desc\\n| project-away orig_bytes_sum\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Inbound Data Flows by Originator\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"top_inbound_by_orig\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where proto == \\\"tcp\\\" or (proto == \\\"udp\\\" and orig_pkts>0 and resp_pkts>0)\\n| where local_orig==true and local_resp==false\\n| where conn_state != \\\"S0\\\"\\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes) by id_orig_h, service\\n| extend orig_data = format_bytes(orig_bytes_sum, 2)\\n| order by orig_bytes_sum desc\\n| project-away orig_bytes_sum\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Outbound Data Flows by Originator\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"top_outbound_bytes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union 
corelight_conn, corelight_conn_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where conn_state==\\\"S0\\\"\\n| summarize Count=count() by id_orig_h, id_resp_p, service\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Hosts Generating S0 (possible scan) Traffic\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"possible_scan_connections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where proto==\\\"tcp\\\" or (proto==\\\"udp\\\" and orig_pkts>0 and resp_pkts>0)\\n| where conn_state != \\\"S0\\\"\\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes), resp_bytes_sum=sum(resp_bytes) by id_orig_h, id_resp_h, id_resp_p, proto\\n| extend total_bytes_sum = orig_bytes_sum + resp_bytes_sum\\n| extend total_data = format_bytes(total_bytes_sum, 2)\\n| top 20 by total_bytes_sum desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Largest transfers between host/port pairs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"largest_transfers_by_host_port\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where local_resp == true and conn_state == \\\"S0\\\"\\n| summarize Count=count() by id_resp_h, id_resp_p, service\\n| top 30 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Possible Down 
Services\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"25\",\"name\":\"possible_down_services\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| summarize Count=count() by history\\n| top 20 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Health Asymmetry (All UPPER or lower is bad)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"25\",\"name\":\"monitor_health_asymmetry\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where local_orig == false and local_resp == false\\n| summarize Count=count() by id_orig_h, id_resp_h, id_resp_p, service\\n| top 20 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Remote to Remote Connections\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"remote_to_remote_connections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_notice\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where note == \\\"LongConnection::found\\\"\\n| summarize Count=count(1), arg_max(TimeGenerated, id_orig_h, id_resp_h, id_resp_p, sub, msg) by uid\\n| extend seconds=sub\\n| top 20 by seconds desc\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Longest Lived Connections, (May have already 
closed)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"longest_lived_connections\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n| where TimeGenerated {TimeRange}\\n//| where EventType startswith \\\"conn\\\"\\n| where isnotempty(service)\\n| summarize count() by tostring(service) | take 10\",\"size\":3,\"title\":\"Top Services\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"Top Services\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n| where TimeGenerated {TimeRange}\\n//| where EventType startswith \\\"conn\\\"\\n| where isnotempty(id_resp_p)\\n| extend dstprt = tostring(toint(id_resp_p))\\n| summarize Count=count() by dstprt | sort by Count desc |take 10\",\"size\":3,\"title\":\"Top Responder Ports\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"Top Responder Ports\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n//| where TimeGenerated {TimeRange}\\n//| where EventType startswith \\\"conn\\\"\\n//| extend NetworkDirection = case(LocalOrig == true,\\\"outbound\\\", LocalOrig == 
false, \\\"inbound\\\",'')\\n| where local_orig == true and local_resp == false\\n//| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\\n| extend bytes = toint(orig_bytes_d) + toint(resp_bytes_d)\\n| summarize Bytes=sum(bytes) by id_orig_h, id_resp_h, proto | sort by Bytes desc | take 15\",\"size\":0,\"title\":\"Top Outbound Data Flows by Originator Bytes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Top Outbound Data Flows by Originator Bytes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n//| where TimeGenerated {TimeRange}\\n//| where EventType startswith \\\"conn\\\"\\n//| extend NetworkDirection = case(LocalOrig == true,\\\"outbound\\\", LocalOrig == false, \\\"inbound\\\",'')\\n| where local_orig == false and local_resp == true\\n//| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\\n| extend bytes = toint(orig_bytes_d) + toint(resp_bytes_d)\\n| summarize Bytes=sum(bytes) by id_orig_h, id_resp_h, proto | sort by Bytes desc | take 15\",\"size\":0,\"title\":\"Top Inbound Data Flows by Originator Bytes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Top Inbound Data Flows by Originator Bytes - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n//| where EventType startswith \\\"conn\\\"\\n| where TimeGenerated {TimeRange} \\n| summarize Count=count() by id_orig_h | sort by Count\",\"size\":3,\"title\":\"Top Originators (sources) by # of 
connections\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"Top Originators (sources) by # of connections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n//| where EventType startswith \\\"conn\\\"\\n| where TimeGenerated {TimeRange} \\n| summarize Count=count() by id_resp_h | sort by Count\",\"size\":3,\"title\":\"Top Responders (destinations) by # of connections\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"Top Responders (destinations) by # of connections - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_conn, corelight_conn_red\\n//| where EventType startswith \\\"conn\\\"\\n| where TimeGenerated {TimeRange}\\n| where isnotempty(id_orig_h) and isnotempty(id_resp_h) and isnotempty(service) and isnotempty(id_orig_p) and isnotempty(id_resp_p)\\n| summarize Duration=avg(toint(duration)), make_list(id_orig_h), make_list(id_resp_h), make_list(proto) by uid | sort by Duration desc | take 50\",\"size\":0,\"title\":\"Open/Active Long Lived Connections (requires Long Connections Pkg)\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Open/Active Long Lived Connections (requires Long Connections 
Pkg)\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"deprecated\"},\"name\":\"deprecated_conn\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_connections\"},\"name\":\"corelight_connections_group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight DNS\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_dns, corelight_dns_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n//| where is_broadcast_b!=true\\n| summarize Count=count() by qtype_name\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top Query Types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"dns_top_query_types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_dns, corelight_dns_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where (rcode_name==\\\"NXDOMAIN\\\" or rcode==3) and qtype_name != \\\"PTR\\\"\\n| summarize Count=count() by qtype_name\\n| top 20 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"No response DNS query by type\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"dns_nx_by_type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_dns, corelight_dns_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where id_resp_p == 53 and (rcode_name == \\\"NXDOMAIN\\\" or rcode == 3) and qtype_name != \\\"PTR\\\"\\n| summarize Count=count() by query\\n| top 100 by 
Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Queries by Count to Non-Existent Domains\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"dns_top_nxdomain_by_count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_dns, corelight_dns_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where id_resp_p == 53\\n| summarize Count=count() by id_orig_h\\n| top 20 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Originators by Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"25\",\"name\":\"dns_top_originators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_dns, corelight_dns_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where id_resp_p == 53 and qtype_name != \\\"ptr\\\"\\n| summarize Count=count() by query\\n| top 100 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Queries by Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"dns_top_queries_by_count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_dns, corelight_dns_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where id_resp_p==53 and qtype_name==\\\"PTR\\\" and (rcode_name==\\\"NOERROR\\\" or rcode==0)\\n| summarize Count=count() by query\\n| top 100 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Successful Reverse Queries by 
Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"dns_top_ptr_by_count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_dns, corelight_dns_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where id_resp_p == 53 and (rcode_name == \\\"NXDOMAIN\\\" or rcode == 3) and qtype_name != \\\"PTR\\\"\\n| summarize Count=count() by id_orig_h\\n| top 20 by Count\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Host querying Non-Existent Domains\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"25\",\"name\":\"dns_top_hosts_querying_nxdomain\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_dns, corelight_dns_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where id_resp_p == 53 and qtype_name == \\\"PTR\\\" and (rcode_name == \\\"NXDOMAIN\\\" or rcode == 3)\\n| summarize Count=count() by query\\n| top 100 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Reverse Queries by Count to Non-Existent Domains\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"dns_top_ptr_nxdomain\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_dns, corelight_dns_red\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| extend query_length = string_size(query)\\n| summarize Count=count() by id_orig_h, query_length, query\\n| order by query_length desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS by Query 
Length\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"dns_by_query_length\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_dns\"},\"name\":\"corelight_dns_group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight Files\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Deprecated files queries\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_files\\n| where TimeGenerated {TimeRange}\\n//| where EventType startswith \\\"files\\\"\\n| where isnotempty(mime_type)\\n| where mime_type != \\\"application/pkix-cert\\\"\\n| summarize Count=count() by mime_type | sort by Count desc | take 20\\n\",\"size\":0,\"title\":\"Top 20 Mime Types by File Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"Top 20 Mime Types by File Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_files\\n| where TimeGenerated {TimeRange}\\n//| where EventType startswith \\\"files\\\"\\n| where isnotempty(mime_type)\\n| where mime_type != \\\"application/pkix-cert\\\"\\n| summarize [\\\"File Count\\\"]=count() by source | sort by [\\\"File Count\\\"] desc | take 15\\n\",\"size\":0,\"title\":\"Top File Protocols by File Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"Top File Protocols by File Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_files\\n//| where EventType startswith \\\"files\\\"\\n| where isnotempty(mime_type)\\n| where mime_type != \\\"application/pkix-cert\\\"\\n| 
extend NetworkDirection = case(local_orig == \\\"true\\\", \\\"outbound\\\", local_orig == \\\"false\\\", \\\"inbound\\\", \\\"\\\" )\\n|make-series [\\\"Files Sent\\\"]=countif(NetworkDirection==\\\"outbound\\\"), [\\\"Files Received\\\"]=countif(NetworkDirection==\\\"inbound\\\") on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by _path | project [\\\"Files Sent\\\"], [\\\"Files Received\\\"], TimeGenerated\",\"size\":0,\"title\":\"File Flow - # of Files\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0}},\"customWidth\":\"50\",\"name\":\"File Flow - # of Files\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_files\\n//| where EventType startswith \\\"files\\\"\\n| where isnotempty(mime_type)\\n| where mime_type != \\\"application/pkix-cert\\\"\\n//| extend NetworkDirection = case(local_orig == true, \\\"outbound\\\", local_orig == false, \\\"inbound\\\", \\\"\\\" )\\n// fixme: drop _d\\n|make-series [\\\"Bytes Sent\\\"]=sumif(toint(seen_bytes_d), local_orig == true), [\\\"Bytes Received\\\"]=sumif(toint(seen_bytes_d),local_orig == false) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType\",\"size\":0,\"title\":\"File Flow - Bytes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0}},\"customWidth\":\"50\",\"name\":\"File Flow - 
Bytes\"}]},\"name\":\"deprecated_files\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_files\"},\"name\":\"corelight_files_group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight HTTP\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| summarize distinct_referrers=count_distinct(referrer)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Distinct Referrers\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_distinct_referrers\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| summarize distinct_user_agents=count_distinct(user_agent)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Distinct User Agents\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_distinct_user_agents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| summarize count_distinct(host)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Distinct 
Hosts\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_distinct_hosts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| summarize distinct_connections=count_distinct(uid)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Distinct Connections\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_distinct_connections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| summarize avg = format_bytes(avg(response_body_len), 2)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Average Body Length\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_avg_response_len\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| extend ua_length = strlen(user_agent)\\n| summarize avg_ua_length = round(avg(ua_length))\",\"size\":3,\"showAnalytics\":true,\"title\":\"Average User Agent 
Length\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_avg_ua_length\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| summarize Count=count() by host\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Host Headers by Count\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"http_top_hosts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| summarize Count=count() by status_msg\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"HTTP Status Code Breakdown\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"http_status_code_chart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| summarize Count=count() by id_orig_h\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 
Originators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"33\",\"name\":\"http_top_originators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| summarize Count=count() by user_agent\\n| top 10 by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Rare User Agents\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"70\",\"name\":\"http_rare_ua\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where \\\"(all values)\\\" == \\\"{Sensor}\\\" or _system_name in ({Sensor})\\n| where host != \\\"control\\\"\\n| summarize Count=count() by host, status_code\\n| top 10 by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Rare Host Headers\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"25\",\"name\":\"http_rare_hosts\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_http\"},\"name\":\"corelight_http_group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight Software\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Deprecated software queries\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_software\\n//| where EventType startswith \\\"software\\\"\\n| where TimeGenerated {TimeRange}\\n//| where isnotempty(SoftwareType)\\n| summarize Count=count() by name | sort by Count | take 20\\n\",\"size\":0,\"title\":\"Top 
Software\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"Top Software\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_software\\n//| where TimeGenerated {TimeRange}\\n//| where EventType startswith \\\"software\\\"\\n| where isnotempty(software_type)\\n| summarize Count=count() by name, unparsed_version | sort by Count\",\"size\":0,\"title\":\"Top Software Versions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Name\",\"formatter\":5}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Name\"],\"expandTopLevel\":true}}},\"customWidth\":\"50\",\"name\":\"Top Software Versions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_software\\n//| where EventType startswith \\\"software\\\"\\n| where isnotempty(software_type)\\n| summarize Count=count() by software_type | sort by Count\",\"size\":0,\"title\":\"Top Software Types\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Name\",\"formatter\":5}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Name\"],\"expandTopLevel\":true}}},\"customWidth\":\"50\",\"name\":\"Top Software Types\"}]},\"name\":\"deprecated_software\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_software\"},\"name\":\"corelight_software_group\"}],\"fromTemplateId\":\"sentinel-CorelightWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\">**NOTE:** This workbook depends on a parser based 
on a Kusto Function to work as expected [**Corelight**](https://aka.ms/sentinel-Corelight-parser) which is deployed with the Microsoft Sentinel Solution.\"},\"name\":\"text - 23\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c64d5d3d-90c6-484a-ab88-c70652b75b6e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GlobalTimeRestriction\",\"label\":\"Global Time Restriction\",\"type\":4,\"description\":\"Select Time Range\",\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"a076210e-a47c-43c2-97e1-1f663fedbd01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Sensor\",\"label\":\"Corelight Sensor\",\"type\":2,\"description\":\"Select Corelight Sensor\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"corelight_conn\\n| distinct sensor_name\\n| sort by sensor_name\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
1\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"2e4f43b5-1def-42b3-bee5-d84912ae6115\",\"cellValue\":\"dashboard\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Data Explorer\",\"subTarget\":\"DataExplorer\",\"preText\":\"Data Explorer\",\"style\":\"link\"},{\"id\":\"0b72c376-8bd9-4896-a3b3-8994f028e1b4\",\"cellValue\":\"dashboard\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Workflows\",\"subTarget\":\"SecurityWorkflows\",\"style\":\"link\"}]},\"name\":\"links - 14\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"d723eef6-b3f0-40be-9a56-125421b32619\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Corelight Main Dashboard\",\"subTarget\":\"corelight_main_dashboard\",\"style\":\"link\"},{\"id\":\"5736d4f4-bd4c-4a49-bea7-00da2bbc7fd9\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Corelight Connections\",\"subTarget\":\"corelight_connections\",\"style\":\"link\"},{\"id\":\"5336f601-4da3-4da0-8196-332a97636047\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Corelight DNS\",\"subTarget\":\"corelight_dns\",\"style\":\"link\"},{\"id\":\"b0e6ac55-179e-4fb5-80ff-ec84edb35324\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Corelight HTTP\",\"subTarget\":\"corelight_http\",\"style\":\"link\"}]},\"name\":\"links - 24\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight Main Dashboard\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union Corelight_v2_*_CL\\n| where ('*' in ({Sensor}) or _system_name_s in ({Sensor}))\\n| where TimeGenerated {GlobalTimeRestriction}\\n|make-series Trend = count() on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step 
{GlobalTimeRestriction:grain} by _path_s;\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensor Events Timechart\",\"noDataMessage\":\"No data found.\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_main_dashboard\"},\"name\":\"Sensor Events Timechart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union Corelight_v2_*_CL\\n| where ('*' in ({Sensor}) or _system_name_s in ({Sensor}))\\n| where TimeGenerated {GlobalTimeRestriction}\\n| summarize Count=count() by _path_s | sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Sensor Events Count\",\"noDataMessage\":\"No data found.\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_main_dashboard\"},\"name\":\"Sensor Events Count\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_main_dashboard\"},\"name\":\"corelight_main_dashboard_group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Events\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let QueryResults = ((corelight_notice\\r\\n| where ('*' in ({Sensor}) or _system_name in ({Sensor}))\\r\\n//| where note != \\\"LongConnection::found\\\" and note != \\\"SSL::Invalid_Server_Cert\\\"\\r\\n//| project-rename Alert = note \\r\\n| union corelight_suricata_corelight)\\r\\n| where ('*' in ({Sensor}) or _system_name in ({Sensor}))\\r\\n//| where alert_category != \\\"Not Suspicious Traffic\\\" and alert_category != \\\"Attempted Information Leak\\\" and alert_category 
!= \\\"Potentially Bad Traffic\\\"\\r\\n//| where _path_s == \\\"notice\\\"\\r\\n//| project-rename Alert = alert_category\\r\\n| extend\\r\\n Category = coalesce(note, alert_category),\\r\\n Alert = coalesce(msg, alert_signature),\\r\\n Severity=coalesce(severity_level, alert_severity, 7.),\\r\\n Type = _path\\r\\n| extend PartitionKey = case(_path == \\\"suricata_corelight\\\", Alert, Category)\\r\\n| where (isnotempty(uid) or isnotempty(community_id))\\r\\n| partition hint.strategy=native by PartitionKey\\r\\n (\\r\\n top 10 by TimeGenerated\\r\\n )\\r\\n| order by Severity asc, TimeGenerated\\r\\n// hack to hide empty columns\\r\\n| evaluate narrow()\\r\\n| where isnotempty(Value) and Value != \\\"##(null)\\\" or Column == \\\"_system_name_s\\\"\\r\\n| evaluate pivot(Column, any(Value), Row)\\r\\n);\\r\\nlet QueryCount=QueryResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable(TimeGenerated: string , Type: string , Category: string, Alert: string, Severity: string, uid: string, id_orig_h: string, id_resp_h: string, id_resp_p: string )[];\\r\\nunion isfuzzy=true\\r\\n(QueryResults| where toscalar(QueryCount) != 0),\\r\\n(NoResults| where toscalar(QueryCount) == 0)\\r\\n| project-reorder\\r\\n TimeGenerated,\\r\\n Type,\\r\\n Category,\\r\\n Alert,\\r\\n Severity,\\r\\n uid,\\r\\n id_orig_h,\\r\\n id_resp_h,\\r\\n id_resp_p\",\"size\":0,\"showAnalytics\":true,\"title\":\"Recent Events Summary (10 most recent per message type)\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportFieldName\":\"uid\",\"exportParameterName\":\"Selected_uid\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"events_summary_recent\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union Corelight_v2_*_CL\\r\\n| where ('*' in ({Sensor}) or 
_system_name_s in ({Sensor}))\\r\\n| where (isnotempty(\\\"{Selected_uid}\\\") and (uid_s == \\\"{Selected_uid}\\\" or conn_uids_s contains_cs \\\"{Selected_uid}\\\"))\\r\\n| top 300 by TimeGenerated\\r\\n// hack to hide empty columns\\r\\n| evaluate narrow()\\r\\n| where isnotempty(Value) and Value != \\\"##(null)\\\" or Column == \\\"_system_name_s\\\"\\r\\n| evaluate pivot(Column, any(Value), Row)\\r\\n| project-reorder TimeGenerated, _path_s, id_orig_h_s, id_resp_h_s, id_resp_p_d, _system_name_s\\r\\n| project-away Row\",\"size\":0,\"showAnalytics\":true,\"title\":\"Related paths (select in Events Summary)\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportFieldName\":\"_path_s\",\"exportParameterName\":\"Selected_path\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"_path_s\",\"label\":\"Path\"}]}},\"name\":\"events_related_entries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_suricata_corelight\\r\\n| where ('*' in ({Sensor}) or _system_name in ({Sensor}))\\r\\n| summarize alert_count=count() by source_ip=id_orig_h, alert_signature, severity=alert_severity\\r\\n| top 10 by alert_count\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Suricata Top Alerts by Source\",\"noDataMessage\":\"No data 
found.\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"events_suricata_most_hits_src\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_main_dashboard\"},\"name\":\"tme_events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight Connections\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where local_resp == true and (proto == \\\"tcp\\\" or (proto == \\\"udp\\\" and orig_bytes > 0 and resp_bytes > 0))\\n| where conn_state != \\\"S0\\\"\\n| summarize count() by id_resp_h, id_resp_p, service\\n| summarize Count=count() by service\\n| top 20 by Count\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Local Hosts Seen Offering Services\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"local_host_offering_services\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where proto==\\\"tcp\\\" or (proto==\\\"udp\\\" and orig_pkts>0 and resp_pkts>0)\\n| where conn_state != \\\"S0\\\"\\n| where local_resp==true\\n| summarize Count=count() by portproto=strcat(tostring(toint(id_resp_p)), \\\"/\\\", proto)\\n| top 15 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top Responder Ports\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"top_responder_ports\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where local_orig == false and local_resp == true\\n| where proto==\\\"tcp\\\" or (proto==\\\"udp\\\" and orig_pkts>0 and resp_pkts>0)\\n| where conn_state!=\\\"S0\\\"\\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes) by id_orig_h, service\\n| extend orig_data = format_bytes(orig_bytes_sum, 2)\\n| order by orig_bytes_sum desc\\n| top 20 by orig_bytes_sum desc\\n| project-away orig_bytes_sum\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Inbound Data Flows by Originator\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"33\",\"name\":\"top_inbound_by_orig\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where proto == \\\"tcp\\\" or (proto == \\\"udp\\\" and orig_pkts>0 and resp_pkts>0)\\n| where local_orig==true and local_resp==false\\n| where conn_state != \\\"S0\\\"\\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes) by id_orig_h, service\\n| extend orig_data = format_bytes(orig_bytes_sum, 2)\\n| order by orig_bytes_sum desc\\n| project-away orig_bytes_sum\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Outbound Data Flows by Originator\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"33\",\"name\":\"top_outbound_bytes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where conn_state==\\\"S0\\\"\\n| summarize Count=count() by id_orig_h, id_resp_p, service\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Hosts Generating S0 (possible scan) Traffic\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"33\",\"name\":\"possible_scan_connections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where proto==\\\"tcp\\\" or (proto==\\\"udp\\\" and orig_pkts>0 and resp_pkts>0)\\n| where conn_state != \\\"S0\\\"\\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes), resp_bytes_sum=sum(resp_bytes) by id_orig_h, id_resp_h, id_resp_p, proto\\n| extend total_bytes_sum = orig_bytes_sum + resp_bytes_sum\\n| extend total_data = format_bytes(total_bytes_sum, 2)\\n| top 20 by total_bytes_sum desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Largest transfers between host/port pairs\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"largest_transfers_by_host_port\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where local_resp == true and conn_state == \\\"S0\\\"\\n| summarize Count=count() by id_resp_h, id_resp_p, service\\n| top 30 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Possible Down Services\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"25\",\"name\":\"possible_down_services\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| summarize Count=count() by history\\n| top 20 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitor Health Asymmetry (All UPPER or lower is bad)\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"25\",\"name\":\"monitor_health_asymmetry\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where local_orig == false and local_resp == false\\n| summarize Count=count() by id_orig_h, id_resp_h, id_resp_p, service\\n| top 20 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Remote to Remote 
Connections\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"remote_to_remote_connections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_notice\\n| where ('*' in ({Sensor}) or _system_name in ({Sensor}))\\n| where note == \\\"LongConnection::found\\\"\\n| summarize Count=count(1), arg_max(TimeGenerated, id_orig_h, id_resp_h, id_resp_p, sub, msg) by uid\\n| extend seconds=sub\\n| top 20 by seconds desc\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Longest Lived Connections, (May have already closed)\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"longest_lived_connections\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where TimeGenerated {GlobalTimeRestriction}\\n//| where EventType startswith \\\"conn\\\"\\n| where isnotempty(service)\\n| summarize count() by tostring(service) | take 10\",\"size\":3,\"title\":\"Top Services\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"Top Services\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n| where 
TimeGenerated {GlobalTimeRestriction}\\n//| where EventType startswith \\\"conn\\\"\\n| where isnotempty(id_resp_p)\\n| extend dstprt = tostring(toint(id_resp_p))\\n| summarize Count=count() by dstprt | sort by Count desc |take 10\",\"size\":3,\"title\":\"Top Responder Ports\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"Top Responder Ports\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n//| where TimeGenerated {GlobalTimeRestriction}\\n//| where EventType startswith \\\"conn\\\"\\n//| extend NetworkDirection = case(LocalOrig == true,\\\"outbound\\\", LocalOrig == false, \\\"inbound\\\",'')\\n| where local_orig == true and local_resp == false\\n//| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\\n| extend bytes = toint(orig_bytes) + toint(resp_bytes)\\n| summarize Bytes=sum(bytes) by id_orig_h, id_resp_h, proto | sort by Bytes desc | take 15\",\"size\":0,\"title\":\"Top Outbound Data Flows by Originator Bytes\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Top Outbound Data Flows by Originator Bytes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n//| where TimeGenerated {GlobalTimeRestriction}\\n//| where EventType startswith \\\"conn\\\"\\n//| extend NetworkDirection = case(LocalOrig == true,\\\"outbound\\\", LocalOrig == false, \\\"inbound\\\",'')\\n| where local_orig == false and local_resp == true\\n//| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and 
isnotempty(DstIpBytes)\\n| extend bytes = toint(orig_bytes) + toint(resp_bytes)\\n| summarize Bytes=sum(bytes) by id_orig_h, id_resp_h, proto | sort by Bytes desc | take 15\",\"size\":0,\"title\":\"Top Inbound Data Flows by Originator Bytes\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Top Inbound Data Flows by Originator Bytes - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n//| where EventType startswith \\\"conn\\\"\\n| where TimeGenerated {GlobalTimeRestriction} \\n| summarize Count=count() by id_orig_h | sort by Count\",\"size\":3,\"title\":\"Top Originators (sources) by # of connections\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"Top Originators (sources) by # of connections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n//| where EventType startswith \\\"conn\\\"\\n| where TimeGenerated {GlobalTimeRestriction} \\n| summarize Count=count() by id_resp_h | sort by Count\",\"size\":3,\"title\":\"Top Responders (destinations) by # of connections\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"Top Responders (destinations) by # of connections - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\n//| where EventType startswith \\\"conn\\\"\\n| where TimeGenerated {GlobalTimeRestriction}\\n| where isnotempty(id_orig_h) and isnotempty(id_resp_h) and isnotempty(service) and isnotempty(id_orig_p) and isnotempty(id_resp_p)\\n| summarize Duration=avg(toint(duration)), make_list(id_orig_h), make_list(id_resp_h), make_list(proto) 
by uid | sort by Duration desc | take 50\",\"size\":0,\"title\":\"Open/Active Long Lived Connections (requires Long Connections Pkg)\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Open/Active Long Lived Connections (requires Long Connections Pkg)\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"deprecated\"},\"name\":\"deprecated_conn\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_connections\"},\"name\":\"corelight_connections_group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight DNS\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n//| where is_broadcast_b!=true\\n| summarize Count=count() by qtype_name\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top Query Types\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"dns_top_query_types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where (rcode_name==\\\"NXDOMAIN\\\" or rcode==3) and qtype_name != \\\"PTR\\\"\\n| summarize Count=count() by qtype_name\\n| top 20 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"No response DNS query by type\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"dns_nx_by_type\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where id_resp_p == 53 and (rcode_name == \\\"NXDOMAIN\\\" or rcode == 3) and qtype_name != \\\"PTR\\\"\\n| summarize Count=count() by query\\n| top 100 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Queries by Count to Non-Existent Domains\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"33\",\"name\":\"dns_top_nxdomain_by_count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where id_resp_p == 53\\n| summarize Count=count() by id_orig_h\\n| top 20 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Originators by Count\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"25\",\"name\":\"dns_top_originators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where id_resp_p == 53 and qtype_name != \\\"ptr\\\"\\n| summarize Count=count() by query\\n| top 100 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Queries by Count\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"33\",\"name\":\"dns_top_queries_by_count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where id_resp_p==53 and qtype_name==\\\"PTR\\\" and (rcode_name==\\\"NOERROR\\\" or rcode==0)\\n| summarize Count=count() by query\\n| top 100 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Successful Reverse Queries by Count\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"33\",\"name\":\"dns_top_ptr_by_count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where id_resp_p == 53 and (rcode_name == \\\"NXDOMAIN\\\" or rcode == 3) and qtype_name != \\\"PTR\\\"\\n| summarize Count=count() by id_orig_h\\n| top 20 by Count\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Host querying Non-Existent Domains\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"25\",\"name\":\"dns_top_hosts_querying_nxdomain\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where id_resp_p == 53 and qtype_name == \\\"PTR\\\" and (rcode_name == 
\\\"NXDOMAIN\\\" or rcode == 3)\\n| summarize Count=count() by query\\n| top 100 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Reverse Queries by Count to Non-Existent Domains\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"33\",\"name\":\"dns_top_ptr_nxdomain\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| extend query_length = string_size(query)\\n| summarize Count=count() by id_orig_h, query_length, query\\n| order by query_length desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS by Query Length\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"dns_by_query_length\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_dns\"},\"name\":\"corelight_dns_group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight Files\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Deprecated files queries\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_files\\n| where TimeGenerated {GlobalTimeRestriction}\\n//| where EventType startswith \\\"files\\\"\\n| where isnotempty(mime_type)\\n| where mime_type != \\\"application/pkix-cert\\\"\\n| summarize Count=count() by mime_type | sort by Count desc | take 20\\n\",\"size\":0,\"title\":\"Top 20 Mime Types by File 
Count\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"Top 20 Mime Types by File Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_files\\n| where TimeGenerated {GlobalTimeRestriction}\\n//| where EventType startswith \\\"files\\\"\\n| where isnotempty(mime_type)\\n| where mime_type != \\\"application/pkix-cert\\\"\\n| summarize [\\\"File Count\\\"]=count() by source | sort by [\\\"File Count\\\"] desc | take 15\\n\",\"size\":0,\"title\":\"Top File Protocols by File Count\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"Top File Protocols by File Count\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_files\\n//| where EventType startswith \\\"files\\\"\\n| where isnotempty(mime_type)\\n| where mime_type != \\\"application/pkix-cert\\\"\\n| extend NetworkDirection = case(local_orig == \\\"true\\\", \\\"outbound\\\", local_orig == \\\"false\\\", \\\"inbound\\\", \\\"\\\" )\\n|make-series [\\\"Files Sent\\\"]=countif(NetworkDirection==\\\"outbound\\\"), [\\\"Files Received\\\"]=countif(NetworkDirection==\\\"inbound\\\") on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step {GlobalTimeRestriction:grain} by path | project [\\\"Files Sent\\\"], [\\\"Files Received\\\"], TimeGenerated\",\"size\":0,\"title\":\"File Flow - # of Files\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0}},\"customWidth\":\"50\",\"name\":\"File Flow - # of Files\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_files\\n//| 
where EventType startswith \\\"files\\\"\\n| where isnotempty(mime_type)\\n| where mime_type != \\\"application/pkix-cert\\\"\\n//| extend NetworkDirection = case(local_orig == true, \\\"outbound\\\", local_orig == false, \\\"inbound\\\", \\\"\\\" )\\n// fixme: drop _d\\n|make-series [\\\"Bytes Sent\\\"]=sumif(toint(seen_bytes), local_orig == true), [\\\"Bytes Received\\\"]=sumif(toint(seen_bytes),local_orig == false) on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step {GlobalTimeRestriction:grain} by EventType\",\"size\":0,\"title\":\"File Flow - Bytes\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":0}},\"customWidth\":\"50\",\"name\":\"File Flow - Bytes\"}]},\"name\":\"deprecated_files\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_files\"},\"name\":\"corelight_files_group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight HTTP\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != \\\"control\\\"\\n| summarize distinct_referrers=count_distinct(referrer)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Distinct Referrers\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_distinct_referrers\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != 
\\\"control\\\"\\n| summarize distinct_user_agents=count_distinct(user_agent)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Distinct User Agents\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_distinct_user_agents\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != \\\"control\\\"\\n| summarize count_distinct(host)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Distinct Hosts\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_distinct_hosts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != \\\"control\\\"\\n| summarize distinct_connections=count_distinct(uid)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Distinct Connections\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_distinct_connections\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != \\\"control\\\"\\n| summarize avg = format_bytes(avg(response_body_len), 2)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Average 
Body Length\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_avg_response_len\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != \\\"control\\\"\\n| extend ua_length = strlen(user_agent)\\n| summarize avg_ua_length = round(avg(ua_length))\",\"size\":3,\"showAnalytics\":true,\"title\":\"Average User Agent Length\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"customWidth\":\"16\",\"name\":\"http_avg_ua_length\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != \\\"control\\\"\\n| summarize Count=count() by host\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Host Headers by Count\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"http_top_hosts\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != \\\"control\\\"\\n| summarize Count=count() by status_msg\\n| top 10 by 
Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"HTTP Status Code Breakdown\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"http_status_code_chart\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != \\\"control\\\"\\n| summarize Count=count() by id_orig_h\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top Originators\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"33\",\"name\":\"http_top_originators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != \\\"control\\\"\\n| summarize Count=count() by user_agent\\n| top 10 by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Rare User Agents\",\"noDataMessage\":\"No data found.\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"70\",\"name\":\"http_rare_ua\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_http\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\n| where host != \\\"control\\\"\\n| summarize Count=count() by host, status_code\\n| top 10 by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Rare Host Headers\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"25\",\"name\":\"http_rare_hosts\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_http\"},\"name\":\"corelight_http_group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Corelight Software\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Deprecated software queries\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_software\\n//| where EventType startswith \\\"software\\\"\\n| where TimeGenerated {GlobalTimeRestriction}\\n//| where isnotempty(SoftwareType)\\n| summarize Count=count() by name | sort by Count | take 20\\n\",\"size\":0,\"title\":\"Top Software\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"Top Software\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_software\\n//| where TimeGenerated {GlobalTimeRestriction}\\n//| where EventType startswith \\\"software\\\"\\n| where isnotempty(software_type)\\n| summarize Count=count() by name, unparsed_version | sort by Count\",\"size\":0,\"title\":\"Top Software Versions\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Name\",\"formatter\":5}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Name\"],\"expandTopLevel\":true}}},\"customWidth\":\"50\",\"name\":\"Top Software 
Versions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_software\\n//| where EventType startswith \\\"software\\\"\\n| where isnotempty(software_type)\\n| summarize Count=count() by software_type | sort by Count\",\"size\":0,\"title\":\"Top Software Types\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Name\",\"formatter\":5}],\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Name\"],\"expandTopLevel\":true}}},\"customWidth\":\"50\",\"name\":\"Top Software Types\"}]},\"name\":\"deprecated_software\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"corelight_software\"},\"name\":\"corelight_software_group\"}]},\"conditionalVisibility\":{\"parameterName\":\"dashboard\",\"comparison\":\"isEqualTo\",\"value\":\"DataExplorer\"},\"name\":\"Data Explorer\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"458c9ad4-de32-4629-a33c-bd6e24126dd8\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Security Posture\",\"subTarget\":\"SecurityPosture\",\"style\":\"link\"},{\"id\":\"cd6cc63c-c1a8-49fc-89c7-b2ae5e0674d9\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Secure Channel Insights\",\"subTarget\":\"SecureChannelInsights\",\"style\":\"link\"},{\"id\":\"c2140a1d-ad51-4d22-a0ed-b433d3131b54\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Name Resolution Insights\",\"subTarget\":\"NameResolutionInsights\",\"style\":\"link\"},{\"id\":\"cf92c03c-d98e-4a02-bc53-b127708c83f8\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Remote Activity Insights\",\"subTarget\":\"RemoteActivityInsights\",\"style\":\"link\"}]},\"name\":\"links - 
0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Security Posture\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Encrypted Traffic Hygiene\\r\\n---\"},\"name\":\"text - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\nlet SSL=corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where is_self_signed==\\\"yes\\\" and is_dest_internal_ip==\\\"true\\\";\\r\\nlet trendline=toscalar(\\r\\nSSL\\r\\n| summarize arg_max(TimeGenerated, *) by ssl_subject_common_name\\r\\n| make-series Trend = dcount(ssl_subject_common_name) default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\\r\\n| project Trend);\\r\\nSSL\\r\\n| summarize Count=dcount(ssl_subject_common_name)\\r\\n| extend Trend = trendline\",\"size\":4,\"showAnalytics\":true,\"title\":\"Self Signed Certs\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"greenDark\"}},\"showBorder\":true}},\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\nlet X509=corelight_x509\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| extend key_length = toint(certificate_key_length)\\r\\n| where key_length < 2048;\\r\\nlet trendline=toscalar(\\r\\nX509\\r\\n| summarize arg_max(TimeGenerated, *) by ssl_hash\\r\\n| make-series Trend = dcount(ssl_hash) default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\\r\\n| project Trend);\\r\\nX509\\r\\n| summarize Count = dcount(ssl_hash)\\r\\n| extend Trend = trendline\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Certs w/ Low Keys\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"greenDark\"}},\"showBorder\":true}},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_x509\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where days_to_expiry > 0 and days_to_expiry <= 15\\r\\n| summarize [\\\"Distinct Certs\\\"] = dcount(ssl_hash)\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Expiring Certs.\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Distinct Certs\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":true}},\"name\":\"query - 2\"}]},\"customWidth\":\"25\",\"name\":\"Encrypted Traffic Hygiene Tiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\ncorelight_ssl\\r\\n| where ('*' in ({Sensor}) or 
sensor_name in ({Sensor}))\\r\\n| make-series ['Encrypted Traffic Volume']=count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\",\"size\":2,\"showAnalytics\":true,\"title\":\"Encrypted Traffic Over Time\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"green\"},{\"seriesName\":\"Encrypted Traffic Volume\",\"color\":\"green\"}],\"xSettings\":{\"label\":\"Time\"},\"ySettings\":{\"label\":\"Encrypted traffic Volume\"}}},\"customWidth\":\"75\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| extend version_status=case(version==\\\"TLSv13\\\", \\\"Most Secure\\\", \\r\\n version==\\\"TLSv12\\\", \\\"Secure\\\", \\r\\n version==\\\"DTLSv12\\\", \\\"Secure\\\", \\r\\n version==\\\"unknown-64282\\\", \\\"Unknown\\\", \\r\\n \\\"Old Version\\\")\\r\\n| summarize Count= count() by version_status\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"TLS Versions\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"version_status\",\"createOtherGroup\":0}},\"customWidth\":\"40\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| extend src_internal=iff(isnull(is_src_internal_ip) or is_src_internal_ip==\\\"false\\\", \\\"External\\\", 
\\\"Internal\\\"), dest_internal=iff(isnull(is_dest_internal_ip) or is_dest_internal_ip==\\\"false\\\", \\\"External\\\", \\\"Internal\\\")\\r\\n| where src_internal==\\\"Internal\\\" \\r\\n| extend version_status=case(version==\\\"TLSv13\\\", \\\"Most Secure\\\", \\r\\n version==\\\"TLSv12\\\", \\\"Secure\\\", \\r\\n version==\\\"DTLSv12\\\", \\\"Secure\\\", \\r\\n version==\\\"unknown-64282\\\", \\\"Unknown\\\", \\r\\n \\\"Old Version\\\")\\r\\n| summarize Count= count() by version_status\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Internal TLS Version Profile\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"xSettings\":{\"label\":\"TLS Version\"},\"ySettings\":{\"label\":\"Count\"}}},\"customWidth\":\"60\",\"name\":\"query - 5\"}]},\"name\":\"Encrypted Traffic Hygiene\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Unencrypted Traffic Hygiene - Indicators\\r\\n---\"},\"name\":\"text - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\nlet UnencryptedConnection=corelight_etc_viz\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where viz_stat in (\\\"C\\\", \\\"Cc\\\", \\\"C!\\\", \\\"cc\\\");\\r\\nlet 
trendline=toscalar(\\r\\nUnencryptedConnection \\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration by server_a, server_p\\r\\n| project Trend);\\r\\nUnencryptedConnection \\r\\n| summarize Count = count() by server_a, server_p\\r\\n| summarize Sum = sum(Count)\\r\\n| extend Trend=trendline\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Unencrypted Connections\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportFieldName\":\"Sum\",\"exportParameterName\":\"sum\",\"exportDefaultValue\":\"none\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Sum\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":true}},\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Click on the count in the above panel **Unencrypted Connections** to view more information.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true\\r\\ncorelight_http,\\r\\ncorelight_conn,\\r\\ncorelight_dns,\\r\\ncorelight_ssl,\\r\\ncorelight_files\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where id_resp_p == 23\\r\\n| summarize Count = count()\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Telnet Sessions\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportFieldName\":\"Count\",\"exportParameterName\":\"telnet_count\",\"exportDefaultValue\":\"none\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false}}},\"showBorder\":true}},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"#### Click on the count in the above panel **Telnet Sessions** to view more information.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ftp\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| summarize Count = count()\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"FTP Sessions\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportFieldName\":\"Count\",\"exportParameterName\":\"ftp_count\",\"exportDefaultValue\":\"none\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"#### Click on the count in the above panel **FTP Sessions** to view more information.\",\"style\":\"info\"},\"name\":\"text - 3\"}],\"exportParameters\":true},\"customWidth\":\"25\",\"name\":\"Unencrypted Traffic Hygiene - Indicators - Tiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet 
interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\nunion isfuzzy=true\\r\\ncorelight_http,\\r\\ncorelight_conn,\\r\\ncorelight_dns,\\r\\ncorelight_ssl,\\r\\ncorelight_files\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where isnotempty(service) and service !in ('ssl', 'tls', 'dns', \\\"ssl,http\\\", \\\"http,ssl\\\")\\r\\n| make-series [\\\"Unencrypted Traffic Volume\\\"]=count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration by service\",\"size\":2,\"showAnalytics\":true,\"title\":\"Top Unencrypted Protocols Used\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"service\",\"exportDefaultValue\":\"none\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"group\":\"service\",\"createOtherGroup\":0,\"showLegend\":true}},\"customWidth\":\"75\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"#### Click on the datapoints in the above panel **Top Unencrypted Protocols Used** to view more information.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_etc_viz\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where viz_stat in (\\\"C\\\", \\\"Cc\\\", \\\"C!\\\", \\\"cc\\\") \\r\\n| summarize Count = count() by server_a, server_p\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of Unencrypted Connections\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"sum\",\"comparison\":\"isNotEqualTo\",\"value\":\"none\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union corelight_http,\\r\\ncorelight_conn,\\r\\ncorelight_dns,\\r\\ncorelight_ssl,\\r\\ncorelight_files\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where id_resp_p == 23\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of Telnet Sessions\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"telnet_count\",\"comparison\":\"isNotEqualTo\",\"value\":\"none\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ftp\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of FTP Sessions\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"ftp_count\",\"comparison\":\"isNotEqualTo\",\"value\":\"none\"},\"name\":\"query - 
6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true\\r\\ncorelight_http,\\r\\ncorelight_conn,\\r\\ncorelight_dns,\\r\\ncorelight_ssl,\\r\\ncorelight_files\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where service == '{service}'\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of Top Unencrypted Protocols Used\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"service\",\"comparison\":\"isNotEqualTo\",\"value\":\"none\"},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Unencrypted Traffic Hygiene - Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### DNS Hygiene\\r\\n---\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\nlet FailedDNS=corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where rcode_name in ('SERVFAIL', 'REFUSED', 'FORMERR' ,'NOTIMP' ,'NOTAUTH');\\r\\nlet trendline=toscalar(\\r\\nFailedDNS\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\\r\\n| project Trend);\\r\\nFailedDNS\\r\\n| summarize dns_fails 
= count()\\r\\n| extend Trend = trendline\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Failed DNS Queries\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"rcode_name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dns_fails\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":true}},\"customWidth\":\"25\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\nlet UnusualQtypes=corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where qtype_name in (\\\"AXFR\\\", \\\"IXFR\\\", \\\"ANY\\\", \\\"TXT\\\");\\r\\nlet trendline=toscalar(\\r\\nUnusualQtypes\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\\r\\n);\\r\\nUnusualQtypes\\r\\n| summarize failed_q=count() by bin(TimeGenerated, 1d)\\r\\n| summarize total = sum(failed_q) by TimeGenerated\\r\\n| extend today = iff(TimeGenerated==(startofday(now())), total, 0)\\r\\n| extend yesterday = iff(TimeGenerated==(startofday(now())-1d), total, 0)\\r\\n| extend Trend = trendline\\r\\n| serialize\\r\\n| order by TimeGenerated desc\\r\\n| extend nextyesterday = iff((today == 0 and 
yesterday > 0), yesterday, iff(isempty(next(yesterday)), 0, next(yesterday)))\\r\\n| limit 1\\r\\n| extend percentage = case(nextyesterday == 0 and today == 0, 0.0, \\r\\n nextyesterday == 0 and today !=0, todouble(today)*100, \\r\\n (todouble(today-nextyesterday)/nextyesterday)*100)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Unusual Qtypes\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportFieldName\":\"failed_q\",\"exportParameterName\":\"failed_count\",\"exportDefaultValue\":\"none\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"today\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"rightContent\":{\"columnMatch\":\"percentage\",\"formatter\":12,\"formatOptions\":{\"palette\":\"none\"},\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\"}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":true,\"size\":\"full\"}},\"customWidth\":\"25\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\nlet NxdomainResponses=corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where rcode_name in ('NXDOMAIN', 'NOERROR');\\r\\nlet trendline=toscalar(\\r\\nNxdomainResponses\\r\\n| make-series Trend = count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step 
bin_duration\\r\\n);\\r\\nNxdomainResponses\\r\\n| summarize Count=count() by bin(TimeGenerated, 1d)\\r\\n| summarize total = sum(Count) by TimeGenerated\\r\\n| extend today = iff(TimeGenerated==(startofday(now())), total, 0)\\r\\n| extend yesterday = iff(TimeGenerated==(startofday(now())-1d), total, 0)\\r\\n| extend Trend = trendline\\r\\n| serialize\\r\\n| order by TimeGenerated desc\\r\\n| extend nextyesterday = iff((today == 0 and yesterday > 0), yesterday, iff(isempty(next(yesterday)), 0, next(yesterday)))\\r\\n| limit 1\\r\\n| extend percentage = case(nextyesterday == 0 and today == 0, 0.0, \\r\\n nextyesterday == 0 and today !=0, todouble(today)*100, \\r\\n (todouble(today-nextyesterday)/nextyesterday)*100)\",\"size\":3,\"showAnalytics\":true,\"title\":\"NXDOMAIN Responses\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"today\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"rightContent\":{\"columnMatch\":\"percentage\",\"formatter\":12,\"formatOptions\":{\"palette\":\"none\"},\"numberFormat\":{\"unit\":1,\"options\":{\"style\":\"decimal\"}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\"}},\"showBorder\":true,\"size\":\"full\"}},\"customWidth\":\"25\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where isnotempty(dest_ip) and dest_port in (53, 5353) and is_dest_internal_ip==\\\"true\\\"\\r\\n| summarize NumberOfInternalDnsServers = dcount(dest_ip)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Internal DNS Servers\",\"noDataMessage\":\"Nodata 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"NumberOfInternalDnsServers\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"25\",\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"#### Click on the count in the above panel **Unusual Qtypes** to view more information.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where qtype_name in (\\\"AXFR\\\", \\\"IXFR\\\", \\\"ANY\\\", \\\"TXT\\\")\\r\\n| summarize unique_sessions=dcount(uid), query_list = strcat_array(make_list(query), \\\", \\\"), qtype_names = strcat_array(make_list(qtype_name), \\\", \\\") by id_orig_h, id_resp_h\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of Unusual Qtypes\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"failed_count\",\"comparison\":\"isNotEqualTo\",\"value\":\"none\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| extend iplocation=geo_info_from_ip_address(dest_ip)\\r\\n| extend latitude=iplocation.latitude, longitude=iplocation.longitude\\r\\n| extend Country = coalesce(iplocation.country, \\\"No Country\\\")\\r\\n| summarize Count = 
count() by tostring(latitude), tostring(longitude), Country\\r\\n| extend coordinates= iff(Country!=\\\"No Country\\\", strcat(\\\"Country: \\\",Country, \\\"\\\\nLatitude: \\\", latitude, \\\"\\\\nLongitude:\\\", longitude), Country)\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Geolocation of DNS Responses\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"latitude\":\"latitude\",\"longitude\":\"longitude\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Max\",\"labelSettings\":\"coordinates\",\"legendMetric\":\"Count\",\"numberOfMetrics\":0,\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"Count\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 0\"}]},\"name\":\"DNS Hygiene\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Remote Management Hygiene\\r\\n---\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let TopVPN=corelight_vpn\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| extend iplocation=geo_info_from_ip_address(dest_ip)\\r\\n| extend country=iplocation.country\\r\\n| extend Country=coalesce(country, \\\"No Country\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by dest_ip, tostring(Country)\\r\\n| summarize Count=count() by Country;\\r\\nlet totalcount=(\\r\\nTopVPN\\r\\n| summarize TotalCount = sum(Count));\\r\\nTopVPN\\r\\n| extend Percentage=(Count * 100.0)/toscalar(totalcount)\\r\\n| sort by Percentage desc\",\"size\":0,\"aggregation\":2,\"showAnalytics\":true,\"title\":\"Top VPN destinations by Country\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Country\",\"yAxis\":[\"Percentage\",\"Count\"],\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Percentage\",\"color\":\"green\"},{\"seriesName\":\"Count\",\"color\":\"greenDarkDark\"}],\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}},\"label\":\"Percentage\"}}},\"customWidth\":\"50\",\"name\":\"Top VPN destinations by Country\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<90, 7d, 31d);\\r\\ncorelight_vpn\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where is_dest_internal_ip == \\\"false\\\"\\r\\n| make-series [\\\"Outbound VPN Connections\\\"]=count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\",\"size\":0,\"showAnalytics\":true,\"title\":\"Outbound VPN Connections\",\"color\":\"green\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Outbound VPN Connections\",\"color\":\"green\"}],\"showDataPoints\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"50\",\"name\":\"query - 
1\"},{\"type\":1,\"content\":{\"json\":\"#### Metrics shows the count and percentage for the country with maximum value as default. To view the count or percentage for a particular country hover over the bar in Top VPN destinations by Country Panel.\",\"style\":\"upsell\"},\"name\":\"Tooltip for Top VPN destinations by Country Panel\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\ncorelight_rdp\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where isnotempty(auth_success)\\r\\n| extend auth_result = iff(auth_success==\\\"true\\\",\\\"Success\\\",\\\"Failure\\\") \\r\\n| make-series Count=count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration by auth_result\",\"size\":0,\"showAnalytics\":true,\"title\":\"RDP Authentication Attempts\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"auth\",\"exportDefaultValue\":\"none\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"group\":\"auth_result\",\"createOtherGroup\":0,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Failure\",\"color\":\"redBright\"},{\"seriesName\":\"Success\",\"color\":\"green\"}],\"showDataPoints\":true}},\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"#### Click on the datapoints in the above panel **RDP Authentication Attempts** to view more information.\",\"style\":\"info\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_rdp\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| extend auth_result = iff(auth_success==\\\"true\\\",\\\"Success\\\",\\\"Failure\\\") \\r\\n| where auth_result == '{auth}'\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of RDP Authentication Attempts\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"auth\",\"comparison\":\"isNotEqualTo\",\"value\":\"none\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Remote Management Hygiene\"}]},\"name\":\"group - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"SecurityPosture\"},\"name\":\"Security Posture\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Secure Channel Insights\\r\\n#### Deep dive from Security Posture Encrypted, non-encrypted SSL, SSH, TLS and x509 facts.\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"### Encrypted Traffic Notables\\r\\n----\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Weak Certs. 
Used Internally\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_x509\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| extend key_length=certificate_key_length, match_fingerprint=fingerprint\\r\\n| where toint(key_length) < 2048\\r\\n| project match_fingerprint, key_length, TimeGenerated\\r\\n| join kind=inner (\\r\\n corelight_ssl\\r\\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n | mv-expand todynamic(cert_chain_fps)\\r\\n | extend match_fingerprint=cert_chain_fps\\r\\n | project tostring(match_fingerprint), uid, src_ip, dest_ip, id_resp_p, is_dest_internal_ip, server_name, TimeGenerated)\\r\\n on match_fingerprint\\r\\n| summarize arg_max(TimeGenerated, *) by match_fingerprint\\r\\n| extend Host_Type=iff(is_dest_internal_ip==\\\"true\\\", \\\"Internal\\\", \\\"External\\\"), Resp_port=id_resp_p\\r\\n| where Host_Type == \\\"Internal\\\"\\r\\n| summarize Count= count() by server_name, dest_ip, Resp_port, key_length, Host_Type\\r\\n| summarize Sum = count()\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"server_name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Sum\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"customWidth\":\"40\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### SSL/TLS sessions utilizing weak keys are vulnerable to cryptographic attacks. This traffic may indicate the presence of old and/or unpatched resources on the network. 
It could also be the result of a successful downgrade attack.\"},\"customWidth\":\"60\",\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CertResults = corelight_x509\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| extend key_length=certificate_key_length\\r\\n| extend match_fingerprint=fingerprint\\r\\n| where toint(key_length) < 2048\\r\\n| project match_fingerprint, key_length, TimeGenerated\\r\\n| join kind=inner ( \\r\\n corelight_ssl\\r\\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n | mv-expand todynamic(cert_chain_fps)\\r\\n | extend match_fingerprint=cert_chain_fps\\r\\n | project tostring(match_fingerprint), uid, src_ip, dest_ip, id_resp_p, is_dest_internal_ip, server_name, TimeGenerated)\\r\\n on match_fingerprint\\r\\n| summarize arg_max(TimeGenerated, *) by match_fingerprint\\r\\n| extend [\\\"Host Type\\\"]=iff(is_dest_internal_ip==\\\"true\\\", \\\"Internal\\\", \\\"External\\\"), Resp_Port=id_resp_p, Dest_Host=dest_ip, [\\\"Key Length\\\"]=key_length, [\\\"Server Name\\\"]=server_name\\r\\n| where [\\\"Host Type\\\"] == \\\"Internal\\\"\\r\\n| summarize Count= count() by [\\\"Server Name\\\"], Dest_Host, Resp_Port, [\\\"Key Length\\\"], [\\\"Host Type\\\"]\\r\\n| sort by [\\\"Server Name\\\"] desc;\\r\\nlet CertCount = CertResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable([\\\"Server Name\\\"]: string, Dest_Host: string, Resp_Port: string, [\\\"Key Length\\\"]: string, [\\\"Host Type\\\"]: string, Count: long)\\r\\n[\\\"No Results\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", 0];\\r\\nunion isfuzzy=true\\r\\n(CertResults| where toscalar(CertCount) != 0),\\r\\n(NoResults| where toscalar(CertCount) == 0)\\r\\n| extend Resp_Port = coalesce(tostring(toint(Resp_Port_real)), Resp_Port_string)\\r\\n| extend [\\\"Key Length\\\"] = coalesce(tostring(toint(['Key Length_real'])), ['Key Length_string'])\\r\\n| project-away 
Resp_Port_*, [\\\"Key Length_*\\\"]\\r\\n| project-reorder [\\\"Server Name\\\"], Dest_Host, Resp_Port, [\\\"Key Length\\\"], [\\\"Host Type\\\"], Count\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Evidence for Weak Key Length Certs\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Less Secure Ciphers\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where cipher matches regex (\\\"RC4|DES|3DES|MD5|NULL|EXPORT\\\")\\r\\n| extend Host_Type=iff(is_src_internal_ip==\\\"true\\\", \\\"Internal\\\", \\\"External\\\")\\r\\n| extend Direction=iff(is_src_internal_ip==\\\"true\\\" and is_dest_internal_ip==\\\"false\\\", \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n| summarize Unique_Conns=dcount(uid), Count=count() by cipher\\r\\n| summarize TotalCount = count()\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"40\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### SSL/TLS sessions utilizing weak cipher suites (eg. 
RC4) are easily decrypted. This traffic may indicate the presence of old and/or unpatched resources on the network. It could also be the result of a successful downgrade attack.\"},\"customWidth\":\"60\",\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let QueryResults = corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where cipher matches regex (\\\"RC4|DES|3DES|MD5|NULL|EXPORT\\\")\\r\\n| extend Host_Type=iff(is_src_internal_ip==\\\"true\\\", \\\"Internal\\\", \\\"External\\\")\\r\\n| extend Direction=iff(is_src_internal_ip==\\\"true\\\" and is_dest_internal_ip==\\\"false\\\", \\\"Outbound\\\", \\\"Inbound\\\")\\r\\n| summarize dest_ip = make_list(dest_ip)[-1], Unique_Conns=dcount(uid), Host_Type=strcat_array(make_set(Host_Type), \\\",\\\"), Direction=strcat_array(make_set(Direction), \\\",\\\"), Count=count() by cipher\\r\\n| project-rename Cipher=cipher\\r\\n| sort by Unique_Conns desc, Count desc;\\r\\nlet QueryCount = QueryResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable(Cipher: string, dest_ip: dynamic, Unique_Conns: string, Host_Type: string, Direction: string, Count: long)\\r\\n[\\\"No Results\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", 0];\\r\\nunion isfuzzy=true\\r\\n(QueryResults| where toscalar(QueryCount) != 0),\\r\\n(NoResults| where toscalar(QueryCount) == 0)\\r\\n| extend Unique_Conns = coalesce(tostring(tolong(Unique_Conns_long)), Unique_Conns_string)\\r\\n| project-away Unique_Conns_*\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Less Secure Ciphers seen in the period\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Connections using Less Secure TLS Versions (< TLS1.2)\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0054d601-4a2f-41d2-8f2b-5633e412ff29\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TrafficDirection\",\"label\":\"Traffic Direction\",\"type\":2,\"description\":\"Select Traffic Direction\",\"isRequired\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"jsonData\":\"[\\\"Inbound\\\", \\\"Outbound\\\", \\\"Internal\\\", \\\"EEther\\\"]\\r\\n\",\"timeContext\":{\"durationMs\":86400000},\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"defaultValue\":\"value::all\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where isnotempty(src_ip) and isnotempty(version)\\r\\n| extend ip_class = iff(is_dest_internal_ip == \\\"true\\\", \\\"Internal\\\", \\\"External\\\")\\r\\n| extend src_int = iff(isnull(is_src_internal_ip) or is_src_internal_ip==\\\"false\\\", \\\"f\\\", \\\"t\\\"), \\r\\n dst_int = iff(isnull(is_dest_internal_ip) or is_dest_internal_ip==\\\"false\\\", \\\"f\\\", \\\"t\\\") \\r\\n| extend \\r\\n connection_type=case(\\r\\n src_int==\\\"t\\\" and dst_int==\\\"f\\\", \\\"Outbound\\\",\\r\\n src_int==\\\"f\\\" and dst_int==\\\"t\\\", \\\"Inbound\\\",\\r\\n src_int==\\\"t\\\" and dst_int==\\\"t\\\", \\\"Internal\\\",\\r\\n \\\"EEther\\\"\\r\\n ),\\r\\n version_status=case(\\r\\n version==\\\"TLSv13\\\", \\\"Most Secure (v1.3)\\\",\\r\\n version==\\\"TLSv12\\\", \\\"Secure 
(v1.2)\\\",\\r\\n version==\\\"DTLSv12\\\", \\\"Secure (v1.2)\\\", \\r\\n version==\\\"unknown-64282\\\", \\\"Unknown\\\",\\r\\n \\\"Old Version < (v1.2)\\\") \\r\\n| extend Classification=version_status, [\\\"Traffic Direction\\\"]=connection_type, Version=version\\r\\n| where ('*' == ('{TrafficDirection}') or [\\\"Traffic Direction\\\"] == ('{TrafficDirection}'))\\r\\n| where Classification !contains \\\"Secure\\\"\\r\\n| summarize Counter=dcount(uid) by tostring(Version), Classification, \\\"Traffic Direction\\\"\\r\\n| summarize Sum=sum(Counter)\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Sum\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"40\",\"name\":\"query - 1\"},{\"type\":1,\"content\":{\"json\":\"#### Connections employing TLS versions older than 1.2 are recognized as less secure, presenting a higher risk of being compromised. 
These outdated protocols may indicate legacy systems with configurations that are not aligned with modern security standards.\"},\"customWidth\":\"60\",\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SSHResults = corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where isnotempty(src_ip) and isnotempty(version)\\r\\n| extend ip_class = iff(is_dest_internal_ip == \\\"true\\\", \\\"Internal\\\", \\\"External\\\")\\r\\n| extend src_int = iff(isnull(is_src_internal_ip) or is_src_internal_ip==\\\"false\\\", \\\"f\\\", \\\"t\\\"), \\r\\n dst_int = iff(isnull(is_dest_internal_ip) or is_dest_internal_ip==\\\"false\\\", \\\"f\\\", \\\"t\\\") \\r\\n| extend \\r\\n connection_type=case(\\r\\n src_int==\\\"t\\\" and dst_int==\\\"f\\\", \\\"Outbound\\\",\\r\\n src_int==\\\"f\\\" and dst_int==\\\"t\\\", \\\"Inbound\\\",\\r\\n src_int==\\\"t\\\" and dst_int==\\\"t\\\", \\\"Internal\\\",\\r\\n \\\"EEther\\\"\\r\\n ),\\r\\n version_status=case(\\r\\n version==\\\"TLSv13\\\", \\\"Most Secure (v1.3)\\\",\\r\\n version==\\\"TLSv12\\\", \\\"Secure (v1.2)\\\",\\r\\n version==\\\"DTLSv12\\\", \\\"Secure (v1.2)\\\", \\r\\n version==\\\"unknown-64282\\\", \\\"Unknown\\\",\\r\\n \\\"Old Version < (v1.2)\\\") \\r\\n| extend Classification=version_status, [\\\"Traffic Direction\\\"]=connection_type, Version=version\\r\\n| where ('*' == ('{TrafficDirection}') or [\\\"Traffic Direction\\\"] == ('{TrafficDirection}'))\\r\\n| summarize Counter=dcount(uid), [\\\"Responder Location\\\"] = strcat_array(make_set(ip_class), \\\",\\\") by tostring(Version), Classification, [\\\"Traffic Direction\\\"]\\r\\n| project-reorder Version, [\\\"Traffic Direction\\\"], Counter, [\\\"Responder Location\\\"], Classification\\r\\n| sort by Counter desc;\\r\\nlet SSHCount = SSHResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable(Version: string, Counter: long)\\r\\n[\\\"No Results Found\\\", 0];\\r\\nunion 
isfuzzy=true\\r\\n(SSHResults| where toscalar(SSHCount) != 0),\\r\\n(NoResults| where toscalar(SSHCount) == 0)\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Evidence for All TLS versions seen (Classification based on Industry best practices)\",\"noDataMessage\":\"No data found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Version\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Version\",\"sortOrder\":1}]},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"group - 2-Connections using Less Secure TLS Versions (< TLS1.2)\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Interactive Sessions and Keystrokes\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssh \\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| mv-expand todynamic(Inferences), todynamic(Descriptions)\\r\\n| where Inferences in (\\\"KS\\\", \\\"AUTO\\\") \\r\\n| summarize arg_max(TimeGenerated, *) by uid\\r\\n| extend src_ip = id_orig_h, dest_ip = id_resp_h, Inference=Inferences, Description=Descriptions\\r\\n| summarize Count = count() by uid, src_ip, dest_ip, tostring(Inference), tostring(Description) \\r\\n| summarize TotalCount = count()\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"40\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"60px 0px 0px 0px\"}},{\"type\":1,\"content\":{\"json\":\"#### Highlight interactive sessions (KS) and automated interactions (AUTO) to understand the nature of SSH traffic — manual vs. automated.\\r\\n\"},\"customWidth\":\"60\",\"name\":\"text - 2\",\"styleSettings\":{\"margin\":\"60px 0px 0px 0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SSHResults = corelight_ssh \\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| mv-expand todynamic(Inferences), todynamic(Descriptions)\\r\\n| where Inferences in (\\\"KS\\\", \\\"AUTO\\\") \\r\\n| summarize arg_max(TimeGenerated, *) by uid\\r\\n| extend src_ip = id_orig_h, dest_ip = id_resp_h, Inference=Inferences, Description=Descriptions\\r\\n| summarize Count = count() by uid, src_ip, dest_ip, tostring(Inference), tostring(Description);\\r\\nlet SSHCount = SSHResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable(uid: string, src_ip: string, dest_ip: string, Inference: string, Description: string, Count: long)\\r\\n[\\\"No Results\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", 0];\\r\\nunion isfuzzy=true\\r\\n(SSHResults| where toscalar(SSHCount) != 0),\\r\\n(NoResults| where toscalar(SSHCount) == 0)\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Evidence for Interactive Sessions and Keystrokes - SSH Inferences\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"margin\":\"2px 0px 0px 0px\",\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Self Signed Certs\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where validation_status==\\\"self signed certificate\\\" and is_dest_internal_ip==\\\"true\\\" and isnotempty(dest_ip)\\r\\n| extend Source_Host_Type = case(is_src_internal_ip==\\\"true\\\", \\\"Internal\\\",is_src_internal_ip==\\\"false\\\", \\\"External\\\", \\\"Undefined\\\") , \\r\\nDestination_Host_Type = case(is_dest_internal_ip==\\\"true\\\", \\\"Internal\\\",is_dest_internal_ip==\\\"false\\\", \\\"External\\\", \\\"Undefined\\\")\\r\\n| extend Traffic_Direction = case(Source_Host_Type==\\\"Internal\\\" and Destination_Host_Type==\\\"External\\\", \\\"Outbound\\\",Source_Host_Type==\\\"External\\\" and Destination_Host_Type==\\\"Internal\\\", \\\"Inbound\\\",Source_Host_Type==\\\"Internal\\\" and Destination_Host_Type==\\\"Internal\\\", \\\"East-West\\\",Source_Host_Type==\\\"External\\\" and Destination_Host_Type==\\\"External\\\", \\\"Ether\\\",\\\"Undefined\\\") \\r\\n| summarize count() by ssl_subject_common_name, dest_ip \\r\\n| count \",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"40\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### This dashboard panel identifies self-signed certificates in use within internal networks, highlighting a key security concern due to their lack of third-party validation. Addressing this issue by transitioning to certificates from trusted authorities enhances network security and trustworthiness.\"},\"customWidth\":\"60\",\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SSHResults = corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where validation_status==\\\"self signed certificate\\\" and is_dest_internal_ip==\\\"true\\\" and isnotempty(dest_ip)\\r\\n| extend Source_Host_Type = case(is_src_internal_ip==\\\"true\\\", \\\"Internal\\\",is_src_internal_ip==\\\"false\\\", \\\"External\\\", \\\"Undefined\\\") , \\r\\nDestination_Host_Type = case(is_dest_internal_ip==\\\"true\\\", \\\"Internal\\\",is_dest_internal_ip==\\\"false\\\", \\\"External\\\", \\\"Undefined\\\")\\r\\n| extend Traffic_Direction = case(Source_Host_Type==\\\"Internal\\\" and Destination_Host_Type==\\\"External\\\", \\\"Outbound\\\",Source_Host_Type==\\\"External\\\" and Destination_Host_Type==\\\"Internal\\\", \\\"Inbound\\\",Source_Host_Type==\\\"Internal\\\" and Destination_Host_Type==\\\"Internal\\\", \\\"East-West\\\",Source_Host_Type==\\\"External\\\" and Destination_Host_Type==\\\"External\\\", \\\"Ether\\\",\\\"Undefined\\\") \\r\\n| summarize Destination_Host_Type=strcat_array(make_set(Destination_Host_Type), \\\",\\\"), 
Status=strcat_array(make_set(validation_status), \\\",\\\"), Traffic_Direction=strcat_array(make_set(Traffic_Direction), \\\",\\\") \\r\\n by ssl_subject_common_name, dest_ip \\r\\n| project Subject=ssl_subject_common_name, Destination=dest_ip, Status, Destination_Host_Type, Traffic_Direction;\\r\\nlet SSHCount = SSHResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable(Subject: string)\\r\\n[\\\"No Results Found\\\"];\\r\\nunion isfuzzy=true\\r\\n(SSHResults| where toscalar(SSHCount) != 0),\\r\\n(NoResults| where toscalar(SSHCount) == 0)\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Evidence for Self Signed Internal Certificates\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Subject\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Subject\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"group - 4-Self Signed Certs\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Possible File Uploaded\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssh\\r\\n| where ('*' == ('*') or sensor_name == ('*'))\\r\\n| mv-expand todynamic(Inferences), todynamic(Descriptions)\\r\\n| where Inferences in (\\\"SFD\\\", \\\"LFD\\\", \\\"SFU\\\", \\\"LFU\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by uid\\r\\n| project-rename\\r\\n Inference = Inferences,\\r\\n Description = Descriptions\\r\\n| summarize Count = count() by uid, src_ip, dest_ip,tostring(Inference), tostring(Description)\\r\\n| summarize TotalCount = count()\\r\\n\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"40\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### This use case tracks SSH file transfer activity (inferences SFD, LFD, SFU, LFU). It uncovers potential data exfiltration by attackers or the introduction of malicious files. Focus on file names, sizes, unusual source IPs, and sensitive destination systems.\"},\"customWidth\":\"60\",\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SSHResults = corelight_ssh\\r\\n| where ('*' == ('*') or sensor_name == ('*'))\\r\\n| mv-expand todynamic(Inferences), todynamic(Descriptions)\\r\\n| where Inferences in (\\\"SFD\\\", \\\"LFD\\\", \\\"SFU\\\", \\\"LFU\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by uid\\r\\n| project-rename\\r\\n Inference = Inferences,\\r\\n Description = Descriptions\\r\\n| summarize Count = count() by uid, src_ip, dest_ip,tostring(Inference), tostring(Description);\\r\\nlet SSHCount = SSHResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable(uid: string, src_ip: string, dest_ip: string, Inference: string, Description: string, Count: long)\\r\\n[\\\"No Results\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", 0];\\r\\nunion isfuzzy=true\\r\\n(SSHResults| where toscalar(SSHCount) != 0),\\r\\n(NoResults| where toscalar(SSHCount) == 0)\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Possible File Transfer\",\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"group - 5-Possible File Uploaded\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Certificates about to Expire\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where is_dest_internal_ip==\\\"true\\\"\\r\\n| mv-expand todynamic(fingerprint)\\r\\n| extend fingerprint=tostring(fingerprint)\\r\\n| join kind=inner \\r\\n (corelight_x509\\r\\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n | where days_to_expiry > 0 and days_to_expiry < 30)\\r\\n on fingerprint\\r\\n| summarize count() by ssl_subject, dest_ip\\r\\n| count\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"40\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### A SSL certificate that is about to expire (default window is 30 days) was observed. 
Expiration of an SSL certificate may result in unexpected behaviour such as refused network connections or unencrypted network traffic.\\r\\n\"},\"customWidth\":\"60\",\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SSHResults = corelight_ssl\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where is_dest_internal_ip==\\\"true\\\"\\r\\n| mv-expand todynamic(fingerprint)\\r\\n| extend fingerprint=tostring(fingerprint)\\r\\n| join kind=inner \\r\\n (corelight_x509\\r\\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n | where days_to_expiry > 0 and days_to_expiry < 30)\\r\\n on fingerprint\\r\\n| summarize Port = strcat_array(make_list(toint(dest_port)), \\\",\\\"), [\\\"Not Valid After\\\"] = strcat_array(make_list(not_valid_after), \\\",\\\"), [\\\"Days to Expire\\\"] = strcat_array(make_list(days_to_expiry), \\\",\\\") by ssl_subject, dest_ip\\r\\n| project-rename Subject = ssl_subject, Host = dest_ip\\r\\n| sort by tostring([\\\"Days to Expire\\\"]) desc; \\r\\nlet SSHCount = SSHResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable(Subject: string)\\r\\n[\\\"No Results Found\\\"];\\r\\nunion isfuzzy=true\\r\\n(SSHResults| where toscalar(SSHCount) != 0),\\r\\n(NoResults| where toscalar(SSHCount) == 0)\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Evidence for Self Signed Internal Certificates\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"group - 6-Certificates about to 
Expire\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Potential Security Risks\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssh\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| mv-expand todynamic(Inferences)\\r\\n| where Inferences in (\\\"SC\\\", \\\"SP\\\", \\\"SV\\\", \\\"SA\\\", \\\"AFR\\\", \\\"BAN\\\") \\r\\n| summarize Count = count() by uid, src_ip, dest_ip, tostring(Inferences) \\r\\n| summarize TotalCount = count()\\r\\n\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"40\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Monitors for signs of scanning (SC, SP, SV, SA), banner messages (BAN), and agent forwarding (AFR) for compliance and security risk identification.\"},\"customWidth\":\"60\",\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SSHResults = corelight_ssh\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| mv-expand todynamic(Inferences)\\r\\n| where Inferences in (\\\"SC\\\", \\\"SP\\\", \\\"SV\\\", \\\"SA\\\", \\\"AFR\\\", \\\"BAN\\\") \\r\\n| summarize Count = count() by uid, src_ip, dest_ip, tostring(Inferences)\\r\\n| project-reorder uid, src_ip, dest_ip, Count, Inferences;\\r\\nlet SSHCount = SSHResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable(uid: string)\\r\\n[\\\"No Results\\\"];\\r\\nunion isfuzzy=true\\r\\n(SSHResults| where toscalar(SSHCount) != 
0),\\r\\n(NoResults| where toscalar(SSHCount) == 0)\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"SSH Inferences for Potential Security Risks\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"group - 7-Potential Security Risks\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Automated SSH Session Indicators\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssh\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| mv-expand todynamic(Inferences)\\r\\n| where Inferences in (\\\"PKA\\\", \\\"AUTO\\\", \\\"KS\\\", \\\"CTS\\\")\\r\\n| summarize\\r\\n src_ip = strcat_array(make_list(id_orig_h), \\\",\\\"),\\r\\n dest_ip = strcat_array(make_list(id_resp_h), \\\",\\\"),\\r\\n Inferences = strcat_array(make_list(Inferences), \\\",\\\"),\\r\\n Count = count()\\r\\n by uid\\r\\n| summarize TotalCount = count()\\r\\n\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"40\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Tracks automated SSH sessions to enhance security and operational efficiency, highlighting potential risks and compliance issues. 
It identifies anomalies and unauthorized activities, ensuring that automation tools are used securely and efficiently. This tool is crucial for SOC analysts to monitor for security breaches and optimize system management.\"},\"customWidth\":\"60\",\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SSHResults = corelight_ssh\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| mv-expand todynamic(Inferences)\\r\\n| where Inferences in (\\\"PKA\\\", \\\"AUTO\\\", \\\"KS\\\", \\\"CTS\\\")\\r\\n| summarize\\r\\n src_ip = strcat_array(make_list(id_orig_h), \\\",\\\"),\\r\\n dest_ip = strcat_array(make_list(id_resp_h), \\\",\\\"),\\r\\n Inferences = strcat_array(make_list(Inferences), \\\",\\\"),\\r\\n Count = count()\\r\\n by uid;\\r\\nlet SSHCount = SSHResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable(uid: string, src_ip: string, dest_ip: string, Inferences: string, Count: long)\\r\\n[\\\"No Results\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", 0];\\r\\nunion isfuzzy=true\\r\\n(SSHResults| where toscalar(SSHCount) != 0),\\r\\n(NoResults| where toscalar(SSHCount) == 0)\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"SSH Session Inferences\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"group - 8 - Automated SSH Session Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Advanced Threat Indicators\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_ssh\\r\\n| where ('*' in ({Sensor}) or 
sensor_name in ({Sensor}))\\r\\n| mv-expand todynamic(Inferences)\\r\\n| where Inferences in (\\\"ABP\\\", \\\"RSP\\\", \\\"RSI\\\", \\\"RSIA\\\", \\\"RSL\\\", \\\"RSK\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by uid\\r\\n| summarize Count = count() by uid, id_orig_h, id_resp_h, tostring(Inferences)\\r\\n| summarize TotalCount = count()\\r\\n\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"uid\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"customWidth\":\"40\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Helps to identify potential advanced threat indicators such as Client Authentication Bypass (ABP) and Reverse SSH tunneling activities (RSP, RSI, RSIA, RSL, RSK) for in-depth investigation.\"},\"customWidth\":\"60\",\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SSHResults = corelight_ssh\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| mv-expand todynamic(Inferences)\\r\\n| where Inferences in (\\\"ABP\\\", \\\"RSP\\\", \\\"RSI\\\", \\\"RSIA\\\", \\\"RSL\\\", \\\"RSK\\\")\\r\\n| summarize arg_max(TimeGenerated, *) by uid\\r\\n| summarize Count = count() by uid, id_orig_h, id_resp_h, tostring(Inferences)\\r\\n| project-rename Inference = Inferences, src_ip = id_orig_h , dest_ip = id_resp_h;\\r\\nlet SSHCount = SSHResults\\r\\n| summarize count()\\r\\n| project count_;\\r\\nlet NoResults = datatable(uid: string, src_ip: string, dest_ip: string, Inference: string, Count: 
long)\\r\\n[\\\"No Results\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", 0];\\r\\nunion isfuzzy=true\\r\\n(SSHResults| where toscalar(SSHCount) != 0),\\r\\n(NoResults| where toscalar(SSHCount) == 0)\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"SSH Advanced Threats Inferences\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"group - 9 - Advanced Threat Indicators\"}]},\"name\":\"group - Encrypted Traffic Notables\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"SecureChannelInsights\"},\"name\":\"Secure Channel Insights\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Name Resolution Insights\\r\\n##### Insights on Name Resolution (DNS)\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### DNS Hygiene\\r\\n----\"},\"name\":\"text - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Responding DNS Servers\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| summarize count() by dest_ip\\r\\n| count\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data 
found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### DNS servers actively responding in the network are key to secure operations, translating domain names to IP addresses and directing traffic. It also logs the number of queries and unique clients interacting with the DNS servers, offering insights into possible rogue DNS servers and detecting patterns that may suggest data exfiltration attempts.\"},\"customWidth\":\"65\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"11px\",\"padding\":\"10px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| extend IPInfo = geo_info_from_ip_address(dest_ip)\\r\\n| summarize\\r\\n [\\\"# of Queries\\\"] = count(),\\r\\n [\\\"# of Unique Clients\\\"] = dcount(src_ip),\\r\\n Country = any(IPInfo.country),\\r\\n any(is_dest_internal_ip)\\r\\n by dest_ip\\r\\n| extend\\r\\n Internal = iff(\\r\\n any_is_dest_internal_ip == \\\"true\\\",\\r\\n \\\"Yes\\\",\\r\\n \\\"No\\\"\\r\\n ),\\r\\n Country = iff(isempty(Country), \\\"Unknown\\\", Country)\\r\\n| project\\r\\n Destination = dest_ip,\\r\\n ['# of Queries'],\\r\\n ['# of Unique Clients'],\\r\\n Country,\\r\\n Internal\\r\\n| sort by ['# of Queries'], ['# of Unique Clients'] desc \",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Servers actively responding to queries\",\"noDataMessage\":\"No data 
found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"responding dns servers\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Unusual Qtypes\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where qtype_name in (\\\"AXFR\\\", \\\"IXFR\\\", \\\"ANY\\\", \\\"TXT\\\")\\r\\n| summarize count() by qtype_name, dest_ip\\r\\n| summarize Count = sum(count_)\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Unusual DNS query types can indicate misconfigurations, experimental features, or potential security threats like data exfiltration or tunneling. 
Analysts should scrutinize such queries for anomalies and address identified risks to safeguard network security.\"},\"customWidth\":\"65\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"21px\",\"padding\":\"10px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FilteredDNS = (\\r\\ncorelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where qtype_name in (\\\"AXFR\\\", \\\"IXFR\\\", \\\"ANY\\\", \\\"TXT\\\")\\r\\n);\\r\\nlet DNSRecords = (\\r\\nFilteredDNS\\r\\n| summarize count() by qtype_name, dest_ip\\r\\n);\\r\\nFilteredDNS\\r\\n| join kind=leftouter(DNSRecords) on $left.qtype_name == $right.qtype_name, $left.dest_ip == $right.dest_ip\\r\\n| summarize arg_max(TimeGenerated, *) by qtype_name, dest_ip\\r\\n| project Qtype = qtype_name, Responder = dest_ip, Source = src_ip, Query = query, Count = count_\\r\\n| sort by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Unusual Query Types found\",\"noDataMessage\":\"No data found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"unusual qtypes\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"NXDOMAIN Responses\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where tolower(rcode_name) in (\\\"nxdomain\\\", \\\"noerror\\\")\\r\\n| extend query_rejected = iff(rejected == true, \\\"Yes\\\", \\\"No\\\")\\r\\n| summarize count() by src_ip, dest_ip, query, query_rejected\\r\\n| 
summarize sum(count_)\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"sum_count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### High rates of DNS NXDOMAIN responses might suggest misconfigured domains, typographical errors in network requests, or malicious activities such as DNS reconnaissance. Close examination is advised to correct configurations or identify security incidents. Review DNS logs for patterns, validate domain configurations, and check endpoint security for signs of malware.\"},\"customWidth\":\"65\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"7px\",\"padding\":\"10px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where tolower(rcode_name) in (\\\"nxdomain\\\", \\\"noerror\\\")\\r\\n| extend query_rejected = iff(rejected == true, \\\"Yes\\\", \\\"No\\\")\\r\\n| summarize count() by src_ip, dest_ip, query, query_rejected\\r\\n| project Source = src_ip, Responder = dest_ip, Query = query, Rejected = query_rejected, Count = count_\\r\\n| sort by Count desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Evidence for NXDOMAIN Responses\",\"noDataMessage\":\"No data found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"nxdomain responses\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Monitoring DNS Query Response Times > 15ms\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| summarize avg_rtt = avg(todouble(rtt)) by query, dest_ip\\r\\n| where avg_rtt > 0.015\\r\\n| extend avg_rtt = round(avg_rtt*1000, 2)\\r\\n| count \",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Long DNS query response times may indicate network congestion, server performance issues, or potential security threats. Timely analysis is crucial for maintaining optimal network performance and security. Investigate extended response times by examining server configurations, network traffic, and potential external attacks.\"},\"customWidth\":\"65\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"19px\",\"padding\":\"10px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| summarize avg_rtt = avg(todouble(rtt)) by query, dest_ip\\r\\n| where avg_rtt > 0.015\\r\\n| extend avg_rtt = round(avg_rtt*1000, 2)\\r\\n| project Query = query, Responder = dest_ip, [\\\"Avg. 
Response Time (ms)\\\"] = avg_rtt\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitoring DNS Query Types by AVG time\",\"noDataMessage\":\"No data found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"monitoring DNS query response times > 15ms\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Failed DNS Queries\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where tolower(rcode_name) in (\\\"servfail\\\", \\\"refused\\\", \\\"formerr\\\", \\\"notimp\\\", \\\"notauth\\\")\\r\\n| summarize count() by rcode_name\\r\\n| count\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Failed DNS queries may point to misconfigurations, outdated systems, or security threats such as network infiltration or DNS poisoning. 
Analysts should investigate the sources and patterns of these failures to identify and remediate underlying causes, thereby ensuring network integrity and security.\"},\"customWidth\":\"65\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"10px\",\"padding\":\"10px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FilteredDNS = (\\r\\n corelight_dns\\r\\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n | where tolower(rcode_name) in (\\\"servfail\\\", \\\"refused\\\", \\\"formerr\\\", \\\"notimp\\\", \\\"notauth\\\")\\r\\n );\\r\\nlet RcodeCount = (\\r\\n FilteredDNS\\r\\n | summarize count() by rcode_name, dest_ip, src_ip\\r\\n );\\r\\nFilteredDNS\\r\\n| join kind=innerunique (RcodeCount) on rcode_name, dest_ip, src_ip\\r\\n| project\\r\\n Source = src_ip,\\r\\n Responder = dest_ip,\\r\\n Query = query,\\r\\n [\\\"Response Code\\\"] = toupper(rcode_name),\\r\\n Count = count_\\r\\n| sort by Count desc \",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Evidence for Failed DNS Queries\",\"noDataMessage\":\"No data found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Count\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"failed DNS queries\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"DNS Query Volume Over Time\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_conn\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where service == \\\"dns\\\"\\r\\n| summarize TotalTraffic = 
sum(todouble(orig_bytes))\",\"size\":3,\"showAnalytics\":true,\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalTraffic\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":2,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Monitor total DNS-related network traffic in MB/GB. Sudden spikes or unusual patterns could signal configuration errors, compromised devices making excessive queries, or potential data exfiltration attempts.\"},\"customWidth\":\"65\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"18px\",\"padding\":\"10px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\ncorelight_dns\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| summarize Count = count() by bin(TimeGenerated, bin_duration), uid\",\"size\":0,\"showAnalytics\":true,\"title\":\"Monitoring Query Types by AVG time\",\"noDataMessage\":\"No data found\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"yAxis\":[\"Count\"],\"group\":\"uid\",\"createOtherGroup\":99}},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"10px\"}}]},\"customWidth\":\"50\",\"name\":\"DNS 
query volume over time\"}]},\"name\":\"dns hygiene\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"NameResolutionInsights\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Remote Activity Insights\"},\"name\":\"title\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Remote Access Hygiene\\r\\n---\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"RDP Authentication Attempts\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Total count of RDP success and failed actions within the specified time.\\r\\n\\r\\n\"},\"name\":\"text - 0\"}]},\"name\":\"group - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_rdp\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where action != \\\"unknown\\\"\\r\\n| summarize count() by action\\r\\n| summarize Total = sum(count_)\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportFieldName\":\"Total\",\"exportParameterName\":\"count\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Total\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Monitoring RDP authentications is crucial for identifying unauthorized access and distinguishing between 
successful and failed login attempts. Security teams should analyze trends and cross-reference user activity for rapid response and mitigation.\"},\"customWidth\":\"65\",\"name\":\"text - 2\",\"styleSettings\":{\"margin\":\"36px 36px 0px 0px\",\"padding\":\"0px 0px 30px 0px\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on the Count in above tile to view more information.\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_rdp\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where action != \\\"unknown\\\"\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of RDP Authentication Attempts\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"action\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"action\",\"label\":\"Action\"}]}},\"conditionalVisibility\":{\"parameterName\":\"count\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\\r\\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\\r\\ncorelight_rdp\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where action != \\\"unknown\\\"\\r\\n| make-series 
Count=count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration by action\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed vs Successful Authentications\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"x\",\"parameterName\":\"Time\",\"defaultValue\":\"none\"},{\"fieldName\":\"series\",\"parameterName\":\"Action\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"xAxis\":\"TimeGenerated\",\"group\":\"action\",\"createOtherGroup\":0,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"success\",\"color\":\"green\"},{\"seriesName\":\"failure\",\"color\":\"redBright\"}],\"ySettings\":{\"label\":\"Count\"}}},\"name\":\"query - 1\",\"styleSettings\":{\"padding\":\"10px\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on the datapoints in panel Failed vs Successful Authentications above to view more information.\",\"style\":\"info\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_rdp\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where action == \\\"{Action}\\\"\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of Failed vs Successful 
Authentications\",\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Time\",\"comparison\":\"isNotEqualTo\",\"value\":\"none\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"rdp authentication attempts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Identifying Failed RDP Logins\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Total count of users with login failures within the specified time.\\r\\n\\r\\n\"},\"name\":\"text - 0\"}]},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_rdp\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where action == \\\"failure\\\" or auth_success == \\\"false\\\"\\r\\n| where isnotempty(cookie)\\r\\n| extend User = cookie\\r\\n| summarize dcount(User)\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"dcount_User\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Monitoring failed RDP logins is essential for detecting unauthorized access attempts. 
Security teams should analyze patterns of failed entries against user and IP data to identify potential breaches. This focus helps in quickly addressing vulnerabilities in RDP security. Effective monitoring of these incidents is crucial for maintaining system integrity.\"},\"customWidth\":\"65\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"25px\",\"padding\":\"0px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FilteredRDP = (\\r\\ncorelight_rdp\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where action == \\\"failure\\\" or auth_success == \\\"false\\\"\\r\\n| where isnotempty(cookie)\\r\\n);\\r\\nlet CookieCount = (\\r\\nFilteredRDP\\r\\n| summarize Count = count() by cookie\\r\\n);\\r\\nlet QueryResult = (\\r\\nFilteredRDP\\r\\n| join kind=leftouter(CookieCount) on $left.cookie == $right.cookie\\r\\n| extend User = cookie, Source = src_ip, Responder = dest_ip, Auth_Success = tostring(auth_success), Result = result\\r\\n| summarize arg_max(TimeGenerated, *) by User\\r\\n| project User, Source, Responder, ['Auth Success'] = Auth_Success, Result, Count\\r\\n| sort by Count\\r\\n);\\r\\nlet QueryCount = (\\r\\nQueryResult\\r\\n| count\\r\\n);\\r\\nlet NoResults = (\\r\\ndatatable ( User: string, Source: string, Responder: string, ['Auth Success']: string, Result: string, Count: long) [ \\\"No Results\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", 0]\\r\\n);\\r\\nunion isfuzzy=true \\r\\n(QueryResult| where toscalar(QueryCount) != 0),\\r\\n(NoResults | where toscalar (QueryCount) == 0)\",\"size\":0,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"identifying failed rdp logins\"}]},\"name\":\"remote access hygiene\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### VPN Insights\\r\\n---\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Unusual Remote Activity\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Total count of VPN connections that have the following inferences NSP - Non-Standard Port RW - Road warrior configuration detected (i.e. Cisco Anyconnect) COM - Commercial VPN service occurring at the same time which is deemed suspicious.\\r\\n\\r\\n\"},\"name\":\"text - 0\"}]},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_vpn\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where Inferences has_all (\\\"COM\\\", \\\"RW\\\", \\\"NSP\\\")\\r\\n| summarize count() by src_ip, dest_ip, tostring(Inferences), vpn_type\\r\\n| count\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"exportFieldName\":\"Count\",\"exportParameterName\":\"Count\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### The combination of the \\\"COM\\\", \\\"RW\\\", and \\\"NSP\\\" inferences in a single VPN connection raises questions: Policy Violation: Is 
the use of commercial VPNs allowed in your organization's security policy? If not, this could indicate a violation. Hidden Activity: Is the non-standard port usage an attempt to mask other activities happening over the VPN tunnel?\"},\"customWidth\":\"65\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"34px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FilteredVPN = (\\r\\n corelight_vpn\\r\\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n | where Inferences has_all (\\\"COM\\\", \\\"RW\\\", \\\"NSP\\\")\\r\\n );\\r\\nlet VPNCount = (\\r\\n FilteredVPN\\r\\n | extend Inferences = tostring(Inferences)\\r\\n | summarize Count = count() by src_ip, dest_ip, Inferences, vpn_type\\r\\n | project src_ip, dest_ip, Inferences, vpn_type, Count\\r\\n );\\r\\nlet QueryResults = (\\r\\nFilteredVPN\\r\\n| extend Inferences_string = tostring(Inferences)\\r\\n| join kind=innerunique(VPNCount)\\r\\n on\\r\\n $left.src_ip == $right.src_ip,\\r\\n $left.dest_ip == $right.dest_ip,\\r\\n $left.Inferences_string == $right.Inferences,\\r\\n $left.vpn_type == $right.vpn_type\\r\\n| extend\\r\\n Source = src_ip,\\r\\n Responder = dest_ip,\\r\\n [\\\"VPN Type\\\"] = vpn_type,\\r\\n Count\\r\\n| extend NewInferences = strcat_array(Inferences, \\\",\\\")\\r\\n| project Source, Responder, Inferences = NewInferences, ['VPN Type'], Count\\r\\n| sort by Count\\r\\n);\\r\\nlet QueryCount = (\\r\\nQueryResults\\r\\n| count\\r\\n);\\r\\nlet NoResults = (\\r\\ndatatable ( Source: string, Responder: string , Inferences: string, ['VPN Type']: string, Count: long)\\r\\n[\\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", 0]\\r\\n);\\r\\nunion isfuzzy=true \\r\\n(QueryResults | where toscalar(QueryCount) != 0),\\r\\n(NoResults | where toscalar(QueryCount) == 0)\",\"size\":0,\"showAnalytics\":true,\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"VPN Type\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"15%\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"unusual remote activity\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Suspected Data Exfiltration\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Total count of VPN connections using potentially unusual connection configurations such as static TLS key auth.\"},\"name\":\"text - 0\"}]},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_vpn\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where Inferences has_any (\\\"TLS\\\", \\\"SK\\\")\\r\\n| summarize count() by src_ip, dest_ip\\r\\n| count\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Unmonitored commercial VPNs with a typical traffic patterns or static keys could be used to bypass security controls for data theft.\\r\\n\\r\\n#### **Investigate:** Examine VPN sessions with 
large outgoing transfers, focusing on unusual destinations or protocols.\"},\"customWidth\":\"65\",\"name\":\"text - 1\",\"styleSettings\":{\"margin\":\"30px\",\"padding\":\"10px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FilteredVPN = (\\r\\n corelight_vpn\\r\\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n | where Inferences has_any (\\\"TLS\\\", \\\"SK\\\")\\r\\n );\\r\\nlet VPNCount = ( \\r\\n FilteredVPN\\r\\n | summarize Count = count() by src_ip, dest_ip\\r\\n );\\r\\nlet QueryResults = (\\r\\nFilteredVPN\\r\\n| extend inferences_string = tostring(replace(\\\",\\\", \\\":\\\", strcat_array(Inferences, \\\":\\\")))\\r\\n| join kind=leftouter(VPNCount) on src_ip, dest_ip\\r\\n| summarize arg_max(TimeGenerated, *) by src_ip, dest_ip\\r\\n| project\\r\\n Source = src_ip,\\r\\n Responder = dest_ip,\\r\\n Inferences = inferences_string,\\r\\n [\\\"Responder Country\\\"] = resp_cc,\\r\\n [\\\"VPN Type\\\"] = vpn_type,\\r\\n Count\\r\\n| sort by Count\\r\\n);\\r\\nlet QueryCount = (\\r\\nVPNCount\\r\\n| count \\r\\n);\\r\\nlet NoResults = (\\r\\ndatatable ( Source: string, Responder: string, Inferences: string, [\\\"Responder Country\\\"]: string, [\\\"VPN Type\\\"]: string, Count: long)\\r\\n[\\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", 0]\\r\\n);\\r\\nunion isfuzzy=true \\r\\n(QueryResults | where toscalar(QueryCount) != 0),\\r\\n(NoResults | where toscalar(QueryCount) == 0)\",\"size\":0,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Responder Country\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"3%\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
2\",\"styleSettings\":{\"margin\":\"12px\",\"showBorder\":true}}]},\"customWidth\":\"50\",\"name\":\"suspected data exfiltration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Possible Unauthorized Remote Access Attempts\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Total count of VPN connections that are using the RW- Road warrior configuration detected (i.e. Cisco Anyconnect) and FW - Firewall subversion inferences.\"},\"name\":\"text - 0\"}]},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"corelight_vpn\\r\\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n| where Inferences has_any (\\\"RW\\\", \\\"FW\\\")\\r\\n| summarize count() by uid\\r\\n| count\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"No data found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"greenRed\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true}},\"customWidth\":\"30\",\"name\":\"query - 0\"},{\"type\":1,\"content\":{\"json\":\"#### Monitoring for \\\"RW\\\" (Road Warrior) and \\\"FW\\\" (Firewall subversion) inferences is crucial for detecting potential unauthorized access, as these patterns may indicate attempts to bypass security controls. 
Security teams should prioritize correlating these inferences with internal IP ranges and device logs to identify suspicious activities.\"},\"customWidth\":\"70\",\"name\":\"text - 1\",\"styleSettings\":{\"padding\":\"50px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let FilteredVPN = (\\r\\n corelight_vpn\\r\\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\\r\\n | where Inferences has_any (\\\"RW\\\", \\\"FW\\\")\\r\\n );\\r\\nlet VPNCount = ( \\r\\n FilteredVPN\\r\\n | summarize Count = count() by uid\\r\\n );\\r\\nlet QueryResults = (\\r\\nFilteredVPN\\r\\n| join kind=leftouter(VPNCount) on uid\\r\\n| summarize arg_max(TimeGenerated, *) by uid\\r\\n| extend\\r\\n Source = src_ip,\\r\\n Responder = dest_ip,\\r\\n Proto = proto,\\r\\n Inferences = Inferences,\\r\\n Bytes = orig_bytes\\r\\n| extend NewInferences = strcat_array(todynamic(Inferences), \\\",\\\")\\r\\n| project\\r\\n Source,\\r\\n Responder,\\r\\n Proto,\\r\\n Inferences = NewInferences,\\r\\n [\\\"Dest Port\\\"] = dest_port,\\r\\n Bytes,\\r\\n Count\\r\\n| sort by Count\\r\\n);\\r\\nlet QueryCount = (\\r\\nVPNCount\\r\\n| count \\r\\n);\\r\\nlet NoResults = (\\r\\ndatatable ( Source: string, Responder: string, Proto: string, Inferences: string, [\\\"Dest Port\\\"]: string, Bytes: string , Count: long)\\r\\n[\\\"No Results\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", \\\"N/A\\\", 0]\\r\\n);\\r\\nunion isfuzzy=true \\r\\n(QueryResults | where toscalar(QueryCount) != 0),\\r\\n(NoResults | where toscalar(QueryCount) == 0)\\r\\n| extend [\\\"Dest Port\\\"] = coalesce(tostring(tolong(['Dest Port_real'])), ['Dest Port_string']), Bytes = coalesce(tostring(tolong(Bytes_real)), Bytes_string)\\r\\n| project-away ['Dest Port_*'], Bytes_*\\r\\n| project-reorder \\r\\n Source,\\r\\n Responder,\\r\\n Proto,\\r\\n Inferences,\\r\\n [\\\"Dest Port\\\"],\\r\\n Bytes,\\r\\n Count\",\"size\":0,\"showAnalytics\":true,\"noDataMessage\":\"No data 
found.\",\"timeContextFromParameter\":\"GlobalTimeRestriction\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"possible unauthorized remote access attempts\"}]},\"name\":\"vpn insights\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"RemoteActivityInsights\"},\"name\":\"group - 14\"}]},\"conditionalVisibility\":{\"parameterName\":\"dashboard\",\"comparison\":\"isEqualTo\",\"value\":\"SecurityWorkflows\"},\"name\":\"Security Workflows\"}],\"fromTemplateId\":\"sentinel-Corelight\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -1036,7 +1036,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightC2RepetitiveFailures_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "CorelightC2RepetitiveFailures_AnalyticalRules Analytics Rule with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -1064,27 +1064,30 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Corelight",
 "dataTypes": [
 "Corelight_v2_dns",
 "Corelight_v2_dns_red",
 "corelight_dns",
 "corelight_dns_red"
- ],
- "connectorId": "Corelight"
+ ]
 }
 ],
 "tactics": [
 "CommandAndControl"
 ],
+ "techniques": [
+ "T1568"
+ ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "id_orig_h"
+ "columnName": "id_orig_h",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1139,7 +1142,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CorelightExternalProxyDetected_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CorelightExternalProxyDetected_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -1167,11 +1170,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Corelight",
 "dataTypes": [
 "Corelight_v2_http",
 "corelight_http"
- ],
- "connectorId": "Corelight"
+ ]
 }
 ],
 "tactics": [
@@ -1183,13 +1186,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "id_orig_h"
+ "columnName": "id_orig_h",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
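Review bot: The `techniques` array added after `tactics` in this hunk (`T1568` under CommandAndControl) appears only here and in `@@ -1378,25 +1381,28 @@` (`T1567` under Exfiltration); the other rule hunks in this diff (`@@ -1167,11 +1170,11 @@`, `@@ -1272,13 +1275,13 @@`, `@@ -1479,11 +1485,11 @@`, `@@ -1583,13 +1589,13 @@`, `@@ -1689,11 +1695,11 @@`, `@@ -1793,11 +1799,11 @@`, `@@ -1897,11 +1903,11 @@`, `@@ -2001,11 +2007,11 @@`) stop at `"tactics": [`, so it is not visible whether those rules receive a technique mapping too. If they do not, the ATT&CK coverage Sentinel reports for this solution will be uneven across the rule set; worth confirming against the source analytic-rule YAML before release. The rest of this hunk and of every sibling rule hunk only moves `connectorId` ahead of `dataTypes`, `entityType` behind `fieldMappings`, and swaps `identifier`/`columnName`, which is packaging-tool key-ordering with no semantic effect; a sentence in the PR description saying the generator's key order changed would let reviewers skip those lines.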
@@ -1244,7 +1247,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CorelightForcedExternalOutboundSMB_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CorelightForcedExternalOutboundSMB_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -1272,13 +1275,13 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Corelight",
 "dataTypes": [
 "Corelight_v2_conn",
 "Corelight_v2_conn_red",
 "corelight_conn",
 "corelight_conn_red"
- ],
- "connectorId": "Corelight"
+ ]
 }
 ],
 "tactics": [
@@ -1289,13 +1292,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "id_orig_h"
+ "columnName": "id_orig_h",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1350,7 +1353,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CorelightMultipleCompressedFilesTransferredOverHTTP_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CorelightMultipleCompressedFilesTransferredOverHTTP_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -1378,25 +1381,28 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Corelight",
 "dataTypes": [
 "Corelight_v2_http",
 "corelight_http"
- ],
- "connectorId": "Corelight"
+ ]
 }
 ],
 "tactics": [
 "Exfiltration"
 ],
+ "techniques": [
+ "T1567"
+ ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "id_orig_h"
+ "columnName": "id_orig_h",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1451,7 +1457,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CorelightMultipleFilesSentOverHTTPAbnormalRequests_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CorelightMultipleFilesSentOverHTTPAbnormalRequests_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1479,11 +1485,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Corelight",
 "dataTypes": [
 "Corelight_v2_http",
 "corelight_http"
- ],
- "connectorId": "Corelight"
+ ]
 }
 ],
 "tactics": [
@@ -1494,13 +1500,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "id_orig_h"
+ "columnName": "id_orig_h",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1555,7 +1561,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CorelightNetworkServiceScanning_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CorelightNetworkServiceScanning_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1583,13 +1589,13 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Corelight",
 "dataTypes": [
 "Corelight_v2_conn",
 "Corelight_v2_conn_red",
 "corelight_conn",
 "corelight_conn_red"
- ],
- "connectorId": "Corelight"
+ ]
 }
 ],
 "tactics": [
@@ -1600,13 +1606,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "id_orig_h"
+ "columnName": "id_orig_h",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1661,7 +1667,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CorelightPossibleWebshell_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CorelightPossibleWebshell_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1689,11 +1695,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Corelight",
 "dataTypes": [
 "Corelight_v2_http",
 "corelight_http"
- ],
- "connectorId": "Corelight"
+ ]
 }
 ],
 "tactics": [
@@ -1704,13 +1710,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "id_orig_h"
+ "columnName": "id_orig_h",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1765,7 +1771,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CorelightPossibleWebshellRarePOST_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CorelightPossibleWebshellRarePOST_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1793,11 +1799,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Corelight",
 "dataTypes": [
 "Corelight_v2_http",
 "corelight_http"
- ],
- "connectorId": "Corelight"
+ ]
 }
 ],
 "tactics": [
@@ -1808,13 +1814,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "id_orig_h"
+ "columnName": "id_orig_h",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -1869,7 +1875,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CorelightSMTPEmailSubjectNonAsciiCharacters_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CorelightSMTPEmailSubjectNonAsciiCharacters_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1897,11 +1903,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Corelight",
 "dataTypes": [
 "Corelight_v2_smtp",
 "corelight_smtp"
- ],
- "connectorId": "Corelight"
+ ]
 }
 ],
 "tactics": [
@@ -1912,13 +1918,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "MailMessage",
 "fieldMappings": [
 {
- "identifier": "Recipient",
- "columnName": "_to"
+ "columnName": "_to",
+ "identifier": "Recipient"
 }
- ]
+ ],
+ "entityType": "MailMessage"
 }
 ]
 }
@@ -1973,7 +1979,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CorelightTypoSquattingOrPunycodePhishingHTTPRequest_AnalyticalRules Analytics Rule with template version 3.0.2",
+ "description": "CorelightTypoSquattingOrPunycodePhishingHTTPRequest_AnalyticalRules Analytics Rule with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -2001,11 +2007,11 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "Corelight",
 "dataTypes": [
 "Corelight_v2_http",
 "corelight_http"
- ],
- "connectorId": "Corelight"
+ ]
 }
 ],
 "tactics": [
@@ -2016,13 +2022,13 @@
 ],
 "entityMappings": [
 {
- "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "id_orig_h"
+ "columnName": "id_orig_h",
+ "identifier": "Address"
 }
- ]
+ ],
+ "entityType": "IP"
 }
 ]
 }
@@ -2077,7 +2083,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Corelight data connector with template version 3.0.2",
+ "description": "Corelight data connector with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -3268,7 +3274,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Corelight Data Parser with template version 3.0.2",
+ "description": "Corelight Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -3398,7 +3404,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "corelight_bacnet Data Parser with template version 3.0.2",
+ "description": "corelight_bacnet Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -3528,7 +3534,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "corelight_capture_loss Data Parser with template version 3.0.2",
+ "description": "corelight_capture_loss Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -3658,7 +3664,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "corelight_cip Data Parser with template version 3.0.2",
+ "description": "corelight_cip Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject4').parserVersion4]",
@@ -3788,7 +3794,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "corelight_conn Data Parser with template version 3.0.2",
+ "description": "corelight_conn Data Parser with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject5').parserVersion5]",
@@ -3805,7 +3811,7 @@ "displayName": "corelight_conn parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_conn", - "query": "let corelight_conn = view () {\n Corelight_v2_conn_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n proto=proto_s,\n service=service_s,\n duration=duration_d,\n orig_bytes=orig_bytes_d,\n resp_bytes=resp_bytes_d,\n conn_state=conn_state_s,\n local_orig=local_orig_b,\n local_resp=local_resp_b,\n missed_bytes=missed_bytes_d,\n history=history_s,\n orig_pkts=orig_pkts_d,\n orig_ip_bytes=orig_ip_bytes_d,\n resp_pkts=resp_pkts_d,\n resp_ip_bytes=resp_ip_bytes_d,\n tunnel_parents=tunnel_parents_s,\n orig_cc=orig_cc_s,\n resp_cc=resp_cc_s,\n suri_ids=suri_ids_s,\n spcap_url=spcap_url_s,\n spcap_rule=spcap_rule_d,\n spcap_trigger=spcap_trigger_s,\n app=app_s,\n corelight_shunted=corelight_shunted_b,\n orig_shunted_pkts=orig_shunted_pkts_d,\n orig_shunted_bytes=orig_shunted_bytes_d,\n resp_shunted_pkts=resp_shunted_pkts_d,\n resp_shunted_bytes=resp_shunted_bytes_d,\n orig_l2_addr=orig_l2_addr_s,\n resp_l2_addr=resp_l2_addr_s,\n id_orig_h_n_src=id_orig_h_n_src_s,\n id_orig_h_n_vals=id_orig_h_n_vals_s,\n id_resp_h_n_src=id_resp_h_n_src_s,\n id_resp_h_n_vals=id_resp_h_n_vals_s,\n vlan=vlan_d,\n inner_vlan=inner_vlan_d,\n community_id=community_id_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"conn\",\n ts=TimeGenerated\n};\ncorelight_conn\n\n", + "query": "let ConnStateLookup = datatable(\n conn_state: string,\n conn_state_desc: string,\n action: string\n)[\n \"S0\",\"Connection attempt seen, no reply.\",\"teardown\",\n \"S1\",\"Connection established, not terminated.\",\"allowed\",\n \"SF\",\"Normal establishment and termination.\",\"allowed\",\n \"REJ\",\"Connection attempt rejected.\",\"blocked\",\n 
\"S2\",\"Connection established and close attempt by originator seen (but no reply from responder).\",\"allowed\",\n \"S3\",\"Connection established and close attempt by responder seen (but no reply from originator).\",\"allowed\",\n \"RSTO\",\"Connection established, originator aborted (sent a RST).\",\"allowed\",\n \"RSTR\",\"Established, responder aborted.\",\"allowed\",\n \"RSTOS0\",\"Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.\",\"teardown\",\n \"RSTRH\",\"Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.\",\"teardown\",\n \"SH\",\"Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open).\",\"teardown\",\n \"SHR\",\"Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.\",\"teardown\",\n \"OTH\",\"No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).\",\"allowed\"\n];\nlet dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_conn = view () {\n union isfuzzy=true dummy_table,\n Corelight_v2_conn_CL,\n Corelight_v2_conn_red_CL,\n Corelight_v2_conn_long_CL\n | summarize arg_max(TimeGenerated, *) by uid_s\n | extend \n path=column_ifexists(\"_path_s\", \"\"),\n system_name=column_ifexists(\"_system_name_s\", \"\"),\n write_ts=column_ifexists(\"_write_ts_t\", \"\"),\n uid=column_ifexists(\"uid_s\", \"\"),\n id_orig_h=column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p=column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h=column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p=column_ifexists(\"id_resp_p_d\", real(null)),\n proto=column_ifexists(\"proto_s\", \"\"),\n service=column_ifexists(\"service_s\", \"\"),\n duration=column_ifexists(\"duration_d\", real(null)),\n orig_bytes=column_ifexists(\"orig_bytes_d\", real(null)),\n resp_bytes=column_ifexists(\"resp_bytes_d\", real(null)),\n 
conn_state=column_ifexists(\"conn_state_s\", \"\"),\n local_orig=column_ifexists(\"local_orig_b\", \"\"),\n local_resp=column_ifexists(\"local_resp_b\", \"\"),\n missed_bytes=column_ifexists(\"missed_bytes_d\", real(null)),\n history=column_ifexists(\"history_s\", \"\"),\n orig_pkts=column_ifexists(\"orig_pkts_d\", real(null)),\n orig_ip_bytes=column_ifexists(\"orig_ip_bytes_d\", real(null)),\n resp_pkts=column_ifexists(\"resp_pkts_d\", real(null)),\n resp_ip_bytes=column_ifexists(\"resp_ip_bytes_d\", real(null)),\n tunnel_parents=column_ifexists(\"tunnel_parents_s\", \"\"),\n orig_cc=column_ifexists(\"orig_cc_s\", \"\"),\n resp_cc=column_ifexists(\"resp_cc_s\", \"\"),\n suri_ids=column_ifexists(\"suri_ids_s\", \"\"),\n spcap_url=column_ifexists(\"spcap_url_s\", \"\"),\n spcap_rule=column_ifexists(\"spcap_rule_d\", real(null)),\n spcap_trigger=column_ifexists(\"spcap_trigger_s\", \"\"),\n apps=column_ifexists(\"app_s\", \"\"),\n corelight_shunted=column_ifexists(\"corelight_shunted_b\", \"\"),\n orig_shunted_pkts=column_ifexists(\"orig_shunted_pkts_d\", real(null)),\n orig_shunted_bytes=column_ifexists(\"orig_shunted_bytes_d\", real(null)),\n resp_shunted_pkts=column_ifexists(\"resp_shunted_pkts_d\", real(null)),\n resp_shunted_bytes=column_ifexists(\"resp_shunted_bytes_d\", real(null)),\n orig_l2_addr=column_ifexists(\"orig_l2_addr_s\", \"\"),\n resp_l2_addr=column_ifexists(\"resp_l2_addr_s\",\"\"),\n id_orig_h_n_src=column_ifexists(\"id_orig_h_n_src_s\",\"\"),\n id_orig_h_n_vals=column_ifexists(\"id_orig_h_n_vals_s\",\"\"),\n id_resp_h_n_src=column_ifexists(\"id_resp_h_n_src_s\",\"\"),\n id_resp_h_n_vals=column_ifexists(\"id_resp_h_n_vals_s\",\"\"),\n vlan=column_ifexists(\"vlan_d\", real(null)),\n inner_vlan=column_ifexists(\"inner_vlan_d\", real(null)),\n community_id=column_ifexists(\"community_id_s\",\"\"),\n pcr=column_ifexists(\"pcr_d\", real(null)),\n id_vlan=column_ifexists(\"id_vlan_d\", real(null)),\n packets=column_ifexists(\"packets_d\", real(null))\n 
| lookup ConnStateLookup on conn_state\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"conn\",\n ts=TimeGenerated,\n src=id_orig_h,\n src_ip=id_orig_h,\n src_port=id_orig_p,\n dest=id_resp_h,\n dest_ip=id_resp_h,\n dest_port=id_resp_p,\n bytes_out=orig_ip_bytes,\n src_mac=orig_l2_addr,\n dvc=orig_l2_addr,\n packets_out=orig_pkts,\n bytes_in=resp_ip_bytes,\n dest_mac=resp_l2_addr,\n dst_mac=resp_l2_addr,\n packets_in=resp_pkts,\n session_id=uid,\n src_country=orig_cc,\n dest_country=resp_cc,\n bytes=resp_ip_bytes + orig_ip_bytes,\n sensor_name = coalesce(system_name, \"unknown\"),\n transport=iff(proto=='icmp' and id_orig_h matches regex \".*:.*\", \"icmp6\", proto),\n app=split(service, \",\")\n | extend \n is_broadcast = iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n direction=case(local_orig==\"true\" and local_resp==\"true\", \"internal\", local_orig==\"true\" and local_resp==\"false\", \"outbound\", local_orig==\"false\" and local_resp==\"false\", \"external\", local_orig==\"false\" and local_resp==\"true\", \"inbound\", \"unknown\"),\n packets=coalesce(toreal(packets), packets_in+packets_out)\n | project \n TimeGenerated,\n path,\n system_name,\n write_ts,\n uid,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n proto,\n service,\n duration,\n orig_bytes,\n resp_bytes,\n conn_state,\n local_orig,\n local_resp,\n missed_bytes,\n history,\n orig_pkts,\n orig_ip_bytes,\n resp_pkts,\n resp_ip_bytes,\n tunnel_parents,\n orig_cc,\n resp_cc,\n suri_ids,\n spcap_url,\n spcap_rule,\n spcap_trigger,\n apps,\n corelight_shunted,\n orig_shunted_pkts,\n orig_shunted_bytes,\n resp_shunted_pkts,\n resp_shunted_bytes,\n orig_l2_addr,\n resp_l2_addr,\n id_orig_h_n_src,\n id_orig_h_n_vals,\n id_resp_h_n_src,\n id_resp_h_n_vals,\n 
vlan,\n inner_vlan,\n community_id,\n pcr,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n bytes_out,\n src_mac,\n dvc,\n packets_out,\n bytes_in,\n dest_mac,\n dst_mac,\n packets_in,\n session_id,\n src_country,\n dest_country,\n bytes,\n sensor_name,\n is_broadcast,\n is_src_internal_ip,\n is_dest_internal_ip,\n direction,\n id_vlan,\n packets,\n transport,\n app,\n conn_state_desc,\n action\n};\ncorelight_conn\n", "functionParameters": "", "version": 2, "tags": [ @@ -3854,8 +3860,8 @@ "contentId": "[variables('parserObject5').parserContentId5]", "contentKind": "Parser", "displayName": "corelight_conn parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.1.0')))]", "version": "[variables('parserObject5').parserVersion5]" } }, 
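Review bot: In the new `corelight_conn` query, `local_orig`/`local_resp` are compared as booleans in `is_src_internal_ip = iff(local_orig == true, ...)` and `is_dest_internal_ip` but as strings in `direction=case(local_orig==\"true\" and local_resp==\"true\", ...)` inside the same `extend`; both fields come from `column_ifexists(\"local_orig_b\", \"\")` / `column_ifexists(\"local_resp_b\", \"\")`, so the value is either a bool (column present) or the empty string (column absent), and unless KQL coerces between the two types one of the comparisons can never match or fails type-checking, leaving `direction` at `\"unknown\"` on rows where the flag fields do resolve. Deriving `direction` in a following `| extend` from the already-normalized strings keeps the same four-way mapping with one comparison style, e.g. `direction=case(is_src_internal_ip==\"true\" and is_dest_internal_ip==\"true\", \"internal\", is_src_internal_ip==\"true\" and is_dest_internal_ip==\"false\", \"outbound\", is_src_internal_ip==\"false\" and is_dest_internal_ip==\"false\", \"external\", is_src_internal_ip==\"false\" and is_dest_internal_ip==\"true\", \"inbound\", \"unknown\")`. Separately, `summarize arg_max(TimeGenerated, *) by uid_s` over the union of `Corelight_v2_conn_CL`, `Corelight_v2_conn_red_CL` and `Corelight_v2_conn_long_CL` collapses every row sharing a `uid_s` to the latest one before any caller-side time filter applies; if `conn_long` records periodic updates for the same uid, intermediate byte and packet counts are dropped, and the rules in this diff that consume `corelight_conn` (the outbound-SMB and service-scanning ones) will evaluate only that final snapshot, which is worth stating in the parser description so rule authors and tuners know what `orig_bytes`/`packets` represent.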
@@ -3869,7 +3875,7 @@ "displayName": "corelight_conn parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_conn", - "query": "let corelight_conn = view () {\n Corelight_v2_conn_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n proto=proto_s,\n service=service_s,\n duration=duration_d,\n orig_bytes=orig_bytes_d,\n resp_bytes=resp_bytes_d,\n conn_state=conn_state_s,\n local_orig=local_orig_b,\n local_resp=local_resp_b,\n missed_bytes=missed_bytes_d,\n history=history_s,\n orig_pkts=orig_pkts_d,\n orig_ip_bytes=orig_ip_bytes_d,\n resp_pkts=resp_pkts_d,\n resp_ip_bytes=resp_ip_bytes_d,\n tunnel_parents=tunnel_parents_s,\n orig_cc=orig_cc_s,\n resp_cc=resp_cc_s,\n suri_ids=suri_ids_s,\n spcap_url=spcap_url_s,\n spcap_rule=spcap_rule_d,\n spcap_trigger=spcap_trigger_s,\n app=app_s,\n corelight_shunted=corelight_shunted_b,\n orig_shunted_pkts=orig_shunted_pkts_d,\n orig_shunted_bytes=orig_shunted_bytes_d,\n resp_shunted_pkts=resp_shunted_pkts_d,\n resp_shunted_bytes=resp_shunted_bytes_d,\n orig_l2_addr=orig_l2_addr_s,\n resp_l2_addr=resp_l2_addr_s,\n id_orig_h_n_src=id_orig_h_n_src_s,\n id_orig_h_n_vals=id_orig_h_n_vals_s,\n id_resp_h_n_src=id_resp_h_n_src_s,\n id_resp_h_n_vals=id_resp_h_n_vals_s,\n vlan=vlan_d,\n inner_vlan=inner_vlan_d,\n community_id=community_id_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"conn\",\n ts=TimeGenerated\n};\ncorelight_conn\n\n", + "query": "let ConnStateLookup = datatable(\n conn_state: string,\n conn_state_desc: string,\n action: string\n)[\n \"S0\",\"Connection attempt seen, no reply.\",\"teardown\",\n \"S1\",\"Connection established, not terminated.\",\"allowed\",\n \"SF\",\"Normal establishment and termination.\",\"allowed\",\n \"REJ\",\"Connection attempt rejected.\",\"blocked\",\n 
\"S2\",\"Connection established and close attempt by originator seen (but no reply from responder).\",\"allowed\",\n \"S3\",\"Connection established and close attempt by responder seen (but no reply from originator).\",\"allowed\",\n \"RSTO\",\"Connection established, originator aborted (sent a RST).\",\"allowed\",\n \"RSTR\",\"Established, responder aborted.\",\"allowed\",\n \"RSTOS0\",\"Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.\",\"teardown\",\n \"RSTRH\",\"Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.\",\"teardown\",\n \"SH\",\"Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open).\",\"teardown\",\n \"SHR\",\"Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.\",\"teardown\",\n \"OTH\",\"No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).\",\"allowed\"\n];\nlet dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_conn = view () {\n union isfuzzy=true dummy_table,\n Corelight_v2_conn_CL,\n Corelight_v2_conn_red_CL,\n Corelight_v2_conn_long_CL\n | summarize arg_max(TimeGenerated, *) by uid_s\n | extend \n path=column_ifexists(\"_path_s\", \"\"),\n system_name=column_ifexists(\"_system_name_s\", \"\"),\n write_ts=column_ifexists(\"_write_ts_t\", \"\"),\n uid=column_ifexists(\"uid_s\", \"\"),\n id_orig_h=column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p=column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h=column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p=column_ifexists(\"id_resp_p_d\", real(null)),\n proto=column_ifexists(\"proto_s\", \"\"),\n service=column_ifexists(\"service_s\", \"\"),\n duration=column_ifexists(\"duration_d\", real(null)),\n orig_bytes=column_ifexists(\"orig_bytes_d\", real(null)),\n resp_bytes=column_ifexists(\"resp_bytes_d\", real(null)),\n 
conn_state=column_ifexists(\"conn_state_s\", \"\"),\n local_orig=column_ifexists(\"local_orig_b\", \"\"),\n local_resp=column_ifexists(\"local_resp_b\", \"\"),\n missed_bytes=column_ifexists(\"missed_bytes_d\", real(null)),\n history=column_ifexists(\"history_s\", \"\"),\n orig_pkts=column_ifexists(\"orig_pkts_d\", real(null)),\n orig_ip_bytes=column_ifexists(\"orig_ip_bytes_d\", real(null)),\n resp_pkts=column_ifexists(\"resp_pkts_d\", real(null)),\n resp_ip_bytes=column_ifexists(\"resp_ip_bytes_d\", real(null)),\n tunnel_parents=column_ifexists(\"tunnel_parents_s\", \"\"),\n orig_cc=column_ifexists(\"orig_cc_s\", \"\"),\n resp_cc=column_ifexists(\"resp_cc_s\", \"\"),\n suri_ids=column_ifexists(\"suri_ids_s\", \"\"),\n spcap_url=column_ifexists(\"spcap_url_s\", \"\"),\n spcap_rule=column_ifexists(\"spcap_rule_d\", real(null)),\n spcap_trigger=column_ifexists(\"spcap_trigger_s\", \"\"),\n apps=column_ifexists(\"app_s\", \"\"),\n corelight_shunted=column_ifexists(\"corelight_shunted_b\", \"\"),\n orig_shunted_pkts=column_ifexists(\"orig_shunted_pkts_d\", real(null)),\n orig_shunted_bytes=column_ifexists(\"orig_shunted_bytes_d\", real(null)),\n resp_shunted_pkts=column_ifexists(\"resp_shunted_pkts_d\", real(null)),\n resp_shunted_bytes=column_ifexists(\"resp_shunted_bytes_d\", real(null)),\n orig_l2_addr=column_ifexists(\"orig_l2_addr_s\", \"\"),\n resp_l2_addr=column_ifexists(\"resp_l2_addr_s\",\"\"),\n id_orig_h_n_src=column_ifexists(\"id_orig_h_n_src_s\",\"\"),\n id_orig_h_n_vals=column_ifexists(\"id_orig_h_n_vals_s\",\"\"),\n id_resp_h_n_src=column_ifexists(\"id_resp_h_n_src_s\",\"\"),\n id_resp_h_n_vals=column_ifexists(\"id_resp_h_n_vals_s\",\"\"),\n vlan=column_ifexists(\"vlan_d\", real(null)),\n inner_vlan=column_ifexists(\"inner_vlan_d\", real(null)),\n community_id=column_ifexists(\"community_id_s\",\"\"),\n pcr=column_ifexists(\"pcr_d\", real(null)),\n id_vlan=column_ifexists(\"id_vlan_d\", real(null)),\n packets=column_ifexists(\"packets_d\", real(null))\n 
| lookup ConnStateLookup on conn_state\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"conn\",\n ts=TimeGenerated,\n src=id_orig_h,\n src_ip=id_orig_h,\n src_port=id_orig_p,\n dest=id_resp_h,\n dest_ip=id_resp_h,\n dest_port=id_resp_p,\n bytes_out=orig_ip_bytes,\n src_mac=orig_l2_addr,\n dvc=orig_l2_addr,\n packets_out=orig_pkts,\n bytes_in=resp_ip_bytes,\n dest_mac=resp_l2_addr,\n dst_mac=resp_l2_addr,\n packets_in=resp_pkts,\n session_id=uid,\n src_country=orig_cc,\n dest_country=resp_cc,\n bytes=resp_ip_bytes + orig_ip_bytes,\n sensor_name = coalesce(system_name, \"unknown\"),\n transport=iff(proto=='icmp' and id_orig_h matches regex \".*:.*\", \"icmp6\", proto),\n app=split(service, \",\")\n | extend \n is_broadcast = iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n direction=case(local_orig==\"true\" and local_resp==\"true\", \"internal\", local_orig==\"true\" and local_resp==\"false\", \"outbound\", local_orig==\"false\" and local_resp==\"false\", \"external\", local_orig==\"false\" and local_resp==\"true\", \"inbound\", \"unknown\"),\n packets=coalesce(toreal(packets), packets_in+packets_out)\n | project \n TimeGenerated,\n path,\n system_name,\n write_ts,\n uid,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n proto,\n service,\n duration,\n orig_bytes,\n resp_bytes,\n conn_state,\n local_orig,\n local_resp,\n missed_bytes,\n history,\n orig_pkts,\n orig_ip_bytes,\n resp_pkts,\n resp_ip_bytes,\n tunnel_parents,\n orig_cc,\n resp_cc,\n suri_ids,\n spcap_url,\n spcap_rule,\n spcap_trigger,\n apps,\n corelight_shunted,\n orig_shunted_pkts,\n orig_shunted_bytes,\n resp_shunted_pkts,\n resp_shunted_bytes,\n orig_l2_addr,\n resp_l2_addr,\n id_orig_h_n_src,\n id_orig_h_n_vals,\n id_resp_h_n_src,\n id_resp_h_n_vals,\n 
vlan,\n inner_vlan,\n community_id,\n pcr,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n bytes_out,\n src_mac,\n dvc,\n packets_out,\n bytes_in,\n dest_mac,\n dst_mac,\n packets_in,\n session_id,\n src_country,\n dest_country,\n bytes,\n sensor_name,\n is_broadcast,\n is_src_internal_ip,\n is_dest_internal_ip,\n direction,\n id_vlan,\n packets,\n transport,\n app,\n conn_state_desc,\n action\n};\ncorelight_conn\n", "functionParameters": "", "version": 2, "tags": [ @@ -3918,7 +3924,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_conn_long Data Parser with template version 3.0.2", + "description": "corelight_conn_long Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject6').parserVersion6]", @@ -4048,7 +4054,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_conn_red Data Parser with template version 3.0.2", + "description": "corelight_conn_red Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject7').parserVersion7]", 
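Review bot: `local_orig`/`local_resp` are read in two incompatible ways in the new corelight_conn query: `is_src_internal_ip`/`is_dest_internal_ip` test `local_orig == true` (bool) while `direction` tests `local_orig=="true"` (string), and the `column_ifexists` default is the string `""`; whichever type the column actually has, one of the two comparisons either fails to bind or can never be true, so `direction` (or the internal-ip flags, when the column is absent) comes out wrong. Normalising once fixes both: `local_orig=column_ifexists("local_orig_b", bool(null))`, `local_resp=column_ifexists("local_resp_b", bool(null))`, and `direction=case(local_orig and local_resp, "internal", local_orig and not(local_resp), "outbound", not(local_orig) and not(local_resp), "external", not(local_orig) and local_resp, "inbound", "unknown")`, with nulls falling through to "unknown". Separately, `summarize arg_max(TimeGenerated, *) by uid_s` over the union of all three conn tables runs before anything a caller appends, and as far as I can tell a `where TimeGenerated > ago(1h)` placed after `corelight_conn` cannot be pushed below it, so every invocation scans the full retained conn history; that deserves a `//` note at the top of the query string, or a time-window parameter in a later version. The same query text appears in the contentTemplate copy of this parser earlier in the file and needs the identical change.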
@@ -4178,7 +4184,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_corelight_burst Data Parser with template version 3.0.2", + "description": "corelight_corelight_burst Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject8').parserVersion8]", @@ -4308,7 +4314,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_corelight_overall_capture_loss Data Parser with template version 3.0.2", + "description": "corelight_corelight_overall_capture_loss Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject9').parserVersion9]", @@ -4438,7 +4444,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_corelight_profiling Data Parser with template version 3.0.2", + "description": "corelight_corelight_profiling Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject10').parserVersion10]", 
@@ -4568,7 +4574,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_datared Data Parser with template version 3.0.2", + "description": "corelight_datared Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject11').parserVersion11]", @@ -4698,7 +4704,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_dce_rpc Data Parser with template version 3.0.2", + "description": "corelight_dce_rpc Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject12').parserVersion12]", @@ -4828,7 +4834,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_dga Data Parser with template version 3.0.2", + "description": "corelight_dga Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject13').parserVersion13]", 
@@ -4958,7 +4964,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_dhcp Data Parser with template version 3.0.2", + "description": "corelight_dhcp Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject14').parserVersion14]", @@ -5088,7 +5094,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_dnp3 Data Parser with template version 3.0.2", + "description": "corelight_dnp3 Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject15').parserVersion15]", @@ -5218,7 +5224,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_dns Data Parser with template version 3.0.2", + "description": "corelight_dns Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject16').parserVersion16]", 
@@ -5235,7 +5241,7 @@ "displayName": "corelight_dns parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_dns", - "query": "let corelight_dns = view () {\n Corelight_v2_dns_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n proto=proto_s,\n trans_id=trans_id_d,\n rtt=rtt_d,\n query=query_s,\n qclass=qclass_d,\n qclass_name=qclass_name_s,\n qtype=qtype_d,\n qtype_name=qtype_name_s,\n rcode=rcode_d,\n rcode_name=rcode_name_s,\n AA=AA_b,\n TC=TC_b,\n RD=RD_b,\n RA=RA_b,\n Z=Z_d,\n answers=answers_s,\n TTLs=TTLs_s,\n rejected=rejected_b\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"dns\",\n ts=TimeGenerated\n};\ncorelight_dns\n\n", + "query": "let DNSLookup = datatable(\n rcode: int,\n reply_code: string,\n cim_reply_code: string\n)[\n 0,\"NOERROR\",\"No Error\",\n 1,\"FORMERR\",\"FormErr\",\n 2,\"SERVFAIL\",\"ServFail\",\n 3,\"NXDOMAIN\",\"NXDomain\",\n 4,\"NOTIMP\",\"NotImp\",\n 5,\"REFUSED\",\"Refused\"\n];\nlet dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_dns = view () {\n union isfuzzy=true Corelight_v2_dns_CL, Corelight_v2_dns_red_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp \n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n AA = column_ifexists(\"AA_b\", \"\"),\n RA = column_ifexists(\"RA_b\", \"\"),\n RD = column_ifexists(\"RD_b\", \"\"),\n TC = column_ifexists(\"TC_b\", \"\"),\n TTLs = column_ifexists(\"TTLs_s\", \"\"),\n Z = column_ifexists(\"Z_d\", real(null)),\n answers = column_ifexists(\"answers_s\", \"\"),\n 
id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n proto = column_ifexists(\"proto_s\", \"\"),\n qclass = column_ifexists(\"qclass_d\", real(null)),\n qclass_name = column_ifexists(\"qclass_name_s\", \"\"),\n qtype = column_ifexists(\"qtype_d\", real(null)),\n qtype_name = column_ifexists(\"qtype_name_s\", \"\"),\n query = column_ifexists(\"query_s\", \"\"),\n rcode = column_ifexists(\"rcode_d\", long(null)),\n rcode_name = column_ifexists(\"rcode_name_s\", \"\"),\n rejected = column_ifexists(\"rejected_b\", \"\"),\n rtt = column_ifexists(\"rtt_d\", real(null)),\n trans_id = column_ifexists(\"trans_id_d\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n num = column_ifexists(\"num_d\", real(null)),\n icann_domain = column_ifexists(\"icann_domain_s\", \"\"),\n icann_host_subdomain = column_ifexists(\"icann_host_subdomain_s\", \"\"),\n icann_tld = column_ifexists(\"icann_tld_s\", \"\"),\n is_trusted_domain = column_ifexists(\"is_trusted_domain_b\", \"\")\n | extend rcode = toint(rcode)\n | lookup DNSLookup on rcode\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"dns\",\n ts = TimeGenerated,\n dns_flags_authoritative_answer = AA,\n dns_flags_recursion_available = RA,\n dns_flags_truncated_response = TC,\n ttl = TTLs,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n record_class = qclass_name,\n record_type = qtype_name,\n reply_code_id = rcode,\n dns_flags_rejected = rejected,\n duration = rtt,\n response_time = rtt,\n transaction_id = trans_id,\n session_id = uid,\n answer_count = array_length(todynamic(answers)),\n query_count = array_length(todynamic(query)),\n sensor_name = coalesce(system_name, \"unknown\"),\n reply_code = cim_reply_code\n | extend\n 
is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\"),\n transport = iff(proto == \"icmp\" and id_orig_h matches regex \".*:.*\", \"icmp6\", proto),\n query_length = strlen(query),\n answer_length = iff(answer_count == 1, strlen(answers), tolong('')),\n message_type = iff(isnotnull(rcode), \"Response\", \"Query\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n AA,\n RA,\n RD,\n TC,\n TTLs,\n Z,\n answers,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n proto,\n qclass,\n qclass_name,\n qtype,\n qtype_name,\n query,\n rcode,\n rcode_name,\n rejected,\n rtt,\n trans_id,\n uid,\n num,\n icann_domain,\n icann_host_subdomain,\n icann_tld,\n is_trusted_domain,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n dns_flags_authoritative_answer,\n dns_flags_recursion_available,\n dns_flags_truncated_response,\n ttl,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n record_class,\n record_type,\n reply_code_id,\n dns_flags_rejected,\n duration,\n response_time,\n transaction_id,\n session_id,\n answer_count,\n query_count,\n sensor_name,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip,\n transport,\n query_length,\n answer_length,\n message_type,\n reply_code\n};\ncorelight_dns\n", "functionParameters": "", "version": 2, "tags": [ 
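Review bot: `summarize arg_max(TimeGenerated, *) by uid_s` in the new corelight_dns query keeps a single record per connection uid, but a Zeek/Corelight dns.log entry is per transaction and several DNS queries can share one uid (a resolver reusing its source port, or DNS over TCP), so those records are silently dropped and any rule counting queries per host or hunting for a specific name will undercount. If the intent is only to drop duplicates between `Corelight_v2_dns_CL` and `Corelight_v2_dns_red_CL`, key the dedup on the transaction as well: `let dummy_table = datatable(TimeGenerated: datetime, uid_s: string, trans_id_d: real) [];` and `| summarize arg_max(TimeGenerated, *) by uid_s, trans_id_d` (the dummy column keeps the key present when one table lacks it). In the same `extend`, `trans_id = column_ifexists("trans_id_d", "")` defaults a numeric `_d` column to a string; `real(null)` keeps the output type stable and matches the other `_d` columns. This parser text is duplicated in the next hunk (the standalone saved-search copy) and must be changed in both places.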
@@ -5284,8 +5290,8 @@ "contentId": "[variables('parserObject16').parserContentId16]", "contentKind": "Parser", "displayName": "corelight_dns parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject16').parserContentId16,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject16').parserContentId16,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject16').parserContentId16,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject16').parserContentId16,'-', '1.1.0')))]", "version": "[variables('parserObject16').parserVersion16]" } }, 
@@ -5299,7 +5305,7 @@ "displayName": "corelight_dns parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_dns", - "query": "let corelight_dns = view () {\n Corelight_v2_dns_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n proto=proto_s,\n trans_id=trans_id_d,\n rtt=rtt_d,\n query=query_s,\n qclass=qclass_d,\n qclass_name=qclass_name_s,\n qtype=qtype_d,\n qtype_name=qtype_name_s,\n rcode=rcode_d,\n rcode_name=rcode_name_s,\n AA=AA_b,\n TC=TC_b,\n RD=RD_b,\n RA=RA_b,\n Z=Z_d,\n answers=answers_s,\n TTLs=TTLs_s,\n rejected=rejected_b\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"dns\",\n ts=TimeGenerated\n};\ncorelight_dns\n\n", + "query": "let DNSLookup = datatable(\n rcode: int,\n reply_code: string,\n cim_reply_code: string\n)[\n 0,\"NOERROR\",\"No Error\",\n 1,\"FORMERR\",\"FormErr\",\n 2,\"SERVFAIL\",\"ServFail\",\n 3,\"NXDOMAIN\",\"NXDomain\",\n 4,\"NOTIMP\",\"NotImp\",\n 5,\"REFUSED\",\"Refused\"\n];\nlet dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_dns = view () {\n union isfuzzy=true Corelight_v2_dns_CL, Corelight_v2_dns_red_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp \n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n AA = column_ifexists(\"AA_b\", \"\"),\n RA = column_ifexists(\"RA_b\", \"\"),\n RD = column_ifexists(\"RD_b\", \"\"),\n TC = column_ifexists(\"TC_b\", \"\"),\n TTLs = column_ifexists(\"TTLs_s\", \"\"),\n Z = column_ifexists(\"Z_d\", real(null)),\n answers = column_ifexists(\"answers_s\", \"\"),\n 
id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n proto = column_ifexists(\"proto_s\", \"\"),\n qclass = column_ifexists(\"qclass_d\", real(null)),\n qclass_name = column_ifexists(\"qclass_name_s\", \"\"),\n qtype = column_ifexists(\"qtype_d\", real(null)),\n qtype_name = column_ifexists(\"qtype_name_s\", \"\"),\n query = column_ifexists(\"query_s\", \"\"),\n rcode = column_ifexists(\"rcode_d\", long(null)),\n rcode_name = column_ifexists(\"rcode_name_s\", \"\"),\n rejected = column_ifexists(\"rejected_b\", \"\"),\n rtt = column_ifexists(\"rtt_d\", real(null)),\n trans_id = column_ifexists(\"trans_id_d\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n num = column_ifexists(\"num_d\", real(null)),\n icann_domain = column_ifexists(\"icann_domain_s\", \"\"),\n icann_host_subdomain = column_ifexists(\"icann_host_subdomain_s\", \"\"),\n icann_tld = column_ifexists(\"icann_tld_s\", \"\"),\n is_trusted_domain = column_ifexists(\"is_trusted_domain_b\", \"\")\n | extend rcode = toint(rcode)\n | lookup DNSLookup on rcode\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"dns\",\n ts = TimeGenerated,\n dns_flags_authoritative_answer = AA,\n dns_flags_recursion_available = RA,\n dns_flags_truncated_response = TC,\n ttl = TTLs,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n record_class = qclass_name,\n record_type = qtype_name,\n reply_code_id = rcode,\n dns_flags_rejected = rejected,\n duration = rtt,\n response_time = rtt,\n transaction_id = trans_id,\n session_id = uid,\n answer_count = array_length(todynamic(answers)),\n query_count = array_length(todynamic(query)),\n sensor_name = coalesce(system_name, \"unknown\"),\n reply_code = cim_reply_code\n | extend\n 
is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\"),\n transport = iff(proto == \"icmp\" and id_orig_h matches regex \".*:.*\", \"icmp6\", proto),\n query_length = strlen(query),\n answer_length = iff(answer_count == 1, strlen(answers), tolong('')),\n message_type = iff(isnotnull(rcode), \"Response\", \"Query\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n AA,\n RA,\n RD,\n TC,\n TTLs,\n Z,\n answers,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n proto,\n qclass,\n qclass_name,\n qtype,\n qtype_name,\n query,\n rcode,\n rcode_name,\n rejected,\n rtt,\n trans_id,\n uid,\n num,\n icann_domain,\n icann_host_subdomain,\n icann_tld,\n is_trusted_domain,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n dns_flags_authoritative_answer,\n dns_flags_recursion_available,\n dns_flags_truncated_response,\n ttl,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n record_class,\n record_type,\n reply_code_id,\n dns_flags_rejected,\n duration,\n response_time,\n transaction_id,\n session_id,\n answer_count,\n query_count,\n sensor_name,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip,\n transport,\n query_length,\n answer_length,\n message_type,\n reply_code\n};\ncorelight_dns\n", "functionParameters": "", "version": 2, "tags": [ 
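Review bot: The `join kind=leftouter (corelight_conn | project uid, local_orig, local_resp)` in this copy of corelight_dns evaluates the whole corelight_conn view — a union of three conn tables followed by `summarize arg_max(TimeGenerated, *) by uid_s` — on every call, and as far as I can tell neither that summarize nor the one on the DNS side lets Kusto push a caller's `where TimeGenerated > ago(...)` below it, so a scheduled rule built on `corelight_dns` scans all retained conn and dns data each run. That is worth a `// NOTE:` comment at the top of the `query` string and a time-window parameter in a later version. Two smaller points in the same `extend`: `query_count = array_length(todynamic(query))` is null whenever `query_s` holds a plain name rather than a JSON array (Zeek's dns query field is a single string, so presumably always), and `answer_length = iff(answer_count == 1, strlen(answers), …)` measures the raw JSON text of `answers_s`, brackets and quotes included, rather than the answer itself. The identical query appears in the previous hunk (the contentTemplate copy) and the two must stay in sync.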
@@ -5348,7 +5354,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_dns_red Data Parser with template version 3.0.2", + "description": "corelight_dns_red Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject17').parserVersion17]", @@ -5478,7 +5484,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_dpd Data Parser with template version 3.0.2", + "description": "corelight_dpd Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject18').parserVersion18]", @@ -5608,7 +5614,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_encrypted_dns Data Parser with template version 3.0.2", + "description": "corelight_encrypted_dns Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject19').parserVersion19]", 
@@ -5738,7 +5744,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_enip Data Parser with template version 3.0.2", + "description": "corelight_enip Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject20').parserVersion20]", @@ -5868,7 +5874,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_enip_debug Data Parser with template version 3.0.2", + "description": "corelight_enip_debug Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject21').parserVersion21]", @@ -5998,7 +6004,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_enip_list_identity Data Parser with template version 3.0.2", + "description": "corelight_enip_list_identity Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject22').parserVersion22]", 
@@ -6128,7 +6134,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_etc_viz Data Parser with template version 3.0.2", + "description": "corelight_etc_viz Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject23').parserVersion23]", 
@@ -6145,7 +6151,7 @@ "displayName": "corelight_etc_viz parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_etc_viz", - "query": "let corelight_etc_viz = view () {\n Corelight_v2_etc_viz_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n server_a=server_a_s,\n server_p=server_p_d,\n service=service_s,\n viz_stat=viz_stat_s,\n c2s_viz_size=c2s_viz_size_d,\n c2s_viz_enc_dev=c2s_viz_enc_dev_d,\n c2s_viz_enc_frac=c2s_viz_enc_frac_d,\n c2s_viz_pdu1_enc=c2s_viz_pdu1_enc_b,\n c2s_viz_clr_frac=c2s_viz_clr_frac_d,\n c2s_viz_clr_ex=c2s_viz_clr_ex_s,\n s2c_viz_size=s2c_viz_size_d,\n s2c_viz_enc_dev=s2c_viz_enc_dev_d,\n s2c_viz_enc_frac=s2c_viz_enc_frac_d,\n s2c_viz_pdu1_enc=s2c_viz_pdu1_enc_b,\n s2c_viz_clr_frac=s2c_viz_clr_frac_d,\n s2c_viz_clr_ex=s2c_viz_clr_ex_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"etc_viz\",\n ts=TimeGenerated\n};\ncorelight_etc_viz\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_etc_viz = view () {\n union isfuzzy=true Corelight_v2_etc_viz_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n |project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n server_a = column_ifexists(\"server_a_s\", \"\"),\n server_p = column_ifexists(\"server_p_d\", real(null)),\n service = column_ifexists(\"service_s\", \"\"),\n viz_stat = column_ifexists(\"viz_stat_s\", \"\"),\n c2s_viz_size = column_ifexists(\"c2s_viz_size_d\", real(null)),\n c2s_viz_enc_dev = column_ifexists(\"c2s_viz_enc_dev_d\", real(null)),\n c2s_viz_enc_frac = column_ifexists(\"c2s_viz_enc_frac_d\", 
real(null)),\n c2s_viz_pdu1_enc = column_ifexists(\"c2s_viz_pdu1_enc_b\", \"\"),\n c2s_viz_clr_frac = column_ifexists(\"c2s_viz_clr_frac_d\", real(null)),\n c2s_viz_clr_ex = column_ifexists(\"c2s_viz_clr_ex_s\", \"\"),\n s2c_viz_size = column_ifexists(\"s2c_viz_size_d\", real(null)),\n s2c_viz_enc_dev = column_ifexists(\"s2c_viz_enc_dev_d\", real(null)),\n s2c_viz_enc_frac = column_ifexists(\"s2c_viz_enc_frac_d\", real(null)),\n s2c_viz_pdu1_enc = column_ifexists(\"s2c_viz_pdu1_enc_b\", \"\"),\n s2c_viz_clr_frac = column_ifexists(\"s2c_viz_clr_frac_d\", real(null)),\n s2c_viz_clr_ex = column_ifexists(\"s2c_viz_clr_ex_s\", \"\"),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null))\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"etc_viz\",\n ts = TimeGenerated,\n session_id = uid,\n status = viz_stat,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n bytes_out = tolong(c2s_viz_size),\n bytes_in = tolong(s2c_viz_size),\n sensor_name = coalesce(system_name, \"unknown\")\n | extend\n bytes = bytes_in + bytes_out,\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n uid,\n server_a,\n server_p,\n service,\n viz_stat,\n c2s_viz_size,\n c2s_viz_enc_dev,\n c2s_viz_enc_frac,\n c2s_viz_pdu1_enc,\n c2s_viz_clr_frac,\n c2s_viz_clr_ex,\n s2c_viz_size,\n s2c_viz_enc_dev,\n s2c_viz_enc_frac,\n s2c_viz_pdu1_enc,\n s2c_viz_clr_frac,\n s2c_viz_clr_ex,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n 
EventVendor,\n EventProduct,\n EventType,\n ts,\n session_id,\n status,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n bytes_out,\n bytes_in,\n sensor_name,\n bytes,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip\n};\ncorelight_etc_viz\n", "functionParameters": "", "version": 2, "tags": [ @@ -6194,8 +6200,8 @@ "contentId": "[variables('parserObject23').parserContentId23]", "contentKind": "Parser", "displayName": "corelight_etc_viz parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject23').parserContentId23,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject23').parserContentId23,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject23').parserContentId23,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject23').parserContentId23,'-', '1.1.0')))]", "version": "[variables('parserObject23').parserVersion23]" } }, 
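Review bot: In the new corelight_etc_viz query, `is_dest_internal_ip = iff(local_resp == true, "true", "false")` and the matching `is_src_internal_ip` line turn a missing enrichment into a definite "external" answer: the `join kind=leftouter` against corelight_conn leaves `local_orig`/`local_resp` null when no conn row shares the uid, `null == true` is null, and iff then takes the else branch (as I read KQL's null handling), so an unmatched event is reported as `"false"` exactly like a genuinely external address. A consumer that filters on `is_dest_internal_ip == "false"` to find egress will pick these rows up as false positives, and one looking for internal destinations will silently miss them. Consider keeping the bool (null stays null) or encoding the third state, e.g. `is_dest_internal_ip = case(isnull(local_resp), "unknown", local_resp, "true", "false")` and the same for `is_src_internal_ip` on `local_orig`. The duplicated copy of this query in the next hunk, and the corelight_ftp and corelight_http hunks further down, use the same pattern.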
@@ -6209,7 +6215,7 @@ "displayName": "corelight_etc_viz parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_etc_viz", - "query": "let corelight_etc_viz = view () {\n Corelight_v2_etc_viz_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n server_a=server_a_s,\n server_p=server_p_d,\n service=service_s,\n viz_stat=viz_stat_s,\n c2s_viz_size=c2s_viz_size_d,\n c2s_viz_enc_dev=c2s_viz_enc_dev_d,\n c2s_viz_enc_frac=c2s_viz_enc_frac_d,\n c2s_viz_pdu1_enc=c2s_viz_pdu1_enc_b,\n c2s_viz_clr_frac=c2s_viz_clr_frac_d,\n c2s_viz_clr_ex=c2s_viz_clr_ex_s,\n s2c_viz_size=s2c_viz_size_d,\n s2c_viz_enc_dev=s2c_viz_enc_dev_d,\n s2c_viz_enc_frac=s2c_viz_enc_frac_d,\n s2c_viz_pdu1_enc=s2c_viz_pdu1_enc_b,\n s2c_viz_clr_frac=s2c_viz_clr_frac_d,\n s2c_viz_clr_ex=s2c_viz_clr_ex_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"etc_viz\",\n ts=TimeGenerated\n};\ncorelight_etc_viz\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_etc_viz = view () {\n union isfuzzy=true Corelight_v2_etc_viz_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n |project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n server_a = column_ifexists(\"server_a_s\", \"\"),\n server_p = column_ifexists(\"server_p_d\", real(null)),\n service = column_ifexists(\"service_s\", \"\"),\n viz_stat = column_ifexists(\"viz_stat_s\", \"\"),\n c2s_viz_size = column_ifexists(\"c2s_viz_size_d\", real(null)),\n c2s_viz_enc_dev = column_ifexists(\"c2s_viz_enc_dev_d\", real(null)),\n c2s_viz_enc_frac = column_ifexists(\"c2s_viz_enc_frac_d\", 
real(null)),\n c2s_viz_pdu1_enc = column_ifexists(\"c2s_viz_pdu1_enc_b\", \"\"),\n c2s_viz_clr_frac = column_ifexists(\"c2s_viz_clr_frac_d\", real(null)),\n c2s_viz_clr_ex = column_ifexists(\"c2s_viz_clr_ex_s\", \"\"),\n s2c_viz_size = column_ifexists(\"s2c_viz_size_d\", real(null)),\n s2c_viz_enc_dev = column_ifexists(\"s2c_viz_enc_dev_d\", real(null)),\n s2c_viz_enc_frac = column_ifexists(\"s2c_viz_enc_frac_d\", real(null)),\n s2c_viz_pdu1_enc = column_ifexists(\"s2c_viz_pdu1_enc_b\", \"\"),\n s2c_viz_clr_frac = column_ifexists(\"s2c_viz_clr_frac_d\", real(null)),\n s2c_viz_clr_ex = column_ifexists(\"s2c_viz_clr_ex_s\", \"\"),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null))\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"etc_viz\",\n ts = TimeGenerated,\n session_id = uid,\n status = viz_stat,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n bytes_out = tolong(c2s_viz_size),\n bytes_in = tolong(s2c_viz_size),\n sensor_name = coalesce(system_name, \"unknown\")\n | extend\n bytes = bytes_in + bytes_out,\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n uid,\n server_a,\n server_p,\n service,\n viz_stat,\n c2s_viz_size,\n c2s_viz_enc_dev,\n c2s_viz_enc_frac,\n c2s_viz_pdu1_enc,\n c2s_viz_clr_frac,\n c2s_viz_clr_ex,\n s2c_viz_size,\n s2c_viz_enc_dev,\n s2c_viz_enc_frac,\n s2c_viz_pdu1_enc,\n s2c_viz_clr_frac,\n s2c_viz_clr_ex,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n 
EventVendor,\n EventProduct,\n EventType,\n ts,\n session_id,\n status,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n bytes_out,\n bytes_in,\n sensor_name,\n bytes,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip\n};\ncorelight_etc_viz\n", "functionParameters": "", "version": 2, "tags": [ @@ -6258,7 +6264,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_files Data Parser with template version 3.0.2", + "description": "corelight_files Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject24').parserVersion24]", 
@@ -6275,7 +6281,7 @@ "displayName": "corelight_files parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_files", - "query": "let corelight_files = view () {\n Corelight_v2_files_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n fuid=fuid_s,\n tx_hosts=tx_hosts_s,\n rx_hosts=rx_hosts_s,\n conn_uids=conn_uids_s,\n source=source_s,\n depth=depth_d,\n analyzers=analyzers_s,\n mime_type=mime_type_s,\n filename=filename_s,\n duration=duration_d,\n local_orig=local_orig_b,\n is_orig=is_orig_b,\n seen_bytes=seen_bytes_d,\n total_bytes=total_bytes_d,\n missing_bytes=missing_bytes_d,\n overflow_bytes=overflow_bytes_d,\n timedout=timedout_b,\n parent_fuid=parent_fuid_s,\n sha1=sha1_s,\n sha256=sha256_s,\n extracted=extracted_s,\n extracted_cutoff=extracted_cutoff_b,\n extracted_size=extracted_size_d\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"files\",\n ts=TimeGenerated\n};\ncorelight_files\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet corelight_files = view () {\n union isfuzzy=true Corelight_v2_files_CL,\n Corelight_v2_files_red_CL, dummy_table\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n analyzers = column_ifexists(\"analyzers_s\", \"\"),\n conn_uids = column_ifexists(\"conn_uids_s\", \"\"),\n depth = column_ifexists(\"depth_d\", real(null)),\n duration = column_ifexists(\"duration_d\", real(null)),\n fuid = column_ifexists(\"fuid_s\", \"\"),\n is_orig = column_ifexists(\"is_orig_b\", \"\"),\n local_orig = column_ifexists(\"local_orig_b\", \"\"),\n md5 = column_ifexists(\"md5_s\", \"\"),\n mime_type = column_ifexists(\"mime_type_s\", \"\"),\n missing_bytes = column_ifexists(\"missing_bytes_d\", real(null)),\n overflow_bytes = column_ifexists(\"overflow_bytes_d\", real(null)),\n 
rx_hosts = column_ifexists(\"rx_hosts_s\", \"\"),\n seen_bytes = column_ifexists(\"seen_bytes_d\", real(null)),\n sha1 = column_ifexists(\"sha1_s\", \"\"),\n sha256 = column_ifexists(\"sha256_s\", \"\"),\n source = column_ifexists(\"source_s\", \"\"),\n timedout = column_ifexists(\"timedout_b\", \"\"),\n total_bytes = column_ifexists(\"total_bytes_d\", real(null)),\n tx_hosts = column_ifexists(\"tx_hosts_s\", \"\"),\n vlan = column_ifexists(\"vlan_d\", real(null)),\n filename = column_ifexists(\"filename_s\", \"\"),\n parent_fuid = column_ifexists(\"parent_fuid_s\", \"\"),\n extracted = column_ifexists(\"extracted_s\", \"\"),\n extracted_cutoff = column_ifexists(\"extracted_cutoff_b\", \"\"),\n extracted_size = column_ifexists(\"extracted_size_d\", real(null)),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n num = column_ifexists(\"num_d\", real(null))\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"files\",\n ts = TimeGenerated,\n uid = conn_uids,\n dest_host = rx_hosts,\n bytes = seen_bytes,\n file_size = total_bytes,\n src_host = tx_hosts,\n file_name = filename,\n object = filename,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n app = source,\n file_hash = coalesce(md5, sha1, sha256, \"unknown\"),\n sensor_name = coalesce(system_name, \"unknown\")\n | extend\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(ipv4_is_in_range( dest, \"10.0.0.0/8\") or ipv4_is_in_range( dest, \"172.16.0.0/12\") or ipv4_is_in_range( dest, \"192.168.0.0/16\"), \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n 
TimeGenerated,\n path,\n system_name,\n write_ts,\n analyzers,\n conn_uids,\n depth,\n duration,\n fuid,\n is_orig,\n local_orig,\n md5,\n mime_type,\n missing_bytes,\n overflow_bytes,\n rx_hosts,\n seen_bytes,\n sha1,\n sha256,\n source,\n timedout,\n total_bytes,\n tx_hosts,\n vlan,\n filename,\n parent_fuid,\n extracted,\n extracted_cutoff,\n extracted_size,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n num,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n uid,\n dest_host,\n bytes,\n file_size,\n src_host,\n file_name,\n object,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n app,\n file_hash,\n sensor_name,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip\n};\ncorelight_files\n", "functionParameters": "", "version": 2, "tags": [ @@ -6324,8 +6330,8 @@ "contentId": "[variables('parserObject24').parserContentId24]", "contentKind": "Parser", "displayName": "corelight_files parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject24').parserContentId24,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject24').parserContentId24,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject24').parserContentId24,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject24').parserContentId24,'-', '1.1.0')))]", "version": "[variables('parserObject24').parserVersion24]" } }, 
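Review bot: In the new corelight_files query, `is_src_internal_ip = iff(local_orig == true, "true", "false")` compares a value that may be a string: `local_orig = column_ifexists("local_orig_b", "")` takes the default's type when the column is absent, and `dummy_table` here declares only TimeGenerated, so on a workspace without that column the comparison is string-to-bool, which KQL rejects at bind time as far as I know rather than evaluating to false. The `_b` columns (`is_orig_b`, `local_orig_b`, `timedout_b`, `extracted_cutoff_b`) should default to `bool(null)` the way the `_d` columns default to `real(null)`, e.g. `local_orig = column_ifexists("local_orig_b", bool(null))`. Separately, `is_dest_internal_ip` is derived from hard-coded RFC 1918 ranges while the sibling etc_viz/ftp parsers derive it from corelight_conn's `local_resp`, and `ipv4_is_in_range` yields null for IPv6 destinations so those all render as "false". `file_hash = coalesce(md5, sha1, sha256, "unknown")` also prefers the weakest digest; `coalesce(sha256, sha1, md5, "unknown")` serves indicator matching better. The duplicated copy of this query in the following hunk has the same issues.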
@@ -6339,7 +6345,7 @@ "displayName": "corelight_files parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_files", - "query": "let corelight_files = view () {\n Corelight_v2_files_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n fuid=fuid_s,\n tx_hosts=tx_hosts_s,\n rx_hosts=rx_hosts_s,\n conn_uids=conn_uids_s,\n source=source_s,\n depth=depth_d,\n analyzers=analyzers_s,\n mime_type=mime_type_s,\n filename=filename_s,\n duration=duration_d,\n local_orig=local_orig_b,\n is_orig=is_orig_b,\n seen_bytes=seen_bytes_d,\n total_bytes=total_bytes_d,\n missing_bytes=missing_bytes_d,\n overflow_bytes=overflow_bytes_d,\n timedout=timedout_b,\n parent_fuid=parent_fuid_s,\n sha1=sha1_s,\n sha256=sha256_s,\n extracted=extracted_s,\n extracted_cutoff=extracted_cutoff_b,\n extracted_size=extracted_size_d\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"files\",\n ts=TimeGenerated\n};\ncorelight_files\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet corelight_files = view () {\n union isfuzzy=true Corelight_v2_files_CL,\n Corelight_v2_files_red_CL, dummy_table\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n analyzers = column_ifexists(\"analyzers_s\", \"\"),\n conn_uids = column_ifexists(\"conn_uids_s\", \"\"),\n depth = column_ifexists(\"depth_d\", real(null)),\n duration = column_ifexists(\"duration_d\", real(null)),\n fuid = column_ifexists(\"fuid_s\", \"\"),\n is_orig = column_ifexists(\"is_orig_b\", \"\"),\n local_orig = column_ifexists(\"local_orig_b\", \"\"),\n md5 = column_ifexists(\"md5_s\", \"\"),\n mime_type = column_ifexists(\"mime_type_s\", \"\"),\n missing_bytes = column_ifexists(\"missing_bytes_d\", real(null)),\n overflow_bytes = column_ifexists(\"overflow_bytes_d\", real(null)),\n 
rx_hosts = column_ifexists(\"rx_hosts_s\", \"\"),\n seen_bytes = column_ifexists(\"seen_bytes_d\", real(null)),\n sha1 = column_ifexists(\"sha1_s\", \"\"),\n sha256 = column_ifexists(\"sha256_s\", \"\"),\n source = column_ifexists(\"source_s\", \"\"),\n timedout = column_ifexists(\"timedout_b\", \"\"),\n total_bytes = column_ifexists(\"total_bytes_d\", real(null)),\n tx_hosts = column_ifexists(\"tx_hosts_s\", \"\"),\n vlan = column_ifexists(\"vlan_d\", real(null)),\n filename = column_ifexists(\"filename_s\", \"\"),\n parent_fuid = column_ifexists(\"parent_fuid_s\", \"\"),\n extracted = column_ifexists(\"extracted_s\", \"\"),\n extracted_cutoff = column_ifexists(\"extracted_cutoff_b\", \"\"),\n extracted_size = column_ifexists(\"extracted_size_d\", real(null)),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n num = column_ifexists(\"num_d\", real(null))\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"files\",\n ts = TimeGenerated,\n uid = conn_uids,\n dest_host = rx_hosts,\n bytes = seen_bytes,\n file_size = total_bytes,\n src_host = tx_hosts,\n file_name = filename,\n object = filename,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n app = source,\n file_hash = coalesce(md5, sha1, sha256, \"unknown\"),\n sensor_name = coalesce(system_name, \"unknown\")\n | extend\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(ipv4_is_in_range( dest, \"10.0.0.0/8\") or ipv4_is_in_range( dest, \"172.16.0.0/12\") or ipv4_is_in_range( dest, \"192.168.0.0/16\"), \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n 
TimeGenerated,\n path,\n system_name,\n write_ts,\n analyzers,\n conn_uids,\n depth,\n duration,\n fuid,\n is_orig,\n local_orig,\n md5,\n mime_type,\n missing_bytes,\n overflow_bytes,\n rx_hosts,\n seen_bytes,\n sha1,\n sha256,\n source,\n timedout,\n total_bytes,\n tx_hosts,\n vlan,\n filename,\n parent_fuid,\n extracted,\n extracted_cutoff,\n extracted_size,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n num,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n uid,\n dest_host,\n bytes,\n file_size,\n src_host,\n file_name,\n object,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n app,\n file_hash,\n sensor_name,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip\n};\ncorelight_files\n", "functionParameters": "", "version": 2, "tags": [ @@ -6388,7 +6394,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_files_red Data Parser with template version 3.0.2", + "description": "corelight_files_red Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject25').parserVersion25]", @@ -6518,7 +6524,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_ftp Data Parser with template version 3.0.2", + "description": "corelight_ftp Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject26').parserVersion26]", 
@@ -6535,7 +6541,7 @@ "displayName": "corelight_ftp parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_ftp", - "query": "let corelight_ftp = view () {\n Corelight_v2_ftp_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n user=user_s,\n password=password_s,\n command=command_s,\n arg=arg_s,\n mime_type=mime_type_s,\n file_size=file_size_d,\n reply_code=reply_code_d,\n reply_msg=reply_msg_s,\n data_channel_passive=data_channel_passive_b,\n data_channel_orig_h=data_channel_orig_h_s,\n data_channel_resp_h=data_channel_resp_h_s,\n data_channel_resp_p=data_channel_resp_p_d,\n fuid=fuid_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"ftp\",\n ts=TimeGenerated\n};\ncorelight_ftp\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_ftp = view () {\n union isfuzzy=true Corelight_v2_ftp_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n command = column_ifexists(\"command_s\", \"\"),\n data_channel_orig_h = column_ifexists(\"data_channel_orig_h_s\", \"\"),\n data_channel_passive = column_ifexists(\"data_channel_passive_b\", \"\"),\n data_channel_resp_h = column_ifexists(\"data_channel_resp_h_s\", \"\"),\n arg = column_ifexists(\"arg_s\", \"\"),\n data_channel_resp_p = column_ifexists(\"data_channel_resp_p_d\", real(null)),\n err = column_ifexists(\"err_s\", \"\"),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", 
real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n password = column_ifexists(\"password_s\", \"\"),\n reply_code = column_ifexists(\"reply_code_d\", real(null)),\n reply_msg = column_ifexists(\"reply_msg_s\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n user = column_ifexists(\"user_s\", \"\"),\n mime_type = column_ifexists(\"mime_type_s\", \"\"),\n file_size = column_ifexists(\"file_size_d\", real(null)),\n fuid = column_ifexists(\"fuid_s\", \"\")\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"ftp\",\n ts = TimeGenerated,\n signature_id = toint(reply_code),\n signature = reply_msg,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n sensor_name = coalesce(system_name, \"unknown\")\n | extend \n extract_user = extract(\"user/(?\\\\w+)\", 1, user),\n action = case(signature_id<300, \"Success\", \"Failure\"),\n object = split(arg, '/')[-1],\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n command,\n data_channel_orig_h,\n data_channel_passive,\n data_channel_resp_h,\n arg,\n data_channel_resp_p,\n err,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n password,\n reply_code,\n reply_msg,\n uid,\n user,\n mime_type,\n file_size,\n fuid,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n signature_id,\n signature,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n sensor_name,\n extract_user,\n action,\n object,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip\n};\ncorelight_ftp\n", "functionParameters": "", "version": 2, "tags": [ 
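Review bot: `summarize arg_max(TimeGenerated, *) by uid_s` in the new corelight_ftp query keeps one row per connection uid, but the Corelight/Zeek ftp log emits a row per command on a session, so every command before the last one is dropped from the parser output (a login followed by several transfers leaves only the final record), which is a detection-coverage regression compared with the old per-row view. The dedup is presumably there to keep the leftouter join to corelight_conn one-to-one; that can be done on the conn side instead, `( corelight_conn | summarize arg_max(TimeGenerated, local_orig, local_resp) by uid | project uid, local_orig, local_resp )`, leaving the ftp rows intact. The corelight_http hunk further down (whose end is outside this view) uses the same pattern and has the same concern, since http.log is one row per transaction, not per connection. Also, as rendered here `extract("user/(?\\w+)", 1, user)` is not a valid group; if a named group `(?<name>…)` was lost in rendering ignore this, otherwise it needs fixing, and note that `password` is still projected unmasked into the normalized output.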
@@ -6584,8 +6590,8 @@ "contentId": "[variables('parserObject26').parserContentId26]", "contentKind": "Parser", "displayName": "corelight_ftp parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject26').parserContentId26,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject26').parserContentId26,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject26').parserContentId26,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject26').parserContentId26,'-', '1.1.0')))]", "version": "[variables('parserObject26').parserVersion26]" } }, 
@@ -6599,7 +6605,7 @@ "displayName": "corelight_ftp parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_ftp", - "query": "let corelight_ftp = view () {\n Corelight_v2_ftp_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n user=user_s,\n password=password_s,\n command=command_s,\n arg=arg_s,\n mime_type=mime_type_s,\n file_size=file_size_d,\n reply_code=reply_code_d,\n reply_msg=reply_msg_s,\n data_channel_passive=data_channel_passive_b,\n data_channel_orig_h=data_channel_orig_h_s,\n data_channel_resp_h=data_channel_resp_h_s,\n data_channel_resp_p=data_channel_resp_p_d,\n fuid=fuid_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"ftp\",\n ts=TimeGenerated\n};\ncorelight_ftp\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_ftp = view () {\n union isfuzzy=true Corelight_v2_ftp_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n command = column_ifexists(\"command_s\", \"\"),\n data_channel_orig_h = column_ifexists(\"data_channel_orig_h_s\", \"\"),\n data_channel_passive = column_ifexists(\"data_channel_passive_b\", \"\"),\n data_channel_resp_h = column_ifexists(\"data_channel_resp_h_s\", \"\"),\n arg = column_ifexists(\"arg_s\", \"\"),\n data_channel_resp_p = column_ifexists(\"data_channel_resp_p_d\", real(null)),\n err = column_ifexists(\"err_s\", \"\"),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", 
real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n password = column_ifexists(\"password_s\", \"\"),\n reply_code = column_ifexists(\"reply_code_d\", real(null)),\n reply_msg = column_ifexists(\"reply_msg_s\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n user = column_ifexists(\"user_s\", \"\"),\n mime_type = column_ifexists(\"mime_type_s\", \"\"),\n file_size = column_ifexists(\"file_size_d\", real(null)),\n fuid = column_ifexists(\"fuid_s\", \"\")\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"ftp\",\n ts = TimeGenerated,\n signature_id = toint(reply_code),\n signature = reply_msg,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n sensor_name = coalesce(system_name, \"unknown\")\n | extend \n extract_user = extract(\"user/(?\\\\w+)\", 1, user),\n action = case(signature_id<300, \"Success\", \"Failure\"),\n object = split(arg, '/')[-1],\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n command,\n data_channel_orig_h,\n data_channel_passive,\n data_channel_resp_h,\n arg,\n data_channel_resp_p,\n err,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n password,\n reply_code,\n reply_msg,\n uid,\n user,\n mime_type,\n file_size,\n fuid,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n signature_id,\n signature,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n sensor_name,\n extract_user,\n action,\n object,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip\n};\ncorelight_ftp\n", "functionParameters": "", "version": 2, "tags": [ 
@@ -6648,7 +6654,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_generic_dns_tunnels Data Parser with template version 3.0.2", + "description": "corelight_generic_dns_tunnels Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject27').parserVersion27]", @@ -6778,7 +6784,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_generic_icmp_tunnels Data Parser with template version 3.0.2", + "description": "corelight_generic_icmp_tunnels Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject28').parserVersion28]", @@ -6908,7 +6914,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_http Data Parser with template version 3.0.2", + "description": "corelight_http Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject29').parserVersion29]", 
@@ -6925,7 +6931,7 @@ "displayName": "corelight_http parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_http", - "query": "let corelight_http = view () {\n Corelight_v2_http_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n trans_depth=trans_depth_d,\n method=method_s,\n host=host_s,\n uri=uri_s,\n referrer=referrer_s,\n version=version_s,\n user_agent=user_agent_s,\n origin=origin_s,\n request_body_len=request_body_len_d,\n response_body_len=response_body_len_d,\n status_code=status_code_d,\n status_msg=status_msg_s,\n info_code=info_code_d,\n info_msg=info_msg_s,\n tags=tags_s,\n username=username_s,\n password=password_s,\n proxied=proxied_s,\n orig_fuids=orig_fuids_s,\n orig_filenames=orig_filenames_s,\n orig_mime_types=orig_mime_types_s,\n resp_fuids=resp_fuids_s,\n resp_filenames=resp_filenames_s,\n resp_mime_types=resp_mime_types_s,\n post_body=post_body_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"http\",\n ts=TimeGenerated\n};\ncorelight_http\n\n", + "query": "let StatusLookup = datatable(\n status: string,\n action: string\n)[\n \"success\",\"allowed\",\n \"failure\",\"blocked\",\n \"200\",\"success\",\n \"204\",\"success\",\n \"206\",\"success\",\n \"207\",\"success\",\n \"301\",\"success\",\n \"302\",\"success\",\n \"303\",\"success\",\n \"304\",\"success\",\n \"307\",\"success\",\n \"400\",\"failure\",\n \"401\",\"failure\",\n \"403\",\"failure\",\n \"404\",\"failure\",\n \"408\",\"failure\",\n \"500\",\"failure\",\n \"503\",\"failure\",\n \"504\",\"failure\"\n];\nlet dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_http = view () {\n union isfuzzy=true Corelight_v2_http_CL, Corelight_v2_http_red_CL, Corelight_v2_http2_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) 
by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n host = column_ifexists(\"host_s\", \"\"),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n id_vlan = column_ifexists(\"id_vlan_d\", real(null)),\n method = column_ifexists(\"method_s\", \"\"),\n orig_fuids = column_ifexists(\"orig_fuids_s\", \"\"),\n post_body = column_ifexists(\"post_body_s\", \"\"),\n request_body_len = column_ifexists(\"request_body_len_d\", real(null)),\n resp_fuids = column_ifexists(\"resp_fuids_s\", \"\"),\n response_body_len = column_ifexists(\"response_body_len_d\", real(null)),\n status_code = column_ifexists(\"status_code_d\", real(null)),\n status_msg = column_ifexists(\"status_msg_s\", \"\"),\n tags = column_ifexists(\"tags_s\", \"\"),\n trans_depth = column_ifexists(\"trans_depth_d\", real(null)),\n uid = column_ifexists(\"uid_s\", \"\"),\n uri = column_ifexists(\"uri_s\", \"\"),\n version = column_ifexists(\"version_s\", \"\"),\n resp_filenames = column_ifexists(\"resp_filenames_s\", \"\"),\n user_agent = column_ifexists(\"user_agent_s\", \"\"),\n referrer = column_ifexists(\"referrer_s\", \"\"),\n origin = column_ifexists(\"origin_s\", \"\"),\n info_code = column_ifexists(\"info_code_d\", real(null)),\n info_msg = column_ifexists(\"info_msg_s\", \"\"),\n username = column_ifexists(\"username_s\", \"\"),\n password = column_ifexists(\"password_s\", \"\"),\n proxied = column_ifexists(\"proxied_s\", \"\"),\n orig_filenames = column_ifexists(\"orig_filenames_s\", \"\"),\n orig_mime_types = column_ifexists(\"orig_mime_types_s\", \"\"),\n 
resp_mime_types = column_ifexists(\"resp_mime_types_s\", \"\"),\n push = column_ifexists(\"push_b\", \"\"),\n encoding = column_ifexists(\"encoding_s\", \"\"),\n stream_id = column_ifexists(\"stream_id_d\", real(null))\n | extend status_code = tostring(toint(status_code))\n | lookup StatusLookup on $left.status_code == $right.status\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"http\",\n ts = TimeGenerated,\n dest_host = host,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n http_method = method,\n bytes_in = request_body_len,\n bytes_out = response_body_len,\n status = status_code,\n vendor_action = status_msg,\n uri_path = uri,\n object = resp_filenames,\n http_user_agent = user_agent,\n http_referrer = referrer,\n http_content_type = orig_mime_types,\n sensor_name = coalesce(system_name, \"unknown\"),\n http_version = version,\n http_username = username,\n http_password = password,\n http_encoding = encoding\n | extend\n http_user_agent_length = strlen(http_user_agent),\n bytes = bytes_in + bytes_out,\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\"),\n host_header=dest_host,\n referrer_domain_domain=parse_url(referrer).Host,\n referrer_domain_ip=strcat(parse_url(referrer).Host, \":\", parse_url(referrer).Port)\n | extend \n url = strcat(\"http://\",host_header,uri),\n url_domain = host_header\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n host,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n id_vlan,\n method,\n orig_fuids,\n post_body,\n request_body_len,\n resp_fuids,\n response_body_len,\n status_code,\n status_msg,\n tags,\n trans_depth,\n uid,\n uri,\n version,\n resp_filenames,\n 
user_agent,\n referrer,\n origin,\n info_code,\n info_msg,\n username,\n password,\n proxied,\n orig_filenames,\n orig_mime_types,\n resp_mime_types,\n push,\n encoding,\n stream_id,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n dest_host,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n http_method,\n bytes_in,\n bytes_out,\n status,\n vendor_action,\n uri_path,\n object,\n http_user_agent,\n http_referrer,\n http_content_type,\n sensor_name,\n http_version,\n http_username,\n http_password,\n http_encoding,\n http_user_agent_length,\n bytes,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip,\n host_header,\n referrer_domain_domain,\n referrer_domain_ip,\n url,\n url_domain,\n action\n};\ncorelight_http\n", "functionParameters": "", "version": 2, "tags": [ @@ -6974,8 +6980,8 @@ "contentId": "[variables('parserObject29').parserContentId29]", "contentKind": "Parser", "displayName": "corelight_http parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject29').parserContentId29,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject29').parserContentId29,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject29').parserContentId29,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject29').parserContentId29,'-', '1.1.0')))]", "version": "[variables('parserObject29').parserVersion29]" } }, 
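Review bot: The `StatusLookup` datatable leaves `action` empty for every status code it does not list (201, 202, 405, 429, 502 among others, and rows where `status_code_d` is absent), and its first two rows keyed `"success"`/`"failure"` can never match the numeric `status_code` string the `lookup` joins on, so they are dead entries. A range rule covers all codes without a table and matches the table's own 3xx-as-success classification: `| extend action = case(isempty(status_code), "", toint(status_code) < 400, "success", "failure")`. Separately, `summarize arg_max(TimeGenerated, *) by uid_s` keeps only the latest transaction per connection, so a persistent connection carrying several requests (distinguished by `trans_depth`) loses all but one row; if the intent is only to dedupe across the three unioned tables, grouping by `uid_s, trans_depth_d` would presumably keep that while preserving the transactions. The same query is repeated verbatim in the hunk at `@@ -6989,7 +6995,7 @@`, so both copies need the change.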
@@ -6989,7 +6995,7 @@ "displayName": "corelight_http parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_http", - "query": "let corelight_http = view () {\n Corelight_v2_http_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n trans_depth=trans_depth_d,\n method=method_s,\n host=host_s,\n uri=uri_s,\n referrer=referrer_s,\n version=version_s,\n user_agent=user_agent_s,\n origin=origin_s,\n request_body_len=request_body_len_d,\n response_body_len=response_body_len_d,\n status_code=status_code_d,\n status_msg=status_msg_s,\n info_code=info_code_d,\n info_msg=info_msg_s,\n tags=tags_s,\n username=username_s,\n password=password_s,\n proxied=proxied_s,\n orig_fuids=orig_fuids_s,\n orig_filenames=orig_filenames_s,\n orig_mime_types=orig_mime_types_s,\n resp_fuids=resp_fuids_s,\n resp_filenames=resp_filenames_s,\n resp_mime_types=resp_mime_types_s,\n post_body=post_body_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"http\",\n ts=TimeGenerated\n};\ncorelight_http\n\n", + "query": "let StatusLookup = datatable(\n status: string,\n action: string\n)[\n \"success\",\"allowed\",\n \"failure\",\"blocked\",\n \"200\",\"success\",\n \"204\",\"success\",\n \"206\",\"success\",\n \"207\",\"success\",\n \"301\",\"success\",\n \"302\",\"success\",\n \"303\",\"success\",\n \"304\",\"success\",\n \"307\",\"success\",\n \"400\",\"failure\",\n \"401\",\"failure\",\n \"403\",\"failure\",\n \"404\",\"failure\",\n \"408\",\"failure\",\n \"500\",\"failure\",\n \"503\",\"failure\",\n \"504\",\"failure\"\n];\nlet dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_http = view () {\n union isfuzzy=true Corelight_v2_http_CL, Corelight_v2_http_red_CL, Corelight_v2_http2_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) 
by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n host = column_ifexists(\"host_s\", \"\"),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n id_vlan = column_ifexists(\"id_vlan_d\", real(null)),\n method = column_ifexists(\"method_s\", \"\"),\n orig_fuids = column_ifexists(\"orig_fuids_s\", \"\"),\n post_body = column_ifexists(\"post_body_s\", \"\"),\n request_body_len = column_ifexists(\"request_body_len_d\", real(null)),\n resp_fuids = column_ifexists(\"resp_fuids_s\", \"\"),\n response_body_len = column_ifexists(\"response_body_len_d\", real(null)),\n status_code = column_ifexists(\"status_code_d\", real(null)),\n status_msg = column_ifexists(\"status_msg_s\", \"\"),\n tags = column_ifexists(\"tags_s\", \"\"),\n trans_depth = column_ifexists(\"trans_depth_d\", real(null)),\n uid = column_ifexists(\"uid_s\", \"\"),\n uri = column_ifexists(\"uri_s\", \"\"),\n version = column_ifexists(\"version_s\", \"\"),\n resp_filenames = column_ifexists(\"resp_filenames_s\", \"\"),\n user_agent = column_ifexists(\"user_agent_s\", \"\"),\n referrer = column_ifexists(\"referrer_s\", \"\"),\n origin = column_ifexists(\"origin_s\", \"\"),\n info_code = column_ifexists(\"info_code_d\", real(null)),\n info_msg = column_ifexists(\"info_msg_s\", \"\"),\n username = column_ifexists(\"username_s\", \"\"),\n password = column_ifexists(\"password_s\", \"\"),\n proxied = column_ifexists(\"proxied_s\", \"\"),\n orig_filenames = column_ifexists(\"orig_filenames_s\", \"\"),\n orig_mime_types = column_ifexists(\"orig_mime_types_s\", \"\"),\n 
resp_mime_types = column_ifexists(\"resp_mime_types_s\", \"\"),\n push = column_ifexists(\"push_b\", \"\"),\n encoding = column_ifexists(\"encoding_s\", \"\"),\n stream_id = column_ifexists(\"stream_id_d\", real(null))\n | extend status_code = tostring(toint(status_code))\n | lookup StatusLookup on $left.status_code == $right.status\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"http\",\n ts = TimeGenerated,\n dest_host = host,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n http_method = method,\n bytes_in = request_body_len,\n bytes_out = response_body_len,\n status = status_code,\n vendor_action = status_msg,\n uri_path = uri,\n object = resp_filenames,\n http_user_agent = user_agent,\n http_referrer = referrer,\n http_content_type = orig_mime_types,\n sensor_name = coalesce(system_name, \"unknown\"),\n http_version = version,\n http_username = username,\n http_password = password,\n http_encoding = encoding\n | extend\n http_user_agent_length = strlen(http_user_agent),\n bytes = bytes_in + bytes_out,\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\"),\n host_header=dest_host,\n referrer_domain_domain=parse_url(referrer).Host,\n referrer_domain_ip=strcat(parse_url(referrer).Host, \":\", parse_url(referrer).Port)\n | extend \n url = strcat(\"http://\",host_header,uri),\n url_domain = host_header\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n host,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n id_vlan,\n method,\n orig_fuids,\n post_body,\n request_body_len,\n resp_fuids,\n response_body_len,\n status_code,\n status_msg,\n tags,\n trans_depth,\n uid,\n uri,\n version,\n resp_filenames,\n 
user_agent,\n referrer,\n origin,\n info_code,\n info_msg,\n username,\n password,\n proxied,\n orig_filenames,\n orig_mime_types,\n resp_mime_types,\n push,\n encoding,\n stream_id,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n dest_host,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n http_method,\n bytes_in,\n bytes_out,\n status,\n vendor_action,\n uri_path,\n object,\n http_user_agent,\n http_referrer,\n http_content_type,\n sensor_name,\n http_version,\n http_username,\n http_password,\n http_encoding,\n http_user_agent_length,\n bytes,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip,\n host_header,\n referrer_domain_domain,\n referrer_domain_ip,\n url,\n url_domain,\n action\n};\ncorelight_http\n", "functionParameters": "", "version": 2, "tags": [ @@ -7038,7 +7044,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_http2 Data Parser with template version 3.0.2", + "description": "corelight_http2 Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject30').parserVersion30]", @@ -7168,7 +7174,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_http_red Data Parser with template version 3.0.2", + "description": "corelight_http_red Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject31').parserVersion31]", 
@@ -7298,7 +7304,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_icmp_specific_tunnels Data Parser with template version 3.0.2", + "description": "corelight_icmp_specific_tunnels Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject32').parserVersion32]", @@ -7428,7 +7434,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_intel Data Parser with template version 3.0.2", + "description": "corelight_intel Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject33').parserVersion33]", @@ -7558,7 +7564,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_ipsec Data Parser with template version 3.0.2", + "description": "corelight_ipsec Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject34').parserVersion34]", 
@@ -7688,7 +7694,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_irc Data Parser with template version 3.0.2", + "description": "corelight_irc Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject35').parserVersion35]", @@ -7818,7 +7824,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_iso_cotp Data Parser with template version 3.0.2", + "description": "corelight_iso_cotp Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject36').parserVersion36]", @@ -7948,7 +7954,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_kerberos Data Parser with template version 3.0.2", + "description": "corelight_kerberos Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject37').parserVersion37]", 
@@ -8078,7 +8084,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_known_certs Data Parser with template version 3.0.2", + "description": "corelight_known_certs Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject38').parserVersion38]", @@ -8208,7 +8214,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_known_devices Data Parser with template version 3.0.2", + "description": "corelight_known_devices Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject39').parserVersion39]", @@ -8338,7 +8344,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_known_domains Data Parser with template version 3.0.2", + "description": "corelight_known_domains Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject40').parserVersion40]", 
@@ -8468,7 +8474,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_known_hosts Data Parser with template version 3.0.2", + "description": "corelight_known_hosts Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject41').parserVersion41]", @@ -8598,7 +8604,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_known_names Data Parser with template version 3.0.2", + "description": "corelight_known_names Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject42').parserVersion42]", @@ -8728,7 +8734,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_known_remotes Data Parser with template version 3.0.2", + "description": "corelight_known_remotes Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject43').parserVersion43]", 
@@ -8858,7 +8864,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_known_services Data Parser with template version 3.0.2", + "description": "corelight_known_services Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject44').parserVersion44]", @@ -8988,7 +8994,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_known_users Data Parser with template version 3.0.2", + "description": "corelight_known_users Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject45').parserVersion45]", @@ -9118,7 +9124,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_local_subnets Data Parser with template version 3.0.2", + "description": "corelight_local_subnets Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject46').parserVersion46]", 
@@ -9248,7 +9254,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_local_subnets_dj Data Parser with template version 3.0.2", + "description": "corelight_local_subnets_dj Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject47').parserVersion47]", @@ -9378,7 +9384,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_local_subnets_graphs Data Parser with template version 3.0.2", + "description": "corelight_local_subnets_graphs Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject48').parserVersion48]", @@ -9508,7 +9514,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_log4shell Data Parser with template version 3.0.2", + "description": "corelight_log4shell Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject49').parserVersion49]", 
@@ -9638,7 +9644,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_modbus Data Parser with template version 3.0.2", + "description": "corelight_modbus Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject50').parserVersion50]", @@ -9768,7 +9774,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_mqtt_connect Data Parser with template version 3.0.2", + "description": "corelight_mqtt_connect Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject51').parserVersion51]", @@ -9898,7 +9904,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_mqtt_publish Data Parser with template version 3.0.2", + "description": "corelight_mqtt_publish Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject52').parserVersion52]", 
@@ -10028,7 +10034,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_mqtt_subscribe Data Parser with template version 3.0.2", + "description": "corelight_mqtt_subscribe Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject53').parserVersion53]", @@ -10158,7 +10164,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_mysql Data Parser with template version 3.0.2", + "description": "corelight_mysql Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject54').parserVersion54]", @@ -10288,7 +10294,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_notice Data Parser with template version 3.0.2", + "description": "corelight_notice Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject55').parserVersion55]", 
@@ -10418,7 +10424,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_ntlm Data Parser with template version 3.0.2", + "description": "corelight_ntlm Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject56').parserVersion56]", @@ -10548,7 +10554,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_ntp Data Parser with template version 3.0.2", + "description": "corelight_ntp Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject57').parserVersion57]", @@ -10678,7 +10684,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_ocsp Data Parser with template version 3.0.2", + "description": "corelight_ocsp Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject58').parserVersion58]", 
@@ -10808,7 +10814,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_openflow Data Parser with template version 3.0.2", + "description": "corelight_openflow Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject59').parserVersion59]", @@ -10938,7 +10944,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_packet_filter Data Parser with template version 3.0.2", + "description": "corelight_packet_filter Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject60').parserVersion60]", @@ -11068,7 +11074,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_pe Data Parser with template version 3.0.2", + "description": "corelight_pe Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject61').parserVersion61]", 
@@ -11198,7 +11204,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_profinet Data Parser with template version 3.0.2", + "description": "corelight_profinet Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject62').parserVersion62]", @@ -11328,7 +11334,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_profinet_dce_rpc Data Parser with template version 3.0.2", + "description": "corelight_profinet_dce_rpc Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject63').parserVersion63]", @@ -11458,7 +11464,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_profinet_debug Data Parser with template version 3.0.2", + "description": "corelight_profinet_debug Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject64').parserVersion64]", 
@@ -11588,7 +11594,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_radius Data Parser with template version 3.0.2", + "description": "corelight_radius Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject65').parserVersion65]", @@ -11718,7 +11724,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_rdp Data Parser with template version 3.0.2", + "description": "corelight_rdp Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject66').parserVersion66]", 
@@ -11735,7 +11741,7 @@ "displayName": "corelight_rdp parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_rdp", - "query": "let corelight_rdp = view () {\n Corelight_v2_rdp_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n cookie=cookie_s,\n result=result_s,\n security_protocol=security_protocol_s,\n client_channels=client_channels_s,\n keyboard_layout=keyboard_layout_s,\n client_build=client_build_s,\n client_name=client_name_s,\n client_dig_product_id=client_dig_product_id_s,\n desktop_width=desktop_width_d,\n desktop_height=desktop_height_d,\n requested_color_depth=requested_color_depth_s,\n cert_type=cert_type_s,\n cert_count=cert_count_d,\n cert_permanent=cert_permanent_b,\n encryption_level=encryption_level_s,\n encryption_method=encryption_method_s,\n auth_success=auth_success_b,\n channels_joined=channels_joined_d,\n inferences=inferences_s,\n rdpeudp_uid=rdpeudp_uid_s,\n rdfp_string=rdfp_string_s,\n rdfp_hash=rdfp_hash_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"rdp\",\n ts=TimeGenerated\n};\ncorelight_rdp\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_rdp = view () {\n union isfuzzy=true Corelight_v2_rdp_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n auth_success = column_ifexists(\"auth_success_b\", \"\"),\n cert_count = column_ifexists(\"cert_count_d\", real(null)),\n channels_joined = column_ifexists(\"channels_joined_d\", 
real(null)),\n cookie = column_ifexists(\"cookie_s\", \"\"),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n inferences = column_ifexists(\"inferences_s\", \"\"),\n result = column_ifexists(\"result_s\", \"\"),\n security_protocol = column_ifexists(\"security_protocol_s\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n client_channels = column_ifexists(\"client_channels_s\", \"\"),\n keyboard_layout = column_ifexists(\"keyboard_layout_s\", \"\"),\n client_build = column_ifexists(\"client_build_s\", \"\"),\n client_name = column_ifexists(\"client_name_s\", \"\"),\n client_dig_product_id = column_ifexists(\"client_dig_product_id_s\", \"\"),\n desktop_width = column_ifexists(\"desktop_width_d\", real(null)),\n desktop_height = column_ifexists(\"desktop_height_d\", real(null)),\n requested_color_depth = column_ifexists(\"requested_color_depth_s\", \"\"),\n cert_type = column_ifexists(\"cert_type_s\", \"\"),\n cert_permanent = column_ifexists(\"cert_permanent_b\", \"\"),\n encryption_level = column_ifexists(\"encryption_level_s\", \"\"),\n encryption_method = column_ifexists(\"encryption_method_s\", \"\"),\n rdpeudp_uid = column_ifexists(\"rdpeudp_uid_s\", \"\"),\n rdfp_string = column_ifexists(\"rdfp_string_s\", \"\"),\n rdfp_hash = column_ifexists(\"rdfp_hash_s\", \"\")\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"rdp\",\n ts = TimeGenerated,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n app = security_protocol,\n sensor_name = coalesce(system_name, \"unknown\")\n | extend \n action = case(result == \"Success\", \"success\", result == \"SSL_NOT_ALLOWED_BY_SERVER\", \"failure\", auth_success == \"true\", \"success\", auth_success == \"false\", 
\"failure\", \"unknown\"),\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n auth_success,\n cert_count,\n channels_joined,\n cookie,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n inferences,\n result,\n security_protocol,\n uid,\n client_channels,\n keyboard_layout,\n client_build,\n client_name,\n client_dig_product_id,\n desktop_width,\n desktop_height,\n requested_color_depth,\n cert_type,\n cert_permanent,\n encryption_level,\n encryption_method,\n rdpeudp_uid,\n rdfp_string,\n rdfp_hash,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n app,\n sensor_name,\n action,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip\n};\ncorelight_rdp\n", "functionParameters": "", "version": 2, "tags": [ 
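Review bot: In the new corelight_rdp query, `is_dest_internal_ip` and `is_src_internal_ip` label every connection with no matching `corelight_conn` row as "false": the join is `kind=leftouter`, so `local_resp`/`local_orig` are null for unmatched uids and `iff(local_resp == true, "true", "false")` resolves to "false", which reads as an external endpoint. Any detection that treats "false" as "external" will fire on RDP sessions whose conn record is late, dropped, or outside the query window. Distinguish the unknown case, e.g. `is_dest_internal_ip = case(isnull(local_resp), "unknown", local_resp == true, "true", "false")` and likewise for `is_src_internal_ip`. This file looks generated by the solution packager (the `uniqueString(...contentProductId...)` pattern), so the fix presumably belongs in the parser's source YAML and should be regenerated into both copies of the query in this template.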
@@ -11784,8 +11790,8 @@ "contentId": "[variables('parserObject66').parserContentId66]", "contentKind": "Parser", "displayName": "corelight_rdp parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject66').parserContentId66,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject66').parserContentId66,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject66').parserContentId66,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject66').parserContentId66,'-', '1.1.0')))]", "version": "[variables('parserObject66').parserVersion66]" } }, 
@@ -11799,7 +11805,7 @@ "displayName": "corelight_rdp parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_rdp", - "query": "let corelight_rdp = view () {\n Corelight_v2_rdp_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n cookie=cookie_s,\n result=result_s,\n security_protocol=security_protocol_s,\n client_channels=client_channels_s,\n keyboard_layout=keyboard_layout_s,\n client_build=client_build_s,\n client_name=client_name_s,\n client_dig_product_id=client_dig_product_id_s,\n desktop_width=desktop_width_d,\n desktop_height=desktop_height_d,\n requested_color_depth=requested_color_depth_s,\n cert_type=cert_type_s,\n cert_count=cert_count_d,\n cert_permanent=cert_permanent_b,\n encryption_level=encryption_level_s,\n encryption_method=encryption_method_s,\n auth_success=auth_success_b,\n channels_joined=channels_joined_d,\n inferences=inferences_s,\n rdpeudp_uid=rdpeudp_uid_s,\n rdfp_string=rdfp_string_s,\n rdfp_hash=rdfp_hash_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"rdp\",\n ts=TimeGenerated\n};\ncorelight_rdp\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_rdp = view () {\n union isfuzzy=true Corelight_v2_rdp_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n auth_success = column_ifexists(\"auth_success_b\", \"\"),\n cert_count = column_ifexists(\"cert_count_d\", real(null)),\n channels_joined = column_ifexists(\"channels_joined_d\", 
real(null)),\n cookie = column_ifexists(\"cookie_s\", \"\"),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n inferences = column_ifexists(\"inferences_s\", \"\"),\n result = column_ifexists(\"result_s\", \"\"),\n security_protocol = column_ifexists(\"security_protocol_s\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n client_channels = column_ifexists(\"client_channels_s\", \"\"),\n keyboard_layout = column_ifexists(\"keyboard_layout_s\", \"\"),\n client_build = column_ifexists(\"client_build_s\", \"\"),\n client_name = column_ifexists(\"client_name_s\", \"\"),\n client_dig_product_id = column_ifexists(\"client_dig_product_id_s\", \"\"),\n desktop_width = column_ifexists(\"desktop_width_d\", real(null)),\n desktop_height = column_ifexists(\"desktop_height_d\", real(null)),\n requested_color_depth = column_ifexists(\"requested_color_depth_s\", \"\"),\n cert_type = column_ifexists(\"cert_type_s\", \"\"),\n cert_permanent = column_ifexists(\"cert_permanent_b\", \"\"),\n encryption_level = column_ifexists(\"encryption_level_s\", \"\"),\n encryption_method = column_ifexists(\"encryption_method_s\", \"\"),\n rdpeudp_uid = column_ifexists(\"rdpeudp_uid_s\", \"\"),\n rdfp_string = column_ifexists(\"rdfp_string_s\", \"\"),\n rdfp_hash = column_ifexists(\"rdfp_hash_s\", \"\")\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"rdp\",\n ts = TimeGenerated,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n app = security_protocol,\n sensor_name = coalesce(system_name, \"unknown\")\n | extend \n action = case(result == \"Success\", \"success\", result == \"SSL_NOT_ALLOWED_BY_SERVER\", \"failure\", auth_success == \"true\", \"success\", auth_success == \"false\", 
\"failure\", \"unknown\"),\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n auth_success,\n cert_count,\n channels_joined,\n cookie,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n inferences,\n result,\n security_protocol,\n uid,\n client_channels,\n keyboard_layout,\n client_build,\n client_name,\n client_dig_product_id,\n desktop_width,\n desktop_height,\n requested_color_depth,\n cert_type,\n cert_permanent,\n encryption_level,\n encryption_method,\n rdpeudp_uid,\n rdfp_string,\n rdfp_hash,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n app,\n sensor_name,\n action,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip\n};\ncorelight_rdp\n", "functionParameters": "", "version": 2, "tags": [ @@ -11848,7 +11854,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_reporter Data Parser with template version 3.0.2", + "description": "corelight_reporter Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject67').parserVersion67]", 
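Review bot: `auth_success == "true"` in the `action` case (and the `cert_permanent` extraction) compares against a string, but the `_b` suffix on `auth_success_b`/`cert_permanent_b` indicates a boolean custom-log column, and `column_ifexists("auth_success_b", "")` keeps the column's own type when the column exists, so on real data the comparison is a bool-vs-string compare that, as far as I can tell, KQL either rejects or never satisfies, leaving every event at "unknown" while only the missing-column path behaves as written. Make the conversion explicit so both paths are strings: `auth_success = tostring(column_ifexists("auth_success_b", "")),` and `cert_permanent = tostring(column_ifexists("cert_permanent_b", "")),`. This is the second, identical copy of the corelight_rdp query in the template, so the change needs to land in the source parser and be regenerated rather than patched here.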
@@ -11978,7 +11984,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_rfb Data Parser with template version 3.0.2", + "description": "corelight_rfb Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject68').parserVersion68]", @@ -12108,7 +12114,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_s7comm Data Parser with template version 3.0.2", + "description": "corelight_s7comm Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject69').parserVersion69]", @@ -12238,7 +12244,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_signatures Data Parser with template version 3.0.2", + "description": "corelight_signatures Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject70').parserVersion70]", 
@@ -12368,7 +12374,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_sip Data Parser with template version 3.0.2", + "description": "corelight_sip Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject71').parserVersion71]", @@ -12498,7 +12504,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_smartpcap Data Parser with template version 3.0.2", + "description": "corelight_smartpcap Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject72').parserVersion72]", @@ -12628,7 +12634,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_smartpcap_stats Data Parser with template version 3.0.2", + "description": "corelight_smartpcap_stats Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject73').parserVersion73]", 
@@ -12758,7 +12764,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_smb_files Data Parser with template version 3.0.2", + "description": "corelight_smb_files Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject74').parserVersion74]", @@ -12888,7 +12894,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_smb_mapping Data Parser with template version 3.0.2", + "description": "corelight_smb_mapping Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject75').parserVersion75]", @@ -13018,7 +13024,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_smtp Data Parser with template version 3.0.2", + "description": "corelight_smtp Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject76').parserVersion76]", 
@@ -13148,7 +13154,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_smtp_links Data Parser with template version 3.0.2", + "description": "corelight_smtp_links Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject77').parserVersion77]", @@ -13278,7 +13284,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_snmp Data Parser with template version 3.0.2", + "description": "corelight_snmp Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject78').parserVersion78]", @@ -13408,7 +13414,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_socks Data Parser with template version 3.0.2", + "description": "corelight_socks Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject79').parserVersion79]", 
@@ -13538,7 +13544,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_software Data Parser with template version 3.0.2", + "description": "corelight_software Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject80').parserVersion80]", @@ -13668,7 +13674,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_specific_dns_tunnels Data Parser with template version 3.0.2", + "description": "corelight_specific_dns_tunnels Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject81').parserVersion81]", @@ -13798,7 +13804,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_ssh Data Parser with template version 3.0.2", + "description": "corelight_ssh Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject82').parserVersion82]", 
@@ -13815,7 +13821,7 @@ "displayName": "corelight_ssh parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_ssh", - "query": "let corelight_ssh = view () {\n Corelight_v2_ssh_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n version=version_d,\n auth_success=auth_success_b,\n auth_attempts=auth_attempts_d,\n direction=direction_s,\n client=client_s,\n server=server_s,\n cipher_alg=cipher_alg_s,\n mac_alg=mac_alg_s,\n compression_alg=compression_alg_s,\n kex_alg=kex_alg_s,\n host_key_alg=host_key_alg_s,\n host_key=host_key_s,\n remote_location_country_code=remote_location_country_code_s,\n remote_location_region=remote_location_region_s,\n remote_location_city=remote_location_city_s,\n remote_location_latitude=remote_location_latitude_d,\n remote_location_longitude=remote_location_longitude_d,\n hasshVersion=hasshVersion_s,\n cshka=cshka_s,\n hasshAlgorithms=hasshAlgorithms_s,\n sshka=sshka_s,\n hasshServerAlgorithms=hasshServerAlgorithms_s,\n inferences=inferences_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"ssh\",\n ts=TimeGenerated\n};\ncorelight_ssh\n\n", + "query": "let InferencesLookup = datatable(\n InferenceName: string,\n inferences: string,\n Description: string\n)[\n \"Client Authentication Bypass Exploit\",\"ABP\",\"The client did not complete the SSH state machine for authentication and likely sent the server an exploit\",\n \"Keystrokes\",\"KS\",\"Interactive session\",\n \"Client Bruteforce Guessing\",\"BF\",\"The client failed to authenticate more than the configured threshold\",\n \"Client Bruteforce Success\",\"BFS\",\"The client failed to authenticate more than the configured threshold but then successfully authenticated\",\n \"Client Scanner Version\",\"SV\",\"This indicates a connection/scan attempt which 
terminated after server responded with version. nmap -p 22 localhost --script=ssh-hostkey\",\n \"Client Scanner Capabilities\",\"SC\",\"This indicates a connection/scan attempt which terminated after server responded with capabilities. nmap -p 22 localhost --script=ssh2-enum-algos\",\n \"Client Scanner Port\",\"SP\",\"Probes for SSH ports. nmap -p 22 -sV localhost\",\n \"Client Scanner Authentication\",\"SA\",\"SSH clients which scanned the server for supported authentication methods. nmap -p 22 localhost --script=ssh-auth-methods\",\n \"Small File Upload\",\"SFU\",\"This indicates a small file upload.\",\n \"Small File Download\",\"SFD\",\"This indicates a small file download.\",\n \"Large File Upload\",\"LFU\",\"This indicates a non interactive session where a file was possibly uploaded.\",\n \"Large File Download\",\"LFD\",\"This indicates a non interactive session where a file was possibly downloaded.\",\n \"Automated Password Authentication\",\"APWA\",\"The client auth'd with an automated password tool (like sshpass). This inference applies to only the auth type that succeeded. Before it, publickey or password authentication attempts could have occurred.\",\n \"Interactive Password Authentication\",\"IPWA\",\"The client interactively typed their password to auth. The first authentication attempt which succeeded was interactive. This could mean that a tool such as winSCP was used to automatically authenticate but the tool was provided an incorrect password, prompted the user for a different password, and then the user authenticated.\",\n \"Public Key Authentication\",\"PKA\",\"The client automatically auth'd using pubkey auth. This inference applies to only the auth type that succeeded. 
Before it, publickey or password authentication attempts could have occurred.\",\n \"None Authentication\",\"NA\",\"The client successfully authenticated using the None method\",\n \"Multifactor authentication\",\"MFA\",\"After a password or public key was accepted, the server required a second form of auth (a code) and the client successfully provided it\",\n \"Unknown authentication\",\"UA\",\"We weren't able to determine the authentication method. Telemetry around these could be used to improve authentication inferences.\",\n \"Automated interaction\",\"AUTO\",\"The client was a script or automated utility and not driven by a user\",\n \"Server Banner\",\"BAN\",\"The server sent the client a pre-authentication banner, likely for legal reasons\",\n \"Client trusted server\",\"CTS\",\"The client likely already had an entry in its known_hosts file for this server\",\n \"Client untrusted server\",\"CUS\",\"The client likely did NOT already have an entry in its known_hosts file for this server\",\n \"Reverse SSH Provisioned (ssh -R)\",\"RSP\",\"The client connected with a -R flag, which provisions the ports to be used for a Reverse Session to be set up at any point onwards. ssh -R 31337:localhost:22 user@192.168.20.33\",\n \"Reverse SSH Initiated\",\"RSI\",\"The Reverse session is inititated from the server back to the Client. This initiation can be done at any stage during the session. From the Server, the attacker would initiate the Reverse session by e.g.ssh victim@localhost -p 31337\",\n \"Reverse SSH Initiation Automated\",\"RSIA\",\"Indicates that the initiation of the Reverse session happened very early in the packet stream, indicating automation\",\n \"Reverse SSH Logged in\",\"RSL\",\"The Reverse tunnel login login has succeeded, the attacker now has shell on the victim's device\",\n \"Reverse SSH Keystrokes\",\"RSK\",\"Keystrokes are detected within the Reverse tunnel\",\n \"No Remote Command (ssh -N)\",\"NRC\",\"The -N flag was used in the SSH session. 
This is used when no interactivity is required/desired and that only the ports necessary for tunelling are transmitted. If this inference is seen with any of the R* inferences, it would be extremely suspicious. e.g ssh -N -R 31337:localhost:22 attacker@192.168.20.12\",\n \"SSH Agent Forwarding Requested\",\"AFR\",\"Agent forwarding was requested by the Client e.g ssh -A -i ~/.ssh/id_1_rsa user@192.168.20.33\"\n];\nlet dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_ssh = view () {\n union isfuzzy=true Corelight_v2_ssh_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter\n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n |project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n auth_attempts = column_ifexists(\"auth_attempts_d\", real(null)),\n auth_success = column_ifexists(\"auth_success_b\", \"\"),\n cipher_alg = column_ifexists(\"cipher_alg_s\", \"\"),\n client = column_ifexists(\"client_s\", \"\"),\n compression_alg = column_ifexists(\"compression_alg_s\", \"\"),\n cshka = column_ifexists(\"cshka_s\", \"\"),\n hassh = column_ifexists(\"hassh_s\", \"\"),\n hasshAlgorithms = column_ifexists(\"hasshAlgorithms_s\", \"\"),\n hasshServer = column_ifexists(\"hasshServer_s\", \"\"),\n hasshServerAlgorithms = column_ifexists(\"hasshServerAlgorithms_s\", \"\"),\n hasshVersion = column_ifexists(\"hasshVersion_s\", \"\"),\n host_key = column_ifexists(\"host_key_s\", \"\"),\n host_key_alg = column_ifexists(\"host_key_alg_s\", \"\"),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n inferences = column_ifexists(\"inferences_s\", \"\"),\n kex_alg = 
column_ifexists(\"kex_alg_s\", \"\"),\n mac_alg = column_ifexists(\"mac_alg_s\", \"\"),\n server = column_ifexists(\"server_s\", \"\"),\n sshka = column_ifexists(\"sshka_s\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n version = column_ifexists(\"version_d\", real(null)),\n remote_location_country_code = column_ifexists(\"remote_location_country_code_s\", \"\"),\n remote_location_region = column_ifexists(\"remote_location_region_s\", \"\"),\n remote_location_city = column_ifexists(\"remote_location_city_s\", \"\"),\n remote_location_latitude = column_ifexists(\"remote_location_latitude_d\", real(null)),\n remote_location_longitude = column_ifexists(\"remote_location_longitude_d\", real(null)),\n direction = column_ifexists(\"direction_s\", \"\")\n | mv-expand todynamic(inferences)\n | extend inferences_string = tostring(inferences)\n | lookup kind=leftouter InferencesLookup on $left.inferences_string == $right.inferences\n | summarize InferenceNames = make_list(InferenceName), Descriptions = make_list(Description), Inferences = make_list(inferences_string), arg_max(TimeGenerated, *) by uid\n | extend\n EventVendor =\"Corelight\",\n EventProduct =\"CorelightSensor\",\n EventType =\"ssh\",\n ts = TimeGenerated,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n sensor_name = coalesce(system_name, \"unknown\"),\n action = iff(auth_success == \"true\", \"Success\", \"Failure\")\n | extend\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"), \"true\", \"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n auth_attempts,\n auth_success,\n cipher_alg,\n client,\n compression_alg,\n cshka,\n hassh,\n hasshAlgorithms,\n hasshServer,\n hasshServerAlgorithms,\n 
hasshVersion,\n host_key,\n host_key_alg,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n Inferences,\n kex_alg,\n mac_alg,\n server,\n sshka,\n uid,\n version,\n remote_location_country_code,\n remote_location_region,\n remote_location_city,\n remote_location_latitude,\n remote_location_longitude,\n direction,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n sensor_name,\n action,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip,\n InferenceNames,\n Descriptions\n};\ncorelight_ssh\n", "functionParameters": "", "version": 2, "tags": [ @@ -13864,8 +13870,8 @@ "contentId": "[variables('parserObject82').parserContentId82]", "contentKind": "Parser", "displayName": "corelight_ssh parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject82').parserContentId82,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject82').parserContentId82,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject82').parserContentId82,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject82').parserContentId82,'-', '1.1.0')))]", "version": "[variables('parserObject82').parserVersion82]" } }, 
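Review bot: `action = iff(auth_success == "true", "Success", "Failure")` in the new corelight_ssh query labels every session without an observed authentication result as a failure: `auth_success` comes from `column_ifexists("auth_success_b", "")`, so a scan-only or pre-auth connection (the SV/SC/SP/ABP rows in `InferencesLookup` describe exactly these) arrives with an empty value and is counted as a failed login, inflating brute-force style counts. Use the three-way form the corelight_rdp parser in this same change uses, e.g. `action = case(auth_success == "true", "success", auth_success == "false", "failure", "unknown")` (the rdp parser also lowercases the values, so the two parsers currently disagree on casing), and wrap the extraction in `tostring()` if `auth_success_b` really is a boolean column as its suffix suggests. Separately, `make_list(InferenceName)` and `make_list(Description)` skip nulls, so a session carrying an inference code missing from the lookup ends up with `InferenceNames`/`Descriptions` shorter than `Inferences` and positionally misaligned; `make_list(coalesce(InferenceName, inferences_string))` keeps them in step. The `is_src_internal_ip`/`is_dest_internal_ip` null-to-"false" result after the leftouter join has the same unknown-vs-external ambiguity as in the rdp parser.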
@@ -13879,7 +13885,7 @@ "displayName": "corelight_ssh parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_ssh", - "query": "let corelight_ssh = view () {\n Corelight_v2_ssh_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n version=version_d,\n auth_success=auth_success_b,\n auth_attempts=auth_attempts_d,\n direction=direction_s,\n client=client_s,\n server=server_s,\n cipher_alg=cipher_alg_s,\n mac_alg=mac_alg_s,\n compression_alg=compression_alg_s,\n kex_alg=kex_alg_s,\n host_key_alg=host_key_alg_s,\n host_key=host_key_s,\n remote_location_country_code=remote_location_country_code_s,\n remote_location_region=remote_location_region_s,\n remote_location_city=remote_location_city_s,\n remote_location_latitude=remote_location_latitude_d,\n remote_location_longitude=remote_location_longitude_d,\n hasshVersion=hasshVersion_s,\n cshka=cshka_s,\n hasshAlgorithms=hasshAlgorithms_s,\n sshka=sshka_s,\n hasshServerAlgorithms=hasshServerAlgorithms_s,\n inferences=inferences_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"ssh\",\n ts=TimeGenerated\n};\ncorelight_ssh\n\n", + "query": "let InferencesLookup = datatable(\n InferenceName: string,\n inferences: string,\n Description: string\n)[\n \"Client Authentication Bypass Exploit\",\"ABP\",\"The client did not complete the SSH state machine for authentication and likely sent the server an exploit\",\n \"Keystrokes\",\"KS\",\"Interactive session\",\n \"Client Bruteforce Guessing\",\"BF\",\"The client failed to authenticate more than the configured threshold\",\n \"Client Bruteforce Success\",\"BFS\",\"The client failed to authenticate more than the configured threshold but then successfully authenticated\",\n \"Client Scanner Version\",\"SV\",\"This indicates a connection/scan attempt which 
terminated after server responded with version. nmap -p 22 localhost --script=ssh-hostkey\",\n \"Client Scanner Capabilities\",\"SC\",\"This indicates a connection/scan attempt which terminated after server responded with capabilities. nmap -p 22 localhost --script=ssh2-enum-algos\",\n \"Client Scanner Port\",\"SP\",\"Probes for SSH ports. nmap -p 22 -sV localhost\",\n \"Client Scanner Authentication\",\"SA\",\"SSH clients which scanned the server for supported authentication methods. nmap -p 22 localhost --script=ssh-auth-methods\",\n \"Small File Upload\",\"SFU\",\"This indicates a small file upload.\",\n \"Small File Download\",\"SFD\",\"This indicates a small file download.\",\n \"Large File Upload\",\"LFU\",\"This indicates a non interactive session where a file was possibly uploaded.\",\n \"Large File Download\",\"LFD\",\"This indicates a non interactive session where a file was possibly downloaded.\",\n \"Automated Password Authentication\",\"APWA\",\"The client auth'd with an automated password tool (like sshpass). This inference applies to only the auth type that succeeded. Before it, publickey or password authentication attempts could have occurred.\",\n \"Interactive Password Authentication\",\"IPWA\",\"The client interactively typed their password to auth. The first authentication attempt which succeeded was interactive. This could mean that a tool such as winSCP was used to automatically authenticate but the tool was provided an incorrect password, prompted the user for a different password, and then the user authenticated.\",\n \"Public Key Authentication\",\"PKA\",\"The client automatically auth'd using pubkey auth. This inference applies to only the auth type that succeeded. 
Before it, publickey or password authentication attempts could have occurred.\",\n \"None Authentication\",\"NA\",\"The client successfully authenticated using the None method\",\n \"Multifactor authentication\",\"MFA\",\"After a password or public key was accepted, the server required a second form of auth (a code) and the client successfully provided it\",\n \"Unknown authentication\",\"UA\",\"We weren't able to determine the authentication method. Telemetry around these could be used to improve authentication inferences.\",\n \"Automated interaction\",\"AUTO\",\"The client was a script or automated utility and not driven by a user\",\n \"Server Banner\",\"BAN\",\"The server sent the client a pre-authentication banner, likely for legal reasons\",\n \"Client trusted server\",\"CTS\",\"The client likely already had an entry in its known_hosts file for this server\",\n \"Client untrusted server\",\"CUS\",\"The client likely did NOT already have an entry in its known_hosts file for this server\",\n \"Reverse SSH Provisioned (ssh -R)\",\"RSP\",\"The client connected with a -R flag, which provisions the ports to be used for a Reverse Session to be set up at any point onwards. ssh -R 31337:localhost:22 user@192.168.20.33\",\n \"Reverse SSH Initiated\",\"RSI\",\"The Reverse session is inititated from the server back to the Client. This initiation can be done at any stage during the session. From the Server, the attacker would initiate the Reverse session by e.g.ssh victim@localhost -p 31337\",\n \"Reverse SSH Initiation Automated\",\"RSIA\",\"Indicates that the initiation of the Reverse session happened very early in the packet stream, indicating automation\",\n \"Reverse SSH Logged in\",\"RSL\",\"The Reverse tunnel login login has succeeded, the attacker now has shell on the victim's device\",\n \"Reverse SSH Keystrokes\",\"RSK\",\"Keystrokes are detected within the Reverse tunnel\",\n \"No Remote Command (ssh -N)\",\"NRC\",\"The -N flag was used in the SSH session. 
This is used when no interactivity is required/desired and that only the ports necessary for tunelling are transmitted. If this inference is seen with any of the R* inferences, it would be extremely suspicious. e.g ssh -N -R 31337:localhost:22 attacker@192.168.20.12\",\n \"SSH Agent Forwarding Requested\",\"AFR\",\"Agent forwarding was requested by the Client e.g ssh -A -i ~/.ssh/id_1_rsa user@192.168.20.33\"\n];\nlet dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_ssh = view () {\n union isfuzzy=true Corelight_v2_ssh_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter\n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n |project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n auth_attempts = column_ifexists(\"auth_attempts_d\", real(null)),\n auth_success = column_ifexists(\"auth_success_b\", \"\"),\n cipher_alg = column_ifexists(\"cipher_alg_s\", \"\"),\n client = column_ifexists(\"client_s\", \"\"),\n compression_alg = column_ifexists(\"compression_alg_s\", \"\"),\n cshka = column_ifexists(\"cshka_s\", \"\"),\n hassh = column_ifexists(\"hassh_s\", \"\"),\n hasshAlgorithms = column_ifexists(\"hasshAlgorithms_s\", \"\"),\n hasshServer = column_ifexists(\"hasshServer_s\", \"\"),\n hasshServerAlgorithms = column_ifexists(\"hasshServerAlgorithms_s\", \"\"),\n hasshVersion = column_ifexists(\"hasshVersion_s\", \"\"),\n host_key = column_ifexists(\"host_key_s\", \"\"),\n host_key_alg = column_ifexists(\"host_key_alg_s\", \"\"),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n inferences = column_ifexists(\"inferences_s\", \"\"),\n kex_alg = 
column_ifexists(\"kex_alg_s\", \"\"),\n mac_alg = column_ifexists(\"mac_alg_s\", \"\"),\n server = column_ifexists(\"server_s\", \"\"),\n sshka = column_ifexists(\"sshka_s\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n version = column_ifexists(\"version_d\", real(null)),\n remote_location_country_code = column_ifexists(\"remote_location_country_code_s\", \"\"),\n remote_location_region = column_ifexists(\"remote_location_region_s\", \"\"),\n remote_location_city = column_ifexists(\"remote_location_city_s\", \"\"),\n remote_location_latitude = column_ifexists(\"remote_location_latitude_d\", real(null)),\n remote_location_longitude = column_ifexists(\"remote_location_longitude_d\", real(null)),\n direction = column_ifexists(\"direction_s\", \"\")\n | mv-expand todynamic(inferences)\n | extend inferences_string = tostring(inferences)\n | lookup kind=leftouter InferencesLookup on $left.inferences_string == $right.inferences\n | summarize InferenceNames = make_list(InferenceName), Descriptions = make_list(Description), Inferences = make_list(inferences_string), arg_max(TimeGenerated, *) by uid\n | extend\n EventVendor =\"Corelight\",\n EventProduct =\"CorelightSensor\",\n EventType =\"ssh\",\n ts = TimeGenerated,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n sensor_name = coalesce(system_name, \"unknown\"),\n action = iff(auth_success == \"true\", \"Success\", \"Failure\")\n | extend\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"), \"true\", \"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n auth_attempts,\n auth_success,\n cipher_alg,\n client,\n compression_alg,\n cshka,\n hassh,\n hasshAlgorithms,\n hasshServer,\n hasshServerAlgorithms,\n 
hasshVersion,\n host_key,\n host_key_alg,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n Inferences,\n kex_alg,\n mac_alg,\n server,\n sshka,\n uid,\n version,\n remote_location_country_code,\n remote_location_region,\n remote_location_city,\n remote_location_latitude,\n remote_location_longitude,\n direction,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n sensor_name,\n action,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip,\n InferenceNames,\n Descriptions\n};\ncorelight_ssh\n", "functionParameters": "", "version": 2, "tags": [ @@ -13928,7 +13934,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_ssl Data Parser with template version 3.0.2", + "description": "corelight_ssl Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject83').parserVersion83]", 
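Review bot: The new corelight_ssh query derives `action` with `iff(auth_success == "true", "Success", "Failure")`, but `auth_success` is `column_ifexists("auth_success_b", "")`, so when the column is absent every row is reported as a failed login, and when it is present as a boolean `_b` column the comparison against the string `"true"` may not even compile (I cannot confirm the column type from here). A safer form is `auth_success = tostring(column_ifexists("auth_success_b", ""))` followed by `action = case(auth_success == "true", "Success", auth_success == "false", "Failure", "")`, so an unknown outcome is not collapsed into "Failure" for downstream detections. The `join kind=leftouter (corelight_conn | project uid, local_orig, local_resp)` also pulls the whole conn function without any time bound, which is likely to be slow on large workspaces. This file looks like packaged output of the parser YAML, so the change presumably belongs in the parser source as well.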
@@ -13945,7 +13951,7 @@ "displayName": "corelight_ssl parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_ssl", - "query": "let corelight_ssl = view () {\n Corelight_v2_ssl_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n version=version_s,\n cipher=cipher_s,\n curve=curve_s,\n server_name=server_name_s,\n resumed=resumed_b,\n last_alert=last_alert_s,\n next_protocol=next_protocol_s,\n established=established_b,\n ssl_history=ssl_history_s,\n cert_chain_fps=cert_chain_fps_s,\n client_cert_chain_fps=client_cert_chain_fps_s,\n sni_matches_cert=sni_matches_cert_b,\n validation_status=validation_status_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"ssl\",\n ts=TimeGenerated\n};\ncorelight_ssl\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_ssl = view () {\n union isfuzzy=true Corelight_v2_ssl_CL,\n Corelight_v2_ssl_red_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n (corelight_conn\n | project uid, local_orig, local_resp \n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend \n path=column_ifexists(\"_path_s\", \"\"),\n system_name=column_ifexists(\"_system_name_s\", \"\"),\n write_ts=column_ifexists(\"_write_ts_t\", \"\"),\n cert_chain_fps=column_ifexists(\"cert_chain_fps_s\", \"\"),\n cipher=column_ifexists(\"cipher_s\", \"\"),\n client_cert_chain_fps=column_ifexists(\"client_cert_chain_fps_s\", \"\"),\n curve=column_ifexists(\"curve_s\", \"\"),\n established=column_ifexists(\"established_b\", \"\"),\n id_orig_h=column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p=column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h=column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p=column_ifexists(\"id_resp_p_d\", 
real(null)),\n id_vlan=column_ifexists(\"id_vlan_d\", real(null)),\n ja3=column_ifexists(\"ja3_s\", \"\"),\n ja3s=column_ifexists(\"ja3s_s\", \"\"),\n resumed=column_ifexists(\"resumed_b\", \"\"),\n server_name=column_ifexists(\"server_name_s\", \"\"),\n sni_matches_cert=column_ifexists(\"sni_matches_cert_b\", \"\"),\n ssl_history=column_ifexists(\"ssl_history_s\", \"\"),\n uid=column_ifexists(\"uid_s\", \"\"),\n validation_status=column_ifexists(\"validation_status_s\", \"\"),\n version=column_ifexists(\"version_s\", \"\"),\n last_alert=column_ifexists(\"last_alert_s\", \"\"),\n next_protocol=column_ifexists(\"next_protocol_s\", \"\"),\n issuer=column_ifexists(\"issuer_s\", \"\"),\n subject=column_ifexists(\"subject_s\", \"\")\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"ssl\",\n ts = TimeGenerated,\n src=id_orig_h,\n src_ip=id_orig_h,\n src_port=id_orig_p,\n dest=id_resp_h,\n dest_ip=id_resp_h,\n dest_port=id_resp_p,\n ssl_cipher=cipher,\n ssl_curve=curve,\n ssl_subject_common_name=server_name,\n fingerprint=cert_chain_fps,\n is_self_signed = iff(validation_status==\"self signed certificate\", \"yes\", \"no\"),\n action = iff(established==\"true\",\"success\",\"failure\"),\n sensor_name = coalesce(system_name, \"unknown\"),\n signature=validation_status,\n ssl_version = version,\n ssl_issuer=issuer,\n ssl_subject=subject\n | extend \n is_broadcast = iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n ssl_issuer_common_name = extract('CN=(?[^,\"]+)', 1, issuer), \n ssl_issuer_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, issuer), \n ssl_subject_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, subject) \n | project \n TimeGenerated,\n path,\n 
system_name,\n write_ts,\n uid,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n version,\n cipher,\n curve,\n server_name,\n resumed,\n last_alert,\n next_protocol,\n established,\n ssl_history,\n cert_chain_fps,\n client_cert_chain_fps,\n sni_matches_cert,\n validation_status,\n ja3,\n ja3s,\n id_vlan,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n ssl_cipher,\n ssl_curve,\n ssl_subject_common_name,\n fingerprint,\n is_self_signed,\n action,\n sensor_name,\n signature,\n ssl_version,\n is_broadcast,\n is_src_internal_ip,\n is_dest_internal_ip,\n ssl_issuer_common_name,\n ssl_issuer_email_domain,\n ssl_subject_email_domain\n};\ncorelight_ssl\n", "functionParameters": "", "version": 2, "tags": [ @@ -13994,8 +14000,8 @@ "contentId": "[variables('parserObject83').parserContentId83]", "contentKind": "Parser", "displayName": "corelight_ssl parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject83').parserContentId83,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject83').parserContentId83,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject83').parserContentId83,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject83').parserContentId83,'-', '1.1.0')))]", "version": "[variables('parserObject83').parserVersion83]" } }, 
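Review bot: The `ssl_issuer_email_domain` and `ssl_subject_email_domain` regexes in the new corelight_ssl query, `emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)`, reject any local part containing `-` or `.`, truncate multi-label domains (`example.co.uk` yields `example.co`), and use an unescaped `.` that matches any character; the same pattern is repeated in the second corelight_ssl hunk at `@@ -14009,7 +14015,7 @@`. Something like `extract('emailAddress=[^@,]+@([0-9A-Za-z_.-]+)', 1, issuer)` keeps the DN-comma boundary and captures the full domain. The capture groups also read as `(?[^,"]+)` here; if that is a group name lost in rendering ignore this, otherwise `(?[` is not valid regex syntax and `extract()` will fail at query time. Separately, `is_self_signed` only matches the literal `"self signed certificate"`, so a self-signed certificate higher in the chain (OpenSSL reports that as a distinct status string) is classified as "no" — worth confirming against the validation_status values the sensor emits.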
@@ -14009,7 +14015,7 @@ "displayName": "corelight_ssl parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_ssl", - "query": "let corelight_ssl = view () {\n Corelight_v2_ssl_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n version=version_s,\n cipher=cipher_s,\n curve=curve_s,\n server_name=server_name_s,\n resumed=resumed_b,\n last_alert=last_alert_s,\n next_protocol=next_protocol_s,\n established=established_b,\n ssl_history=ssl_history_s,\n cert_chain_fps=cert_chain_fps_s,\n client_cert_chain_fps=client_cert_chain_fps_s,\n sni_matches_cert=sni_matches_cert_b,\n validation_status=validation_status_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"ssl\",\n ts=TimeGenerated\n};\ncorelight_ssl\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_ssl = view () {\n union isfuzzy=true Corelight_v2_ssl_CL,\n Corelight_v2_ssl_red_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n (corelight_conn\n | project uid, local_orig, local_resp \n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend \n path=column_ifexists(\"_path_s\", \"\"),\n system_name=column_ifexists(\"_system_name_s\", \"\"),\n write_ts=column_ifexists(\"_write_ts_t\", \"\"),\n cert_chain_fps=column_ifexists(\"cert_chain_fps_s\", \"\"),\n cipher=column_ifexists(\"cipher_s\", \"\"),\n client_cert_chain_fps=column_ifexists(\"client_cert_chain_fps_s\", \"\"),\n curve=column_ifexists(\"curve_s\", \"\"),\n established=column_ifexists(\"established_b\", \"\"),\n id_orig_h=column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p=column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h=column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p=column_ifexists(\"id_resp_p_d\", 
real(null)),\n id_vlan=column_ifexists(\"id_vlan_d\", real(null)),\n ja3=column_ifexists(\"ja3_s\", \"\"),\n ja3s=column_ifexists(\"ja3s_s\", \"\"),\n resumed=column_ifexists(\"resumed_b\", \"\"),\n server_name=column_ifexists(\"server_name_s\", \"\"),\n sni_matches_cert=column_ifexists(\"sni_matches_cert_b\", \"\"),\n ssl_history=column_ifexists(\"ssl_history_s\", \"\"),\n uid=column_ifexists(\"uid_s\", \"\"),\n validation_status=column_ifexists(\"validation_status_s\", \"\"),\n version=column_ifexists(\"version_s\", \"\"),\n last_alert=column_ifexists(\"last_alert_s\", \"\"),\n next_protocol=column_ifexists(\"next_protocol_s\", \"\"),\n issuer=column_ifexists(\"issuer_s\", \"\"),\n subject=column_ifexists(\"subject_s\", \"\")\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"ssl\",\n ts = TimeGenerated,\n src=id_orig_h,\n src_ip=id_orig_h,\n src_port=id_orig_p,\n dest=id_resp_h,\n dest_ip=id_resp_h,\n dest_port=id_resp_p,\n ssl_cipher=cipher,\n ssl_curve=curve,\n ssl_subject_common_name=server_name,\n fingerprint=cert_chain_fps,\n is_self_signed = iff(validation_status==\"self signed certificate\", \"yes\", \"no\"),\n action = iff(established==\"true\",\"success\",\"failure\"),\n sensor_name = coalesce(system_name, \"unknown\"),\n signature=validation_status,\n ssl_version = version,\n ssl_issuer=issuer,\n ssl_subject=subject\n | extend \n is_broadcast = iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"),\"true\",\"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n ssl_issuer_common_name = extract('CN=(?[^,\"]+)', 1, issuer), \n ssl_issuer_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, issuer), \n ssl_subject_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, subject) \n | project \n TimeGenerated,\n path,\n 
system_name,\n write_ts,\n uid,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n version,\n cipher,\n curve,\n server_name,\n resumed,\n last_alert,\n next_protocol,\n established,\n ssl_history,\n cert_chain_fps,\n client_cert_chain_fps,\n sni_matches_cert,\n validation_status,\n ja3,\n ja3s,\n id_vlan,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n ssl_cipher,\n ssl_curve,\n ssl_subject_common_name,\n fingerprint,\n is_self_signed,\n action,\n sensor_name,\n signature,\n ssl_version,\n is_broadcast,\n is_src_internal_ip,\n is_dest_internal_ip,\n ssl_issuer_common_name,\n ssl_issuer_email_domain,\n ssl_subject_email_domain\n};\ncorelight_ssl\n", "functionParameters": "", "version": 2, "tags": [ @@ -14058,7 +14064,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_ssl_red Data Parser with template version 3.0.2", + "description": "corelight_ssl_red Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject84').parserVersion84]", @@ -14188,7 +14194,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_stats Data Parser with template version 3.0.2", + "description": "corelight_stats Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject85').parserVersion85]", 
@@ -14318,7 +14324,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_stepping Data Parser with template version 3.0.2", + "description": "corelight_stepping Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject86').parserVersion86]", @@ -14448,7 +14454,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_stun Data Parser with template version 3.0.2", + "description": "corelight_stun Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject87').parserVersion87]", @@ -14578,7 +14584,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_stun_nat Data Parser with template version 3.0.2", + "description": "corelight_stun_nat Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject88').parserVersion88]", 
@@ -14708,7 +14714,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_suricata_corelight Data Parser with template version 3.0.2", + "description": "corelight_suricata_corelight Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject89').parserVersion89]", @@ -14838,7 +14844,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_suricata_eve Data Parser with template version 3.0.2", + "description": "corelight_suricata_eve Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject90').parserVersion90]", @@ -14968,7 +14974,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_suricata_stats Data Parser with template version 3.0.2", + "description": "corelight_suricata_stats Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject91').parserVersion91]", 
@@ -15098,7 +15104,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_suricata_zeek_stats Data Parser with template version 3.0.2", + "description": "corelight_suricata_zeek_stats Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject92').parserVersion92]", @@ -15228,7 +15234,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_syslog Data Parser with template version 3.0.2", + "description": "corelight_syslog Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject93').parserVersion93]", @@ -15358,7 +15364,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_tds Data Parser with template version 3.0.2", + "description": "corelight_tds Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject94').parserVersion94]", 
@@ -15488,7 +15494,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_tds_rpc Data Parser with template version 3.0.2", + "description": "corelight_tds_rpc Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject95').parserVersion95]", @@ -15618,7 +15624,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_tds_sql_batch Data Parser with template version 3.0.2", + "description": "corelight_tds_sql_batch Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject96').parserVersion96]", @@ -15748,7 +15754,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_traceroute Data Parser with template version 3.0.2", + "description": "corelight_traceroute Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject97').parserVersion97]", 
@@ -15878,7 +15884,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_tunnel Data Parser with template version 3.0.2", + "description": "corelight_tunnel Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject98').parserVersion98]", @@ -16008,7 +16014,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_unknown_smartpcap Data Parser with template version 3.0.2", + "description": "corelight_unknown_smartpcap Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject99').parserVersion99]", @@ -16138,7 +16144,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_util_stats Data Parser with template version 3.0.2", + "description": "corelight_util_stats Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject100').parserVersion100]", 
@@ -16268,7 +16274,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_vpn Data Parser with template version 3.0.2", + "description": "corelight_vpn Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject101').parserVersion101]", 
@@ -16285,7 +16291,7 @@ "displayName": "corelight_vpn parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_vpn", - "query": "let corelight_vpn = view () {\n Corelight_v2_vpn_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n proto=proto_s,\n vpn_type=vpn_type_s,\n service=service_s,\n inferences=inferences_s,\n server_name=server_name_s,\n client_info=client_info_s,\n duration=duration_d,\n orig_bytes=orig_bytes_d,\n resp_bytes=resp_bytes_d,\n orig_cc=orig_cc_s,\n orig_region=orig_region_s,\n orig_city=orig_city_s,\n resp_cc=resp_cc_s,\n resp_region=resp_region_s,\n resp_city=resp_city_s,\n subject=subject_s,\n issuer=issuer_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"vpn\",\n ts=TimeGenerated\n};\ncorelight_vpn\n\n", + "query": "let VpnInferencesLookup = datatable(\n Code: string,\n Name: string,\n Description: string\n)[\n \"ABP Authentication Bypass\",\"N/A\",\"A client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after encryption begins.\",\n \"BF Brute Force Guessing\",\"N/A\",\"A client made a number of authentication attempts that exceeded some configured per-connection threshold.\",\n \"BFS Brute Force Success\",\"N/A\",\"A client made a number of authentication attempts that exceeded some configured per-connection threshold.\",\n \"SFD\",\"Small Client File Download\",\"A file transfer occurred in which the server sent a sequence of bytes to the client.\",\n \"LFD\",\"Large Client File Download\",\"A file transfer occurred in which the server sent a sequence of bytes to the client. 
Large files are identified dynamically based on trains of MTU-sized packets.\",\n \"SFU\",\"Small Client File Upload\",\"A file transfer occurred in which the client sent a sequence of bytes to the server.\",\n \"LFU\",\"Large Client File Upload\",\"A file transfer occurred in which the client sent a sequence of bytes to the server. Large files are identified dynamically based on trains of MTU-sized packets.\",\n \"KS\",\"Keystrokes\",\"An interactive session occurred in which the client set user-driven keystrokes to the server.\",\n \"SC\",\"Capabilities Scan- ning\",\"A client exchanged capabilities with the server and then disconnected.\",\n \"SP\",\"Other Scanning\",\"A client and server didn't exchange encrypted packets but the client wasn't a version or capabilities scanner.\",\n \"SV\",\"Version Scanning\",\"A client exchanged version strings with the server and then disconnected.\",\n \"SA Scanning\",\"N/A\",\"The client scanned authentication methods with the server and then disconnected.\",\n \"APWA\",\"Automated Password Authentication\",\"The client authenticated with an automated password tool (like sshpass).\",\n \"IPWA\",\"Interactive Password Authentication\",\"The client interactively typed their password to authenticate.\",\n \"PKA\",\"Public Key Authentication\",\"The client automatically authenticated using pubkey authentication.\",\n \"NA\",\"None Authentication\",\"The client successfully authenticated using the None method.\",\n \"MFA\",\"Multifactor authentication\",\"The server required a second form of authentication (a code) after a password or public key was accepted and the client successfully provided it.\",\n \"UA\",\"Unknown authentication\",\"The authentication method is not determined or is unknown.\",\n \"AUTO\",\"Automated interaction\",\"The client is a script or automated utility and not driven by a user.\",\n \"BAN\",\"Server Banner\",\"The server sent the client a pre-authentication banner likely for legal reasons.\",\n \"CTS 
trusted server\",\"N/A\",\"The client already has an entry in its known_hosts file for this server.\",\n \"CUS untrusted server\",\"N/A\",\"The client did not have an entry in its known_hosts file for this server.\",\n \"RSP\",\"Reverse SSH Provisioned\",\"The client connected with a -R flag which provisions the ports to be used for a Reverse Session set up at any future time.\",\n \"RSI\",\"Reverse SSH Initiated\",\"The Reverse session is initiated from the server back to the Client.\",\n \"RSIA\",\"Reverse SSH Initiation Automated\",\"The initiation of the Reverse session happened very early in the packet stream indicating automation.\",\n \"RSL\",\"Reverse SSH Logged I'n\",\"The Reverse tunnel login has succeeded.\",\n \"RSK\",\"Reverse SSH Keystrokes\",\"Keystrokes are detected within the Reverse tunnel.\",\n \"NRC\",\"No Remote Com- mand\",\"The -N flag was used in the SSH session.\",\n \"AFR\",\"SSH Agent For- warding Requested\",\"Agent forwarding is requested by the Client.\",\n \"FC\",\"FreeRDP Driven Client\",\"Indicates a CLI tool client (likely FreeRDP-based). 
This inference doesn't require that the client successfully authenticated to the server.\",\n \"MSC\",\"Metasploit Scanner Client\",\"Indicates a Metasploit client.\",\n \"HBC\",\"THC-Hydra Bruteforce Client\",\"Indicates a Hydra client.\",\n \"CBC\",\"Crowbar Bruteforce Client\",\"Indicates a Crowbar client.\",\n \"SLC\",\"SharpRDP Lateral Movement Client\",\"Indicates a SharpRDP client.\",\n \"SOC\",\"Scanner Other Client\",\"Indicates that the client is likely a scanner or exploit tool that the package can't specifically identify (for example, rdpscan or impacket).\"\n \"RCGA\",\"Remote Credential Guard Authentication\",\"Indicates that the client authenticated using Restricted Admin Mode.\",\n \"RAMA\",\"Restricted Admin Mode Authentication\",\"Indicates a Metasploit client.\",\n \"APWA\",\"Automated NTLM Password Authentication\",\"Indicates that the client authenticated using an NTLM password that was provided before the connection was initiated.\",\n \"IPWA\",\"Interactive NTLM Password Authentication\",\"Indicates that the client authenticated using an NTLM password that was provided after the connection was initiated, suggesting a human-driven connection.\"\n \"SLH\",\"Slow Handshake\",\"Indicates that the handshake (RDPBCGR connection sequence) took an unusually long time to complete.\",\n \"COM\",\"N/A\",\"Indicates the presence of a commercial VPN service (such as PrivateInternetAccess or NordVPN).\"\n \"NSP\",\"N/A\",\"Non Standard Port. FW - Using a port to subvert a firewall (i.e. 53/udp).\",\n \"RW\",\"N/A\",\"Road warrior configuration detected (i.e. 
Cisco Anyconnect).\",\n \"SK\",\"N/A\",\"Static Key\",\n \"TLS\",\"N/A\",\"TLS Auth\",\n \"FW\",\"N/A\",\"Indicates that the VPN might be trying to subvert network security by using a port that is usually allowed.\"\n];\nlet dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_vpn = view () {\n union isfuzzy=true Corelight_v2_vpn_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n client_info = column_ifexists(\"client_info_s\", \"\"),\n duration = column_ifexists(\"duration_d\", real(null)),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n inferences = column_ifexists(\"inferences_s\", \"\"),\n issuer = column_ifexists(\"issuer_s\", \"\"),\n ja3 = column_ifexists(\"ja3_s\", \"\"),\n ja3s = column_ifexists(\"ja3s_s\", \"\"),\n orig_bytes = column_ifexists(\"orig_bytes_d\", real(null)),\n orig_cc = column_ifexists(\"orig_cc_s\", \"\"),\n orig_city = column_ifexists(\"orig_city_s\", \"\"),\n orig_region = column_ifexists(\"orig_region_s\", \"\"),\n proto = column_ifexists(\"proto_s\", \"\"),\n resp_bytes = column_ifexists(\"resp_bytes_d\", real(null)),\n resp_cc = column_ifexists(\"resp_cc_s\", \"\"),\n resp_city = column_ifexists(\"resp_city_s\", \"\"),\n resp_region = column_ifexists(\"resp_region_s\", \"\"),\n server_name = column_ifexists(\"server_name_s\", \"\"),\n service = column_ifexists(\"service_s\", \"\"),\n subject = column_ifexists(\"subject_s\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n vpn_type = 
column_ifexists(\"vpn_type_s\", \"\")\n | mv-expand todynamic(inferences)\n | extend code_string = tostring(inferences)\n | lookup kind=leftouter VpnInferencesLookup on $left.code_string == $right.Code\n | summarize Inferences = make_list(code_string), Names = make_list(Name), Descriptions = make_list(Description), arg_max(TimeGenerated, *) by uid\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"vpn\",\n ts = TimeGenerated,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n bytes_out = orig_bytes,\n transport = proto,\n bytes_in = resp_bytes,\n signature = vpn_type,\n sensor_name = coalesce(system_name, \"unknown\")\n | extend\n bytes = bytes_in + bytes_out,\n services = split(service, ','),\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"), \"true\", \"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n client_info,\n duration,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n Inferences,\n issuer,\n ja3,\n ja3s,\n orig_bytes,\n orig_cc,\n orig_city,\n orig_region,\n proto,\n resp_bytes,\n resp_cc,\n resp_city,\n resp_region,\n server_name,\n service,\n subject,\n uid,\n vpn_type,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n bytes_out,\n transport,\n bytes_in,\n signature,\n sensor_name,\n bytes,\n services,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip,\n Names,\n Descriptions\n};\ncorelight_vpn\n", "functionParameters": "", "version": 2, "tags": [ 
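Review bot: `VpnInferencesLookup` carries duplicate keys — `APWA` and `IPWA` each appear twice (an SSH row and an NTLM row) — and `lookup kind=leftouter VpnInferencesLookup on $left.code_string == $right.Code` emits one output row per matching lookup row, so a VPN record carrying either code is fanned out before `summarize ... by uid` and `make_list` then records the code twice with both names; collapse each pair into a single row (the raw inference value cannot tell the two variants apart) so every `Code` is unique. Several rows also fold the expanded label into the key (`"ABP Authentication Bypass"`, `"BF Brute Force Guessing"`, `"BFS Brute Force Success"`, `"SA Scanning"`, `"CTS trusted server"`, `"CUS untrusted server"`, each with Name `"N/A"`), which presumably never equals the bare code string produced by `mv-expand todynamic(inferences)`, and the `SOC`, NTLM `IPWA` and `COM` rows lack the trailing comma every other non-final row has, which is at best inconsistent and at worst a parse error. The `RAMA` description (`Indicates a Metasploit client.`) and the hyphenated names (`Capabilities Scan- ning`, `No Remote Com- mand`, `SSH Agent For- warding Requested`, `Reverse SSH Logged I'n`) read as copy-paste residue from a vendor document and should be cleaned before they surface in the `Names`/`Descriptions` lists analysts see. The identical query is added again in the hunk at @@ -16349 and has the same issues.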
@@ -16334,8 +16340,8 @@ "contentId": "[variables('parserObject101').parserContentId101]", "contentKind": "Parser", "displayName": "corelight_vpn parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject101').parserContentId101,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject101').parserContentId101,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject101').parserContentId101,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject101').parserContentId101,'-', '1.1.0')))]", "version": "[variables('parserObject101').parserVersion101]" } }, 
@@ -16349,7 +16355,7 @@ "displayName": "corelight_vpn parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_vpn", - "query": "let corelight_vpn = view () {\n Corelight_v2_vpn_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n uid=uid_s,\n id_orig_h=id_orig_h_s,\n id_orig_p=id_orig_p_d,\n id_resp_h=id_resp_h_s,\n id_resp_p=id_resp_p_d,\n proto=proto_s,\n vpn_type=vpn_type_s,\n service=service_s,\n inferences=inferences_s,\n server_name=server_name_s,\n client_info=client_info_s,\n duration=duration_d,\n orig_bytes=orig_bytes_d,\n resp_bytes=resp_bytes_d,\n orig_cc=orig_cc_s,\n orig_region=orig_region_s,\n orig_city=orig_city_s,\n resp_cc=resp_cc_s,\n resp_region=resp_region_s,\n resp_city=resp_city_s,\n subject=subject_s,\n issuer=issuer_s\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"vpn\",\n ts=TimeGenerated\n};\ncorelight_vpn\n\n", + "query": "let VpnInferencesLookup = datatable(\n Code: string,\n Name: string,\n Description: string\n)[\n \"ABP Authentication Bypass\",\"N/A\",\"A client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after encryption begins.\",\n \"BF Brute Force Guessing\",\"N/A\",\"A client made a number of authentication attempts that exceeded some configured per-connection threshold.\",\n \"BFS Brute Force Success\",\"N/A\",\"A client made a number of authentication attempts that exceeded some configured per-connection threshold.\",\n \"SFD\",\"Small Client File Download\",\"A file transfer occurred in which the server sent a sequence of bytes to the client.\",\n \"LFD\",\"Large Client File Download\",\"A file transfer occurred in which the server sent a sequence of bytes to the client. 
Large files are identified dynamically based on trains of MTU-sized packets.\",\n \"SFU\",\"Small Client File Upload\",\"A file transfer occurred in which the client sent a sequence of bytes to the server.\",\n \"LFU\",\"Large Client File Upload\",\"A file transfer occurred in which the client sent a sequence of bytes to the server. Large files are identified dynamically based on trains of MTU-sized packets.\",\n \"KS\",\"Keystrokes\",\"An interactive session occurred in which the client set user-driven keystrokes to the server.\",\n \"SC\",\"Capabilities Scan- ning\",\"A client exchanged capabilities with the server and then disconnected.\",\n \"SP\",\"Other Scanning\",\"A client and server didn't exchange encrypted packets but the client wasn't a version or capabilities scanner.\",\n \"SV\",\"Version Scanning\",\"A client exchanged version strings with the server and then disconnected.\",\n \"SA Scanning\",\"N/A\",\"The client scanned authentication methods with the server and then disconnected.\",\n \"APWA\",\"Automated Password Authentication\",\"The client authenticated with an automated password tool (like sshpass).\",\n \"IPWA\",\"Interactive Password Authentication\",\"The client interactively typed their password to authenticate.\",\n \"PKA\",\"Public Key Authentication\",\"The client automatically authenticated using pubkey authentication.\",\n \"NA\",\"None Authentication\",\"The client successfully authenticated using the None method.\",\n \"MFA\",\"Multifactor authentication\",\"The server required a second form of authentication (a code) after a password or public key was accepted and the client successfully provided it.\",\n \"UA\",\"Unknown authentication\",\"The authentication method is not determined or is unknown.\",\n \"AUTO\",\"Automated interaction\",\"The client is a script or automated utility and not driven by a user.\",\n \"BAN\",\"Server Banner\",\"The server sent the client a pre-authentication banner likely for legal reasons.\",\n \"CTS 
trusted server\",\"N/A\",\"The client already has an entry in its known_hosts file for this server.\",\n \"CUS untrusted server\",\"N/A\",\"The client did not have an entry in its known_hosts file for this server.\",\n \"RSP\",\"Reverse SSH Provisioned\",\"The client connected with a -R flag which provisions the ports to be used for a Reverse Session set up at any future time.\",\n \"RSI\",\"Reverse SSH Initiated\",\"The Reverse session is initiated from the server back to the Client.\",\n \"RSIA\",\"Reverse SSH Initiation Automated\",\"The initiation of the Reverse session happened very early in the packet stream indicating automation.\",\n \"RSL\",\"Reverse SSH Logged I'n\",\"The Reverse tunnel login has succeeded.\",\n \"RSK\",\"Reverse SSH Keystrokes\",\"Keystrokes are detected within the Reverse tunnel.\",\n \"NRC\",\"No Remote Com- mand\",\"The -N flag was used in the SSH session.\",\n \"AFR\",\"SSH Agent For- warding Requested\",\"Agent forwarding is requested by the Client.\",\n \"FC\",\"FreeRDP Driven Client\",\"Indicates a CLI tool client (likely FreeRDP-based). 
This inference doesn't require that the client successfully authenticated to the server.\",\n \"MSC\",\"Metasploit Scanner Client\",\"Indicates a Metasploit client.\",\n \"HBC\",\"THC-Hydra Bruteforce Client\",\"Indicates a Hydra client.\",\n \"CBC\",\"Crowbar Bruteforce Client\",\"Indicates a Crowbar client.\",\n \"SLC\",\"SharpRDP Lateral Movement Client\",\"Indicates a SharpRDP client.\",\n \"SOC\",\"Scanner Other Client\",\"Indicates that the client is likely a scanner or exploit tool that the package can't specifically identify (for example, rdpscan or impacket).\"\n \"RCGA\",\"Remote Credential Guard Authentication\",\"Indicates that the client authenticated using Restricted Admin Mode.\",\n \"RAMA\",\"Restricted Admin Mode Authentication\",\"Indicates a Metasploit client.\",\n \"APWA\",\"Automated NTLM Password Authentication\",\"Indicates that the client authenticated using an NTLM password that was provided before the connection was initiated.\",\n \"IPWA\",\"Interactive NTLM Password Authentication\",\"Indicates that the client authenticated using an NTLM password that was provided after the connection was initiated, suggesting a human-driven connection.\"\n \"SLH\",\"Slow Handshake\",\"Indicates that the handshake (RDPBCGR connection sequence) took an unusually long time to complete.\",\n \"COM\",\"N/A\",\"Indicates the presence of a commercial VPN service (such as PrivateInternetAccess or NordVPN).\"\n \"NSP\",\"N/A\",\"Non Standard Port. FW - Using a port to subvert a firewall (i.e. 53/udp).\",\n \"RW\",\"N/A\",\"Road warrior configuration detected (i.e. 
Cisco Anyconnect).\",\n \"SK\",\"N/A\",\"Static Key\",\n \"TLS\",\"N/A\",\"TLS Auth\",\n \"FW\",\"N/A\",\"Indicates that the VPN might be trying to subvert network security by using a port that is usually allowed.\"\n];\nlet dummy_table = datatable(TimeGenerated: datetime, uid_s: string) [];\nlet corelight_vpn = view () {\n union isfuzzy=true Corelight_v2_vpn_CL, dummy_table\n | summarize arg_max(TimeGenerated, *) by uid_s\n | join kind=leftouter \n ( corelight_conn\n | project uid, local_orig, local_resp\n ) on $left.uid_s == $right.uid\n | project-away uid\n | extend\n path = column_ifexists(\"_path_s\", \"\"),\n system_name = column_ifexists(\"_system_name_s\", \"\"),\n write_ts = column_ifexists(\"_write_ts_t\", \"\"),\n client_info = column_ifexists(\"client_info_s\", \"\"),\n duration = column_ifexists(\"duration_d\", real(null)),\n id_orig_h = column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p = column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h = column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p = column_ifexists(\"id_resp_p_d\", real(null)),\n inferences = column_ifexists(\"inferences_s\", \"\"),\n issuer = column_ifexists(\"issuer_s\", \"\"),\n ja3 = column_ifexists(\"ja3_s\", \"\"),\n ja3s = column_ifexists(\"ja3s_s\", \"\"),\n orig_bytes = column_ifexists(\"orig_bytes_d\", real(null)),\n orig_cc = column_ifexists(\"orig_cc_s\", \"\"),\n orig_city = column_ifexists(\"orig_city_s\", \"\"),\n orig_region = column_ifexists(\"orig_region_s\", \"\"),\n proto = column_ifexists(\"proto_s\", \"\"),\n resp_bytes = column_ifexists(\"resp_bytes_d\", real(null)),\n resp_cc = column_ifexists(\"resp_cc_s\", \"\"),\n resp_city = column_ifexists(\"resp_city_s\", \"\"),\n resp_region = column_ifexists(\"resp_region_s\", \"\"),\n server_name = column_ifexists(\"server_name_s\", \"\"),\n service = column_ifexists(\"service_s\", \"\"),\n subject = column_ifexists(\"subject_s\", \"\"),\n uid = column_ifexists(\"uid_s\", \"\"),\n vpn_type = 
column_ifexists(\"vpn_type_s\", \"\")\n | mv-expand todynamic(inferences)\n | extend code_string = tostring(inferences)\n | lookup kind=leftouter VpnInferencesLookup on $left.code_string == $right.Code\n | summarize Inferences = make_list(code_string), Names = make_list(Name), Descriptions = make_list(Description), arg_max(TimeGenerated, *) by uid\n | extend\n EventVendor = \"Corelight\",\n EventProduct = \"CorelightSensor\",\n EventType = \"vpn\",\n ts = TimeGenerated,\n src = id_orig_h,\n src_ip = id_orig_h,\n src_port = id_orig_p,\n dest = id_resp_h,\n dest_ip = id_resp_h,\n dest_port = id_resp_p,\n bytes_out = orig_bytes,\n transport = proto,\n bytes_in = resp_bytes,\n signature = vpn_type,\n sensor_name = coalesce(system_name, \"unknown\")\n | extend\n bytes = bytes_in + bytes_out,\n services = split(service, ','),\n is_broadcast =iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"), \"true\", \"false\"),\n is_dest_internal_ip = iff(local_resp == true, \"true\", \"false\"),\n is_src_internal_ip = iff(local_orig == true, \"true\", \"false\")\n | project\n TimeGenerated,\n path,\n system_name,\n write_ts,\n client_info,\n duration,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n Inferences,\n issuer,\n ja3,\n ja3s,\n orig_bytes,\n orig_cc,\n orig_city,\n orig_region,\n proto,\n resp_bytes,\n resp_cc,\n resp_city,\n resp_region,\n server_name,\n service,\n subject,\n uid,\n vpn_type,\n EventVendor,\n EventProduct,\n EventType,\n ts,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n bytes_out,\n transport,\n bytes_in,\n signature,\n sensor_name,\n bytes,\n services,\n is_broadcast,\n is_dest_internal_ip,\n is_src_internal_ip,\n Names,\n Descriptions\n};\ncorelight_vpn\n", "functionParameters": "", "version": 2, "tags": [ 
@@ -16398,7 +16404,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_weird Data Parser with template version 3.0.2", + "description": "corelight_weird Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject102').parserVersion102]", @@ -16528,7 +16534,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_weird_red Data Parser with template version 3.0.2", + "description": "corelight_weird_red Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject103').parserVersion103]", @@ -16658,7 +16664,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_weird_stats Data Parser with template version 3.0.2", + "description": "corelight_weird_stats Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject104').parserVersion104]", 
@@ -16788,7 +16794,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_wireguard Data Parser with template version 3.0.2", + "description": "corelight_wireguard Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject105').parserVersion105]", @@ -16918,7 +16924,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_x509 Data Parser with template version 3.0.2", + "description": "corelight_x509 Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject106').parserVersion106]", 
@@ -16935,7 +16941,7 @@ "displayName": "corelight_x509 parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_x509", - "query": "let corelight_x509 = view () {\n Corelight_v2_x509_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n fingerprint=fingerprint_s,\n certificate_version=certificate_version_d,\n certificate_serial=certificate_serial_s,\n certificate_subject=certificate_subject_s,\n certificate_issuer=certificate_issuer_s,\n certificate_not_valid_before=certificate_not_valid_before_t,\n certificate_not_valid_after=certificate_not_valid_after_t,\n certificate_key_alg=certificate_key_alg_s,\n certificate_sig_alg=certificate_sig_alg_s,\n certificate_key_type=certificate_key_type_s,\n certificate_key_length=certificate_key_length_d,\n certificate_exponent=certificate_exponent_s,\n certificate_curve=certificate_curve_s,\n san_dns=san_dns_s,\n san_uri=san_uri_s,\n san_email=san_email_s,\n san_ip=san_ip_s,\n basic_constraints_ca=basic_constraints_ca_b,\n basic_constraints_path_len=basic_constraints_path_len_d,\n host_cert=host_cert_b,\n client_cert=client_cert_b\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"x509\",\n ts=TimeGenerated\n};\ncorelight_x509\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet corelight_x509 = view () {\n union isfuzzy=true Corelight_v2_x509_CL, Corelight_v2_x509_red_CL, dummy_table\n | extend \n path=column_ifexists(\"_path_s\", \"\"),\n system_name=column_ifexists(\"_system_name_s\", \"\"),\n write_ts=column_ifexists(\"_write_ts_t\", \"\"),\n fingerprint=column_ifexists(\"fingerprint_s\", \"\"),\n certificate_version=column_ifexists(\"certificate_version_d\", real(null)),\n certificate_serial=column_ifexists(\"certificate_serial_s\", \"\"),\n certificate_subject=column_ifexists(\"certificate_subject_s\", \"\"),\n certificate_issuer=column_ifexists(\"certificate_issuer_s\", \"\"),\n 
certificate_not_valid_before=column_ifexists(\"certificate_not_valid_before_t\", \"\"),\n certificate_not_valid_after=column_ifexists(\"certificate_not_valid_after_t\", \"\"),\n certificate_key_alg=column_ifexists(\"certificate_key_alg_s\", \"\"),\n certificate_sig_alg=column_ifexists(\"certificate_sig_alg_s\", \"\"),\n certificate_key_type=column_ifexists(\"certificate_key_type_s\", \"\"),\n certificate_key_length=column_ifexists(\"certificate_key_length_d\", real(null)),\n certificate_exponent=column_ifexists(\"certificate_exponent_s\", \"\"),\n certificate_curve=column_ifexists(\"certificate_curve_s\", \"\"),\n san_dns=column_ifexists(\"san_dns_s\", \"\"),\n san_uri=column_ifexists(\"san_uri_s\", \"\"),\n san_email=column_ifexists(\"san_email_s\", \"\"),\n san_ip=column_ifexists(\"san_ip_s\", \"\"),\n basic_constraints_ca=column_ifexists(\"basic_constraints_ca_b\", \"\"),\n basic_constraints_path_len=column_ifexists(\"basic_constraints_path_len_d\", real(null)),\n host_cert=column_ifexists(\"host_cert_b\", \"\"),\n client_cert=column_ifexists(\"client_cert_b\", \"\"),\n vlan=column_ifexists(\"vlan_d\", real(null)),\n id_orig_h=column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p=column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h=column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p=column_ifexists(\"id_resp_p_d\", real(null))\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"x509\",\n ssl_issuer=certificate_issuer,\n ssl_publickey_algorithm=certificate_key_alg,\n not_valid_after=certificate_not_valid_after,\n ssl_end_time=certificate_not_valid_after,\n ssl_start_time=certificate_not_valid_before,\n ssl_serial=certificate_serial,\n ssl_signature_algorithm=certificate_sig_alg,\n ssl_subject=certificate_subject,\n ssl_version=certificate_version,\n ssl_hash = fingerprint,\n ts=TimeGenerated,\n sensor_name=coalesce(system_name, \"unknown\"),\n src=id_orig_h,\n src_ip=id_orig_h,\n src_port=id_orig_p,\n dest=id_resp_h,\n 
dest_ip=id_resp_h,\n dest_port=id_resp_p\n | extend \n days_to_expiry = datetime_diff('day', todatetime(not_valid_after), now()),\n ssl_validity_window=datetime_diff('day', todatetime(ssl_end_time), todatetime(ssl_start_time)),\n ssl_is_valid = iff(ts > todatetime(ssl_start_time) and ts < todatetime(ssl_end_time), \"true\", \"false\"),\n ssl_issuer_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, ssl_issuer),\n ssl_subject_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, ssl_subject),\n ssl_subject_common_name = extract('CN=(?[^,\"]+)', 1, ssl_subject),\n ssl_issuer_common_name=extract('CN=(?[^,\"]+)', 1, ssl_issuer),\n ssl_issuer_organization = extract('O=(?[^,]+)', 1, ssl_issuer),\n ssl_issuer_unit = extract('OU=(?[^,]+)', 1, ssl_issuer),\n ssl_issuer_locality = extract('L=(?[^,]+)', 1, ssl_issuer),\n ssl_issuer_state = extract('ST=(?[^,]+)', 1, ssl_issuer),\n ssl_issuer_country = extract('C=(?[^,]+)', 1, ssl_issuer),\n ssl_subject_organization = extract('O=(?[^,]+)', 1, ssl_subject),\n ssl_subject_unit = extract('OU=(?[^,]+)', 1, ssl_subject),\n ssl_subject_locality = extract('L=(?[^,]+)', 1, ssl_subject),\n ssl_subject_state = extract('ST=(?[^,]+)', 1, ssl_subject),\n ssl_subject_country = extract('C=(?[^,]+)', 1, ssl_subject),\n ssl_issuer_email = extract('emailAddress=(?[^,]+)', 1, ssl_issuer),\n ssl_subject_email = extract('emailAddress=(?[^,]+)', 1, ssl_subject),\n ssl_issuer_domain = extract('DC=(?[^,]+)', 1, ssl_issuer),\n ssl_name = extract('title=(?[^,]+)', 1, ssl_issuer),\n ssl_subject_domain = extract('DC=(?[^,]+)', 1, ssl_subject),\n ssl_subject_name = extract('title=(?[^,]+)', 1, ssl_subject),\n is_broadcast = iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"), \"true\", \"false\"),\n is_src_internal_ip = iff(ipv4_is_in_any_range(src, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\"), \"true\", \"false\"),\n is_dest_internal_ip = 
iff(ipv4_is_in_any_range(dest, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\"), \"true\", \"false\")\n | project \n TimeGenerated,\n path,\n system_name,\n write_ts,\n fingerprint,\n certificate_version,\n certificate_serial,\n certificate_subject,\n certificate_issuer,\n certificate_not_valid_before,\n certificate_not_valid_after,\n certificate_key_alg,\n certificate_sig_alg,\n certificate_key_type,\n certificate_key_length,\n certificate_exponent,\n certificate_curve,\n san_dns,\n san_uri,\n san_email,\n san_ip,\n basic_constraints_ca,\n basic_constraints_path_len,\n host_cert,\n client_cert,\n vlan,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n EventVendor,\n EventProduct,\n EventType,\n ssl_issuer,\n ssl_publickey_algorithm,\n not_valid_after,\n ssl_end_time,\n ssl_start_time,\n ssl_serial,\n ssl_signature_algorithm,\n ssl_subject,\n ssl_version,\n ssl_hash,\n ts,\n sensor_name,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n days_to_expiry,\n ssl_validity_window,\n ssl_is_valid,\n ssl_issuer_email_domain,\n ssl_subject_email_domain,\n ssl_subject_common_name,\n ssl_issuer_common_name,\n ssl_issuer_organization,\n ssl_issuer_unit,\n ssl_issuer_locality,\n ssl_issuer_state,\n ssl_issuer_country,\n ssl_subject_organization,\n ssl_subject_unit,\n ssl_subject_locality,\n ssl_subject_state,\n ssl_subject_country,\n ssl_issuer_email,\n ssl_subject_email,\n ssl_issuer_domain,\n ssl_name,\n ssl_subject_domain,\n ssl_subject_name,\n is_broadcast,\n is_src_internal_ip,\n is_dest_internal_ip\n};\ncorelight_x509\n", "functionParameters": "", "version": 2, "tags": [ 
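Review bot: The country extraction `ssl_issuer_country = extract('C=(?[^,]+)', 1, ssl_issuer)` (and its `ssl_subject_country` twin) also matches the `C=` inside a `DC=` component, so for a DN such as `CN=host,DC=corp,DC=example,C=US` (constructed example) the first hit is `corp` rather than `US`; anchoring the attribute to the start of a component fixes it: `ssl_issuer_country = extract('(?:^|,)C=([^,]+)', 1, ssl_issuer)` and `ssl_subject_country = extract('(?:^|,)C=([^,]+)', 1, ssl_subject)`. The email-domain pattern `[0-9A-Za-z_]+.[0-9A-Za-z_]+` has an unescaped `.` and no `-` in its classes, so hyphenated domains leave `ssl_issuer_email_domain`/`ssl_subject_email_domain` empty. As rendered here every capture group reads `(?[...])`, which suggests a named-group label was dropped by the page; the replacements above use a plain group so index `1` works either way. Note also that `is_src_internal_ip`/`is_dest_internal_ip` are derived from RFC 1918 ranges here while the `corelight_vpn` parser in this same change derives them from `corelight_conn`'s `local_orig`/`local_resp`, so the two fields do not mean the same thing across parsers. The same query starts again in the hunk at @@ -16999, which runs past this view.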
@@ -16984,8 +16990,8 @@ "contentId": "[variables('parserObject106').parserContentId106]", "contentKind": "Parser", "displayName": "corelight_x509 parser for Corelight", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject106').parserContentId106,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject106').parserContentId106,'-', '1.0.0')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject106').parserContentId106,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject106').parserContentId106,'-', '1.1.0')))]", "version": "[variables('parserObject106').parserVersion106]" } }, 
@@ -16999,7 +17005,7 @@ "displayName": "corelight_x509 parser for Corelight", "category": "Microsoft Sentinel Parser", "functionAlias": "corelight_x509", - "query": "let corelight_x509 = view () {\n Corelight_v2_x509_CL\n | project-rename\n _path=_path_s,\n _system_name=_system_name_s,\n _write_ts=_write_ts_t,\n fingerprint=fingerprint_s,\n certificate_version=certificate_version_d,\n certificate_serial=certificate_serial_s,\n certificate_subject=certificate_subject_s,\n certificate_issuer=certificate_issuer_s,\n certificate_not_valid_before=certificate_not_valid_before_t,\n certificate_not_valid_after=certificate_not_valid_after_t,\n certificate_key_alg=certificate_key_alg_s,\n certificate_sig_alg=certificate_sig_alg_s,\n certificate_key_type=certificate_key_type_s,\n certificate_key_length=certificate_key_length_d,\n certificate_exponent=certificate_exponent_s,\n certificate_curve=certificate_curve_s,\n san_dns=san_dns_s,\n san_uri=san_uri_s,\n san_email=san_email_s,\n san_ip=san_ip_s,\n basic_constraints_ca=basic_constraints_ca_b,\n basic_constraints_path_len=basic_constraints_path_len_d,\n host_cert=host_cert_b,\n client_cert=client_cert_b\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"x509\",\n ts=TimeGenerated\n};\ncorelight_x509\n\n", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet corelight_x509 = view () {\n union isfuzzy=true Corelight_v2_x509_CL, Corelight_v2_x509_red_CL, dummy_table\n | extend \n path=column_ifexists(\"_path_s\", \"\"),\n system_name=column_ifexists(\"_system_name_s\", \"\"),\n write_ts=column_ifexists(\"_write_ts_t\", \"\"),\n fingerprint=column_ifexists(\"fingerprint_s\", \"\"),\n certificate_version=column_ifexists(\"certificate_version_d\", real(null)),\n certificate_serial=column_ifexists(\"certificate_serial_s\", \"\"),\n certificate_subject=column_ifexists(\"certificate_subject_s\", \"\"),\n certificate_issuer=column_ifexists(\"certificate_issuer_s\", \"\"),\n 
certificate_not_valid_before=column_ifexists(\"certificate_not_valid_before_t\", \"\"),\n certificate_not_valid_after=column_ifexists(\"certificate_not_valid_after_t\", \"\"),\n certificate_key_alg=column_ifexists(\"certificate_key_alg_s\", \"\"),\n certificate_sig_alg=column_ifexists(\"certificate_sig_alg_s\", \"\"),\n certificate_key_type=column_ifexists(\"certificate_key_type_s\", \"\"),\n certificate_key_length=column_ifexists(\"certificate_key_length_d\", real(null)),\n certificate_exponent=column_ifexists(\"certificate_exponent_s\", \"\"),\n certificate_curve=column_ifexists(\"certificate_curve_s\", \"\"),\n san_dns=column_ifexists(\"san_dns_s\", \"\"),\n san_uri=column_ifexists(\"san_uri_s\", \"\"),\n san_email=column_ifexists(\"san_email_s\", \"\"),\n san_ip=column_ifexists(\"san_ip_s\", \"\"),\n basic_constraints_ca=column_ifexists(\"basic_constraints_ca_b\", \"\"),\n basic_constraints_path_len=column_ifexists(\"basic_constraints_path_len_d\", real(null)),\n host_cert=column_ifexists(\"host_cert_b\", \"\"),\n client_cert=column_ifexists(\"client_cert_b\", \"\"),\n vlan=column_ifexists(\"vlan_d\", real(null)),\n id_orig_h=column_ifexists(\"id_orig_h_s\", \"\"),\n id_orig_p=column_ifexists(\"id_orig_p_d\", real(null)),\n id_resp_h=column_ifexists(\"id_resp_h_s\", \"\"),\n id_resp_p=column_ifexists(\"id_resp_p_d\", real(null))\n | extend\n EventVendor=\"Corelight\",\n EventProduct=\"CorelightSensor\",\n EventType=\"x509\",\n ssl_issuer=certificate_issuer,\n ssl_publickey_algorithm=certificate_key_alg,\n not_valid_after=certificate_not_valid_after,\n ssl_end_time=certificate_not_valid_after,\n ssl_start_time=certificate_not_valid_before,\n ssl_serial=certificate_serial,\n ssl_signature_algorithm=certificate_sig_alg,\n ssl_subject=certificate_subject,\n ssl_version=certificate_version,\n ssl_hash = fingerprint,\n ts=TimeGenerated,\n sensor_name=coalesce(system_name, \"unknown\"),\n src=id_orig_h,\n src_ip=id_orig_h,\n src_port=id_orig_p,\n dest=id_resp_h,\n 
dest_ip=id_resp_h,\n dest_port=id_resp_p\n | extend \n days_to_expiry = datetime_diff('day', todatetime(not_valid_after), now()),\n ssl_validity_window=datetime_diff('day', todatetime(ssl_end_time), todatetime(ssl_start_time)),\n ssl_is_valid = iff(ts > todatetime(ssl_start_time) and ts < todatetime(ssl_end_time), \"true\", \"false\"),\n ssl_issuer_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, ssl_issuer),\n ssl_subject_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, ssl_subject),\n ssl_subject_common_name = extract('CN=(?[^,\"]+)', 1, ssl_subject),\n ssl_issuer_common_name=extract('CN=(?[^,\"]+)', 1, ssl_issuer),\n ssl_issuer_organization = extract('O=(?[^,]+)', 1, ssl_issuer),\n ssl_issuer_unit = extract('OU=(?[^,]+)', 1, ssl_issuer),\n ssl_issuer_locality = extract('L=(?[^,]+)', 1, ssl_issuer),\n ssl_issuer_state = extract('ST=(?[^,]+)', 1, ssl_issuer),\n ssl_issuer_country = extract('C=(?[^,]+)', 1, ssl_issuer),\n ssl_subject_organization = extract('O=(?[^,]+)', 1, ssl_subject),\n ssl_subject_unit = extract('OU=(?[^,]+)', 1, ssl_subject),\n ssl_subject_locality = extract('L=(?[^,]+)', 1, ssl_subject),\n ssl_subject_state = extract('ST=(?[^,]+)', 1, ssl_subject),\n ssl_subject_country = extract('C=(?[^,]+)', 1, ssl_subject),\n ssl_issuer_email = extract('emailAddress=(?[^,]+)', 1, ssl_issuer),\n ssl_subject_email = extract('emailAddress=(?[^,]+)', 1, ssl_subject),\n ssl_issuer_domain = extract('DC=(?[^,]+)', 1, ssl_issuer),\n ssl_name = extract('title=(?[^,]+)', 1, ssl_issuer),\n ssl_subject_domain = extract('DC=(?[^,]+)', 1, ssl_subject),\n ssl_subject_name = extract('title=(?[^,]+)', 1, ssl_subject),\n is_broadcast = iff(src in(\"0.0.0.0\", \"255.255.255.255\") or dest in(\"255.255.255.255\", \"0.0.0.0\"), \"true\", \"false\"),\n is_src_internal_ip = iff(ipv4_is_in_any_range(src, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\"), \"true\", \"false\"),\n is_dest_internal_ip = 
iff(ipv4_is_in_any_range(dest, \"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\"), \"true\", \"false\")\n | project \n TimeGenerated,\n path,\n system_name,\n write_ts,\n fingerprint,\n certificate_version,\n certificate_serial,\n certificate_subject,\n certificate_issuer,\n certificate_not_valid_before,\n certificate_not_valid_after,\n certificate_key_alg,\n certificate_sig_alg,\n certificate_key_type,\n certificate_key_length,\n certificate_exponent,\n certificate_curve,\n san_dns,\n san_uri,\n san_email,\n san_ip,\n basic_constraints_ca,\n basic_constraints_path_len,\n host_cert,\n client_cert,\n vlan,\n id_orig_h,\n id_orig_p,\n id_resp_h,\n id_resp_p,\n EventVendor,\n EventProduct,\n EventType,\n ssl_issuer,\n ssl_publickey_algorithm,\n not_valid_after,\n ssl_end_time,\n ssl_start_time,\n ssl_serial,\n ssl_signature_algorithm,\n ssl_subject,\n ssl_version,\n ssl_hash,\n ts,\n sensor_name,\n src,\n src_ip,\n src_port,\n dest,\n dest_ip,\n dest_port,\n days_to_expiry,\n ssl_validity_window,\n ssl_is_valid,\n ssl_issuer_email_domain,\n ssl_subject_email_domain,\n ssl_subject_common_name,\n ssl_issuer_common_name,\n ssl_issuer_organization,\n ssl_issuer_unit,\n ssl_issuer_locality,\n ssl_issuer_state,\n ssl_issuer_country,\n ssl_subject_organization,\n ssl_subject_unit,\n ssl_subject_locality,\n ssl_subject_state,\n ssl_subject_country,\n ssl_issuer_email,\n ssl_subject_email,\n ssl_issuer_domain,\n ssl_name,\n ssl_subject_domain,\n ssl_subject_name,\n is_broadcast,\n is_src_internal_ip,\n is_dest_internal_ip\n};\ncorelight_x509\n", "functionParameters": "", "version": 2, "tags": [ 
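Review bot: `ssl_issuer_country = extract('C=(?[^,]+)', 1, ssl_issuer)` (and its `ssl_subject_country` twin) has no left boundary, so on a DN where a `DC=` component precedes `C=` the first match is the tail of `DC=…` and the country field is filled with a domain component; anchoring the key, e.g. `extract(@'(?:^|,\s*)C=([^,]+)', 1, ssl_issuer)`, removes the ambiguity (the named-group syntax looks stripped by rendering here, so keep whatever capture form the file actually uses). The email-domain pattern leaves its `.` unescaped and its local-part class `[0-9A-Za-z_]+` excludes `.`, `-` and `+`, so ordinary addresses such as `pki.admin@example.com` never populate `ssl_issuer_email_domain`. `is_src_internal_ip`/`is_dest_internal_ip` test only the three RFC 1918 blocks, so IPv6, link-local and 100.64.0.0/10 sources are reported as external; if that is intended it should be stated in the parser description, otherwise reuse the `local_orig`/`local_resp` flags the conn parser relies on.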
@@ -17048,7 +17054,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_x509_red Data Parser with template version 3.0.2", + "description": "corelight_x509_red Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject107').parserVersion107]", @@ -17178,7 +17184,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "corelight_zeek_doctor Data Parser with template version 3.0.2", + "description": "corelight_zeek_doctor Data Parser with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject108').parserVersion108]", @@ -17308,7 +17314,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightAbnormalEmailSubject_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CorelightAbnormalEmailSubject_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", 
@@ -17392,7 +17398,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightCompressedFilesTransferredOverHTTP_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CorelightCompressedFilesTransferredOverHTTP_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -17476,7 +17482,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightDataTransferedByIp_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CorelightDataTransferedByIp_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -17560,7 +17566,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightExternalServices_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CorelightExternalServices_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", 
@@ -17644,7 +17650,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightFilesSeen_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CorelightFilesSeen_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -17728,7 +17734,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightFilesTransferedByIp_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CorelightFilesTransferedByIp_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -17812,7 +17818,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightMultipleRemoteSMBConnectionsFromSingleIP_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CorelightMultipleRemoteSMBConnectionsFromSingleIP_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", 
@@ -17896,7 +17902,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightObfuscatedBinary_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CorelightObfuscatedBinary_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -17980,7 +17986,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightRarePOST_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CorelightRarePOST_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -18064,7 +18070,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CorelightRepetitiveDnsFailures_HuntingQueries Hunting Query with template version 3.0.2", + "description": "CorelightRepetitiveDnsFailures_HuntingQueries Hunting Query with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", 
@@ -18144,7 +18150,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.1.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Corelight", diff --git a/Solutions/Corelight/Parsers/corelight_conn.yaml b/Solutions/Corelight/Parsers/corelight_conn.yaml index dee77116c3f..fe4534b1d1c 100644 --- a/Solutions/Corelight/Parsers/corelight_conn.yaml +++ b/Solutions/Corelight/Parsers/corelight_conn.yaml 
@@ -1,65 +1,198 @@ -id: a2f78162-d882-5bee-bf38-22db728bc9eb +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_conn parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight Connection Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_conn FunctionAlias: corelight_conn -FunctionQuery: |+ - let corelight_conn = view () { - Corelight_v2_conn_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - uid=uid_s, - id_orig_h=id_orig_h_s, - id_orig_p=id_orig_p_d, - id_resp_h=id_resp_h_s, - id_resp_p=id_resp_p_d, - proto=proto_s, - service=service_s, - duration=duration_d, - orig_bytes=orig_bytes_d, - resp_bytes=resp_bytes_d, - conn_state=conn_state_s, - local_orig=local_orig_b, - local_resp=local_resp_b, - missed_bytes=missed_bytes_d, - history=history_s, - orig_pkts=orig_pkts_d, - orig_ip_bytes=orig_ip_bytes_d, - resp_pkts=resp_pkts_d, - resp_ip_bytes=resp_ip_bytes_d, - tunnel_parents=tunnel_parents_s, - orig_cc=orig_cc_s, - resp_cc=resp_cc_s, - suri_ids=suri_ids_s, - spcap_url=spcap_url_s, - spcap_rule=spcap_rule_d, - spcap_trigger=spcap_trigger_s, - app=app_s, - corelight_shunted=corelight_shunted_b, - orig_shunted_pkts=orig_shunted_pkts_d, - orig_shunted_bytes=orig_shunted_bytes_d, - resp_shunted_pkts=resp_shunted_pkts_d, - resp_shunted_bytes=resp_shunted_bytes_d, - orig_l2_addr=orig_l2_addr_s, - resp_l2_addr=resp_l2_addr_s, - id_orig_h_n_src=id_orig_h_n_src_s, - id_orig_h_n_vals=id_orig_h_n_vals_s, - id_resp_h_n_src=id_resp_h_n_src_s, - id_resp_h_n_vals=id_resp_h_n_vals_s, - vlan=vlan_d, - inner_vlan=inner_vlan_d, - community_id=community_id_s - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="conn", - ts=TimeGenerated - }; - corelight_conn - -... 
+FunctionQuery: | + let ConnStateLookup = datatable( + conn_state: string, + conn_state_desc: string, + action: string + )[ + "S0","Connection attempt seen, no reply.","teardown", + "S1","Connection established, not terminated.","allowed", + "SF","Normal establishment and termination.","allowed", + "REJ","Connection attempt rejected.","blocked", + "S2","Connection established and close attempt by originator seen (but no reply from responder).","allowed", + "S3","Connection established and close attempt by responder seen (but no reply from originator).","allowed", + "RSTO","Connection established, originator aborted (sent a RST).","allowed", + "RSTR","Established, responder aborted.","allowed", + "RSTOS0","Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.","teardown", + "RSTRH","Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.","teardown", + "SH","Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open).","teardown", + "SHR","Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.","teardown", + "OTH","No SYN seen, just midstream traffic (a 'partial connection' that was not later closed).","allowed" + ]; + let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) []; + let corelight_conn = view () { + union isfuzzy=true dummy_table, + Corelight_v2_conn_CL, + Corelight_v2_conn_red_CL, + Corelight_v2_conn_long_CL + | summarize arg_max(TimeGenerated, *) by uid_s + | extend + path=column_ifexists("_path_s", ""), + system_name=column_ifexists("_system_name_s", ""), + write_ts=column_ifexists("_write_ts_t", ""), + uid=column_ifexists("uid_s", ""), + id_orig_h=column_ifexists("id_orig_h_s", ""), + id_orig_p=column_ifexists("id_orig_p_d", real(null)), + id_resp_h=column_ifexists("id_resp_h_s", ""), + id_resp_p=column_ifexists("id_resp_p_d", real(null)), + proto=column_ifexists("proto_s", ""), 
+ service=column_ifexists("service_s", ""), + duration=column_ifexists("duration_d", real(null)), + orig_bytes=column_ifexists("orig_bytes_d", real(null)), + resp_bytes=column_ifexists("resp_bytes_d", real(null)), + conn_state=column_ifexists("conn_state_s", ""), + local_orig=column_ifexists("local_orig_b", ""), + local_resp=column_ifexists("local_resp_b", ""), + missed_bytes=column_ifexists("missed_bytes_d", real(null)), + history=column_ifexists("history_s", ""), + orig_pkts=column_ifexists("orig_pkts_d", real(null)), + orig_ip_bytes=column_ifexists("orig_ip_bytes_d", real(null)), + resp_pkts=column_ifexists("resp_pkts_d", real(null)), + resp_ip_bytes=column_ifexists("resp_ip_bytes_d", real(null)), + tunnel_parents=column_ifexists("tunnel_parents_s", ""), + orig_cc=column_ifexists("orig_cc_s", ""), + resp_cc=column_ifexists("resp_cc_s", ""), + suri_ids=column_ifexists("suri_ids_s", ""), + spcap_url=column_ifexists("spcap_url_s", ""), + spcap_rule=column_ifexists("spcap_rule_d", real(null)), + spcap_trigger=column_ifexists("spcap_trigger_s", ""), + apps=column_ifexists("app_s", ""), + corelight_shunted=column_ifexists("corelight_shunted_b", ""), + orig_shunted_pkts=column_ifexists("orig_shunted_pkts_d", real(null)), + orig_shunted_bytes=column_ifexists("orig_shunted_bytes_d", real(null)), + resp_shunted_pkts=column_ifexists("resp_shunted_pkts_d", real(null)), + resp_shunted_bytes=column_ifexists("resp_shunted_bytes_d", real(null)), + orig_l2_addr=column_ifexists("orig_l2_addr_s", ""), + resp_l2_addr=column_ifexists("resp_l2_addr_s",""), + id_orig_h_n_src=column_ifexists("id_orig_h_n_src_s",""), + id_orig_h_n_vals=column_ifexists("id_orig_h_n_vals_s",""), + id_resp_h_n_src=column_ifexists("id_resp_h_n_src_s",""), + id_resp_h_n_vals=column_ifexists("id_resp_h_n_vals_s",""), + vlan=column_ifexists("vlan_d", real(null)), + inner_vlan=column_ifexists("inner_vlan_d", real(null)), + community_id=column_ifexists("community_id_s",""), + pcr=column_ifexists("pcr_d", 
real(null)), + id_vlan=column_ifexists("id_vlan_d", real(null)), + packets=column_ifexists("packets_d", real(null)) + | lookup ConnStateLookup on conn_state + | extend + EventVendor="Corelight", + EventProduct="CorelightSensor", + EventType="conn", + ts=TimeGenerated, + src=id_orig_h, + src_ip=id_orig_h, + src_port=id_orig_p, + dest=id_resp_h, + dest_ip=id_resp_h, + dest_port=id_resp_p, + bytes_out=orig_ip_bytes, + src_mac=orig_l2_addr, + dvc=orig_l2_addr, + packets_out=orig_pkts, + bytes_in=resp_ip_bytes, + dest_mac=resp_l2_addr, + dst_mac=resp_l2_addr, + packets_in=resp_pkts, + session_id=uid, + src_country=orig_cc, + dest_country=resp_cc, + bytes=resp_ip_bytes + orig_ip_bytes, + sensor_name = coalesce(system_name, "unknown"), + transport=iff(proto=='icmp' and id_orig_h matches regex ".*:.*", "icmp6", proto), + app=split(service, ",") + | extend + is_broadcast = iff(src in("0.0.0.0", "255.255.255.255") or dest in("255.255.255.255", "0.0.0.0"),"true","false"), + is_src_internal_ip = iff(local_orig == true, "true", "false"), + is_dest_internal_ip = iff(local_resp == true, "true", "false"), + direction=case(local_orig=="true" and local_resp=="true", "internal", local_orig=="true" and local_resp=="false", "outbound", local_orig=="false" and local_resp=="false", "external", local_orig=="false" and local_resp=="true", "inbound", "unknown"), + packets=coalesce(toreal(packets), packets_in+packets_out) + | project + TimeGenerated, + path, + system_name, + write_ts, + uid, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + proto, + service, + duration, + orig_bytes, + resp_bytes, + conn_state, + local_orig, + local_resp, + missed_bytes, + history, + orig_pkts, + orig_ip_bytes, + resp_pkts, + resp_ip_bytes, + tunnel_parents, + orig_cc, + resp_cc, + suri_ids, + spcap_url, + spcap_rule, + spcap_trigger, + apps, + corelight_shunted, + orig_shunted_pkts, + orig_shunted_bytes, + resp_shunted_pkts, + resp_shunted_bytes, + orig_l2_addr, + resp_l2_addr, + id_orig_h_n_src, + 
id_orig_h_n_vals, + id_resp_h_n_src, + id_resp_h_n_vals, + vlan, + inner_vlan, + community_id, + pcr, + EventVendor, + EventProduct, + EventType, + ts, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + bytes_out, + src_mac, + dvc, + packets_out, + bytes_in, + dest_mac, + dst_mac, + packets_in, + session_id, + src_country, + dest_country, + bytes, + sensor_name, + is_broadcast, + is_src_internal_ip, + is_dest_internal_ip, + direction, + id_vlan, + packets, + transport, + app, + conn_state_desc, + action + }; + corelight_conn \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/corelight_dns.yaml b/Solutions/Corelight/Parsers/corelight_dns.yaml index 52ed8292ced..6e1a0462fe6 100644 --- a/Solutions/Corelight/Parsers/corelight_dns.yaml +++ b/Solutions/Corelight/Parsers/corelight_dns.yaml 
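Review bot: `is_src_internal_ip = iff(local_orig == true, "true", "false")` compares `local_orig` with the bool `true`, while `direction=case(local_orig=="true" and local_resp=="true", ...)` a few lines later compares the same column with the string `"true"`; `local_orig` is produced by `column_ifexists("local_orig_b", "")`, so only one of the two comparisons can match the column's real type and the other either never fires (leaving `direction` stuck on `"unknown"`) or is rejected by the query compiler. Settle on one representation, e.g. `local_orig=tobool(column_ifexists("local_orig_b", bool(null)))` with `local_orig == true` used everywhere, and do the same for `local_resp`. Separately, `id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f` is the value given to corelight_conn here and again to corelight_dns and corelight_etc_viz in the following hunks; the replaced ids were distinct per parser, and a shared id is likely to collide when the solution content is packaged, so each parser should keep its own id.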
@@ -1,47 +1,167 @@ -id: 99bd6f78-9c1c-5068-bc19-1d00b5bad6d8 +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_dns parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight DNS Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_dns FunctionAlias: corelight_dns -FunctionQuery: |+ - let corelight_dns = view () { - Corelight_v2_dns_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - uid=uid_s, - id_orig_h=id_orig_h_s, - id_orig_p=id_orig_p_d, - id_resp_h=id_resp_h_s, - id_resp_p=id_resp_p_d, - proto=proto_s, - trans_id=trans_id_d, - rtt=rtt_d, - query=query_s, - qclass=qclass_d, - qclass_name=qclass_name_s, - qtype=qtype_d, - qtype_name=qtype_name_s, - rcode=rcode_d, - rcode_name=rcode_name_s, - AA=AA_b, - TC=TC_b, - RD=RD_b, - RA=RA_b, - Z=Z_d, - answers=answers_s, - TTLs=TTLs_s, - rejected=rejected_b - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="dns", - ts=TimeGenerated - }; - corelight_dns - -... 
+FunctionQuery: | + let DNSLookup = datatable( + rcode: int, + reply_code: string, + cim_reply_code: string + )[ + 0,"NOERROR","No Error", + 1,"FORMERR","FormErr", + 2,"SERVFAIL","ServFail", + 3,"NXDOMAIN","NXDomain", + 4,"NOTIMP","NotImp", + 5,"REFUSED","Refused" + ]; + let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) []; + let corelight_dns = view () { + union isfuzzy=true Corelight_v2_dns_CL, Corelight_v2_dns_red_CL, dummy_table + | summarize arg_max(TimeGenerated, *) by uid_s + | join kind=leftouter + ( corelight_conn + | project uid, local_orig, local_resp + ) on $left.uid_s == $right.uid + | project-away uid + | extend + path = column_ifexists("_path_s", ""), + system_name = column_ifexists("_system_name_s", ""), + write_ts = column_ifexists("_write_ts_t", ""), + AA = column_ifexists("AA_b", ""), + RA = column_ifexists("RA_b", ""), + RD = column_ifexists("RD_b", ""), + TC = column_ifexists("TC_b", ""), + TTLs = column_ifexists("TTLs_s", ""), + Z = column_ifexists("Z_d", real(null)), + answers = column_ifexists("answers_s", ""), + id_orig_h = column_ifexists("id_orig_h_s", ""), + id_orig_p = column_ifexists("id_orig_p_d", real(null)), + id_resp_h = column_ifexists("id_resp_h_s", ""), + id_resp_p = column_ifexists("id_resp_p_d", real(null)), + proto = column_ifexists("proto_s", ""), + qclass = column_ifexists("qclass_d", real(null)), + qclass_name = column_ifexists("qclass_name_s", ""), + qtype = column_ifexists("qtype_d", real(null)), + qtype_name = column_ifexists("qtype_name_s", ""), + query = column_ifexists("query_s", ""), + rcode = column_ifexists("rcode_d", long(null)), + rcode_name = column_ifexists("rcode_name_s", ""), + rejected = column_ifexists("rejected_b", ""), + rtt = column_ifexists("rtt_d", real(null)), + trans_id = column_ifexists("trans_id_d", ""), + uid = column_ifexists("uid_s", ""), + num = column_ifexists("num_d", real(null)), + icann_domain = column_ifexists("icann_domain_s", ""), + icann_host_subdomain = 
column_ifexists("icann_host_subdomain_s", ""), + icann_tld = column_ifexists("icann_tld_s", ""), + is_trusted_domain = column_ifexists("is_trusted_domain_b", "") + | extend rcode = toint(rcode) + | lookup DNSLookup on rcode + | extend + EventVendor = "Corelight", + EventProduct = "CorelightSensor", + EventType = "dns", + ts = TimeGenerated, + dns_flags_authoritative_answer = AA, + dns_flags_recursion_available = RA, + dns_flags_truncated_response = TC, + ttl = TTLs, + src = id_orig_h, + src_ip = id_orig_h, + src_port = id_orig_p, + dest = id_resp_h, + dest_ip = id_resp_h, + dest_port = id_resp_p, + record_class = qclass_name, + record_type = qtype_name, + reply_code_id = rcode, + dns_flags_rejected = rejected, + duration = rtt, + response_time = rtt, + transaction_id = trans_id, + session_id = uid, + answer_count = array_length(todynamic(answers)), + query_count = array_length(todynamic(query)), + sensor_name = coalesce(system_name, "unknown"), + reply_code = cim_reply_code + | extend + is_broadcast =iff(src in("0.0.0.0", "255.255.255.255") or dest in("255.255.255.255", "0.0.0.0"),"true","false"), + is_dest_internal_ip = iff(local_resp == true, "true", "false"), + is_src_internal_ip = iff(local_orig == true, "true", "false"), + transport = iff(proto == "icmp" and id_orig_h matches regex ".*:.*", "icmp6", proto), + query_length = strlen(query), + answer_length = iff(answer_count == 1, strlen(answers), tolong('')), + message_type = iff(isnotnull(rcode), "Response", "Query") + | project + TimeGenerated, + path, + system_name, + write_ts, + AA, + RA, + RD, + TC, + TTLs, + Z, + answers, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + proto, + qclass, + qclass_name, + qtype, + qtype_name, + query, + rcode, + rcode_name, + rejected, + rtt, + trans_id, + uid, + num, + icann_domain, + icann_host_subdomain, + icann_tld, + is_trusted_domain, + EventVendor, + EventProduct, + EventType, + ts, + dns_flags_authoritative_answer, + dns_flags_recursion_available, + 
dns_flags_truncated_response, + ttl, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + record_class, + record_type, + reply_code_id, + dns_flags_rejected, + duration, + response_time, + transaction_id, + session_id, + answer_count, + query_count, + sensor_name, + is_broadcast, + is_dest_internal_ip, + is_src_internal_ip, + transport, + query_length, + answer_length, + message_type, + reply_code + }; + corelight_dns \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/corelight_etc_viz.yaml b/Solutions/Corelight/Parsers/corelight_etc_viz.yaml index cde0eb4792f..51d450d008e 100644 --- a/Solutions/Corelight/Parsers/corelight_etc_viz.yaml +++ b/Solutions/Corelight/Parsers/corelight_etc_viz.yaml 
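Review bot: `trans_id = column_ifexists("trans_id_d", "")` defaults a `_d` column to the empty string, unlike every other `_d` column in this block, which defaults to `real(null)`; when the column is absent `transaction_id` becomes a string and anything comparing or joining on it changes type, so it should read `trans_id = column_ifexists("trans_id_d", real(null))`. `message_type = iff(isnotnull(rcode), "Response", "Query")` deserves a comment: `rcode` comes through `toint()` of a `long(null)` default, so a missing response code is the only path to `"Query"`, and a response whose `rcode` is outside the 0–5 rows of `DNSLookup` gets a null `reply_code`. The `local_orig`/`local_resp` columns behind `is_src_internal_ip`/`is_dest_internal_ip` are joined in from `corelight_conn`, so this parser inherits that function's bool-vs-string handling of them and its full `summarize arg_max(...) by uid_s` over the conn tables on every call, which is worth noting in the parser description if the cost is intended.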
@@ -1,41 +1,111 @@ -id: 25285280-bdee-55e0-ae75-62df9bfa3ee2 +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_etc_viz parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight etc viz Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_etc_viz FunctionAlias: corelight_etc_viz -FunctionQuery: |+ - let corelight_etc_viz = view () { - Corelight_v2_etc_viz_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - uid=uid_s, - server_a=server_a_s, - server_p=server_p_d, - service=service_s, - viz_stat=viz_stat_s, - c2s_viz_size=c2s_viz_size_d, - c2s_viz_enc_dev=c2s_viz_enc_dev_d, - c2s_viz_enc_frac=c2s_viz_enc_frac_d, - c2s_viz_pdu1_enc=c2s_viz_pdu1_enc_b, - c2s_viz_clr_frac=c2s_viz_clr_frac_d, - c2s_viz_clr_ex=c2s_viz_clr_ex_s, - s2c_viz_size=s2c_viz_size_d, - s2c_viz_enc_dev=s2c_viz_enc_dev_d, - s2c_viz_enc_frac=s2c_viz_enc_frac_d, - s2c_viz_pdu1_enc=s2c_viz_pdu1_enc_b, - s2c_viz_clr_frac=s2c_viz_clr_frac_d, - s2c_viz_clr_ex=s2c_viz_clr_ex_s - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="etc_viz", - ts=TimeGenerated - }; - corelight_etc_viz - -... 
+FunctionQuery: | + let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) []; + let corelight_etc_viz = view () { + union isfuzzy=true Corelight_v2_etc_viz_CL, dummy_table + | summarize arg_max(TimeGenerated, *) by uid_s + | join kind=leftouter + ( corelight_conn + | project uid, local_orig, local_resp + ) on $left.uid_s == $right.uid + |project-away uid + | extend + path = column_ifexists("_path_s", ""), + system_name = column_ifexists("_system_name_s", ""), + write_ts = column_ifexists("_write_ts_t", ""), + uid = column_ifexists("uid_s", ""), + server_a = column_ifexists("server_a_s", ""), + server_p = column_ifexists("server_p_d", real(null)), + service = column_ifexists("service_s", ""), + viz_stat = column_ifexists("viz_stat_s", ""), + c2s_viz_size = column_ifexists("c2s_viz_size_d", real(null)), + c2s_viz_enc_dev = column_ifexists("c2s_viz_enc_dev_d", real(null)), + c2s_viz_enc_frac = column_ifexists("c2s_viz_enc_frac_d", real(null)), + c2s_viz_pdu1_enc = column_ifexists("c2s_viz_pdu1_enc_b", ""), + c2s_viz_clr_frac = column_ifexists("c2s_viz_clr_frac_d", real(null)), + c2s_viz_clr_ex = column_ifexists("c2s_viz_clr_ex_s", ""), + s2c_viz_size = column_ifexists("s2c_viz_size_d", real(null)), + s2c_viz_enc_dev = column_ifexists("s2c_viz_enc_dev_d", real(null)), + s2c_viz_enc_frac = column_ifexists("s2c_viz_enc_frac_d", real(null)), + s2c_viz_pdu1_enc = column_ifexists("s2c_viz_pdu1_enc_b", ""), + s2c_viz_clr_frac = column_ifexists("s2c_viz_clr_frac_d", real(null)), + s2c_viz_clr_ex = column_ifexists("s2c_viz_clr_ex_s", ""), + id_orig_h = column_ifexists("id_orig_h_s", ""), + id_orig_p = column_ifexists("id_orig_p_d", real(null)), + id_resp_h = column_ifexists("id_resp_h_s", ""), + id_resp_p = column_ifexists("id_resp_p_d", real(null)) + | extend + EventVendor = "Corelight", + EventProduct = "CorelightSensor", + EventType = "etc_viz", + ts = TimeGenerated, + session_id = uid, + status = viz_stat, + src = id_orig_h, + src_ip = id_orig_h, + src_port = 
id_orig_p, + dest = id_resp_h, + dest_ip = id_resp_h, + dest_port = id_resp_p, + bytes_out = tolong(c2s_viz_size), + bytes_in = tolong(s2c_viz_size), + sensor_name = coalesce(system_name, "unknown") + | extend + bytes = bytes_in + bytes_out, + is_broadcast =iff(src in("0.0.0.0", "255.255.255.255") or dest in("255.255.255.255", "0.0.0.0"),"true","false"), + is_dest_internal_ip = iff(local_resp == true, "true", "false"), + is_src_internal_ip = iff(local_orig == true, "true", "false") + | project + TimeGenerated, + path, + system_name, + write_ts, + uid, + server_a, + server_p, + service, + viz_stat, + c2s_viz_size, + c2s_viz_enc_dev, + c2s_viz_enc_frac, + c2s_viz_pdu1_enc, + c2s_viz_clr_frac, + c2s_viz_clr_ex, + s2c_viz_size, + s2c_viz_enc_dev, + s2c_viz_enc_frac, + s2c_viz_pdu1_enc, + s2c_viz_clr_frac, + s2c_viz_clr_ex, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + EventVendor, + EventProduct, + EventType, + ts, + session_id, + status, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + bytes_out, + bytes_in, + sensor_name, + bytes, + is_broadcast, + is_dest_internal_ip, + is_src_internal_ip + }; + corelight_etc_viz \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/corelight_files.yaml b/Solutions/Corelight/Parsers/corelight_files.yaml index 10d4a499b7f..a9538f9afaf 100644 --- a/Solutions/Corelight/Parsers/corelight_files.yaml +++ b/Solutions/Corelight/Parsers/corelight_files.yaml 
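Review bot: The `id` on the first line of this hunk, `974718ae-c0a5-4d4a-bb42-63a0f394d66f`, replaces a parser-specific id with a value that is identical in the corelight_files, corelight_ftp, corelight_http, corelight_rdp and corelight_ssh hunks below, whereas every removed id was distinct per file. If the repo's validators or the solution packaging key on that id, these function templates will collide, so each file should get its own UUID. Separately, the `column_ifexists` defaults do not match the column types the suffixes imply: `write_ts = column_ifexists("_write_ts_t", "")` and `c2s_viz_pdu1_enc = column_ifexists("c2s_viz_pdu1_enc_b", "")` yield a string only when the source column is absent, so the output schema differs between workspaces that have the column and those that do not; `datetime(null)` and `bool(null)` keep the type stable. The same default pattern recurs in every hunk in this batch.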
@@ -1,47 +1,132 @@ -id: 8442fb62-5dcc-550e-afbf-a0e70b1a2745 +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_files parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight Files Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_files FunctionAlias: corelight_files -FunctionQuery: |+ - let corelight_files = view () { - Corelight_v2_files_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - fuid=fuid_s, - tx_hosts=tx_hosts_s, - rx_hosts=rx_hosts_s, - conn_uids=conn_uids_s, - source=source_s, - depth=depth_d, - analyzers=analyzers_s, - mime_type=mime_type_s, - filename=filename_s, - duration=duration_d, - local_orig=local_orig_b, - is_orig=is_orig_b, - seen_bytes=seen_bytes_d, - total_bytes=total_bytes_d, - missing_bytes=missing_bytes_d, - overflow_bytes=overflow_bytes_d, - timedout=timedout_b, - parent_fuid=parent_fuid_s, - sha1=sha1_s, - sha256=sha256_s, - extracted=extracted_s, - extracted_cutoff=extracted_cutoff_b, - extracted_size=extracted_size_d - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="files", - ts=TimeGenerated - }; - corelight_files - -... 
+FunctionQuery: | + let dummy_table = datatable(TimeGenerated: datetime) []; + let corelight_files = view () { + union isfuzzy=true Corelight_v2_files_CL, + Corelight_v2_files_red_CL, dummy_table + | extend + path = column_ifexists("_path_s", ""), + system_name = column_ifexists("_system_name_s", ""), + write_ts = column_ifexists("_write_ts_t", ""), + analyzers = column_ifexists("analyzers_s", ""), + conn_uids = column_ifexists("conn_uids_s", ""), + depth = column_ifexists("depth_d", real(null)), + duration = column_ifexists("duration_d", real(null)), + fuid = column_ifexists("fuid_s", ""), + is_orig = column_ifexists("is_orig_b", ""), + local_orig = column_ifexists("local_orig_b", ""), + md5 = column_ifexists("md5_s", ""), + mime_type = column_ifexists("mime_type_s", ""), + missing_bytes = column_ifexists("missing_bytes_d", real(null)), + overflow_bytes = column_ifexists("overflow_bytes_d", real(null)), + rx_hosts = column_ifexists("rx_hosts_s", ""), + seen_bytes = column_ifexists("seen_bytes_d", real(null)), + sha1 = column_ifexists("sha1_s", ""), + sha256 = column_ifexists("sha256_s", ""), + source = column_ifexists("source_s", ""), + timedout = column_ifexists("timedout_b", ""), + total_bytes = column_ifexists("total_bytes_d", real(null)), + tx_hosts = column_ifexists("tx_hosts_s", ""), + vlan = column_ifexists("vlan_d", real(null)), + filename = column_ifexists("filename_s", ""), + parent_fuid = column_ifexists("parent_fuid_s", ""), + extracted = column_ifexists("extracted_s", ""), + extracted_cutoff = column_ifexists("extracted_cutoff_b", ""), + extracted_size = column_ifexists("extracted_size_d", real(null)), + id_orig_h = column_ifexists("id_orig_h_s", ""), + id_orig_p = column_ifexists("id_orig_p_d", real(null)), + id_resp_h = column_ifexists("id_resp_h_s", ""), + id_resp_p = column_ifexists("id_resp_p_d", real(null)), + num = column_ifexists("num_d", real(null)) + | extend + EventVendor = "Corelight", + EventProduct = "CorelightSensor", + EventType = 
"files", + ts = TimeGenerated, + uid = conn_uids, + dest_host = rx_hosts, + bytes = seen_bytes, + file_size = total_bytes, + src_host = tx_hosts, + file_name = filename, + object = filename, + src = id_orig_h, + src_ip = id_orig_h, + src_port = id_orig_p, + dest = id_resp_h, + dest_ip = id_resp_h, + dest_port = id_resp_p, + app = source, + file_hash = coalesce(md5, sha1, sha256, "unknown"), + sensor_name = coalesce(system_name, "unknown") + | extend + is_broadcast =iff(src in("0.0.0.0", "255.255.255.255") or dest in("255.255.255.255", "0.0.0.0"),"true","false"), + is_dest_internal_ip = iff(ipv4_is_in_range( dest, "10.0.0.0/8") or ipv4_is_in_range( dest, "172.16.0.0/12") or ipv4_is_in_range( dest, "192.168.0.0/16"), "true", "false"), + is_src_internal_ip = iff(local_orig == true, "true", "false") + | project + TimeGenerated, + path, + system_name, + write_ts, + analyzers, + conn_uids, + depth, + duration, + fuid, + is_orig, + local_orig, + md5, + mime_type, + missing_bytes, + overflow_bytes, + rx_hosts, + seen_bytes, + sha1, + sha256, + source, + timedout, + total_bytes, + tx_hosts, + vlan, + filename, + parent_fuid, + extracted, + extracted_cutoff, + extracted_size, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + num, + EventVendor, + EventProduct, + EventType, + ts, + uid, + dest_host, + bytes, + file_size, + src_host, + file_name, + object, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + app, + file_hash, + sensor_name, + is_broadcast, + is_dest_internal_ip, + is_src_internal_ip + }; + corelight_files \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/corelight_ftp.yaml b/Solutions/Corelight/Parsers/corelight_ftp.yaml index c8be1529e14..80a08b181bc 100644 --- a/Solutions/Corelight/Parsers/corelight_ftp.yaml +++ b/Solutions/Corelight/Parsers/corelight_ftp.yaml 
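Review bot: `is_src_internal_ip = iff(local_orig == true, "true", "false")` compares a value whose default is the string `""` (`local_orig = column_ifexists("local_orig_b", "")`) against a bool, while `is_dest_internal_ip` in the same `extend` switches to hard-coded RFC 1918 ranges via `ipv4_is_in_range`; the two ends of one connection are classified by different rules, and the other parsers in this batch take both flags from the `corelight_conn` join. Either join `corelight_conn` here as well or apply the same range test to `src`, and default the bool column with `bool(null)` so `local_orig == true` is well-typed. `file_hash = coalesce(md5, sha1, sha256, "unknown")` also merges three algorithms into one column with no indication of which was chosen, so a consumer matching against an indicator list cannot tell an MD5 from a SHA-256; a sibling `file_hash_type = case(isnotempty(md5), "md5", isnotempty(sha1), "sha1", isnotempty(sha256), "sha256", "unknown")` preserves that.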
@@ -1,42 +1,107 @@ -id: 6f65ae78-2a9f-5252-9ce1-573b9ad1fe77 +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_ftp parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight FTP Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_ftp FunctionAlias: corelight_ftp -FunctionQuery: |+ - let corelight_ftp = view () { - Corelight_v2_ftp_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - uid=uid_s, - id_orig_h=id_orig_h_s, - id_orig_p=id_orig_p_d, - id_resp_h=id_resp_h_s, - id_resp_p=id_resp_p_d, - user=user_s, - password=password_s, - command=command_s, - arg=arg_s, - mime_type=mime_type_s, - file_size=file_size_d, - reply_code=reply_code_d, - reply_msg=reply_msg_s, - data_channel_passive=data_channel_passive_b, - data_channel_orig_h=data_channel_orig_h_s, - data_channel_resp_h=data_channel_resp_h_s, - data_channel_resp_p=data_channel_resp_p_d, - fuid=fuid_s - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="ftp", - ts=TimeGenerated - }; - corelight_ftp - -... 
+FunctionQuery: | + let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) []; + let corelight_ftp = view () { + union isfuzzy=true Corelight_v2_ftp_CL, dummy_table + | summarize arg_max(TimeGenerated, *) by uid_s + | join kind=leftouter + ( corelight_conn + | project uid, local_orig, local_resp + ) on $left.uid_s == $right.uid + | project-away uid + | extend + path = column_ifexists("_path_s", ""), + system_name = column_ifexists("_system_name_s", ""), + write_ts = column_ifexists("_write_ts_t", ""), + command = column_ifexists("command_s", ""), + data_channel_orig_h = column_ifexists("data_channel_orig_h_s", ""), + data_channel_passive = column_ifexists("data_channel_passive_b", ""), + data_channel_resp_h = column_ifexists("data_channel_resp_h_s", ""), + arg = column_ifexists("arg_s", ""), + data_channel_resp_p = column_ifexists("data_channel_resp_p_d", real(null)), + err = column_ifexists("err_s", ""), + id_orig_h = column_ifexists("id_orig_h_s", ""), + id_orig_p = column_ifexists("id_orig_p_d", real(null)), + id_resp_h = column_ifexists("id_resp_h_s", ""), + id_resp_p = column_ifexists("id_resp_p_d", real(null)), + password = column_ifexists("password_s", ""), + reply_code = column_ifexists("reply_code_d", real(null)), + reply_msg = column_ifexists("reply_msg_s", ""), + uid = column_ifexists("uid_s", ""), + user = column_ifexists("user_s", ""), + mime_type = column_ifexists("mime_type_s", ""), + file_size = column_ifexists("file_size_d", real(null)), + fuid = column_ifexists("fuid_s", "") + | extend + EventVendor = "Corelight", + EventProduct = "CorelightSensor", + EventType = "ftp", + ts = TimeGenerated, + signature_id = toint(reply_code), + signature = reply_msg, + src = id_orig_h, + src_ip = id_orig_h, + src_port = id_orig_p, + dest = id_resp_h, + dest_ip = id_resp_h, + dest_port = id_resp_p, + sensor_name = coalesce(system_name, "unknown") + | extend + extract_user = extract("user/(?\\w+)", 1, user), + action = case(signature_id<300, "Success", 
"Failure"), + object = split(arg, '/')[-1], + is_broadcast =iff(src in("0.0.0.0", "255.255.255.255") or dest in("255.255.255.255", "0.0.0.0"),"true","false"), + is_dest_internal_ip = iff(local_resp == true, "true", "false"), + is_src_internal_ip = iff(local_orig == true, "true", "false") + | project + TimeGenerated, + path, + system_name, + write_ts, + command, + data_channel_orig_h, + data_channel_passive, + data_channel_resp_h, + arg, + data_channel_resp_p, + err, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + password, + reply_code, + reply_msg, + uid, + user, + mime_type, + file_size, + fuid, + EventVendor, + EventProduct, + EventType, + ts, + signature_id, + signature, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + sensor_name, + extract_user, + action, + object, + is_broadcast, + is_dest_internal_ip, + is_src_internal_ip + }; + corelight_ftp \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/corelight_http.yaml b/Solutions/Corelight/Parsers/corelight_http.yaml index f523ff62133..e7ee0c640f0 100644 --- a/Solutions/Corelight/Parsers/corelight_http.yaml +++ b/Solutions/Corelight/Parsers/corelight_http.yaml 
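Review bot: `summarize arg_max(TimeGenerated, *) by uid_s` near the top of the new query keeps one row per connection, but the ftp log emits one row per command on the same `uid`, so every command except the last is dropped from the parser output and from any detection built on `command`, `arg` or `reply_code`. If the intent is to dedupe repeated ingestion of the same event, summarizing by `uid_s, command_s, arg_s, TimeGenerated` (or not summarizing at all) keeps the per-command rows. The regex in `extract_user = extract("user/(?\\w+)", 1, user)` is not valid as shown — a `?` directly after `(` needs a group modifier such as `<name>` — so if a named group was lost in rendering confirm the committed text, otherwise use `extract("user/(\\w+)", 1, user)`. `action = case(signature_id<300, "Success", "Failure")` also labels rows with no reply code (null `signature_id`) as `"Failure"`; a leading `isnull(signature_id), "unknown"` arm avoids inflating failure counts.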
@@ -1,54 +1,199 @@ -id: adcfcc08-8c0a-50d3-aad2-9ed6b04f7b62 +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_http parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight HTTP Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_http FunctionAlias: corelight_http -FunctionQuery: |+ - let corelight_http = view () { - Corelight_v2_http_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - uid=uid_s, - id_orig_h=id_orig_h_s, - id_orig_p=id_orig_p_d, - id_resp_h=id_resp_h_s, - id_resp_p=id_resp_p_d, - trans_depth=trans_depth_d, - method=method_s, - host=host_s, - uri=uri_s, - referrer=referrer_s, - version=version_s, - user_agent=user_agent_s, - origin=origin_s, - request_body_len=request_body_len_d, - response_body_len=response_body_len_d, - status_code=status_code_d, - status_msg=status_msg_s, - info_code=info_code_d, - info_msg=info_msg_s, - tags=tags_s, - username=username_s, - password=password_s, - proxied=proxied_s, - orig_fuids=orig_fuids_s, - orig_filenames=orig_filenames_s, - orig_mime_types=orig_mime_types_s, - resp_fuids=resp_fuids_s, - resp_filenames=resp_filenames_s, - resp_mime_types=resp_mime_types_s, - post_body=post_body_s - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="http", - ts=TimeGenerated - }; - corelight_http - -... 
+FunctionQuery: | + let StatusLookup = datatable( + status: string, + action: string + )[ + "success","allowed", + "failure","blocked", + "200","success", + "204","success", + "206","success", + "207","success", + "301","success", + "302","success", + "303","success", + "304","success", + "307","success", + "400","failure", + "401","failure", + "403","failure", + "404","failure", + "408","failure", + "500","failure", + "503","failure", + "504","failure" + ]; + let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) []; + let corelight_http = view () { + union isfuzzy=true Corelight_v2_http_CL, Corelight_v2_http_red_CL, Corelight_v2_http2_CL, dummy_table + | summarize arg_max(TimeGenerated, *) by uid_s + | join kind=leftouter + ( corelight_conn + | project uid, local_orig, local_resp + ) on $left.uid_s == $right.uid + | project-away uid + | extend + path = column_ifexists("_path_s", ""), + system_name = column_ifexists("_system_name_s", ""), + write_ts = column_ifexists("_write_ts_t", ""), + host = column_ifexists("host_s", ""), + id_orig_h = column_ifexists("id_orig_h_s", ""), + id_orig_p = column_ifexists("id_orig_p_d", real(null)), + id_resp_h = column_ifexists("id_resp_h_s", ""), + id_resp_p = column_ifexists("id_resp_p_d", real(null)), + id_vlan = column_ifexists("id_vlan_d", real(null)), + method = column_ifexists("method_s", ""), + orig_fuids = column_ifexists("orig_fuids_s", ""), + post_body = column_ifexists("post_body_s", ""), + request_body_len = column_ifexists("request_body_len_d", real(null)), + resp_fuids = column_ifexists("resp_fuids_s", ""), + response_body_len = column_ifexists("response_body_len_d", real(null)), + status_code = column_ifexists("status_code_d", real(null)), + status_msg = column_ifexists("status_msg_s", ""), + tags = column_ifexists("tags_s", ""), + trans_depth = column_ifexists("trans_depth_d", real(null)), + uid = column_ifexists("uid_s", ""), + uri = column_ifexists("uri_s", ""), + version = 
column_ifexists("version_s", ""), + resp_filenames = column_ifexists("resp_filenames_s", ""), + user_agent = column_ifexists("user_agent_s", ""), + referrer = column_ifexists("referrer_s", ""), + origin = column_ifexists("origin_s", ""), + info_code = column_ifexists("info_code_d", real(null)), + info_msg = column_ifexists("info_msg_s", ""), + username = column_ifexists("username_s", ""), + passwd = column_ifexists("password_s", ""), + proxied = column_ifexists("proxied_s", ""), + orig_filenames = column_ifexists("orig_filenames_s", ""), + orig_mime_types = column_ifexists("orig_mime_types_s", ""), + resp_mime_types = column_ifexists("resp_mime_types_s", ""), + push = column_ifexists("push_b", ""), + encoding = column_ifexists("encoding_s", ""), + stream_id = column_ifexists("stream_id_d", real(null)) + | extend status_code = tostring(toint(status_code)) + | lookup StatusLookup on $left.status_code == $right.status + | extend + EventVendor = "Corelight", + EventProduct = "CorelightSensor", + EventType = "http", + ts = TimeGenerated, + dest_host = host, + src = id_orig_h, + src_ip = id_orig_h, + src_port = id_orig_p, + dest = id_resp_h, + dest_ip = id_resp_h, + dest_port = id_resp_p, + http_method = method, + bytes_in = request_body_len, + bytes_out = response_body_len, + status = status_code, + vendor_action = status_msg, + uri_path = uri, + object = resp_filenames, + http_user_agent = user_agent, + http_referrer = referrer, + http_content_type = orig_mime_types, + sensor_name = coalesce(system_name, "unknown"), + http_version = version, + http_username = username, + http_password = passwd, + http_encoding = encoding + | extend + http_user_agent_length = strlen(http_user_agent), + bytes = bytes_in + bytes_out, + is_broadcast =iff(src in("0.0.0.0", "255.255.255.255") or dest in("255.255.255.255", "0.0.0.0"),"true","false"), + is_dest_internal_ip = iff(local_resp == true, "true", "false"), + is_src_internal_ip = iff(local_orig == true, "true", "false"), + 
host_header=dest_host, + referrer_domain_domain=parse_url(referrer).Host, + referrer_domain_ip=strcat(parse_url(referrer).Host, ":", parse_url(referrer).Port) + | extend + url = strcat("http://",host_header,uri), + url_domain = host_header + | project + TimeGenerated, + path, + system_name, + write_ts, + host, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + id_vlan, + method, + orig_fuids, + post_body, + request_body_len, + resp_fuids, + response_body_len, + status_code, + status_msg, + tags, + trans_depth, + uid, + uri, + version, + resp_filenames, + user_agent, + referrer, + origin, + info_code, + info_msg, + username, + passwd, + proxied, + orig_filenames, + orig_mime_types, + resp_mime_types, + push, + encoding, + stream_id, + EventVendor, + EventProduct, + EventType, + ts, + dest_host, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + http_method, + bytes_in, + bytes_out, + status, + vendor_action, + uri_path, + object, + http_user_agent, + http_referrer, + http_content_type, + sensor_name, + http_version, + http_username, + http_password, + http_encoding, + http_user_agent_length, + bytes, + is_broadcast, + is_dest_internal_ip, + is_src_internal_ip, + host_header, + referrer_domain_domain, + referrer_domain_ip, + url, + url_domain, + action + }; + corelight_http \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/corelight_rdp.yaml b/Solutions/Corelight/Parsers/corelight_rdp.yaml index 0e87ac93060..674400c1405 100644 --- a/Solutions/Corelight/Parsers/corelight_rdp.yaml +++ b/Solutions/Corelight/Parsers/corelight_rdp.yaml 
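Review bot: `summarize arg_max(TimeGenerated, *) by uid_s` collapses all HTTP transactions on a connection to the most recent one, yet the hunk itself carries `trans_depth`, which exists because one `uid` holds many request/response pairs (and presumably many streams for the `Corelight_v2_http2_CL` rows), so requests other than the last on each connection never reach the parser output. If the summarize is there to dedupe the full and `_red` tables, keying on `uid_s, trans_depth_d` (plus `stream_id_d` where present) retains the transactions. `StatusLookup` is also incomplete: codes such as 201, 202, 405, 429 and 502 match no row and leave `action` null, and the first two rows (`"success","allowed"` / `"failure","blocked"`) can never match a numeric `status_code` string; a fallback after the lookup, `| extend action = coalesce(action, iff(toint(status_code) < 400, "success", "failure"))`, closes the gap. Finally `url = strcat("http://",host_header,uri)` hard-codes the scheme for every row, so the field should be documented as reconstructed rather than observed.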
@@ -1,51 +1,117 @@ -id: a4c5a7cc-6cf0-574a-af3b-b4636a240b79 +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_rdp parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight RDP Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_rdp FunctionAlias: corelight_rdp -FunctionQuery: |+ - let corelight_rdp = view () { - Corelight_v2_rdp_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - uid=uid_s, - id_orig_h=id_orig_h_s, - id_orig_p=id_orig_p_d, - id_resp_h=id_resp_h_s, - id_resp_p=id_resp_p_d, - cookie=cookie_s, - result=result_s, - security_protocol=security_protocol_s, - client_channels=client_channels_s, - keyboard_layout=keyboard_layout_s, - client_build=client_build_s, - client_name=client_name_s, - client_dig_product_id=client_dig_product_id_s, - desktop_width=desktop_width_d, - desktop_height=desktop_height_d, - requested_color_depth=requested_color_depth_s, - cert_type=cert_type_s, - cert_count=cert_count_d, - cert_permanent=cert_permanent_b, - encryption_level=encryption_level_s, - encryption_method=encryption_method_s, - auth_success=auth_success_b, - channels_joined=channels_joined_d, - inferences=inferences_s, - rdpeudp_uid=rdpeudp_uid_s, - rdfp_string=rdfp_string_s, - rdfp_hash=rdfp_hash_s - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="rdp", - ts=TimeGenerated - }; - corelight_rdp - -... 
+FunctionQuery: | + let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) []; + let corelight_rdp = view () { + union isfuzzy=true Corelight_v2_rdp_CL, dummy_table + | summarize arg_max(TimeGenerated, *) by uid_s + | join kind=leftouter + ( corelight_conn + | project uid, local_orig, local_resp + ) on $left.uid_s == $right.uid + | project-away uid + | extend + path = column_ifexists("_path_s", ""), + system_name = column_ifexists("_system_name_s", ""), + write_ts = column_ifexists("_write_ts_t", ""), + auth_success = column_ifexists("auth_success_b", ""), + cert_count = column_ifexists("cert_count_d", real(null)), + channels_joined = column_ifexists("channels_joined_d", real(null)), + cookie = column_ifexists("cookie_s", ""), + id_orig_h = column_ifexists("id_orig_h_s", ""), + id_orig_p = column_ifexists("id_orig_p_d", real(null)), + id_resp_h = column_ifexists("id_resp_h_s", ""), + id_resp_p = column_ifexists("id_resp_p_d", real(null)), + inferences = column_ifexists("inferences_s", ""), + result = column_ifexists("result_s", ""), + security_protocol = column_ifexists("security_protocol_s", ""), + uid = column_ifexists("uid_s", ""), + client_channels = column_ifexists("client_channels_s", ""), + keyboard_layout = column_ifexists("keyboard_layout_s", ""), + client_build = column_ifexists("client_build_s", ""), + client_name = column_ifexists("client_name_s", ""), + client_dig_product_id = column_ifexists("client_dig_product_id_s", ""), + desktop_width = column_ifexists("desktop_width_d", real(null)), + desktop_height = column_ifexists("desktop_height_d", real(null)), + requested_color_depth = column_ifexists("requested_color_depth_s", ""), + cert_type = column_ifexists("cert_type_s", ""), + cert_permanent = column_ifexists("cert_permanent_b", ""), + encryption_level = column_ifexists("encryption_level_s", ""), + encryption_method = column_ifexists("encryption_method_s", ""), + rdpeudp_uid = column_ifexists("rdpeudp_uid_s", ""), + rdfp_string = 
column_ifexists("rdfp_string_s", ""), + rdfp_hash = column_ifexists("rdfp_hash_s", "") + | extend + EventVendor = "Corelight", + EventProduct = "CorelightSensor", + EventType = "rdp", + ts = TimeGenerated, + src = id_orig_h, + src_ip = id_orig_h, + src_port = id_orig_p, + dest = id_resp_h, + dest_ip = id_resp_h, + dest_port = id_resp_p, + app = security_protocol, + sensor_name = coalesce(system_name, "unknown") + | extend + action = case(result == "Success", "success", result == "SSL_NOT_ALLOWED_BY_SERVER", "failure", auth_success == "true", "success", auth_success == "false", "failure", "unknown"), + is_broadcast =iff(src in("0.0.0.0", "255.255.255.255") or dest in("255.255.255.255", "0.0.0.0"),"true","false"), + is_dest_internal_ip = iff(local_resp == true, "true", "false"), + is_src_internal_ip = iff(local_orig == true, "true", "false") + | project + TimeGenerated, + path, + system_name, + write_ts, + auth_success, + cert_count, + channels_joined, + cookie, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + inferences, + result, + security_protocol, + uid, + client_channels, + keyboard_layout, + client_build, + client_name, + client_dig_product_id, + desktop_width, + desktop_height, + requested_color_depth, + cert_type, + cert_permanent, + encryption_level, + encryption_method, + rdpeudp_uid, + rdfp_string, + rdfp_hash, + EventVendor, + EventProduct, + EventType, + ts, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + app, + sensor_name, + action, + is_broadcast, + is_dest_internal_ip, + is_src_internal_ip + }; + corelight_rdp \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/corelight_ssh.yaml b/Solutions/Corelight/Parsers/corelight_ssh.yaml index dfc81c8408d..294a22944b3 100644 --- a/Solutions/Corelight/Parsers/corelight_ssh.yaml +++ b/Solutions/Corelight/Parsers/corelight_ssh.yaml 
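Review bot: `action = case(result == "Success", "success", result == "SSL_NOT_ALLOWED_BY_SERVER", "failure", auth_success == "true", "success", auth_success == "false", "failure", "unknown")` compares `auth_success` with string literals, but `auth_success = column_ifexists("auth_success_b", "")` is a bool column when it exists and a string only when it does not; depending on how Kusto resolves a bool-to-string comparison those arms either fail to bind or silently never match. Defaulting with `bool(null)` and testing `auth_success == true` / `auth_success == false` keeps the expression well-typed. The `action` vocabulary is lowercase here and in corelight_http but title-case (`"Success"`/`"Failure"`) in corelight_ftp and corelight_ssh; detections filtering on `action` need one spelling, so pick one across the batch.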
@@ -1,52 +1,162 @@ -id: ad1a5565-cc66-5ed2-bd32-85187d574bce +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_ssh parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight SSH Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_ssh FunctionAlias: corelight_ssh -FunctionQuery: |+ - let corelight_ssh = view () { - Corelight_v2_ssh_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - uid=uid_s, - id_orig_h=id_orig_h_s, - id_orig_p=id_orig_p_d, - id_resp_h=id_resp_h_s, - id_resp_p=id_resp_p_d, - version=version_d, - auth_success=auth_success_b, - auth_attempts=auth_attempts_d, - direction=direction_s, - client=client_s, - server=server_s, - cipher_alg=cipher_alg_s, - mac_alg=mac_alg_s, - compression_alg=compression_alg_s, - kex_alg=kex_alg_s, - host_key_alg=host_key_alg_s, - host_key=host_key_s, - remote_location_country_code=remote_location_country_code_s, - remote_location_region=remote_location_region_s, - remote_location_city=remote_location_city_s, - remote_location_latitude=remote_location_latitude_d, - remote_location_longitude=remote_location_longitude_d, - hasshVersion=hasshVersion_s, - cshka=cshka_s, - hasshAlgorithms=hasshAlgorithms_s, - sshka=sshka_s, - hasshServerAlgorithms=hasshServerAlgorithms_s, - inferences=inferences_s - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="ssh", - ts=TimeGenerated - }; - corelight_ssh - -... 
+FunctionQuery: | + let InferencesLookup = datatable( + InferenceName: string, + inferences: string, + Description: string + )[ + "Client Authentication Bypass Exploit","ABP","The client did not complete the SSH state machine for authentication and likely sent the server an exploit", + "Keystrokes","KS","Interactive session", + "Client Bruteforce Guessing","BF","The client failed to authenticate more than the configured threshold", + "Client Bruteforce Success","BFS","The client failed to authenticate more than the configured threshold but then successfully authenticated", + "Client Scanner Version","SV","This indicates a connection/scan attempt which terminated after server responded with version. nmap -p 22 localhost --script=ssh-hostkey", + "Client Scanner Capabilities","SC","This indicates a connection/scan attempt which terminated after server responded with capabilities. nmap -p 22 localhost --script=ssh2-enum-algos", + "Client Scanner Port","SP","Probes for SSH ports. nmap -p 22 -sV localhost", + "Client Scanner Authentication","SA","SSH clients which scanned the server for supported authentication methods. nmap -p 22 localhost --script=ssh-auth-methods", + "Small File Upload","SFU","This indicates a small file upload.", + "Small File Download","SFD","This indicates a small file download.", + "Large File Upload","LFU","This indicates a non interactive session where a file was possibly uploaded.", + "Large File Download","LFD","This indicates a non interactive session where a file was possibly downloaded.", + "Automated Password Authentication","APWA","The client auth'd with an automated password tool (like sshpass). This inference applies to only the auth type that succeeded. Before it, publickey or password authentication attempts could have occurred.", + "Interactive Password Authentication","IPWA","The client interactively typed their password to auth. The first authentication attempt which succeeded was interactive. 
This could mean that a tool such as winSCP was used to automatically authenticate but the tool was provided an incorrect password, prompted the user for a different password, and then the user authenticated.", + "Public Key Authentication","PKA","The client automatically auth'd using pubkey auth. This inference applies to only the auth type that succeeded. Before it, publickey or password authentication attempts could have occurred.", + "None Authentication","NA","The client successfully authenticated using the None method", + "Multifactor authentication","MFA","After a password or public key was accepted, the server required a second form of auth (a code) and the client successfully provided it", + "Unknown authentication","UA","We weren't able to determine the authentication method. Telemetry around these could be used to improve authentication inferences.", + "Automated interaction","AUTO","The client was a script or automated utility and not driven by a user", + "Server Banner","BAN","The server sent the client a pre-authentication banner, likely for legal reasons", + "Client trusted server","CTS","The client likely already had an entry in its known_hosts file for this server", + "Client untrusted server","CUS","The client likely did NOT already have an entry in its known_hosts file for this server", + "Reverse SSH Provisioned (ssh -R)","RSP","The client connected with a -R flag, which provisions the ports to be used for a Reverse Session to be set up at any point onwards. ssh -R 31337:localhost:22 user@192.168.20.33", + "Reverse SSH Initiated","RSI","The Reverse session is inititated from the server back to the Client. This initiation can be done at any stage during the session. 
From the Server, the attacker would initiate the Reverse session by e.g.ssh victim@localhost -p 31337", + "Reverse SSH Initiation Automated","RSIA","Indicates that the initiation of the Reverse session happened very early in the packet stream, indicating automation", + "Reverse SSH Logged in","RSL","The Reverse tunnel login login has succeeded, the attacker now has shell on the victim's device", + "Reverse SSH Keystrokes","RSK","Keystrokes are detected within the Reverse tunnel", + "No Remote Command (ssh -N)","NRC","The -N flag was used in the SSH session. This is used when no interactivity is required/desired and that only the ports necessary for tunelling are transmitted. If this inference is seen with any of the R* inferences, it would be extremely suspicious. e.g ssh -N -R 31337:localhost:22 attacker@192.168.20.12", + "SSH Agent Forwarding Requested","AFR","Agent forwarding was requested by the Client e.g ssh -A -i ~/.ssh/id_1_rsa user@192.168.20.33" + ]; + let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) []; + let corelight_ssh = view () { + union isfuzzy=true Corelight_v2_ssh_CL, dummy_table + | summarize arg_max(TimeGenerated, *) by uid_s + | join kind=leftouter + ( corelight_conn + | project uid, local_orig, local_resp + ) on $left.uid_s == $right.uid + |project-away uid + | extend + path = column_ifexists("_path_s", ""), + system_name = column_ifexists("_system_name_s", ""), + write_ts = column_ifexists("_write_ts_t", ""), + auth_attempts = column_ifexists("auth_attempts_d", real(null)), + auth_success = column_ifexists("auth_success_b", ""), + cipher_alg = column_ifexists("cipher_alg_s", ""), + client = column_ifexists("client_s", ""), + compression_alg = column_ifexists("compression_alg_s", ""), + cshka = column_ifexists("cshka_s", ""), + hassh = column_ifexists("hassh_s", ""), + hasshAlgorithms = column_ifexists("hasshAlgorithms_s", ""), + hasshServer = column_ifexists("hasshServer_s", ""), + hasshServerAlgorithms = 
column_ifexists("hasshServerAlgorithms_s", ""), + hasshVersion = column_ifexists("hasshVersion_s", ""), + host_key = column_ifexists("host_key_s", ""), + host_key_alg = column_ifexists("host_key_alg_s", ""), + id_orig_h = column_ifexists("id_orig_h_s", ""), + id_orig_p = column_ifexists("id_orig_p_d", real(null)), + id_resp_h = column_ifexists("id_resp_h_s", ""), + id_resp_p = column_ifexists("id_resp_p_d", real(null)), + inferences = column_ifexists("inferences_s", ""), + kex_alg = column_ifexists("kex_alg_s", ""), + mac_alg = column_ifexists("mac_alg_s", ""), + server = column_ifexists("server_s", ""), + sshka = column_ifexists("sshka_s", ""), + uid = column_ifexists("uid_s", ""), + version = column_ifexists("version_d", real(null)), + remote_location_country_code = column_ifexists("remote_location_country_code_s", ""), + remote_location_region = column_ifexists("remote_location_region_s", ""), + remote_location_city = column_ifexists("remote_location_city_s", ""), + remote_location_latitude = column_ifexists("remote_location_latitude_d", real(null)), + remote_location_longitude = column_ifexists("remote_location_longitude_d", real(null)), + direction = column_ifexists("direction_s", "") + | mv-expand todynamic(inferences) + | extend inferences_string = tostring(inferences) + | lookup kind=leftouter InferencesLookup on $left.inferences_string == $right.inferences + | summarize InferenceNames = make_list(InferenceName), Descriptions = make_list(Description), Inferences = make_list(inferences_string), arg_max(TimeGenerated, *) by uid + | extend + EventVendor ="Corelight", + EventProduct ="CorelightSensor", + EventType ="ssh", + ts = TimeGenerated, + src = id_orig_h, + src_ip = id_orig_h, + src_port = id_orig_p, + dest = id_resp_h, + dest_ip = id_resp_h, + dest_port = id_resp_p, + sensor_name = coalesce(system_name, "unknown"), + action = iff(auth_success == "true", "Success", "Failure") + | extend + is_broadcast =iff(src in("0.0.0.0", "255.255.255.255") or dest 
in("255.255.255.255", "0.0.0.0"), "true", "false"), + is_dest_internal_ip = iff(local_resp == true, "true", "false"), + is_src_internal_ip = iff(local_orig == true, "true", "false") + | project + TimeGenerated, + path, + system_name, + write_ts, + auth_attempts, + auth_success, + cipher_alg, + client, + compression_alg, + cshka, + hassh, + hasshAlgorithms, + hasshServer, + hasshServerAlgorithms, + hasshVersion, + host_key, + host_key_alg, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + Inferences, + kex_alg, + mac_alg, + server, + sshka, + uid, + version, + remote_location_country_code, + remote_location_region, + remote_location_city, + remote_location_latitude, + remote_location_longitude, + direction, + EventVendor, + EventProduct, + EventType, + ts, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + sensor_name, + action, + is_broadcast, + is_dest_internal_ip, + is_src_internal_ip, + InferenceNames, + Descriptions + }; + corelight_ssh \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/corelight_ssl.yaml b/Solutions/Corelight/Parsers/corelight_ssl.yaml index a06e4626766..7a76363228c 100644 --- a/Solutions/Corelight/Parsers/corelight_ssl.yaml +++ b/Solutions/Corelight/Parsers/corelight_ssl.yaml 
@@ -1,42 +1,128 @@ -id: b7ce3da1-d617-5bf7-ba51-b7e966bcde11 +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_ssl parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight SSL Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_ssl FunctionAlias: corelight_ssl -FunctionQuery: |+ - let corelight_ssl = view () { - Corelight_v2_ssl_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - uid=uid_s, - id_orig_h=id_orig_h_s, - id_orig_p=id_orig_p_d, - id_resp_h=id_resp_h_s, - id_resp_p=id_resp_p_d, - version=version_s, - cipher=cipher_s, - curve=curve_s, - server_name=server_name_s, - resumed=resumed_b, - last_alert=last_alert_s, - next_protocol=next_protocol_s, - established=established_b, - ssl_history=ssl_history_s, - cert_chain_fps=cert_chain_fps_s, - client_cert_chain_fps=client_cert_chain_fps_s, - sni_matches_cert=sni_matches_cert_b, - validation_status=validation_status_s - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="ssl", - ts=TimeGenerated - }; - corelight_ssl - -... 
+FunctionQuery: | + let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) []; + let corelight_ssl = view () { + union isfuzzy=true Corelight_v2_ssl_CL, + Corelight_v2_ssl_red_CL, dummy_table + | summarize arg_max(TimeGenerated, *) by uid_s + | join kind=leftouter + (corelight_conn + | project uid, local_orig, local_resp + ) on $left.uid_s == $right.uid + | project-away uid + | extend + path=column_ifexists("_path_s", ""), + system_name=column_ifexists("_system_name_s", ""), + write_ts=column_ifexists("_write_ts_t", ""), + cert_chain_fps=column_ifexists("cert_chain_fps_s", ""), + cipher=column_ifexists("cipher_s", ""), + client_cert_chain_fps=column_ifexists("client_cert_chain_fps_s", ""), + curve=column_ifexists("curve_s", ""), + established=column_ifexists("established_b", ""), + id_orig_h=column_ifexists("id_orig_h_s", ""), + id_orig_p=column_ifexists("id_orig_p_d", real(null)), + id_resp_h=column_ifexists("id_resp_h_s", ""), + id_resp_p=column_ifexists("id_resp_p_d", real(null)), + id_vlan=column_ifexists("id_vlan_d", real(null)), + ja3=column_ifexists("ja3_s", ""), + ja3s=column_ifexists("ja3s_s", ""), + resumed=column_ifexists("resumed_b", ""), + server_name=column_ifexists("server_name_s", ""), + sni_matches_cert=column_ifexists("sni_matches_cert_b", ""), + ssl_history=column_ifexists("ssl_history_s", ""), + uid=column_ifexists("uid_s", ""), + validation_status=column_ifexists("validation_status_s", ""), + version=column_ifexists("version_s", ""), + last_alert=column_ifexists("last_alert_s", ""), + next_protocol=column_ifexists("next_protocol_s", ""), + issuer=column_ifexists("issuer_s", ""), + subject=column_ifexists("subject_s", "") + | extend + EventVendor="Corelight", + EventProduct="CorelightSensor", + EventType="ssl", + ts = TimeGenerated, + src=id_orig_h, + src_ip=id_orig_h, + src_port=id_orig_p, + dest=id_resp_h, + dest_ip=id_resp_h, + dest_port=id_resp_p, + ssl_cipher=cipher, + ssl_curve=curve, + ssl_subject_common_name=server_name, + 
fingerprint=cert_chain_fps, + is_self_signed = iff(validation_status=="self signed certificate", "yes", "no"), + action = iff(established=="true","success","failure"), + sensor_name = coalesce(system_name, "unknown"), + signature=validation_status, + ssl_version = version, + ssl_issuer=issuer, + ssl_subject=subject + | extend + is_broadcast = iff(src in("0.0.0.0", "255.255.255.255") or dest in("255.255.255.255", "0.0.0.0"),"true","false"), + is_src_internal_ip = iff(local_orig == true, "true", "false"), + is_dest_internal_ip = iff(local_resp == true, "true", "false"), + ssl_issuer_common_name = extract('CN=(?[^,"]+)', 1, issuer), + ssl_issuer_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, issuer), + ssl_subject_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, subject) + | project + TimeGenerated, + path, + system_name, + write_ts, + uid, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + version, + cipher, + curve, + server_name, + resumed, + last_alert, + next_protocol, + established, + ssl_history, + cert_chain_fps, + client_cert_chain_fps, + sni_matches_cert, + validation_status, + ja3, + ja3s, + id_vlan, + EventVendor, + EventProduct, + EventType, + ts, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + ssl_cipher, + ssl_curve, + ssl_subject_common_name, + fingerprint, + is_self_signed, + action, + sensor_name, + signature, + ssl_version, + is_broadcast, + is_src_internal_ip, + is_dest_internal_ip, + ssl_issuer_common_name, + ssl_issuer_email_domain, + ssl_subject_email_domain + }; + corelight_ssl \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/corelight_vpn.yaml b/Solutions/Corelight/Parsers/corelight_vpn.yaml index c6540b50659..f3d537f9523 100644 --- a/Solutions/Corelight/Parsers/corelight_vpn.yaml +++ b/Solutions/Corelight/Parsers/corelight_vpn.yaml 
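Review bot: The new `id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f` at the top of this hunk is the same GUID that the corelight_vpn and corelight_x509 hunks below assign, so the three parser definitions are no longer uniquely identified, whereas the replaced ids (`b7ce3da1-…`, `248afb3d-…`, `db403e46-…`) were all distinct; give each file its own GUID, either by keeping its original id or generating a fresh one per parser. Separately, `is_self_signed = iff(validation_status=="self signed certificate", "yes", "no")` only matches that exact string, so if the sensor also reports the chain variant (`self signed certificate in certificate chain`) or a hyphenated spelling, those certificates are reported as `no`; a substring test such as `iff(validation_status contains "self signed" or validation_status contains "self-signed", "yes", "no")` would be more robust, though the exact strings the sensor emits should be confirmed first.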
@@ -1,46 +1,177 @@ -id: 248afb3d-8823-5834-a1b8-97ca829ae0f7 +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_vpn parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight VPN Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_vpn FunctionAlias: corelight_vpn -FunctionQuery: |+ - let corelight_vpn = view () { - Corelight_v2_vpn_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - uid=uid_s, - id_orig_h=id_orig_h_s, - id_orig_p=id_orig_p_d, - id_resp_h=id_resp_h_s, - id_resp_p=id_resp_p_d, - proto=proto_s, - vpn_type=vpn_type_s, - service=service_s, - inferences=inferences_s, - server_name=server_name_s, - client_info=client_info_s, - duration=duration_d, - orig_bytes=orig_bytes_d, - resp_bytes=resp_bytes_d, - orig_cc=orig_cc_s, - orig_region=orig_region_s, - orig_city=orig_city_s, - resp_cc=resp_cc_s, - resp_region=resp_region_s, - resp_city=resp_city_s, - subject=subject_s, - issuer=issuer_s - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="vpn", - ts=TimeGenerated - }; - corelight_vpn - -... 
+FunctionQuery: | + let VpnInferencesLookup = datatable( + Code: string, + Name: string, + Description: string + )[ + "ABP Authentication Bypass","N/A","A client wasn't adhering to expectations of SSH either through server exploit or by the client and server switching to a protocol other than SSH after encryption begins.", + "BF Brute Force Guessing","N/A","A client made a number of authentication attempts that exceeded some configured per-connection threshold.", + "BFS Brute Force Success","N/A","A client made a number of authentication attempts that exceeded some configured per-connection threshold.", + "SFD","Small Client File Download","A file transfer occurred in which the server sent a sequence of bytes to the client.", + "LFD","Large Client File Download","A file transfer occurred in which the server sent a sequence of bytes to the client. Large files are identified dynamically based on trains of MTU-sized packets.", + "SFU","Small Client File Upload","A file transfer occurred in which the client sent a sequence of bytes to the server.", + "LFU","Large Client File Upload","A file transfer occurred in which the client sent a sequence of bytes to the server. 
Large files are identified dynamically based on trains of MTU-sized packets.", + "KS","Keystrokes","An interactive session occurred in which the client set user-driven keystrokes to the server.", + "SC","Capabilities Scan- ning","A client exchanged capabilities with the server and then disconnected.", + "SP","Other Scanning","A client and server didn't exchange encrypted packets but the client wasn't a version or capabilities scanner.", + "SV","Version Scanning","A client exchanged version strings with the server and then disconnected.", + "SA Scanning","N/A","The client scanned authentication methods with the server and then disconnected.", + "APWA","Automated Password Authentication","The client authenticated with an automated password tool (like sshpass).", + "IPWA","Interactive Password Authentication","The client interactively typed their password to authenticate.", + "PKA","Public Key Authentication","The client automatically authenticated using pubkey authentication.", + "NA","None Authentication","The client successfully authenticated using the None method.", + "MFA","Multifactor authentication","The server required a second form of authentication (a code) after a password or public key was accepted and the client successfully provided it.", + "UA","Unknown authentication","The authentication method is not determined or is unknown.", + "AUTO","Automated interaction","The client is a script or automated utility and not driven by a user.", + "BAN","Server Banner","The server sent the client a pre-authentication banner likely for legal reasons.", + "CTS trusted server","N/A","The client already has an entry in its known_hosts file for this server.", + "CUS untrusted server","N/A","The client did not have an entry in its known_hosts file for this server.", + "RSP","Reverse SSH Provisioned","The client connected with a -R flag which provisions the ports to be used for a Reverse Session set up at any future time.", + "RSI","Reverse SSH Initiated","The Reverse 
session is initiated from the server back to the Client.", + "RSIA","Reverse SSH Initiation Automated","The initiation of the Reverse session happened very early in the packet stream indicating automation.", + "RSL","Reverse SSH Logged I'n","The Reverse tunnel login has succeeded.", + "RSK","Reverse SSH Keystrokes","Keystrokes are detected within the Reverse tunnel.", + "NRC","No Remote Com- mand","The -N flag was used in the SSH session.", + "AFR","SSH Agent For- warding Requested","Agent forwarding is requested by the Client.", + "FC","FreeRDP Driven Client","Indicates a CLI tool client (likely FreeRDP-based). This inference doesn't require that the client successfully authenticated to the server.", + "MSC","Metasploit Scanner Client","Indicates a Metasploit client.", + "HBC","THC-Hydra Bruteforce Client","Indicates a Hydra client.", + "CBC","Crowbar Bruteforce Client","Indicates a Crowbar client.", + "SLC","SharpRDP Lateral Movement Client","Indicates a SharpRDP client.", + "SOC","Scanner Other Client","Indicates that the client is likely a scanner or exploit tool that the package can't specifically identify (for example, rdpscan or impacket)." + "RCGA","Remote Credential Guard Authentication","Indicates that the client authenticated using Restricted Admin Mode.", + "RAMA","Restricted Admin Mode Authentication","Indicates a Metasploit client.", + "APWA","Automated NTLM Password Authentication","Indicates that the client authenticated using an NTLM password that was provided before the connection was initiated.", + "IPWA","Interactive NTLM Password Authentication","Indicates that the client authenticated using an NTLM password that was provided after the connection was initiated, suggesting a human-driven connection." + "SLH","Slow Handshake","Indicates that the handshake (RDPBCGR connection sequence) took an unusually long time to complete.", + "COM","N/A","Indicates the presence of a commercial VPN service (such as PrivateInternetAccess or NordVPN)." 
+ "NSP","N/A","Non Standard Port. FW - Using a port to subvert a firewall (i.e. 53/udp).", + "RW","N/A","Road warrior configuration detected (i.e. Cisco Anyconnect).", + "SK","N/A","Static Key", + "TLS","N/A","TLS Auth", + "FW","N/A","Indicates that the VPN might be trying to subvert network security by using a port that is usually allowed." + ]; + let dummy_table = datatable(TimeGenerated: datetime, uid_s: string) []; + let corelight_vpn = view () { + union isfuzzy=true Corelight_v2_vpn_CL, dummy_table + | summarize arg_max(TimeGenerated, *) by uid_s + | join kind=leftouter + ( corelight_conn + | project uid, local_orig, local_resp + ) on $left.uid_s == $right.uid + | project-away uid + | extend + path = column_ifexists("_path_s", ""), + system_name = column_ifexists("_system_name_s", ""), + write_ts = column_ifexists("_write_ts_t", ""), + client_info = column_ifexists("client_info_s", ""), + duration = column_ifexists("duration_d", real(null)), + id_orig_h = column_ifexists("id_orig_h_s", ""), + id_orig_p = column_ifexists("id_orig_p_d", real(null)), + id_resp_h = column_ifexists("id_resp_h_s", ""), + id_resp_p = column_ifexists("id_resp_p_d", real(null)), + inferences = column_ifexists("inferences_s", ""), + issuer = column_ifexists("issuer_s", ""), + ja3 = column_ifexists("ja3_s", ""), + ja3s = column_ifexists("ja3s_s", ""), + orig_bytes = column_ifexists("orig_bytes_d", real(null)), + orig_cc = column_ifexists("orig_cc_s", ""), + orig_city = column_ifexists("orig_city_s", ""), + orig_region = column_ifexists("orig_region_s", ""), + proto = column_ifexists("proto_s", ""), + resp_bytes = column_ifexists("resp_bytes_d", real(null)), + resp_cc = column_ifexists("resp_cc_s", ""), + resp_city = column_ifexists("resp_city_s", ""), + resp_region = column_ifexists("resp_region_s", ""), + server_name = column_ifexists("server_name_s", ""), + service = column_ifexists("service_s", ""), + subject = column_ifexists("subject_s", ""), + uid = column_ifexists("uid_s", ""), + 
vpn_type = column_ifexists("vpn_type_s", "") + | mv-expand todynamic(inferences) + | extend code_string = tostring(inferences) + | lookup kind=leftouter VpnInferencesLookup on $left.code_string == $right.Code + | summarize Inferences = make_list(code_string), Names = make_list(Name), Descriptions = make_list(Description), arg_max(TimeGenerated, *) by uid + | extend + EventVendor = "Corelight", + EventProduct = "CorelightSensor", + EventType = "vpn", + ts = TimeGenerated, + src = id_orig_h, + src_ip = id_orig_h, + src_port = id_orig_p, + dest = id_resp_h, + dest_ip = id_resp_h, + dest_port = id_resp_p, + bytes_out = orig_bytes, + transport = proto, + bytes_in = resp_bytes, + signature = vpn_type, + sensor_name = coalesce(system_name, "unknown") + | extend + bytes = bytes_in + bytes_out, + services = split(service, ','), + is_broadcast =iff(src in("0.0.0.0", "255.255.255.255") or dest in("255.255.255.255", "0.0.0.0"), "true", "false"), + is_dest_internal_ip = iff(local_resp == true, "true", "false"), + is_src_internal_ip = iff(local_orig == true, "true", "false") + | project + TimeGenerated, + path, + system_name, + write_ts, + client_info, + duration, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + Inferences, + issuer, + ja3, + ja3s, + orig_bytes, + orig_cc, + orig_city, + orig_region, + proto, + resp_bytes, + resp_cc, + resp_city, + resp_region, + server_name, + service, + subject, + uid, + vpn_type, + EventVendor, + EventProduct, + EventType, + ts, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + bytes_out, + transport, + bytes_in, + signature, + sensor_name, + bytes, + services, + is_broadcast, + is_dest_internal_ip, + is_src_internal_ip, + Names, + Descriptions + }; + corelight_vpn \ No newline at end of file diff --git a/Solutions/Corelight/Parsers/corelight_x509.yaml b/Solutions/Corelight/Parsers/corelight_x509.yaml index 48d0e4361bc..bca930541da 100644 --- a/Solutions/Corelight/Parsers/corelight_x509.yaml 
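Review bot: The `VpnInferencesLookup` datatable literal is missing a row separator in three places — after the `SOC` row (`…rdpscan or impacket)."` is followed directly by `"RCGA",…`), after the second `IPWA` row (`…human-driven connection."` then `"SLH",…`) and after the `COM` row (`…NordVPN)."` then `"NSP",…`) — so the function fails to parse and `corelight_vpn` returns a query error instead of rows; add `,` after each of those three closing quotes. Several rows also put the code and the name together in the `Code` column with `"N/A"` as `Name` (`"ABP Authentication Bypass"`, `"BF Brute Force Guessing"`, `"BFS Brute Force Success"`, `"SA Scanning"`, `"CTS trusted server"`, `"CUS untrusted server"`), so the `lookup … on $left.code_string == $right.Code` never matches those inferences; they should be split as `"ABP","Authentication Bypass","…"`. `APWA` and `IPWA` each appear twice (the SSH and NTLM variants), which makes the lookup emit two rows per matching inference and duplicates entries in `Inferences`, `Names` and `Descriptions` after the `summarize`. The names carrying copy artefacts (`Capabilities Scan- ning`, `No Remote Com- mand`, `SSH Agent For- warding Requested`, `Reverse SSH Logged I'n`) are surfaced verbatim in the `Names` column and should be cleaned up.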
+++ b/Solutions/Corelight/Parsers/corelight_x509.yaml 
@@ -1,45 +1,171 @@ -id: db403e46-8af0-55b0-9918-9196166ea280 +id: 974718ae-c0a5-4d4a-bb42-63a0f394d66f Function: - Title: corelight_x509 parser for Corelight - Version: 1.0.0 - LastUpdated: '2023-09-25' + Title: Corelight x509 Events + Version: '1.1.0' + LastUpdated: '2024-08-09' Category: Microsoft Sentinel Parser FunctionName: corelight_x509 FunctionAlias: corelight_x509 -FunctionQuery: |+ - let corelight_x509 = view () { - Corelight_v2_x509_CL - | project-rename - _path=_path_s, - _system_name=_system_name_s, - _write_ts=_write_ts_t, - fingerprint=fingerprint_s, - certificate_version=certificate_version_d, - certificate_serial=certificate_serial_s, - certificate_subject=certificate_subject_s, - certificate_issuer=certificate_issuer_s, - certificate_not_valid_before=certificate_not_valid_before_t, - certificate_not_valid_after=certificate_not_valid_after_t, - certificate_key_alg=certificate_key_alg_s, - certificate_sig_alg=certificate_sig_alg_s, - certificate_key_type=certificate_key_type_s, - certificate_key_length=certificate_key_length_d, - certificate_exponent=certificate_exponent_s, - certificate_curve=certificate_curve_s, - san_dns=san_dns_s, - san_uri=san_uri_s, - san_email=san_email_s, - san_ip=san_ip_s, - basic_constraints_ca=basic_constraints_ca_b, - basic_constraints_path_len=basic_constraints_path_len_d, - host_cert=host_cert_b, - client_cert=client_cert_b - | extend - EventVendor="Corelight", - EventProduct="CorelightSensor", - EventType="x509", - ts=TimeGenerated - }; - corelight_x509 - -... 
+FunctionQuery: | + let dummy_table = datatable(TimeGenerated: datetime) []; + let corelight_x509 = view () { + union isfuzzy=true Corelight_v2_x509_CL, Corelight_v2_x509_red_CL, dummy_table + | extend + path=column_ifexists("_path_s", ""), + system_name=column_ifexists("_system_name_s", ""), + write_ts=column_ifexists("_write_ts_t", ""), + fingerprint=column_ifexists("fingerprint_s", ""), + certificate_version=column_ifexists("certificate_version_d", real(null)), + certificate_serial=column_ifexists("certificate_serial_s", ""), + certificate_subject=column_ifexists("certificate_subject_s", ""), + certificate_issuer=column_ifexists("certificate_issuer_s", ""), + certificate_not_valid_before=column_ifexists("certificate_not_valid_before_t", ""), + certificate_not_valid_after=column_ifexists("certificate_not_valid_after_t", ""), + certificate_key_alg=column_ifexists("certificate_key_alg_s", ""), + certificate_sig_alg=column_ifexists("certificate_sig_alg_s", ""), + certificate_key_type=column_ifexists("certificate_key_type_s", ""), + certificate_key_length=column_ifexists("certificate_key_length_d", real(null)), + certificate_exponent=column_ifexists("certificate_exponent_s", ""), + certificate_curve=column_ifexists("certificate_curve_s", ""), + san_dns=column_ifexists("san_dns_s", ""), + san_uri=column_ifexists("san_uri_s", ""), + san_email=column_ifexists("san_email_s", ""), + san_ip=column_ifexists("san_ip_s", ""), + basic_constraints_ca=column_ifexists("basic_constraints_ca_b", ""), + basic_constraints_path_len=column_ifexists("basic_constraints_path_len_d", real(null)), + host_cert=column_ifexists("host_cert_b", ""), + client_cert=column_ifexists("client_cert_b", ""), + vlan=column_ifexists("vlan_d", real(null)), + id_orig_h=column_ifexists("id_orig_h_s", ""), + id_orig_p=column_ifexists("id_orig_p_d", real(null)), + id_resp_h=column_ifexists("id_resp_h_s", ""), + id_resp_p=column_ifexists("id_resp_p_d", real(null)) + | extend + EventVendor="Corelight", + 
EventProduct="CorelightSensor", + EventType="x509", + ssl_issuer=certificate_issuer, + ssl_publickey_algorithm=certificate_key_alg, + not_valid_after=certificate_not_valid_after, + ssl_end_time=certificate_not_valid_after, + ssl_start_time=certificate_not_valid_before, + ssl_serial=certificate_serial, + ssl_signature_algorithm=certificate_sig_alg, + ssl_subject=certificate_subject, + ssl_version=certificate_version, + ssl_hash = fingerprint, + ts=TimeGenerated, + sensor_name=coalesce(system_name, "unknown"), + src=id_orig_h, + src_ip=id_orig_h, + src_port=id_orig_p, + dest=id_resp_h, + dest_ip=id_resp_h, + dest_port=id_resp_p + | extend + days_to_expiry = datetime_diff('day', todatetime(not_valid_after), now()), + ssl_validity_window=datetime_diff('day', todatetime(ssl_end_time), todatetime(ssl_start_time)), + ssl_is_valid = iff(ts > todatetime(ssl_start_time) and ts < todatetime(ssl_end_time), "true", "false"), + ssl_issuer_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, ssl_issuer), + ssl_subject_email_domain = extract('emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)', 1, ssl_subject), + ssl_subject_common_name = extract('CN=(?[^,"]+)', 1, ssl_subject), + ssl_issuer_common_name=extract('CN=(?[^,"]+)', 1, ssl_issuer), + ssl_issuer_organization = extract('O=(?[^,]+)', 1, ssl_issuer), + ssl_issuer_unit = extract('OU=(?[^,]+)', 1, ssl_issuer), + ssl_issuer_locality = extract('L=(?[^,]+)', 1, ssl_issuer), + ssl_issuer_state = extract('ST=(?[^,]+)', 1, ssl_issuer), + ssl_issuer_country = extract('C=(?[^,]+)', 1, ssl_issuer), + ssl_subject_organization = extract('O=(?[^,]+)', 1, ssl_subject), + ssl_subject_unit = extract('OU=(?[^,]+)', 1, ssl_subject), + ssl_subject_locality = extract('L=(?[^,]+)', 1, ssl_subject), + ssl_subject_state = extract('ST=(?[^,]+)', 1, ssl_subject), + ssl_subject_country = extract('C=(?[^,]+)', 1, ssl_subject), + ssl_issuer_email = extract('emailAddress=(?[^,]+)', 1, ssl_issuer), + 
ssl_subject_email = extract('emailAddress=(?[^,]+)', 1, ssl_subject), + ssl_issuer_domain = extract('DC=(?[^,]+)', 1, ssl_issuer), + ssl_name = extract('title=(?[^,]+)', 1, ssl_issuer), + ssl_subject_domain = extract('DC=(?[^,]+)', 1, ssl_subject), + ssl_subject_name = extract('title=(?[^,]+)', 1, ssl_subject), + is_broadcast = iff(src in("0.0.0.0", "255.255.255.255") or dest in("255.255.255.255", "0.0.0.0"), "true", "false"), + is_src_internal_ip = iff(ipv4_is_in_any_range(src, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"), "true", "false"), + is_dest_internal_ip = iff(ipv4_is_in_any_range(dest, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"), "true", "false") + | project + TimeGenerated, + path, + system_name, + write_ts, + fingerprint, + certificate_version, + certificate_serial, + certificate_subject, + certificate_issuer, + certificate_not_valid_before, + certificate_not_valid_after, + certificate_key_alg, + certificate_sig_alg, + certificate_key_type, + certificate_key_length, + certificate_exponent, + certificate_curve, + san_dns, + san_uri, + san_email, + san_ip, + basic_constraints_ca, + basic_constraints_path_len, + host_cert, + client_cert, + vlan, + id_orig_h, + id_orig_p, + id_resp_h, + id_resp_p, + EventVendor, + EventProduct, + EventType, + ssl_issuer, + ssl_publickey_algorithm, + not_valid_after, + ssl_end_time, + ssl_start_time, + ssl_serial, + ssl_signature_algorithm, + ssl_subject, + ssl_version, + ssl_hash, + ts, + sensor_name, + src, + src_ip, + src_port, + dest, + dest_ip, + dest_port, + days_to_expiry, + ssl_validity_window, + ssl_is_valid, + ssl_issuer_email_domain, + ssl_subject_email_domain, + ssl_subject_common_name, + ssl_issuer_common_name, + ssl_issuer_organization, + ssl_issuer_unit, + ssl_issuer_locality, + ssl_issuer_state, + ssl_issuer_country, + ssl_subject_organization, + ssl_subject_unit, + ssl_subject_locality, + ssl_subject_state, + ssl_subject_country, + ssl_issuer_email, + ssl_subject_email, + ssl_issuer_domain, + 
ssl_name, + ssl_subject_domain, + ssl_subject_name, + is_broadcast, + is_src_internal_ip, + is_dest_internal_ip + }; + corelight_x509 \ No newline at end of file diff --git a/Solutions/Corelight/ReleaseNotes.md b/Solutions/Corelight/ReleaseNotes.md index 8524a49acac..049fb990bce 100644 --- a/Solutions/Corelight/ReleaseNotes.md +++ b/Solutions/Corelight/ReleaseNotes.md @@ -1,6 +1,7 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.2 | 03-05-2024 | Repacakged for parser issue fix while reinstallation | +| 3.1.0 | 27-09-2024 | Updated Parsers and added new tabs in Workbook. +| 3.0.2 | 31-01-2024 | Updated **Parser** Corelight
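Review bot: `ssl_issuer_country` and `ssl_subject_country` use `extract('C=(?[^,]+)', 1, …)`, which also matches the tail of a `DC=` component, so a DN such as `CN=x,DC=corp,DC=example,C=US` yields `corp` instead of `US`; anchor each attribute at a component start, e.g. `ssl_issuer_country = extract('(?:^|,)C=([^,]+)', 1, ssl_issuer)`, and apply the same anchoring to the other `X=` extracts in this hunk. The email-domain pattern `emailAddress=[0-9A-Za-z_]+@(?[0-9A-Za-z_]+.[0-9A-Za-z_]+)` (also used in the corelight_ssl hunk) rejects local parts and labels containing `.` or `-` and captures at most two labels with an unescaped `.`, so `ops@mail.example-corp.com` yields `mail.example`; `extract('emailAddress=[^,@]+@([^,]+)', 1, ssl_issuer)` captures the full domain. As rendered here the capture groups read `(?[^,]+)`, which RE2 should reject as invalid syntax — if a `<name>` was lost in rendering disregard that part, but a plain unnamed group works either way. Note also that `is_src_internal_ip`/`is_dest_internal_ip` here are computed from hard-coded RFC 1918 ranges while the ssl and vpn hunks derive them from `corelight_conn`'s `local_orig`/`local_resp`, so the same address can be classified differently across parsers.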
Updated tactics of **Hunting Query** Corelight - Repetitive DNS Failures | | 3.0.1 | 16-11-2023 | Updated package mainTemplate variables | | 3.0.0 | 20-09-2023 | Changed backend format to use separate tables with parsed values | | 2.0.0 | 10-06-2022 | Updated **Workbooks** | diff --git a/Solutions/Corelight/Workbooks/Corelight.json b/Solutions/Corelight/Workbooks/Corelight.json index b7b202724ce..e0d96b2c4ec 100644 --- a/Solutions/Corelight/Workbooks/Corelight.json +++ b/Solutions/Corelight/Workbooks/Corelight.json @@ -16,12 +16,11 @@ { "id": "c64d5d3d-90c6-484a-ab88-c70652b75b6e", "version": "KqlParameterItem/1.0", - "name": "TimeRange", + "name": "GlobalTimeRestriction", + "label": "Global Time Restriction", "type": 4, + "description": "Select Time Range", "isRequired": true, - "value": { - "durationMs": 86400000 - }, "typeSettings": { "selectableValues": [ { @@ -74,6 +73,9 @@ }, "timeContext": { "durationMs": 86400000 + }, + "value": { + "durationMs": 86400000 } }, { @@ -82,21 +84,23 @@ "name": "Sensor", "label": "Corelight Sensor", "type": 2, + "description": "Select Corelight Sensor", "isRequired": true, "multiSelect": true, "quote": "'", "delimiter": ",", - "query": "union corelight_conn, corelight_conn_red\n| distinct _system_name\n| sort by _system_name", + "query": "corelight_conn\n| distinct sensor_name\n| sort by sensor_name", "typeSettings": { "additionalResourceOptions": [ "value::all" ], + "selectAllValue": "*", "showDefault": false }, "timeContext": { - "durationMs": 86400000 + "durationMs": 0 }, - "timeContextFromParameter": "TimeRange", + "timeContextFromParameter": "GlobalTimeRestriction", "defaultValue": "value::all", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
@@ -116,1055 +120,4595 @@ "content": { "version": "LinkItem/1.0", "style": "tabs", + "tabStyle": "bigger", "links": [ { - "id": "d723eef6-b3f0-40be-9a56-125421b32619", - "cellValue": "Tab", - "linkTarget": "parameter", - "linkLabel": "Corelight Main Dashboard", - "subTarget": "corelight_main_dashboard", - "style": "link" - }, - { - "id": "5736d4f4-bd4c-4a49-bea7-00da2bbc7fd9", - "cellValue": "Tab", - "linkTarget": "parameter", - "linkLabel": "Corelight Connections", - "subTarget": "corelight_connections", - "style": "link" - }, - { - "id": "5336f601-4da3-4da0-8196-332a97636047", - "cellValue": "Tab", + "id": "2e4f43b5-1def-42b3-bee5-d84912ae6115", + "cellValue": "dashboard", "linkTarget": "parameter", - "linkLabel": "Corelight DNS", - "subTarget": "corelight_dns", + "linkLabel": "Data Explorer", + "subTarget": "DataExplorer", + "preText": "Data Explorer", "style": "link" }, { - "id": "b0e6ac55-179e-4fb5-80ff-ec84edb35324", - "cellValue": "Tab", + "id": "0b72c376-8bd9-4896-a3b3-8994f028e1b4", + "cellValue": "dashboard", "linkTarget": "parameter", - "linkLabel": "Corelight HTTP", - "subTarget": "corelight_http", + "linkLabel": "Security Workflows", + "subTarget": "SecurityWorkflows", "style": "link" } ] }, - "name": "links - 24" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "title": "Corelight Main Dashboard", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union Corelight_v2_*_CL\n| where \"(all values)\" == \"{Sensor}\" or _system_name_s in ({Sensor})\n| where TimeGenerated {TimeRange}\n|make-series Trend = count() on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by _path_s;", - "size": 0, - "showAnalytics": true, - "title": "Sensor Events Timechart", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart" - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Tab", 
- "comparison": "isEqualTo", - "value": "corelight_main_dashboard" - }, - "name": "Sensor Events Timechart" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union Corelight_v2_*_CL\n| where \"(all values)\" == \"{Sensor}\" or _system_name_s in ({Sensor})\n| where TimeGenerated {TimeRange}\n| summarize Count=count() by _path_s | sort by Count desc", - "size": 0, - "showAnalytics": true, - "title": "Sensor Events Count", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "categoricalbar" - }, - "customWidth": "50", - "conditionalVisibility": { - "parameterName": "Tab", - "comparison": "isEqualTo", - "value": "corelight_main_dashboard" - }, - "name": "Sensor Events Count" - } - ] - }, - "conditionalVisibility": { - "parameterName": "Tab", - "comparison": "isEqualTo", - "value": "corelight_main_dashboard" - }, - "name": "corelight_main_dashboard_group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "title": "Events", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "(corelight_notice\r\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\r\n//| where note != \"LongConnection::found\" and note != \"SSL::Invalid_Server_Cert\"\r\n//| project-rename Alert = note \r\n| union corelight_suricata_corelight)\r\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\r\n//| where alert_category != \"Not Suspicious Traffic\" and alert_category != \"Attempted Information Leak\" and alert_category != \"Potentially Bad Traffic\"\r\n//| where _path_s == \"notice\"\r\n//| project-rename Alert = alert_category\r\n| extend Category = coalesce(note, alert_category), Alert = coalesce(msg, alert_signature), Severity=coalesce(severity_level, alert_severity, 7.), Type = _path\r\n| extend PartitionKey = case(_path == \"suricata_corelight\", Alert, 
Category)\r\n| where (isnotempty(uid) or isnotempty(community_id))\r\n| partition hint.strategy=native by PartitionKey\r\n(\r\n top 10 by TimeGenerated\r\n)\r\n| order by Severity asc, TimeGenerated\r\n\r\n// hack to hide empty columns\r\n| evaluate narrow()\r\n| where isnotempty(Value) and Value != \"##(null)\" or Column == \"_system_name_s\"\r\n| evaluate pivot(Column, any(Value), Row)\r\n\r\n| project-reorder TimeGenerated, Type, Category, Alert, Severity, uid, id_orig_h, id_resp_h, id_resp_p\r\n", - "size": 0, - "showAnalytics": true, - "title": "Recent Events Summary (10 most recent per message type)", - "timeContextFromParameter": "TimeRange", - "exportFieldName": "uid", - "exportParameterName": "Selected_uid", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "events_summary_recent" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union Corelight_v2_*_CL\r\n| where \"(all values)\" == \"{Sensor}\" or _system_name_s in ({Sensor})\r\n| where (isnotempty(\"{Selected_uid}\") and (uid_s == \"{Selected_uid}\" or conn_uids_s contains_cs \"{Selected_uid}\"))\r\n| top 300 by TimeGenerated\r\n// hack to hide empty columns\r\n| evaluate narrow()\r\n| where isnotempty(Value) and Value != \"##(null)\" or Column == \"_system_name_s\"\r\n| evaluate pivot(Column, any(Value), Row)\r\n| project-reorder TimeGenerated, _path_s, id_orig_h_s, id_resp_h_s, id_resp_p_d, _system_name_s\r\n| project-away Row", - "size": 0, - "showAnalytics": true, - "title": "Related paths (select in Events Summary)", - "timeContextFromParameter": "TimeRange", - "exportFieldName": "_path_s", - "exportParameterName": "Selected_path", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "labelSettings": [ - { - "columnId": "_path_s", - "label": "Path" - } - ] - } - }, - "name": "events_related_entries" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": 
"corelight_suricata_corelight\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| summarize alert_count=count() by source_ip=id_orig_h, alert_signature, severity=alert_severity\n| top 10 by alert_count\n", - "size": 0, - "showAnalytics": true, - "title": "Suricata Top Alerts by Source", - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "50", - "name": "events_suricata_most_hits_src" - } - ] - }, - "conditionalVisibility": { - "parameterName": "Tab", - "comparison": "isEqualTo", - "value": "corelight_main_dashboard" - }, - "name": "tme_events" + "name": "links - 14" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Corelight Connections", "items": [ { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where local_resp == true and (proto == \"tcp\" or (proto == \"udp\" and orig_bytes > 0 and resp_bytes > 0))\n| where conn_state != \"S0\"\n| summarize count() by id_resp_h, id_resp_p, service\n| summarize Count=count() by service\n| top 20 by Count\n", - "size": 3, - "showAnalytics": true, - "title": "Local Hosts Seen Offering Services", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart" - }, - "customWidth": "50", - "name": "local_host_offering_services" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where proto==\"tcp\" or (proto==\"udp\" and orig_pkts>0 and resp_pkts>0)\n| where conn_state != \"S0\"\n| where local_resp==true\n| summarize Count=count() by portproto=strcat(tostring(toint(id_resp_p)), \"/\", proto)\n| top 15 
by Count", - "size": 3, - "showAnalytics": true, - "title": "Top Responder Ports", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart" - }, - "customWidth": "50", - "name": "top_responder_ports" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where local_orig == false and local_resp == true\n| where proto==\"tcp\" or (proto==\"udp\" and orig_pkts>0 and resp_pkts>0)\n| where conn_state!=\"S0\"\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes) by id_orig_h, service\n| extend orig_data = format_bytes(orig_bytes_sum, 2)\n| order by orig_bytes_sum desc\n| top 20 by orig_bytes_sum desc\n| project-away orig_bytes_sum\n", - "size": 0, - "showAnalytics": true, - "title": "Top Inbound Data Flows by Originator", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "33", - "name": "top_inbound_by_orig" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where proto == \"tcp\" or (proto == \"udp\" and orig_pkts>0 and resp_pkts>0)\n| where local_orig==true and local_resp==false\n| where conn_state != \"S0\"\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes) by id_orig_h, service\n| extend orig_data = format_bytes(orig_bytes_sum, 2)\n| order by orig_bytes_sum desc\n| project-away orig_bytes_sum", - "size": 0, - "showAnalytics": true, - "title": "Top Outbound Data Flows by Originator", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "33", - "name": "top_outbound_bytes" - }, - { - 
"type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where conn_state==\"S0\"\n| summarize Count=count() by id_orig_h, id_resp_p, service\n| order by Count desc", - "size": 0, - "showAnalytics": true, - "title": "Hosts Generating S0 (possible scan) Traffic", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "33", - "name": "possible_scan_connections" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where proto==\"tcp\" or (proto==\"udp\" and orig_pkts>0 and resp_pkts>0)\n| where conn_state != \"S0\"\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes), resp_bytes_sum=sum(resp_bytes) by id_orig_h, id_resp_h, id_resp_p, proto\n| extend total_bytes_sum = orig_bytes_sum + resp_bytes_sum\n| extend total_data = format_bytes(total_bytes_sum, 2)\n| top 20 by total_bytes_sum desc", - "size": 0, - "showAnalytics": true, - "title": "Largest transfers between host/port pairs", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "largest_transfers_by_host_port" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where local_resp == true and conn_state == \"S0\"\n| summarize Count=count() by id_resp_h, id_resp_p, service\n| top 30 by Count", - "size": 0, - "showAnalytics": true, - "title": "Possible Down Services", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "25", - "name": 
"possible_down_services" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| summarize Count=count() by history\n| top 20 by Count", - "size": 0, - "showAnalytics": true, - "title": "Monitor Health Asymmetry (All UPPER or lower is bad)", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "25", - "name": "monitor_health_asymmetry" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where local_orig == false and local_resp == false\n| summarize Count=count() by id_orig_h, id_resp_h, id_resp_p, service\n| top 20 by Count", - "size": 0, - "showAnalytics": true, - "title": "Remote to Remote Connections", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "50", - "name": "remote_to_remote_connections" - }, - { - "type": 3, + "type": 11, "content": { - "version": "KqlItem/1.0", - "query": "corelight_notice\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where note == \"LongConnection::found\"\n| summarize Count=count(1), arg_max(TimeGenerated, id_orig_h, id_resp_h, id_resp_p, sub, msg) by uid\n| extend seconds=sub\n| top 20 by seconds desc\n", - "size": 0, - "showAnalytics": true, - "title": "Longest Lived Connections, (May have already closed)", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "d723eef6-b3f0-40be-9a56-125421b32619", + "cellValue": "Tab", + "linkTarget": "parameter", + "linkLabel": "Corelight Main Dashboard", + "subTarget": 
"corelight_main_dashboard", + "style": "link" + }, + { + "id": "5736d4f4-bd4c-4a49-bea7-00da2bbc7fd9", + "cellValue": "Tab", + "linkTarget": "parameter", + "linkLabel": "Corelight Connections", + "subTarget": "corelight_connections", + "style": "link" + }, + { + "id": "5336f601-4da3-4da0-8196-332a97636047", + "cellValue": "Tab", + "linkTarget": "parameter", + "linkLabel": "Corelight DNS", + "subTarget": "corelight_dns", + "style": "link" + }, + { + "id": "b0e6ac55-179e-4fb5-80ff-ec84edb35324", + "cellValue": "Tab", + "linkTarget": "parameter", + "linkLabel": "Corelight HTTP", + "subTarget": "corelight_http", + "style": "link" + } + ] }, - "name": "longest_lived_connections" + "name": "links - 24" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", + "title": "Corelight Main Dashboard", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where TimeGenerated {TimeRange}\n//| where EventType startswith \"conn\"\n| where isnotempty(service)\n| summarize count() by tostring(service) | take 10", - "size": 3, - "title": "Top Services", - "timeContextFromParameter": "TimeRange", + "query": "union Corelight_v2_*_CL\n| where ('*' in ({Sensor}) or _system_name_s in ({Sensor}))\n| where TimeGenerated {GlobalTimeRestriction}\n|make-series Trend = count() on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step {GlobalTimeRestriction:grain} by _path_s;", + "size": 0, + "showAnalytics": true, + "title": "Sensor Events Timechart", + "noDataMessage": "No data found.", + "showRefreshButton": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart", - "chartSettings": { - "showMetrics": false, - "showLegend": true, - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true - } - } - } - } + "visualization": "areachart" }, "customWidth": "50", 
- "name": "Top Services" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n| where TimeGenerated {TimeRange}\n//| where EventType startswith \"conn\"\n| where isnotempty(id_resp_p)\n| extend dstprt = tostring(toint(id_resp_p))\n| summarize Count=count() by dstprt | sort by Count desc |take 10", - "size": 3, - "title": "Top Responder Ports", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart", - "chartSettings": { - "showMetrics": false, - "showLegend": true, - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true - } - } - } - } + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "corelight_main_dashboard" }, - "customWidth": "50", - "name": "Top Responder Ports" + "name": "Sensor Events Timechart" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n//| where TimeGenerated {TimeRange}\n//| where EventType startswith \"conn\"\n//| extend NetworkDirection = case(LocalOrig == true,\"outbound\", LocalOrig == false, \"inbound\",'')\n| where local_orig == true and local_resp == false\n//| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\n| extend bytes = toint(orig_bytes_d) + toint(resp_bytes_d)\n| summarize Bytes=sum(bytes) by id_orig_h, id_resp_h, proto | sort by Bytes desc | take 15", + "query": "union Corelight_v2_*_CL\n| where ('*' in ({Sensor}) or _system_name_s in ({Sensor}))\n| where TimeGenerated {GlobalTimeRestriction}\n| summarize Count=count() by _path_s | sort by Count desc", "size": 0, - "title": "Top Outbound Data Flows by Originator Bytes", - "timeContextFromParameter": "TimeRange", + "showAnalytics": true, + "title": "Sensor Events Count", + "noDataMessage": "No data 
found.", + "showRefreshButton": true, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" }, "customWidth": "50", - "name": "Top Outbound Data Flows by Originator Bytes" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n//| where TimeGenerated {TimeRange}\n//| where EventType startswith \"conn\"\n//| extend NetworkDirection = case(LocalOrig == true,\"outbound\", LocalOrig == false, \"inbound\",'')\n| where local_orig == false and local_resp == true\n//| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\n| extend bytes = toint(orig_bytes_d) + toint(resp_bytes_d)\n| summarize Bytes=sum(bytes) by id_orig_h, id_resp_h, proto | sort by Bytes desc | take 15", - "size": 0, - "title": "Top Inbound Data Flows by Originator Bytes", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "corelight_main_dashboard" }, - "customWidth": "50", - "name": "Top Inbound Data Flows by Originator Bytes - Copy" - }, + "name": "Sensor Events Count" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "corelight_main_dashboard" + }, + "name": "corelight_main_dashboard_group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Events", + "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n//| where EventType startswith \"conn\"\n| where TimeGenerated {TimeRange} \n| summarize Count=count() by id_orig_h | sort by Count", - "size": 3, - "title": "Top Originators (sources) by # of connections", - 
"timeContextFromParameter": "TimeRange", + "query": "let QueryResults = ((corelight_notice\r\n| where ('*' in ({Sensor}) or _system_name in ({Sensor}))\r\n//| where note != \"LongConnection::found\" and note != \"SSL::Invalid_Server_Cert\"\r\n//| project-rename Alert = note \r\n| union corelight_suricata_corelight)\r\n| where ('*' in ({Sensor}) or _system_name in ({Sensor}))\r\n//| where alert_category != \"Not Suspicious Traffic\" and alert_category != \"Attempted Information Leak\" and alert_category != \"Potentially Bad Traffic\"\r\n//| where _path_s == \"notice\"\r\n//| project-rename Alert = alert_category\r\n| extend\r\n Category = coalesce(note, alert_category),\r\n Alert = coalesce(msg, alert_signature),\r\n Severity=coalesce(severity_level, alert_severity, 7.),\r\n Type = _path\r\n| extend PartitionKey = case(_path == \"suricata_corelight\", Alert, Category)\r\n| where (isnotempty(uid) or isnotempty(community_id))\r\n| partition hint.strategy=native by PartitionKey\r\n (\r\n top 10 by TimeGenerated\r\n )\r\n| order by Severity asc, TimeGenerated\r\n// hack to hide empty columns\r\n| evaluate narrow()\r\n| where isnotempty(Value) and Value != \"##(null)\" or Column == \"_system_name_s\"\r\n| evaluate pivot(Column, any(Value), Row)\r\n);\r\nlet QueryCount=QueryResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = datatable(TimeGenerated: string , Type: string , Category: string, Alert: string, Severity: string, uid: string, id_orig_h: string, id_resp_h: string, id_resp_p: string )[];\r\nunion isfuzzy=true\r\n(QueryResults| where toscalar(QueryCount) != 0),\r\n(NoResults| where toscalar(QueryCount) == 0)\r\n| project-reorder\r\n TimeGenerated,\r\n Type,\r\n Category,\r\n Alert,\r\n Severity,\r\n uid,\r\n id_orig_h,\r\n id_resp_h,\r\n id_resp_p", + "size": 0, + "showAnalytics": true, + "title": "Recent Events Summary (10 most recent per message type)", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", 
+ "showRefreshButton": true, + "exportFieldName": "uid", + "exportParameterName": "Selected_uid", + "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart" + "gridSettings": { + "rowLimit": 10000, + "filter": true + } }, - "customWidth": "50", - "name": "Top Originators (sources) by # of connections" + "name": "events_summary_recent" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n//| where EventType startswith \"conn\"\n| where TimeGenerated {TimeRange} \n| summarize Count=count() by id_resp_h | sort by Count", - "size": 3, - "title": "Top Responders (destinations) by # of connections", - "timeContextFromParameter": "TimeRange", + "query": "union Corelight_v2_*_CL\r\n| where ('*' in ({Sensor}) or _system_name_s in ({Sensor}))\r\n| where (isnotempty(\"{Selected_uid}\") and (uid_s == \"{Selected_uid}\" or conn_uids_s contains_cs \"{Selected_uid}\"))\r\n| top 300 by TimeGenerated\r\n// hack to hide empty columns\r\n| evaluate narrow()\r\n| where isnotempty(Value) and Value != \"##(null)\" or Column == \"_system_name_s\"\r\n| evaluate pivot(Column, any(Value), Row)\r\n| project-reorder TimeGenerated, _path_s, id_orig_h_s, id_resp_h_s, id_resp_p_d, _system_name_s\r\n| project-away Row", + "size": 0, + "showAnalytics": true, + "title": "Related paths (select in Events Summary)", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "exportFieldName": "_path_s", + "exportParameterName": "Selected_path", + "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart" + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "labelSettings": [ + { + "columnId": "_path_s", + "label": "Path" + } + ] + } }, - "customWidth": "50", - "name": "Top Responders (destinations) by # of connections - Copy" + 
"name": "events_related_entries" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "union corelight_conn, corelight_conn_red\n//| where EventType startswith \"conn\"\n| where TimeGenerated {TimeRange}\n| where isnotempty(id_orig_h) and isnotempty(id_resp_h) and isnotempty(service) and isnotempty(id_orig_p) and isnotempty(id_resp_p)\n| summarize Duration=avg(toint(duration)), make_list(id_orig_h), make_list(id_resp_h), make_list(proto) by uid | sort by Duration desc | take 50", + "query": "corelight_suricata_corelight\r\n| where ('*' in ({Sensor}) or _system_name in ({Sensor}))\r\n| summarize alert_count=count() by source_ip=id_orig_h, alert_signature, severity=alert_severity\r\n| top 10 by alert_count\r\n", "size": 0, - "title": "Open/Active Long Lived Connections (requires Long Connections Pkg)", - "timeContextFromParameter": "TimeRange", + "showAnalytics": true, + "title": "Suricata Top Alerts by Source", + "noDataMessage": "No data found.", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "sortBy": [] + "gridSettings": { + "rowLimit": 10000, + "filter": true + } }, "customWidth": "50", - "name": "Open/Active Long Lived Connections (requires Long Connections Pkg)" + "name": "events_suricata_most_hits_src" } ] }, "conditionalVisibility": { "parameterName": "Tab", "comparison": "isEqualTo", - "value": "deprecated" - }, - "name": "deprecated_conn" - } - ] - }, - "conditionalVisibility": { - "parameterName": "Tab", - "comparison": "isEqualTo", - "value": "corelight_connections" - }, - "name": "corelight_connections_group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "title": "Corelight DNS", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_dns, corelight_dns_red\n| where \"(all values)\" == \"{Sensor}\" or 
_system_name in ({Sensor})\n//| where is_broadcast_b!=true\n| summarize Count=count() by qtype_name\n| top 10 by Count", - "size": 3, - "showAnalytics": true, - "title": "Top Query Types", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart" - }, - "customWidth": "33", - "name": "dns_top_query_types" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_dns, corelight_dns_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where (rcode_name==\"NXDOMAIN\" or rcode==3) and qtype_name != \"PTR\"\n| summarize Count=count() by qtype_name\n| top 20 by Count", - "size": 3, - "showAnalytics": true, - "title": "No response DNS query by type", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart" - }, - "customWidth": "33", - "name": "dns_nx_by_type" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_dns, corelight_dns_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where id_resp_p == 53 and (rcode_name == \"NXDOMAIN\" or rcode == 3) and qtype_name != \"PTR\"\n| summarize Count=count() by query\n| top 100 by Count", - "size": 0, - "showAnalytics": true, - "title": "Top Queries by Count to Non-Existent Domains", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "33", - "name": "dns_top_nxdomain_by_count" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_dns, corelight_dns_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where id_resp_p == 53\n| summarize Count=count() by id_orig_h\n| top 20 by Count", - "size": 0, - "showAnalytics": true, - "title": "Top Originators by Count", - 
"timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "25", - "name": "dns_top_originators" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_dns, corelight_dns_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where id_resp_p == 53 and qtype_name != \"ptr\"\n| summarize Count=count() by query\n| top 100 by Count", - "size": 0, - "showAnalytics": true, - "title": "Top Queries by Count", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "33", - "name": "dns_top_queries_by_count" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_dns, corelight_dns_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where id_resp_p==53 and qtype_name==\"PTR\" and (rcode_name==\"NOERROR\" or rcode==0)\n| summarize Count=count() by query\n| top 100 by Count", - "size": 0, - "showAnalytics": true, - "title": "Top Successful Reverse Queries by Count", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "33", - "name": "dns_top_ptr_by_count" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_dns, corelight_dns_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where id_resp_p == 53 and (rcode_name == \"NXDOMAIN\" or rcode == 3) and qtype_name != \"PTR\"\n| summarize Count=count() by id_orig_h\n| top 20 by Count\n", - "size": 0, - "showAnalytics": true, - "title": "Top Host querying Non-Existent Domains", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "customWidth": "25", - "name": "dns_top_hosts_querying_nxdomain" - }, - { - "type": 
3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_dns, corelight_dns_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where id_resp_p == 53 and qtype_name == \"PTR\" and (rcode_name == \"NXDOMAIN\" or rcode == 3)\n| summarize Count=count() by query\n| top 100 by Count", - "size": 0, - "showAnalytics": true, - "title": "Top Reverse Queries by Count to Non-Existent Domains", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "value": "corelight_main_dashboard" }, - "customWidth": "33", - "name": "dns_top_ptr_nxdomain" + "name": "tme_events" }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "union corelight_dns, corelight_dns_red\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| extend query_length = string_size(query)\n| summarize Count=count() by id_orig_h, query_length, query\n| order by query_length desc", - "size": 0, - "showAnalytics": true, - "title": "DNS by Query Length", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "dns_by_query_length" - } - ] - }, - "conditionalVisibility": { - "parameterName": "Tab", - "comparison": "isEqualTo", - "value": "corelight_dns" - }, - "name": "corelight_dns_group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "title": "Corelight Files", - "items": [ { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Deprecated files queries", + "title": "Corelight Connections", "items": [ { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "corelight_files\n| where TimeGenerated {TimeRange}\n//| where EventType startswith \"files\"\n| where isnotempty(mime_type)\n| where mime_type != \"application/pkix-cert\"\n| summarize Count=count() by mime_type | sort by Count desc | 
take 20\n", - "size": 0, - "title": "Top 20 Mime Types by File Count", - "timeContextFromParameter": "TimeRange", + "query": "corelight_conn\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where local_resp == true and (proto == \"tcp\" or (proto == \"udp\" and orig_bytes > 0 and resp_bytes > 0))\n| where conn_state != \"S0\"\n| summarize count() by id_resp_h, id_resp_p, service\n| summarize Count=count() by service\n| top 20 by Count\n", + "size": 3, + "showAnalytics": true, + "title": "Local Hosts Seen Offering Services", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "categoricalbar" + "visualization": "piechart" }, - "name": "Top 20 Mime Types by File Count" + "customWidth": "50", + "name": "local_host_offering_services" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "corelight_files\n| where TimeGenerated {TimeRange}\n//| where EventType startswith \"files\"\n| where isnotempty(mime_type)\n| where mime_type != \"application/pkix-cert\"\n| summarize [\"File Count\"]=count() by source | sort by [\"File Count\"] desc | take 15\n", - "size": 0, - "title": "Top File Protocols by File Count", - "timeContextFromParameter": "TimeRange", + "query": "corelight_conn\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where proto==\"tcp\" or (proto==\"udp\" and orig_pkts>0 and resp_pkts>0)\n| where conn_state != \"S0\"\n| where local_resp==true\n| summarize Count=count() by portproto=strcat(tostring(toint(id_resp_p)), \"/\", proto)\n| top 15 by Count", + "size": 3, + "showAnalytics": true, + "title": "Top Responder Ports", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "categoricalbar" + 
"visualization": "piechart" }, - "name": "Top File Protocols by File Count" + "customWidth": "50", + "name": "top_responder_ports" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "corelight_files\n//| where EventType startswith \"files\"\n| where isnotempty(mime_type)\n| where mime_type != \"application/pkix-cert\"\n| extend NetworkDirection = case(local_orig == \"true\", \"outbound\", local_orig == \"false\", \"inbound\", \"\" )\n|make-series [\"Files Sent\"]=countif(NetworkDirection==\"outbound\"), [\"Files Received\"]=countif(NetworkDirection==\"inbound\") on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by _path | project [\"Files Sent\"], [\"Files Received\"], TimeGenerated", + "query": "corelight_conn\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where local_orig == false and local_resp == true\n| where proto==\"tcp\" or (proto==\"udp\" and orig_pkts>0 and resp_pkts>0)\n| where conn_state!=\"S0\"\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes) by id_orig_h, service\n| extend orig_data = format_bytes(orig_bytes_sum, 2)\n| order by orig_bytes_sum desc\n| top 20 by orig_bytes_sum desc\n| project-away orig_bytes_sum\n", "size": 0, - "title": "File Flow - # of Files", - "timeContextFromParameter": "TimeRange", + "showAnalytics": true, + "title": "Top Inbound Data Flows by Originator", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "tileSettings": { - "showBorder": false - }, - "graphSettings": { - "type": 0 + "gridSettings": { + "rowLimit": 10000, + "filter": true } }, - "customWidth": "50", - "name": "File Flow - # of Files" + "customWidth": "33", + "name": "top_inbound_by_orig" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "corelight_files\n//| 
where EventType startswith \"files\"\n| where isnotempty(mime_type)\n| where mime_type != \"application/pkix-cert\"\n//| extend NetworkDirection = case(local_orig == true, \"outbound\", local_orig == false, \"inbound\", \"\" )\n// fixme: drop _d\n|make-series [\"Bytes Sent\"]=sumif(toint(seen_bytes_d), local_orig == true), [\"Bytes Received\"]=sumif(toint(seen_bytes_d),local_orig == false) on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType", + "query": "corelight_conn\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where proto == \"tcp\" or (proto == \"udp\" and orig_pkts>0 and resp_pkts>0)\n| where local_orig==true and local_resp==false\n| where conn_state != \"S0\"\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes) by id_orig_h, service\n| extend orig_data = format_bytes(orig_bytes_sum, 2)\n| order by orig_bytes_sum desc\n| project-away orig_bytes_sum", "size": 0, - "title": "File Flow - Bytes", - "timeContextFromParameter": "TimeRange", + "showAnalytics": true, + "title": "Top Outbound Data Flows by Originator", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "tileSettings": { - "showBorder": false - }, - "graphSettings": { - "type": 0 + "gridSettings": { + "rowLimit": 10000, + "filter": true } }, - "customWidth": "50", - "name": "File Flow - Bytes" - } + "customWidth": "33", + "name": "top_outbound_bytes" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where conn_state==\"S0\"\n| summarize Count=count() by id_orig_h, id_resp_p, service\n| order by Count desc", + "size": 0, + "showAnalytics": true, + "title": "Hosts Generating S0 (possible scan) Traffic", + "noDataMessage": "No 
data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "33", + "name": "possible_scan_connections" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where proto==\"tcp\" or (proto==\"udp\" and orig_pkts>0 and resp_pkts>0)\n| where conn_state != \"S0\"\n| summarize number_of_conns=count(), orig_bytes_sum=sum(orig_bytes), resp_bytes_sum=sum(resp_bytes) by id_orig_h, id_resp_h, id_resp_p, proto\n| extend total_bytes_sum = orig_bytes_sum + resp_bytes_sum\n| extend total_data = format_bytes(total_bytes_sum, 2)\n| top 20 by total_bytes_sum desc", + "size": 0, + "showAnalytics": true, + "title": "Largest transfers between host/port pairs", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "largest_transfers_by_host_port" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where local_resp == true and conn_state == \"S0\"\n| summarize Count=count() by id_resp_h, id_resp_p, service\n| top 30 by Count", + "size": 0, + "showAnalytics": true, + "title": "Possible Down Services", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", 
+ "name": "possible_down_services" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| summarize Count=count() by history\n| top 20 by Count", + "size": 0, + "showAnalytics": true, + "title": "Monitor Health Asymmetry (All UPPER or lower is bad)", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", + "name": "monitor_health_asymmetry" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where local_orig == false and local_resp == false\n| summarize Count=count() by id_orig_h, id_resp_h, id_resp_p, service\n| top 20 by Count", + "size": 0, + "showAnalytics": true, + "title": "Remote to Remote Connections", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "50", + "name": "remote_to_remote_connections" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_notice\n| where ('*' in ({Sensor}) or _system_name in ({Sensor}))\n| where note == \"LongConnection::found\"\n| summarize Count=count(1), arg_max(TimeGenerated, id_orig_h, id_resp_h, id_resp_p, sub, msg) by uid\n| extend seconds=sub\n| top 20 by seconds desc\n", + "size": 0, + "showAnalytics": true, + "title": "Longest Lived Connections, (May have already closed)", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + 
"showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "longest_lived_connections" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n| where TimeGenerated {GlobalTimeRestriction}\n//| where EventType startswith \"conn\"\n| where isnotempty(service)\n| summarize count() by tostring(service) | take 10", + "size": 3, + "title": "Top Services", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true, + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } + }, + "customWidth": "50", + "name": "Top Services" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n| where TimeGenerated {GlobalTimeRestriction}\n//| where EventType startswith \"conn\"\n| where isnotempty(id_resp_p)\n| extend dstprt = tostring(toint(id_resp_p))\n| summarize Count=count() by dstprt | sort by Count desc |take 10", + "size": 3, + "title": "Top Responder Ports", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true, + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } + }, + "customWidth": "50", + "name": "Top Responder Ports" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n//| where TimeGenerated 
{GlobalTimeRestriction}\n//| where EventType startswith \"conn\"\n//| extend NetworkDirection = case(LocalOrig == true,\"outbound\", LocalOrig == false, \"inbound\",'')\n| where local_orig == true and local_resp == false\n//| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\n| extend bytes = toint(orig_bytes) + toint(resp_bytes)\n| summarize Bytes=sum(bytes) by id_orig_h, id_resp_h, proto | sort by Bytes desc | take 15", + "size": 0, + "title": "Top Outbound Data Flows by Originator Bytes", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "Top Outbound Data Flows by Originator Bytes" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n//| where TimeGenerated {GlobalTimeRestriction}\n//| where EventType startswith \"conn\"\n//| extend NetworkDirection = case(LocalOrig == true,\"outbound\", LocalOrig == false, \"inbound\",'')\n| where local_orig == false and local_resp == true\n//| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(SrcIpBytes) and isnotempty(DstIpBytes)\n| extend bytes = toint(orig_bytes) + toint(resp_bytes)\n| summarize Bytes=sum(bytes) by id_orig_h, id_resp_h, proto | sort by Bytes desc | take 15", + "size": 0, + "title": "Top Inbound Data Flows by Originator Bytes", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "Top Inbound Data Flows by Originator Bytes - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n//| where EventType startswith \"conn\"\n| where TimeGenerated {GlobalTimeRestriction} \n| summarize Count=count() by id_orig_h | sort by Count", + "size": 3, + "title": "Top Originators (sources) by # of connections", + 
"timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "Top Originators (sources) by # of connections" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n//| where EventType startswith \"conn\"\n| where TimeGenerated {GlobalTimeRestriction} \n| summarize Count=count() by id_resp_h | sort by Count", + "size": 3, + "title": "Top Responders (destinations) by # of connections", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "Top Responders (destinations) by # of connections - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\n//| where EventType startswith \"conn\"\n| where TimeGenerated {GlobalTimeRestriction}\n| where isnotempty(id_orig_h) and isnotempty(id_resp_h) and isnotempty(service) and isnotempty(id_orig_p) and isnotempty(id_resp_p)\n| summarize Duration=avg(toint(duration)), make_list(id_orig_h), make_list(id_resp_h), make_list(proto) by uid | sort by Duration desc | take 50", + "size": 0, + "title": "Open/Active Long Lived Connections (requires Long Connections Pkg)", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "sortBy": [] + }, + "customWidth": "50", + "name": "Open/Active Long Lived Connections (requires Long Connections Pkg)" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "deprecated" + }, + "name": "deprecated_conn" + } ] }, - "name": "deprecated_files" - } - ] - }, - "conditionalVisibility": { - "parameterName": "Tab", - "comparison": "isEqualTo", - "value": "corelight_files" - }, - "name": "corelight_files_group" - 
}, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "title": "Corelight HTTP", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| summarize distinct_referrers=count_distinct(referrer)", - "size": 3, - "showAnalytics": true, - "title": "Distinct Referrers", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "card", - "textSettings": { - "style": "bignumber" - } - }, - "customWidth": "16", - "name": "http_distinct_referrers" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| summarize distinct_user_agents=count_distinct(user_agent)", - "size": 3, - "showAnalytics": true, - "title": "Distinct User Agents", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "card", - "textSettings": { - "style": "bignumber" - } + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "corelight_connections" }, - "customWidth": "16", - "name": "http_distinct_user_agents" + "name": "corelight_connections_group" }, { - "type": 3, + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| summarize count_distinct(host)", - "size": 3, - "showAnalytics": true, - "title": "Distinct Hosts", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "card", - "textSettings": { - "style": "bignumber" - } + "version": 
"NotebookGroup/1.0", + "groupType": "editable", + "title": "Corelight DNS", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n//| where is_broadcast_b!=true\n| summarize Count=count() by qtype_name\n| top 10 by Count", + "size": 3, + "showAnalytics": true, + "title": "Top Query Types", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "name": "dns_top_query_types" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where (rcode_name==\"NXDOMAIN\" or rcode==3) and qtype_name != \"PTR\"\n| summarize Count=count() by qtype_name\n| top 20 by Count", + "size": 3, + "showAnalytics": true, + "title": "No response DNS query by type", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "name": "dns_nx_by_type" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where id_resp_p == 53 and (rcode_name == \"NXDOMAIN\" or rcode == 3) and qtype_name != \"PTR\"\n| summarize Count=count() by query\n| top 100 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top Queries by Count to Non-Existent Domains", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + 
"rowLimit": 10000, + "filter": true + } + }, + "customWidth": "33", + "name": "dns_top_nxdomain_by_count" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where id_resp_p == 53\n| summarize Count=count() by id_orig_h\n| top 20 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top Originators by Count", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", + "name": "dns_top_originators" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where id_resp_p == 53 and qtype_name != \"ptr\"\n| summarize Count=count() by query\n| top 100 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top Queries by Count", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "33", + "name": "dns_top_queries_by_count" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where id_resp_p==53 and qtype_name==\"PTR\" and (rcode_name==\"NOERROR\" or rcode==0)\n| summarize Count=count() by query\n| top 100 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top Successful Reverse Queries by Count", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "33", + "name": "dns_top_ptr_by_count" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where id_resp_p == 53 and (rcode_name == \"NXDOMAIN\" or rcode == 3) and qtype_name != \"PTR\"\n| summarize Count=count() by id_orig_h\n| top 20 by Count\n", + "size": 0, + "showAnalytics": true, + "title": "Top Host querying Non-Existent Domains", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", + "name": "dns_top_hosts_querying_nxdomain" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where id_resp_p == 53 and qtype_name == \"PTR\" and (rcode_name == \"NXDOMAIN\" or rcode == 3)\n| summarize Count=count() by query\n| top 100 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top Reverse Queries by Count to Non-Existent Domains", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "33", + "name": "dns_top_ptr_nxdomain" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| extend query_length = string_size(query)\n| summarize Count=count() by id_orig_h, query_length, query\n| order by 
query_length desc", + "size": 0, + "showAnalytics": true, + "title": "DNS by Query Length", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "dns_by_query_length" + } + ] }, - "customWidth": "16", - "name": "http_distinct_hosts" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| summarize distinct_connections=count_distinct(uid)", - "size": 3, - "showAnalytics": true, - "title": "Distinct Connections", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "card", - "textSettings": { - "style": "bignumber" - } + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "corelight_dns" }, - "customWidth": "16", - "name": "http_distinct_connections" + "name": "corelight_dns_group" }, { - "type": 3, + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| summarize avg = format_bytes(avg(response_body_len), 2)", - "size": 3, - "showAnalytics": true, - "title": "Average Body Length", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "card", - "textSettings": { - "style": "bignumber" - } + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Corelight Files", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Deprecated files queries", + "items": [ + { + 
"type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_files\n| where TimeGenerated {GlobalTimeRestriction}\n//| where EventType startswith \"files\"\n| where isnotempty(mime_type)\n| where mime_type != \"application/pkix-cert\"\n| summarize Count=count() by mime_type | sort by Count desc | take 20\n", + "size": 0, + "title": "Top 20 Mime Types by File Count", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "name": "Top 20 Mime Types by File Count" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_files\n| where TimeGenerated {GlobalTimeRestriction}\n//| where EventType startswith \"files\"\n| where isnotempty(mime_type)\n| where mime_type != \"application/pkix-cert\"\n| summarize [\"File Count\"]=count() by source | sort by [\"File Count\"] desc | take 15\n", + "size": 0, + "title": "Top File Protocols by File Count", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "name": "Top File Protocols by File Count" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_files\n//| where EventType startswith \"files\"\n| where isnotempty(mime_type)\n| where mime_type != \"application/pkix-cert\"\n| extend NetworkDirection = case(local_orig == \"true\", \"outbound\", local_orig == \"false\", \"inbound\", \"\" )\n|make-series [\"Files Sent\"]=countif(NetworkDirection==\"outbound\"), [\"Files Received\"]=countif(NetworkDirection==\"inbound\") on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step {GlobalTimeRestriction:grain} by path | project [\"Files Sent\"], [\"Files Received\"], TimeGenerated", + "size": 0, + "title": "File Flow - # of Files", + "timeContextFromParameter": "GlobalTimeRestriction", 
+ "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "tileSettings": { + "showBorder": false + }, + "graphSettings": { + "type": 0 + } + }, + "customWidth": "50", + "name": "File Flow - # of Files" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_files\n//| where EventType startswith \"files\"\n| where isnotempty(mime_type)\n| where mime_type != \"application/pkix-cert\"\n//| extend NetworkDirection = case(local_orig == true, \"outbound\", local_orig == false, \"inbound\", \"\" )\n// fixme: drop _d\n|make-series [\"Bytes Sent\"]=sumif(toint(seen_bytes), local_orig == true), [\"Bytes Received\"]=sumif(toint(seen_bytes),local_orig == false) on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step {GlobalTimeRestriction:grain} by EventType", + "size": 0, + "title": "File Flow - Bytes", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "tileSettings": { + "showBorder": false + }, + "graphSettings": { + "type": 0 + } + }, + "customWidth": "50", + "name": "File Flow - Bytes" + } + ] + }, + "name": "deprecated_files" + } + ] }, - "customWidth": "16", - "name": "http_avg_response_len" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| extend ua_length = strlen(user_agent)\n| summarize avg_ua_length = round(avg(ua_length))", - "size": 3, - "showAnalytics": true, - "title": "Average User Agent Length", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "card", - "textSettings": { - "style": "bignumber" - } + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": 
"corelight_files" }, - "customWidth": "16", - "name": "http_avg_ua_length" + "name": "corelight_files_group" }, { - "type": 3, + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| summarize Count=count() by host\n| top 10 by Count", - "size": 0, - "showAnalytics": true, - "title": "Top Host Headers by Count", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "sortBy": [ - { - "itemKey": "Count", - "sortOrder": 1 - } - ] - }, - "sortBy": [ - { - "itemKey": "Count", - "sortOrder": 1 + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Corelight HTTP", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| summarize distinct_referrers=count_distinct(referrer)", + "size": 3, + "showAnalytics": true, + "title": "Distinct Referrers", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "16", + "name": "http_distinct_referrers" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| summarize distinct_user_agents=count_distinct(user_agent)", + "size": 3, + "showAnalytics": true, + "title": "Distinct User Agents", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": 
"card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "16", + "name": "http_distinct_user_agents" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| summarize count_distinct(host)", + "size": 3, + "showAnalytics": true, + "title": "Distinct Hosts", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "16", + "name": "http_distinct_hosts" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| summarize distinct_connections=count_distinct(uid)", + "size": 3, + "showAnalytics": true, + "title": "Distinct Connections", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "16", + "name": "http_distinct_connections" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| summarize avg = format_bytes(avg(response_body_len), 2)", + "size": 3, + "showAnalytics": true, + "title": "Average Body Length", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": 
"16", + "name": "http_avg_response_len" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| extend ua_length = strlen(user_agent)\n| summarize avg_ua_length = round(avg(ua_length))", + "size": 3, + "showAnalytics": true, + "title": "Average User Agent Length", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "16", + "name": "http_avg_ua_length" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| summarize Count=count() by host\n| top 10 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top Host Headers by Count", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "Count", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Count", + "sortOrder": 1 + } + ] + }, + "customWidth": "33", + "name": "http_top_hosts" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| summarize Count=count() by status_msg\n| top 10 by Count", + "size": 3, + "showAnalytics": true, + "title": "HTTP Status Code Breakdown", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "33", + "name": "http_status_code_chart" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| summarize Count=count() by id_orig_h\n| top 10 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top Originators", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "33", + "name": "http_top_originators" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| summarize Count=count() by user_agent\n| top 10 by Count asc", + "size": 0, + "showAnalytics": true, + "title": "Rare User Agents", + "noDataMessage": "No data found.", + "timeContext": { + "durationMs": 86400000 + }, + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "70", + "name": "http_rare_ua" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_http\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\n| where host != \"control\"\n| summarize Count=count() by host, status_code\n| top 10 by Count asc", + "size": 0, + "showAnalytics": true, + "title": "Rare Host Headers", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "25", + "name": "http_rare_hosts" } ] }, - "customWidth": "33", - "name": "http_top_hosts" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| summarize Count=count() by status_msg\n| top 10 by Count", - "size": 3, - "showAnalytics": true, - "title": "HTTP Status Code Breakdown", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart" - }, - "customWidth": "33", - "name": "http_status_code_chart" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| summarize Count=count() by id_orig_h\n| top 10 by Count", - "size": 0, - "showAnalytics": true, - "title": "Top Originators", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "corelight_http" }, - "customWidth": "33", - "name": "http_top_originators" + "name": "corelight_http_group" }, { - "type": 3, + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| summarize Count=count() by user_agent\n| top 10 by Count asc", - "size": 0, - "showAnalytics": true, - "title": "Rare User Agents", - "timeContext": { - "durationMs": 86400000 - }, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Corelight Software", + "items": [ + { + 
"type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Deprecated software queries", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_software\n//| where EventType startswith \"software\"\n| where TimeGenerated {GlobalTimeRestriction}\n//| where isnotempty(SoftwareType)\n| summarize Count=count() by name | sort by Count | take 20\n", + "size": 0, + "title": "Top Software", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "name": "Top Software" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_software\n//| where TimeGenerated {GlobalTimeRestriction}\n//| where EventType startswith \"software\"\n| where isnotempty(software_type)\n| summarize Count=count() by name, unparsed_version | sort by Count", + "size": 0, + "title": "Top Software Versions", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Name", + "formatter": 5 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "Name" + ], + "expandTopLevel": true + } + } + }, + "customWidth": "50", + "name": "Top Software Versions" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_software\n//| where EventType startswith \"software\"\n| where isnotempty(software_type)\n| summarize Count=count() by software_type | sort by Count", + "size": 0, + "title": "Top Software Types", + "timeContextFromParameter": "GlobalTimeRestriction", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Name", + "formatter": 5 + } + ], + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "Name" + ], + 
"expandTopLevel": true + } + } + }, + "customWidth": "50", + "name": "Top Software Types" + } + ] + }, + "name": "deprecated_software" + } + ] }, - "customWidth": "70", - "name": "http_rare_ua" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "corelight_http\n| where \"(all values)\" == \"{Sensor}\" or _system_name in ({Sensor})\n| where host != \"control\"\n| summarize Count=count() by host, status_code\n| top 10 by Count asc", - "size": 0, - "showAnalytics": true, - "title": "Rare Host Headers", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "corelight_software" }, - "customWidth": "25", - "name": "http_rare_hosts" + "name": "corelight_software_group" } ] }, "conditionalVisibility": { - "parameterName": "Tab", + "parameterName": "dashboard", "comparison": "isEqualTo", - "value": "corelight_http" + "value": "DataExplorer" }, - "name": "corelight_http_group" + "name": "Data Explorer" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Corelight Software", "items": [ + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "458c9ad4-de32-4629-a33c-bd6e24126dd8", + "cellValue": "Tab", + "linkTarget": "parameter", + "linkLabel": "Security Posture", + "subTarget": "SecurityPosture", + "style": "link" + }, + { + "id": "cd6cc63c-c1a8-49fc-89c7-b2ae5e0674d9", + "cellValue": "Tab", + "linkTarget": "parameter", + "linkLabel": "Secure Channel Insights", + "subTarget": "SecureChannelInsights", + "style": "link" + }, + { + "id": "c2140a1d-ad51-4d22-a0ed-b433d3131b54", + "cellValue": "Tab", + "linkTarget": "parameter", + "linkLabel": "Name Resolution Insights", + "subTarget": "NameResolutionInsights", + "style": "link" + }, + { + "id": "cf92c03c-d98e-4a02-bc53-b127708c83f8", + "cellValue": 
"Tab", + "linkTarget": "parameter", + "linkLabel": "Remote Activity Insights", + "subTarget": "RemoteActivityInsights", + "style": "link" + } + ] + }, + "name": "links - 0" + }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Deprecated software queries", "items": [ { - "type": 3, + "type": 1, "content": { - "version": "KqlItem/1.0", - "query": "corelight_software\n//| where EventType startswith \"software\"\n| where TimeGenerated {TimeRange}\n//| where isnotempty(SoftwareType)\n| summarize Count=count() by name | sort by Count | take 20\n", - "size": 0, - "title": "Top Software", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "categoricalbar" + "json": "## Security Posture" }, - "name": "Top Software" + "name": "text - 0" }, { - "type": 3, + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "corelight_software\n//| where TimeGenerated {TimeRange}\n//| where EventType startswith \"software\"\n| where isnotempty(software_type)\n| summarize Count=count() by name, unparsed_version | sort by Count", - "size": 0, - "title": "Top Software Versions", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Name", - "formatter": 5 - } - ], - "hierarchySettings": { - "treeType": 1, - "groupBy": [ - "Name" - ], - "expandTopLevel": true + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### Encrypted Traffic Hygiene\r\n---" + }, + "name": "text - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": 
"let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\r\nlet SSL=corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where is_self_signed==\"yes\" and is_dest_internal_ip==\"true\";\r\nlet trendline=toscalar(\r\nSSL\r\n| summarize arg_max(TimeGenerated, *) by ssl_subject_common_name\r\n| make-series Trend = dcount(ssl_subject_common_name) default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\r\n| project Trend);\r\nSSL\r\n| summarize Count=dcount(ssl_subject_common_name)\r\n| extend Trend = trendline", + "size": 4, + "showAnalytics": true, + "title": "Self Signed Certs", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "greenDark" + } + }, + "showBorder": true + } + }, + "name": "query - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and 
interval_in_days<=90, 7d, 31d);\r\nlet X509=corelight_x509\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| extend key_length = toint(certificate_key_length)\r\n| where key_length < 2048;\r\nlet trendline=toscalar(\r\nX509\r\n| summarize arg_max(TimeGenerated, *) by ssl_hash\r\n| make-series Trend = dcount(ssl_hash) default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\r\n| project Trend);\r\nX509\r\n| summarize Count = dcount(ssl_hash)\r\n| extend Trend = trendline\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Certs w/ Low Keys", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "greenDark" + } + }, + "showBorder": true + } + }, + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_x509\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where days_to_expiry > 0 and days_to_expiry <= 15\r\n| summarize [\"Distinct Certs\"] = dcount(ssl_hash)\r\n", + "size": 4, + "showAnalytics": true, + "title": "Expiring Certs.", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Distinct Certs", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + 
"numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": true + } + }, + "name": "query - 2" + } + ] + }, + "customWidth": "25", + "name": "Encrypted Traffic Hygiene Tiles" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\r\ncorelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| make-series ['Encrypted Traffic Volume']=count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration", + "size": 2, + "showAnalytics": true, + "title": "Encrypted Traffic Over Time", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "chartSettings": { + "xAxis": "TimeGenerated", + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "Count", + "color": "green" + }, + { + "seriesName": "Encrypted Traffic Volume", + "color": "green" + } + ], + "xSettings": { + "label": "Time" + }, + "ySettings": { + "label": "Encrypted traffic Volume" + } + } + }, + "customWidth": "75", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| extend version_status=case(version==\"TLSv13\", \"Most Secure\", \r\n version==\"TLSv12\", \"Secure\", \r\n version==\"DTLSv12\", \"Secure\", \r\n 
version==\"unknown-64282\", \"Unknown\", \r\n \"Old Version\")\r\n| summarize Count= count() by version_status\r\n| sort by Count desc", + "size": 0, + "showAnalytics": true, + "title": "TLS Versions", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "version_status", + "createOtherGroup": 0 + } + }, + "customWidth": "40", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| extend src_internal=iff(isnull(is_src_internal_ip) or is_src_internal_ip==\"false\", \"External\", \"Internal\"), dest_internal=iff(isnull(is_dest_internal_ip) or is_dest_internal_ip==\"false\", \"External\", \"Internal\")\r\n| where src_internal==\"Internal\" \r\n| extend version_status=case(version==\"TLSv13\", \"Most Secure\", \r\n version==\"TLSv12\", \"Secure\", \r\n version==\"DTLSv12\", \"Secure\", \r\n version==\"unknown-64282\", \"Unknown\", \r\n \"Old Version\")\r\n| summarize Count= count() by version_status\r\n| sort by Count desc", + "size": 0, + "showAnalytics": true, + "title": "Internal TLS Version Profile", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "chartSettings": { + "showLegend": true, + "xSettings": { + "label": "TLS Version" + }, + "ySettings": { + "label": "Count" + } + } + }, + "customWidth": "60", + "name": "query - 5" + } + ] + }, + "name": "Encrypted Traffic Hygiene" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### Unencrypted Traffic 
Hygiene - Indicators\r\n---" + }, + "name": "text - 8" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\r\nlet UnencryptedConnection=corelight_etc_viz\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where viz_stat in (\"C\", \"Cc\", \"C!\", \"cc\");\r\nlet trendline=toscalar(\r\nUnencryptedConnection \r\n| make-series Trend = count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration by server_a, server_p\r\n| project Trend);\r\nUnencryptedConnection \r\n| summarize Count = count() by server_a, server_p\r\n| summarize Sum = sum(Count)\r\n| extend Trend=trendline\r\n", + "size": 3, + "showAnalytics": true, + "title": "Unencrypted Connections", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "exportFieldName": "Sum", + "exportParameterName": "sum", + "exportDefaultValue": "none", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Sum", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": true + } + }, + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Click on 
the count in the above panel **Unencrypted Connections** to view more information.", + "style": "info" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union isfuzzy=true\r\ncorelight_http,\r\ncorelight_conn,\r\ncorelight_dns,\r\ncorelight_ssl,\r\ncorelight_files\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where id_resp_p == 23\r\n| summarize Count = count()\r\n", + "size": 3, + "showAnalytics": true, + "title": "Telnet Sessions", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "exportFieldName": "Count", + "exportParameterName": "telnet_count", + "exportDefaultValue": "none", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "useGrouping": false + } + } + }, + "showBorder": true + } + }, + "name": "query - 3" + }, + { + "type": 1, + "content": { + "json": "#### Click on the count in the above panel **Telnet Sessions** to view more information.", + "style": "info" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ftp\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| summarize Count = count()\r\n", + "size": 3, + "showAnalytics": true, + "title": "FTP Sessions", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "exportFieldName": "Count", + "exportParameterName": "ftp_count", + "exportDefaultValue": "none", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": 
"Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "name": "query - 3" + }, + { + "type": 1, + "content": { + "json": "#### Click on the count in the above panel **FTP Sessions** to view more information.", + "style": "info" + }, + "name": "text - 3" + } + ], + "exportParameters": true + }, + "customWidth": "25", + "name": "Unencrypted Traffic Hygiene - Indicators - Tiles" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\r\nunion isfuzzy=true\r\ncorelight_http,\r\ncorelight_conn,\r\ncorelight_dns,\r\ncorelight_ssl,\r\ncorelight_files\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where isnotempty(service) and service !in ('ssl', 'tls', 'dns', \"ssl,http\", \"http,ssl\")\r\n| make-series [\"Unencrypted Traffic Volume\"]=count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration by service", + "size": 2, + "showAnalytics": true, + "title": "Top Unencrypted Protocols Used", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "exportFieldName": "series", + "exportParameterName": "service", + "exportDefaultValue": "none", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "chartSettings": { + "group": "service", + "createOtherGroup": 0, + "showLegend": true + } + }, + "customWidth": "75", + "name": "query - 2" + }, + { + "type": 1, + "content": { + "json": 
"#### Click on the datapoints in the above panel **Top Unencrypted Protocols Used** to view more information.\r\n", + "style": "info" + }, + "name": "text - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_etc_viz\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where viz_stat in (\"C\", \"Cc\", \"C!\", \"cc\") \r\n| summarize Count = count() by server_a, server_p\r\n", + "size": 0, + "showAnalytics": true, + "title": "Details of Unencrypted Connections", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "100", + "conditionalVisibility": { + "parameterName": "sum", + "comparison": "isNotEqualTo", + "value": "none" + }, + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union corelight_http,\r\ncorelight_conn,\r\ncorelight_dns,\r\ncorelight_ssl,\r\ncorelight_files\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where id_resp_p == 23\r\n", + "size": 0, + "showAnalytics": true, + "title": "Details of Telnet Sessions", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "telnet_count", + "comparison": "isNotEqualTo", + "value": "none" + }, + "name": "query - 5", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ftp\r\n| 
where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n", + "size": 0, + "showAnalytics": true, + "title": "Details of FTP Sessions", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "ftp_count", + "comparison": "isNotEqualTo", + "value": "none" + }, + "name": "query - 6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union isfuzzy=true\r\ncorelight_http,\r\ncorelight_conn,\r\ncorelight_dns,\r\ncorelight_ssl,\r\ncorelight_files\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where service == '{service}'\r\n", + "size": 0, + "showAnalytics": true, + "title": "Details of Top Unencrypted Protocols Used", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "service", + "comparison": "isNotEqualTo", + "value": "none" + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "name": "Unencrypted Traffic Hygiene - Indicators" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### DNS Hygiene\r\n---" + }, + "name": "text - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet 
interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\r\nlet FailedDNS=corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where rcode_name in ('SERVFAIL', 'REFUSED', 'FORMERR' ,'NOTIMP' ,'NOTAUTH');\r\nlet trendline=toscalar(\r\nFailedDNS\r\n| make-series Trend = count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\r\n| project Trend);\r\nFailedDNS\r\n| summarize dns_fails = count()\r\n| extend Trend = trendline\r\n", + "size": 3, + "showAnalytics": true, + "title": "Failed DNS Queries", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "rcode_name", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "dns_fails", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": true + } + }, + "customWidth": "25", + "name": "query - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\r\nlet UnusualQtypes=corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in 
({Sensor}))\r\n| where qtype_name in (\"AXFR\", \"IXFR\", \"ANY\", \"TXT\");\r\nlet trendline=toscalar(\r\nUnusualQtypes\r\n| make-series Trend = count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\r\n);\r\nUnusualQtypes\r\n| summarize failed_q=count() by bin(TimeGenerated, 1d)\r\n| summarize total = sum(failed_q) by TimeGenerated\r\n| extend today = iff(TimeGenerated==(startofday(now())), total, 0)\r\n| extend yesterday = iff(TimeGenerated==(startofday(now())-1d), total, 0)\r\n| extend Trend = trendline\r\n| serialize\r\n| order by TimeGenerated desc\r\n| extend nextyesterday = iff((today == 0 and yesterday > 0), yesterday, iff(isempty(next(yesterday)), 0, next(yesterday)))\r\n| limit 1\r\n| extend percentage = case(nextyesterday == 0 and today == 0, 0.0, \r\n nextyesterday == 0 and today !=0, todouble(today)*100, \r\n (todouble(today-nextyesterday)/nextyesterday)*100)", + "size": 3, + "showAnalytics": true, + "title": "Unusual Qtypes", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "exportFieldName": "failed_q", + "exportParameterName": "failed_count", + "exportDefaultValue": "none", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "today", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "rightContent": { + "columnMatch": "percentage", + "formatter": 12, + "formatOptions": { + "palette": "none" + }, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal" + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": true, + "size": "full" + } + }, + "customWidth": "25", + "name": "query 
- 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\r\nlet NxdomainResponses=corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where rcode_name in ('NXDOMAIN', 'NOERROR');\r\nlet trendline=toscalar(\r\nNxdomainResponses\r\n| make-series Trend = count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration\r\n);\r\nNxdomainResponses\r\n| summarize Count=count() by bin(TimeGenerated, 1d)\r\n| summarize total = sum(Count) by TimeGenerated\r\n| extend today = iff(TimeGenerated==(startofday(now())), total, 0)\r\n| extend yesterday = iff(TimeGenerated==(startofday(now())-1d), total, 0)\r\n| extend Trend = trendline\r\n| serialize\r\n| order by TimeGenerated desc\r\n| extend nextyesterday = iff((today == 0 and yesterday > 0), yesterday, iff(isempty(next(yesterday)), 0, next(yesterday)))\r\n| limit 1\r\n| extend percentage = case(nextyesterday == 0 and today == 0, 0.0, \r\n nextyesterday == 0 and today !=0, todouble(today)*100, \r\n (todouble(today-nextyesterday)/nextyesterday)*100)", + "size": 3, + "showAnalytics": true, + "title": "NXDOMAIN Responses", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "today", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + 
"rightContent": { + "columnMatch": "percentage", + "formatter": 12, + "formatOptions": { + "palette": "none" + }, + "numberFormat": { + "unit": 1, + "options": { + "style": "decimal" + } + } + }, + "secondaryContent": { + "columnMatch": "Trend", + "formatter": 9, + "formatOptions": { + "palette": "green" + } + }, + "showBorder": true, + "size": "full" + } + }, + "customWidth": "25", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where isnotempty(dest_ip) and dest_port in (53, 5353) and is_dest_internal_ip==\"true\"\r\n| summarize NumberOfInternalDnsServers = dcount(dest_ip)", + "size": 3, + "showAnalytics": true, + "title": "Internal DNS Servers", + "noDataMessage": "Nodata found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "NumberOfInternalDnsServers", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "25", + "name": "query - 3" + }, + { + "type": 1, + "content": { + "json": "#### Click on the count in the above panel **Unusual Qtypes** to view more information.", + "style": "info" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where qtype_name in (\"AXFR\", \"IXFR\", \"ANY\", \"TXT\")\r\n| summarize unique_sessions=dcount(uid), query_list = strcat_array(make_list(query), \", \"), qtype_names = strcat_array(make_list(qtype_name), \", \") by id_orig_h, id_resp_h\r\n", + "size": 0, + "showAnalytics": true, + "title": "Details of 
Unusual Qtypes", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "failed_count", + "comparison": "isNotEqualTo", + "value": "none" + }, + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| extend iplocation=geo_info_from_ip_address(dest_ip)\r\n| extend latitude=iplocation.latitude, longitude=iplocation.longitude\r\n| extend Country = coalesce(iplocation.country, \"No Country\")\r\n| summarize Count = count() by tostring(latitude), tostring(longitude), Country\r\n| extend coordinates= iff(Country!=\"No Country\", strcat(\"Country: \",Country, \"\\nLatitude: \", latitude, \"\\nLongitude:\", longitude), Country)\r\n", + "size": 3, + "showAnalytics": true, + "title": "Geolocation of DNS Responses", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "latitude": "latitude", + "longitude": "longitude", + "sizeSettings": "Count", + "sizeAggregation": "Max", + "labelSettings": "coordinates", + "legendMetric": "Count", + "numberOfMetrics": 0, + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "Count", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "name": "query - 0" + } + ] + }, + "name": "DNS Hygiene" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": 
"editable", + "items": [ + { + "type": 1, + "content": { + "json": "### Remote Management Hygiene\r\n---" + }, + "name": "text - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let TopVPN=corelight_vpn\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| extend iplocation=geo_info_from_ip_address(dest_ip)\r\n| extend country=iplocation.country\r\n| extend Country=coalesce(country, \"No Country\")\r\n| summarize arg_max(TimeGenerated, *) by dest_ip, tostring(Country)\r\n| summarize Count=count() by Country;\r\nlet totalcount=(\r\nTopVPN\r\n| summarize TotalCount = sum(Count));\r\nTopVPN\r\n| extend Percentage=(Count * 100.0)/toscalar(totalcount)\r\n| sort by Percentage desc", + "size": 0, + "aggregation": 2, + "showAnalytics": true, + "title": "Top VPN destinations by Country", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "chartSettings": { + "xAxis": "Country", + "yAxis": [ + "Percentage", + "Count" + ], + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "Percentage", + "color": "green" + }, + { + "seriesName": "Count", + "color": "greenDarkDark" + } + ], + "ySettings": { + "numberFormatSettings": { + "unit": 17, + "options": { + "style": "decimal", + "useGrouping": true + } + }, + "label": "Percentage" + } + } + }, + "customWidth": "50", + "name": "Top VPN destinations by Country" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<90, 7d, 31d);\r\ncorelight_vpn\r\n| 
where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where is_dest_internal_ip == \"false\"\r\n| make-series [\"Outbound VPN Connections\"]=count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration", + "size": 0, + "showAnalytics": true, + "title": "Outbound VPN Connections", + "color": "green", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "linechart", + "chartSettings": { + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "Outbound VPN Connections", + "color": "green" + } + ], + "showDataPoints": true, + "ySettings": { + "numberFormatSettings": { + "unit": 17, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 1, + "content": { + "json": "#### Metrics shows the count and percentage for the country with maximum value as default. 
To view the count or percentage for a particular country hover over the bar in Top VPN destinations by Country Panel.", + "style": "upsell" + }, + "name": "Tooltip for Top VPN destinations by Country Panel" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\r\ncorelight_rdp\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where isnotempty(auth_success)\r\n| extend auth_result = iff(auth_success==\"true\",\"Success\",\"Failure\") \r\n| make-series Count=count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration by auth_result", + "size": 0, + "showAnalytics": true, + "title": "RDP Authentication Attempts", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "exportFieldName": "series", + "exportParameterName": "auth", + "exportDefaultValue": "none", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "chartSettings": { + "group": "auth_result", + "createOtherGroup": 0, + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "Failure", + "color": "redBright" + }, + { + "seriesName": "Success", + "color": "green" + } + ], + "showDataPoints": true + } + }, + "name": "query - 2" + }, + { + "type": 1, + "content": { + "json": "#### Click on the datapoints in the above panel **RDP Authentication Attempts** to view more information.", + "style": "info" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_rdp\r\n| where ('*' in 
({Sensor}) or sensor_name in ({Sensor}))\r\n| extend auth_result = iff(auth_success==\"true\",\"Success\",\"Failure\") \r\n| where auth_result == '{auth}'\r\n", + "size": 0, + "showAnalytics": true, + "title": "Details of RDP Authentication Attempts", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "auth", + "comparison": "isNotEqualTo", + "value": "none" + }, + "name": "query - 3", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "name": "Remote Management Hygiene" } - } + ] }, - "customWidth": "50", - "name": "Top Software Versions" + "name": "group - 2" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "SecurityPosture" + }, + "name": "Security Posture" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Secure Channel Insights\r\n#### Deep dive from Security Posture Encrypted, non-encrypted SSL, SSH, TLS and x509 facts.\r\n" + }, + "name": "text - 0" }, { - "type": 3, + "type": 1, "content": { - "version": "KqlItem/1.0", - "query": "corelight_software\n//| where EventType startswith \"software\"\n| where isnotempty(software_type)\n| summarize Count=count() by software_type | sort by Count", - "size": 0, - "title": "Top Software Types", - "timeContextFromParameter": "TimeRange", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Name", - "formatter": 5 - } - ], - "hierarchySettings": { - "treeType": 1, - "groupBy": [ - "Name" - ], - "expandTopLevel": true + "json": "### Encrypted 
Traffic Notables\r\n----" + }, + "name": "text - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Weak Certs. Used Internally", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_x509\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| extend key_length=certificate_key_length, match_fingerprint=fingerprint\r\n| where toint(key_length) < 2048\r\n| project match_fingerprint, key_length, TimeGenerated\r\n| join kind=inner (\r\n corelight_ssl\r\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n | mv-expand todynamic(cert_chain_fps)\r\n | extend match_fingerprint=cert_chain_fps\r\n | project tostring(match_fingerprint), uid, src_ip, dest_ip, id_resp_p, is_dest_internal_ip, server_name, TimeGenerated)\r\n on match_fingerprint\r\n| summarize arg_max(TimeGenerated, *) by match_fingerprint\r\n| extend Host_Type=iff(is_dest_internal_ip==\"true\", \"Internal\", \"External\"), Resp_port=id_resp_p\r\n| where Host_Type == \"Internal\"\r\n| summarize Count= count() by server_name, dest_ip, Resp_port, key_length, Host_Type\r\n| summarize Sum = count()", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "server_name", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Sum", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": true + } + }, + "customWidth": "40", + "name": "query - 0" + }, + { + 
"type": 1, + "content": { + "json": "#### SSL/TLS sessions utilizing weak keys are vulnerable to cryptographic attacks. This traffic may indicate the presence of old and/or unpatched resources on the network. It could also be the result of a successful downgrade attack." + }, + "customWidth": "60", + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let CertResults = corelight_x509\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| extend key_length=certificate_key_length\r\n| extend match_fingerprint=fingerprint\r\n| where toint(key_length) < 2048\r\n| project match_fingerprint, key_length, TimeGenerated\r\n| join kind=inner ( \r\n corelight_ssl\r\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n | mv-expand todynamic(cert_chain_fps)\r\n | extend match_fingerprint=cert_chain_fps\r\n | project tostring(match_fingerprint), uid, src_ip, dest_ip, id_resp_p, is_dest_internal_ip, server_name, TimeGenerated)\r\n on match_fingerprint\r\n| summarize arg_max(TimeGenerated, *) by match_fingerprint\r\n| extend [\"Host Type\"]=iff(is_dest_internal_ip==\"true\", \"Internal\", \"External\"), Resp_Port=id_resp_p, Dest_Host=dest_ip, [\"Key Length\"]=key_length, [\"Server Name\"]=server_name\r\n| where [\"Host Type\"] == \"Internal\"\r\n| summarize Count= count() by [\"Server Name\"], Dest_Host, Resp_Port, [\"Key Length\"], [\"Host Type\"]\r\n| sort by [\"Server Name\"] desc;\r\nlet CertCount = CertResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = datatable([\"Server Name\"]: string, Dest_Host: string, Resp_Port: string, [\"Key Length\"]: string, [\"Host Type\"]: string, Count: long)\r\n[\"No Results\", \"N/A\", \"N/A\", \"N/A\", \"N/A\", 0];\r\nunion isfuzzy=true\r\n(CertResults| where toscalar(CertCount) != 0),\r\n(NoResults| where toscalar(CertCount) == 0)\r\n| extend Resp_Port = coalesce(tostring(toint(Resp_Port_real)), Resp_Port_string)\r\n| extend [\"Key Length\"] = 
coalesce(tostring(toint(['Key Length_real'])), ['Key Length_string'])\r\n| project-away Resp_Port_*, [\"Key Length_*\"]\r\n| project-reorder [\"Server Name\"], Dest_Host, Resp_Port, [\"Key Length\"], [\"Host Type\"], Count\r\n", + "size": 0, + "showAnalytics": true, + "title": "Network Evidence for Weak Key Length Certs", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + }, + "sortBy": [] + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "group - 0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Less Secure Ciphers", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where cipher matches regex (\"RC4|DES|3DES|MD5|NULL|EXPORT\")\r\n| extend Host_Type=iff(is_src_internal_ip==\"true\", \"Internal\", \"External\")\r\n| extend Direction=iff(is_src_internal_ip==\"true\" and is_dest_internal_ip==\"false\", \"Outbound\", \"Inbound\")\r\n| summarize Unique_Conns=dcount(uid), Count=count() by cipher\r\n| summarize TotalCount = count()", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + 
"customWidth": "40", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### SSL/TLS sessions utilizing weak cipher suites (eg. RC4) are easily decrypted. This traffic may indicate the presence of old and/or unpatched resources on the network. It could also be the result of a successful downgrade attack." + }, + "customWidth": "60", + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let QueryResults = corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where cipher matches regex (\"RC4|DES|3DES|MD5|NULL|EXPORT\")\r\n| extend Host_Type=iff(is_src_internal_ip==\"true\", \"Internal\", \"External\")\r\n| extend Direction=iff(is_src_internal_ip==\"true\" and is_dest_internal_ip==\"false\", \"Outbound\", \"Inbound\")\r\n| summarize dest_ip = make_list(dest_ip)[-1], Unique_Conns=dcount(uid), Host_Type=strcat_array(make_set(Host_Type), \",\"), Direction=strcat_array(make_set(Direction), \",\"), Count=count() by cipher\r\n| project-rename Cipher=cipher\r\n| sort by Unique_Conns desc, Count desc;\r\nlet QueryCount = QueryResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = datatable(Cipher: string, dest_ip: dynamic, Unique_Conns: string, Host_Type: string, Direction: string, Count: long)\r\n[\"No Results\", \"N/A\", \"N/A\", \"N/A\", \"N/A\", 0];\r\nunion isfuzzy=true\r\n(QueryResults| where toscalar(QueryCount) != 0),\r\n(NoResults| where toscalar(QueryCount) == 0)\r\n| extend Unique_Conns = coalesce(tostring(tolong(Unique_Conns_long)), Unique_Conns_string)\r\n| project-away Unique_Conns_*\r\n", + "size": 0, + "showAnalytics": true, + "title": "Less Secure Ciphers seen in the period", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + 
"rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "group - 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Connections using Less Secure TLS Versions (< TLS1.2)", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "0054d601-4a2f-41d2-8f2b-5633e412ff29", + "version": "KqlParameterItem/1.0", + "name": "TrafficDirection", + "label": "Traffic Direction", + "type": 2, + "description": "Select Traffic Direction", + "isRequired": true, + "quote": "'", + "delimiter": ",", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "jsonData": "[\"Inbound\", \"Outbound\", \"Internal\", \"EEther\"]\r\n", + "timeContext": { + "durationMs": 86400000 + }, + "timeContextFromParameter": "GlobalTimeRestriction", + "defaultValue": "value::all" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where isnotempty(src_ip) and isnotempty(version)\r\n| extend ip_class = iff(is_dest_internal_ip == \"true\", \"Internal\", \"External\")\r\n| extend src_int = iff(isnull(is_src_internal_ip) or is_src_internal_ip==\"false\", \"f\", \"t\"), \r\n dst_int = iff(isnull(is_dest_internal_ip) or is_dest_internal_ip==\"false\", \"f\", \"t\") \r\n| extend \r\n connection_type=case(\r\n src_int==\"t\" and dst_int==\"f\", \"Outbound\",\r\n src_int==\"f\" and dst_int==\"t\", \"Inbound\",\r\n src_int==\"t\" and dst_int==\"t\", \"Internal\",\r\n \"EEther\"\r\n ),\r\n version_status=case(\r\n version==\"TLSv13\", \"Most Secure (v1.3)\",\r\n version==\"TLSv12\", 
\"Secure (v1.2)\",\r\n version==\"DTLSv12\", \"Secure (v1.2)\", \r\n version==\"unknown-64282\", \"Unknown\",\r\n \"Old Version < (v1.2)\") \r\n| extend Classification=version_status, [\"Traffic Direction\"]=connection_type, Version=version\r\n| where ('*' == ('{TrafficDirection}') or [\"Traffic Direction\"] == ('{TrafficDirection}'))\r\n| where Classification !contains \"Secure\"\r\n| summarize Counter=dcount(uid) by tostring(Version), Classification, \"Traffic Direction\"\r\n| summarize Sum=sum(Counter)", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Sum", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "40", + "name": "query - 1" + }, + { + "type": 1, + "content": { + "json": "#### Connections employing TLS versions older than 1.2 are recognized as less secure, presenting a higher risk of being compromised. These outdated protocols may indicate legacy systems with configurations that are not aligned with modern security standards." 
+ }, + "customWidth": "60", + "name": "text - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SSHResults = corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where isnotempty(src_ip) and isnotempty(version)\r\n| extend ip_class = iff(is_dest_internal_ip == \"true\", \"Internal\", \"External\")\r\n| extend src_int = iff(isnull(is_src_internal_ip) or is_src_internal_ip==\"false\", \"f\", \"t\"), \r\n dst_int = iff(isnull(is_dest_internal_ip) or is_dest_internal_ip==\"false\", \"f\", \"t\") \r\n| extend \r\n connection_type=case(\r\n src_int==\"t\" and dst_int==\"f\", \"Outbound\",\r\n src_int==\"f\" and dst_int==\"t\", \"Inbound\",\r\n src_int==\"t\" and dst_int==\"t\", \"Internal\",\r\n \"EEther\"\r\n ),\r\n version_status=case(\r\n version==\"TLSv13\", \"Most Secure (v1.3)\",\r\n version==\"TLSv12\", \"Secure (v1.2)\",\r\n version==\"DTLSv12\", \"Secure (v1.2)\", \r\n version==\"unknown-64282\", \"Unknown\",\r\n \"Old Version < (v1.2)\") \r\n| extend Classification=version_status, [\"Traffic Direction\"]=connection_type, Version=version\r\n| where ('*' == ('{TrafficDirection}') or [\"Traffic Direction\"] == ('{TrafficDirection}'))\r\n| summarize Counter=dcount(uid), [\"Responder Location\"] = strcat_array(make_set(ip_class), \",\") by tostring(Version), Classification, [\"Traffic Direction\"]\r\n| project-reorder Version, [\"Traffic Direction\"], Counter, [\"Responder Location\"], Classification\r\n| sort by Counter desc;\r\nlet SSHCount = SSHResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = datatable(Version: string, Counter: long)\r\n[\"No Results Found\", 0];\r\nunion isfuzzy=true\r\n(SSHResults| where toscalar(SSHCount) != 0),\r\n(NoResults| where toscalar(SSHCount) == 0)\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Network Evidence for All TLS versions seen (Classification based on Industry best practices)", + "noDataMessage": "No data found", + 
"timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "Version", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Version", + "sortOrder": 1 + } + ] + }, + "name": "query - 3", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "group - 2-Connections using Less Secure TLS Versions (< TLS1.2)" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Interactive Sessions and Keystrokes", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ssh \r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| mv-expand todynamic(Inferences), todynamic(Descriptions)\r\n| where Inferences in (\"KS\", \"AUTO\") \r\n| summarize arg_max(TimeGenerated, *) by uid\r\n| extend src_ip = id_orig_h, dest_ip = id_resp_h, Inference=Inferences, Description=Descriptions\r\n| summarize Count = count() by uid, src_ip, dest_ip, tostring(Inference), tostring(Description) \r\n| summarize TotalCount = count()", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "40", + "name": "query - 0", + "styleSettings": { + "margin": "60px 0px 0px 0px" + } + }, + { + "type": 1, + "content": { + "json": 
"#### Highlight interactive sessions (KS) and automated interactions (AUTO) to understand the nature of SSH traffic — manual vs. automated.\r\n" + }, + "customWidth": "60", + "name": "text - 2", + "styleSettings": { + "margin": "60px 0px 0px 0px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SSHResults = corelight_ssh \r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| mv-expand todynamic(Inferences), todynamic(Descriptions)\r\n| where Inferences in (\"KS\", \"AUTO\") \r\n| summarize arg_max(TimeGenerated, *) by uid\r\n| extend src_ip = id_orig_h, dest_ip = id_resp_h, Inference=Inferences, Description=Descriptions\r\n| summarize Count = count() by uid, src_ip, dest_ip, tostring(Inference), tostring(Description);\r\nlet SSHCount = SSHResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = datatable(uid: string, src_ip: string, dest_ip: string, Inference: string, Description: string, Count: long)\r\n[\"No Results\", \"N/A\", \"N/A\", \"N/A\", \"N/A\", 0];\r\nunion isfuzzy=true\r\n(SSHResults| where toscalar(SSHCount) != 0),\r\n(NoResults| where toscalar(SSHCount) == 0)\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Network Evidence for Interactive Sessions and Keystrokes - SSH Inferences", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 1", + "styleSettings": { + "margin": "2px 0px 0px 0px", + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "group - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Self Signed Certs", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": 
"corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where validation_status==\"self signed certificate\" and is_dest_internal_ip==\"true\" and isnotempty(dest_ip)\r\n| extend Source_Host_Type = case(is_src_internal_ip==\"true\", \"Internal\",is_src_internal_ip==\"false\", \"External\", \"Undefined\") , \r\nDestination_Host_Type = case(is_dest_internal_ip==\"true\", \"Internal\",is_dest_internal_ip==\"false\", \"External\", \"Undefined\")\r\n| extend Traffic_Direction = case(Source_Host_Type==\"Internal\" and Destination_Host_Type==\"External\", \"Outbound\",Source_Host_Type==\"External\" and Destination_Host_Type==\"Internal\", \"Inbound\",Source_Host_Type==\"Internal\" and Destination_Host_Type==\"Internal\", \"East-West\",Source_Host_Type==\"External\" and Destination_Host_Type==\"External\", \"Ether\",\"Undefined\") \r\n| summarize count() by ssl_subject_common_name, dest_ip \r\n| count ", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "40", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### This dashboard panel identifies self-signed certificates in use within internal networks, highlighting a key security concern due to their lack of third-party validation. Addressing this issue by transitioning to certificates from trusted authorities enhances network security and trustworthiness." 
+ }, + "customWidth": "60", + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SSHResults = corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where validation_status==\"self signed certificate\" and is_dest_internal_ip==\"true\" and isnotempty(dest_ip)\r\n| extend Source_Host_Type = case(is_src_internal_ip==\"true\", \"Internal\",is_src_internal_ip==\"false\", \"External\", \"Undefined\") , \r\nDestination_Host_Type = case(is_dest_internal_ip==\"true\", \"Internal\",is_dest_internal_ip==\"false\", \"External\", \"Undefined\")\r\n| extend Traffic_Direction = case(Source_Host_Type==\"Internal\" and Destination_Host_Type==\"External\", \"Outbound\",Source_Host_Type==\"External\" and Destination_Host_Type==\"Internal\", \"Inbound\",Source_Host_Type==\"Internal\" and Destination_Host_Type==\"Internal\", \"East-West\",Source_Host_Type==\"External\" and Destination_Host_Type==\"External\", \"Ether\",\"Undefined\") \r\n| summarize Destination_Host_Type=strcat_array(make_set(Destination_Host_Type), \",\"), Status=strcat_array(make_set(validation_status), \",\"), Traffic_Direction=strcat_array(make_set(Traffic_Direction), \",\") \r\n by ssl_subject_common_name, dest_ip \r\n| project Subject=ssl_subject_common_name, Destination=dest_ip, Status, Destination_Host_Type, Traffic_Direction;\r\nlet SSHCount = SSHResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = datatable(Subject: string)\r\n[\"No Results Found\"];\r\nunion isfuzzy=true\r\n(SSHResults| where toscalar(SSHCount) != 0),\r\n(NoResults| where toscalar(SSHCount) == 0)\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Network Evidence for Self Signed Internal Certificates", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + 
"visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "Subject", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Subject", + "sortOrder": 1 + } + ] + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "group - 4-Self Signed Certs" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Possible File Uploaded", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ssh\r\n| where ('*' == ('*') or sensor_name == ('*'))\r\n| mv-expand todynamic(Inferences), todynamic(Descriptions)\r\n| where Inferences in (\"SFD\", \"LFD\", \"SFU\", \"LFU\")\r\n| summarize arg_max(TimeGenerated, *) by uid\r\n| project-rename\r\n Inference = Inferences,\r\n Description = Descriptions\r\n| summarize Count = count() by uid, src_ip, dest_ip,tostring(Inference), tostring(Description)\r\n| summarize TotalCount = count()\r\n", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "40", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### This use case tracks SSH file transfer activity (inferences SFD, LFD, SFU, LFU). It uncovers potential data exfiltration by attackers or the introduction of malicious files. Focus on file names, sizes, unusual source IPs, and sensitive destination systems." 
+ }, + "customWidth": "60", + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SSHResults = corelight_ssh\r\n| where ('*' == ('*') or sensor_name == ('*'))\r\n| mv-expand todynamic(Inferences), todynamic(Descriptions)\r\n| where Inferences in (\"SFD\", \"LFD\", \"SFU\", \"LFU\")\r\n| summarize arg_max(TimeGenerated, *) by uid\r\n| project-rename\r\n Inference = Inferences,\r\n Description = Descriptions\r\n| summarize Count = count() by uid, src_ip, dest_ip,tostring(Inference), tostring(Description);\r\nlet SSHCount = SSHResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = datatable(uid: string, src_ip: string, dest_ip: string, Inference: string, Description: string, Count: long)\r\n[\"No Results\", \"N/A\", \"N/A\", \"N/A\", \"N/A\", 0];\r\nunion isfuzzy=true\r\n(SSHResults| where toscalar(SSHCount) != 0),\r\n(NoResults| where toscalar(SSHCount) == 0)\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Possible File Transfer", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "group - 5-Possible File Uploaded" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Certificates about to Expire", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where is_dest_internal_ip==\"true\"\r\n| mv-expand todynamic(fingerprint)\r\n| extend fingerprint=tostring(fingerprint)\r\n| join kind=inner \r\n (corelight_x509\r\n | where ('*' in ({Sensor}) or 
sensor_name in ({Sensor}))\r\n | where days_to_expiry > 0 and days_to_expiry < 30)\r\n on fingerprint\r\n| summarize count() by ssl_subject, dest_ip\r\n| count\r\n\r\n", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "40", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### A SSL certificate that is about to expire (default window is 30 days) was observed. Expiration of an SSL certificate may result in unexpected behaviour such as refused network connections or unencrypted network traffic.\r\n" + }, + "customWidth": "60", + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SSHResults = corelight_ssl\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where is_dest_internal_ip==\"true\"\r\n| mv-expand todynamic(fingerprint)\r\n| extend fingerprint=tostring(fingerprint)\r\n| join kind=inner \r\n (corelight_x509\r\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n | where days_to_expiry > 0 and days_to_expiry < 30)\r\n on fingerprint\r\n| summarize Port = strcat_array(make_list(toint(dest_port)), \",\"), [\"Not Valid After\"] = strcat_array(make_list(not_valid_after), \",\"), [\"Days to Expire\"] = strcat_array(make_list(days_to_expiry), \",\") by ssl_subject, dest_ip\r\n| project-rename Subject = ssl_subject, Host = dest_ip\r\n| sort by tostring([\"Days to Expire\"]) desc; \r\nlet SSHCount = SSHResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = 
datatable(Subject: string)\r\n[\"No Results Found\"];\r\nunion isfuzzy=true\r\n(SSHResults| where toscalar(SSHCount) != 0),\r\n(NoResults| where toscalar(SSHCount) == 0)\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Network Evidence for Self Signed Internal Certificates", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "group - 6-Certificates about to Expire" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Potential Security Risks", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ssh\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| mv-expand todynamic(Inferences)\r\n| where Inferences in (\"SC\", \"SP\", \"SV\", \"SA\", \"AFR\", \"BAN\") \r\n| summarize Count = count() by uid, src_ip, dest_ip, tostring(Inferences) \r\n| summarize TotalCount = count()\r\n", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "40", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Monitors for signs of scanning (SC, SP, SV, SA), banner 
messages (BAN), and agent forwarding (AFR) for compliance and security risk identification." + }, + "customWidth": "60", + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SSHResults = corelight_ssh\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| mv-expand todynamic(Inferences)\r\n| where Inferences in (\"SC\", \"SP\", \"SV\", \"SA\", \"AFR\", \"BAN\") \r\n| summarize Count = count() by uid, src_ip, dest_ip, tostring(Inferences)\r\n| project-reorder uid, src_ip, dest_ip, Count, Inferences;\r\nlet SSHCount = SSHResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = datatable(uid: string)\r\n[\"No Results\"];\r\nunion isfuzzy=true\r\n(SSHResults| where toscalar(SSHCount) != 0),\r\n(NoResults| where toscalar(SSHCount) == 0)\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "SSH Inferences for Potential Security Risks", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "group - 7-Potential Security Risks" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Automated SSH Session Indicators", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ssh\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| mv-expand todynamic(Inferences)\r\n| where Inferences in (\"PKA\", \"AUTO\", \"KS\", \"CTS\")\r\n| summarize\r\n src_ip = strcat_array(make_list(id_orig_h), \",\"),\r\n dest_ip = strcat_array(make_list(id_resp_h), \",\"),\r\n Inferences = strcat_array(make_list(Inferences), \",\"),\r\n 
Count = count()\r\n by uid\r\n| summarize TotalCount = count()\r\n", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "40", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Tracks automated SSH sessions to enhance security and operational efficiency, highlighting potential risks and compliance issues. It identifies anomalies and unauthorized activities, ensuring that automation tools are used securely and efficiently. This tool is crucial for SOC analysts to monitor for security breaches and optimize system management." 
+ }, + "customWidth": "60", + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SSHResults = corelight_ssh\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| mv-expand todynamic(Inferences)\r\n| where Inferences in (\"PKA\", \"AUTO\", \"KS\", \"CTS\")\r\n| summarize\r\n src_ip = strcat_array(make_list(id_orig_h), \",\"),\r\n dest_ip = strcat_array(make_list(id_resp_h), \",\"),\r\n Inferences = strcat_array(make_list(Inferences), \",\"),\r\n Count = count()\r\n by uid;\r\nlet SSHCount = SSHResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = datatable(uid: string, src_ip: string, dest_ip: string, Inferences: string, Count: long)\r\n[\"No Results\", \"N/A\", \"N/A\", \"N/A\", 0];\r\nunion isfuzzy=true\r\n(SSHResults| where toscalar(SSHCount) != 0),\r\n(NoResults| where toscalar(SSHCount) == 0)\r\n\r\n\r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "SSH Session Inferences", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "group - 8 - Automated SSH Session Indicators" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Advanced Threat Indicators", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_ssh\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| mv-expand todynamic(Inferences)\r\n| where Inferences in (\"ABP\", \"RSP\", \"RSI\", \"RSIA\", \"RSL\", \"RSK\")\r\n| summarize arg_max(TimeGenerated, *) by uid\r\n| summarize Count = count() by uid, id_orig_h, id_resp_h, 
tostring(Inferences)\r\n| summarize TotalCount = count()\r\n", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "uid", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": true + } + }, + "customWidth": "40", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Helps to identify potential advanced threat indicators such as Client Authentication Bypass (ABP) and Reverse SSH tunneling activities (RSP, RSI, RSIA, RSL, RSK) for in-depth investigation." + }, + "customWidth": "60", + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SSHResults = corelight_ssh\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| mv-expand todynamic(Inferences)\r\n| where Inferences in (\"ABP\", \"RSP\", \"RSI\", \"RSIA\", \"RSL\", \"RSK\")\r\n| summarize arg_max(TimeGenerated, *) by uid\r\n| summarize Count = count() by uid, id_orig_h, id_resp_h, tostring(Inferences)\r\n| project-rename Inference = Inferences, src_ip = id_orig_h , dest_ip = id_resp_h;\r\nlet SSHCount = SSHResults\r\n| summarize count()\r\n| project count_;\r\nlet NoResults = datatable(uid: string, src_ip: string, dest_ip: string, Inference: string, Count: long)\r\n[\"No Results\", \"N/A\", \"N/A\", \"N/A\", 0];\r\nunion isfuzzy=true\r\n(SSHResults| where toscalar(SSHCount) != 0),\r\n(NoResults| where toscalar(SSHCount) == 0)\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "SSH Advanced Threats Inferences", + 
"noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "group - 9 - Advanced Threat Indicators" } - } + ] }, - "customWidth": "50", - "name": "Top Software Types" + "name": "group - Encrypted Traffic Notables" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "SecureChannelInsights" + }, + "name": "Secure Channel Insights" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Name Resolution Insights\r\n##### Insights on Name Resolution (DNS)" + }, + "name": "text - 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### DNS Hygiene\r\n----" + }, + "name": "text - 6" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Responding DNS Servers", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| summarize count() by dest_ip\r\n| count", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 
17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "35", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### DNS servers actively responding in the network are key to secure operations, translating domain names to IP addresses and directing traffic. It also logs the number of queries and unique clients interacting with the DNS servers, offering insights into possible rogue DNS servers and detecting patterns that may suggest data exfiltration attempts." + }, + "customWidth": "65", + "name": "text - 1", + "styleSettings": { + "margin": "11px", + "padding": "10px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| extend IPInfo = geo_info_from_ip_address(dest_ip)\r\n| summarize\r\n [\"# of Queries\"] = count(),\r\n [\"# of Unique Clients\"] = dcount(src_ip),\r\n Country = any(IPInfo.country),\r\n any(is_dest_internal_ip)\r\n by dest_ip\r\n| extend\r\n Internal = iff(\r\n any_is_dest_internal_ip == \"true\",\r\n \"Yes\",\r\n \"No\"\r\n ),\r\n Country = iff(isempty(Country), \"Unknown\", Country)\r\n| project\r\n Destination = dest_ip,\r\n ['# of Queries'],\r\n ['# of Unique Clients'],\r\n Country,\r\n Internal\r\n| sort by ['# of Queries'], ['# of Unique Clients'] desc ", + "size": 0, + "showAnalytics": true, + "title": "DNS Servers actively responding to queries", + "noDataMessage": "No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "responding dns servers" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", 
+ "groupType": "editable", + "title": "Unusual Qtypes", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where qtype_name in (\"AXFR\", \"IXFR\", \"ANY\", \"TXT\")\r\n| summarize count() by qtype_name, dest_ip\r\n| summarize Count = sum(count_)", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "35", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Unusual DNS query types can indicate misconfigurations, experimental features, or potential security threats like data exfiltration or tunneling. Analysts should scrutinize such queries for anomalies and address identified risks to safeguard network security." 
+ }, + "customWidth": "65", + "name": "text - 1", + "styleSettings": { + "margin": "21px", + "padding": "10px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let FilteredDNS = (\r\ncorelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where qtype_name in (\"AXFR\", \"IXFR\", \"ANY\", \"TXT\")\r\n);\r\nlet DNSRecords = (\r\nFilteredDNS\r\n| summarize count() by qtype_name, dest_ip\r\n);\r\nFilteredDNS\r\n| join kind=leftouter(DNSRecords) on $left.qtype_name == $right.qtype_name, $left.dest_ip == $right.dest_ip\r\n| summarize arg_max(TimeGenerated, *) by qtype_name, dest_ip\r\n| project Qtype = qtype_name, Responder = dest_ip, Source = src_ip, Query = query, Count = count_\r\n| sort by Count", + "size": 0, + "showAnalytics": true, + "title": "Unusual Query Types found", + "noDataMessage": "No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "Count", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "Count", + "sortOrder": 2 + } + ] + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "unusual qtypes" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "NXDOMAIN Responses", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where tolower(rcode_name) in (\"nxdomain\", \"noerror\")\r\n| extend query_rejected = iff(rejected == true, \"Yes\", \"No\")\r\n| summarize count() by src_ip, dest_ip, query, query_rejected\r\n| summarize sum(count_)", + "size": 3, + "showAnalytics": true, + "noDataMessage": 
"No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "sum_count_", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "35", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### High rates of DNS NXDOMAIN responses might suggest misconfigured domains, typographical errors in network requests, or malicious activities such as DNS reconnaissance. Close examination is advised to correct configurations or identify security incidents. Review DNS logs for patterns, validate domain configurations, and check endpoint security for signs of malware." + }, + "customWidth": "65", + "name": "text - 1", + "styleSettings": { + "margin": "7px", + "padding": "10px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where tolower(rcode_name) in (\"nxdomain\", \"noerror\")\r\n| extend query_rejected = iff(rejected == true, \"Yes\", \"No\")\r\n| summarize count() by src_ip, dest_ip, query, query_rejected\r\n| project Source = src_ip, Responder = dest_ip, Query = query, Rejected = query_rejected, Count = count_\r\n| sort by Count desc\r\n", + "size": 0, + "showAnalytics": true, + "title": "Network Evidence for NXDOMAIN Responses", + "noDataMessage": "No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + 
"showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "nxdomain responses" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Monitoring DNS Query Response Times > 15ms", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| summarize avg_rtt = avg(todouble(rtt)) by query, dest_ip\r\n| where avg_rtt > 0.015\r\n| extend avg_rtt = round(avg_rtt*1000, 2)\r\n| count ", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "35", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Long DNS query response times may indicate network congestion, server performance issues, or potential security threats. Timely analysis is crucial for maintaining optimal network performance and security. Investigate extended response times by examining server configurations, network traffic, and potential external attacks." + }, + "customWidth": "65", + "name": "text - 1", + "styleSettings": { + "margin": "19px", + "padding": "10px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| summarize avg_rtt = avg(todouble(rtt)) by query, dest_ip\r\n| where avg_rtt > 0.015\r\n| extend avg_rtt = round(avg_rtt*1000, 2)\r\n| project Query = query, Responder = dest_ip, [\"Avg. 
Response Time (ms)\"] = avg_rtt", + "size": 0, + "showAnalytics": true, + "title": "Monitoring DNS Query Types by AVG time", + "noDataMessage": "No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "monitoring DNS query response times > 15ms" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Failed DNS Queries", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where tolower(rcode_name) in (\"servfail\", \"refused\", \"formerr\", \"notimp\", \"notauth\")\r\n| summarize count() by rcode_name\r\n| count", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "35", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Failed DNS queries may point to misconfigurations, outdated systems, or security threats such as network infiltration or DNS poisoning. Analysts should investigate the sources and patterns of these failures to identify and remediate underlying causes, thereby ensuring network integrity and security." 
+ }, + "customWidth": "65", + "name": "text - 1", + "styleSettings": { + "margin": "10px", + "padding": "10px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let FilteredDNS = (\r\n corelight_dns\r\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n | where tolower(rcode_name) in (\"servfail\", \"refused\", \"formerr\", \"notimp\", \"notauth\")\r\n );\r\nlet RcodeCount = (\r\n FilteredDNS\r\n | summarize count() by rcode_name, dest_ip, src_ip\r\n );\r\nFilteredDNS\r\n| join kind=innerunique (RcodeCount) on rcode_name, dest_ip, src_ip\r\n| project\r\n Source = src_ip,\r\n Responder = dest_ip,\r\n Query = query,\r\n [\"Response Code\"] = toupper(rcode_name),\r\n Count = count_\r\n| sort by Count desc ", + "size": 0, + "showAnalytics": true, + "title": "Network Evidence for Failed DNS Queries", + "noDataMessage": "No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "Count", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "Count", + "sortOrder": 2 + } + ] + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "failed DNS queries" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "DNS Query Volume Over Time", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_conn\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where service == \"dns\"\r\n| summarize TotalTraffic = sum(todouble(orig_bytes))", + "size": 3, + "showAnalytics": true, + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": {}, + "leftContent": { + "columnMatch": "TotalTraffic", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 2, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "35", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Monitor total DNS-related network traffic in MB/GB. Sudden spikes or unusual patterns could signal configuration errors, compromised devices making excessive queries, or potential data exfiltration attempts." + }, + "customWidth": "65", + "name": "text - 1", + "styleSettings": { + "margin": "18px", + "padding": "10px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\r\ncorelight_dns\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| summarize Count = count() by bin(TimeGenerated, bin_duration), uid", + "size": 0, + "showAnalytics": true, + "title": "Monitoring Query Types by AVG time", + "noDataMessage": "No data found", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "chartSettings": { + "xAxis": "TimeGenerated", + "yAxis": [ + "Count" + ], + "group": "uid", + "createOtherGroup": 99 + } + }, + "name": "query - 2", + "styleSettings": { + "margin": "10px" + } + } + ] + }, + "customWidth": "50", + "name": "DNS query volume over time" + } + ] + }, + "name": "dns hygiene" + 
} + ] + }, + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "NameResolutionInsights" + }, + "name": "group - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Remote Activity Insights" + }, + "name": "title" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### Remote Access Hygiene\r\n---" + }, + "name": "text - 0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "RDP Authentication Attempts", + "expandable": true, + "items": [ + { + "type": 1, + "content": { + "json": "Total count of RDP success and failed actions within the specified time.\r\n\r\n" + }, + "name": "text - 0" + } + ] + }, + "name": "group - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_rdp\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where action != \"unknown\"\r\n| summarize count() by action\r\n| summarize Total = sum(count_)", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "exportFieldName": "Total", + "exportParameterName": "count", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Total", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "35", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Monitoring RDP 
authentications is crucial for identifying unauthorized access and distinguishing between successful and failed login attempts. Security teams should analyze trends and cross-reference user activity for rapid response and mitigation." + }, + "customWidth": "65", + "name": "text - 2", + "styleSettings": { + "margin": "36px 36px 0px 0px", + "padding": "0px 0px 30px 0px" + } + }, + { + "type": 1, + "content": { + "json": "#### Click on the Count in above tile to view more information.", + "style": "info" + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_rdp\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where action != \"unknown\"", + "size": 0, + "showAnalytics": true, + "title": "Details of RDP Authentication Attempts", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "action", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "50%" + } + }, + { + "columnMatch": "Count", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "50%" + } + } + ], + "rowLimit": 10000, + "filter": true, + "labelSettings": [ + { + "columnId": "action", + "label": "Action" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "count", + "comparison": "isNotEqualTo" + }, + "name": "query - 3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let interval_in_hrs= datetime_diff('hour', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet interval_in_days= datetime_diff('day', {GlobalTimeRestriction:end}, {GlobalTimeRestriction:start});\r\nlet bin_duration=case(interval_in_hrs<=24, 1h, interval_in_days<=30, 1d, 
interval_in_days>=31 and interval_in_days<=90, 7d, 31d);\r\ncorelight_rdp\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where action != \"unknown\"\r\n| make-series Count=count() default = 0 on TimeGenerated from {GlobalTimeRestriction:start} to {GlobalTimeRestriction:end} step bin_duration by action", + "size": 0, + "showAnalytics": true, + "title": "Failed vs Successful Authentications", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "x", + "parameterName": "Time", + "defaultValue": "none" + }, + { + "fieldName": "series", + "parameterName": "Action", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "action", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "action", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "chartSettings": { + "xAxis": "TimeGenerated", + "group": "action", + "createOtherGroup": 0, + "showLegend": true, + "seriesLabelSettings": [ + { + "seriesName": "success", + "color": "green" + }, + { + "seriesName": "failure", + "color": "redBright" + } + ], + "ySettings": { + "label": "Count" + } + } + }, + "name": "query - 1", + "styleSettings": { + "padding": "10px" + } + }, + { + "type": 1, + "content": { + "json": "#### Click on the datapoints in panel Failed vs Successful Authentications above to 
view more information.", + "style": "info" + }, + "name": "text - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_rdp\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where action == \"{Action}\"", + "size": 0, + "showAnalytics": true, + "title": "Details of Failed vs Successful Authentications", + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Time", + "comparison": "isNotEqualTo", + "value": "none" + }, + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "rdp authentication attempts" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Identifying Failed RDP Logins", + "expandable": true, + "items": [ + { + "type": 1, + "content": { + "json": "Total count of users with login failures within the specified time.\r\n\r\n" + }, + "name": "text - 0" + } + ] + }, + "name": "group - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_rdp\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where action == \"failure\" or auth_success == \"false\"\r\n| where isnotempty(cookie)\r\n| extend User = cookie\r\n| summarize dcount(User)", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + 
"leftContent": { + "columnMatch": "dcount_User", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "35", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Monitoring failed RDP logins is essential for detecting unauthorized access attempts. Security teams should analyze patterns of failed entries against user and IP data to identify potential breaches. This focus helps in quickly addressing vulnerabilities in RDP security. Effective monitoring of these incidents is crucial for maintaining system integrity." + }, + "customWidth": "65", + "name": "text - 1", + "styleSettings": { + "margin": "25px", + "padding": "0px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let FilteredRDP = (\r\ncorelight_rdp\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where action == \"failure\" or auth_success == \"false\"\r\n| where isnotempty(cookie)\r\n);\r\nlet CookieCount = (\r\nFilteredRDP\r\n| summarize Count = count() by cookie\r\n);\r\nlet QueryResult = (\r\nFilteredRDP\r\n| join kind=leftouter(CookieCount) on $left.cookie == $right.cookie\r\n| extend User = cookie, Source = src_ip, Responder = dest_ip, Auth_Success = tostring(auth_success), Result = result\r\n| summarize arg_max(TimeGenerated, *) by User\r\n| project User, Source, Responder, ['Auth Success'] = Auth_Success, Result, Count\r\n| sort by Count\r\n);\r\nlet QueryCount = (\r\nQueryResult\r\n| count\r\n);\r\nlet NoResults = (\r\ndatatable ( User: string, Source: string, Responder: string, ['Auth Success']: string, Result: string, Count: long) [ \"No Results\", \"N/A\", \"N/A\", \"N/A\", \"N/A\", 0]\r\n);\r\nunion isfuzzy=true \r\n(QueryResult| where toscalar(QueryCount) != 0),\r\n(NoResults | where toscalar (QueryCount) == 0)", + "size": 0, + "showAnalytics": true, + "noDataMessage": "No data 
found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "identifying failed rdp logins" + } + ] + }, + "name": "remote access hygiene" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### VPN Insights\r\n---" + }, + "name": "text - 0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Unusual Remote Activity", + "expandable": true, + "items": [ + { + "type": 1, + "content": { + "json": "Total count of VPN connections that have the following inferences NSP - Non-Standard Port RW - Road warrior configuration detected (i.e. 
Cisco Anyconnect) COM - Commercial VPN service occurring at the same time which is deemed suspicious.\r\n\r\n" + }, + "name": "text - 0" + } + ] + }, + "name": "group - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_vpn\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where Inferences has_all (\"COM\", \"RW\", \"NSP\")\r\n| summarize count() by src_ip, dest_ip, tostring(Inferences), vpn_type\r\n| count", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "exportFieldName": "Count", + "exportParameterName": "Count", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "35", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### The combination of the \"COM\", \"RW\", and \"NSP\" inferences in a single VPN connection raises questions: Policy Violation: Is the use of commercial VPNs allowed in your organization's security policy? If not, this could indicate a violation. Hidden Activity: Is the non-standard port usage an attempt to mask other activities happening over the VPN tunnel?" 
+ }, + "customWidth": "65", + "name": "text - 1", + "styleSettings": { + "margin": "34px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let FilteredVPN = (\r\n corelight_vpn\r\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n | where Inferences has_all (\"COM\", \"RW\", \"NSP\")\r\n );\r\nlet VPNCount = (\r\n FilteredVPN\r\n | extend Inferences = tostring(Inferences)\r\n | summarize Count = count() by src_ip, dest_ip, Inferences, vpn_type\r\n | project src_ip, dest_ip, Inferences, vpn_type, Count\r\n );\r\nlet QueryResults = (\r\nFilteredVPN\r\n| extend Inferences_string = tostring(Inferences)\r\n| join kind=innerunique(VPNCount)\r\n on\r\n $left.src_ip == $right.src_ip,\r\n $left.dest_ip == $right.dest_ip,\r\n $left.Inferences_string == $right.Inferences,\r\n $left.vpn_type == $right.vpn_type\r\n| extend\r\n Source = src_ip,\r\n Responder = dest_ip,\r\n [\"VPN Type\"] = vpn_type,\r\n Count\r\n| extend NewInferences = strcat_array(Inferences, \",\")\r\n| project Source, Responder, Inferences = NewInferences, ['VPN Type'], Count\r\n| sort by Count\r\n);\r\nlet QueryCount = (\r\nQueryResults\r\n| count\r\n);\r\nlet NoResults = (\r\ndatatable ( Source: string, Responder: string , Inferences: string, ['VPN Type']: string, Count: long)\r\n[\"N/A\", \"N/A\", \"N/A\", \"N/A\", 0]\r\n);\r\nunion isfuzzy=true \r\n(QueryResults | where toscalar(QueryCount) != 0),\r\n(NoResults | where toscalar(QueryCount) == 0)", + "size": 0, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "VPN Type", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "15%" + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", 
+ "styleSettings": { + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "unusual remote activity" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Suspected Data Exfiltration", + "expandable": true, + "items": [ + { + "type": 1, + "content": { + "json": "Total count of VPN connections using potentially unusual connection configurations such as static TLS key auth." + }, + "name": "text - 0" + } + ] + }, + "name": "group - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_vpn\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where Inferences has_any (\"TLS\", \"SK\")\r\n| summarize count() by src_ip, dest_ip\r\n| count", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal" + } + } + }, + "showBorder": true + } + }, + "customWidth": "35", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Unmonitored commercial VPNs with a typical traffic patterns or static keys could be used to bypass security controls for data theft.\r\n\r\n#### **Investigate:** Examine VPN sessions with large outgoing transfers, focusing on unusual destinations or protocols." 
+ }, + "customWidth": "65", + "name": "text - 1", + "styleSettings": { + "margin": "30px", + "padding": "10px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let FilteredVPN = (\r\n corelight_vpn\r\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n | where Inferences has_any (\"TLS\", \"SK\")\r\n );\r\nlet VPNCount = ( \r\n FilteredVPN\r\n | summarize Count = count() by src_ip, dest_ip\r\n );\r\nlet QueryResults = (\r\nFilteredVPN\r\n| extend inferences_string = tostring(replace(\",\", \":\", strcat_array(Inferences, \":\")))\r\n| join kind=leftouter(VPNCount) on src_ip, dest_ip\r\n| summarize arg_max(TimeGenerated, *) by src_ip, dest_ip\r\n| project\r\n Source = src_ip,\r\n Responder = dest_ip,\r\n Inferences = inferences_string,\r\n [\"Responder Country\"] = resp_cc,\r\n [\"VPN Type\"] = vpn_type,\r\n Count\r\n| sort by Count\r\n);\r\nlet QueryCount = (\r\nVPNCount\r\n| count \r\n);\r\nlet NoResults = (\r\ndatatable ( Source: string, Responder: string, Inferences: string, [\"Responder Country\"]: string, [\"VPN Type\"]: string, Count: long)\r\n[\"N/A\", \"N/A\", \"N/A\", \"N/A\", \"N/A\", 0]\r\n);\r\nunion isfuzzy=true \r\n(QueryResults | where toscalar(QueryCount) != 0),\r\n(NoResults | where toscalar(QueryCount) == 0)", + "size": 0, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Responder Country", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "3%" + } + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "margin": "12px", + "showBorder": true + } + } + ] + }, + "customWidth": "50", + "name": "suspected data exfiltration" + }, + { + "type": 12, + 
"content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Possible Unauthorized Remote Access Attempts", + "expandable": true, + "items": [ + { + "type": 1, + "content": { + "json": "Total count of VPN connections that are using the RW- Road warrior configuration detected (i.e. Cisco Anyconnect) and FW - Firewall subversion inferences." + }, + "name": "text - 0" + } + ] + }, + "name": "group - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "corelight_vpn\r\n| where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n| where Inferences has_any (\"RW\", \"FW\")\r\n| summarize count() by uid\r\n| count", + "size": 3, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "greenRed" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": true + } + }, + "customWidth": "30", + "name": "query - 0" + }, + { + "type": 1, + "content": { + "json": "#### Monitoring for \"RW\" (Road Warrior) and \"FW\" (Firewall subversion) inferences is crucial for detecting potential unauthorized access, as these patterns may indicate attempts to bypass security controls. Security teams should prioritize correlating these inferences with internal IP ranges and device logs to identify suspicious activities." 
+ }, + "customWidth": "70", + "name": "text - 1", + "styleSettings": { + "padding": "50px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let FilteredVPN = (\r\n corelight_vpn\r\n | where ('*' in ({Sensor}) or sensor_name in ({Sensor}))\r\n | where Inferences has_any (\"RW\", \"FW\")\r\n );\r\nlet VPNCount = ( \r\n FilteredVPN\r\n | summarize Count = count() by uid\r\n );\r\nlet QueryResults = (\r\nFilteredVPN\r\n| join kind=leftouter(VPNCount) on uid\r\n| summarize arg_max(TimeGenerated, *) by uid\r\n| extend\r\n Source = src_ip,\r\n Responder = dest_ip,\r\n Proto = proto,\r\n Inferences = Inferences,\r\n Bytes = orig_bytes\r\n| extend NewInferences = strcat_array(todynamic(Inferences), \",\")\r\n| project\r\n Source,\r\n Responder,\r\n Proto,\r\n Inferences = NewInferences,\r\n [\"Dest Port\"] = dest_port,\r\n Bytes,\r\n Count\r\n| sort by Count\r\n);\r\nlet QueryCount = (\r\nVPNCount\r\n| count \r\n);\r\nlet NoResults = (\r\ndatatable ( Source: string, Responder: string, Proto: string, Inferences: string, [\"Dest Port\"]: string, Bytes: string , Count: long)\r\n[\"No Results\", \"N/A\", \"N/A\", \"N/A\", \"N/A\", \"N/A\", 0]\r\n);\r\nunion isfuzzy=true \r\n(QueryResults | where toscalar(QueryCount) != 0),\r\n(NoResults | where toscalar(QueryCount) == 0)\r\n| extend [\"Dest Port\"] = coalesce(tostring(tolong(['Dest Port_real'])), ['Dest Port_string']), Bytes = coalesce(tostring(tolong(Bytes_real)), Bytes_string)\r\n| project-away ['Dest Port_*'], Bytes_*\r\n| project-reorder \r\n Source,\r\n Responder,\r\n Proto,\r\n Inferences,\r\n [\"Dest Port\"],\r\n Bytes,\r\n Count", + "size": 0, + "showAnalytics": true, + "noDataMessage": "No data found.", + "timeContextFromParameter": "GlobalTimeRestriction", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + 
"name": "query - 2", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "name": "possible unauthorized remote access attempts" + } + ] + }, + "name": "vpn insights" } ] }, - "name": "deprecated_software" + "conditionalVisibility": { + "parameterName": "Tab", + "comparison": "isEqualTo", + "value": "RemoteActivityInsights" + }, + "name": "group - 14" } ] }, "conditionalVisibility": { - "parameterName": "Tab", + "parameterName": "dashboard", "comparison": "isEqualTo", - "value": "corelight_software" + "value": "SecurityWorkflows" }, - "name": "corelight_software_group" + "name": "Security Workflows" } ], - "fallbackResourceIds": [], - "fromTemplateId": "sentinel-CorelightWorkbook", + "fromTemplateId": "sentinel-Corelight", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} +} \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml index 9dc6caffe95..2da2a89b350 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalOrHighSeverityDetectionsByUser.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CrowdStrikeFalconEndpointProtection - dataTypes: - - CommonSecurityLog - - connectorId: CrowdStrikeFalconEndpointProtectionAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -18,8 +12,8 @@ queryFrequency: 1h queryPeriod: 1h triggerOperator: gt triggerThreshold: 0 -tactics: -relevantTechniques: +tactics: [] +relevantTechniques: [] query: | let timeframe = 1h; let threshold = 15; // update threshold value based on organization's preference 
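Review bot: `tactics: []` and `relevantTechniques: []` in the second hunk leave this Critical/High severity rule with no ATT&CK mapping, so the incidents it raises carry no tactic or technique for triage views and MITRE coverage reporting; the same empty lists are written in CriticalSeverityDetection.yaml. Making the lists explicitly empty satisfies the schema, but a reviewer cannot tell whether the omission is deliberate; if no mapping is intended, a comment above the field such as `# no tactic mapping: severity is vendor-assigned, not technique-specific` would make that explicit, and otherwise at least one tactic should be recorded. The removal of the `CrowdStrikeFalconEndpointProtection` and `CrowdStrikeFalconEndpointProtectionAma` connector entries is consistent with those connector files being dropped from the solution elsewhere in this commit. The `query:` body continues outside the hunk.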
@@ -55,5 +49,5 @@ entityMappings: columnName: FileHashAlgo - identifier: Value columnName: FileHashCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml index 6a9d25bea3c..8b4f91261c5 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Analytic Rules/CriticalSeverityDetection.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: CrowdStrikeFalconEndpointProtection - dataTypes: - - CommonSecurityLog - - connectorId: CrowdStrikeFalconEndpointProtectionAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -18,8 +12,8 @@ queryFrequency: 1h queryPeriod: 1h triggerOperator: gt triggerThreshold: 0 -tactics: -relevantTechniques: +tactics: [] +relevantTechniques: [] query: | let timeframe = 1h; CrowdStrikeFalconEventStream @@ -47,5 +41,5 @@ entityMappings: columnName: FileHashAlgo - identifier: Value columnName: FileHashCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip index b9769c4be2d..ce530240be5 100644 Binary files a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip and b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeFalconAPISentinelConn.zip differ 
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json index 83047bb692c..98e96bc04b8 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json 
@@ -111,7 +111,7 @@ }, { "title": "", - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "title": "", 
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json index 95790332481..3960642d132 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicator/azuredeploy_Connector_CrowdstrikeFalconAPI_AzureFunction.json @@ -161,7 +161,7 @@ "alwaysOn": true, "reserved": true, "siteConfig": { - "linuxFxVersion": "python|3.8" + "linuxFxVersion": "python|3.11" } }, "resources": [ diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip index 6fa331a536c..f78fab29def 100644 Binary files a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip and b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn.zip differ diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/EventsToTableMapping.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/EventsToTableMapping.json index 833bb954d43..6ef19b47717 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/EventsToTableMapping.json 
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeFalconAPISentinelConn/QueueTriggerCS/EventsToTableMapping.json @@ -1,6 +1,16 @@ { "ZipFileWritten": "File", "XarFileWritten": "File", + "SourceCodeFileWritten": "File", + "IsoExtensionFileWritten": "File", + "ImgExtensionFileWritten": "File", + "UnixFileWritten": "File", + "PythonFileWritten": "File", + "WebScriptFileWritten": "File", + "RegistryHiveFileWritten": "File", + "ADExplorerFileWritten": "File", + "CrxFileWritten": "File", + "DexFileWritten": "File", "VmdkFileWritten": "File", "VdiFileWritten": "File", "TiffFileWritten": "File", @@ -53,6 +63,7 @@ "DmpFileWritten": "File", "DmgFileWritten": "File", "DirectoryCreate": "File", + "DebFileWritten": "File", "CriticalFileModified": "File", "CriticalFileAccessed": "File", "CabFileWritten": "File", diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json index b5094eeb4e3..3203e692f6b 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json 
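Review bot: The ten keys added in the first hunk (`SourceCodeFileWritten` through `DexFileWritten`) are inserted as a single block between `XarFileWritten` and `VmdkFileWritten`, breaking the reverse-alphabetical order the surrounding entries follow, whereas `DebFileWritten` in the second hunk is correctly slotted between `DirectoryCreate` and `CriticalFileModified`. Placing each new name at its sorted position keeps the mapping greppable and makes a duplicate key visible at review time, which matters because JSON allows no comment to flag the ordering convention. Both hunks only map additional event names to the existing `File` table, so no new destination table is introduced by this change.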
@@ -5,9 +5,7 @@
 "Description": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
 "Data Connectors": [
 "Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json",
- "Data Connectors/Connector_Syslog_CrowdStrikeFalconEndpointProtection.json",
 "Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json",
- "Data Connectors/template_CrowdStrikeFalconEndpointProtectionAma.json",
 "Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconAdversaryIntelligence_FunctionApp.json"
 ],
 "Parsers": [
@@ -31,7 +29,7 @@
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CrowdStrike Falcon Endpoint Protection",
- "Version": "3.0.8",
+ "Version": "3.0.9",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.9.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.9.zip
new file mode 100644
index 00000000000..c33daac9077
Binary files /dev/null and b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.0.9.zip differ
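Review bot: The `Description` context line still says "The existing connectors are about to be deprecated by **Aug 31, 2024**" and steers users to CEF via AMA, while this hunk removes both `Connector_Syslog_CrowdStrikeFalconEndpointProtection.json` and `template_CrowdStrikeFalconEndpointProtectionAma.json` from the solution, so the deprecation notice now refers to connectors the package no longer ships and should be rewritten or dropped. After the removal the `Data Connectors` array holds three entries and the regenerated `mainTemplate.json` defines connector variables only up to `dataConnectorContentId3`, yet the regenerated `createUiDefinition.json` in this diff states `**Data Connectors:** 4`; that count looks inconsistent with the inputs, so check how the packager derived it before publishing 3.0.9. The regenerated UI also adds `dataconnectors3-text` with a paragraph identical to `dataconnectors2-text`, so the installer shows the same generic sentence twice; naming which connector each block describes would avoid that.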
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json index 6b8a7c9ff7b..02bd9cc1667 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 5, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 4, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -67,7 +67,14 @@ "name": "dataconnectors2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, { diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json index 6dbaba8a153..fd1a26eaca1 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "CrowdStrike Falcon Endpoint Protection", - "_solutionVersion": "3.0.8", + "_solutionVersion": "3.0.9", "solutionId": "azuresentinel.azure-sentinel-solution-crowdstrikefalconep", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "CrowdstrikeReplicator", 
@@ -53,42 +53,24 @@ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "CrowdStrikeFalconEndpointProtection", + "uiConfigId2": "CrowdstrikeReplicatorv2", "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "CrowdStrikeFalconEndpointProtection", + "dataConnectorContentId2": "CrowdstrikeReplicatorv2", "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", "_dataConnectorId2": "[variables('dataConnectorId2')]", "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", + "dataConnectorVersion2": "1.0.1", "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", - "uiConfigId3": "CrowdstrikeReplicatorv2", + "uiConfigId3": "CrowdStrikeFalconAdversaryIntelligence", "_uiConfigId3": "[variables('uiConfigId3')]", - "dataConnectorContentId3": "CrowdstrikeReplicatorv2", + "dataConnectorContentId3": "CrowdStrikeFalconAdversaryIntelligence", "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]", "dataConnectorId3": 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", "_dataConnectorId3": "[variables('dataConnectorId3')]", "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]", - "dataConnectorVersion3": "1.0.1", + "dataConnectorVersion3": "1.0.0", "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]", - "uiConfigId4": "CrowdStrikeFalconEndpointProtectionAma", - "_uiConfigId4": "[variables('uiConfigId4')]", - "dataConnectorContentId4": "CrowdStrikeFalconEndpointProtectionAma", - "_dataConnectorContentId4": "[variables('dataConnectorContentId4')]", - "dataConnectorId4": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", - "_dataConnectorId4": "[variables('dataConnectorId4')]", - "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4'))))]", - "dataConnectorVersion4": "1.0.0", - "_dataConnectorcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId4'),'-', variables('dataConnectorVersion4'))))]", - "uiConfigId5": "CrowdStrikeFalconAdversaryIntelligence", - "_uiConfigId5": "[variables('uiConfigId5')]", - "dataConnectorContentId5": "CrowdStrikeFalconAdversaryIntelligence", - "_dataConnectorContentId5": 
"[variables('dataConnectorContentId5')]", - "dataConnectorId5": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", - "_dataConnectorId5": "[variables('dataConnectorId5')]", - "dataConnectorTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId5'))))]", - "dataConnectorVersion5": "1.0.0", - "_dataConnectorcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId5'),'-', variables('dataConnectorVersion5'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','CrowdStrikeFalconEventStream Data Parser')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'CrowdStrikeFalconEventStream Data Parser')]", 
@@ -118,18 +100,18 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.3", + "analyticRuleVersion1": "1.0.4", "_analyticRulecontentId1": "4465ebde-b381-45f7-ad08-7d818070a11c", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4465ebde-b381-45f7-ad08-7d818070a11c')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4465ebde-b381-45f7-ad08-7d818070a11c')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4465ebde-b381-45f7-ad08-7d818070a11c','-', '1.0.3')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4465ebde-b381-45f7-ad08-7d818070a11c','-', '1.0.4')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.3", + "analyticRuleVersion2": "1.0.4", "_analyticRulecontentId2": "f7d298b2-726c-42a5-bbac-0d7f9950f527", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f7d298b2-726c-42a5-bbac-0d7f9950f527')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f7d298b2-726c-42a5-bbac-0d7f9950f527')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f7d298b2-726c-42a5-bbac-0d7f9950f527','-', '1.0.3')))]" + 
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f7d298b2-726c-42a5-bbac-0d7f9950f527','-', '1.0.4')))]" }, "CrowdStrike_Base": "CrowdStrike_Base", "_CrowdStrike_Base": "[variables('CrowdStrike_Base')]", @@ -169,7 +151,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8", + "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -299,7 +281,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." 
@@ -500,7 +482,7 @@ "title": "Option 2 - Manual Deployment of Azure Functions" }, { - "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.8.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." + "description": "**1. 
Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicator-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdstrikeReplicatorXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n4. Once all application settings have been entered, click **Save**." @@ -520,7 +502,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8", + "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", 
@@ -536,364 +518,15 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent", - "publisher": "CrowdStrike", - "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", + "title": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)", + "publisher": "Crowdstrike", + "descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Microsoft Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", + "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. 
​Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser).", "graphQueries": [ { "metricName": "Total data received", - "legend": "CrowdStrikeFalconEventStream", - "baseQuery": "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Hosts with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstHostName \n | top 10 by count_" - }, - { - "description": "Top 10 Users with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstUserName \n | top 10 by count_" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CrowdStrikeFalconEventStream)", - "lastDataReceivedQuery": "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "2. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "CrowdStrike Falcon Endpoint Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "CrowdStrike Falcon Endpoint Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent", - "publisher": "CrowdStrike", - "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. 
This gives you more insight into your organization's endpoints and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CrowdStrikeFalconEventStream", - "baseQuery": "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CrowdStrikeFalconEventStream)", - "lastDataReceivedQuery": "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog \n| where DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\"\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Hosts with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstHostName \n | top 10 by count_" - }, - { - "description": "Top 10 Users with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstUserName \n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.", - "title": "2. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion3')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId3')]", - "title": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)", - "publisher": "Crowdstrike", - "descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Microsoft 
Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", - "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. ​Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser).", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CrowdStrikeReplicatorV2", - "baseQuery": "CrowdStrikeReplicatorV2" + "legend": "CrowdStrikeReplicatorV2", + "baseQuery": "CrowdStrikeReplicatorV2" } ], "sampleQueries": [ 
@@ -902,408 +535,56 @@ "query": "CrowdStrikeReplicatorV2 \n | sort by TimeGenerated desc" } ], - "dataTypes": [ - { - "name": "CrowdStrike_Additional_Events_CL", - "lastDataReceivedQuery": "CrowdStrike_Additional_Events_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimNetworkSessionLogs", - "lastDataReceivedQuery": "ASimNetworkSessionLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimDnsActivityLogs", - "lastDataReceivedQuery": "ASimDnsActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimAuditEventLogs", - "lastDataReceivedQuery": "ASimAuditEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimFileEventLogs", - "lastDataReceivedQuery": "ASimFileEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimAuthenticationEventLogs", - "lastDataReceivedQuery": "ASimAuthenticationEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimProcessEventLogs", - "lastDataReceivedQuery": "ASimProcessEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimRegistryEventLogs", - "lastDataReceivedQuery": "ASimRegistryEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimUserManagementActivityLogs", - "lastDataReceivedQuery": "ASimUserManagementActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CrowdStrike_Secondary_Data_CL", - "lastDataReceivedQuery": "CrowdStrike_Secondary_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CrowdStrikeReplicatorV2(starttime=ago(3d)) \n |take 1\n | project IsConnected = true " - ] - } - ], - "availability": { - "status": 1, 
- "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "SQS and AWS S3 account credentials/permissions", - "description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "1. Configure FDR in CrowdStrike - You must contact the [CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable CrowdStrike FDR.\n\t - Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys. \n\t - You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region. \n2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application. \n\t - [Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. \n\t - For **AAD Principal** Id of this application, access the AAD App through [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and capture Object Id from the application overview page.", - "title": "Prerequisites" - }, - { - "description": "Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function", - "title": "Deployment Options" - }, - { - "description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-gov) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Deploy DCE, DCR and Custom Tables for data ingestion**\n\n1. Deploy the required DCE, DCR(s) and the Custom Tables by using the [Data Collection Resource ARM template](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-data-resource) \n2. 
After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).\n\t - DCE log ingestion - Follow the instructions available at [Create data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-data-collection-endpoint) (Step 3).\n\t - Immutable Ids of one or more DCRs (as applicable) - Follow the instructions available at [Collect information from the DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#collect-information-from-the-dcr) (Stpe 2)." - }, - { - "description": "**2. Deploy a Function App**\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." - }, - { - "description": "**3. Configure the Function App**\n\n1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tUSER_SELECTION_REQUIRE_RAW //True if raw data is required\n\t\tUSER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required\n\t\tMAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium\n\t\tMAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here\n\t\tAZURE_TENANT_ID\n\t\tAZURE_CLIENT_ID\n\t\tAZURE_CLIENT_SECRET\n\t\tDCE_INGESTION_ENDPOINT\n\t\tNORMALIZED_DCR_ID\n\t\tRAW_DATA_DCR_ID\n\t\tEVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet\n\t\tREQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet\n\t\tSchedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.\n5. Once all application settings have been entered, click **Save**." - } - ], - "metadata": { - "version": "1.0.1" - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", - "contentId": "[variables('_dataConnectorContentId3')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion3')]", - "source": { - "kind": "Solution", - "name": "CrowdStrike Falcon Endpoint Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": 
"https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId3')]", - "contentKind": "DataConnector", - "displayName": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId3')]", - "id": "[variables('_dataConnectorcontentProductId3')]", - "version": "[variables('dataConnectorVersion3')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId3')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", - "contentId": "[variables('_dataConnectorContentId3')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion3')]", - "source": { - "kind": "Solution", - "name": "CrowdStrike Falcon Endpoint Protection", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": 
"[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)", - "publisher": "Crowdstrike", - "descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Microsoft Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CrowdStrikeReplicatorV2", - "baseQuery": "CrowdStrikeReplicatorV2" - } - ], - "dataTypes": [ - { - "name": "CrowdStrike_Additional_Events_CL", - "lastDataReceivedQuery": "CrowdStrike_Additional_Events_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimNetworkSessionLogs", - "lastDataReceivedQuery": "ASimNetworkSessionLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimDnsActivityLogs", - "lastDataReceivedQuery": "ASimDnsActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimAuditEventLogs", - "lastDataReceivedQuery": "ASimAuditEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimFileEventLogs", - "lastDataReceivedQuery": "ASimFileEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimAuthenticationEventLogs", - "lastDataReceivedQuery": "ASimAuthenticationEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimProcessEventLogs", - "lastDataReceivedQuery": "ASimProcessEventLogs\n | summarize Time = max(TimeGenerated)\n | where 
isnotempty(Time)" - }, - { - "name": "ASimRegistryEventLogs", - "lastDataReceivedQuery": "ASimRegistryEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "ASimUserManagementActivityLogs", - "lastDataReceivedQuery": "ASimUserManagementActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CrowdStrike_Secondary_Data_CL", - "lastDataReceivedQuery": "CrowdStrike_Secondary_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CrowdStrikeReplicatorV2(starttime=ago(3d)) \n |take 1\n | project IsConnected = true " - ] - } - ], - "sampleQueries": [ - { - "description": "Data Replicator - All Activities", - "query": "CrowdStrikeReplicatorV2 \n | sort by TimeGenerated desc" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions on the workspace are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "name": "Microsoft.Web/sites permissions", - "description": "Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." - }, - { - "name": "SQS and AWS S3 account credentials/permissions", - "description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket." - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." - }, - { - "description": "1. Configure FDR in CrowdStrike - You must contact the [CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable CrowdStrike FDR.\n\t - Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys. \n\t - You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region. \n2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application. 
\n\t - [Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. \n\t - For **AAD Principal** Id of this application, access the AAD App through [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and capture Object Id from the application overview page.", - "title": "Prerequisites" - }, - { - "description": "Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function", - "title": "Deployment Options" - }, - { - "description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-gov) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. 
Click **Purchase** to deploy.", - "title": "Option 1 - Azure Resource Manager (ARM) Template" - }, - { - "description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).", - "title": "Option 2 - Manual Deployment of Azure Functions" - }, - { - "description": "**1. Deploy DCE, DCR and Custom Tables for data ingestion**\n\n1. Deploy the required DCE, DCR(s) and the Custom Tables by using the [Data Collection Resource ARM template](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-data-resource) \n2. After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).\n\t - DCE log ingestion - Follow the instructions available at [Create data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-data-collection-endpoint) (Step 3).\n\t - Immutable Ids of one or more DCRs (as applicable) - Follow the instructions available at [Collect information from the DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#collect-information-from-the-dcr) (Stpe 2)." - }, - { - "description": "**2. Deploy a Function App**\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." - }, - { - "description": "**3. Configure the Function App**\n\n1. Go to Azure Portal for the Function App configuration.\n2. 
In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tUSER_SELECTION_REQUIRE_RAW //True if raw data is required\n\t\tUSER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required\n\t\tMAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium\n\t\tMAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here\n\t\tAZURE_TENANT_ID\n\t\tAZURE_CLIENT_ID\n\t\tAZURE_CLIENT_SECRET\n\t\tDCE_INGESTION_ENDPOINT\n\t\tNORMALIZED_DCR_ID\n\t\tRAW_DATA_DCR_ID\n\t\tEVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet\n\t\tREQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet\n\t\tSchedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.\n5. Once all application settings have been entered, click **Save**." - } - ], - "id": "[variables('_uiConfigId3')]", - "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. ​Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser)." 
- } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion4')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId4')]", - "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA", - "publisher": "CrowdStrike", - "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. 
This gives you more insight into your organization's endpoints and improves your security operation capabilities.", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "CrowdStrikeFalconEventStream", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ + "dataTypes": [ + { + "name": "CrowdStrike_Additional_Events_CL", + "lastDataReceivedQuery": "CrowdStrike_Additional_Events_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimNetworkSessionLogs", + "lastDataReceivedQuery": "ASimNetworkSessionLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimDnsActivityLogs", + "lastDataReceivedQuery": "ASimDnsActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimAuditEventLogs", + "lastDataReceivedQuery": "ASimAuditEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimFileEventLogs", + "lastDataReceivedQuery": "ASimFileEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimAuthenticationEventLogs", + "lastDataReceivedQuery": "ASimAuthenticationEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimProcessEventLogs", + "lastDataReceivedQuery": "ASimProcessEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "ASimRegistryEventLogs", + "lastDataReceivedQuery": "ASimRegistryEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, { - "description": "Top 10 Hosts with Detections", - "query": 
"CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstHostName \n | top 10 by count_" + "name": "ASimUserManagementActivityLogs", + "lastDataReceivedQuery": "ASimUserManagementActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" }, { - "description": "Top 10 Users with Detections", - "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstUserName \n | top 10 by count_" + "name": "CrowdStrike_Secondary_Data_CL", + "lastDataReceivedQuery": "CrowdStrike_Secondary_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ { "type": "IsConnectedQuery", "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + "CrowdStrikeReplicatorV2(starttime=ago(3d)) \n |take 1\n | project IsConnected = true " ] } ], - "dataTypes": [ - { - "name": "CommonSecurityLog (CrowdStrikeFalconEventStream)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], "availability": { "status": 1, "isPreview": false 
@@ -1312,12 +593,12 @@
 "resourceProvider": [
 {
 "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
 "providerDisplayName": "Workspace",
 "scope": "Workspace",
 "requiredPermissions": {
- "read": true,
 "write": true,
+ "read": true,
 "delete": true
 }
 },
@@ -1333,65 +614,60 @@ ], "customs": [ { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." }, { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + "name": "SQS and AWS S3 account credentials/permissions", + "description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket." } ] }, "instructionSteps": [ { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. 
The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent", - "description": "Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. 
Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] + "description": ">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "1. Configure FDR in CrowdStrike - You must contact the [CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable CrowdStrike FDR.\n\t - Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys. \n\t - You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region. \n2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application. \n\t - [Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. 
\n\t - For **AAD Principal** Id of this application, access the AAD App through [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and capture Object Id from the application overview page.", + "title": "Prerequisites" + }, + { + "description": "Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function", + "title": "Deployment Options" + }, + { + "description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-gov) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Deploy DCE, DCR and Custom Tables for data ingestion**\n\n1. 
Deploy the required DCE, DCR(s) and the Custom Tables by using the [Data Collection Resource ARM template](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-data-resource) \n2. After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).\n\t - DCE log ingestion - Follow the instructions available at [Create data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-data-collection-endpoint) (Step 3).\n\t - Immutable Ids of one or more DCRs (as applicable) - Follow the instructions available at [Collect information from the DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#collect-information-from-the-dcr) (Stpe 2)." + }, + { + "description": "**2. Deploy a Function App**\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." }, { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " + "description": "**3. Configure the Function App**\n\n1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tUSER_SELECTION_REQUIRE_RAW //True if raw data is required\n\t\tUSER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required\n\t\tMAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium\n\t\tMAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here\n\t\tAZURE_TENANT_ID\n\t\tAZURE_CLIENT_ID\n\t\tAZURE_CLIENT_SECRET\n\t\tDCE_INGESTION_ENDPOINT\n\t\tNORMALIZED_DCR_ID\n\t\tRAW_DATA_DCR_ID\n\t\tEVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet\n\t\tREQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet\n\t\tSchedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.\n5. Once all application settings have been entered, click **Save**." } - ] + ], + "metadata": { + "version": "1.0.1" + } } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", - "contentId": "[variables('_dataConnectorContentId4')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", "kind": 
"DataConnector",
- "version": "[variables('dataConnectorVersion4')]",
+ "version": "[variables('dataConnectorVersion2')]",
 "source": {
 "kind": "Solution",
 "name": "CrowdStrike Falcon Endpoint Protection",
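Review bot: In the last instruction step of this hunk, `AWS_SECRET` and `AZURE_CLIENT_SECRET` are entered as plain application settings while the Key Vault guidance in the first step is labelled "(Optional Step)"; since these two values are what grant access to the FDR S3/SQS resources and to log ingestion through the DCR, the text should recommend Key Vault references for them, e.g. `AZURE_CLIENT_SECRET // store as a Key Vault reference rather than a plain setting`. The same step has the function read `EVENT_TO_TABLE_MAPPING_LINK` and `REQUIRED_FIELDS_SCHEMA_LINK` from the internet at run time, so it should also state the exact URLs the operator is expected to use (presumably the files in this repository) so they can be verified rather than guessed. The new text also carries typos that surface in the connector UI: "ARM Tempate", "(Stpe 2)", "authentiate", and the stray space in "** New application setting**". The identical instruction text appears in the preceding hunk (the contentTemplates copy of this connector), where the same fixes apply.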
@@ -1416,27 +692,27 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId4')]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
 "contentKind": "DataConnector",
- "displayName": "[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA",
- "contentProductId": "[variables('_dataConnectorcontentProductId4')]",
- "id": "[variables('_dataConnectorcontentProductId4')]",
- "version": "[variables('dataConnectorVersion4')]"
+ "displayName": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)",
+ "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
+ "id": "[variables('_dataConnectorcontentProductId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
 "dependsOn": [
- "[variables('_dataConnectorId4')]"
+ "[variables('_dataConnectorId2')]"
 ],
 "location": "[parameters('workspace-location')]",
 "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]",
- "contentId": "[variables('_dataConnectorContentId4')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
 "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion4')]",
+ "version": "[variables('dataConnectorVersion2')]",
 "source": {
 "kind": "Solution",
 "name": "CrowdStrike Falcon Endpoint Protection",
@@ -1455,45 +731,77 @@
 }
 },
 {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
 "apiVersion": "2021-03-01-preview",
 "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
 "kind": "GenericUI",
 "properties": {
 "connectorUiConfig": {
- "title": "[Deprecated] CrowdStrike Falcon Endpoint Protection via AMA",
- "publisher": "CrowdStrike",
- "descriptionMarkdown": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/endpoint-security-products/) connector allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.",
+ "title": "Crowdstrike Falcon Data Replicator V2 (using Azure Functions)",
+ "publisher": "Crowdstrike",
+ "descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Microsoft Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.",
 "graphQueries": [
 {
 "metricName": "Total data received",
- "legend": "CrowdStrikeFalconEventStream",
- "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ "legend": "CrowdStrikeReplicatorV2",
+ "baseQuery": "CrowdStrikeReplicatorV2"
 }
 ],
 "dataTypes": [
 {
- "name": "CommonSecurityLog (CrowdStrikeFalconEventStream)",
- "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "name": "CrowdStrike_Additional_Events_CL",
+ "lastDataReceivedQuery": "CrowdStrike_Additional_Events_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "ASimNetworkSessionLogs",
+ "lastDataReceivedQuery": "ASimNetworkSessionLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "ASimDnsActivityLogs",
+ "lastDataReceivedQuery": "ASimDnsActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "ASimAuditEventLogs",
+ "lastDataReceivedQuery": "ASimAuditEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "ASimFileEventLogs",
+ "lastDataReceivedQuery": "ASimFileEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "ASimAuthenticationEventLogs",
+ "lastDataReceivedQuery": "ASimAuthenticationEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "ASimProcessEventLogs",
+ "lastDataReceivedQuery": "ASimProcessEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "ASimRegistryEventLogs",
+ "lastDataReceivedQuery": "ASimRegistryEventLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "ASimUserManagementActivityLogs",
+ "lastDataReceivedQuery": "ASimUserManagementActivityLogs\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "CrowdStrike_Secondary_Data_CL",
+ "lastDataReceivedQuery": "CrowdStrike_Secondary_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "connectivityCriterias": [
 {
 "type": "IsConnectedQuery",
 "value": [
- "CommonSecurityLog\n |where DeviceVendor =~ 'CrowdStrike'\n |where DeviceProduct =~ 'FalconHost'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ "CrowdStrikeReplicatorV2(starttime=ago(3d)) \n |take 1\n | project IsConnected = true "
 ]
 }
 ],
 "sampleQueries": [
 {
- "description": "Top 10 Hosts with Detections",
- "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstHostName \n | top 10 by count_"
- },
- {
- "description": "Top 10 Users with Detections",
- "query": "CrowdStrikeFalconEventStream \n | where EventType == \"DetectionSummaryEvent\" \n| summarize count() by DstUserName \n | top 10 by count_"
+ "description": "Data Replicator - All Activities",
+ "query": "CrowdStrikeReplicatorV2 \n | sort by TimeGenerated desc"
 }
 ],
 "availability": {
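Review bot: The `lastDataReceivedQuery` entries for the `ASim*Logs` tables (`ASimNetworkSessionLogs` through `ASimUserManagementActivityLogs`) are unfiltered, and those normalized tables are shared by every ASim-native source in the workspace, so the connector will report data received even when none of it came from this function; each query should filter on the ASim vendor/product columns, e.g. `ASimNetworkSessionLogs\n | where EventVendor =~ 'CrowdStrike'\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)` (the vendor value must match what the function writes — confirm against the function code). The `IsConnectedQuery` now depends on the `CrowdStrikeReplicatorV2` function existing; if the parser has not been deployed the query presumably errors rather than returning `IsConnected = false`, which differs from the previous table-based check and is worth noting in the connector description. The `Total data received` `baseQuery` calls `CrowdStrikeReplicatorV2` without a `starttime`, unlike the connectivity query; presumably the function applies a default range, but it is worth confirming the graph query is bounded. The same unfiltered `dataTypes` list appears in the first hunk of this file section (the contentTemplates copy), where the same change applies.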
@@ -1504,12 +812,12 @@
 "resourceProvider": [
 {
 "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
+ "permissionsDisplayText": "read and write permissions on the workspace are required.",
 "providerDisplayName": "Workspace",
 "scope": "Workspace",
 "requiredPermissions": {
- "read": true,
 "write": true,
+ "read": true,
 "delete": true
 }
 },
@@ -1525,83 +833,75 @@ ], "customs": [ { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." }, { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + "name": "SQS and AWS S3 account credentials/permissions", + "description": "**AWS_SECRET**, **AWS_REGION_NAME**, **AWS_KEY**, **QUEUE_URL** is required. [See the documentation to learn more about data pulling](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/). To start, contact CrowdStrike support. At your request they will create a CrowdStrike managed Amazon Web Services (AWS) S3 bucket for short term storage purposes as well as a SQS (simple queue service) account for monitoring changes to the S3 bucket." } ] }, "instructionSteps": [ { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. 
The function usually takes 10-15 minutes to activate after solution installation/update.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward CrowdStrike Falcon Event Stream logs to a Syslog agent", - "description": "Deploy the CrowdStrike Falcon SIEM Collector to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the SIEM Collector and forward syslog\n2. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. 
Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] + "description": ">**NOTE:** This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details.\n\n>**(Optional Step)** Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "1. Configure FDR in CrowdStrike - You must contact the [CrowdStrike support team](https://supportportal.crowdstrike.com/) to enable CrowdStrike FDR.\n\t - Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys. \n\t - You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region. \n2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application. \n\t - [Follow the instructions here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-azure-ad-application) (steps 1-5) to get **AAD Tenant Id**, **AAD Client Id** and **AAD Client Secret**. 
\n\t - For **AAD Principal** Id of this application, access the AAD App through [AAD Portal](https://aad.portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId/) and capture Object Id from the application overview page.", + "title": "Prerequisites" + }, + { + "description": "Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function", + "title": "Deployment Options" + }, + { + "description": "Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-gov) \t\t\t\n2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations \n> **NOTE:** Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.\n3. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n4. Click **Purchase** to deploy.", + "title": "Option 1 - Azure Resource Manager (ARM) Template" + }, + { + "description": "Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).", + "title": "Option 2 - Manual Deployment of Azure Functions" + }, + { + "description": "**1. Deploy DCE, DCR and Custom Tables for data ingestion**\n\n1. 
Deploy the required DCE, DCR(s) and the Custom Tables by using the [Data Collection Resource ARM template](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-azuredeploy-data-resource) \n2. After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).\n\t - DCE log ingestion - Follow the instructions available at [Create data collection endpoint](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#create-data-collection-endpoint) (Step 3).\n\t - Immutable Ids of one or more DCRs (as applicable) - Follow the instructions available at [Collect information from the DCR](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal#collect-information-from-the-dcr) (Stpe 2)." + }, + { + "description": "**2. Deploy a Function App**\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdstrikeReplicatorV2-functionapp) file. Extract archive to your local development computer.\n2. Follow the [function app manual deployment instructions](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AzureFunctionsManualDeployment.md#function-app-manual-deployment-instructions) to deploy the Azure Functions app using VSCode.\n3. After successful deployment of the function app, follow next steps for configuring it." }, { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " + "description": "**3. Configure the Function App**\n\n1. Go to Azure Portal for the Function App configuration.\n2. In the Function App, select the Function App Name and select **Configuration**.\n3. In the **Application settings** tab, select ** New application setting**.\n4. 
Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tAWS_KEY\n\t\tAWS_SECRET\n\t\tAWS_REGION_NAME\n\t\tQUEUE_URL\n\t\tUSER_SELECTION_REQUIRE_RAW //True if raw data is required\n\t\tUSER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required\n\t\tMAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium\n\t\tMAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here\n\t\tAZURE_TENANT_ID\n\t\tAZURE_CLIENT_ID\n\t\tAZURE_CLIENT_SECRET\n\t\tDCE_INGESTION_ENDPOINT\n\t\tNORMALIZED_DCR_ID\n\t\tRAW_DATA_DCR_ID\n\t\tEVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet\n\t\tREQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet\n\t\tSchedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.\n5. Once all application settings have been entered, click **Save**." } ], - "id": "[variables('_uiConfigId4')]", - "additionalRequirementBanner": "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution." + "id": "[variables('_uiConfigId2')]", + "additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. ​Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser)." 
} } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName5')]", + "name": "[variables('dataConnectorTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.8", + "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion5')]", + "contentVersion": "[variables('dataConnectorVersion3')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", "kind": "GenericUI", "properties": { "connectorUiConfig": { - "id": "[variables('_uiConfigId5')]", + "id": "[variables('_uiConfigId3')]", "title": "CrowdStrike Falcon Adversary Intelligence (using Azure Functions)", "publisher": "CrowdStrike", "descriptionMarkdown": "The [CrowdStrike](https://www.crowdstrike.com/) Falcon Indicators of Compromise connector retrieves the Indicators of Compromise from the Falcon Intel API and uploads them [Microsoft Sentinel Threat Intel](https://learn.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence).", 
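Review bot: The "3. Configure the Function App" step tells the operator to paste `AWS_KEY`, `AWS_SECRET` and `AZURE_CLIENT_SECRET` straight into Application settings, while the Key Vault guidance at the top of the same step list is labelled `>**(Optional Step)**`; for long-lived cloud credentials that should be the recommended path, not an optional one. I would relabel it `>**RECOMMENDED:** Store AWS_SECRET and AZURE_CLIENT_SECRET in Azure Key Vault and reference them from Application settings with Key Vault references (@Microsoft.KeyVault(SecretUri=...)); the Function App needs a managed identity with secret get permission on the vault.` Separately, `additionalRequirementBanner` still directs readers to the alias **CrowdstrikeReplicator** and the `sentinel-crowdstrikereplicator-parser` link, whereas this connector's connectivity query and sample query use `CrowdStrikeReplicatorV2`, so the banner appears to name the wrong parser. The instruction text also carries typos (`authentiate`, `Tempate`, `Stpe 2`). The hunk ends inside the next connector's `connectorUiConfig`, so the remainder of that object is outside it.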
@@ -1718,12 +1018,12 @@
       {
         "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
         "apiVersion": "2023-04-01-preview",
-        "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]",
+        "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]",
         "properties": {
-          "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]",
-          "contentId": "[variables('_dataConnectorContentId5')]",
+          "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]",
+          "contentId": "[variables('_dataConnectorContentId3')]",
           "kind": "DataConnector",
-          "version": "[variables('dataConnectorVersion5')]",
+          "version": "[variables('dataConnectorVersion3')]",
           "source": {
             "kind": "Solution",
             "name": "CrowdStrike Falcon Endpoint Protection",
@@ -1748,27 +1048,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId5')]", + "contentId": "[variables('_dataConnectorContentId3')]", "contentKind": "DataConnector", "displayName": "CrowdStrike Falcon Adversary Intelligence (using Azure Functions)", - "contentProductId": "[variables('_dataConnectorcontentProductId5')]", - "id": "[variables('_dataConnectorcontentProductId5')]", - "version": "[variables('dataConnectorVersion5')]" + "contentProductId": "[variables('_dataConnectorcontentProductId3')]", + "id": "[variables('_dataConnectorcontentProductId3')]", + "version": "[variables('dataConnectorVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", "dependsOn": [ - "[variables('_dataConnectorId5')]" + "[variables('_dataConnectorId3')]" ], "location": "[parameters('workspace-location')]", "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", - "contentId": "[variables('_dataConnectorContentId5')]", + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", "kind": "DataConnector", - "version": "[variables('dataConnectorVersion5')]", + "version": "[variables('dataConnectorVersion3')]", "source": { "kind": 
"Solution", "name": "CrowdStrike Falcon Endpoint Protection", @@ -1787,7 +1087,7 @@ } }, { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", "apiVersion": "2021-03-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", @@ -1904,7 +1204,7 @@ "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select ** New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tCROWDSTRIKE_CLIENT_ID\n\t\tCROWDSTRIKE_CLIENT_SECRET\n\t\tCROWDSTRIKE_BASE_URL\n\t\tTENANT_ID\n\t\tINDICATORS\n\t\tWorkspaceKey\n\t\tAAD_CLIENT_ID\n\t\tAAD_CLIENT_SECRET \n\t\tLOOK_BACK_DAYS \n\t\tWORKSPACE_ID \n4. Once all application settings have been entered, click **Save**." } ], - "id": "[variables('_uiConfigId5')]" + "id": "[variables('_uiConfigId3')]" } } }, @@ -1917,7 +1217,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrikeFalconEventStream Data Parser with template version 3.0.8", + "description": "CrowdStrikeFalconEventStream Data Parser with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -2049,7 +1349,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdstrikeReplicator Data Parser with template version 3.0.8", + "description": "CrowdstrikeReplicator Data Parser with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", @@ -2181,7 +1481,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrikeReplicatorV2 Data Parser with template version 3.0.8", + "description": "CrowdStrikeReplicatorV2 Data Parser with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", @@ -2313,7 +1613,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrikeFalconEndpointProtection Workbook with template version 3.0.8", + "description": "CrowdStrikeFalconEndpointProtection Workbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -2401,7 +1701,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CriticalOrHighSeverityDetectionsByUser_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "CriticalOrHighSeverityDetectionsByUser_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -2429,22 +1729,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CrowdStrikeFalconEndpointProtectionAma", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "entityMappings": [ @@ -2542,7 +1830,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CriticalSeverityDetection_AnalyticalRules Analytics Rule with template version 3.0.8", + "description": "CriticalSeverityDetection_AnalyticalRules Analytics Rule with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -2570,22 +1858,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "CrowdStrikeFalconEndpointProtection", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CrowdStrikeFalconEndpointProtectionAma", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "entityMappings": [ @@ -2683,7 +1959,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CrowdStrike_Base Playbook with template version 3.0.8", + "description": "CrowdStrike_Base Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -3060,7 +2336,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Crowdstrike-EndpointEnrichment Playbook with template version 3.0.8", + "description": "Crowdstrike-EndpointEnrichment Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", 
@@ -4515,7 +3791,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Crowdstrike-ContainHost Playbook with template version 3.0.8", + "description": "Crowdstrike-ContainHost Playbook with template version 3.0.9", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -5630,12 +4906,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.8", + "version": "3.0.9", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "CrowdStrike Falcon Endpoint Protection", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CrowdStrike Falcon Endpoint Protection solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

\n\n\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 5, Parsers: 3, Workbooks: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CrowdStrike Falcon Endpoint Protection solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 4, Parsers: 3, Workbooks: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -5674,16 +4950,6 @@ "contentId": "[variables('_dataConnectorContentId3')]", "version": "[variables('dataConnectorVersion3')]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId4')]", - "version": "[variables('dataConnectorVersion4')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId5')]", - "version": "[variables('dataConnectorVersion5')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md index 52f0b05f19c..3d0963325d2 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md @@ -1,6 +1,8 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------------| -| 3.0.8 | 10-07-2024 | Deprecated **Data Connector** | +| 3.0.9 | 12-11-2024 | Removed deprecated data connectors | +| | | Updated the python runtime version to 3.11 | +| 3.0.8 | 10-07-2024 | Deprecated **Data Connector** | | 3.0.7 | 20-06-2024 | Shortlinks updated for **Data Connector** CrowdStrike Falcon Indicators of Compromise | | 3.0.6 | 06-06-2024 | Renamed **Data Connector** *CrowdStrike Falcon Indicators of Compromise* to *CrowdStrike Falcon Adversary Intelligence* | | 3.0.5 | 30-05-2024 | Added new Function App **Data Connector** CrowdStrike Falcon Indicators of Compromise | 
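Review bot: The new `descriptionHtml` states `Data Connectors: 4`, but the `@@ -5674` hunk of the same file removes the `_dataConnectorContentId4` and `_dataConnectorContentId5` entries from the `dependencies` array and leaves only ids 1–3, which suggests three connectors remain; please reconcile the count with that array before publishing, since the solution page shows it to operators. The text also keeps `NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.`, which reads as stale now that the release notes date this version 12-11-2024 and the deprecated connectors have been removed; I would replace it with `NOTE: The legacy CrowdStrike Falcon Endpoint Protection connectors have been removed from this solution; use the CEF via AMA connector to collect Falcon Event Stream logs.` or drop it. This hunk touches only the `descriptionHtml` string; the rest of the solution metadata object lies outside it.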
diff --git a/Solutions/DomainTools/Playbooks/CustomConnector/DomainTools_FunctionAppConnector/DomainRiskScore/__init__.py b/Solutions/DomainTools/Playbooks/CustomConnector/DomainTools_FunctionAppConnector/DomainRiskScore/__init__.py index 34fa5a3be58..b87c1b633fb 100644 --- a/Solutions/DomainTools/Playbooks/CustomConnector/DomainTools_FunctionAppConnector/DomainRiskScore/__init__.py +++ b/Solutions/DomainTools/Playbooks/CustomConnector/DomainTools_FunctionAppConnector/DomainRiskScore/__init__.py @@ -1,7 +1,7 @@ import json import logging +import hashlib from datetime import datetime -from hashlib import sha256 from hmac import new from os import environ from urllib.parse import urlencode, urlunparse @@ -56,7 +56,7 @@ def sign(self, timestamp: str, uri: str) -> str: """ params = "".join([self.api_username, timestamp, uri]) return new( - self.api_key.encode("utf-8"), params.encode("utf-8"), digestmod=sha256 + self.api_key.encode("utf-8"), params.encode("utf-8"), digestmod=hashlib.sha256 ).hexdigest() diff --git a/Solutions/DomainTools/Playbooks/CustomConnector/DomainTools_FunctionAppConnector/DomainToolsFunctionApp.zip b/Solutions/DomainTools/Playbooks/CustomConnector/DomainTools_FunctionAppConnector/DomainToolsFunctionApp.zip index 36ff86f3393..6a83a86527c 100644 Binary files a/Solutions/DomainTools/Playbooks/CustomConnector/DomainTools_FunctionAppConnector/DomainToolsFunctionApp.zip and b/Solutions/DomainTools/Playbooks/CustomConnector/DomainTools_FunctionAppConnector/DomainToolsFunctionApp.zip differ diff --git a/Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_API_FunctionApp.json b/Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_API_FunctionApp.json new file mode 100644 index 00000000000..fa05bc9d046 --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/ESETProtectPlatform_API_FunctionApp.json 
@@ -0,0 +1,80 @@ +{ + "id": "ESETProtectPlatform", + "title": "ESET Protect Platform", + "publisher": "ESET", + "descriptionMarkdown": "The ESET Protect Platform data connector enables users to inject detections data from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). Integration REST API runs as scheduled Azure Function App.", + "graphQueries": [{"metricName": "Total data received", "legend": "IntegrationTable_CL", "baseQuery": "IntegrationTable_CL"}], + "sampleQueries": [ + {"description": "All table records sorted by time", "query": "IntegrationTable_CL\n| sort by TimeGenerated desc"} + ], + "dataTypes": [ + { + "name": "IntegrationTable_CL", + "lastDataReceivedQuery": "IntegrationTable_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "IntegrationTable_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": {"status": 1, "isPreview": false}, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "Permission to register an application in Microsoft Entra ID", + "description": "Sufficient permissions to register an application with your Microsoft Entra tenant are required." + }, + { + "name": "Permission to assign a role to the registered application", + "description": "Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID is required." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** The ESET Protect Platform data connector uses Azure Functions to connect to the ESET Protect Platform via Eset Connect API to pull detections logs into Microsoft Sentinel. This process might result in additional data ingestion costs. See details on the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/)." + }, + { + "title": "Step 1 - Create an API user", + "description": "Use this [instruction](https://help.eset.com/eset_connect/en-US/create_api_user_account.html) to create an ESET Connect API User account with **Login** and **Password**." 
+ }, + { + "title": "Step 2 - Create a registered application", + "description": "Create a Microsoft Entra ID registered application by following the steps in the [Register a new application instruction.](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application#register-a-new-application)" + }, + { + "title": "Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template", + "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**." + } + ] +} diff --git a/Solutions/ESET Protect Platform/Data Connectors/FunctionAppESETProtectPlatform.zip b/Solutions/ESET Protect Platform/Data Connectors/FunctionAppESETProtectPlatform.zip new file mode 100644 index 00000000000..dbcc365aed0 Binary files /dev/null and b/Solutions/ESET Protect Platform/Data Connectors/FunctionAppESETProtectPlatform.zip differ diff --git a/Solutions/ESET Protect Platform/Data Connectors/azuredeploy_ESETProtectPlatform_API_FunctionApp.json b/Solutions/ESET Protect Platform/Data Connectors/azuredeploy_ESETProtectPlatform_API_FunctionApp.json new file mode 100644 index 00000000000..f39e2ca2a64 --- /dev/null 
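Review bot: The `permissions.resourceProvider` block requests `Microsoft.OperationalInsights/workspaces/sharedKeys` action rights and `"delete": true` on the workspace, but nothing in this connector appears to use workspace shared keys — the companion ARM template in this commit ingests through a Data Collection Rule with a Microsoft Entra application holding Monitoring Metrics Publisher, and the function's app settings carry `ENDPOINT_URI`/`DCR_IMMUTABLEID` rather than a workspace key. Listing rights the deployment does not exercise overstates what operators must grant; consider dropping the sharedKeys entry and the delete requirement unless some step genuinely needs them. The `descriptionMarkdown` also says `inject detections data`, which reads as a typo for `ingest detections data`.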
+++ b/Solutions/ESET Protect Platform/Data Connectors/azuredeploy_ESETProtectPlatform_API_FunctionApp.json 
@@ -0,0 +1,503 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspaceName": { + "type": "string", + "metadata": { + "description": "The name of the Log Analytics workspace associated with Microsoft Sentinel." + } + }, + "tableName": { + "type": "string", + "metadata": { + "description": "The name of the custom Log Analytics table to be created." + }, + "defaultValue": "IntegrationTable_CL" + }, + "dataCollectionEndpointName": { + "type": "string", + "metadata": { + "description": "The name of the Data Collection Endpoint to be created." + }, + "defaultValue": "integrationDCE" + }, + "dataCollectionRuleName": { + "type": "string", + "metadata": { + "description": "The name of the Data Collection Rule to be created." + }, + "defaultValue": "integrationDCR" + }, + "applicationName": { + "type": "string", + "metadata": { + "description": "The name of the Azure Function App to be created." + } + }, + "applicationRunInterval": { + "type": "int", + "defaultValue": 5, + "allowedValues": [ + 5, + 10, + 15 + ], + "metadata": { + "description": "The interval in minutes of sending detections to Microsoft Sentinel e.g. every 5 minutes." + } + }, + "objectID": { + "type": "string", + "metadata": { + "description": "The Object ID of the Service Principal associated with the registered application in Microsoft Entra ID." + } + }, + "azureClientID": { + "type": "string", + "metadata": { + "description": "The Azure Client ID of the registered application in Microsoft Entra ID." + } + }, + "azureClientSecret": { + "type": "secureString", + "metadata": { + "description": "The Azure Client Secret of the registered application in Microsoft Entra ID." + } + }, + "azureTenantID": { + "type": "string", + "metadata": { + "description": "The Azure Tenant ID of the registered application in Microsoft Entra ID." 
+ } + }, + "login": { + "type": "string", + "metadata": { + "description": "The ESET Connect API user account login." + } + }, + "password": { + "type": "secureString", + "metadata": { + "description": "The ESET Connect API user account password." + } + }, + "instanceRegion": { + "type": "string", + "defaultValue": "eu", + "allowedValues": [ + "eu", + "us", + "jpn", + "ca", + "de" + ], + "metadata": { + "description": "The region where your ESET Protect/Inspect/ECOS instance is running." + } + }, + "keyBase": { + "type": "string", + "defaultValue": "[newGuid()]", + "metadata": { + "description": "Do not change this value. Base string for the key to encrypt/decrypt token data." + } + } + }, + "variables": { + "tableNameCL": "[if(endsWith(parameters('tableName'), '_CL'), parameters('tableName'), concat(parameters('tableName'), '_CL'))]", + "customTableName": "[concat('Custom-', variables('tableNameCL'))]", + "applicationName": "[concat(parameters('applicationName'), uniquestring(resourceGroup().id))]", + "dataCollectionEndpointId":"[resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('dataCollectionEndpointName'))]", + "dataCollectionRuleId": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dataCollectionRuleName'))]", + "location": "[resourceGroup().location]", + "hostingPlanName": "[variables('applicationName')]", + "contentShare": "[variables('applicationName')]", + "storageAccountName": "[concat(uniquestring(resourceGroup().id), 'azfunction')]", + "workspaces_integration_log_analytics_workspace_externalid":"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]", + "keyBase64": "[base64(replace(parameters('keyBase'), '-', ''))]" + + }, + "resources": [ + { + "type": "Microsoft.Insights/dataCollectionEndpoints", + "name": "[parameters('dataCollectionEndpointName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/tables', 
parameters('workspaceName'), variables('tableNameCL'))]" + ], + "apiVersion": "2021-04-01", + "properties": { + "networkAcls": { + "publicNetworkAccess": "Enabled" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2022-10-01", + "name": "[concat(parameters('workspaceName'), '/', variables('tableNameCL'))]", + "location": "[variables('location')]", + "properties": { + "schema": { + "name": "[variables('tableNameCL')]", + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "typeName", + "type": "string" + }, + { + "name": "objectName", + "type": "string" + }, + { + "name": "networkCommunication", + "type": "dynamic" + }, + { + "name": "customUuid", + "type": "string" + }, + { + "name": "objectTypeName", + "type": "string" + }, + { + "name": "occurTime", + "type": "string" + }, + { + "name": "displayName", + "type": "string" + }, + { + "name": "responses", + "type": "dynamic" + }, + { + "name": "objectHashSha1", + "type": "string" + }, + { + "name": "severityLevel", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "objectUrl", + "type": "string" + }, + { + "name": "context", + "type": "dynamic" + } + ] + } + } + }, + { + "type": "Microsoft.Insights/dataCollectionRules", + "apiVersion": "2023-03-11", + "name": "[parameters('dataCollectionRuleName')]", + "location": "[variables('location')]", + "dependsOn": [ + "[resourceId('Microsoft.OperationalInsights/workspaces/tables', parameters('workspaceName'), variables('tableNameCL'))]", + "[variables('dataCollectionEndpointId')]" + ], + "properties": { + "dataCollectionEndpointId": "[variables('dataCollectionEndpointId')]", + "streamDeclarations": { + "[variables('customTableName')]": { + "columns": [ + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "typeName", + "type": "string" + }, + { + "name": "objectName", + "type": "string" + }, + { + "name": "networkCommunication", + "type": 
"dynamic" + }, + { + "name": "customUuid", + "type": "string" + }, + { + "name": "objectTypeName", + "type": "string" + }, + { + "name": "occurTime", + "type": "string" + }, + { + "name": "displayName", + "type": "string" + }, + { + "name": "responses", + "type": "dynamic" + }, + { + "name": "objectHashSha1", + "type": "string" + }, + { + "name": "severityLevel", + "type": "string" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "objectUrl", + "type": "string" + }, + { + "name": "context", + "type": "dynamic" + } + ] + } + }, + "dataSources": {}, + "destinations": { + "logAnalytics": [ + { + "workspaceResourceId": "[variables('workspaces_integration_log_analytics_workspace_externalid')]", + "name": "[parameters('workspaceName')]" + } + ] + }, + "dataFlows": [ + { + "streams": [ + "[variables('customTableName')]" + ], + "destinations": [ + "[parameters('workspaceName')]" + ], + "transformKql": "source", + "outputStream": "[variables('customTableName')]" + } + ] + } + }, + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(parameters('dataCollectionRuleName'), parameters('objectID'), 'Monitoring Metrics Publisher')]", + "scope": "[variables('dataCollectionRuleId')]", + "properties": { + "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')]", + "principalId": "[parameters('objectID')]", + "principalType": "ServicePrincipal" + }, + "dependsOn": ["[variables('dataCollectionRuleId')]"] + }, + { + "apiVersion": "2022-03-01", + "name": "[variables('applicationName')]", + "type": "Microsoft.Web/sites", + "kind": "functionapp,linux", + "location": "[resourceGroup().location]", + "tags": {}, + "dependsOn": [ + "[concat('Microsoft.Web/serverfarms/', variables('hostingPlanName'))]", + "[concat('Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]", + "[variables('dataCollectionRuleId')]" + + ], + "properties": { + 
"name": "[variables('applicationName')]", + "siteConfig": { + "appSettings": [ + { + "name": "FUNCTIONS_EXTENSION_VERSION", + "value": "~4" + }, + { + "name": "FUNCTIONS_WORKER_RUNTIME", + "value": "python" + }, + { + "name": "APPLICATIONINSIGHTS_CONNECTION_STRING", + "value": "[reference(concat('microsoft.insights/components/', variables('applicationName')), '2015-05-01').ConnectionString]" + }, + { + "name": "AzureWebJobsStorage", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value,';EndpointSuffix=','core.windows.net')]" + }, + { + "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", + "value": "[concat('DefaultEndpointsProtocol=https;AccountName=',variables('storageAccountName'),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value,';EndpointSuffix=','core.windows.net')]" + }, + { + "name": "WEBSITE_CONTENTSHARE", + "value": "[toLower(variables('contentShare'))]" + }, + { + "name": "WEBSITE_RUN_FROM_PACKAGE", + "value": "https://aka.ms/sentinel-EsetProtectionPlatform-FunctionApp" + }, + { + "name": "ENDPOINT_URI", + "value": "[reference(variables('dataCollectionEndpointId'), '2021-04-01').logsIngestion.endpoint]" + }, + { + "name": "DCR_IMMUTABLEID", + "value": "[reference(variables('dataCollectionRuleId'), '2023-03-11').immutableId]" + }, + { + "name": "STREAM_NAME", + "value": "[variables('customTableName')]" + }, + { + "name": "AZURE_CLIENT_ID", + "value": "[parameters('azureClientID')]" + }, + { + "name": "AZURE_CLIENT_SECRET", + "value": "[parameters('azureClientSecret')]" + }, + { + "name": "AZURE_TENANT_ID", + "value": "[parameters('azureTenantID')]" + }, + { + "name": "PASSWORD_INTEGRATION", + "value": "[parameters('password')]" + }, + { + "name": "USERNAME_INTEGRATION", + "value": 
"[parameters('login')]" + }, + { + "name": "INTERVAL", + "value": "[parameters('applicationRunInterval')]" + }, + { + "name": "PYTHONPATH", + "value": "/home/site/wwwroot/.python_packages/lib/site-packages,/home/site/wwwroot" + }, + { + "name": "PYTHON_ISOLATE_WORKER_DEPENDENCIES", + "value": "1" + }, + { + "name": "KEY_BASE64", + "value": "[variables('keyBase64')]" + }, + { + + "name": "INSTANCE_REGION", + "value": "[parameters('instanceRegion')]" + } + ], + "cors": { + "allowedOrigins": [ + "https://portal.azure.com" + ] + }, + "use32BitWorkerProcess": false, + "ftpsState": "FtpsOnly", + "linuxFxVersion": "Python|3.11" + }, + "clientAffinityEnabled": false, + "publicNetworkAccess": "Enabled", + "httpsOnly": true, + "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[concat(variables('applicationName'), '/scm')]", + "properties": { + "allow": false + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/Sites', variables('applicationName'))]" + ] + }, + { + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "apiVersion": "2022-09-01", + "name": "[concat(variables('applicationName'), '/ftp')]", + "properties": { + "allow": false + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/Sites', variables('applicationName'))]" + ] + } + ] + }, + { + "apiVersion": "2022-03-01", + "name": "[variables('hostingPlanName')]", + "type": "Microsoft.Web/serverfarms", + "location": "[resourceGroup().location]", + "kind": "linux", + "tags": {}, + "dependsOn": [], + "properties": { + "name": "[variables('hostingPlanName')]", + "workerSize": "0", + "workerSizeId": "0", + "numberOfWorkers": 1, + "reserved": true + }, + "sku": { + "Tier": "Dynamic", + "Name": "Y1" + } + }, + { + "apiVersion": "2020-02-02", + "name": "[variables('applicationName')]", + "type": "microsoft.insights/components", + 
"location": "westeurope",
+ "tags": {},
+ "dependsOn": [],
+ "properties": {
+ "ApplicationId": "[variables('applicationName')]",
+ "Request_Source": "IbizaWebAppExtensionCreate",
+ "Flow_Type": "Redfield",
+ "Application_Type": "web",
+ "WorkspaceResourceId": "[variables('workspaces_integration_log_analytics_workspace_externalid')]"
+ }
+ },
+ {
+ "apiVersion": "2022-05-01",
+ "type": "Microsoft.Storage/storageAccounts",
+ "name": "[variables('storageAccountName')]",
+ "location": "[resourceGroup().location]",
+ "tags": {},
+ "sku": {
+ "name": "Standard_LRS"
+ },
+ "properties": {
+ "supportsHttpsTrafficOnly": true,
+ "minimumTlsVersion": "TLS1_2",
+ "defaultToOAuthAuthentication": true
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/ESET Protect Platform/Data Connectors/function_app.py b/Solutions/ESET Protect Platform/Data Connectors/function_app.py
new file mode 100644
index 00000000000..37b484f31cc
--- /dev/null
+++ b/Solutions/ESET Protect Platform/Data Connectors/function_app.py
@@ -0,0 +1,24 @@
+import logging
+import os
+
+import azure.functions as func
+
+app = func.FunctionApp()
+
+
+@app.timer_trigger(
+ schedule=f"0 */{os.getenv('INTERVAL', 5)} * * * *", arg_name="myTimer", run_on_startup=False, use_monitor=False
+)
+def timer_trigger(myTimer: func.TimerRequest) -> None:
+ if myTimer.past_due:
+ logging.info("The timer is past due!")
+
+ logging.info("MAIN execution")
+ try:
+ from integration.main import main
+
+ main()
+ except Exception as e:
+ logging.error(f"main error: {e}")
+
+ logging.info("Python timer trigger function executed.")
diff --git a/Solutions/ESET Protect Platform/Data Connectors/host.json b/Solutions/ESET Protect Platform/Data Connectors/host.json
new file mode 100644
index 00000000000..9df913614d9
--- /dev/null
+++ b/Solutions/ESET Protect Platform/Data Connectors/host.json
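Review bot: `keyBase` is declared as a plain `"type": "string"` parameter even though its own description says it is the base of the key used to encrypt/decrypt stored token data; unlike `azureClientSecret` and `password` it is therefore kept in clear text in the deployment record, and the derived `KEY_BASE64` is then written into app settings next to `AZURE_CLIENT_SECRET` and `PASSWORD_INTEGRATION`. Declaring it `"type": "secureString"` keeps it out of deployment history, and Key Vault references for those three app settings would avoid holding long-lived secrets in site configuration at all. Separately, the `microsoft.insights/components` resource hard-codes `"location": "westeurope"` while every other resource uses the resource group location, so a deployment elsewhere creates a cross-region Application Insights component and fails in clouds where that region does not exist; `"location": "[resourceGroup().location]"` matches the rest of the template.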
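Review bot: `schedule=f"0 */{os.getenv('INTERVAL', 5)} * * * *"` interpolates the raw environment value into the cron expression, so a non-numeric or out-of-range `INTERVAL` yields an invalid schedule that surfaces only as a host start-up failure; parsing it first, `interval = int(os.getenv("INTERVAL", "5"))`, and falling back to the default on `ValueError` makes the bad configuration explicit. The `except Exception as e: logging.error(f"main error: {e}")` branch also discards the traceback; `logging.exception("main error")` records the same message together with the stack, which is what an operator needs when a run fails silently every interval.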
@@ -0,0 +1,15 @@
+{
+ "version": "2.0",
+ "logging": {
+ "applicationInsights": {
+ "samplingSettings": {
+ "isEnabled": true,
+ "excludedTypes": "Request"
+ }
+ }
+ },
+ "extensionBundle": {
+ "id": "Microsoft.Azure.Functions.ExtensionBundle",
+ "version": "[4.*, 5.0.0)"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/__init__.py b/Solutions/ESET Protect Platform/Data Connectors/integration/__init__.py
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/exceptions.py b/Solutions/ESET Protect Platform/Data Connectors/integration/exceptions.py
new file mode 100644
index 00000000000..f08735288c7
--- /dev/null
+++ b/Solutions/ESET Protect Platform/Data Connectors/integration/exceptions.py
@@ -0,0 +1,41 @@
+import logging
+
+
+class AuthenticationException(Exception):
+ def __init__(self, status: int, message: str) -> None:
+ self.status = status
+ self.message = message
+ self.s = f"AuthenticationException happend with status: {self.status}. Message: {self.message}"
+ logging.error(self.s)
+
+ def __str__(self) -> str:
+ return self.s
+
+
+class MissingCredentialsException(Exception):
+ def __init__(self) -> None:
+ self.s = "Missing credentials. Check if username and password are passed and correct."
+ logging.error(self.s)
+
+ def __str__(self) -> str:
+ return self.s
+
+
+class InvalidCredentialsException(AuthenticationException):
+ def __init__(self, e: AuthenticationException) -> None:
+ super().__init__(e.status, e.message)
+ self.s = f"{e.status, e.message}. Failed to get token in init setup. Check your credentials."
+ logging.error(self.s)
+
+ def __str__(self) -> str:
+ return self.s
+
+
+class TokenRefreshException(AuthenticationException):
+ def __init__(self, e: AuthenticationException) -> None:
+ super().__init__(e.status, e.message)
+ self.s = f"{e.status, e.message}. Failed to update access token. Refresh token may be invalid or expired."
+ logging.error(self.s)
+
+ def __str__(self) -> str:
+ return self.s
diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/main.py b/Solutions/ESET Protect Platform/Data Connectors/integration/main.py
new file mode 100644
index 00000000000..fb6547ad842
--- /dev/null
+++ b/Solutions/ESET Protect Platform/Data Connectors/integration/main.py
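Review bot: `AuthenticationException.__init__` never calls `super().__init__()`, so `e.args` is empty and the exception does not pickle or reconstruct correctly; adding `super().__init__(message)` as the first line of the constructor fixes that while keeping the custom `__str__`. Each constructor also calls `logging.error` as a side effect, so one failed request raised as `AuthenticationException` and then re-wrapped in `InvalidCredentialsException` or `TokenRefreshException` is logged two or three times by the exception classes alone, before whatever catches it logs it again; leaving logging to the `except` sites keeps the log readable and stops handled errors from looking like unhandled ones. Minor: `happend` in the `AuthenticationException` message is a typo for `happened`.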
@@ -0,0 +1,105 @@ +import asyncio +import logging +import time +import typing as t +from datetime import datetime, timezone + +from integration.models import Config, EnvVariables, TokenStorage +from integration.utils import ( + LastDetectionTimeHandler, + RequestSender, + TokenProvider, + TransformerDetections, +) + + +class ServiceClient: + def __init__(self) -> None: + self.config = Config() + self.env_vars = EnvVariables() + self.last_detection_time_handler = LastDetectionTimeHandler( + self.env_vars.conn_str, + self.env_vars.last_detection_time, + ) + self.request_sender = RequestSender(self.config, self.env_vars) + self.token_provider = TokenProvider(TokenStorage(), self.request_sender, self.env_vars, self.config.buffer) + self.transformer_detections = TransformerDetections(self.env_vars) + self._is_running = False + self._next_page_token: str | None = None + self._cur_ld_time: str | None = None + + async def run(self) -> None: + if self._is_running: + while self._is_running: + await asyncio.gather(self._custom_sleep(), self._process_integration()) + else: + await asyncio.gather(self._process_integration()) + + async def _process_integration(self) -> None: + start_time = time.time() + max_duration = self.env_vars.interval * 60 + + while self._next_page_token != "" and (time.time() - start_time) < (max_duration - 30): + response_data = await self._call_service() + self._next_page_token = response_data.get("nextPageToken") if response_data else "" + + if response_data and response_data.get("detections") and (time.time() - start_time) < (max_duration - 15): + self._cur_ld_time, successful_data_upload = ( + await self.transformer_detections.send_integration_detections(response_data, self._cur_ld_time) + ) + self._next_page_token = "" if successful_data_upload is False else self._next_page_token + self._update_last_detection_time() + + def _update_last_detection_time(self) -> None: + if self._cur_ld_time and self._cur_ld_time != 
self.last_detection_time_handler.last_detection_time: + self.last_detection_time_handler.storage_table_handler.input_entity( + new_entity=self.last_detection_time_handler.get_entity_schema(self._cur_ld_time) # type: ignore[call-arg] + ) + + async def _custom_sleep(self) -> None: + logging.info(f"Start of the {self.env_vars.interval} seconds interval") + await asyncio.sleep(self.env_vars.interval) + logging.info(f"End of the {self.env_vars.interval} seconds interval") + + async def _call_service(self) -> dict[str, t.Any] | None: + logging.info(f"Service call initiated") + + if not self.token_provider.token.access_token or datetime.now(timezone.utc) > self.token_provider.token.expiration_time: # type: ignore + await self.token_provider.get_token() + + try: + if ( + self.token_provider.token.expiration_time + and datetime.now(timezone.utc) < self.token_provider.token.expiration_time + ): + data = await self.request_sender.send_request( + self.request_sender.send_request_get, + { + "Authorization": f"Bearer {self.token_provider.token.access_token}", + "Content-Type": "application/json", + }, + self.last_detection_time_handler.last_detection_time, + self._next_page_token, + ) + logging.info( + f"Service call response data is {'obtained' if data and data.get('detections') else f'empty: {data}'}" + ) + return data + + logging.info("Service not called due to missing token.") + except Exception as e: + logging.error(f"Error in running service call: {e}") + + return None + + +def main() -> None: + logging.basicConfig( + format="%(asctime)s - %(levelname)s - %(message)s", level=logging.INFO, datefmt="%Y-%m-%d %H:%M:%S" + ) + service_client = ServiceClient() + asyncio.run(service_client.run()) + + +if __name__ == "__main__": + main() diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/models.py b/Solutions/ESET Protect Platform/Data Connectors/integration/models.py new file mode 100644 index 00000000000..afbba7d4309 --- /dev/null 
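Review bot: `run()` can never take the looping branch: `self._is_running` is set to `False` in `__init__` and nothing in this file assigns it `True`, so the `while self._is_running` loop and `_custom_sleep` are dead code and every invocation runs `_process_integration` exactly once, which appears to be what the timer trigger expects. `_custom_sleep` is also inconsistent with the rest of the class — `_process_integration` treats `self.env_vars.interval` as minutes (`max_duration = self.env_vars.interval * 60`) while `_custom_sleep` sleeps `interval` seconds and logs a "seconds interval". Either remove the flag and the sleep helper or make them agree on one unit. In `_call_service` the broad `except Exception` logs `str(e)` and returns `None`, which the caller then treats as the end of paging; `logging.exception("Error in running service call")` would keep the traceback so a dropped page is diagnosable.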
+++ b/Solutions/ESET Protect Platform/Data Connectors/integration/models.py 
@@ -0,0 +1,101 @@ +import logging +import os +import typing as t +from dataclasses import dataclass, field +from datetime import datetime, timedelta, timezone +from importlib import resources + +import yaml + + +@dataclass +class TokenStorage: + __access_token: str | None = field(default=None, init=False) + __refresh_token: str | None = field(default=None, init=False) + __expiration_time: datetime | None = field(default=None, init=False) + + @property + def access_token(self) -> str | None: + return self.__access_token + + @access_token.setter + def access_token(self, value: str) -> None: + self.__access_token = value + + @property + def refresh_token(self) -> str | None: + return self.__refresh_token + + @refresh_token.setter + def refresh_token(self, value: str) -> None: + self.__refresh_token = value + + @property + def expiration_time(self) -> datetime | None: + return self.__expiration_time + + @expiration_time.setter + def expiration_time(self, value: datetime) -> None: + self.__expiration_time = value + + def to_dict(self) -> dict[str, t.Any]: + return { + "access_token": self.access_token, + "refresh_token": self.refresh_token, + "expiration_time": self.expiration_time, + } + + +class Config: + def __init__(self) -> None: + config = self.get_config_params() + if config: + self.max_retries: int = config.get("max_retries") # type: ignore + self.retry_delay: float = float(config.get("retry_delay")) # type: ignore + self.requests_timeout = config.get("requests_timeout") + self.buffer: int = config.get("buffer") # type: ignore + + def get_config_params(self) -> dict[str, t.Any] | t.Any: + try: + return yaml.safe_load( + resources.files(__package__ or "integration").parent.joinpath("config.yml").read_bytes() + ) + except FileNotFoundError as e: + logging.error(e) + raise FileNotFoundError("The config file is not found. 
Further processing is impossible.") + + +class EnvVariables: + def __init__(self) -> None: + self.__username: str | None = os.getenv("USERNAME_INTEGRATION") + self.__password: str | None = os.getenv("PASSWORD_INTEGRATION") + self.interval: int = int(os.getenv("INTERVAL", 5)) + self.last_detection_time: str = os.getenv( + "LAST_DETECTION", + (datetime.now(timezone.utc) - timedelta(seconds=self.interval * 60)).strftime("%Y-%m-%dT%H:%M:%SZ"), + ) + self.endpoint_uri: str = os.getenv("ENDPOINT_URI", "") + self.dcr_immutableid: str = os.getenv("DCR_IMMUTABLEID", "") + self.stream_name: str = os.getenv("STREAM_NAME", "") + self.__conn_str: str = os.getenv("WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "") + self.__key_base64: str = os.getenv("KEY_BASE64", "") + + region = os.getenv("INSTANCE_REGION", "") + self.oauth_url: str = f"https://{region}.business-account.iam.eset.systems" + self.detections_url: str = f"https://{region}.incident-management.eset.systems/v1/detections" + + @property + def username(self) -> str | None: + return self.__username + + @property + def password(self) -> str | None: + return self.__password + + @property + def conn_str(self) -> str: + return self.__conn_str + + @property + def key_base64(self) -> str: + return self.__key_base64 diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/models_detections.py b/Solutions/ESET Protect Platform/Data Connectors/integration/models_detections.py new file mode 100644 index 00000000000..2684ba196de --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/integration/models_detections.py 
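Review bot: `TokenStorage` is a `@dataclass`, and its generated `__repr__` includes every field, so `repr(token)` or `str(token)` — and any log line or exception message that formats the object — prints the access and refresh tokens in clear; declaring the fields `field(default=None, init=False, repr=False)` prevents that leak. `Config.__init__` silently leaves `max_retries`, `retry_delay`, `requests_timeout` and `buffer` undefined when `get_config_params()` returns an empty document, deferring the failure to an `AttributeError` inside `RequestSender`; raising immediately (`raise ValueError("config.yml is empty or malformed")`) names the real cause. `EnvVariables` likewise builds `oauth_url` and `detections_url` from `INSTANCE_REGION` without checking it, so an unset variable produces `https://.business-account.iam.eset.systems`; validating against the region list the ARM template allows would fail fast instead of at the first request.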
@@ -0,0 +1,49 @@
+from datetime import datetime
+
+from pydantic import BaseModel, Field
+
+
+class NetworkCommunication(BaseModel):
+ direction: str
+ localIpAddress: str
+ localPort: int
+ protocolName: str
+ remoteIpAddress: str
+ remotePort: int
+
+
+class Context(BaseModel):
+ circumstances: str
+ deviceUuid: str
+ process: dict[str, str]
+ userName: str
+
+
+class Response(BaseModel):
+ description: str
+ deviceRestartRequired: bool
+ displayName: str
+ protectionName: str
+
+
+class Detection(BaseModel):
+ context: Context
+ networkCommunication: NetworkCommunication
+ responses: list[Response]
+ category: str
+ displayName: str
+ objectHashSha1: str
+ objectName: str
+ objectTypeName: str
+ objectUrl: str
+ occurTime: str
+ TimeGenerated: str = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
+ severityLevel: str
+ typeName: str
+ customUuid: str = Field(alias="uuid")
+
+
+class Detections(BaseModel):
+ detections: list[Detection]
+ nextPageToken: str
+ totalSize: int
diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/py.typed b/Solutions/ESET Protect Platform/Data Connectors/integration/py.typed
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/ESET Protect Platform/Data Connectors/integration/utils.py b/Solutions/ESET Protect Platform/Data Connectors/integration/utils.py
new file mode 100644
index 00000000000..485561765a1
--- /dev/null
+++ b/Solutions/ESET Protect Platform/Data Connectors/integration/utils.py
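Review bot: `TimeGenerated: str = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")` evaluates its default once at import time, so every `Detection` parsed for the lifetime of the worker process carries the same timestamp instead of the time it was ingested. A factory computes it per instance, `TimeGenerated: str = Field(default_factory=lambda: datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))`, and also avoids `datetime.utcnow()`, which is deprecated since Python 3.12 (`timezone` would need to be imported alongside `datetime`). Since the model keeps the provider's `occurTime`, a per-instance `TimeGenerated` is what distinguishes ingestion time from event time in the custom table.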
@@ -0,0 +1,289 @@ +import asyncio +import logging +import typing as t +import urllib.parse +from datetime import datetime, timedelta, timezone + +import aiohttp +from aiohttp.client_exceptions import ClientResponseError +from azure.core.exceptions import HttpResponseError, ServiceRequestError +from azure.data.tables import TableServiceClient +from azure.identity.aio import DefaultAzureCredential +from azure.monitor.ingestion.aio import LogsIngestionClient +from cryptography.fernet import Fernet, InvalidToken +from integration.exceptions import ( + AuthenticationException, + InvalidCredentialsException, + MissingCredentialsException, + TokenRefreshException, +) +from integration.models import Config, EnvVariables, TokenStorage +from integration.models_detections import Detection, Detections +from pydantic import ValidationError + + +class RequestSender: + def __init__(self, config: Config, env_vars: EnvVariables): + self.config = config + self.env_vars = env_vars + + async def send_request( + self, + send_request_fun: ( + t.Callable[ + [aiohttp.client.ClientSession, str, str | None], t.Coroutine[t.Any, t.Any, dict[str, str | int] | t.Any] + ] + | t.Callable[ + [aiohttp.client.ClientSession, str | None], t.Coroutine[t.Any, t.Any, dict[str, str | int] | t.Any] + ] + ), + headers: dict[str, t.Any] | None = None, + *data: t.Any, + ) -> t.Dict[str, str | int] | None: + retries = 0 + + while retries < self.config.max_retries: + try: + async with aiohttp.ClientSession(headers=headers, raise_for_status=True) as session: + return await send_request_fun(session, *data) + + except ClientResponseError as e: + if e.status in [400, 401, 403]: + raise AuthenticationException(status=e.status, message=e.message) + + retries += 1 + logging.error( + f"Exception: {e.status} {e.message}. Request failed. 
" + f"Request retry attempt: {retries}/{self.config.max_retries}" + ) + await asyncio.sleep(self.config.retry_delay) + return None + + async def send_request_post( + self, session: aiohttp.client.ClientSession, grant_type: str | None + ) -> t.Dict[str, str | int] | t.Any: + logging.info("Sending token request") + + async with session.post( + url=f"{self.env_vars.oauth_url}/oauth/token", + data=urllib.parse.quote(f"grant_type={grant_type}", safe="=&/"), + timeout=self.config.requests_timeout, + ) as response: + return await response.json() + + async def send_request_get( + self, session: aiohttp.client.ClientSession, last_detection_time: str, next_page_token: str | None + ) -> t.Dict[str, str | int] | t.Any: + logging.info("Sending service request") + + async with session.get( + self.env_vars.detections_url, params=self._prepare_get_request_params(last_detection_time, next_page_token) + ) as response: + return await response.json() + + def _prepare_get_request_params(self, last_detection_time: str, next_page_token: str | None) -> dict[str, t.Any]: + params = {"pageSize": 100} + if next_page_token not in ["", None]: + params["pageToken"] = next_page_token # type: ignore[assignment] + if last_detection_time: + params["startTime"] = last_detection_time # type: ignore[assignment] + + return params + + +class TokenProvider: + def __init__(self, token: TokenStorage, requests_sender: RequestSender, env_vars: EnvVariables, buffer: int): + self.token = token + self.requests_sender = requests_sender + self.env_vars = env_vars + self.buffer = buffer + self.fernet = Fernet(self.env_vars.key_base64.encode("utf-8")) + self.storage_table_name = "TokenParams" + self.storage_table_handler = StorageTableHandler(self.env_vars.conn_str, self.storage_table_name) + self.storage_table_handler.set_entity() + + self.get_token_params_from_storage() + + def get_token_params_from_storage(self) -> None: + if not self.storage_table_handler.entities: + return None + for token_param in 
self.token.to_dict().keys(): + value = self.storage_table_handler.entities.get(token_param) + if isinstance(value, bytes): + try: + value = self.fernet.decrypt(value).decode("utf-8") + except InvalidToken: + logging.warning("Issue with decrypt: Invalid Token") + value = "" + setattr(self.token, token_param, value) + + async def get_token(self) -> None: + logging.info("Getting token") + + if not self.token.access_token and (not self.env_vars.username or not self.env_vars.password): + raise MissingCredentialsException() + + grant_type = ( + f"refresh_token&refresh_token={self.token.refresh_token}" + if self.token.access_token + else f"password&username={self.env_vars.username}&password={self.env_vars.password}" + ) + + try: + response = await self.requests_sender.send_request( + self.requests_sender.send_request_post, + {"Content-type": "application/x-www-form-urlencoded"}, + grant_type, + ) + except AuthenticationException as e: + if not self.token.access_token: + raise InvalidCredentialsException(e) + else: + self.storage_table_handler.input_entity({k: "" for k in self.token.to_dict()}) # type: ignore[call-arg] + raise TokenRefreshException(e) + + if response: + self.set_token_params_locally_and_in_storage(response) + logging.info("Token obtained successfully") + + def set_token_params_locally_and_in_storage(self, response: t.Dict[str, str | int]) -> None: + self.token.access_token = t.cast(str, response["access_token"]) + self.token.refresh_token = t.cast(str, response["refresh_token"]) + self.token.expiration_time = datetime.now(timezone.utc) + timedelta( + seconds=int(response["expires_in"]) - self.buffer + ) + self.storage_table_handler.input_entity( + { + k: self.fernet.encrypt(v.encode("utf-8")) if type(v) is str else v + for k, v in self.token.to_dict().items() + } + ) # type: ignore[call-arg] + + +class TransformerDetections: + def __init__(self, env_vars: EnvVariables) -> None: + self.env_vars = env_vars + + async def send_integration_detections( + self, 
detections: dict[str, t.Any] | None, last_detection: str | None + ) -> tuple[str | None, bool]: + validated_detections = self._validate_detections_data(detections) + if not validated_detections: + return last_detection, False + return await self._send_data_to_log_analytics_workspace(validated_detections, last_detection) + + def _validate_detections_data(self, response_data: dict[str, t.Any] | None) -> list[Detection] | None: + if not response_data: + logging.info("No new detections") + return None + try: + return Detections.model_validate(response_data).detections + except ValidationError as e: + logging.error(e) + validated_detections = [] + for detection in response_data.get("detections"): # type: ignore + try: + validated_detections.append(Detection.model_validate(detection)) + except ValidationError as e: + logging.error(e) + + return validated_detections + + async def _send_data_to_log_analytics_workspace( + self, validated_data: t.List[Detection], last_detection: str | None, successful_data_upload: bool = False + ) -> tuple[str | None, bool]: + credential = DefaultAzureCredential() # Env vars: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID + client = LogsIngestionClient(endpoint=self.env_vars.endpoint_uri, credential=credential, logging_enable=True) + + async with client: + try: + self._update_time_generated(validated_data) + dumped_data = [d.model_dump() for d in validated_data] + + await client.upload( + rule_id=self.env_vars.dcr_immutableid, + stream_name=self.env_vars.stream_name, + logs=dumped_data, # type: ignore[arg-type] + ) + last_detection = max(validated_data, key=lambda detection: detection.occurTime).occurTime + successful_data_upload = True + except ServiceRequestError as e: + logging.error(f"Authentication to Azure service failed: {e}") + except HttpResponseError as e: + logging.error(f"Upload failed: {e}") + + await credential.close() + return last_detection, successful_data_upload + + def _update_time_generated(self, validated_data: 
t.List[Detection]) -> None: + utc_now = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ") + for data in validated_data: + data.TimeGenerated = utc_now + + +class StorageTableHandler: + def __init__(self, env_conn_str: str, table_name_keys: str) -> None: + self.conn_str = env_conn_str + self.table_name_keys = table_name_keys + self.entities = None + self.table_client = None + + def with_table_client(func: t.Callable[[t.Any, t.Any], t.Any]) -> t.Callable[[t.Any], t.Any]: # type: ignore + def wrapper(storage_table_handler_instance, *args, **kwargs): # type: ignore[no-untyped-def] + try: + with TableServiceClient.from_connection_string( + conn_str=storage_table_handler_instance.conn_str + ) as table_service_client: + storage_table_handler_instance.table_client = table_service_client.create_table_if_not_exists( + table_name=storage_table_handler_instance.table_name_keys + ) + return func(storage_table_handler_instance, *args, **kwargs) + except ValueError as e: + raise ValueError(f"Connection string WEBSITE_CONTENTAZUREFILECONNECTIONSTRING value error: {e}") + + return wrapper + + @with_table_client # type: ignore + def set_entity(self) -> None: + if self.table_client: + self.entities = next(self.table_client.query_entities(""), None) + return None + + @with_table_client + def input_entity(self, new_entity: dict[str, t.Any]) -> None: + entity = { + "PartitionKey": self.table_name_keys, + "RowKey": self.table_name_keys, + "TimeGenerated": datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ"), + } | new_entity + try: + if self.table_client: + ( + self.table_client.update_entity(entity=entity) + if self.entities + else self.table_client.create_entity(entity=entity) + ) + logging.info(f"Entity: {self.table_name_keys} updated") + except Exception as e: + print("Exception occurred:", e) + + +class LastDetectionTimeHandler: + def __init__(self, storage_table_conn_str: str, env_last_occur_time: str) -> None: + self.storage_table_name = "LastDetectionTime" + self.storage_table_handler 
= StorageTableHandler(storage_table_conn_str, self.storage_table_name) + self.storage_table_handler.set_entity() + self.last_detection_time = self.get_last_occur_time(env_last_occur_time) + + def get_last_occur_time(self, env_last_occur_time: str) -> t.Any: + if self.storage_table_handler.entities: + return self.storage_table_handler.entities.get(self.storage_table_name) + return env_last_occur_time + + def get_entity_schema(self, cur_last_detection_time: str) -> dict[str, t.Any]: + return { + self.storage_table_name: ( + datetime.strptime(cur_last_detection_time, "%Y-%m-%dT%H:%M:%SZ") + timedelta(seconds=1) + ).isoformat() + + "Z" + } diff --git a/Solutions/ESET Protect Platform/Data Connectors/requirements.txt b/Solutions/ESET Protect Platform/Data Connectors/requirements.txt new file mode 100644 index 00000000000..ade7a02d953 --- /dev/null +++ b/Solutions/ESET Protect Platform/Data Connectors/requirements.txt 
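Review bot: In `TokenProvider.get_token` the username and password are interpolated into the body as `f"password&username={...}&password={...}"` and `send_request_post` then applies `urllib.parse.quote(..., safe="=&/")`, which deliberately leaves `&` and `=` unescaped, so a password containing either character yields a malformed form body and a 400 that surfaces as `InvalidCredentialsException`; passing a dict to `session.post(data=...)` lets aiohttp escape each field independently and keeps the secret out of a hand-built query string (the `send_request_fun` annotation would change from `str | None` to `dict[str, str] | None`). Separately, `StorageTableHandler.input_entity` catches bare `Exception` and `print`s it, and picks `create_entity` vs `update_entity` from `self.entities`, which is never refreshed after a create, so a second write in the same invocation (for example a refresh after the first token write) would fail on the existing entity and the new refresh token would be silently dropped; `self.table_client.upsert_entity(entity=entity)` with `logging.error(f"Entity update failed: {e}")` in place of `print` makes that path both correct and visible. `LogsIngestionClient(..., logging_enable=True)` also switches on azure-core's HTTP request/response logging, which writes the uploaded detection payloads into the function's log stream; that is better left off outside debugging. `_validate_detections_data` iterates `response_data.get("detections")` without a `or []` guard, so a payload whose validation failed because the key is absent raises `TypeError` instead of being logged.
```python
# TokenProvider.get_token — build a form dict instead of a pre-encoded string
form: dict[str, str] = (
    {"grant_type": "refresh_token", "refresh_token": self.token.refresh_token}
    if self.token.access_token
    else {"grant_type": "password", "username": self.env_vars.username, "password": self.env_vars.password}
)
# … unchanged: send_request(...) call, passing `form` where `grant_type` was passed …

# RequestSender.send_request_post — let aiohttp form-encode each field
async def send_request_post(
    self, session: aiohttp.client.ClientSession, form: dict[str, str] | None
) -> t.Dict[str, str | int] | t.Any:
    logging.info("Sending token request")
    async with session.post(
        url=f"{self.env_vars.oauth_url}/oauth/token",
        data=form,
        timeout=self.config.requests_timeout,
    ) as response:
        return await response.json()
```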
@@ -0,0 +1,30 @@ +aiohttp==3.9.5 ; python_version >= "3.11" and python_version < "4.0" +aiosignal==1.3.1 ; python_version >= "3.11" and python_version < "4.0" +annotated-types==0.7.0 ; python_version >= "3.11" and python_version < "4.0" +attrs==24.2.0 ; python_version >= "3.11" and python_version < "4.0" +azure-core==1.30.2 ; python_version >= "3.11" and python_version < "4.0" +azure-data-tables==12.5.0 ; python_version >= "3.11" and python_version < "4.0" +azure-functions==1.20.0 ; python_version >= "3.11" and python_version < "4.0" +azure-identity==1.17.1 ; python_version >= "3.11" and python_version < "4.0" +azure-monitor-ingestion==1.0.4 ; python_version >= "3.11" and python_version < "4.0" +certifi==2024.8.30 ; python_version >= "3.11" and python_version < "4.0" +cffi==1.17.1 ; python_version >= "3.11" and python_version < "4.0" and platform_python_implementation != "PyPy" +charset-normalizer==3.3.2 ; python_version >= "3.11" and python_version < "4.0" +cryptography==43.0.1 ; python_version >= "3.11" and python_version < "4.0" +frozenlist==1.4.1 ; python_version >= "3.11" and python_version < "4.0" +idna==3.10 ; python_version >= "3.11" and python_version < "4.0" +isodate==0.6.1 ; python_version >= "3.11" and python_version < "4.0" +msal-extensions==1.2.0 ; python_version >= "3.11" and python_version < "4.0" +msal==1.31.0 ; python_version >= "3.11" and python_version < "4.0" +multidict==6.1.0 ; python_version >= "3.11" and python_version < "4.0" +portalocker==2.10.1 ; python_version >= "3.11" and python_version < "4.0" +pycparser==2.22 ; python_version >= "3.11" and python_version < "4.0" and platform_python_implementation != "PyPy" +pydantic-core==2.20.1 ; python_version >= "3.11" and python_version < "4.0" +pydantic==2.8.2 ; python_version >= "3.11" and python_version < "4.0" +pyjwt[crypto]==2.9.0 ; python_version >= "3.11" and python_version < "4.0" +pyyaml==6.0.1 ; python_version >= "3.11" and python_version < "4.0" +requests==2.32.3 ; python_version >= 
"3.11" and python_version < "4.0" +six==1.16.0 ; python_version >= "3.11" and python_version < "4.0" +typing-extensions==4.12.2 ; python_version >= "3.11" and python_version < "4.0" +urllib3==2.2.3 ; python_version >= "3.11" and python_version < "4.0" +yarl==1.13.1 ; python_version >= "3.11" and python_version < "4.0" diff --git a/Solutions/ESET Protect Platform/Data/Solution_ESETProtectPlatform.json b/Solutions/ESET Protect Platform/Data/Solution_ESETProtectPlatform.json new file mode 100644 index 00000000000..b6813c11bcf --- /dev/null +++ b/Solutions/ESET Protect Platform/Data/Solution_ESETProtectPlatform.json @@ -0,0 +1,14 @@ +{ + "Name": "ESET Protect Platform", + "Author": "ESET", + "Logo": "", + "Description": "ESET Protect Platform solution for Microsoft Sentinel ingests detections from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). \n\n**Underlying Microsoft Technologies used:**\n\nThe ESET Protect Platform solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Logs Ingestion API in Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n", + "Data Connectors": [ + "Data Connectors/ESETProtectPlatform_API_FunctionApp.json" + ], + "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\ESET Protect Platform", + "Version": "1.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1Pconnector": false + } \ No newline at end of file 
diff --git a/Solutions/ESET Protect Platform/Package/3.0.0.zip b/Solutions/ESET Protect Platform/Package/3.0.0.zip new file mode 100644 index 00000000000..e998ac2e8b9 Binary files /dev/null and b/Solutions/ESET Protect Platform/Package/3.0.0.zip differ diff --git a/Solutions/ESET Protect Platform/Package/createUiDefinition.json b/Solutions/ESET Protect Platform/Package/createUiDefinition.json new file mode 100644 index 00000000000..11bb249e26d --- /dev/null +++ b/Solutions/ESET Protect Platform/Package/createUiDefinition.json 
@@ -0,0 +1,85 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ESET%20Protect%20Platform/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nESET Protect Platform solution for Microsoft Sentinel ingests detections from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). \n\n**Underlying Microsoft Technologies used:**\n\nThe ESET Protect Platform solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Logs Ingestion API in Azure Monitor](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview)\n\nb. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for ESET Protect Platform. You can get ESET Protect Platform custom log data in your Microsoft Sentinel workspace. 
After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/ESET Protect Platform/Package/mainTemplate.json b/Solutions/ESET Protect Platform/Package/mainTemplate.json new file mode 100644 index 00000000000..75f6456cd17 --- /dev/null +++ b/Solutions/ESET Protect Platform/Package/mainTemplate.json 
@@ -0,0 +1,393 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "ESET", + "comments": "Solution template for ESET Protect Platform" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } + }, + "variables": { + "_solutionName": "ESET Protect Platform", + "_solutionVersion": "3.0.0", + "solutionId": "eset.eset-protect-platform-solution", + "_solutionId": "[variables('solutionId')]", + "uiConfigId1": "ESETProtectPlatform", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "ESETProtectPlatform", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ESET Protect Platform data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "ESET Protect Platform (using Azure Functions)", + "publisher": "ESET", + "descriptionMarkdown": "The ESET Protect Platform data connector enables users to inject detections data from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). 
Integration REST API runs as scheduled Azure Function App.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "IntegrationTable_CL", + "baseQuery": "IntegrationTable_CL" + } + ], + "sampleQueries": [ + { + "description": "All table records sorted by time", + "query": "IntegrationTable_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "IntegrationTable_CL", + "lastDataReceivedQuery": "IntegrationTable_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "IntegrationTable_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ }, + { + "name": "Permission to register an application in Microsoft Entra ID", + "description": "Sufficient permissions to register an application with your Microsoft Entra tenant are required." + }, + { + "name": "Permission to assign a role to the registered application", + "description": "Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID is required." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** The ESET Protect Platform data connector uses Azure Functions to connect to the ESET Protect Platform via Eset Connect API to pull detections logs into Microsoft Sentinel. This process might result in additional data ingestion costs. See details on the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/)." + }, + { + "description": "Use this [instruction](https://help.eset.com/eset_connect/en-US/create_api_user_account.html) to create an ESET Connect API User account with **Login** and **Password**.", + "title": "Step 1 - Create an API user" + }, + { + "description": "Create a Microsoft Entra ID registered application by following the steps in the [Register a new application instruction.](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application#register-a-new-application)", + "title": "Step 2 - Create a registered application" + }, + { + "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. 
You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.", + "title": "Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "ESET Protect Platform", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ESET" + }, + "support": { + "name": "ESET Enterprise Integrations", + "email": "eset-enterpise-integration@eset.com", + "tier": "Partner", + "link": "https://help.eset.com/eset_connect/en-US/integrations.html" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "ESET Protect Platform (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": 
"[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "ESET Protect Platform", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ESET" + }, + "support": { + "name": "ESET Enterprise Integrations", + "email": "eset-enterpise-integration@eset.com", + "tier": "Partner", + "link": "https://help.eset.com/eset_connect/en-US/integrations.html" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "ESET Protect Platform (using Azure Functions)", + "publisher": "ESET", + "descriptionMarkdown": "The ESET Protect Platform data connector enables users to inject detections data from [ESET Protect Platform](https://www.eset.com/int/business/protect-platform/) using the provided [Integration REST API](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ESET%20Protect%20Platform/Data%20Connectors). 
Integration REST API runs as scheduled Azure Function App.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "IntegrationTable_CL", + "baseQuery": "IntegrationTable_CL" + } + ], + "dataTypes": [ + { + "name": "IntegrationTable_CL", + "lastDataReceivedQuery": "IntegrationTable_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "IntegrationTable_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "All table records sorted by time", + "query": "IntegrationTable_CL\n| sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ }, + { + "name": "Permission to register an application in Microsoft Entra ID", + "description": "Sufficient permissions to register an application with your Microsoft Entra tenant are required." + }, + { + "name": "Permission to assign a role to the registered application", + "description": "Permission to assign the Monitoring Metrics Publisher role to the registered application in Microsoft Entra ID is required." + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** The ESET Protect Platform data connector uses Azure Functions to connect to the ESET Protect Platform via Eset Connect API to pull detections logs into Microsoft Sentinel. This process might result in additional data ingestion costs. See details on the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/)." + }, + { + "description": "Use this [instruction](https://help.eset.com/eset_connect/en-US/create_api_user_account.html) to create an ESET Connect API User account with **Login** and **Password**.", + "title": "Step 1 - Create an API user" + }, + { + "description": "Create a Microsoft Entra ID registered application by following the steps in the [Register a new application instruction.](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application#register-a-new-application)", + "title": "Step 2 - Create a registered application" + }, + { + "description": "\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-EsetProtectionPlatform-azuredeploy)\n\n2. Select the name of the **Log Analytics workspace** associated with your Microsoft Sentinel. Select the same **Resource Group** as the Resource Group of the Log Analytics workspace.\n\n3. Type the parameters of the registered application in Microsoft Entra ID: **Azure Client ID**, **Azure Client Secret**, **Azure Tenant ID**, **Object ID**. 
You can find the **Object ID** on Azure Portal by following this path \n> Microsoft Entra ID -> Manage (on the left-side menu) -> Enterprise applications -> Object ID column (the value next to your registered application name).\n\n4. Provide the ESET Connect API user account **Login** and **Password** obtained in **Step 1**.", + "title": "Step 3 - Deploy the ESET Protect Platform data connector using the Azure Resource Manager (ARM) template" + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "ESET Protect Platform", + "publisherDisplayName": "ESET Enterprise Integrations", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

ESET Protect Platform solution for Microsoft Sentinel ingests detections from ESET Protect Platform using the provided Integration REST API.

\n

Underlying Microsoft Technologies used:

\n

The ESET Protect Platform solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Logs Ingestion API in Azure Monitor

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "ESET Protect Platform", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ESET" + }, + "support": { + "name": "ESET Enterprise Integrations", + "email": "eset-enterpise-integration@eset.com", + "tier": "Partner", + "link": "https://help.eset.com/eset_connect/en-US/integrations.html" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + ] + }, + "firstPublishDate": "2024-10-15", + "lastPublishDate": "2024-10-15", + "providers": [ + "ESET Enterprise Integrations" + ], + "categories": { + "domains": [ + "Security - Automation (SOAR)", + "Security - Threat Protection" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/ESET Protect Platform/Package/testParameters.json b/Solutions/ESET Protect Platform/Package/testParameters.json new file mode 100644 index 00000000000..e55ec41a9ac --- /dev/null +++ b/Solutions/ESET Protect Platform/Package/testParameters.json 
@@ -0,0 +1,24 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + } +} diff --git a/Solutions/ESET Protect Platform/ReleaseNotes.md b/Solutions/ESET Protect Platform/ReleaseNotes.md new file mode 100644 index 00000000000..e5dd5cf78c4 --- /dev/null +++ b/Solutions/ESET Protect Platform/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|---------------------------------------------| +| 3.0.0 | 04-11-2024 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/ESET Protect Platform/SolutionMetadata.json b/Solutions/ESET Protect Platform/SolutionMetadata.json new file mode 100644 index 00000000000..5e41a55f8d0 --- /dev/null +++ b/Solutions/ESET Protect Platform/SolutionMetadata.json @@ -0,0 +1,16 @@ +{ + "publisherId": "eset", + "offerId": "eset-protect-platform-solution", + "firstPublishDate": "2024-10-15", + "lastPublishDate": "2024-10-15", + "providers": ["ESET Enterprise Integrations"], + "categories": { + "domains" : ["Security - Automation (SOAR)", "Security - Threat Protection"] + }, + "support": { + "name": "ESET Enterprise Integrations", + "email": "eset-enterpise-integration@eset.com", + "tier": "Partner", + "link": "https://help.eset.com/eset_connect/en-US/integrations.html" + } +} 
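Review bot: The support address `eset-enterpise-integration@eset.com` in SolutionMetadata.json looks misspelled (`enterpise` for `enterprise`), and the same string is repeated verbatim in the mainTemplate.json metadata and contentPackages blocks of this commit, so if it is a typo it ships in every support link of the package; please confirm the mailbox before merging. The `firstPublishDate`/`lastPublishDate` value `2024-10-15` also disagrees with the `04-11-2024` date that ReleaseNotes.md gives for the initial 3.0.0 release, so one of the two should be corrected so package metadata and release notes agree.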
diff --git a/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json index 18fb4242e2f..34c02491a0b 100644 --- a/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json +++ b/Solutions/Ermes Browser Security/Data Connectors/ErmesBrowserSecurityEvents_ccp/data_connector_poller.json @@ -20,9 +20,7 @@ "TokenEndpointHeaders": { "Content-Type": "application/x-www-form-urlencoded" }, - "TokenEndpointQueryParameters": { - "grant_type": "client_credentials" - } + "TokenEndpointQueryParameters": {} }, "request": { "apiEndpoint": "https://api.shield.ermessecurity.com/public/v1/events", @@ -30,7 +28,7 @@ "queryParameters": { "max_results": 100, "sort": "-_created", - "is_azure": "3.0.1" + "is_azure": "[variables('_solutionVersion')]" }, "queryWindowInMin": 5, "queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.000000+00:00", diff --git a/Solutions/Ermes Browser Security/Package/3.0.3.zip b/Solutions/Ermes Browser Security/Package/3.0.3.zip index c7847b2b742..3185c0785d0 100644 Binary files a/Solutions/Ermes Browser Security/Package/3.0.3.zip and b/Solutions/Ermes Browser Security/Package/3.0.3.zip differ diff --git a/Solutions/Ermes Browser Security/Package/createUiDefinition.json b/Solutions/Ermes Browser Security/Package/createUiDefinition.json index 04cad3d20ff..2eb8029336a 100644 --- a/Solutions/Ermes Browser Security/Package/createUiDefinition.json +++ b/Solutions/Ermes Browser Security/Package/createUiDefinition.json 
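Review bot: Emptying `TokenEndpointQueryParameters` removes the only place in this file where `grant_type=client_credentials` was supplied, and nothing in the hunk shows where it is sent instead; the retained `Content-Type: application/x-www-form-urlencoded` header suggests the CCP OAuth2 client now places it in the form body, but that should be verified against the auth section of this poller (outside the hunk), since a missing grant type only surfaces as a token-endpoint error at runtime. The same edit is applied to the copy of this connector in mainTemplate.json at the `@@ -557,9 +557,7 @@` hunk below. The new `is_azure` value `[variables('_solutionVersion')]` is an ARM expression inside data_connector_poller.json, which declares no `variables` section of its own; presumably it is resolved when the packaging step inlines the poller into mainTemplate.json, otherwise the literal expression text would be sent as a query parameter to the Ermes API.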
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Ermes%20Browser%20Security/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Ermes Browser Security](https://www.ermes.company) Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Ermes%20Browser%20Security/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Ermes Browser Security](https://www.ermes.company) Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.\n\n**Data Connectors:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/Ermes Browser Security/Package/mainTemplate.json b/Solutions/Ermes Browser Security/Package/mainTemplate.json index 55bbf9be2ea..c599558e56e 100644 --- a/Solutions/Ermes Browser Security/Package/mainTemplate.json +++ b/Solutions/Ermes Browser Security/Package/mainTemplate.json 
@@ -557,9 +557,7 @@ "TokenEndpointHeaders": { "Content-Type": "application/x-www-form-urlencoded" }, - "TokenEndpointQueryParameters": { - "grant_type": "client_credentials" - } + "TokenEndpointQueryParameters": {} }, "request": { "apiEndpoint": "https://api.shield.ermessecurity.com/public/v1/events", @@ -567,7 +565,7 @@ "queryParameters": { "max_results": 100, "sort": "-_created", - "is_azure": "3.0.1" + "is_azure": "[variables('_solutionVersion')]" }, "queryWindowInMin": 5, "queryTimeFormat": "yyyy-MM-ddTHH:mm:ss.000000+00:00", @@ -612,7 +610,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Ermes Browser Security", "publisherDisplayName": "Ermes Cyber Security S.p.A.", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Ermes Browser Security Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.

\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Ermes Browser Security Solution for Microsoft Sentinel provides a simple way to ingest Security and Audit events from Ermes into Microsoft Sentinel.

\n

Data Connectors: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/Ermes Browser Security/ReleaseNotes.md b/Solutions/Ermes Browser Security/ReleaseNotes.md index a3e6c1091e2..d5462adbd8b 100644 --- a/Solutions/Ermes Browser Security/ReleaseNotes.md +++ b/Solutions/Ermes Browser Security/ReleaseNotes.md @@ -1,6 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|----------------------------------------------------| -| 3.0.3 | 19-02-2024 | Updated _solutionVersion to dataConnectorCCPVersion | -| 3.0.2 | 23-01-2024 | Updated paging type in **CCP Data Connector** | -| 3.0.1 | 28-11-2023 | Updated **CCP Data Connector** | +| 3.0.3 | 19-02-2024 | Updated _solutionVersion to dataConnectorCCPVersion.
Removed grant_type and added the Solution version to the query parameters | +| 3.0.2 | 23-01-2024 | Updated paging type in **CCP Data Connector** | +| 3.0.1 | 28-11-2023 | Updated **CCP Data Connector** | | 3.0.0 | 29-09-2023 | Initial Solution Release | diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Data/Solution_Fortinet-Fortigate.json b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Data/Solution_Fortinet-Fortigate.json index ec83126984b..3b7995cf2f7 100644 --- a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Data/Solution_Fortinet-Fortigate.json +++ b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Data/Solution_Fortinet-Fortigate.json 
@@ -3,10 +3,6 @@ "Author": "Microsoft - support@microsoft.com", "Logo": "", "Description": "Gain insight into your organization's network and improve your security operation capabilities with the [Fortinet FortiGate Next-generation Firewall](https://www.fortinet.com/products/next-generation-firewall) Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation. \n\n Playbooks are included to help in automated remediation \n\n For questions about [FortiGate](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortinet.fortinet_fortigate-vm_v5?tab=Overview), please contact Fortinet at [azuresales@fortinet.com](mailto:azuresales@fortinet.com).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", - "Data Connectors": [ - "Data Connectors/Fortinet-FortiGate.json", - "Data Connectors/template_Fortinet-FortiGateAma.json" - ], "Playbooks": [ "Playbooks/FortinetFortigateFunctionApp/azuredeploy.json", "Playbooks/FortinetCustomConnector/azuredeploy.json", @@ -21,7 +17,7 @@ "azuresentinel.azure-sentinel-solution-commoneventformat" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "Version": "3.0.6", + "Version": "3.0.7", "Metadata": "SolutionMetadata.json", "TemplateSpec": true } \ No newline at end of file 
diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/3.0.7.zip b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/3.0.7.zip new file mode 100644 index 00000000000..22f9405089b Binary files /dev/null and b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/3.0.7.zip differ diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/createUiDefinition.json b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/createUiDefinition.json index 3d36e030742..a683207bed8 100644 --- a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/createUiDefinition.json +++ b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Fortinet%20FortiGate%20Next-Generation%20Firewall%20connector%20for%20Microsoft%20Sentinel/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nGain insight into your organization's network and improve your security operation capabilities with the [Fortinet FortiGate Next-generation Firewall](https://www.fortinet.com/products/next-generation-firewall) Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation. \n\n Playbooks are included to help in automated remediation \n\n For questions about [FortiGate](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortinet.fortinet_fortigate-vm_v5?tab=Overview), please contact Fortinet at [azuresales@fortinet.com](mailto:azuresales@fortinet.com).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 1, **Custom Azure Logic Apps Connectors:** 1, **Function Apps:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Fortinet%20FortiGate%20Next-Generation%20Firewall%20connector%20for%20Microsoft%20Sentinel/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nGain insight into your organization's network and improve your security operation capabilities with the [Fortinet FortiGate Next-generation Firewall](https://www.fortinet.com/products/next-generation-firewall) Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation. \n\n Playbooks are included to help in automated remediation \n\n For questions about [FortiGate](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/fortinet.fortinet_fortigate-vm_v5?tab=Overview), please contact Fortinet at [azuresales@fortinet.com](mailto:azuresales@fortinet.com).\n\n This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation. \n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connector:** 1,**Workbooks:** 1, **Custom Azure Logic Apps Connectors:** 1, **Function Apps:** 1, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel. You can get Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/mainTemplate.json b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/mainTemplate.json index 7dc0b9e16eb..bab28c10f6b 100644 --- a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/mainTemplate.json +++ b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/Package/mainTemplate.json 
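Review bot: The rewritten description still advertises `**Data Connector:** 1,**Workbooks:** 1` although this commit removes both entries from the `Data Connectors` list in Solution_Fortinet-Fortigate.json, deletes the `dataconnectors` step from this file in the `@@ -51,30 +51,6 @@` hunk, and strips the data-connector variables and resources from mainTemplate.json, so the count no longer matches what the package deploys. If the intent is that the connector now comes from the Common Event Format dependency named in the description, the line should say so rather than count a connector the solution does not ship; otherwise it should read `**Workbooks:** 1, **Custom Azure Logic Apps Connectors:** 1, **Function Apps:** 1, **Playbooks:** 3`. The missing space after `1,` also suggests this string was hand-edited rather than regenerated by the packaging tool.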
@@ -41,27 +41,9 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "_solutionVersion": "3.0.6", + "_solutionVersion": "3.0.7", "solutionId": "azuresentinel.azure-sentinel-solution-fortinetfortigate", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "Fortinet", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "Fortinet", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "FortinetAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "FortinetAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - 
"_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "FortinetFortigateFunctionApp": "FortinetFortigateFunctionApp", "_FortinetFortigateFunctionApp": "[variables('FortinetFortigateFunctionApp')]", "playbookVersion1": "1.0", 
@@ -112,798 +94,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel data connector with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Fortinet via Legacy Agent", - "publisher": "Fortinet", - "logo": "FortinetLogo.svg", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated​\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 2, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": 
"Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py &&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine’s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ], - "title": "2. Forward Fortinet logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py &&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "metadata": { - "id": "19ecaeff-8959-4cb8-a11e-a150ecd5a494", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Fortinet" - }, - "support": { - "name": "Fortinet", - "link": "https://www.fortinet.com/support/contact", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": 
"Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Fortinet via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": 
"Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Fortinet via Legacy Agent", - "publisher": "Fortinet", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated​\n | sort by TimeGenerated" - } - ], - "availability": { - "status": 2, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - 
"featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python --version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py &&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine’s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ], - "title": "2. 
Forward Fortinet logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python --version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py &&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel data connector with template version 3.0.6", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Fortinet via AMA", - "publisher": "Fortinet", - "logo": "FortinetLogo.svg", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated​\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": 
"read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Fortinet logs to Syslog agent", - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine’s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ] - }, - { - "title": "Step C. 
Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. 
Secure your machine " - } - ], - "metadata": { - "id": "19ecaeff-8959-4cb8-a11e-a150ecd5a494", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Fortinet" - }, - "support": { - "name": "Fortinet", - "link": "https://www.fortinet.com/support/contact", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Fortinet via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Fortinet via AMA", - "publisher": "Fortinet", - "descriptionMarkdown": "The Fortinet firewall connector allows you to easily connect your Fortinet logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Fortinet", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Fortinet)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Fortinet'\n |where DeviceProduct =~ 'Fortigate'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | sort by TimeGenerated" - }, - { - "description": "Summarize by destination IP and port", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Fortinet\"\n| where DeviceProduct startswith \"Fortigate\"\n\n | summarize count() by DestinationIP, DestinationPort, TimeGenerated​\n | sort by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false, - "featureFlag": { - "feature": "FortinetConnector", - "featureStates": { - "1": 2, - "2": 2, - "3": 2, - "4": 2, - "5": 2, - "6": 1, - "7": 1 - } - } - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": 
"read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Fortinet logs to Syslog agent", - "description": "Set your Fortinet to send Syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine’s IP address.\n\n\nCopy the CLI commands below and:\n- Replace \"server <ip address>\" with the Syslog agent's IP address.\n- Set the \"<facility_name>\" to use the facility you configured in the Syslog agent (by default, the agent sets this to local4).\n- Set the Syslog port to 514, the port your agent uses.\n- To enable CEF format in early FortiOS versions, you may need to run the command \"set csv disable\".\n\nFor more information, go to the [Fortinet Document Library](https://aka.ms/asi-syslog-fortinet-fortinetdocumentlibrary), choose your version, and use the \"Handbook\" and \"Log Message Reference\" PDFs.\n\n[Learn more >](https://aka.ms/CEF-Fortinet)", - "instructions": [ - { - "parameters": { - "label": "Set up the connection using the CLI to run the following commands:", - "value": "config log syslogd setting\n set status enable\nset format cef\nset port 514\nset server \nend", - "rows": 8 - }, - "type": "CopyableLabel" - } - ] - }, - { - "title": "Step C. 
Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -913,7 +103,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FortinetFortigateFunctionApp Playbook with template version 3.0.6", + "description": "FortinetFortigateFunctionApp Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", 
@@ -1024,11 +214,11 @@ "appSettings": [ { "name": "AzureWebJobsStorage", - "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').keys[0].value)]" + "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').keys[0].value)]" }, { "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", - "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2022-09-01').keys[0].value)]" + "value": "[[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2023-04-01').keys[0].value)]" }, { "name": "WEBSITE_CONTENTSHARE", @@ -1192,7 +382,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FortinetCustomConnector Playbook with template version 3.0.6", + "description": "FortinetCustomConnector Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", 
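Review bot: The two rewritten `value` lines in hunk @@ -1024 still inline the storage account's primary key (`listKeys(...).keys[0].value`) into the `AzureWebJobsStorage` and `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` app settings, so bumping the `listKeys` API version leaves the key readable by anyone with reader access to the Function App configuration and pins the deployment to key1 until the template is redeployed. For `AzureWebJobsStorage` an identity-based connection (`AzureWebJobsStorage__accountName` plus a Storage Blob Data Owner role assignment for the app's identity) avoids materializing the key at all; where a full connection string is unavoidable, a Key Vault reference keeps it out of plain app settings and makes rotation a vault operation. The enclosing Function App resource begins and ends outside the hunk, so I cannot see whether a managed identity is already declared for it.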
@@ -2801,7 +1991,7 @@ ], "metadata": { "comments": "This Fortinet custom connector uses Fortinet-Fortigate API to perform different actions on Forinet VM", - "lastUpdateTime": "2024-08-22T10:53:14.293Z", + "lastUpdateTime": "2024-11-11T16:34:06.399Z", "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", @@ -2833,7 +2023,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Fortinet-FortiGate-IPEnrichment Playbook with template version 3.0.6", + "description": "Fortinet-FortiGate-IPEnrichment Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -6286,10 +5476,7 @@ "type": "Microsoft.Logic/workflows", "location": "[[variables('workspace-location-inline')]", "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('User Identifier Name'))]": {} - } + "type": "UserAssigned" }, "apiVersion": "2016-06-01", "tags": { @@ -6396,7 +5583,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Fortinet-FortiGate-ResponseOnBlockIP Playbook with template version 3.0.6", + "description": "Fortinet-FortiGate-ResponseOnBlockIP Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", 
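Review bot: In hunk @@ -6286 the identity block is reduced to `"identity": { "type": "UserAssigned" }` with the `userAssignedIdentities` map removed, so the Logic App declares a user-assigned identity but names none; Resource Manager is likely to reject this at deployment, and if it does not, any connection in the workflow that authenticates with that identity will fail at run time. The same removal appears in hunk @@ -6515 on the next line. If the goal is to drop the `User Identifier Name` parameter, the block should become `"identity": { "type": "SystemAssigned" }` with the dependent connections' authentication updated to match, or be removed entirely; if the identity is still needed, the map must be restored. The enclosing Microsoft.Logic/workflows resource begins and ends outside the hunk, so I cannot confirm which connections reference the identity.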
@@ -6515,10 +5702,7 @@ "name": "[[parameters('PlaybookName')]", "location": "[[variables('workspace-location-inline')]", "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('User Identifier Name'))]": {} - } + "type": "UserAssigned" }, "dependsOn": [ "[[resourceId('Microsoft.Web/connections', variables('FortinetConnectorConnectionName'))]", @@ -10482,7 +9666,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Fortinet-FortiGate-ResponseOnBlockURL Playbook with template version 3.0.6", + "description": "Fortinet-FortiGate-ResponseOnBlockURL Playbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -12091,7 +11275,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Fortigate Workbook with template version 3.0.6", + "description": "Fortigate Workbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -12147,10 +11331,6 @@ "contentId": "CommonSecurityLog", "kind": "DataType" }, - { - "contentId": "Fortinet", - "kind": "DataConnector" - }, { "contentId": "CefAma", "kind": "DataConnector" 
@@ -12179,12 +11359,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.6", + "version": "3.0.7", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Gain insight into your organization's network and improve your security operation capabilities with the Fortinet FortiGate Next-generation Firewall Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation.

\n

Playbooks are included to help in automated remediation

\n

For questions about FortiGate, please contact Fortinet at azuresales@fortinet.com.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Function Apps: 1, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Gain insight into your organization's network and improve your security operation capabilities with the Fortinet FortiGate Next-generation Firewall Solution for Microsoft Sentinel. It allows you to easily connect your FortiGate logs with Microsoft Sentinel. This enables you to view dashboards, create custom alerts, and improve investigation.

\n

Playbooks are included to help in automated remediation

\n

For questions about FortiGate, please contact Fortinet at azuresales@fortinet.com.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connector: 1,Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Function Apps: 1, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -12208,16 +11388,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "AzureFunction", "contentId": "[variables('_FortinetFortigateFunctionApp')]", diff --git a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md index 43c087e94b8..a5dd7855c87 100644 --- a/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md +++ b/Solutions/Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-----------------------------------------------------------------------------------------| +| 3.0.7 | 11-11-2024 |Removed Deprecated data connectors | | 3.0.6 | 22-08-2024 |Deprecated data connectors | | 3.0.5 | 05-04-2024 |Workbook queries are optimized to fix timeout issues | | 3.0.4 | 29-01-2024 |Classic app insights to Log analytics | diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml index 7c4d1b07b26..41d20c1937d 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml 
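Review bot: The new `descriptionHtml` text reads `Data Connector: 1,Workbooks: 1` with no space after the comma, which renders as a run-on in the content hub; the line should read `Data Connectors: 1, Workbooks: 1, Custom Azure Logic Apps Connectors: 1, Function Apps: 1, Playbooks: 3`. The unchanged sentence `The existing connectors are about to be deprecated by Aug 31, 2024.` is also stale in a 3.0.7 package dated 2024-11-11 whose @@ -12208 hunk removes both data-connector dependency criteria; reword it to state that the legacy connectors have been removed and that the CEF via AMA connector is the supported path. This string is presumably generated from the solution's data input file, so the wording fix belongs there.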
@@ -1,5 +1,5 @@ id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa -name: Detect Connections Outside Operational Hours +name: GSA - Detect Connections Outside Operational Hours description: This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations. severity: High status: Available @@ -36,5 +36,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml index f9e25e2e0a8..b518991bcb6 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml @@ -1,5 +1,5 @@ id: 57abf863-1c1e-46c6-85b2-35370b712c1e -name: Detect IP Address Changes and Overlapping Sessions +name: GSA - Detect IP Address Changes and Overlapping Sessions description: | This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times. severity: High 
@@ -18,22 +18,37 @@ relevantTechniques: - T1078 - T1133 query: | - // Identify sessions - let sessions = - NetworkAccessTraffic - | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), SourceIps = make_set(SourceIp) by DeviceId, UserPrincipalName, SessionId - | sort by StartTime asc; - // Check for changed IP addresses and overlapping session times - sessions - | extend PreviousSourceIps = prev(SourceIps, 1) - | extend PreviousEndTime = prev(EndTime, 1) - | extend PreviousDeviceId = prev(DeviceId, 1) - | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1) - | where DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName - | where set_difference(SourceIps, PreviousSourceIps) != dynamic([]) // Check if the current and previous IP sets differ - | where PreviousEndTime > StartTime // Check for overlapping session times - | project DeviceId, UserPrincipalName, SourceIps, PreviousSourceIps, StartTime, EndTime, PreviousEndTime - | extend IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), AccountCustomEntity = UserPrincipalName + // Identify sessions + let sessions = + NetworkAccessTraffic + | summarize + StartTime = min(TimeGenerated), + EndTime = max(TimeGenerated), + SourceIps = make_set(SourceIp) + by DeviceId, UserPrincipalName, SessionId + | sort by StartTime asc; + // Check for changed IP addresses and overlapping session times + sessions + | extend PreviousSourceIps = prev(SourceIps, 1) + | extend PreviousEndTime = prev(EndTime, 1) + | extend PreviousDeviceId = prev(DeviceId, 1) + | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1) + | where DeviceId == PreviousDeviceId + and UserPrincipalName == PreviousUserPrincipalName + | where array_length(set_difference(SourceIps, PreviousSourceIps)) > 0 // Check if the current and previous IP sets differ + | where PreviousEndTime > StartTime // Check for overlapping session 
times + | project + DeviceId, + UserPrincipalName, + SourceIps, + PreviousSourceIps, + StartTime, + EndTime, + PreviousEndTime + | extend + IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), + PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), + AccountCustomEntity = UserPrincipalName entityMappings: - entityType: Account fieldMappings: @@ -43,5 +58,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.0 +version: 1.0.2 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml index 8481644cb79..9d659589c2e 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml @@ -121,9 +121,5 @@ entityMappings: columnName: UserWhoDeletedAccountName - identifier: UPNSuffix columnName: UserWhoDeletedAccountUPNSuffix - - entityType: IP - fieldMappings: - - identifier: Address - columnName: ClientIP -version: 2.1.3 +version: 2.1.4 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml index 256c1fac3da..940b571889d 100644 --- a/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml 
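Review bot: The rewritten query still orders the `sessions` table only with `| sort by StartTime asc;`, so `prev()` compares each session with whatever session happened to start just before it across all devices and users, and the later `where DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName` filter then discards most pairs; an overlapping session for the same identity is missed whenever another user's session is interleaved between them. Sorting by the identity first, `| sort by DeviceId asc, UserPrincipalName asc, StartTime asc;`, makes `prev()` look at the same device/user's previous session and keeps the existing filter as a guard at partition boundaries. The `array_length(set_difference(...)) > 0` change itself is an improvement and is unaffected by this.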
@@ -23,53 +23,85 @@ relevantTechniques: - T1114 - T1020 query: | - // OfficeActivity Query - let officeActivityQuery = OfficeActivity - | where OfficeWorkload == "Exchange" - | where Operation in~ ("New-TransportRule", "Set-TransportRule") - | mv-apply DynamicParameters = todynamic(Parameters) on ( - summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)) - ) - | extend RuleName = case( - Operation =~ "Set-TransportRule", OfficeObjectId, - Operation =~ "New-TransportRule", ParsedParameters.Name, - "Unknown" - ) - | mv-expand ExpandedParameters = todynamic(Parameters) - | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value) - | extend RedirectTo = ExpandedParameters.Value - | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0] - | extend From = ParsedParameters.From - | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters - | extend AccountName = tostring(split(UserId, "@")[0]), - AccountUPNSuffix = tostring(split(UserId, "@")[1]); - // EnrichedMicrosoft365AuditLogs Query - let enrichedLogsQuery = EnrichedMicrosoft365AuditLogs - | where Workload == "Exchange" - | where Operation in~ ("New-TransportRule", "Set-TransportRule") - | extend AdditionalProps = parse_json(AdditionalProperties) - | mv-apply DynamicParameters = todynamic(AdditionalProps.Parameters) on ( - summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)) - ) - | extend RuleName = case( - Operation =~ "Set-TransportRule", ObjectId, - Operation =~ "New-TransportRule", ParsedParameters.Name, - "Unknown" - ) - | mv-expand ExpandedParameters = todynamic(AdditionalProps.Parameters) - | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and 
isnotempty(ExpandedParameters.Value) - | extend RedirectTo = ExpandedParameters.Value - | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIp)[0] - | extend From = ParsedParameters.From - | extend UserAgent = tostring(AdditionalProps.UserAgent) - | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters = tostring(AdditionalProps.Parameters), UserAgent - | extend AccountName = tostring(split(UserId, "@")[0]), - AccountUPNSuffix = tostring(split(UserId, "@")[1]); - // Combine both queries - union isfuzzy=true officeActivityQuery, enrichedLogsQuery - | summarize arg_min(TimeGenerated, *) by RuleName, RedirectTo - | project TimeGenerated, RedirectTo, IPAddress, Port, UserId, From, Operation, RuleName, Parameters, AccountName, AccountUPNSuffix - | order by TimeGenerated desc; + // OfficeActivity Query + let officeActivityQuery = OfficeActivity + | where OfficeWorkload == "Exchange" + | where Operation in~ ("New-TransportRule", "Set-TransportRule") + | mv-apply DynamicParameters = todynamic(Parameters) on ( + summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)) + ) + | extend RuleName = case( + Operation =~ "Set-TransportRule", OfficeObjectId, + Operation =~ "New-TransportRule", ParsedParameters.Name, + "Unknown" + ) + | mv-expand ExpandedParameters = todynamic(Parameters) + | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value) + | extend RedirectTo = tostring(ExpandedParameters.Value) // Cast to string + | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0] + | extend From = ParsedParameters.From + | project + TimeGenerated, + RedirectTo, + IPAddress = 
tostring(ClientIPValues[0]), + Port = tostring(ClientIPValues[1]), + UserId, + From, + Operation, + RuleName, + Parameters + | extend + AccountName = tostring(split(UserId, "@")[0]), + AccountUPNSuffix = tostring(split(UserId, "@")[1]); + // EnrichedMicrosoft365AuditLogs Query + let enrichedLogsQuery = EnrichedMicrosoft365AuditLogs + | where Workload == "Exchange" + | where Operation in~ ("New-TransportRule", "Set-TransportRule") + | extend AdditionalProps = parse_json(AdditionalProperties) + | mv-apply DynamicParameters = todynamic(AdditionalProps.Parameters) on ( + summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value)) + ) + | extend RuleName = case( + Operation =~ "Set-TransportRule", ObjectId, + Operation =~ "New-TransportRule", ParsedParameters.Name, + "Unknown" + ) + | mv-expand ExpandedParameters = todynamic(AdditionalProps.Parameters) + | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value) + | extend RedirectTo = tostring(ExpandedParameters.Value) // Cast to string + | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIp)[0] + | extend From = ParsedParameters.From + | extend UserAgent = tostring(AdditionalProps.UserAgent) + | project + TimeGenerated, + RedirectTo, + IPAddress = tostring(ClientIPValues[0]), + Port = tostring(ClientIPValues[1]), + UserId, + From, + Operation, + RuleName, + Parameters = tostring(AdditionalProps.Parameters), + UserAgent + | extend + AccountName = tostring(split(UserId, "@")[0]), + AccountUPNSuffix = tostring(split(UserId, "@")[1]); + // Combine both queries + union isfuzzy=true officeActivityQuery, enrichedLogsQuery + | summarize arg_min(TimeGenerated, *) by RuleName, RedirectTo + | project + TimeGenerated, + RedirectTo, + IPAddress, + Port, + UserId, + From, + Operation, + RuleName, + Parameters, + AccountName, + AccountUPNSuffix + 
| order by TimeGenerated desc entityMappings: - entityType: Account fieldMappings: @@ -83,5 +115,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 2.1.4 +version: 2.1.5 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml index 137210a2b0a..8cae3de7ca2 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml @@ -1,5 +1,5 @@ id: e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b -name: Detect Abnormal Deny Rate for Source to Destination IP +name: GSA - Detect Abnormal Deny Rate for Source to Destination IP description: | Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules. configurableParameters: @@ -54,5 +54,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: DestinationIp -version: 1.0.0 +version: 1.0.1 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml index cfb6b7509f2..a195c01775c 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml 
@@ -1,5 +1,5 @@ id: f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a -name: Detect Protocol Changes for Destination Ports +name: GSA - Detect Protocol Changes for Destination Ports description: | Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes. @@ -50,5 +50,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: FqdnCustomEntity -version: 1.0.0 +version: 1.0.1 kind: Scheduled diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml index 1c2f4ebeb1e..9cb257bc4b7 100644 --- a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml +++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml @@ -1,5 +1,5 @@ id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1 -name: Detect Source IP Scanning Multiple Open Ports +name: GSA - Detect Source IP Scanning Multiple Open Ports description: | Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access. Configurable Parameters: @@ -25,9 +25,9 @@ query: | NetworkAccessTraffic | where TimeGenerated > ago(1d) | where Action == 'Allowed' - | summarize PortsScanned = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, port_scan_time) + | summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time) | where PortsScanned > min_ports_threshold - | project SourceIp, PortsScanned, TimeGenerated + | project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn entityMappings: - entityType: IP fieldMappings: 
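Review bot: Adding `DestinationFqdn` to the `summarize ... by` clause changes what `PortsScanned` measures: the distinct-port count is now per source/destination pair and bin, so a source touching a few ports on each of many destinations no longer crosses `min_ports_threshold`, while the `description` above the hunk still describes "a source IP scanning multiple open ports" without that qualification. Please document the new grouping in the description, e.g. `Ports are counted per source IP and destination FQDN within each port_scan_time window.`, and consider whether an additional per-source summarize is wanted to keep the original horizontal-scan coverage. Style: the new `project` line lacks a space after the comma, `| project SourceIp, PortsScanned, TimeGenerated, DestinationFqdn`.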
@@ -36,6 +36,6 @@ entityMappings: - entityType: URL fieldMappings: - identifier: Url - columnName: Fqdn -version: 1.0.0 + columnName: DestinationFqdn +version: 1.0.1 kind: Scheduled diff --git a/Solutions/Global Secure Access/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml b/Solutions/Global Secure Access/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml index d32cfda7041..e273707ca43 100644 --- a/Solutions/Global Secure Access/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml +++ b/Solutions/Global Secure Access/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml 
@@ -14,77 +14,116 @@ tags: - Solorigate - NOBELIUM query: | - let starttime = todatetime('{{StartTimeISO}}'); - let endtime = todatetime('{{EndTimeISO}}'); - let lookback = totimespan((endtime - starttime) * 2); - let user_threshold = 1; // Threshold for number of mailboxes accessed - let folder_threshold = 5; // Threshold for number of mailbox folders accessed - // OfficeActivity Query - let OfficeEvents = OfficeActivity - | where TimeGenerated between (ago(lookback)..starttime) - | where Operation =~ "MailItemsAccessed" - | where ResultStatus =~ "Succeeded" - | where tolower(MailboxOwnerUPN) != tolower(UserId) - | join kind=rightanti ( - OfficeActivity - | where TimeGenerated between (starttime..endtime) - | where Operation =~ "MailItemsAccessed" - | where ResultStatus =~ "Succeeded" - | where tolower(MailboxOwnerUPN) != tolower(UserId) - ) on MailboxOwnerUPN, UserId - | where isnotempty(Folders) - | mv-expand parse_json(Folders) - | extend folders = tostring(Folders.Path) - | extend ClientIP = iif(Client_IPAddress startswith "[", extract("\\[([^\\]]*)", 1, Client_IPAddress), Client_IPAddress) - | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), set_folders = make_set(folders, 100000), set_ClientInfoString = make_set(ClientInfoString, 100000), set_ClientIP = make_set(ClientIP, 100000), set_MailboxGuid = make_set(MailboxGuid, 100000), set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) by UserId - | extend folder_count = array_length(set_folders) - | extend user_count = array_length(set_MailboxGuid) - | where user_count > user_threshold or folder_count > folder_threshold - | extend Reason = case(user_count > user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", folder_count > folder_threshold and user_count < user_threshold, "Folder Count Threshold Exceeded", "User Threshold Exceeded") - | sort by user_count desc - | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, 
set_ClientIP, set_ClientInfoString, set_folders - | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) - | extend Account_0_Name = AccountName - | extend Account_0_UPNSuffix = AccountUPNSuffix; - // EnrichedMicrosoft365AuditLogs Query - let EnrichedEvents = EnrichedMicrosoft365AuditLogs - | where TimeGenerated between (ago(lookback)..starttime) - | where Operation =~ "MailItemsAccessed" - | where ResultStatus =~ "Succeeded" - | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN) - | where tolower(MailboxOwnerUPN) != tolower(UserId) - | join kind=rightanti ( - EnrichedMicrosoft365AuditLogs - | where TimeGenerated between (starttime..endtime) - | where Operation =~ "MailItemsAccessed" - | where ResultStatus =~ "Succeeded" - | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN) - | where tolower(MailboxOwnerUPN) != tolower(UserId) - ) on MailboxOwnerUPN, UserId - | where isnotempty(tostring(parse_json(AdditionalProperties).Folders)) - | mv-expand Folders = parse_json(AdditionalProperties).Folders - | extend folders = tostring(Folders.Path) - | extend ClientIP = iif(ClientIp startswith "[", extract("\\[([^\\]]*)", 1, ClientIp), ClientIp) - | extend ClientInfoString = tostring(parse_json(AdditionalProperties).ClientInfoString) - | extend MailboxGuid = tostring(parse_json(AdditionalProperties).MailboxGuid) - | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), set_folders = make_set(folders, 100000), set_ClientInfoString = make_set(ClientInfoString, 100000), set_ClientIP = make_set(ClientIP, 100000), set_MailboxGuid = make_set(MailboxGuid, 100000), set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) by UserId - | extend folder_count = array_length(set_folders) - | extend user_count = array_length(set_MailboxGuid) - | where user_count > user_threshold or folder_count > folder_threshold - | extend Reason = case(user_count > 
user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", folder_count > folder_threshold and user_count < user_threshold, "Folder Count Threshold Exceeded", "User Threshold Exceeded") - | sort by user_count desc - | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders - | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) - | extend Account_0_Name = AccountName - | extend Account_0_UPNSuffix = AccountUPNSuffix; - // Combine Office and Enriched Logs - let CombinedEvents = OfficeEvents - | union EnrichedEvents - | summarize arg_min(StartTime, *) by UserId, ClientIP; - // Final Output - CombinedEvents - | project UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders, AccountName, AccountUPNSuffix - | order by user_count desc + let starttime = todatetime('{{StartTimeISO}}'); + let endtime = todatetime('{{EndTimeISO}}'); + let lookback = totimespan((endtime - starttime) * 2); + let user_threshold = 1; // Threshold for number of mailboxes accessed + let folder_threshold = 5; // Threshold for number of mailbox folders accessed + // OfficeActivity Query + let OfficeEvents = OfficeActivity + | where TimeGenerated between (ago(lookback)..starttime) + | where Operation =~ "MailItemsAccessed" + | where ResultStatus =~ "Succeeded" + | where tolower(MailboxOwnerUPN) != tolower(UserId) + | join kind=rightanti ( + OfficeActivity + | where TimeGenerated between (starttime..endtime) + | where Operation =~ "MailItemsAccessed" + | where ResultStatus =~ "Succeeded" + | where tolower(MailboxOwnerUPN) != tolower(UserId) + ) on MailboxOwnerUPN, UserId + | where isnotempty(Folders) + | mv-expand ParsedFolders = parse_json(Folders) + | extend folders = tostring(ParsedFolders.Path) + | extend ClientIP = iif(Client_IPAddress startswith "[", extract("\\[([^\\]]*)", 1, Client_IPAddress), 
Client_IPAddress) + | summarize + StartTime = max(TimeGenerated), + EndTime = min(TimeGenerated), + set_folders = make_set(folders, 100000), + set_ClientInfoString = make_set(ClientInfoString, 100000), + set_ClientIP = make_set(ClientIP, 100000), + set_MailboxGuid = make_set(MailboxGuid, 100000), + set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) + by UserId + | extend + folder_count = array_length(set_folders), + user_count = array_length(set_MailboxGuid) + | where user_count > user_threshold or folder_count > folder_threshold + | extend Reason = case( + user_count > user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", + folder_count > folder_threshold and user_count <= user_threshold, "Folder Count Threshold Exceeded", + "User Threshold Exceeded") + | sort by user_count desc + | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders + | extend + AccountName = tostring(split(UserId, "@")[0]), + AccountUPNSuffix = tostring(split(UserId, "@")[1]); + // EnrichedMicrosoft365AuditLogs Query + let EnrichedEvents = EnrichedMicrosoft365AuditLogs + | where TimeGenerated between (ago(lookback)..starttime) + | where Operation =~ "MailItemsAccessed" + | where ResultStatus =~ "Succeeded" + | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN) + | where tolower(MailboxOwnerUPN) != tolower(UserId) + | join kind=rightanti ( + EnrichedMicrosoft365AuditLogs + | where TimeGenerated between (starttime..endtime) + | where Operation =~ "MailItemsAccessed" + | where ResultStatus =~ "Succeeded" + | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN) + | where tolower(MailboxOwnerUPN) != tolower(UserId) + ) on MailboxOwnerUPN, UserId + | where isnotempty(tostring(parse_json(AdditionalProperties).Folders)) + | mv-expand ParsedFolders = parse_json(AdditionalProperties).Folders + | extend folders = 
tostring(ParsedFolders.Path) + | extend ClientIP = iif(ClientIp startswith "[", extract("\\[([^\\]]*)", 1, ClientIp), ClientIp) + | extend ClientInfoString = tostring(parse_json(AdditionalProperties).ClientInfoString) + | extend MailboxGuid = tostring(parse_json(AdditionalProperties).MailboxGuid) + | summarize + StartTime = max(TimeGenerated), + EndTime = min(TimeGenerated), + set_folders = make_set(folders, 100000), + set_ClientInfoString = make_set(ClientInfoString, 100000), + set_ClientIP = make_set(ClientIP, 100000), + set_MailboxGuid = make_set(MailboxGuid, 100000), + set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) + by UserId + | extend + folder_count = array_length(set_folders), + user_count = array_length(set_MailboxGuid) + | where user_count > user_threshold or folder_count > folder_threshold + | extend Reason = case( + user_count > user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", + folder_count > folder_threshold and user_count <= user_threshold, "Folder Count Threshold Exceeded", + "User Threshold Exceeded") + | sort by user_count desc + | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders + | extend + AccountName = tostring(split(UserId, "@")[0]), + AccountUPNSuffix = tostring(split(UserId, "@")[1]); + // Combine Office and Enriched Logs + let CombinedEvents = OfficeEvents + | union EnrichedEvents + | mv-expand ClientIP = set_ClientIP // Expand the set_ClientIP into individual ClientIP rows + | extend ClientIP = tostring(ClientIP) // Explicitly cast ClientIP to string + | summarize arg_min(StartTime, *) by UserId, ClientIP + // Define AccountName and AccountUPNSuffix after summarize to ensure they're available + | extend + AccountName = tostring(split(UserId, "@")[0]), + AccountUPNSuffix = tostring(split(UserId, "@")[1]); + // Final Output + CombinedEvents + | project + UserId, + user_count, + folder_count, + set_MailboxOwnerUPN, + 
set_ClientIP, + set_ClientInfoString, + set_folders, + AccountName, + AccountUPNSuffix + | order by user_count desc entityMappings: - entityType: Account fieldMappings: @@ -92,4 +131,4 @@ entityMappings: columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix -version: 2.0.2 +version: 2.0.3 diff --git a/Solutions/Global Secure Access/Package/3.0.0.zip b/Solutions/Global Secure Access/Package/3.0.0.zip index cf955a94a0e..6145e17ffcd 100644 Binary files a/Solutions/Global Secure Access/Package/3.0.0.zip and b/Solutions/Global Secure Access/Package/3.0.0.zip differ diff --git a/Solutions/Global Secure Access/Package/createUiDefinition.json b/Solutions/Global Secure Access/Package/createUiDefinition.json index ab866d954b8..f3d85d5a148 100644 --- a/Solutions/Global Secure Access/Package/createUiDefinition.json +++ b/Solutions/Global Secure Access/Package/createUiDefinition.json @@ -80,7 +80,7 @@ { "name": "workbook1", "type": "Microsoft.Common.Section", - "label": "Microsoft Global Secure Access Enriched M365 Logs", + "label": "Enriched Microsoft 365 logs Workbook", "elements": [ { "name": "workbook1-text", @@ -94,7 +94,7 @@ { "name": "workbook2", "type": "Microsoft.Common.Section", - "label": "Microsoft Global Secure Access Traffic Logs", + "label": "Network Traffic Insights", "elements": [ { "name": "workbook2-text", @@ -136,7 +136,7 @@ { "name": "analytic1", "type": "Microsoft.Common.Section", - "label": "Detect Connections Outside Operational Hours", + "label": "GSA - Detect Connections Outside Operational Hours", "elements": [ { "name": "analytic1-text", @@ -150,7 +150,7 @@ { "name": "analytic2", "type": "Microsoft.Common.Section", - "label": "Detect IP Address Changes and Overlapping Sessions", + "label": "GSA - Detect IP Address Changes and Overlapping Sessions", "elements": [ { "name": "analytic2-text", 
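Review bot: Both branches compute a `Reason` column (which threshold was exceeded) but the final `project` in `CombinedEvents` drops it, along with the `ClientIP` value that the new `mv-expand ClientIP = set_ClientIP` step uses as a grouping key, so an analyst sees one row per user and client IP without being told why it fired or which IP the row represents; add `ClientIP` and `Reason` to the final `project` list. The description of the hunting query (outside this hunk) should also say that results are now one row per `UserId`/`ClientIP` pair rather than per user, since `summarize arg_min(StartTime, *) by UserId, ClientIP` changes the output shape from version 2.0.2. The `user_count <= user_threshold` fix in the `Reason` case is correct and closes the gap the old `<` left when the counts were equal.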
@@ -360,7 +360,7 @@ { "name": "analytic17", "type": "Microsoft.Common.Section", - "label": "Detect Abnormal Deny Rate for Source to Destination IP", + "label": "GSA - Detect Abnormal Deny Rate for Source to Destination IP", "elements": [ { "name": "analytic17-text", @@ -374,7 +374,7 @@ { "name": "analytic18", "type": "Microsoft.Common.Section", - "label": "Detect Protocol Changes for Destination Ports", + "label": "GSA - Detect Protocol Changes for Destination Ports", "elements": [ { "name": "analytic18-text", @@ -388,7 +388,7 @@ { "name": "analytic19", "type": "Microsoft.Common.Section", - "label": "Detect Source IP Scanning Multiple Open Ports", + "label": "GSA - Detect Source IP Scanning Multiple Open Ports", "elements": [ { "name": "analytic19-text", diff --git a/Solutions/Global Secure Access/Package/mainTemplate.json b/Solutions/Global Secure Access/Package/mainTemplate.json index d962276efd5..4f1d323bb5b 100644 --- a/Solutions/Global Secure Access/Package/mainTemplate.json +++ b/Solutions/Global Secure Access/Package/mainTemplate.json @@ -30,7 +30,7 @@ }, "workbook1-name": { "type": "string", - "defaultValue": "Microsoft Global Secure Access Enriched M365 Logs", + "defaultValue": "Enriched Microsoft 365 logs Workbook", "minLength": 1, "metadata": { "description": "Name for the workbook" @@ -38,7 +38,7 @@ }, "workbook2-name": { "type": "string", - "defaultValue": "Microsoft Global Secure Access Traffic Logs", + "defaultValue": "Network Traffic Insights", "minLength": 1, "metadata": { "description": "Name for the workbook" 
@@ -66,18 +66,18 @@ "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.0", + "analyticRuleVersion1": "1.0.1", "_analyticRulecontentId1": "4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa','-', '1.0.0')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa','-', '1.0.1')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.0", + "analyticRuleVersion2": "1.0.2", "_analyticRulecontentId2": "57abf863-1c1e-46c6-85b2-35370b712c1e", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '57abf863-1c1e-46c6-85b2-35370b712c1e')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('57abf863-1c1e-46c6-85b2-35370b712c1e')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57abf863-1c1e-46c6-85b2-35370b712c1e','-', '1.0.0')))]" + "_analyticRulecontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','57abf863-1c1e-46c6-85b2-35370b712c1e','-', '1.0.2')))]" }, "analyticRuleObject3": { "analyticRuleVersion3": "2.0.8", @@ -87,11 +87,11 @@ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dc451755-8ab3-4059-b805-e454c45d1d44','-', '2.0.8')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "2.1.3", + "analyticRuleVersion4": "2.1.4", "_analyticRulecontentId4": "4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac','-', '2.1.3')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac','-', '2.1.4')))]" }, "analyticRuleObject5": { "analyticRuleVersion5": "2.1.4", 
@@ -101,11 +101,11 @@ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a8f1297-23a4-4f09-a20b-90af8fc3641a','-', '2.1.4')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "2.1.4", + "analyticRuleVersion6": "2.1.5", "_analyticRulecontentId6": "edcfc2e0-3134-434c-8074-9101c530d419", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'edcfc2e0-3134-434c-8074-9101c530d419')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('edcfc2e0-3134-434c-8074-9101c530d419')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edcfc2e0-3134-434c-8074-9101c530d419','-', '2.1.4')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','edcfc2e0-3134-434c-8074-9101c530d419','-', '2.1.5')))]" }, "analyticRuleObject7": { "analyticRuleVersion7": "2.0.6", 
@@ -164,11 +164,11 @@ "_analyticRulecontentProductId14": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','efd17c5f-5167-40f8-a1e9-0818940785d9','-', '2.2.6')))]" }, "analyticRuleObject15": { - "analyticRuleVersion15": "1.0.5", + "analyticRuleVersion15": "1.0.6", "_analyticRulecontentId15": "30375d00-68cc-4f95-b89a-68064d566358", "analyticRuleId15": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '30375d00-68cc-4f95-b89a-68064d566358')]", "analyticRuleTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('30375d00-68cc-4f95-b89a-68064d566358')))]", - "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30375d00-68cc-4f95-b89a-68064d566358','-', '1.0.5')))]" + "_analyticRulecontentProductId15": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','30375d00-68cc-4f95-b89a-68064d566358','-', '1.0.6')))]" }, "analyticRuleObject16": { "analyticRuleVersion16": "2.0.8", 
@@ -178,28 +178,28 @@ "_analyticRulecontentProductId16": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','abd6976d-8f71-4851-98c4-4d086201319c','-', '2.0.8')))]" }, "analyticRuleObject17": { - "analyticRuleVersion17": "1.0.0", + "analyticRuleVersion17": "1.0.1", "_analyticRulecontentId17": "e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b", "analyticRuleId17": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')]", "analyticRuleTemplateSpecName17": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b')))]", - "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b','-', '1.0.0')))]" + "_analyticRulecontentProductId17": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b','-', '1.0.1')))]" }, "analyticRuleObject18": { - "analyticRuleVersion18": "1.0.0", + "analyticRuleVersion18": "1.0.1", "_analyticRulecontentId18": "f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a", "analyticRuleId18": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')]", "analyticRuleTemplateSpecName18": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a')))]", - "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a','-', '1.0.0')))]" + "_analyticRulecontentProductId18": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a','-', '1.0.1')))]" }, "analyticRuleObject19": { - "analyticRuleVersion19": "1.0.0", + "analyticRuleVersion19": "1.0.1", "_analyticRulecontentId19": "82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1", "analyticRuleId19": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')]", "analyticRuleTemplateSpecName19": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1')))]", - "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1','-', '1.0.0')))]" + "_analyticRulecontentProductId19": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1','-', '1.0.1')))]" }, "huntingQueryObject1": { - "huntingQueryVersion1": "2.0.2", + "huntingQueryVersion1": "2.0.3", "_huntingQuerycontentId1": "271e8881-3044-4332-a5f4-42264c2e0315", "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('271e8881-3044-4332-a5f4-42264c2e0315')))]" }, 
@@ -344,7 +344,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "@{workbookKey=GSAM365EnrichedEvents; logoFileName=gsa.svg; description=This Workbook provides a detailed view of Microsoft 365 log data, enriched with contextual information to enhance visibility into user activities and potential security threats.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Global Secure Access Enriched M365 Logs; templateRelativePath=GSAM365EnrichedEvents.json; provider=Microsoft}.description", + "description": "@{workbookKey=GSAM365EnrichedEvents; logoFileName=gsa.svg; description=This Workbook provides a detailed view of Microsoft 365 log data, enriched with contextual information to enhance visibility into user activities and potential security threats.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Enriched Microsoft 365 logs Workbook; templateRelativePath=GSAM365EnrichedEvents.json; provider=Microsoft}.description", "parentId": "[variables('workbookId1')]", "contentId": "[variables('_workbookContentId1')]", "kind": "Workbook", 
@@ -428,7 +428,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", "properties": { - "description": "@{workbookKey=GSANetworkTraffic; logoFileName=gsa.svg; description=This workbook provides an overview of all traffic logs within your network, offering insights into data transfer, anomalies, and potential threats.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Global Secure Access Traffic Logs; templateRelativePath=GSANetworkTraffic.json; subtitle=; provider=Microsoft}.description", + "description": "@{workbookKey=GSANetworkTraffic; logoFileName=gsa.svg; description=This workbook provides an overview of all traffic logs within your network, offering insights into data transfer, anomalies, and potential threats.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Network Traffic Insights; templateRelativePath=GSANetworkTraffic.json; subtitle=; provider=Microsoft}.description", "parentId": "[variables('workbookId2')]", "contentId": "[variables('_workbookContentId2')]", "kind": "Workbook", 
@@ -498,7 +498,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.", - "displayName": "Detect Connections Outside Operational Hours", + "displayName": "GSA - Detect Connections Outside Operational Hours", "enabled": false, "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet operational_start_hour = 8; // Start of operational hours (8 AM)\nlet operational_end_hour = 18; // End of operational hours (6 PM)\nNetworkAccessTraffic\n| where TimeGenerated between(starttime .. endtime)\n| extend HourOfDay = datetime_part('hour', TimeGenerated)\n| where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour\n| project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId\n| extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName\n", "queryFrequency": "PT1H", @@ -511,10 +511,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -529,8 +529,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] }, @@ -538,8 +538,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } 
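Review bot: The `requiredDataConnectors` entry reordered in the -511 hunk still declares `EnrichedMicrosoft365AuditLogs` under `AzureActiveDirectory`, while the rule's query (context in the -498 hunk) reads only `NetworkAccessTraffic`, so the dependency names a table the query never touches and the solution will treat the rule as satisfied by a connector that does not feed it; if the query is the intended one, the dependency should list `NetworkAccessTraffic` instead. Two caveats on the unchanged query are worth a comment on the rule: `datetime_part('hour', TimeGenerated)` is evaluated in UTC, so the 8–18 window only matches tenants whose business hours are UTC, and `todatetime('{{StartTimeISO}}')` is the hunting-query placeholder, which is presumably not substituted for a scheduled rule and would make the `between` filter empty — `queryPeriod` already bounds the lookback, so `| where TimeGenerated between(starttime .. endtime)` can likely be dropped. I would add `// Hours are evaluated in UTC; adjust operational_start_hour/operational_end_hour for the tenant's timezone` above the two constants.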
@@ -582,7 +582,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", - "displayName": "Detect Connections Outside Operational Hours", + "displayName": "GSA - Detect Connections Outside Operational Hours", "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" 
@@ -612,9 +612,9 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.", - "displayName": "Detect IP Address Changes and Overlapping Sessions", + "displayName": "GSA - Detect IP Address Changes and Overlapping Sessions", "enabled": false, - "query": "// Identify sessions\nlet sessions = \n NetworkAccessTraffic\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), SourceIps = make_set(SourceIp) by DeviceId, UserPrincipalName, SessionId\n | sort by StartTime asc;\n// Check for changed IP addresses and overlapping session times\nsessions\n | extend PreviousSourceIps = prev(SourceIps, 1)\n | extend PreviousEndTime = prev(EndTime, 1)\n | extend PreviousDeviceId = prev(DeviceId, 1)\n | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)\n | where DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName\n | where set_difference(SourceIps, PreviousSourceIps) != dynamic([]) // Check if the current and previous IP sets differ\n | where PreviousEndTime > StartTime // Check for overlapping session times\n | project DeviceId, UserPrincipalName, SourceIps, PreviousSourceIps, StartTime, EndTime, PreviousEndTime\n | extend IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), AccountCustomEntity = UserPrincipalName\n", + "query": "// Identify sessions\nlet sessions = \n NetworkAccessTraffic\n | summarize \n StartTime = min(TimeGenerated), \n EndTime = max(TimeGenerated), \n SourceIps = make_set(SourceIp) \n by DeviceId, UserPrincipalName, SessionId\n | sort by StartTime asc;\n// Check for changed IP addresses and overlapping session times\nsessions\n | extend PreviousSourceIps = prev(SourceIps, 1)\n | extend PreviousEndTime = prev(EndTime, 1)\n | extend PreviousDeviceId 
= prev(DeviceId, 1)\n | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)\n | where DeviceId == PreviousDeviceId \n and UserPrincipalName == PreviousUserPrincipalName\n | where array_length(set_difference(SourceIps, PreviousSourceIps)) > 0 // Check if the current and previous IP sets differ\n | where PreviousEndTime > StartTime // Check for overlapping session times\n | project \n DeviceId, \n UserPrincipalName, \n SourceIps, \n PreviousSourceIps, \n StartTime, \n EndTime, \n PreviousEndTime\n | extend \n IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), \n PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), \n AccountCustomEntity = UserPrincipalName\n", "queryFrequency": "PT1H", "queryPeriod": "PT24H", "severity": "High", @@ -625,10 +625,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -643,8 +643,8 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "AccountCustomEntity", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountCustomEntity" } ] }, @@ -652,8 +652,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPCustomEntity", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPCustomEntity" } ] } @@ -696,7 +696,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", - "displayName": "Detect IP Address Changes and Overlapping Sessions", + "displayName": "GSA - Detect IP Address Changes and Overlapping Sessions", "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" 
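Review bot: The rewritten query still orders `sessions` with `| sort by StartTime asc;`, so `prev()` compares each session with the chronologically previous session of any device or user, and the `DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName` filter then discards every pair that is interleaved with another principal's session — overlapping sessions of the same device are only caught when they happen to be adjacent in the global order. Sorting by the grouping keys first, `| sort by DeviceId asc, UserPrincipalName asc, StartTime asc;`, makes adjacent rows belong to the same principal (the equality filter is still needed at group boundaries). Two smaller points: `set_difference(SourceIps, PreviousSourceIps)` is one-directional, so a session that lost an address relative to the previous one is not flagged; and `PreviousIPCustomEntity` is projected but never mapped in the -652 `IP` entity mapping, so the earlier address does not become an entity on the incident.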
@@ -739,16 +739,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -762,16 +762,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -779,8 +779,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] } @@ -866,16 +866,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Teams)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -889,16 +889,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "MemberAdded", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "MemberAdded" }, { - "columnName": "MemberAddedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "MemberAddedAccountName" }, { - "columnName": "MemberAddedAccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "MemberAddedAccountUPNSuffix" } ] }, 
@@ -906,16 +906,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserWhoAdded", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserWhoAdded" }, { - "columnName": "UserWhoAddedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserWhoAddedAccountName" }, { - "columnName": "UserWhoAddedAccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UserWhoAddedAccountUPNSuffix" } ] }, @@ -923,25 +923,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserWhoDeleted", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserWhoDeleted" }, { - "columnName": "UserWhoDeletedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserWhoDeletedAccountName" }, { - "columnName": "UserWhoDeletedAccountUPNSuffix", - "identifier": "UPNSuffix" - } - ] - }, - { - "entityType": "IP", - "fieldMappings": [ - { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "UPNSuffix", + "columnName": "UserWhoDeletedAccountUPNSuffix" } ] } @@ -1027,16 +1018,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Teams)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -1050,16 +1041,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "MemberAdded_Removed", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "MemberAdded_Removed" }, { - "columnName": "MemberAdded_RemovedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "MemberAdded_RemovedAccountName" }, { - "columnName": "MemberAdded_RemovedAccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "MemberAdded_RemovedAccountUPNSuffix" } ] }, 
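Review bot: The -923 hunk removes the `IP` entity mapping on `ClientIP` for this Teams rule while the sibling rule's -1092 hunk keeps the identical mapping, so this rule no longer yields an IP entity for the actor; the query is outside the hunk, so I cannot tell whether `ClientIP` is still projected, but if it is, dropping the mapping loses the investigation pivot and looks accidental rather than intentional. If the column genuinely no longer exists in the query, a short note in the rule's description saying why the IP entity was removed would keep the next reviewer from reinstating it.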
@@ -1067,16 +1058,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserWhoAdded", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserWhoAdded" }, { - "columnName": "UserWhoAddedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserWhoAddedAccountName" }, { - "columnName": "UserWhoAddedAccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UserWhoAddedAccountUPNSuffix" } ] }, @@ -1084,16 +1075,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserWhoDeleted", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserWhoDeleted" }, { - "columnName": "UserWhoDeletedAccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "UserWhoDeletedAccountName" }, { - "columnName": "UserWhoDeletedAccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "UserWhoDeletedAccountUPNSuffix" } ] }, @@ -1101,8 +1092,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIP" } ] } 
@@ -1177,7 +1168,7 @@ "description": "Identifies when an Exchange Online transport rule is configured to forward emails.\nThis could indicate an adversary mailbox configured to collect mail from multiple user accounts.", "displayName": "GSA Enriched Office 365 - Mail Redirect via ExO Transport Rule", "enabled": false, - "query": "// OfficeActivity Query\nlet officeActivityQuery = OfficeActivity\n | where OfficeWorkload == \"Exchange\"\n | where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n | mv-apply DynamicParameters = todynamic(Parameters) on (\n summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))\n )\n | extend RuleName = case(\n Operation =~ \"Set-TransportRule\", OfficeObjectId,\n Operation =~ \"New-TransportRule\", ParsedParameters.Name,\n \"Unknown\"\n )\n | mv-expand ExpandedParameters = todynamic(Parameters)\n | where ExpandedParameters.Name in~ (\"BlindCopyTo\", \"RedirectMessageTo\") and isnotempty(ExpandedParameters.Value)\n | extend RedirectTo = ExpandedParameters.Value\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend From = ParsedParameters.From\n | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters\n | extend AccountName = tostring(split(UserId, \"@\")[0]),\n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n// EnrichedMicrosoft365AuditLogs Query\nlet enrichedLogsQuery = EnrichedMicrosoft365AuditLogs\n | where Workload == \"Exchange\"\n | where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n | extend AdditionalProps = parse_json(AdditionalProperties)\n | mv-apply DynamicParameters = todynamic(AdditionalProps.Parameters) on (\n summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))\n )\n 
| extend RuleName = case(\n Operation =~ \"Set-TransportRule\", ObjectId,\n Operation =~ \"New-TransportRule\", ParsedParameters.Name,\n \"Unknown\"\n )\n | mv-expand ExpandedParameters = todynamic(AdditionalProps.Parameters)\n | where ExpandedParameters.Name in~ (\"BlindCopyTo\", \"RedirectMessageTo\") and isnotempty(ExpandedParameters.Value)\n | extend RedirectTo = ExpandedParameters.Value\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIp)[0]\n | extend From = ParsedParameters.From\n | extend UserAgent = tostring(AdditionalProps.UserAgent)\n | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters = tostring(AdditionalProps.Parameters), UserAgent\n | extend AccountName = tostring(split(UserId, \"@\")[0]),\n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n// Combine both queries\nunion isfuzzy=true officeActivityQuery, enrichedLogsQuery\n| summarize arg_min(TimeGenerated, *) by RuleName, RedirectTo\n| project TimeGenerated, RedirectTo, IPAddress, Port, UserId, From, Operation, RuleName, Parameters, AccountName, AccountUPNSuffix\n| order by TimeGenerated desc;\n", + "query": "// OfficeActivity Query\nlet officeActivityQuery = OfficeActivity\n | where OfficeWorkload == \"Exchange\"\n | where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n | mv-apply DynamicParameters = todynamic(Parameters) on (\n summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))\n )\n | extend RuleName = case(\n Operation =~ \"Set-TransportRule\", OfficeObjectId,\n Operation =~ \"New-TransportRule\", ParsedParameters.Name,\n \"Unknown\"\n )\n | mv-expand ExpandedParameters = todynamic(Parameters)\n | where ExpandedParameters.Name in~ (\"BlindCopyTo\", \"RedirectMessageTo\") and 
isnotempty(ExpandedParameters.Value)\n | extend RedirectTo = tostring(ExpandedParameters.Value) // Cast to string\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend From = ParsedParameters.From\n | project\n TimeGenerated,\n RedirectTo,\n IPAddress = tostring(ClientIPValues[0]),\n Port = tostring(ClientIPValues[1]),\n UserId,\n From,\n Operation,\n RuleName,\n Parameters\n | extend\n AccountName = tostring(split(UserId, \"@\")[0]),\n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n // EnrichedMicrosoft365AuditLogs Query\n let enrichedLogsQuery = EnrichedMicrosoft365AuditLogs\n | where Workload == \"Exchange\"\n | where Operation in~ (\"New-TransportRule\", \"Set-TransportRule\")\n | extend AdditionalProps = parse_json(AdditionalProperties)\n | mv-apply DynamicParameters = todynamic(AdditionalProps.Parameters) on (\n summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))\n )\n | extend RuleName = case(\n Operation =~ \"Set-TransportRule\", ObjectId,\n Operation =~ \"New-TransportRule\", ParsedParameters.Name,\n \"Unknown\"\n )\n | mv-expand ExpandedParameters = todynamic(AdditionalProps.Parameters)\n | where ExpandedParameters.Name in~ (\"BlindCopyTo\", \"RedirectMessageTo\") and isnotempty(ExpandedParameters.Value)\n | extend RedirectTo = tostring(ExpandedParameters.Value) // Cast to string\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]]+)\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIp)[0]\n | extend From = ParsedParameters.From\n | extend UserAgent = tostring(AdditionalProps.UserAgent)\n | project\n TimeGenerated,\n RedirectTo,\n IPAddress = tostring(ClientIPValues[0]),\n Port = tostring(ClientIPValues[1]),\n UserId,\n From,\n Operation,\n RuleName,\n Parameters = tostring(AdditionalProps.Parameters),\n UserAgent\n | 
extend\n AccountName = tostring(split(UserId, \"@\")[0]),\n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n // Combine both queries\n union isfuzzy=true officeActivityQuery, enrichedLogsQuery\n | summarize arg_min(TimeGenerated, *) by RuleName, RedirectTo\n | project\n TimeGenerated,\n RedirectTo,\n IPAddress,\n Port,\n UserId,\n From,\n Operation,\n RuleName,\n Parameters,\n AccountName,\n AccountUPNSuffix\n | order by TimeGenerated desc\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -1188,16 +1179,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ], - "connectorId": "Office365" + ] }, { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ @@ -1213,16 +1204,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -1230,8 +1221,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "IPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "IPAddress" } ] } @@ -1317,16 +1308,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ 
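Review bot: As rendered here, the pattern passed to `extract_all` in both branches reads `(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)` and `(?P\d+)` — named-group syntax with no group name — which the regex engine would reject and the rule would fail to run; this is probably the `<IPAddress>`/`<Port>` names being eaten by the page rendering rather than missing from the stored YAML, but it is worth confirming against the source file. On coverage, `ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo")` catches only two of the transport-rule actions that deliver mail to an extra recipient; if `CopyTo` and `AddToRecipients` are in scope they belong in the same list, and a comment such as `// Only BlindCopyTo/RedirectMessageTo are matched; CopyTo/AddToRecipients intentionally excluded` on that `where` line should record the decision either way. The `tostring(ExpandedParameters.Value)` cast is a good fix, since it keeps `RedirectTo` the same type in both union branches so the `summarize … by RuleName, RedirectTo` dedupe works across sources.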
@@ -1342,16 +1333,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] }, @@ -1359,8 +1350,8 @@ "entityType": "IP", "fieldMappings": [ { - "columnName": "ClientIPAddress", - "identifier": "Address" + "identifier": "Address", + "columnName": "ClientIPAddress" } ] } @@ -1446,16 +1437,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Teams)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ @@ -1470,16 +1461,16 @@ "entityType": "Account", "fieldMappings": [ { - "columnName": "UserId", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "UserId" }, { - "columnName": "AccountName", - "identifier": "Name" + "identifier": "Name", + "columnName": "AccountName" }, { - "columnName": "AccountUPNSuffix", - "identifier": "UPNSuffix" + "identifier": "UPNSuffix", + "columnName": "AccountUPNSuffix" } ] } @@ -1565,16 +1556,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] }, { + "connectorId": "Office365", "dataTypes": [ "OfficeActivity (Exchange)" - ], - "connectorId": "Office365" + ] } ], "tactics": [ 
@@ -1590,16 +1581,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "UserId",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "UserId"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "AccountUPNSuffix"
 }
 ]
 },
@@ -1607,8 +1598,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "ClientIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ClientIP"
 }
 ]
 }
@@ -1694,16 +1685,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "Office365",
 "dataTypes": [
 "OfficeActivity (Exchange)"
- ],
- "connectorId": "Office365"
+ ]
 }
 ],
 "tactics": [
@@ -1719,16 +1710,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "UserId",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "UserId"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "AccountUPNSuffix"
 }
 ]
 },
@@ -1736,8 +1727,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "ClientIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ClientIP"
 }
 ]
 }
@@ -1823,16 +1814,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "Office365",
 "dataTypes": [
 "OfficeActivity (SharePoint)"
- ],
- "connectorId": "Office365"
+ ]
 }
 ],
 "tactics": [
@@ -1848,16 +1839,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "UserId",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "UserId"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "AccountUPNSuffix"
 }
 ]
 },
@@ -1865,8 +1856,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "ClientIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ClientIP"
 }
 ]
 },
@@ -1874,8 +1865,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "Site_Url",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "Site_Url"
 }
 ]
 },
@@ -1883,8 +1874,8 @@
 "entityType": "File",
 "fieldMappings": [
 {
- "columnName": "FileNames",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "FileNames"
 }
 ]
 }
@@ -1970,16 +1961,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "Office365",
 "dataTypes": [
 "OfficeActivity"
- ],
- "connectorId": "Office365"
+ ]
 }
 ],
 "tactics": [
@@ -1995,16 +1986,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "UserId",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "UserId"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "AccountUPNSuffix"
 }
 ]
 },
@@ -2012,8 +2003,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "ClientIPOnly",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ClientIPOnly"
 }
 ]
 }
@@ -2099,16 +2090,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "Office365",
 "dataTypes": [
 "OfficeActivity (SharePoint)"
- ],
- "connectorId": "Office365"
+ ]
 }
 ],
 "tactics": [
@@ -2122,16 +2113,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "UserId",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "UserId"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "AccountUPNSuffix"
 }
 ]
 },
@@ -2139,8 +2130,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "ClientIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ClientIP"
 }
 ]
 },
@@ -2148,8 +2139,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "Site_Url",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "Site_Url"
 }
 ]
 }
@@ -2235,16 +2226,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "Office365",
 "dataTypes": [
 "OfficeActivity (SharePoint)"
- ],
- "connectorId": "Office365"
+ ]
 }
 ],
 "tactics": [
@@ -2258,16 +2249,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "UserId",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "UserId"
 },
 {
- "columnName": "UserIdName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "UserIdName"
 },
 {
- "columnName": "UserIdUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "UserIdUPNSuffix"
 }
 ]
 },
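Review bot: The Account entity in the `@@ -2258` hunk maps `UserIdName` and `UserIdUPNSuffix` to the Name and UPNSuffix identifiers, while every other Account mapping in this template maps `AccountName` and `AccountUPNSuffix`. The rule's query is outside this hunk, so I cannot confirm which columns it projects; if it extends `AccountName`/`AccountUPNSuffix` like its siblings, these two identifiers resolve to empty values and the Account entity degrades to FullName only, which weakens incident grouping by Account. Either align the mapping with the others (`"columnName": "AccountName"` and `"columnName": "AccountUPNSuffix"`) or confirm the query really emits `UserIdName`/`UserIdUPNSuffix`.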
@@ -2275,8 +2266,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "ClientIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ClientIP"
 }
 ]
 },
@@ -2284,8 +2275,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "Site_Url",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "Site_Url"
 }
 ]
 }
@@ -2371,16 +2362,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "Office365",
 "dataTypes": [
 "OfficeActivity (SharePoint)"
- ],
- "connectorId": "Office365"
+ ]
 }
 ],
 "tactics": [
@@ -2394,16 +2385,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "UserId",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "UserId"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "AccountUPNSuffix"
 }
 ]
 },
@@ -2411,8 +2402,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "ClientIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ClientIP"
 }
 ]
 },
@@ -2420,8 +2411,8 @@
 "entityType": "File",
 "fieldMappings": [
 {
- "columnName": "FileSample",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "FileSample"
 }
 ]
 }
@@ -2431,16 +2422,16 @@
 "FilesList": "fileslist"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
 "reopenClosedIncident": false,
- "enabled": true,
- "lookbackDuration": "PT5H",
 "matchingMethod": "Selected",
+ "lookbackDuration": "PT5H",
 "groupByEntities": [
 "Account"
- ]
- },
- "createIncident": true
+ ],
+ "enabled": true
+ }
 }
 }
 },
@@ -2523,16 +2514,16 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 },
 {
+ "connectorId": "Office365",
 "dataTypes": [
 "OfficeActivity (SharePoint)"
- ],
- "connectorId": "Office365"
+ ]
 }
 ],
 "tactics": [
@@ -2546,16 +2537,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "columnName": "UserId",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "UserId"
 },
 {
- "columnName": "AccountName",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "AccountName"
 },
 {
- "columnName": "AccountUPNSuffix",
- "identifier": "UPNSuffix"
+ "identifier": "UPNSuffix",
+ "columnName": "AccountUPNSuffix"
 }
 ]
 },
@@ -2563,8 +2554,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "ClientIP",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "ClientIP"
 }
 ]
 },
@@ -2572,8 +2563,8 @@
 "entityType": "File",
 "fieldMappings": [
 {
- "columnName": "FileSample",
- "identifier": "Name"
+ "identifier": "Name",
+ "columnName": "FileSample"
 }
 ]
 }
@@ -2583,16 +2574,16 @@
 "FilesList": "fileslist"
 },
 "incidentConfiguration": {
+ "createIncident": true,
 "groupingConfiguration": {
 "reopenClosedIncident": false,
- "enabled": true,
- "lookbackDuration": "PT5H",
 "matchingMethod": "Selected",
+ "lookbackDuration": "PT5H",
 "groupByEntities": [
 "Account"
- ]
- },
- "createIncident": true
+ ],
+ "enabled": true
+ }
 }
 }
 },
@@ -2662,7 +2653,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.", - "displayName": "Detect Abnormal Deny Rate for Source to Destination IP", + "displayName": "GSA - Detect Abnormal Deny Rate for Source to Destination IP", "enabled": false, "query": "let NumOfStdsThreshold = 3;\nlet LearningPeriod = 5d;\nlet BinTime = 1h;\nlet MinThreshold = 5.0;\nlet MinLearningBuckets = 5;\nlet TrafficLogs = NetworkAccessTraffic\n | where Action == 'Denied'\n | where isnotempty(DestinationIp) and isnotempty(SourceIp);\nlet LearningSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))\n | summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp\n | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp\n | where LearningTimeBuckets > MinLearningBuckets;\nlet AlertTimeSrcIpDenyRate = TrafficLogs\n | where TimeGenerated between (ago(1h) .. now())\n | summarize AlertTimeSrcIpDenyRateCount = count() by SourceIp, DestinationIp;\nAlertTimeSrcIpDenyRate\n | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp\n | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)\n | where AlertTimeSrcIpDenyRateCount > LearningThreshold\n | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold \n", "queryFrequency": "PT1H", 
@@ -2675,10 +2666,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "NetworkAccessTrafficLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -2691,8 +2682,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SourceIp",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SourceIp"
 }
 ]
 },
@@ -2700,8 +2691,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "DestinationIp",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "DestinationIp"
 }
 ]
 }
@@ -2744,7 +2735,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject17')._analyticRulecontentId17]",
 "contentKind": "AnalyticsRule",
- "displayName": "Detect Abnormal Deny Rate for Source to Destination IP",
+ "displayName": "GSA - Detect Abnormal Deny Rate for Source to Destination IP",
 "contentProductId": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
 "id": "[variables('analyticRuleObject17')._analyticRulecontentProductId17]",
 "version": "[variables('analyticRuleObject17').analyticRuleVersion17]"
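Review bot: `DestinationIp` is mapped as a URL entity (`"identifier": "Url"`) in the `@@ -2700` hunk, although the column holds an IP address — the rule's query in the preceding hunk filters on `isnotempty(DestinationIp)` and joins on it. Incident grouping, watchlist matching and threat-intelligence enrichment keyed on IP will not see the destination, and the URL entity will carry a bare address; the mapping should be `"entityType": "IP"` with `"identifier": "Address"`, exactly as the SourceIp mapping in the `@@ -2691` hunk does. The later rules map `FqdnCustomEntity` and `DestinationFqdn` as URL too; an FQDN is at least host-shaped, but a DNS or Host entity would likely describe it more accurately than URL, so worth a second look when touching these mappings.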
@@ -2774,7 +2765,7 @@ "location": "[parameters('workspace-location')]", "properties": { "description": "Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes.", - "displayName": "Detect Protocol Changes for Destination Ports", + "displayName": "GSA - Detect Protocol Changes for Destination Ports", "enabled": false, "query": "let LearningPeriod = 7d;\nlet RunTime = 1d;\nlet StartLearningPeriod = ago(LearningPeriod + RunTime);\nlet EndRunTime = ago(RunTime);\nlet LearningPortToProtocol = \n NetworkAccessTraffic\n | where TimeGenerated between (StartLearningPeriod .. EndRunTime)\n | where isnotempty(DestinationPort)\n | summarize LearningTimeCount = count() by LearningTimeDstPort = DestinationPort, LearningTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nlet AlertTimePortToProtocol = \n NetworkAccessTraffic\n | where TimeGenerated between (EndRunTime .. now())\n | where isnotempty(DestinationPort)\n | summarize AlertTimeCount = count() by AlertTimeDstPort = DestinationPort, AlertTimeProtocol = TransportProtocol, SourceIp, DestinationFqdn;\nAlertTimePortToProtocol\n | join kind=leftouter (LearningPortToProtocol) on $left.AlertTimeDstPort == $right.LearningTimeDstPort and $left.SourceIp == $right.SourceIp and $left.DestinationFqdn == $right.DestinationFqdn\n | where isnull(LearningTimeProtocol) or LearningTimeProtocol != AlertTimeProtocol\n | project AlertTimeDstPort, AlertTimeProtocol, LearningTimeProtocol, SourceIp, DestinationFqdn\n | extend IPCustomEntity = SourceIp, FqdnCustomEntity = DestinationFqdn\n", "queryFrequency": "PT1H", @@ -2787,10 +2778,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "AzureActiveDirectory", "dataTypes": [ "EnrichedMicrosoft365AuditLogs" - ], - "connectorId": "AzureActiveDirectory" + ] } ], "tactics": [ 
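Review bot: The requiredDataConnectors block in the `@@ -2787` hunk declares the `EnrichedMicrosoft365AuditLogs` data type, but the rule's query in the `@@ -2774` hunk reads only from `NetworkAccessTraffic`. The rule for analyticRuleObject17 declares `NetworkAccessTrafficLogs` for a query on that same table, so this looks like a copy-over from the Office 365 rules; as written, the prerequisite shown to customers and any "connector not connected" health signal are wrong for this rule, and it will appear satisfied in workspaces that ingest M365 audit logs but no traffic logs. The `@@ -2899` hunk on the port-scan rule has the same mismatch. If `NetworkAccessTrafficLogs` is the data-type name the connector exposes (verify against the connector definition), both blocks should read `"dataTypes": [ "NetworkAccessTrafficLogs" ]`.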
@@ -2803,8 +2794,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ]
 },
@@ -2812,8 +2803,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "FqdnCustomEntity",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "FqdnCustomEntity"
 }
 ]
 }
@@ -2856,7 +2847,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject18')._analyticRulecontentId18]",
 "contentKind": "AnalyticsRule",
- "displayName": "Detect Protocol Changes for Destination Ports",
+ "displayName": "GSA - Detect Protocol Changes for Destination Ports",
 "contentProductId": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
 "id": "[variables('analyticRuleObject18')._analyticRulecontentProductId18]",
 "version": "[variables('analyticRuleObject18').analyticRuleVersion18]"
@@ -2886,9 +2877,9 @@
 "location": "[parameters('workspace-location')]",
 "properties": {
 "description": "Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.",
- "displayName": "Detect Source IP Scanning Multiple Open Ports",
+ "displayName": "GSA - Detect Source IP Scanning Multiple Open Ports",
 "enabled": false,
- "query": "let port_scan_time = 30s;\nlet min_ports_threshold = 100;\nNetworkAccessTraffic\n| where TimeGenerated > ago(1d)\n| where Action == 'Allowed'\n| summarize PortsScanned = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, port_scan_time)\n| where PortsScanned > min_ports_threshold\n| project SourceIp, PortsScanned, TimeGenerated\n",
+ "query": "let port_scan_time = 30s;\nlet min_ports_threshold = 100;\nNetworkAccessTraffic\n| where TimeGenerated > ago(1d)\n| where Action == 'Allowed'\n| summarize PortsScanned = dcount(DestinationPort) by SourceIp, DestinationFqdn, bin(TimeGenerated, port_scan_time)\n| where PortsScanned > min_ports_threshold\n| project SourceIp, PortsScanned, TimeGenerated,DestinationFqdn\n",
 "queryFrequency": "P1D",
 "queryPeriod": "P1D",
 "severity": "Medium",
@@ -2899,10 +2890,10 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
+ "connectorId": "AzureActiveDirectory",
 "dataTypes": [
 "EnrichedMicrosoft365AuditLogs"
- ],
- "connectorId": "AzureActiveDirectory"
+ ]
 }
 ],
 "tactics": [
@@ -2916,8 +2907,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "columnName": "SourceIp",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "SourceIp"
 }
 ]
 },
@@ -2925,8 +2916,8 @@
 "entityType": "URL",
 "fieldMappings": [
 {
- "columnName": "Fqdn",
- "identifier": "Url"
+ "identifier": "Url",
+ "columnName": "DestinationFqdn"
 }
 ]
 }
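Review bot: Adding `DestinationFqdn` to the summarize key in the `@@ -2886` hunk changes what `min_ports_threshold` measures: `dcount(DestinationPort)` is now per source-and-destination pair per 30s bin, so a source that touches 30 ports on each of ten hosts never reaches 100 and the rule silently narrows to single-host sweeps. That may be the intent (it is what makes the new `DestinationFqdn` entity mapping in the `@@ -2925` hunk resolvable, which is a real improvement over the previous `Fqdn` column that the old query never produced), but the description and the threshold were left unchanged, so either lower the threshold and say "per destination" in the description, or keep the per-source count and attach the hosts with `make_set(DestinationFqdn)` before mv-expanding for the entity. Minor style point in the same hunk: `TimeGenerated,DestinationFqdn` in the project is missing the space after the comma that the rest of the query uses.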
@@ -2969,7 +2960,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('analyticRuleObject19')._analyticRulecontentId19]",
 "contentKind": "AnalyticsRule",
- "displayName": "Detect Source IP Scanning Multiple Open Ports",
+ "displayName": "GSA - Detect Source IP Scanning Multiple Open Ports",
 "contentProductId": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]",
 "id": "[variables('analyticRuleObject19')._analyticRulecontentProductId19]",
 "version": "[variables('analyticRuleObject19').analyticRuleVersion19]"
@@ -3000,7 +2991,7 @@ "eTag": "*", "displayName": "GSA Enriched Office 365 - Anomalous access to other users' mailboxes", "category": "Hunting Queries", - "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet lookback = totimespan((endtime - starttime) * 2);\nlet user_threshold = 1; // Threshold for number of mailboxes accessed\nlet folder_threshold = 5; // Threshold for number of mailbox folders accessed\n// OfficeActivity Query\nlet OfficeEvents = OfficeActivity\n | where TimeGenerated between (ago(lookback)..starttime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n | join kind=rightanti (\n OfficeActivity\n | where TimeGenerated between (starttime..endtime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n ) on MailboxOwnerUPN, UserId\n | where isnotempty(Folders)\n | mv-expand parse_json(Folders)\n | extend folders = tostring(Folders.Path)\n | extend ClientIP = iif(Client_IPAddress startswith \"[\", extract(\"\\\\[([^\\\\]]*)\", 1, Client_IPAddress), Client_IPAddress)\n | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), set_folders = make_set(folders, 100000), set_ClientInfoString = make_set(ClientInfoString, 100000), set_ClientIP = make_set(ClientIP, 100000), set_MailboxGuid = make_set(MailboxGuid, 100000), set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) by UserId\n | extend folder_count = array_length(set_folders)\n | extend user_count = array_length(set_MailboxGuid)\n | where user_count > user_threshold or folder_count > folder_threshold\n | extend Reason = case(user_count > user_threshold and folder_count > folder_threshold, \"Both User and Folder Threshold Exceeded\", folder_count > folder_threshold and user_count < user_threshold, \"Folder Count Threshold Exceeded\", \"User Threshold 
Exceeded\")\n | sort by user_count desc\n | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders\n | extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n | extend Account_0_Name = AccountName\n | extend Account_0_UPNSuffix = AccountUPNSuffix;\n// EnrichedMicrosoft365AuditLogs Query\nlet EnrichedEvents = EnrichedMicrosoft365AuditLogs\n | where TimeGenerated between (ago(lookback)..starttime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n | join kind=rightanti (\n EnrichedMicrosoft365AuditLogs\n | where TimeGenerated between (starttime..endtime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n ) on MailboxOwnerUPN, UserId\n | where isnotempty(tostring(parse_json(AdditionalProperties).Folders))\n | mv-expand Folders = parse_json(AdditionalProperties).Folders\n | extend folders = tostring(Folders.Path)\n | extend ClientIP = iif(ClientIp startswith \"[\", extract(\"\\\\[([^\\\\]]*)\", 1, ClientIp), ClientIp)\n | extend ClientInfoString = tostring(parse_json(AdditionalProperties).ClientInfoString)\n | extend MailboxGuid = tostring(parse_json(AdditionalProperties).MailboxGuid)\n | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), set_folders = make_set(folders, 100000), set_ClientInfoString = make_set(ClientInfoString, 100000), set_ClientIP = make_set(ClientIP, 100000), set_MailboxGuid = make_set(MailboxGuid, 100000), set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) by UserId\n | extend folder_count = array_length(set_folders)\n | extend user_count = 
array_length(set_MailboxGuid)\n | where user_count > user_threshold or folder_count > folder_threshold\n | extend Reason = case(user_count > user_threshold and folder_count > folder_threshold, \"Both User and Folder Threshold Exceeded\", folder_count > folder_threshold and user_count < user_threshold, \"Folder Count Threshold Exceeded\", \"User Threshold Exceeded\")\n | sort by user_count desc\n | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders\n | extend AccountName = tostring(split(UserId, \"@\")[0]), AccountUPNSuffix = tostring(split(UserId, \"@\")[1])\n | extend Account_0_Name = AccountName\n | extend Account_0_UPNSuffix = AccountUPNSuffix;\n// Combine Office and Enriched Logs\nlet CombinedEvents = OfficeEvents\n | union EnrichedEvents\n | summarize arg_min(StartTime, *) by UserId, ClientIP;\n// Final Output\nCombinedEvents\n | project UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders, AccountName, AccountUPNSuffix\n | order by user_count desc\n", + "query": "let starttime = todatetime('{{StartTimeISO}}');\nlet endtime = todatetime('{{EndTimeISO}}');\nlet lookback = totimespan((endtime - starttime) * 2);\nlet user_threshold = 1; // Threshold for number of mailboxes accessed\nlet folder_threshold = 5; // Threshold for number of mailbox folders accessed\n// OfficeActivity Query\nlet OfficeEvents = OfficeActivity\n | where TimeGenerated between (ago(lookback)..starttime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n | join kind=rightanti (\n OfficeActivity\n | where TimeGenerated between (starttime..endtime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n ) on MailboxOwnerUPN, UserId\n | where isnotempty(Folders)\n | mv-expand ParsedFolders = 
parse_json(Folders)\n | extend folders = tostring(ParsedFolders.Path)\n | extend ClientIP = iif(Client_IPAddress startswith \"[\", extract(\"\\\\[([^\\\\]]*)\", 1, Client_IPAddress), Client_IPAddress)\n | summarize \n StartTime = max(TimeGenerated), \n EndTime = min(TimeGenerated), \n set_folders = make_set(folders, 100000), \n set_ClientInfoString = make_set(ClientInfoString, 100000), \n set_ClientIP = make_set(ClientIP, 100000), \n set_MailboxGuid = make_set(MailboxGuid, 100000), \n set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) \n by UserId\n | extend \n folder_count = array_length(set_folders),\n user_count = array_length(set_MailboxGuid)\n | where user_count > user_threshold or folder_count > folder_threshold\n | extend Reason = case(\n user_count > user_threshold and folder_count > folder_threshold, \"Both User and Folder Threshold Exceeded\",\n folder_count > folder_threshold and user_count <= user_threshold, \"Folder Count Threshold Exceeded\",\n \"User Threshold Exceeded\")\n | sort by user_count desc\n | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders\n | extend \n AccountName = tostring(split(UserId, \"@\")[0]), \n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n // EnrichedMicrosoft365AuditLogs Query\n let EnrichedEvents = EnrichedMicrosoft365AuditLogs\n | where TimeGenerated between (ago(lookback)..starttime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n | join kind=rightanti (\n EnrichedMicrosoft365AuditLogs\n | where TimeGenerated between (starttime..endtime)\n | where Operation =~ \"MailItemsAccessed\"\n | where ResultStatus =~ \"Succeeded\"\n | extend MailboxOwnerUPN = tostring(parse_json(AdditionalProperties).MailboxOwnerUPN)\n | where tolower(MailboxOwnerUPN) != tolower(UserId)\n ) 
on MailboxOwnerUPN, UserId\n | where isnotempty(tostring(parse_json(AdditionalProperties).Folders))\n | mv-expand ParsedFolders = parse_json(AdditionalProperties).Folders\n | extend folders = tostring(ParsedFolders.Path)\n | extend ClientIP = iif(ClientIp startswith \"[\", extract(\"\\\\[([^\\\\]]*)\", 1, ClientIp), ClientIp)\n | extend ClientInfoString = tostring(parse_json(AdditionalProperties).ClientInfoString)\n | extend MailboxGuid = tostring(parse_json(AdditionalProperties).MailboxGuid)\n | summarize \n StartTime = max(TimeGenerated), \n EndTime = min(TimeGenerated), \n set_folders = make_set(folders, 100000), \n set_ClientInfoString = make_set(ClientInfoString, 100000), \n set_ClientIP = make_set(ClientIP, 100000), \n set_MailboxGuid = make_set(MailboxGuid, 100000), \n set_MailboxOwnerUPN = make_set(MailboxOwnerUPN, 100000) \n by UserId\n | extend \n folder_count = array_length(set_folders),\n user_count = array_length(set_MailboxGuid)\n | where user_count > user_threshold or folder_count > folder_threshold\n | extend Reason = case(\n user_count > user_threshold and folder_count > folder_threshold, \"Both User and Folder Threshold Exceeded\",\n folder_count > folder_threshold and user_count <= user_threshold, \"Folder Count Threshold Exceeded\",\n \"User Threshold Exceeded\")\n | sort by user_count desc\n | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders\n | extend \n AccountName = tostring(split(UserId, \"@\")[0]), \n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n // Combine Office and Enriched Logs\n let CombinedEvents = OfficeEvents\n | union EnrichedEvents\n | mv-expand ClientIP = set_ClientIP // Expand the set_ClientIP into individual ClientIP rows\n | extend ClientIP = tostring(ClientIP) // Explicitly cast ClientIP to string\n | summarize arg_min(StartTime, *) by UserId, ClientIP\n // Define AccountName and AccountUPNSuffix after summarize to ensure they're available\n | 
extend \n AccountName = tostring(split(UserId, \"@\")[0]), \n AccountUPNSuffix = tostring(split(UserId, \"@\")[1]);\n // Final Output\n CombinedEvents\n | project \n UserId, \n user_count, \n folder_count, \n set_MailboxOwnerUPN, \n set_ClientIP, \n set_ClientInfoString, \n set_folders, \n AccountName, \n AccountUPNSuffix\n | order by user_count desc\n", "version": 2, "tags": [ { @@ -3055,9 +3046,9 @@ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "contentKind": "HuntingQuery", "displayName": "GSA Enriched Office 365 - Anomalous access to other users' mailboxes", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.2')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.2')))]", - "version": "2.0.2" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.3')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '2.0.3')))]", + "version": "2.0.3" } }, { diff --git a/Solutions/Global Secure Access/Package/testParameters.json b/Solutions/Global Secure Access/Package/testParameters.json index 8dd674f5956..1025a867a83 100644 --- a/Solutions/Global Secure Access/Package/testParameters.json +++ b/Solutions/Global Secure Access/Package/testParameters.json 
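Review bot: In both the OfficeActivity and the EnrichedMicrosoft365AuditLogs branches of the rewritten query (`@@ -3000` hunk), `StartTime = max(TimeGenerated)` and `EndTime = min(TimeGenerated)` are inverted, so StartTime holds the latest event and EndTime the earliest; the combine step's `summarize arg_min(StartTime, *) by UserId, ClientIP` therefore keeps the row whose most recent access is oldest rather than the earliest-seen row, and neither column reaches the final project, so the mistake is invisible in the output. The defect pre-dates this change but the rewrite carries it forward; swap to `StartTime = min(TimeGenerated), EndTime = max(TimeGenerated)` in both summarize calls. Separately, the rewrite drops the `Account_0_Name`/`Account_0_UPNSuffix` columns the old query extended; if the hunting query's entityMappings outside this hunk still reference them, they need to point at `AccountName`/`AccountUPNSuffix` instead.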
@@ -23,7 +23,7 @@
 },
 "workbook1-name": {
 "type": "string",
- "defaultValue": "Microsoft Global Secure Access Enriched M365 Logs",
+ "defaultValue": "Enriched Microsoft 365 logs Workbook",
 "minLength": 1,
 "metadata": {
 "description": "Name for the workbook"
@@ -31,7 +31,7 @@
 },
 "workbook2-name": {
 "type": "string",
- "defaultValue": "Microsoft Global Secure Access Traffic Logs",
+ "defaultValue": "Network Traffic Insights",
 "minLength": 1,
 "metadata": {
 "description": "Name for the workbook"
diff --git a/Solutions/Global Secure Access/ReleaseNotes.md b/Solutions/Global Secure Access/ReleaseNotes.md
index c865104afe2..2d7b29dd6cf 100644
--- a/Solutions/Global Secure Access/ReleaseNotes.md
+++ b/Solutions/Global Secure Access/ReleaseNotes.md
@@ -1,3 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|------------------------------------------------------------------------------------------|
+| 3.0.0 | 28-10-2024 | Fixing queries to combine events |
 | 3.0.0 | 05-09-2024 | Initial Solution release |
+
+
diff --git a/Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/GCP_Monitor_func.zip b/Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/GCP_Monitor_func.zip
index 526f24b2b42..0ebef0b985d 100644
Binary files a/Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/GCP_Monitor_func.zip and b/Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/GCP_Monitor_func.zip differ
diff --git a/Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/requirements.txt b/Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/requirements.txt
index 0bf7e10993c..f2fe20143c8 100644
--- a/Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/requirements.txt
+++ b/Solutions/Google Cloud Platform Cloud Monitoring/Data Connectors/requirements.txt
@@ -1,4 +1,4 @@
 google-cloud-monitoring==2.2.1
 azure-functions==1.6.0
-aiohttp==3.9.2
+aiohttp==3.10.2
 azure-storage-file-share==12.5.0
\ No newline at end of file
diff --git a/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json b/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json
index ce311ecc984..022557d7302 100644
--- a/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json
+++ b/Solutions/Google Cloud Platform Security Command Center/Data Connectors/GCPSecurityCommandCenter.json
@@ -20,7 +20,7 @@
 "dataTypes": [
 {
 "name": "{{graphQueriesTableName}}",
- "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "connectivityCriteria": [
diff --git a/Solutions/Google Cloud Platform Security Command Center/Package/3.0.6.zip b/Solutions/Google Cloud Platform Security Command Center/Package/3.0.6.zip
new file mode 100644
index 00000000000..5db960f7457
Binary files /dev/null and b/Solutions/Google Cloud Platform Security Command Center/Package/3.0.6.zip differ
diff --git a/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json b/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json
index a40b7983517..46a068e82be 100644
--- a/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json
+++ b/Solutions/Google Cloud Platform Security Command Center/Package/mainTemplate.json
@@ -42,7 +42,7 @@ "variables": { "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_solutionName": "Google Cloud Security Command Center", - "_solutionVersion": "3.0.5", + "_solutionVersion": "3.0.6", "_solutionAuthor": "Microsoft", "_packageIcon": "google_logo", "solutionId": "azuresentinel.azure-sentinel-solution-gcpscclogs-api", @@ -113,7 +113,7 @@ "dataTypes": [ { "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriteria": [ @@ -297,7 +297,7 @@ "dataTypes": [ { "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | where name_s == \"no data test\" | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriteria": [ diff --git a/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md b/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md index 2afcd26bfe9..b505b3409c7 100644 --- a/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md +++ b/Solutions/Google Cloud Platform Security Command Center/ReleaseNotes.md 
@@ -1,4 +1,5 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|---------------------------------------------|
-| 3.0.5 | 16-05-2024 | Modification in ** Data Connector ** |
-| 3.0.4 | 28-02-2024 | Initial solution release |
\ No newline at end of file
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|------------------------------------------------|
+| 3.0.6 | 12-11-2024 | Modified datatype query for **Data Connector** |
+| 3.0.5 | 16-05-2024 | Modification in ** Data Connector ** |
+| 3.0.4 | 28-02-2024 | Initial solution release |
\ No newline at end of file
diff --git a/Solutions/IllumioSaaS/Data Connectors/IllumioEventsConn.zip b/Solutions/IllumioSaaS/Data Connectors/IllumioEventsConn.zip
index 861322cf4d5..a5d9259a89e 100644
Binary files a/Solutions/IllumioSaaS/Data Connectors/IllumioEventsConn.zip and b/Solutions/IllumioSaaS/Data Connectors/IllumioEventsConn.zip differ
diff --git a/Solutions/IllumioSaaS/Data Connectors/IllumioQueueTrigger.zip b/Solutions/IllumioSaaS/Data Connectors/IllumioQueueTrigger.zip
index b188b93ca2e..8651225d2e2 100644
Binary files a/Solutions/IllumioSaaS/Data Connectors/IllumioQueueTrigger.zip and b/Solutions/IllumioSaaS/Data Connectors/IllumioQueueTrigger.zip differ
diff --git a/Solutions/IllumioSaaS/Data Connectors/IllumioSaaS_FunctionApp.json b/Solutions/IllumioSaaS/Data Connectors/IllumioSaaS_FunctionApp.json
index a15df6f41f2..b0638f4f6fa 100644
--- a/Solutions/IllumioSaaS/Data Connectors/IllumioSaaS_FunctionApp.json
+++ b/Solutions/IllumioSaaS/Data Connectors/IllumioSaaS_FunctionApp.json
@@ -121,6 +121,6 @@
 }
 ],
 "metadata": {
- "version": "1.1.0"
+ "version": "1.2.0"
 }
 }
\ No newline at end of file
diff --git a/Solutions/IllumioSaaS/Data Connectors/azuredeploy_IllumioSaaS_FunctionApp.json b/Solutions/IllumioSaaS/Data Connectors/azuredeploy_IllumioSaaS_FunctionApp.json
index e34c236e81f..7b1dc5affee 100644
--- a/Solutions/IllumioSaaS/Data Connectors/azuredeploy_IllumioSaaS_FunctionApp.json
+++ b/Solutions/IllumioSaaS/Data Connectors/azuredeploy_IllumioSaaS_FunctionApp.json
@@ -847,7 +847,7 @@
 },
 {
 "name": "WEBSITE_RUN_FROM_PACKAGE",
- "value": "https://raw.githubusercontent.com/illumio-shield/Azure-Sentinel/illumio-sentinel-m2/Solutions/IllumioSaaS/Data%20Connectors/IllumioEventsConn.zip"
+ "value": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/IllumioSaaS/Data%20Connectors/IllumioEventsConn.zip"
 },
 {
 "name": "FUNCTIONS_WORKER_RUNTIME",
diff --git a/Solutions/IllumioSaaS/Data Connectors/requirements.txt b/Solutions/IllumioSaaS/Data Connectors/requirements.txt
index f2752389adb..9bf651603be 100644
--- a/Solutions/IllumioSaaS/Data Connectors/requirements.txt
+++ b/Solutions/IllumioSaaS/Data Connectors/requirements.txt
@@ -1,8 +1,8 @@
-azure-storage-queue==12.1.5
+azure-storage-queue==12.4.0
 azure-core==1.30.0
 azure-functions==1.18.0
 gzip_stream==1.2.0
 aiobotocore==2.12.1
-azure-identity==1.15.0
+azure-identity==1.16.1
 azure-monitor-ingestion==1.0.3
 polars
\ No newline at end of file
diff --git a/Solutions/IllumioSaaS/Package/3.2.0.zip b/Solutions/IllumioSaaS/Package/3.2.0.zip
index d60891cde85..9f097b4f78a 100644
Binary files a/Solutions/IllumioSaaS/Package/3.2.0.zip and b/Solutions/IllumioSaaS/Package/3.2.0.zip differ
diff --git a/Solutions/IllumioSaaS/Package/3.2.2.zip b/Solutions/IllumioSaaS/Package/3.2.2.zip
new file mode 100644
index 00000000000..459ac595439
Binary files /dev/null and b/Solutions/IllumioSaaS/Package/3.2.2.zip differ
diff --git a/Solutions/IllumioSaaS/Package/mainTemplate.json b/Solutions/IllumioSaaS/Package/mainTemplate.json
index cbd3e49fabd..d47e9ec4df1 100644
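Review bot: The new WEBSITE_RUN_FROM_PACKAGE value in the azuredeploy_IllumioSaaS_FunctionApp.json hunk points at a branch ref (`master`) rather than a pinned revision, so the code the Function App runs is whatever that path holds when the host fetches the package, not necessarily the IllumioEventsConn.zip committed here, and anyone able to change that file on the branch changes the deployed connector. Pinning the URL to the reviewed commit, e.g. `"value": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/<commit-sha>/Solutions/IllumioSaaS/Data%20Connectors/IllumioEventsConn.zip"` (placeholder, fill in the actual SHA at packaging time), ties the deployment to a known artifact; if tracking the branch is intentional so customers receive fixes without redeploying, that trade-off deserves a note in the connector's deployment documentation so operators know the package is fetched unpinned at app start. The enclosing appSettings array continues outside the hunk.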
--- a/Solutions/IllumioSaaS/Package/mainTemplate.json +++ b/Solutions/IllumioSaaS/Package/mainTemplate.json @@ -55,7 +55,7 @@ }, "variables": { "_solutionName": "IllumioSaaS", - "_solutionVersion": "3.2.0", + "_solutionVersion": "3.2.2", "solutionId": "illumioinc1629822633689.illumio_sentinel", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "IllumioSaaSDataConnector", @@ -65,7 +65,7 @@ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.1.0", + "dataConnectorVersion1": "1.2.0", "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "IllumioAuditableEventsWorkbook", @@ -140,7 +140,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IllumioSaaS data connector with template version 3.2.0", + "description": "IllumioSaaS data connector with template version 3.2.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -274,7 +274,7 @@ } ], "metadata": { - "version": "1.1.0" + "version": "1.2.0" } } } 
@@ -486,7 +486,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IllumioAuditableEvents Workbook with template version 3.2.0", + "description": "IllumioAuditableEvents Workbook with template version 3.2.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -573,7 +573,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IllumioFlowData Workbook with template version 3.2.0", + "description": "IllumioFlowData Workbook with template version 3.2.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -660,7 +660,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IllumioWorkloadsStats Workbook with template version 3.2.0", + "description": "IllumioWorkloadsStats Workbook with template version 3.2.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", 
@@ -747,7 +747,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Firewall_Tampering_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.0", + "description": "Illumio_VEN_Firewall_Tampering_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -792,8 +792,8 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "hostname" + "columnName": "hostname", + "identifier": "HostName" } ] }, @@ -801,8 +801,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ipaddress" + "columnName": "ipaddress", + "identifier": "Address" } ] } @@ -866,7 +866,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Enforcement_Change_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.0", + "description": "Illumio_VEN_Enforcement_Change_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -911,8 +911,8 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "workload_name" + "columnName": "workload_name", + "identifier": "HostName" } ] }, 
@@ -920,8 +920,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "created_by" + "columnName": "created_by", + "identifier": "Name" } ] }, @@ -929,8 +929,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ipaddress" + "columnName": "ipaddress", + "identifier": "Address" } ] } @@ -994,7 +994,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Offline_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.0", + "description": "Illumio_VEN_Offline_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1039,8 +1039,8 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "hostname" + "columnName": "hostname", + "identifier": "HostName" } ] } @@ -1104,7 +1104,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Clone_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.0", + "description": "Illumio_VEN_Clone_Detection_Query_AnalyticalRules Analytics Rule with template version 3.2.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1149,8 +1149,8 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "hostname" + "columnName": "hostname", + "identifier": "HostName" } ] } 
@@ -1214,7 +1214,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Deactivated_Query_AnalyticalRules Analytics Rule with template version 3.2.0", + "description": "Illumio_VEN_Deactivated_Query_AnalyticalRules Analytics Rule with template version 3.2.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1259,8 +1259,8 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "hostname" + "columnName": "hostname", + "identifier": "HostName" } ] }, @@ -1268,8 +1268,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ipaddress" + "columnName": "ipaddress", + "identifier": "Address" } ] } @@ -1333,7 +1333,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Illumio_VEN_Suspend_Query_AnalyticalRules Analytics Rule with template version 3.2.0", + "description": "Illumio_VEN_Suspend_Query_AnalyticalRules Analytics Rule with template version 3.2.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1378,8 +1378,8 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "hostname" + "columnName": "hostname", + "identifier": "HostName" } ] }, @@ -1387,8 +1387,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ipaddress" + "columnName": "ipaddress", + "identifier": "Address" } ] } 
@@ -1448,7 +1448,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.2.0",
+ "version": "3.2.2",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "IllumioSaaS",
diff --git a/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json b/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json
index ae0456c5f53..d24dcf39032 100644
--- a/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json
+++ b/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json
@@ -20,7 +20,7 @@
 "Analytic Rules/Illumio_VEN_Suspend_Query.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\IllumioSaaS",
- "Version": "3.2.0",
+ "Version": "3.2.2",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/ImpervaCloudWAF/Data/Solution_ImpervaCloudWAF.json b/Solutions/ImpervaCloudWAF/Data/Solution_ImpervaCloudWAF.json
index 6c4c8225206..8ff99236e9e 100644
--- a/Solutions/ImpervaCloudWAF/Data/Solution_ImpervaCloudWAF.json
+++ b/Solutions/ImpervaCloudWAF/Data/Solution_ImpervaCloudWAF.json
@@ -4,7 +4,7 @@
 "Logo": "",
 "Description": "[Imperva Cloud WAF](https://www.imperva.com/resources/resource-library/datasheets/imperva-cloud-waf/) offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
 "Parsers": [
- "Parsers/ImpervaWAFCloud"
+ "Parsers/ImpervaWAFCloud.yaml"
 ],
 "Data Connectors": [
 "Data Connectors/ImpervaWAFCloud_FunctionApp.json"
diff --git a/Solutions/ImpervaCloudWAF/Package/3.0.1.zip b/Solutions/ImpervaCloudWAF/Package/3.0.1.zip
new file mode 100644
index 00000000000..44c397b614b
Binary files /dev/null and b/Solutions/ImpervaCloudWAF/Package/3.0.1.zip differ
diff --git a/Solutions/ImpervaCloudWAF/Package/createUiDefinition.json b/Solutions/ImpervaCloudWAF/Package/createUiDefinition.json
index ea6900986a5..cdeac76e1c4 100644
--- a/Solutions/ImpervaCloudWAF/Package/createUiDefinition.json
+++ b/Solutions/ImpervaCloudWAF/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ImpervaCloudWAF/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Imperva Cloud WAF](https://www.imperva.com/resources/resource-library/datasheets/imperva-cloud-waf/) offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ImpervaCloudWAF/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[Imperva Cloud WAF](https://www.imperva.com/resources/resource-library/datasheets/imperva-cloud-waf/) offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. 
[Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/ImpervaCloudWAF/Package/mainTemplate.json b/Solutions/ImpervaCloudWAF/Package/mainTemplate.json index d01698538bc..a21da366da1 100644 --- a/Solutions/ImpervaCloudWAF/Package/mainTemplate.json +++ b/Solutions/ImpervaCloudWAF/Package/mainTemplate.json @@ -41,9 +41,16 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "ImpervaCloudWAF", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "azuresentinel.azure-sentinel-solution-impervawafcloud", "_solutionId": "[variables('solutionId')]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','ImpervaWAFCloud')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ImpervaWAFCloud')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('ImpervaWAFCloud-Parser')))]", + "parserVersion1": "1.0.0", + "parserContentId1": "ImpervaWAFCloud-Parser" + }, "uiConfigId1": "ImpervaWAFCloudAPI", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "ImpervaWAFCloudAPI", 
@@ -183,6 +190,138 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ImpervaWAFCloud Data Parser with template version 3.0.1", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for ImpervaWAFCloud", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ImpervaWAFCloud", + "query": "ImpervaWAFCloud_CL \n| extend EventVendor = EventVendor_s,\n EventProduct = EventProduct_s,\n EventType = EventType_s,\n EventSeverity = column_ifexists('severity_s', ''),\n DvcAction = column_ifexists('act_s', ''),\n NetworkApplicationProtocol = column_ifexists('app_s', ''),\n Country = column_ifexists('ccode_s', ''),\n City = column_ifexists('cicode_s', ''),\n HttpStatusCode = column_ifexists('cn1_s', ''),\n SrcPortNumber = column_ifexists('cpt_s', ''),\n AccountName = column_ifexists('Customer_s', ''),\n RequestId = column_ifexists('deviceExternalId_s', ''),\n PoPName = 
column_ifexists('deviceFacility_s', ''),\n BrowserType = column_ifexists('dproc_s', ''),\n EventEndTime = column_ifexists('end_s', ''),\n NetworkSessionId = column_ifexists('fileId_s', ''),\n PostBody = column_ifexists('postbody_s', ''),\n QueryString = column_ifexists('qstr_s', ''),\n UrlOriginal = column_ifexists('request_s', ''),\n HttpUserAgentOriginal = column_ifexists('requestClientApplication_s', ''),\n HttpRequestMethod = column_ifexists('requestMethod_s', ''),\n DstIpAddr = column_ifexists('sip_s', ''),\n SiteID = column_ifexists('siteid_s', ''),\n DstDomainHostname = column_ifexists('sourceServiceName_s', ''),\n DstPortNumber = column_ifexists('spt_s', ''),\n SrcIpAddr = column_ifexists('src_s', ''),\n EventStartTime = column_ifexists('start_s', ''),\n AccountID = column_ifexists('suid_s', ''),\n NetworkApplicationProtocoVersion = column_ifexists('ver_s', ''),\n HttpRequestXff = column_ifexists('xff_s', ''),\n CaptchaSupport = column_ifexists('CapSupport_s', ''),\n ClientApp = column_ifexists('clapp_s', ''),\n ClientAppSig = column_ifexists('clappsig_s', ''),\n CookiesSupport = column_ifexists('COSupport_s', ''),\n SrcGeoLatitude = column_ifexists('latitude_s', ''),\n SrcGeoLongitude = column_ifexists('longitude_s', ''),\n VisitorID = column_ifexists('VID_g', '')\n| project TimeGenerated, EventVendor, EventProduct, EventType, EventSeverity, DvcAction, NetworkApplicationProtocol, Country, City, HttpStatusCode, SrcPortNumber, AccountName, RequestId, PoPName, BrowserType, EventEndTime, NetworkSessionId, PostBody, QueryString, UrlOriginal, HttpUserAgentOriginal, HttpRequestMethod, DstIpAddr, SiteID, DstDomainHostname, DstPortNumber, SrcIpAddr, EventStartTime, AccountID, NetworkApplicationProtocoVersion, HttpRequestXff, CaptchaSupport, ClientApp, ClientAppSig, CookiesSupport, SrcGeoLatitude, SrcGeoLongitude, VisitorID\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ImpervaWAFCloud')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "ImpervaCloudWAF", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "Parser for ImpervaWAFCloud", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": "[variables('parserObject1').parserVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + 
"properties": { + "eTag": "*", + "displayName": "Parser for ImpervaWAFCloud", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ImpervaWAFCloud", + "query": "ImpervaWAFCloud_CL \n| extend EventVendor = EventVendor_s,\n EventProduct = EventProduct_s,\n EventType = EventType_s,\n EventSeverity = column_ifexists('severity_s', ''),\n DvcAction = column_ifexists('act_s', ''),\n NetworkApplicationProtocol = column_ifexists('app_s', ''),\n Country = column_ifexists('ccode_s', ''),\n City = column_ifexists('cicode_s', ''),\n HttpStatusCode = column_ifexists('cn1_s', ''),\n SrcPortNumber = column_ifexists('cpt_s', ''),\n AccountName = column_ifexists('Customer_s', ''),\n RequestId = column_ifexists('deviceExternalId_s', ''),\n PoPName = column_ifexists('deviceFacility_s', ''),\n BrowserType = column_ifexists('dproc_s', ''),\n EventEndTime = column_ifexists('end_s', ''),\n NetworkSessionId = column_ifexists('fileId_s', ''),\n PostBody = column_ifexists('postbody_s', ''),\n QueryString = column_ifexists('qstr_s', ''),\n UrlOriginal = column_ifexists('request_s', ''),\n HttpUserAgentOriginal = column_ifexists('requestClientApplication_s', ''),\n HttpRequestMethod = column_ifexists('requestMethod_s', ''),\n DstIpAddr = column_ifexists('sip_s', ''),\n SiteID = column_ifexists('siteid_s', ''),\n DstDomainHostname = column_ifexists('sourceServiceName_s', ''),\n DstPortNumber = column_ifexists('spt_s', ''),\n SrcIpAddr = column_ifexists('src_s', ''),\n EventStartTime = column_ifexists('start_s', ''),\n AccountID = column_ifexists('suid_s', ''),\n NetworkApplicationProtocoVersion = column_ifexists('ver_s', ''),\n HttpRequestXff = column_ifexists('xff_s', ''),\n CaptchaSupport = column_ifexists('CapSupport_s', ''),\n ClientApp = column_ifexists('clapp_s', ''),\n ClientAppSig = column_ifexists('clappsig_s', ''),\n CookiesSupport = column_ifexists('COSupport_s', ''),\n SrcGeoLatitude = column_ifexists('latitude_s', ''),\n SrcGeoLongitude = column_ifexists('longitude_s', 
''),\n VisitorID = column_ifexists('VID_g', '')\n| project TimeGenerated, EventVendor, EventProduct, EventType, EventSeverity, DvcAction, NetworkApplicationProtocol, Country, City, HttpStatusCode, SrcPortNumber, AccountName, RequestId, PoPName, BrowserType, EventEndTime, NetworkSessionId, PostBody, QueryString, UrlOriginal, HttpUserAgentOriginal, HttpRequestMethod, DstIpAddr, SiteID, DstDomainHostname, DstPortNumber, SrcIpAddr, EventStartTime, AccountID, NetworkApplicationProtocoVersion, HttpRequestXff, CaptchaSupport, ClientApp, ClientAppSig, CookiesSupport, SrcGeoLatitude, SrcGeoLongitude, VisitorID\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ImpervaWAFCloud')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "kind": "Solution", + "name": "ImpervaCloudWAF", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
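Review bot: The parser query added in this hunk (embedded twice, in the contentTemplates mainTemplate and again in the standalone savedSearches resource) reads `EventVendor_s`, `EventProduct_s` and `EventType_s` directly while every other field goes through `column_ifexists`, so a workspace whose ImpervaWAFCloud_CL lacks one of those three columns gets a failing function instead of the empty-string fallback the rest of the fields have. Making the first three consistent — `EventVendor = column_ifexists('EventVendor_s', ''),` `EventProduct = column_ifexists('EventProduct_s', ''),` `EventType = column_ifexists('EventType_s', ''),` — fixes that; since Package/mainTemplate.json appears to be generated from the solution data, the change belongs in Parsers/ImpervaWAFCloud.yaml followed by a re-package rather than a hand edit here. Separately, the projected column `NetworkApplicationProtocoVersion` is misspelled (missing an `l`); renaming it is a consumer-visible change, so whichever way it is decided, the empty description tag (`"value": ""`) would be the place for a one-line statement of the parser's output contract. The function also projects `PostBody` and `QueryString` verbatim, which can carry credentials or personal data from client requests; worth confirming that exposing them to every consumer of the ImpervaWAFCloud function is intended rather than leaving them to the raw table.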
@@ -192,7 +331,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaCloudWAF data connector with template version 3.0.0",
+ "description": "ImpervaCloudWAF data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -543,7 +682,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaAbnormalProtocolUsage_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ImpervaAbnormalProtocolUsage_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -648,7 +787,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaAdminPanelUncommonIp_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ImpervaAdminPanelUncommonIp_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -753,7 +892,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaAttackNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ImpervaAttackNotBlocked_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]",
@@ -858,7 +997,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaCommandInUri_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ImpervaCommandInUri_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
@@ -963,7 +1102,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaForbiddenCountry_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ImpervaForbiddenCountry_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
@@ -1068,7 +1207,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaForbiddenMethod_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ImpervaForbiddenMethod_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
@@ -1182,7 +1321,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaMaliciousClient_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ImpervaMaliciousClient_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]",
@@ -1296,7 +1435,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaMaliciousUA_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ImpervaMaliciousUA_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]",
@@ -1401,7 +1540,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaMultipleUAsSource_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ImpervaMultipleUAsSource_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]",
@@ -1506,7 +1645,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaSuspiciousDstPort_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ImpervaSuspiciousDstPort_AnalyticalRules Analytics Rule with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]",
@@ -1611,7 +1750,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaDestinationBlocked_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ImpervaDestinationBlocked_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -1696,7 +1835,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaInsecureWebProtocolVersion_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ImpervaInsecureWebProtocolVersion_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -1781,7 +1920,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaNonWebApplication_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ImpervaNonWebApplication_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -1866,7 +2005,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaRareApplications_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ImpervaRareApplications_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -1951,7 +2090,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaRareClientApplications_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ImpervaRareClientApplications_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -2036,7 +2175,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaRareDstPorts_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ImpervaRareDstPorts_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -2121,7 +2260,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaRequestsFromBots_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ImpervaRequestsFromBots_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -2206,7 +2345,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaSourceBlocked_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ImpervaSourceBlocked_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -2291,7 +2430,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaTopApplicationsErrors_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ImpervaTopApplicationsErrors_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -2376,7 +2515,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ImpervaTopSourcesErrors_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ImpervaTopSourcesErrors_HuntingQueries Hunting Query with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -2461,7 +2600,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Imperva WAF Cloud Overview Workbook with template version 3.0.0",
+ "description": "Imperva WAF Cloud Overview Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -2545,12 +2684,12 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "ImpervaCloudWAF",
 "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Imperva Cloud WAF offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Imperva Cloud WAF offers the industry's leading web application security firewall, providing enterprise-class protection against the most sophisticated security threats. As a cloud-based WAF, it ensures that your website is always protected against any type of application layer hacking attempt. Imperva Cloud WAF is a key component of Imperva's market-leading, full stack application security solution which brings defence-in-depth to a new level.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API

    \n
  2. \n
  3. Azure Functions

    \n
  4. \n
\n

Data Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -2575,6 +2714,11 @@
 "dependencies": {
 "operator": "AND",
 "criteria": [
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject1').parserContentId1]",
+ "version": "[variables('parserObject1').parserVersion1]"
+ },
 {
 "kind": "DataConnector",
 "contentId": "[variables('_dataConnectorContentId1')]",
diff --git a/Solutions/ImpervaCloudWAF/ReleaseNotes.md b/Solutions/ImpervaCloudWAF/ReleaseNotes.md
index 739be150f86..8b6db5c2c71 100644
--- a/Solutions/ImpervaCloudWAF/ReleaseNotes.md
+++ b/Solutions/ImpervaCloudWAF/ReleaseNotes.md
@@ -1,3 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|------------------------------------------------- |
+| 3.0.1 | 07-11-2024 | Added existing ***Parser* into the solution |
 | 3.0.0 | 22-08-2024 | Updated the python runtime version to **3.11** |
diff --git a/Solutions/Infoblox/Package/3.0.1.zip b/Solutions/Infoblox/Package/3.0.1.zip
new file mode 100644
index 00000000000..7b774da6e92
Binary files /dev/null and b/Solutions/Infoblox/Package/3.0.1.zip differ
diff --git a/Solutions/Infoblox/Package/mainTemplate.json b/Solutions/Infoblox/Package/mainTemplate.json
index 8e30123920f..efdba304cc8 100644
--- a/Solutions/Infoblox/Package/mainTemplate.json
+++ b/Solutions/Infoblox/Package/mainTemplate.json
@@ -47,7 +47,7 @@
 },
 "variables": {
 "_solutionName": "Infoblox",
- "_solutionVersion": "3.0.0",
+ "_solutionVersion": "3.0.1",
 "solutionId": "infoblox.infoblox-app-for-microsoft-sentinel",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "InfobloxDataConnector",
@@ -316,7 +316,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox data connector with template version 3.0.0",
+ "description": "Infoblox data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1307,7 +1307,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox data connector with template version 3.0.0",
+ "description": "Infoblox data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
@@ -1734,7 +1734,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox data connector with template version 3.0.0",
+ "description": "Infoblox data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion3')]",
@@ -2099,7 +2099,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox data connector with template version 3.0.0",
+ "description": "Infoblox data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion4')]",
@@ -2542,7 +2542,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox data connector with template version 3.0.0",
+ "description": "Infoblox data connector with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion5')]",
@@ -2949,7 +2949,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_Lookup_Workbook Workbook with template version 3.0.0",
+ "description": "Infoblox_Lookup_Workbook Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -3107,7 +3107,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Infoblox_Workbook Workbook with template version 3.0.0",
+ "description": "Infoblox_Workbook Workbook with template version 3.0.1",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -3125,7 +3125,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"370d206d-18b1-43d4-a170-71a4a12ba9b2\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"SOC Insights Overview\",\"subTarget\":\"6\",\"style\":\"link\"},{\"id\":\"63a011d0-c970-408d-b027-a8579848a6fd\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Config Insights Overview\",\"subTarget\":\"8\",\"style\":\"link\"},{\"id\":\"f8b51e3b-e4b2-4ba4-9a9c-bedea05a1ee7\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Blocked Traffic Overview\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"d3af8e0b-806c-4f1f-b006-845c842bc2fc\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DNS Overview\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"dbd0c004-e0b4-446c-91cd-5a5af3f6e16e\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DHCP Overview\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"41df2b27-5f91-4a8b-adcb-e7997f86d6d6\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Audit Log Overview\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"4f1a6ec7-3d56-4f50-8045-34adbb8d92d0\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Service Log Overview\",\"subTarget\":\"5\",\"style\":\"link\"},{\"id\":\"ffabdc7f-2cb7-40fc-a883-d82609bba051\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Intelligence Overview\",\"subTarget\":\"7\",\"style\":\"link\"}]},\"name\":\"links - 
1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e1e015ea-e688-48be-ac2b-846fe98be48e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4bf79012-0d96-4024-8cb6-0b9c0d9407ef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host 
Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where isnotempty(SourceHostName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName 
desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"66255f50-472e-4295-8d64-6b9fa2e3c887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\", SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by SecondLevelDomain \\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f0a80c9f-a800-4958-b51c-4b38bfaf6624\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResponseCode\",\"label\":\"Response Code\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSRCode: string) with (pair_delimiter=';', 
kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode)\\r\\n| where isnotempty(InfobloxDNSRCode) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSRCode\\r\\n| sort by InfobloxDNSRCode asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RecordType\",\"label\":\"Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSQType\\r\\n| sort by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| project-rename ['Destination Dns Domain'] = DestinationDnsDomain\\r\\n| project ['Destination Dns Domain'], Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Requested FQDNs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Destination Dns 
Domain\",\"exportParameterName\":\"DestinationDnsDomain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Most Requested FQDNs\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"0\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Most Requested FQDNs' grid to see 'Top 10 Devices'\"},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 18\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 20\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"72d2b1bd-300c-4f3e-b4ca-4dcaec96fb3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopDevices\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ 
({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DeviceName)\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(DeviceName)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"102ee8fc-7658-4bca-82f3-54ed66d2ba9d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopMAC\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" and DestinationDnsDomain == ('{DestinationDnsDomain}') \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = 
make_list(SourceMACAddress)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c59d86e-9130-41a4-ba95-4e7974e4de06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstDevice\",\"type\":1,\"query\":\"print (todynamic('{TopDevices}')[0])\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f1d8907-d375-4db8-a5c9-f9d7390d8f7f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bd2a1987-e9ba-42ac-9856-a8c781ebb332\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"04910ee0-5aa4-4897-82d6-15167ad50e01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9a023fc0-b8b3-4e1e-9d9c-2c5c511cf32f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5619aab8-f9b6-4218-9315-c6741facf4eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4dd8c03f-0ec4-494c-a237-ff5c9ab73f8f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1a2455e4-36ec-46c9-bb3f-395ff1186abb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[7]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"72b22373-007c-4d10-bbdd-bdac49ea666c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb44f209-d53b-488f-8275-05294b57b1c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bb6a7aa4-0cf3-49d4-9649-179f6d60af71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[0]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"571e7afc-50fc-4f35-a7cf-c1d23a00effe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"00dca50c-6034-4a97-b1b0-da773ed535e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05752a54-7398-4373-9d67-bc5ce96c32a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"42233555-d975-4e88-b62e-2a53e728ae38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3a0eea52-845c-4347-b01b-6f4531de2d5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"29854b31-e4cd-4157-94d4-c0c3fef6f9a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"959fdc81-126b-44f9-8a82-753bc8d5bebd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[7]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"78b51494-7bb5-4a7d-ab01-67483568319d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b66ac0ed-09b2-49e1-bead-88c1a1145f70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Hide\",\"comparison\":\"isNotEqualTo\"},\"name\":\"parameters - 18\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top 10 Devices for Domain : {DestinationDnsDomain}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" 
or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FirstDevice}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| render piechart with(title=tostring(todynamic('{TopDevices}')[0]))\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FirstDevice} , MAC : {FirstMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FirstDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ 
({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SecondDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SecondDevice} , MAC : {SecondMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SecondDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == 
('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{ThirdDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {ThirdDevice} , MAC : {ThirdMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ThirdDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode 
in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FourthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FourthDevice} , MAC : {FourthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FourthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FifthDevice}') \\r\\n| summarize Count = count() by 
SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FifthDevice} , MAC : {FifthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FifthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SixthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SixthDevice} , MAC : 
{SixthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SixthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SeventhDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SeventhDevice} , MAC : 
{SeventhMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SeventhDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{EightDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {EightDevice} , MAC : 
{EightMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"EightDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{NinethDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {NinethDevice} , MAC : 
{NinethMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NinethDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{TenthDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {TenthDevice} , MAC : 
{TenthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"TenthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 19\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceUserName)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD})) \\r\\n| project-rename User = SourceUserName\\r\\n| summarize Count = count() by User\\r\\n| project User, Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests Count by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"User\",\"exportParameterName\":\"SourceUserName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Top Users\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'DNS Requests Count by Users' grid to see 'Overall DNS Requests made by User' and 'Top 10 Requested Domains by User'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 19\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\nInfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string, \\r\\nInfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string, \\r\\nInfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns 
Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall DNS Requests made by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log 
Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 15\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" 
or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Requested Domains by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"group\":\"DestinationDnsDomain\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
8\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by InfobloxDNSRCode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Response 
Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Response_Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Types of Response' pie chart to see 'DNS Requests' and 'Top 20 Devices'\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", 
SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], 
['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"{Response_Type} DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"
query - 16\",\"styleSettings\":{\"padding\":\"17px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 20 by Count\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 20 Devices for {Response_Type} DNS 
Request\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":20,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by 
InfobloxDNSQType\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Query Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on TimeGenerated from ago(1d) to now() step 1h by InfobloxDNSRCode\",\"size\":0,\"title\":\"Overall Queries Per Hour\",\"timeContext\":{\"durationMs\":86400000},\"exportFieldName\":\"x\",\"exportParameterName\":\"QPS_Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"}}},\"customWidth\":\"100\",\"name\":\"query - 11\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"18px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Overall Queries Per Hour' bar chart to see 'Queries Per Minutes'\"},\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 20\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| where TimeGenerated between (Gridtime - 30m .. Gridtime + 30m)\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on bin(TimeGenerated, 1m) from (Gridtime - 30m) to (Gridtime + 30m) step 1m by InfobloxDNSRCode\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Queries Per Minute\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 13\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 
30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\nand TimeGenerated between ((Gridtime - 30m) .. 
(Gridtime + 30m))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Overall Query by Devices per hour\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName 
= trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], 
Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxAnCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreenBlue\"}},{\"columnMatch\":\"InfobloxNsCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yell
owOrangeBrown\"}},{\"columnMatch\":\"InfobloxArCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"SourceUserName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"representation\":\"brown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 15\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Main Group\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-IP-Space-Data** logic app which is deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4abe4038-7e69-4b2c-9ec2-e1f9311e96be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"379d941d-6191-494d-b518-caf9e0d8ce55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DHCPServer\",\"label\":\"DHCP Server\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(InfobloxHostID) \\r\\n| distinct InfobloxHostID\\r\\n| sort by InfobloxHostID 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"68911f86-d896-407d-9a0b-07934f997037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceHostName) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c5628a47-4153-4808-a618-9a06d560428b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MAC\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceMACAddress) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceMACAddress\\r\\n| sort by SourceMACAddress asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"053f6da7-3bb9-4f9f-9bc5-ec09a9723f52\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Space\",\"label\":\"IP Space\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxIPSpace: string, InfobloxHostID: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases (Unique 
IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize 
count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" 
or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases (Unique IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, 
*) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases \",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | 
summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Leases over Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = 
trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| extend InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where isnotempty(InfobloxLeaseOp)\\r\\n| summarize count() by InfobloxLeaseOp\",\"size\":3,\"showAnalytics\":true,\"title\":\"DHCP Activity Summary\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Lease\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"51px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'DHCP Activity Summary' pie chart to see 'DHCP Lease for Activity'\"},\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == 
\\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 MAC Address\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_MAC\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"53px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Top 10 MAC Address' pie chart to see 'Source IPs for MAC'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxRangeStart: 
string, InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string,\\r\\nInfobloxDUID: string, InfobloxLifetime: string,InfobloxLeaseUUID: string, InfobloxFingerprintPr: string,\\r\\nInfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand InfobloxLeaseOp == ('{Lease}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space})) and isnotempty(trim(@\\\"\\\\s\\\", InfobloxLeaseOp))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector 
Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease for Activity : {Lease}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand SourceMACAddress == ('{Pie_MAC}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ 
({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for MAC : {Pie_MAC}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceIP)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where 
(('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count=count() by SourceIP\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 IP Addresses\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Top 10 IP Addresses' grid to see 'Host for IP'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand SourceIP == ('{SourceIP}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, 
IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceHostName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Host for IP : {SourceIP}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\nand DeviceProduct == \\\"Data Connector\\\" \\r\\nand DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand 
(('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5\",\"padding\":\"5\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 
14\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 5\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82320096-33a6-4d48-b64f-2c90aa564ed4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"00756d7d-b074-42e5-996e-4ffa6487606f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserName\",\"label\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"3d2f3549-f5c5-4496-a013-f9b306321c75\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction) and (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| distinct DeviceAction\\r\\n| sort by DeviceAction asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string, InfobloxRangeEnd: string, 
InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\nand (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename Action = DeviceAction\\r\\n| summarize Count = count() by Action\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Types of Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"bar_Action\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Types of Actions' bar chart to see 'Top 10 User for Action' and 'Audit Logs for Action'\"},\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 4\"}],\"exportParameters\":true},\"name\":\"group - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(SourceUserName)\\r\\nand DeviceAction == ('{bar_Action}')\\r\\nand (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename User = SourceUserName, Action = DeviceAction\\r\\n| summarize Count = count() by User\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_user\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"70px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Top 10 User for Action : {bar_Action}' pie chart to see 'Top 10 SourceIP for User'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n 
and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string, \\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string, \\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, \\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], 
Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where SourceUserName == ('{Pie_user}') and DeviceAction == ('{bar_Action}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Source IP for User : 
{Pie_user}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string,\\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\n InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\n and (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = 
InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"daee0513-3b57-4c4d-9052-7a92094a4036\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| where isnotempty(SourceUserName) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by SourceUserName\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf61f3a4-fe90-4244-b94b-4aedc1210af9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Location\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, 
InfobloxB1Region: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(Location) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct Location\\r\\n| sort by Location asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"e63dae9c-b8cf-4c02-9a7f-de990bfc4d1b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by 
SecondLevelDomain\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNSRecordType\",\"label\":\"DNS Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxDNSQType\\r\\n| order by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f67927b9-00eb-4a45-b9d0-4bde9ac74d86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyName\",\"label\":\"Policy Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs 
\\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxB1PolicyName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxB1PolicyName\\r\\n| sort by InfobloxB1PolicyName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand 
(('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(SourceUserName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by User = SourceUserName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Blocked Domains\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxRPZ: string, InfobloxPolicyID: string, InfobloxDomainCat: string, InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string, InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by InfobloxRPZ\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Feeds, 
Filters\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DeviceName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by Asset = DeviceName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Assets\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Asset\",\"exportParameterName\":\"DeviceName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"100\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Top 10 Malicious Assets' grid to see 'Overall Asset Details'\"},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = 
trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand DeviceName == ('{DeviceName}')\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], 
['Threat Indicator'], ['Feed Type']\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Asset : {DeviceName} Details \",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, 
InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| order by TimeGenerated\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = 
InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Blocked DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat 
Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-Service-Name** and **Infoblox-Get-Host-Name** logic 
apps which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19baf045-4606-49d8-8cb7-ef3ee9fed69a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"af60a861-3c2f-42a5-9045-295348fa5ac6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ServiceName\",\"label\":\"Service Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"796c7544-d2ff-42c6-a5c4-816298e72782\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend HostID = tostring(split(split(InfobloxLogName, ';')[0], '/')[0])\\r\\n| parse-kv LogSeverity as (InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend LogSeverityHostID = tostring(split(InfobloxLogName, '/')[0])\\r\\n| extend HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend HostName = trim(@\\\"\\\\s\\\", display_name_s), 
name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(HostName) and ('{ServiceName:escapejson}' == \\\"*\\\" or name_s in~ ({ServiceName}))\\r\\n| distinct HostName\\r\\n| order by HostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(split(InfobloxLogName, ';')[0], '/')\\r\\n| extend HostID = tostring(InfobloxLogName[0]), Process = tostring(InfobloxLogName[1])\\r\\n| parse-kv LogSeverity as (msg:string, InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(InfobloxLogName, '/')\\r\\n| extend LogSeverityHostID = tostring(InfobloxLogName[0]),\\r\\n LogSeverityProcess = tostring(InfobloxLogName[1]),\\r\\n Message = split(iif(isempty(Message), msg , Message), '\\\"')[1]\\r\\n| extend Process = iif(isempty(Process), LogSeverityProcess, Process), HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union 
isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend ['Service Name'] = trim(@\\\"\\\\s\\\", name_s), ['Host Name'] = trim(@\\\"\\\\s\\\", display_name_s), ['Process Name'] = trim(@\\\"\\\\s\\\",Process)\\r\\n| where ('{ServiceName:escapejson}' == \\\"*\\\" or ['Service Name'] in~ ({ServiceName}))\\r\\nand ('{HostName:escapejson}' == \\\"*\\\" or ['Host Name'] in~ ({HostName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], ['Service Name'], ['Process Name'], ['Host Name'], Message\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Log Data\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This data connector depends on parsers based on Kusto Functions to work as expected called **InfobloxInsight, InfobloxInsightEvents, InfobloxInsightAssets, InfobloxInsightIndicators, **and **InfobloxInsightComments** which are deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 20px 
0\"}},{\"type\":1,\"content\":{\"json\":\"# Infoblox SOC Insights Workbook\\r\\n\\r\\n##### Get a closer look at your Infoblox SOC Insights. \\r\\n\\r\\nThis workbook is intended to help visualize your [BloxOne SOC Insights](https://csp.infoblox.com/#/insights-console/insights/open/threats) data as part of the **Infoblox SOC Insight Solution**. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| extend isConfigIssue = iff((ThreatClass has_cs (\\\"CONFIGURATIONISSUE\\\")), \\\"Configuration\\\", \\\"Threats\\\")\\r\\n| summarize count() by isConfigIssue\",\"size\":3,\"title\":\"Insight Types\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Insight Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| summarize 
dcount(InfobloxInsightID) by Priority\",\"size\":3,\"title\":\"Priority\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"purple\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Priority\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatProperty\",\"size\":3,\"title\":\"Threat Families\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatType\",\"size\":3,\"title\":\"Threat Classes\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"Threat Classes\"}]},\"name\":\"Overall\"},{\"type\":1,\"content\":{\"json\":\"## Using this Workbook\\r\\nTo make use of this workbook, you must ingest Infoblox SOC Insight data into Sentinel in one or both ways:\\r\\n- Deploy the **Infoblox SOC Insights Data Connector** and forward CEF syslog via the Microsoft forwarding agent.\\r\\n- Deploy the **Infoblox-SOC-Get-Open-Insights-API** playbook.\\r\\n\\r\\nYou can use one or both at the same time, but beware of duplicate data!\\r\\n\\r\\nConfigure the **Analytic Queries** that come with this Microsoft Sentinel Solution. They will add the Insights as Incidents, so you can easily track and run playbooks on them.\\r\\n\\r\\nThen, once you have some Insights, run the **Infoblox-SOC-Get-Insight-Details** playbook to get all the gritty details. If you wish, you can then run **Infoblox-SOC-Import-Indicators-TI** to ingest each Indicator of an Insight into Sentinel as **Threat Intelligence**.\\r\\n\\r\\n## Run playbooks directly from this workbook!\\r\\n\\r\\n#### Set the **Resource Group**, [**Tenant ID**](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) and **Playbook** to run when clicking on the **Run Playbook** in the SOC Insight Incidents table below.\\r\\n\\r\\n**Infoblox-SOC-Get-Insight-Details** pulls all the details about each individual Insight. \\r\\n\\r\\n**Infoblox-SOC-Import-Indicators-TI** pushes each Indicator of the Insight into Sentinel as **Threat Intelligence**. 
You must run the **Infoblox-SOC-Get-Insight-Details** *before* running **Infoblox-SOC-Import-Indicators-TI**.\\r\\n\\r\\nYou will need to run the playbooks for each Insight/Incident. You can do that manually within this workbook with the **Run Playbook** button in the table below, from the **Incidents** blade, or configure them to run automatically with **Analytics**. \\r\\n\\r\\nAfter running **Infoblox-SOC-Get-Insight-Details** on an Insight, **click on it in the table below** to see the details.\\r\\n\\r\\n**You can rerun playbooks on Insights** that already contain data to get the most recent. \",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 5px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8613f2c-08c6-49e6-a2c6-e12d185c6bd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceTypes\",\"label\":\"Resource Types\",\"type\":7,\"description\":\"This parameter must be set to Logic app.\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"includeAll\":true,\"showDefault\":false},\"value\":[\"microsoft.logic/workflows\"]},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Incidents Resource Group\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"isGlobal\":true,\"query\":\"where type =~ 
\\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where resourceGroup =~ \\\"{SentinelResourceGroup}\\\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a92b010-8b48-4601-872f-83e13561b088\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"63c75027-cc56-4958-9296-e0c986ab11e0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookResourceGroup\",\"label\":\"Playbook Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"3c6d99b2-1eb1-4650-a3f0-d48dc03f87cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenantID\",\"label\":\"Tenant ID\",\"type\":1,\"isRequired\":true,\"value\":\"\"},{\"id\":\"e1ea6f58-cd1b-4807-a7de-7da91b787bd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookName\",\"label\":\"Playbook\",\"type\":5,\"description\":\"Set the playbook to run when clicking on 
the \\\"Run Playbook\\\" in the SOC Insight Incidents table below.\",\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~({ResourceTypes})\\r\\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\\r\\n| where resourceGroup =~ \\\"{PlaybookResourceGroup}\\\"// or '*' in~({PlaybookResourceGroup})\\r\\n| order by name asc\\r\\n| extend Rank = row_number()\\r\\n| project label = tostring(name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"Infoblox-SOC-Get-Insight-Details\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"15px 0 0 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"103f5c4e-6007-46c3-88ed-74fdb7843acc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}]},\"value\":{\"durationMs\":2592000000}},{\"id\":\"7c4c6733-a2d8-40b1-abf5-7f2d777e814c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectPriority\",\"label\":\"Priority\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n { 
\\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"INFO\\\"},\\r\\n { \\\"value\\\":\\\"LOW\\\"},\\r\\n { \\\"value\\\":\\\"MEDIUM\\\"},\\r\\n { \\\"value\\\":\\\"HIGH\\\"},\\r\\n { \\\"value\\\":\\\"CRITICAL\\\"}\\r\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"3e3ee805-c983-480e-9c10-49a47be4ddc6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| distinct Status\\r\\n| sort by Status asc\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1c79577f-a4f2-4b2a-aaa7-fbcc5e27831d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| project Owner=tostring(Owner.userPrincipalName)\\r\\n| sort by Owner asc\\r\\n| extend Owner = iff(isnotempty( Owner), Owner, \\\"Unassigned\\\")\\r\\n| distinct Owner\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 19 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let x =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where 
tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Labels = tostring(Labels)\\r\\n| extend InfobloxInsightID = extract(\\\"InfobloxInsightID: (.*?)\\\\\\\"\\\", 1, Labels)\\r\\n| join \\r\\n (InfobloxInsight\\r\\n | summarize arg_max(TimeGenerated, *) by InfobloxInsightID\\r\\n ) on InfobloxInsightID\\r\\n//sometimes duplicate TimeGenerated so grab LastSeen next\\r\\n| summarize arg_max(LastSeen, *) by IncidentNumber\\r\\n| project IncidentNumber, Severity, Priority, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID\\r\\n; \\r\\nlet incidents =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Alerts = extract(\\\"\\\\\\\\[(.*?)\\\\\\\\]\\\", 1, tostring(AlertIds))\\r\\n| mv-expand AlertIds to typeof(string)\\r\\n//----------------\\r\\n;\\r\\nlet alerts =\\r\\n SecurityAlert\\r\\n | extend AlertEntities = parse_json(Entities)\\r\\n //| extend InfobloxInsightID = tostring(AlertEntities.ObjectGuid)\\r\\n;\\r\\nincidents | join alerts on $left.AlertIds == $right.SystemAlertId\\r\\n//----------------------\\r\\n| summarize AlertCount=dcount(AlertIds) by IncidentNumber, IncidentID, Status, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , RunPlaybook\\r\\n// -------------\\r\\n| join kind=inner (incidents | join alerts on $left.AlertIds == 
$right.SystemAlertId) on IncidentNumber\\r\\n| join kind=fullouter x on IncidentNumber\\r\\n| summarize arg_max(TimeGenerated,*) by (IncidentNumber)\\r\\n//| where Priority in ({SelectPriority}) or '{SelectPriority:label}' == \\\"All\\\"\\r\\n| where Status in ({Status}) or '{Status:label}' == \\\"All\\\"\\r\\n| project IncidentNumber, Severity, Priority, Title, Status, Owner, IncidentUrl, RunPlaybook, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID, IncidentID\\r\\n//| project-away IncidentID\\r\\n| order by toint(IncidentNumber) desc\\r\\n\",\"size\":0,\"title\":\"SOC Insight Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"InfobloxInsightID\",\"parameterName\":\"InfobloxInsightID\",\"parameterType\":1},{\"fieldName\":\"IncidentID\",\"parameterName\":\"IncidentID\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"Title\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"Sev4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Priority\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdV
alue\":\"INFO\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MEDIUM\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"CRITICAL\",\"representation\":\"purple\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"New\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Active\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Owner\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}},{\"columnMatch\":\"RunPlaybook\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:label}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/runPlaybook?api-version=2019-01-01-preview\",\"body\":\"{\\r\\n \\\"LogicAppsResourceId\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.Logic/workflows/{PlaybookName:label}\\\",\\r\\n \\\"tenantId\\\":\\\"{TenantID}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify 
resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}},\"tooltipFormat\":{\"tooltip\":\"Run {PlaybookName} on this insight.\"}},{\"columnMatch\":\"EventsCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"NotBlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"BlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"InsightDataReady\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data for this insight, run the Infoblox-SOC-API-Get-Insight-Details playbook.\"}},{\"columnMatch\":\"isPopulated\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data about this Insight, run the Infoblox-SOC-API-Get-Insight-Details 
Playbook.\"}},{\"columnMatch\":\"Alerts\",\"formatter\":5},{\"columnMatch\":\"AlertCount\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Entities\",\"formatter\":1},{\"columnMatch\":\"alertCount\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"}},{\"columnMatch\":\"count_AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"rowLimit\":500,\"filter\":true}},\"name\":\"IncidentDetailsView\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Summary\",\"subTarget\":\"Summary\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Assets\",\"subTarget\":\"Assets\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators\",\"subTarget\":\"Indicators\",\"style\":\"link\"},{\"id\":\"f2ce2fdb-104a-447f-b42b-6d11931a09ff\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events\",\"subTarget\":\"Events\",\"style\":\"link\"},{\"id\":\"03782b90-e744-4654-95c3-a1056cfe78f9\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Comments\",\"subTarget\":\"Comments\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"},\"name\":\"links - 16\",\"styleSettings\":{\"padding\":\"20px 0 20px 0\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** above to view more information.\",\"style\":\"upsell\"},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 14\",\"styleSettings\":{\"padding\":\"10px 0 10px 
0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Title}\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"5c15d5ff-4108-4538-930b-201f4f8da870\",\"cellValue\":\"https://csp.infoblox.com/#/insights-console/insight/{InfobloxInsightID}/summary\",\"linkTarget\":\"Url\",\"linkLabel\":\"Redirect To Summary on CSP\",\"preText\":\"\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(FirstSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend FirstSeen = strcat(tostring(FirstSeen), \\\" UTC\\\")\\r\\n| project FirstSeen\",\"size\":3,\"title\":\"First Seen\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"FirstSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"First Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(LastSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend LastSeen = strcat(tostring(LastSeen), \\\" UTC\\\")\\r\\n| project LastSeen\",\"size\":3,\"title\":\"Last Seen 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"LastSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Last Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(SpreadingDate)\\r\\n| extend format_datetime(todatetime(SpreadingDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend SpreadingDate = strcat(tostring(SpreadingDate), \\\" UTC\\\")\\r\\n| project SpreadingDate\",\"size\":3,\"title\":\"Spreading Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"SpreadingDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Spreading Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(PersistentDate)\\r\\n| extend format_datetime(todatetime(PersistentDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend PersistentDate = strcat(tostring(PersistentDate), \\\" UTC\\\")\\r\\n| project PersistentDate\",\"size\":3,\"title\":\"Persistent 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"PersistentDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Persistent Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(BlockedCount)\\r\\n| project BlockedCount\",\"size\":3,\"title\":\"Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"BlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(NotBlockedCount)\\r\\n| project NotBlockedCount\",\"size\":3,\"title\":\"Not Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"NotBlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Not Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(EventsCount)\\r\\n| project EventsCount\\r\\n\",\"size\":3,\"title\":\"Total Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventsCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"gray\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\\r\\n\",\"size\":0,\"title\":\"Top 20 Compromised 
Assets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top Impacted IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count() by ThreatIndicator\\r\\n| top 20 by count_ \\r\\n| project ThreatIndicator);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, ThreatIndicator, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatIndicator\\r\\n\",\"size\":0,\"title\":\"Top 20 Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top 20 Indicators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = 
materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() );\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"Events\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Summary\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Summary\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Assets\\r\\n---\\r\\nSee your protected assets/devices affected by this insight. 
**Install the Infoblox Endpoint client for more accurate data.**\"},\"name\":\"text - 6\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Asset** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"margin\":\"15px 0 15px 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['OS Version'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| project SourceIP, User, ['MAC Address'], ['OS Version'], DeviceName, Network,['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"IndicatorDistinctCount\",\"label\":\"Associated Indicators\"}]}},\"name\":\"Assets\",\"styleSettings\":{\"margin\":\"0 0 20px 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"gree
n\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 60px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ThreatIndicator, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| summarize Count = count() by ThreatIndicator\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\" Indicators for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatLevel\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Level Trend for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"se
riesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Level Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for 
{SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"blue\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| 
where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Events = count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"All Events for {SourceIP}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"All Events for {SourceIP}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Assets\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Assets\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Indicators\\r\\n---\\r\\nAn **Indicator** is a domain or IP address that is seen in the resolution chain of a query from a device.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| summarize count_distinct(ThreatIndicator) by 
InfobloxB1PolicyAction\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Blocked\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count_distinct(ThreatIndicator) by ThreatLevel\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"blue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Indicator** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"padding\":\"15px 0 15px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct 
ThreatLevel\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e36bc3c2-b85e-478c-968b-7faf79c21c49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InfobloxB1PolicyActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct InfobloxB1PolicyAction\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AssetCount = (InfobloxInsightIndicators\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| join kind=inner\\r\\n(\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"66b112e0-3187-4faa-9357-d229e98002ca\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\\r\\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\\r\\n| where ThreatIndicator1 has_cs ThreatIndicator\\r\\n| summarize by SourceIP, ThreatIndicator\\r\\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\\r\\n\\r\\n\\r\\nInfobloxInsightIndicators\\r\\n| where InfobloxInsightID == 
\\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| join\\r\\n (\\r\\n AssetCount\\r\\n ) on ThreatIndicator\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| extend URL = strcat(\\\"https://csp.infoblox.com/#/security_research/search/auto/\\\", ThreatIndicator, \\\"/summary\\\")\\r\\n| extend sort_order = case(\\r\\n ThreatLevel == \\\"High\\\", 5,\\r\\n ThreatLevel == \\\"Medium\\\", 4,\\r\\n ThreatLevel == \\\"Low\\\", 3,\\r\\n ThreatLevel == \\\"N/A\\\", 2,\\r\\n 1 // default case if ThreatLevel doesn't match any of the above\\r\\n)\\r\\n| order by sort_order, EventCount desc\\r\\n| project-away sort_order\\r\\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\\r\\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"ThreatIndicator\",\"exportParameterName\":\"ThreatIndicator\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not 
Blocked\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Investigate in Dossier\"}},{\"columnMatch\":\"SourceIPDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"bluePurple\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"URL\",\"label\":\"Investigate in Dossier\"}]}},\"name\":\"Indicators\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Source OSVersion'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] 
= InfobloxB1DHCPFingerprint\\r\\n| summarize by SourceIP, User, ['MAC Address'], ['Source OSVersion'], DeviceName, Network, ['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets for {ThreatIndicator}\",\"noDataMessage\":\"Select an Indicator in the above chart to see details.\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Assets for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 500 by count_ \\r\\n);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, 
InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for {ThreatIndicator}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"createOtherGroup\":15}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Source IPs for 
{ThreatIndicator}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where Detected >= ago(30d)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['Date Time'] = TimeGenerated\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, User, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, ['MAC Address'], ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for 
{ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs 
'{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for {ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\
":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {ThreatIndicator}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events\\r\\n---\\r\\nDNS security events associated with this insight.\\r\\n\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatLevel)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatLevel\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat 
Level\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatClass)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatClass\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Classes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Classes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatProperty)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, 
ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatProperty\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Families\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceUserName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DeviceName)\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Names\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Names\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(SourceIP)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Source IPs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Source IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1Network)\\r\\n| 
distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1Network\",\"size\":4,\"title\":\"Sources\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Sources\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyName)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyName\",\"size\":4,\"title\":\"Policies\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Policies\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= 
ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyAction\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Actions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"name\":\"Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DNSResponse)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DNSResponse\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"DNS 
Responses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"DNS Responses\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceRegion)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceRegion\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Regions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Regions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceCountry)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, 
DeviceCountry\\r\\n| summarize Count = count() by DeviceCountry\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Countries\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Device Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| project-rename ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, SourceMACAddress, ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightComments\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
distinct CommentChanger, Comment, DateChanged, Status\\r\\n| order by DateChanged desc\\r\\n| project-rename ['Date Time'] = DateChanged, User = CommentChanger\\r\\n| project ['Date Time'], Status, User, Comment\",\"size\":0,\"title\":\"Comments\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Comments\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Comments\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Comments\"},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 17\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This Config Insights depends on the **Infoblox-Config-Insights** and **InfoBlox-Config-Insight-Details** logic apps which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep it enabled in order to use this Config Insight Details Dashboard.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"# Infoblox Config Insights\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"## Steps to view Config Insights Details using this workbook\\r\\n- This workbook is intended to view the available config insights and view their details.\\r\\n- Select the **Resource Group** and **Subscription ID**.\\r\\n- Select TimeRange.\\r\\n- From the **Config Insights** panel, select any config Insight.\\r\\n- You will be able to see the config details of the selected Insight.\\r\\n- If there is message like **The query returned no results** on config details panel, then click on the **GET CONFIG INSIGHT DETAILS** link to get the Config Insight Details for that Config Insight.\\r\\n- This will execute the **InfoBlox-Config-Insight-Details** logic app in the background.\\r\\n- You can check the status of the playbook to identify the Config Insight Details status.\\r\\n- Click on the refresh button of the lookup panel until you get the Config Insight Details.\\r\\n
\\r\\n
\\r\\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup1\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"f70e5d0e-2eff-4bca-9489-90ab64378887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}],\"allowCustom\":false},\"value\":{\"durationMs\":1209600000},\"label\":\"Time 
Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, policyAnalyticsId_g:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insights_CL\\r\\n| summarize arg_max(TimeGenerated, *) by policyAnalyticsId_g\\r\\n| extend ConfigInsightDetails = \\\"GET CONFIG INSIGHT DETAILS\\\"\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'],\\r\\n['Policy Analytics ID'] = policyAnalyticsId_g,\\r\\n['Insight Type'] = column_ifexists(\\\"insightType_s\\\",\\\"\\\"),\\r\\n[\\\"Config Insight Details\\\"] = column_ifexists(\\\"ConfigInsightDetails\\\",\\\"\\\")\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Policy Analytics ID\",\"exportParameterName\":\"ConfigInsightId\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Config Insight Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup1}/providers/Microsoft.Logic/workflows/InfoBlox-Config-Insight-Details/triggers/manual/run?api-version=2016-10-01\",\"body\":\"{\\r\\n \\\"config_insight_id\\\": \\\"{ConfigInsightId}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, analyticInsightId_g:string, feeds_s:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insight_Details_CL\\r\\n| where analyticInsightId_g == \\\"{ConfigInsightId}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by analyticInsightId_g\\r\\n| extend ParsedJson = parse_json(feeds_s)\\r\\n| mv-expand ParsedJson\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], \\r\\n['Insight Type'] = insightType_s,\\r\\n['Rule Type'] = ParsedJson.ruleType, \\r\\n['Rule Name'] = ParsedJson.ruleName, \\r\\n['Feed Name'] = ParsedJson.feedName, \\r\\n['Current Action'] = ParsedJson.currentAction, \\r\\n['Recommended Action'] = ParsedJson.recommendedAction, \\r\\n['Status'] = ParsedJson.status\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights Detail for Config ID: {ConfigInsightId}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"ConfigInsightId\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"group - 16\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", 
\\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\",\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. 
](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"customWidth\":\"79\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators 
Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data 
Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor 
column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, 
Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated < now()\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], IndicatorId, ThreatType, Active, Tags, TrafficLightProtocolLevel, EmailSenderAddress, FileHashType, FileHashValue, DomainName, NetworkIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Indicator\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
6\"},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"group - 7\"}],\"fromTemplateId\":\"sentinel-Infoblox | Infoblox Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"370d206d-18b1-43d4-a170-71a4a12ba9b2\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"SOC Insights Overview\",\"subTarget\":\"6\",\"style\":\"link\"},{\"id\":\"63a011d0-c970-408d-b027-a8579848a6fd\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Config Insights Overview\",\"subTarget\":\"8\",\"style\":\"link\"},{\"id\":\"f8b51e3b-e4b2-4ba4-9a9c-bedea05a1ee7\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Blocked Traffic Overview\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"d3af8e0b-806c-4f1f-b006-845c842bc2fc\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DNS Overview\",\"subTarget\":\"1\",\"style\":\"link\"},{\"id\":\"dbd0c004-e0b4-446c-91cd-5a5af3f6e16e\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"DHCP Overview\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"41df2b27-5f91-4a8b-adcb-e7997f86d6d6\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Audit Log Overview\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"4f1a6ec7-3d56-4f50-8045-34adbb8d92d0\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Service Log 
Overview\",\"subTarget\":\"5\",\"style\":\"link\"},{\"id\":\"ffabdc7f-2cb7-40fc-a883-d82609bba051\",\"cellValue\":\"Parameter\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Intelligence Overview\",\"subTarget\":\"7\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e1e015ea-e688-48be-ac2b-846fe98be48e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"4bf79012-0d96-4024-8cb6-0b9c0d9407ef\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where isnotempty(SourceHostName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct DeviceName\\r\\n| sort by 
DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"66255f50-472e-4295-8d64-6b9fa2e3c887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\", SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by SecondLevelDomain \\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f0a80c9f-a800-4958-b51c-4b38bfaf6624\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResponseCode\",\"label\":\"Response Code\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSRCode: string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode)\\r\\n| where isnotempty(InfobloxDNSRCode) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSRCode\\r\\n| sort by InfobloxDNSRCode asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RecordType\",\"label\":\"Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\n| distinct InfobloxDNSQType\\r\\n| sort by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| project-rename ['Destination Dns Domain'] = DestinationDnsDomain\\r\\n| project ['Destination Dns Domain'], Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Most Requested FQDNs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Destination Dns 
Domain\",\"exportParameterName\":\"DestinationDnsDomain\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Most Requested FQDNs\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"0\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Most Requested FQDNs' grid to see 'Top 10 Devices'\"},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 18\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 20\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"72d2b1bd-300c-4f3e-b4ca-4dcaec96fb3a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopDevices\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| where DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ 
({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(DeviceName)\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = make_list(DeviceName)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"102ee8fc-7658-4bca-82f3-54ed66d2ba9d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TopMAC\",\"type\":1,\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" and DestinationDnsDomain == ('{DestinationDnsDomain}') \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\\r\\n| summarize DeviceList = 
make_list(SourceMACAddress)\\r\\n\\r\\n\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4c59d86e-9130-41a4-ba95-4e7974e4de06\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstDevice\",\"type\":1,\"query\":\"print (todynamic('{TopDevices}')[0])\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0f1d8907-d375-4db8-a5c9-f9d7390d8f7f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bd2a1987-e9ba-42ac-9856-a8c781ebb332\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"04910ee0-5aa4-4897-82d6-15167ad50e01\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9a023fc0-b8b3-4e1e-9d9c-2c5c511cf32f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"5619aab8-f9b6-4218-9315-c6741facf4eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthDevice\",\"type\":1,\"query\":\"print 
todynamic('{TopDevices}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4dd8c03f-0ec4-494c-a237-ff5c9ab73f8f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1a2455e4-36ec-46c9-bb3f-395ff1186abb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[7]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"72b22373-007c-4d10-bbdd-bdac49ea666c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"eb44f209-d53b-488f-8275-05294b57b1c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthDevice\",\"type\":1,\"query\":\"print todynamic('{TopDevices}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bb6a7aa4-0cf3-49d4-9649-179f6d60af71\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FirstMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[0]\",\"timeContext\":{\"durationMs\":2592000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"571e7afc-50fc-4f35-a7cf-c1d23a00effe\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SecondMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[1]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"00dca50c-6034-4a97-b1b0-da773ed535e7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThirdMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[2]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05752a54-7398-4373-9d67-bc5ce96c32a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FourthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[3]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"42233555-d975-4e88-b62e-2a53e728ae38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"FifthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[4]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"3a0eea52-845c-4347-b01b-6f4531de2d5c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SixthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[5]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"29854b31-e4cd-4157-94d4-c0c3fef6f9a2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SeventhMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[6]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"959fdc81-126b-44f9-8a82-753bc8d5bebd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EightMAC\",\"type\":1,\"query\":\"print 
todynamic('{TopMAC}')[7]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"78b51494-7bb5-4a7d-ab01-67483568319d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NinethMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[8]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"b66ac0ed-09b2-49e1-bead-88c1a1145f70\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenthMAC\",\"type\":1,\"query\":\"print todynamic('{TopMAC}')[9]\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Hide\",\"comparison\":\"isNotEqualTo\"},\"name\":\"parameters - 18\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Top 10 Devices for Domain : {DestinationDnsDomain}\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" 
or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FirstDevice}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| render piechart with(title=tostring(todynamic('{TopDevices}')[0]))\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FirstDevice} , MAC : {FirstMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FirstDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 18\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ 
({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SecondDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SecondDevice} , MAC : {SecondMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SecondDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == 
('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{ThirdDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {ThirdDevice} , MAC : {ThirdMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"ThirdDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode 
in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FourthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FourthDevice} , MAC : {FourthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FourthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{FifthDevice}') \\r\\n| summarize Count = count() by 
SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {FifthDevice} , MAC : {FifthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"FifthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SixthDevice}') \\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SixthDevice} , MAC : 
{SixthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SixthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{SeventhDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {SeventhDevice} , MAC : 
{SeventhMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SeventhDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{EightDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {EightDevice} , MAC : 
{EightMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"EightDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{NinethDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {NinethDevice} , MAC : 
{NinethMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"NinethDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand DestinationDnsDomain == ('{DestinationDnsDomain}')\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand DeviceName == ('{TenthDevice}') \\r\\n| summarize Count = count() by SourceIP\",\"size\":4,\"showAnalytics\":true,\"title\":\"Device : {TenthDevice} , MAC : 
{TenthMAC}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"TenthDevice\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"DestinationDnsDomain\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 19\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(SourceUserName)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD})) \\r\\n| project-rename User = SourceUserName\\r\\n| summarize Count = count() by User\\r\\n| project User, Count\\r\\n| sort by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests Count by Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"User\",\"exportParameterName\":\"SourceUserName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Top Users\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'DNS Requests Count by Users' grid to see 'Overall DNS Requests made by User' and 'Top 10 Requested Domains by User'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 19\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\nInfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string, \\r\\nInfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string, \\r\\nInfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with 
(pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns 
Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall DNS Requests made by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log 
Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 15\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{HostName:escapjson}') == \\\"*\\\" 
or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand SourceUserName == ('{SourceUserName}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Requested Domains by User : {SourceUserName}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"DestinationDnsDomain\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"group\":\"DestinationDnsDomain\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceUserName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
8\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by InfobloxDNSRCode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Response 
Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Response_Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Types of Response' pie chart to see 'DNS Requests' and 'Top 20 Devices'\\r\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", 
SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], 
['Source IP'], ['Source Port'], Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"{Response_Type} DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"
query - 16\",\"styleSettings\":{\"padding\":\"17px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand InfobloxDNSRCode == ('{Response_Type}')\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\\r\\n| top 20 by Count\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 20 Devices for {Response_Type} DNS 
Request\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":20,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Response_Type\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize count() by 
InfobloxDNSQType\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Query Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"68px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on TimeGenerated from ago(1d) to now() step 1h by InfobloxDNSRCode\",\"size\":0,\"title\":\"Overall Queries Per Hour\",\"timeContext\":{\"durationMs\":86400000},\"exportFieldName\":\"x\",\"exportParameterName\":\"QPS_Time\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true,\"showDataPoints\":true,\"xSettings\":{\"label\":\"Time\"}}},\"customWidth\":\"100\",\"name\":\"query - 11\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"18px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Overall Queries Per Hour' bar chart to see 'Queries Per Minutes'\"},\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 20\",\"styleSettings\":{\"margin\":\"5px\"}}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 21\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSRCode)\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| where TimeGenerated between (Gridtime - 30m .. Gridtime + 30m)\\r\\n| sort by TimeGenerated asc\\r\\n| make-series Count = count() default = 0 on bin(TimeGenerated, 1m) from (Gridtime - 30m) to (Gridtime + 30m) step 1m by InfobloxDNSRCode\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Queries Per Minute\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"gridSettings\":{\"rowLimit\":10000},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Count\",\"color\":\"blueDark\"}]}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 13\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Gridtimestring = tostring('{QPS_Time}');\\r\\nlet Gridtime = todatetime(substring(Gridtimestring, indexof(Gridtimestring, \\\" \\\"), indexof(Gridtimestring, \\\"GMT\\\") - 1 - indexof(Gridtimestring, \\\" \\\"))) -5h - 
30m;\\r\\n\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand isnotempty(InfobloxDNSQType)\\r\\nand TimeGenerated between ((Gridtime - 30m) .. 
(Gridtime + 30m))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DeviceName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Overall Query by Devices per hour\",\"timeContext\":{\"durationMs\":86400000},\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"QPS_Time\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxDNSRCode:string, InfobloxB1Region:string,\\r\\n InfobloxDNSView:string, InfobloxDNSQClass:string, InfobloxDNSQFlags:string, InfobloxAnCount:string, InfobloxNsCount:string,\\r\\n InfobloxArCount:string, InfobloxB1ConnectionType:string, InfobloxB1OPHName:string, InfobloxB1OPHIPAddress:string, InfobloxB1Network:string,\\r\\n InfobloxB1SrcOSVersion:string, InfobloxB1DHCPFingerprint:string, InfobloxB1DNSTags:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName), InfobloxDNSRCode = trim(@\\\"\\\\s\\\", InfobloxDNSRCode), InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), DestinationDnsDomain = trim(@\\\"\\\\s\\\", DestinationDnsDomain), SourceHostName 
= trim(@\\\"\\\\s\\\", SourceHostName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand (('{RecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({RecordType}))\\r\\nand (('{ResponseCode:escapjson}') == \\\"*\\\" or InfobloxDNSRCode in~ ({ResponseCode}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, ['Host Name'] = SourceHostName, ['Query Type'] = InfobloxDNSQType, ['Response Type'] = InfobloxDNSRCode, Location = InfobloxB1Region, ['DNS View'] = InfobloxDNSView, ['DNS Query Class'] = InfobloxDNSQClass, ['DNS Query Flags'] = InfobloxDNSQFlags, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['DNS Response Record Count'] = InfobloxAnCount, ['DNS Response Authoritative Count'] = InfobloxNsCount, ['DNS Response Additional Record Count'] = InfobloxArCount, ['Connection Type'] = InfobloxB1ConnectionType, ['Infoblox HostName'] = InfobloxB1OPHName, ['Infoblox HostIP'] = InfobloxB1OPHIPAddress, Network = InfobloxB1Network, ['Source OS Version'] = InfobloxB1SrcOSVersion, ['DNS Tags'] = InfobloxB1DNSTags, ['Date Time'] = TimeGenerated, ['Device Name'] = DeviceName, ['Device Address'] = DeviceAddress, ['Source IP'] = SourceIP, ['Source Port'] = SourcePort, ['Destination Dns Domain'] = DestinationDnsDomain, ['Additional Extensions'] = AdditionalExtensions, ['Device Event Class ID'] = DeviceEventClassID, ['Application Protocol'] = ApplicationProtocol, ['Log Severity'] = LogSeverity\\r\\n| project ['Date Time'], User, ['Host Name'], ['Device Name'], ['Device Address'], ['Source IP'], ['Source Port'], 
Activity, toint(['Log Severity']), ['Destination Dns Domain'], ['Query Type'], ['Response Type'], Location, ['DHCP Fingerprint'], ['DNS View'], ['DNS Query Class'], ['DNS Query Flags'], ['DNS Response Record Count'], ['DNS Response Authoritative Count'], ['DNS Response Additional Record Count'], ['Connection Type'], ['Infoblox HostName'], ['Infoblox HostIP'], Network, ['Source OS Version'], ['DNS Tags'], ['Additional Extensions'], Protocol, ['Device Event Class ID'], ['Application Protocol']\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Log Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxAnCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowGreenBlue\"}},{\"columnMatch\":\"InfobloxNsCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yell
owOrangeBrown\"}},{\"columnMatch\":\"InfobloxArCount\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"SourceUserName\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"!=\",\"representation\":\"brown\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 15\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"Main Group\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-IP-Space-Data** logic app which is deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic app first and keep it enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 15\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4abe4038-7e69-4b2c-9ec2-e1f9311e96be\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"379d941d-6191-494d-b518-caf9e0d8ce55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DHCPServer\",\"label\":\"DHCP Server\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(InfobloxHostID) \\r\\n| distinct InfobloxHostID\\r\\n| sort by InfobloxHostID 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"68911f86-d896-407d-9a0b-07934f997037\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceHostName) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceHostName\\r\\n| sort by SourceHostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"c5628a47-4153-4808-a618-9a06d560428b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"MAC\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" and DeviceProduct == \\\"Data Connector\\\" and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxHostID: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where isnotempty(SourceMACAddress) and (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| distinct SourceMACAddress\\r\\n| sort by SourceMACAddress asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"053f6da7-3bb9-4f9f-9bc5-ec09a9723f52\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Space\",\"label\":\"IP Space\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxIPSpace: string, InfobloxHostID: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases (Unique 
IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID == \\\"DHCP-LEASE-DELETE\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize 
count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"Released DHCP Leases\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Released DHCP Leases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" 
or name_s in~ ({IP_Space}))\\r\\n| summarize dcount(SourceIP)\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases (Unique IPs)\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_SourceIP\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases (Unique IPs)\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n and DeviceEventClassID in (\\\"DHCP-LEASE-CREATE\\\", \\\"DHCP-LEASE-UPDATE\\\")\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, 
*) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize count()\",\"size\":3,\"showAnalytics\":true,\"title\":\"New / Updated DHCP Leases \",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"rowLimit\":200,\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"InfobloxThreatLevel\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Updated DHCP Leases \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | 
summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by InfobloxLeaseOp\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Leases over Time\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"linechart\",\"chartSettings\":{\"showLegend\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = 
trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| extend InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where isnotempty(InfobloxLeaseOp)\\r\\n| summarize count() by InfobloxLeaseOp\",\"size\":3,\"showAnalytics\":true,\"title\":\"DHCP Activity Summary\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Lease\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"51px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'DHCP Activity Summary' pie chart to see 'DHCP Lease for Activity'\"},\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == 
\\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceMACAddress)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceMACAddress\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 MAC Address\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_MAC\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"53px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Top 10 MAC Address' pie chart to see 'Source IPs for MAC'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 15\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxRangeStart: 
string, InfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string,\\r\\nInfobloxDUID: string, InfobloxLifetime: string,InfobloxLeaseUUID: string, InfobloxFingerprintPr: string,\\r\\nInfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), InfobloxLeaseOp = trim(@\\\"\\\\s\\\", InfobloxLeaseOp)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand InfobloxLeaseOp == ('{Lease}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space})) and isnotempty(trim(@\\\"\\\\s\\\", InfobloxLeaseOp))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector 
Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease for Activity : {Lease}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Lease\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxLeaseOp: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand SourceMACAddress == ('{Pie_MAC}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ 
({IP_Space}))\\r\\n| make-series Hits = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SourceIP\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for MAC : {Pie_MAC}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"showLegend\":true}},\"conditionalVisibility\":{\"parameterName\":\"Pie_MAC\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 14\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with (kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\nand isnotempty(SourceIP)\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where 
(('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count=count() by SourceIP\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 IP Addresses\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Top 10 IP Addresses' grid to see 'Host for IP'\"},\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName),\\r\\nSourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress), SourceIP = trim(@\\\"\\\\s\\\", SourceIP)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand (('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName})) \\r\\nand SourceIP == ('{SourceIP}')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, 
IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| summarize Count = count() by SourceHostName\",\"size\":3,\"showAnalytics\":true,\"title\":\"Host for IP : {SourceIP}\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\" \\r\\nand DeviceProduct == \\\"Data Connector\\\" \\r\\nand DeviceEventClassID has_cs \\\"DHCP\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend InfobloxHostID = trim(@\\\"\\\\s\\\", InfobloxHostID), SourceHostName = trim(@\\\"\\\\s\\\", SourceHostName), SourceMACAddress = trim(@\\\"\\\\s\\\", SourceMACAddress)\\r\\n| where (('{DHCPServer:escapjson}') == \\\"*\\\" or InfobloxHostID in~ ({DHCPServer})) \\r\\nand (('{MAC:escapjson}') == \\\"*\\\" or SourceMACAddress in~ ({MAC})) \\r\\nand 
(('{HostName:escapjson}') == \\\"*\\\" or SourceHostName in~ ({HostName}))\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, IP_Space_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxIPSpace == $right.id_s \\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where (('{IP_Space:escapjson}') == \\\"*\\\" or name_s in~ ({IP_Space}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, ['DHCP Server'] = InfobloxHostID, ['Host Name'] = SourceHostName, ['MAC Address'] = SourceMACAddress, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['IP Space'] = name_s, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, Subnet = InfobloxSubnet, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint\\r\\n| project ['Date Time'], ['DHCP Server'], ['Host Name'], ['MAC Address'], ['Source IP'], ['Log Severity'], Activity, ['IP Space'], Computer, ['Collector Host Name'], ['Application Protocol'], Subnet, ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint\",\"size\":0,\"showAnalytics\":true,\"title\":\"DHCP Lease\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5\",\"padding\":\"5\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 
14\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 5\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82320096-33a6-4d48-b64f-2c90aa564ed4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"00756d7d-b074-42e5-996e-4ffa6487606f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserName\",\"label\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(SourceUserName)\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"3d2f3549-f5c5-4496-a013-f9b306321c75\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction) and (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| distinct DeviceAction\\r\\n| sort by DeviceAction asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":1209600000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string, InfobloxRangeStart: string, InfobloxRangeEnd: string, 
InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\nand (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename Action = DeviceAction\\r\\n| summarize Count = count() by Action\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Types of Actions\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"bar_Action\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Action\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Types of Actions' bar chart to see 'Top 10 User for Action' and 'Audit Logs for Action'\"},\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 4\"}],\"exportParameters\":true},\"name\":\"group - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where isnotempty(SourceUserName)\\r\\nand DeviceAction == ('{bar_Action}')\\r\\nand (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename User = SourceUserName, Action = DeviceAction\\r\\n| summarize Count = count() by User\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Pie_user\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"70px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Top 10 User for Action : {bar_Action}' pie chart to see 'Top 10 SourceIP for User'\"},\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n 
and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string, \\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string, \\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string, \\r\\nInfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], 
Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs for Action : {bar_Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"bar_Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\" \\r\\n and DeviceAction == ('{bar_Action}')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where SourceUserName == ('{Pie_user}') and DeviceAction == ('{bar_Action}')\\r\\n| summarize Count = count() by SourceIP\\r\\n| top 10 by Count desc\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Source IP for User : 
{Pie_user}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Pie_user\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"Audit\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxHostID: string, InfobloxIPSpace: string, InfobloxSubnet: string,\\r\\nInfobloxHTTPReqBody: string, InfobloxResourceId: string, InfobloxResourceType: string, InfobloxHTTPRespBody: string,\\r\\nid: string, name: string, pool_id: string, service_type: string, InfobloxSubjectGroups: string, InfobloxRangeStart: string,\\r\\nInfobloxRangeEnd: string, InfobloxLeaseOp: string, InfobloxClientID: string, InfobloxDUID: string, InfobloxLifetime: string,\\r\\n InfobloxLeaseUUID: string, InfobloxFingerprintPr: string, InfobloxFingerprint: string ) with ( kv_delimiter=\\\"=\\\", pair_delimiter=\\\";\\\")\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceAction = trim(@\\\"\\\\s\\\", DeviceAction)\\r\\n| where (('{UserName:escapjson}') == \\\"*\\\" or SourceUserName in~ ({UserName})) \\r\\n and (('{Action:escapjson}') == \\\"*\\\" or DeviceAction in~ ({Action}))\\r\\n| project-rename ['Date Time'] = TimeGenerated, User = SourceUserName, Action = DeviceAction, ['Source IP'] = SourceIP, ['Log Severity'] = LogSeverity, ['Infoblox Host ID'] = InfobloxHostID, ['Infoblox IP Space'] = InfobloxIPSpace, Subnet = InfobloxSubnet, ['HTTP Req Body'] = InfobloxHTTPReqBody, ['Resource Id'] = 
InfobloxResourceId, ['Resource Type'] = InfobloxResourceType, ['HTTP Resp Body'] = InfobloxHTTPRespBody, ['pool id'] = pool_id, ['service type'] = service_type, ['Subject Groups'] = InfobloxSubjectGroups, ['Range Start'] = InfobloxRangeStart, ['Range End'] = InfobloxRangeEnd, ['Lease Op'] = InfobloxLeaseOp, ['Client ID'] = InfobloxClientID, Lifetime = InfobloxLifetime, ['Lease UUID'] = InfobloxLeaseUUID, FingerprintPr = InfobloxFingerprintPr, Fingerprint = InfobloxFingerprint, DUID = InfobloxDUID, ['Application Protocol'] = ApplicationProtocol, ['Collector Host Name'] = CollectorHostName\\r\\n| project ['Date Time'], Action, Activity, User, ['Source IP'], ['Log Severity'], Computer, Message, ['Infoblox Host ID'], ['Infoblox IP Space'], Subnet, ['HTTP Req Body'], ['Resource Id'], ['Resource Type'], ['HTTP Resp Body'], id, name, ['pool id'], ['service type'], ['Subject Groups'], ['Range Start'], ['Range End'], ['Lease Op'], ['Client ID'], DUID, Lifetime, ['Lease UUID'], FingerprintPr, Fingerprint, ['Application Protocol'], ['Collector Host Name']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit Logs\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LogSeverity\",\"formatter\":4,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 
3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"daee0513-3b57-4c4d-9052-7a92094a4036\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000},\"label\":\"Time Range\"},{\"id\":\"9f36e52f-3282-4976-9187-7b3f551d91e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"User\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| where isnotempty(SourceUserName) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| summarize arg_max(TimeGenerated,*) by SourceUserName\\r\\n| distinct SourceUserName\\r\\n| sort by SourceUserName 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"8b364f17-07f7-4403-8086-26bf36c92536\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Asset\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName)\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend DeviceName = trim(@\\\"\\\\s\\\", DeviceName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(DeviceName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct DeviceName\\r\\n| sort by DeviceName desc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"cf61f3a4-fe90-4244-b94b-4aedc1210af9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Location\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, 
InfobloxB1Region: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(Location) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct Location\\r\\n| sort by Location asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"e63dae9c-b8cf-4c02-9a7f-de990bfc4d1b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SLD\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where isnotempty(SecondLevelDomain)\\r\\n| distinct SecondLevelDomain\\r\\n| order by 
SecondLevelDomain\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"aeb144ce-64b1-45ba-85d9-f0a2da9a69d3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNSRecordType\",\"label\":\"DNS Record Type\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs \\\"DNS\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxDNSQType: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxDNSQType) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxDNSQType\\r\\n| order by InfobloxDNSQType asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"f67927b9-00eb-4a45-b9d0-4bde9ac74d86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PolicyName\",\"label\":\"Policy Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\" \\r\\n and DeviceProduct == \\\"Data Connector\\\" \\r\\n and DeviceEventClassID has_cs 
\\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName), SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName)\\r\\n| where isnotempty(InfobloxB1PolicyName) and (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) and InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| distinct InfobloxB1PolicyName\\r\\n| sort by InfobloxB1PolicyName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand 
(('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(SourceUserName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by User = SourceUserName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Users\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = 
trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType}))\\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset}))\\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location}))\\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DestinationDnsDomain)\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by DestinationDnsDomain\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Blocked Domains\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]},\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv 
AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxRPZ: string, InfobloxPolicyID: string, InfobloxDomainCat: string, InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string, InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User}))\\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by InfobloxRPZ\\r\\n| top 10 by Count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Feeds, 
Filters\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"padding\":\"52px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\" \\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string, InfobloxB1PolicyName: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand isnotempty(DeviceName) \\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain 
=strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| summarize Count = count() by Asset = DeviceName\\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Compromised Assets\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Asset\",\"exportParameterName\":\"DeviceName\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"100\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź’ˇ Click on 'Top 10 Malicious Assets' grid to see 'Overall Asset Details'\"},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = 
trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand DeviceName == ('{DeviceName}')\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], 
['Threat Indicator'], ['Feed Type']\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overall Asset : {DeviceName} Details \",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"DeviceName\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"RPZ\\\"\\r\\n| parse-kv AdditionalExtensions as (InfobloxDNSQType:string, InfobloxB1Region:string, InfobloxB1PolicyAction: string,\\r\\n InfobloxB1PolicyName: string, InfobloxRPZRule: string, InfobloxPolicyID: string, InfobloxDomainCat: string,\\r\\n InfobloxB1ConnectionType: string, InfobloxB1Network: string,InfobloxB1SrcOSVersion: string, 
InfobloxB1DNSTags:string,\\r\\n InfobloxB1ThreatIndicator: string, InfobloxB1FeedType: string, InfobloxThreatLevel:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| extend SourceUserName = trim(@\\\"\\\\s\\\", SourceUserName), DeviceName = trim(@\\\"\\\\s\\\", DeviceName),\\r\\n Location = trim(@\\\"\\\\s\\\", InfobloxB1Region), DestinationDnsDomain = trim(@\\\"\\\\s\\\",DestinationDnsDomain),\\r\\n InfobloxDNSQType = trim(@\\\"\\\\s\\\", InfobloxDNSQType), InfobloxB1PolicyName = trim(@\\\"\\\\s\\\",InfobloxB1PolicyName)\\r\\n| where (('{User:escapjson}') == \\\"*\\\" or SourceUserName in~ ({User})) \\r\\nand (('{DNSRecordType:escapjson}') == \\\"*\\\" or InfobloxDNSQType in~ ({DNSRecordType})) \\r\\nand (('{Asset:escapjson}') == \\\"*\\\" or DeviceName in~ ({Asset})) \\r\\nand (('{Location:escapjson}') == \\\"*\\\" or InfobloxB1Region in~ ({Location})) \\r\\nand (('{PolicyName:escapjson}') == \\\"*\\\" or InfobloxB1PolicyName in~ ({PolicyName}))\\r\\nand InfobloxB1PolicyAction contains \\\"Block\\\"\\r\\n| extend DestinationDnsDomain_ = trim_end(@'.',DestinationDnsDomain)\\r\\n| extend domains = split(DestinationDnsDomain_,'.')\\r\\n| extend SecondLevelDomain =strcat(domains[-2],'.',domains[-1])\\r\\n| extend SecondLevelDomain = trim(@\\\"\\\\s\\\",SecondLevelDomain)\\r\\n| where (('{SLD:escapjson}') == \\\"*\\\" or SecondLevelDomain in~ ({SLD}))\\r\\n| order by TimeGenerated\\r\\n| project-rename User = SourceUserName, Asset = DeviceName, ['Policy Action'] = InfobloxB1PolicyAction, ['Threat Level'] = InfobloxThreatLevel, ['Policy Name'] = InfobloxB1PolicyName, Severity = LogSeverity, ['Policy ID'] = InfobloxPolicyID, ['Connection Type'] = InfobloxB1ConnectionType, ['DNS Tags'] = InfobloxB1DNSTags, ['Feed Type'] = InfobloxB1FeedType,['Date Time'] = TimeGenerated, ['Source IP'] = SourceIP, ['Collector Host Name'] = CollectorHostName, ['Application Protocol'] = ApplicationProtocol, ['RPZ Rule'] = InfobloxRPZRule, ['Threat Indicator'] = 
InfobloxB1ThreatIndicator\\r\\n| project ['Date Time'], User, Asset, ['Source IP'], toint(Severity), Activity, Computer, toint(['Threat Level']), ['Collector Host Name'], ['Application Protocol'], ['RPZ Rule'], ['Policy Name'], ['Policy Action'], ['Policy ID'], Location, ['Connection Type'], ['DNS Tags'], ['Threat Indicator'], ['Feed Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Blocked DNS Requests\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"<=\",\"thresholdValue\":\"1\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"5\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"8\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Threat 
Level\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"80\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"<=\",\"thresholdValue\":\"29\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"group - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook depends on the **Infoblox-Get-Service-Name** and **Infoblox-Get-Host-Name** logic 
apps which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep enabled in order to use this workbook.\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19baf045-4606-49d8-8cb7-ef3ee9fed69a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"af60a861-3c2f-42a5-9045-295348fa5ac6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ServiceName\",\"label\":\"Service Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| extend name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(name_s)\\r\\n| distinct name_s\\r\\n| order by name_s 
asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]},{\"id\":\"796c7544-d2ff-42c6-a5c4-816298e72782\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"HostName\",\"label\":\"Host Name\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend HostID = tostring(split(split(InfobloxLogName, ';')[0], '/')[0])\\r\\n| parse-kv LogSeverity as (InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend LogSeverityHostID = tostring(split(InfobloxLogName, '/')[0])\\r\\n| extend HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId:string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend HostName = trim(@\\\"\\\\s\\\", display_name_s), 
name_s = trim(@\\\"\\\\s\\\", name_s)\\r\\n| where isnotempty(HostName) and ('{ServiceName:escapejson}' == \\\"*\\\" or name_s in~ ({ServiceName}))\\r\\n| distinct HostName\\r\\n| order by HostName asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, id_s: string, name_s: string) [];\\r\\nlet dummy_table_2 = datatable(TimeGenerated: datetime, ophid_g: string, display_name_s: string) [];\\r\\nCommonSecurityLog\\r\\n| where TimeGenerated {TimeRange:value}\\r\\n and DeviceVendor == \\\"Infoblox\\\"\\r\\n and DeviceProduct == \\\"Data Connector\\\"\\r\\n and DeviceEventClassID has_cs \\\"Service\\\"\\r\\n and isnotempty(AdditionalExtensions)\\r\\n| parse-kv AdditionalExtensions as (InfobloxLogName:string) with (pair_delimiter='|', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(split(InfobloxLogName, ';')[0], '/')\\r\\n| extend HostID = tostring(InfobloxLogName[0]), Process = tostring(InfobloxLogName[1])\\r\\n| parse-kv LogSeverity as (msg:string, InfobloxLogName:string) with (pair_delimiter=' ', kv_delimiter='=')\\r\\n| extend InfobloxLogName = split(InfobloxLogName, '/')\\r\\n| extend LogSeverityHostID = tostring(InfobloxLogName[0]),\\r\\n LogSeverityProcess = tostring(InfobloxLogName[1]),\\r\\n Message = split(iif(isempty(Message), msg , Message), '\\\"')[1]\\r\\n| extend Process = iif(isempty(Process), LogSeverityProcess, Process), HostID = iif(isempty(HostID), LogSeverityHostID, HostID)\\r\\n| parse-kv AdditionalExtensions as (InfobloxServiceId: string) with (pair_delimiter=';', kv_delimiter='=')\\r\\n| join kind=leftouter(union 
isfuzzy=true dummy_table, Service_Name_Info_CL | where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by id_s) on $left.InfobloxServiceId == $right.id_s\\r\\n| join kind=leftouter(union isfuzzy=true dummy_table_2, Host_Name_Info_CL | extend ophid_g = replace_string(ophid_g, '-', '') |where TimeGenerated >= ago(365d) | summarize arg_max(TimeGenerated, *) by ophid_g) on $left.HostID == $right.ophid_g\\r\\n| extend ['Service Name'] = trim(@\\\"\\\\s\\\", name_s), ['Host Name'] = trim(@\\\"\\\\s\\\", display_name_s), ['Process Name'] = trim(@\\\"\\\\s\\\",Process)\\r\\n| where ('{ServiceName:escapejson}' == \\\"*\\\" or ['Service Name'] in~ ({ServiceName}))\\r\\nand ('{HostName:escapejson}' == \\\"*\\\" or ['Host Name'] in~ ({HostName}))\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], ['Service Name'], ['Process Name'], ['Host Name'], Message\",\"size\":0,\"showAnalytics\":true,\"title\":\"Service Log Data\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This data connector depends on parsers based on Kusto Functions to work as expected called **InfobloxInsight, InfobloxInsightEvents, InfobloxInsightAssets, InfobloxInsightIndicators, **and **InfobloxInsightComments** which are deployed with the Microsoft Sentinel Solution.\",\"style\":\"info\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 20px 
0\"}},{\"type\":1,\"content\":{\"json\":\"# Infoblox SOC Insights Workbook\\r\\n\\r\\n##### Get a closer look at your Infoblox SOC Insights. \\r\\n\\r\\nThis workbook is intended to help visualize your [BloxOne SOC Insights](https://csp.infoblox.com/#/insights-console/insights/open/threats) data as part of the **Infoblox SOC Insight Solution**. Drilldown your data and visualize events, trends, and anomalous changes over time.\\r\\n\\r\\n---\\r\\n\"},\"name\":\"text - 3\",\"styleSettings\":{\"margin\":\"0 0 20px 0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| extend isConfigIssue = iff((ThreatClass has_cs (\\\"CONFIGURATIONISSUE\\\")), \\\"Configuration\\\", \\\"Threats\\\")\\r\\n| summarize count() by isConfigIssue\",\"size\":3,\"title\":\"Insight Types\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Insight Types\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, Priority: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| summarize 
dcount(InfobloxInsightID) by Priority\",\"size\":3,\"title\":\"Priority\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"purple\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"Priority\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatProperty\",\"size\":3,\"title\":\"Threat Families\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"MEDIUM\",\"color\":\"orange\"},{\"seriesName\":\"CRITICAL\",\"color\":\"pink\"},{\"seriesName\":\"INFO\",\"color\":\"blue\"},{\"seriesName\":\"LOW\",\"color\":\"yellow\"},{\"seriesName\":\"HIGH\",\"color\":\"red\"}]}},\"customWidth\":\"50\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(InfobloxInsightID: string, FirstSeen: datetime, ThreatClass: string, ThreatProperty: string, ThreatType: string, FeedSource: string, Priority: string, Status: string) [];\\r\\nunion isfuzzy=true 
dummy_table,\\r\\nInfobloxInsight\\r\\n| distinct Status, InfobloxInsightID, FirstSeen, ThreatClass, ThreatProperty, ThreatType, FeedSource, Priority\\r\\n| summarize count() by ThreatType\",\"size\":3,\"title\":\"Threat Classes\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"Threat Classes\"}]},\"name\":\"Overall\"},{\"type\":1,\"content\":{\"json\":\"## Using this Workbook\\r\\nTo make use of this workbook, you must ingest Infoblox SOC Insight data into Sentinel in one or both ways:\\r\\n- Deploy the **Infoblox SOC Insights Data Connector** and forward CEF syslog via the Microsoft forwarding agent.\\r\\n- Deploy the **Infoblox-SOC-Get-Open-Insights-API** playbook.\\r\\n\\r\\nYou can use one or both at the same time, but beware of duplicate data!\\r\\n\\r\\nConfigure the **Analytic Queries** that come with this Microsoft Sentinel Solution. They will add the Insights as Incidents, so you can easily track and run playbooks on them.\\r\\n\\r\\nThen, once you have some Insights, run the **Infoblox-SOC-Get-Insight-Details** playbook to get all the gritty details. If you wish, you can then run **Infoblox-SOC-Import-Indicators-TI** to ingest each Indicator of an Insight into Sentinel as **Threat Intelligence**.\\r\\n\\r\\n## Run playbooks directly from this workbook!\\r\\n\\r\\n#### Set the **Resource Group**, [**Tenant ID**](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) and **Playbook** to run when clicking on the **Run Playbook** in the SOC Insight Incidents table below.\\r\\n\\r\\n**Infoblox-SOC-Get-Insight-Details** pulls all the details about each individual Insight. \\r\\n\\r\\n**Infoblox-SOC-Import-Indicators-TI** pushes each Indicator of the Insight into Sentinel as **Threat Intelligence**. 
You must run the **Infoblox-SOC-Get-Insight-Details** *before* running **Infoblox-SOC-Import-Indicators-TI**.\\r\\n\\r\\nYou will need to run the playbooks for each Insight/Incident. You can do that manually within this workbook with the **Run Playbook** button in the table below, from the **Incidents** blade, or configure them to run automatically with **Analytics**. \\r\\n\\r\\nAfter running **Infoblox-SOC-Get-Insight-Details** on an Insight, **click on it in the table below** to see the details.\\r\\n\\r\\n**You can rerun playbooks on Insights** that already contain data to get the most recent. \",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"0 0 5px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e8613f2c-08c6-49e6-a2c6-e12d185c6bd3\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ResourceTypes\",\"label\":\"Resource Types\",\"type\":7,\"description\":\"This parameter must be set to Logic app.\",\"isRequired\":true,\"isGlobal\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"includeAll\":true,\"showDefault\":false},\"value\":[\"microsoft.logic/workflows\"]},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup\",\"label\":\"Incidents Resource Group\",\"type\":2,\"isRequired\":true,\"isGlobal\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"isGlobal\":true,\"query\":\"where type =~ 
\\\"microsoft.operationalinsights/workspaces\\\"\\r\\n| where resourceGroup =~ \\\"{SentinelResourceGroup}\\\"\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a92b010-8b48-4601-872f-83e13561b088\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"63c75027-cc56-4958-9296-e0c986ab11e0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookResourceGroup\",\"label\":\"Playbook Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~ ({ResourceTypes})\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"3c6d99b2-1eb1-4650-a3f0-d48dc03f87cb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TenantID\",\"label\":\"Tenant ID\",\"type\":1,\"isRequired\":true,\"value\":\"\"},{\"id\":\"e1ea6f58-cd1b-4807-a7de-7da91b787bd4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PlaybookName\",\"label\":\"Playbook\",\"type\":5,\"description\":\"Set the playbook to run when clicking on 
the \\\"Run Playbook\\\" in the SOC Insight Incidents table below.\",\"isRequired\":true,\"query\":\"Resources\\r\\n| where type in~({ResourceTypes})\\r\\n| extend resourceGroupId = strcat('/subscriptions/', subscriptionId, '/resourceGroups/', resourceGroup)\\r\\n| where resourceGroup =~ \\\"{PlaybookResourceGroup}\\\"// or '*' in~({PlaybookResourceGroup})\\r\\n| order by name asc\\r\\n| extend Rank = row_number()\\r\\n| project label = tostring(name)\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"Infoblox-SOC-Get-Insight-Details\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 15\",\"styleSettings\":{\"padding\":\"15px 0 0 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"103f5c4e-6007-46c3-88ed-74fdb7843acc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}]},\"value\":{\"durationMs\":2592000000}},{\"id\":\"7c4c6733-a2d8-40b1-abf5-7f2d777e814c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SelectPriority\",\"label\":\"Priority\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\r\\n { 
\\\"value\\\":\\\"N/A\\\"},\\r\\n { \\\"value\\\":\\\"INFO\\\"},\\r\\n { \\\"value\\\":\\\"LOW\\\"},\\r\\n { \\\"value\\\":\\\"MEDIUM\\\"},\\r\\n { \\\"value\\\":\\\"HIGH\\\"},\\r\\n { \\\"value\\\":\\\"CRITICAL\\\"}\\r\\n]\",\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]},{\"id\":\"3e3ee805-c983-480e-9c10-49a47be4ddc6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Status\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| distinct Status\\r\\n| sort by Status asc\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"1c79577f-a4f2-4b2a-aaa7-fbcc5e27831d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Owner\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"SecurityIncident\\r\\n| where CreatedTime {TimeRange:value}\\r\\n| where Status in ({Status})\\r\\n| project Owner=tostring(Owner.userPrincipalName)\\r\\n| sort by Owner asc\\r\\n| extend Owner = iff(isnotempty( Owner), Owner, \\\"Unassigned\\\")\\r\\n| distinct Owner\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 19 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let x =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where 
tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Labels = tostring(Labels)\\r\\n| extend InfobloxInsightID = extract(\\\"InfobloxInsightID: (.*?)\\\\\\\"\\\", 1, Labels)\\r\\n| join \\r\\n (InfobloxInsight\\r\\n | summarize arg_max(TimeGenerated, *) by InfobloxInsightID\\r\\n ) on InfobloxInsightID\\r\\n//sometimes duplicate TimeGenerated so grab LastSeen next\\r\\n| summarize arg_max(LastSeen, *) by IncidentNumber\\r\\n| project IncidentNumber, Severity, Priority, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID\\r\\n; \\r\\nlet incidents =\\r\\nSecurityIncident\\r\\n| summarize arg_max(TimeGenerated,*) by tostring(IncidentNumber)\\r\\n| extend IncidentID = IncidentName\\r\\n| extend IncidentNumber = toint(IncidentNumber)\\r\\n| where tostring(Owner.userPrincipalName) in ({Owner}) or (isempty(tostring(Owner.userPrincipalName)) and \\\"Unassigned\\\" in ({Owner}))\\r\\n| extend RunPlaybook = \\\"Run Playbook\\\"\\r\\n| where Title has_cs \\\"Infoblox - SOC Insight\\\"\\r\\n| extend Alerts = extract(\\\"\\\\\\\\[(.*?)\\\\\\\\]\\\", 1, tostring(AlertIds))\\r\\n| mv-expand AlertIds to typeof(string)\\r\\n//----------------\\r\\n;\\r\\nlet alerts =\\r\\n SecurityAlert\\r\\n | extend AlertEntities = parse_json(Entities)\\r\\n //| extend InfobloxInsightID = tostring(AlertEntities.ObjectGuid)\\r\\n;\\r\\nincidents | join alerts on $left.AlertIds == $right.SystemAlertId\\r\\n//----------------------\\r\\n| summarize AlertCount=dcount(AlertIds) by IncidentNumber, IncidentID, Status, Title, Alerts, IncidentUrl, Owner=tostring(Owner.userPrincipalName) , RunPlaybook\\r\\n// -------------\\r\\n| join kind=inner (incidents | join alerts on $left.AlertIds == 
$right.SystemAlertId) on IncidentNumber\\r\\n| join kind=fullouter x on IncidentNumber\\r\\n| summarize arg_max(TimeGenerated,*) by (IncidentNumber)\\r\\n//| where Priority in ({SelectPriority}) or '{SelectPriority:label}' == \\\"All\\\"\\r\\n| where Status in ({Status}) or '{Status:label}' == \\\"All\\\"\\r\\n| project IncidentNumber, Severity, Priority, Title, Status, Owner, IncidentUrl, RunPlaybook, ThreatType, ThreatClass, ThreatFamily, LastSeen, FirstSeen, FeedSource, EventsCount, NotBlockedCount, BlockedCount, PersistentDate, SpreadingDate, InfobloxInsightID, IncidentID\\r\\n//| project-away IncidentID\\r\\n| order by toint(IncidentNumber) desc\\r\\n\",\"size\":0,\"title\":\"SOC Insight Incidents\",\"timeContextFromParameter\":\"TimeRange\",\"exportedParameters\":[{\"fieldName\":\"InfobloxInsightID\",\"parameterName\":\"InfobloxInsightID\",\"parameterType\":1},{\"fieldName\":\"IncidentID\",\"parameterName\":\"IncidentID\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"Title\",\"parameterType\":1}],\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"Sev0\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"Sev1\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"Sev2\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Informational\",\"representation\":\"Sev4\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"unknown\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Priority\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdV
alue\":\"INFO\",\"representation\":\"blue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"LOW\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MEDIUM\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"HIGH\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"CRITICAL\",\"representation\":\"purple\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"New\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Active\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Owner\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25ch\"}},{\"columnMatch\":\"IncidentUrl\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Open Incident\"}},{\"columnMatch\":\"RunPlaybook\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.OperationalInsights/workspaces/{Workspace:label}/providers/Microsoft.SecurityInsights/incidents/{IncidentID}/runPlaybook?api-version=2019-01-01-preview\",\"body\":\"{\\r\\n \\\"LogicAppsResourceId\\\":\\\"/subscriptions/{Subscription:id}/resourceGroups/{PlaybookResourceGroup:label}/providers/Microsoft.Logic/workflows/{PlaybookName:label}\\\",\\r\\n \\\"tenantId\\\":\\\"{TenantID}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify 
resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}},\"tooltipFormat\":{\"tooltip\":\"Run {PlaybookName} on this insight.\"}},{\"columnMatch\":\"EventsCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"NotBlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"BlockedCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"InsightDataReady\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"gray\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data for this insight, run the Infoblox-SOC-API-Get-Insight-Details playbook.\"}},{\"columnMatch\":\"isPopulated\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Ready\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Data Not Found\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]},\"tooltipFormat\":{\"tooltip\":\"To see data about this Insight, run the Infoblox-SOC-API-Get-Insight-Details 
Playbook.\"}},{\"columnMatch\":\"Alerts\",\"formatter\":5},{\"columnMatch\":\"AlertCount\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}},{\"columnMatch\":\"Entities\",\"formatter\":1},{\"columnMatch\":\"alertCount\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"palette\":\"redBright\"}},{\"columnMatch\":\"count_AlertCount\",\"formatter\":8,\"formatOptions\":{\"palette\":\"greenRed\"}}],\"rowLimit\":500,\"filter\":true}},\"name\":\"IncidentDetailsView\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"46b4abc5-316b-4c75-89b7-5cf134d6dbb0\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Summary\",\"subTarget\":\"Summary\",\"style\":\"link\"},{\"id\":\"81661594-3591-4fe6-a67d-b69ae55abf67\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Assets\",\"subTarget\":\"Assets\",\"preText\":\"IPs\",\"style\":\"link\"},{\"id\":\"46ca603b-ead0-46bd-987d-1d157b2a763a\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators\",\"subTarget\":\"Indicators\",\"style\":\"link\"},{\"id\":\"f2ce2fdb-104a-447f-b42b-6d11931a09ff\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Events\",\"subTarget\":\"Events\",\"style\":\"link\"},{\"id\":\"03782b90-e744-4654-95c3-a1056cfe78f9\",\"cellValue\":\"view\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Comments\",\"subTarget\":\"Comments\",\"style\":\"link\"}]},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"},\"name\":\"links - 16\",\"styleSettings\":{\"padding\":\"20px 0 20px 0\"}},{\"type\":1,\"content\":{\"json\":\"#### Click on **SOC Insight Incident** above to view more information.\",\"style\":\"upsell\"},\"conditionalVisibility\":{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 14\",\"styleSettings\":{\"padding\":\"10px 0 10px 
0\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## {Title}\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"list\",\"links\":[{\"id\":\"5c15d5ff-4108-4538-930b-201f4f8da870\",\"cellValue\":\"https://csp.infoblox.com/#/insights-console/insight/{InfobloxInsightID}/summary\",\"linkTarget\":\"Url\",\"linkLabel\":\"Redirect To Summary on CSP\",\"preText\":\"\",\"style\":\"link\"}]},\"name\":\"links - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(FirstSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend FirstSeen = strcat(tostring(FirstSeen), \\\" UTC\\\")\\r\\n| project FirstSeen\",\"size\":3,\"title\":\"First Seen\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"FirstSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"First Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(LastSeen)\\r\\n| extend format_datetime(todatetime(LastSeen), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend LastSeen = strcat(tostring(LastSeen), \\\" UTC\\\")\\r\\n| project LastSeen\",\"size\":3,\"title\":\"Last Seen 
\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"LastSeen\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Last Seen\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(SpreadingDate)\\r\\n| extend format_datetime(todatetime(SpreadingDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend SpreadingDate = strcat(tostring(SpreadingDate), \\\" UTC\\\")\\r\\n| project SpreadingDate\",\"size\":3,\"title\":\"Spreading Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"SpreadingDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Spreading Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(PersistentDate)\\r\\n| extend format_datetime(todatetime(PersistentDate), 'M/dd/yyyy, h:mm:ss tt')\\r\\n| extend PersistentDate = strcat(tostring(PersistentDate), \\\" UTC\\\")\\r\\n| project PersistentDate\",\"size\":3,\"title\":\"Persistent 
Date\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"PersistentDate\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false,\"size\":\"auto\"}},\"customWidth\":\"25\",\"name\":\"Persistent Date\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(BlockedCount)\\r\\n| project BlockedCount\",\"size\":3,\"title\":\"Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"BlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(NotBlockedCount)\\r\\n| project NotBlockedCount\",\"size\":3,\"title\":\"Not Blocked Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"NotBlockedCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"red\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Not Blocked Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsight\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
summarize arg_max(TimeGenerated, *)\\r\\n| where isnotempty(EventsCount)\\r\\n| project EventsCount\\r\\n\",\"size\":3,\"title\":\"Total Hits\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"EventsCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"gray\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"Total Hits\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(SourceIP)\\r\\n| summarize count() by SourceIP\\r\\n| top 20 by count_ \\r\\n| project SourceIP);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\\r\\n\",\"size\":0,\"title\":\"Top 20 Compromised 
Assets\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top Impacted IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count() by ThreatIndicator\\r\\n| top 20 by count_ \\r\\n| project ThreatIndicator);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, ThreatIndicator, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatIndicator\\r\\n\",\"size\":0,\"title\":\"Top 20 Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"chartSettings\":{\"createOtherGroup\":15,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Top 20 Indicators\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = 
materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| summarize count() );\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"Events\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Summary\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Summary\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Assets\\r\\n---\\r\\nSee your protected assets/devices affected by this insight. 
**Install the Infoblox Endpoint client for more accurate data.**\"},\"name\":\"text - 6\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Asset** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"margin\":\"15px 0 15px 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['OS Version'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| project SourceIP, User, ['MAC Address'], ['OS Version'], DeviceName, Network,['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"SourceIP\",\"exportParameterName\":\"SourceIP\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"IndicatorDistinctCount\",\"label\":\"Associated Indicators\"}]}},\"name\":\"Assets\",\"styleSettings\":{\"margin\":\"0 0 20px 
0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"gree
n\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"75\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 60px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ThreatIndicator, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| summarize Count = count() by ThreatIndicator\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"25\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\" Indicators for {SourceIP}\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by ThreatLevel\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Level Trend for {SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"linechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"se
riesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"High\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Threat Level Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for 
{SourceIP}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"turquoise\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"blue\"}]}},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {SourceIP}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| 
where SourceIP == '{SourceIP}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected > ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Events = count() default = 0 on Detected from ago(Lookback) to now() step 1d\",\"size\":0,\"title\":\"All Events for {SourceIP}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"areachart\"},\"customWidth\":\"33\",\"conditionalVisibility\":{\"parameterName\":\"SourceIP\",\"comparison\":\"isNotEqualTo\"},\"name\":\"All Events for {SourceIP}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Assets\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Assets\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Indicators\\r\\n---\\r\\nAn **Indicator** is a domain or IP address that is seen in the resolution chain of a query from a device.\\r\\n\\r\\n\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| summarize count_distinct(ThreatIndicator) by 
InfobloxB1PolicyAction\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Not Blocked\",\"color\":\"red\"},{\"seriesName\":\"Blocked\",\"color\":\"green\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(ThreatIndicator)\\r\\n| summarize count_distinct(ThreatIndicator) by ThreatLevel\",\"size\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"blue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"50\",\"name\":\"query - 8 - Copy\"},{\"type\":1,\"content\":{\"json\":\"#### Click on **Indicator** below to view more information.\",\"style\":\"upsell\"},\"name\":\"text - 7\",\"styleSettings\":{\"padding\":\"15px 0 15px 0\"}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"5b2e1804-a9a6-4b86-8a6e-27fd0ab029b5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"ThreatLevelParam\",\"label\":\"Threat Level\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct 
ThreatLevel\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e36bc3c2-b85e-478c-968b-7faf79c21c49\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"InfobloxB1PolicyActionParam\",\"label\":\"Action\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"InfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct InfobloxB1PolicyAction\",\"crossComponentResources\":[\"{Workspace}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"All\",\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AssetCount = (InfobloxInsightIndicators\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| join kind=inner\\r\\n(\\r\\nInfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\\r\\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\\r\\n| where ThreatIndicator1 has_cs ThreatIndicator\\r\\n| summarize by SourceIP, ThreatIndicator\\r\\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\\r\\n\\r\\n\\r\\nInfobloxInsightIndicators\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
where isnotempty(ThreatIndicator)\\r\\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \\\"All\\\"\\r\\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \\\"All\\\"\\r\\n| join\\r\\n (\\r\\n AssetCount\\r\\n ) on ThreatIndicator\\r\\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\\r\\n| extend URL = strcat(\\\"https://csp.infoblox.com/#/security_research/search/auto/\\\", ThreatIndicator, \\\"/summary\\\")\\r\\n| extend sort_order = case(\\r\\n ThreatLevel == \\\"High\\\", 5,\\r\\n ThreatLevel == \\\"Medium\\\", 4,\\r\\n ThreatLevel == \\\"Low\\\", 3,\\r\\n ThreatLevel == \\\"N/A\\\", 2,\\r\\n 1 // default case if ThreatLevel doesn't match any of the above\\r\\n)\\r\\n| order by sort_order, EventCount desc\\r\\n| project-away sort_order\\r\\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\\r\\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"ThreatIndicator\",\"exportParameterName\":\"ThreatIndicator\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Blocked\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Not 
Blocked\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Investigate in Dossier\"}},{\"columnMatch\":\"SourceIPDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"bluePurple\"}}],\"rowLimit\":500,\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventCount\",\"label\":\"Associated Events\"},{\"columnId\":\"URL\",\"label\":\"Investigate in Dossier\"}]}},\"name\":\"Indicators\",\"styleSettings\":{\"margin\":\"0 15px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| join\\r\\n(\\r\\n InfobloxInsightAssets\\r\\n | summarize arg_max(TimeGenerated, *) by SourceIP, SourceUserName, SourceMACAddress, InfobloxB1SrcOSVersion\\r\\n) on SourceIP\\r\\n| order by LastSeen, EventCount desc\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Source OSVersion'] = InfobloxB1SrcOSVersion, Network = InfobloxB1Network, ['DHCP Fingerprint'] 
= InfobloxB1DHCPFingerprint\\r\\n| summarize by SourceIP, User, ['MAC Address'], ['Source OSVersion'], DeviceName, Network, ['DHCP Fingerprint'], Location, EventCount, IndicatorDistinctCount, LastSeen, FirstSeen\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Assets for {ThreatIndicator}\",\"noDataMessage\":\"Select an Indicator in the above chart to see details.\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"EventCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"IndicatorDistinctCount\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purpleBlue\"}}],\"rowLimit\":500,\"filter\":true}},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Assets for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\n// Finding Tops \\r\\nlet Top = materialize(InfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where isnotempty(DestinationDnsDomain)\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| summarize count() by SourceIP\\r\\n| top 500 by count_ \\r\\n);\\r\\n// Filtering datasource to Tops and Plot Time chart\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where SourceIP in ((Top))\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, 
InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Total= count() default = 0 on Detected from ago(Lookback) to now() step 1d by SourceIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Source IPs for {ThreatIndicator}\",\"color\":\"amethyst\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"barchart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true},\"chartSettings\":{\"createOtherGroup\":15}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Source IPs for 
{ThreatIndicator}\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where Detected >= ago(30d)\\r\\n| where ThreatIndicator has_cs '{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| project-rename User = SourceUserName, ['MAC Address'] = SourceMACAddress, ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint, ['Date Time'] = TimeGenerated\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, User, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, ['MAC Address'], ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events for 
{ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":500,\"filter\":true,\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"SourceIP\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Events for {ThreatIndicator}\",\"styleSettings\":{\"margin\":\"0 20px 0 0\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let Lookback = 30d;\\r\\nInfobloxInsightEvents\\r\\n| where Detected >= ago(Lookback)\\r\\n| where ThreatIndicator has_cs 
'{ThreatIndicator}'\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, SourceUserName, DeviceName, SourceIP, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion\\r\\n| make-series Trend = count() default = 0 on Detected from ago(Lookback) to now() step 1d by InfobloxB1PolicyAction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Action Trend for {ThreatIndicator}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\
":500,\"filter\":true},\"chartSettings\":{\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"N/A\",\"color\":\"gray\"},{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"}]}},\"customWidth\":\"30\",\"conditionalVisibility\":{\"parameterName\":\"ThreatIndicator\",\"comparison\":\"isNotEqualTo\"},\"name\":\"Action Trend for {ThreatIndicator}\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Indicators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Events\\r\\n---\\r\\nDNS security events associated with this insight.\\r\\n\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatLevel)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatLevel\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat 
Level\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Threat Level\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatClass)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatClass\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Classes\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Classes\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(ThreatProperty)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, 
ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by ThreatProperty\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Threat Families\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Threat Families\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceUserName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Users\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where isnotempty(DeviceName)\\r\\n| where Detected >= ago(30d)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, 
ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceName\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Names\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Names\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(SourceIP)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by SourceIP\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Source IPs\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Source IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1Network)\\r\\n| 
distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1Network\",\"size\":4,\"title\":\"Sources\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Sources\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyName)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyName\",\"size\":4,\"title\":\"Policies\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Policies\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= 
ago(30d)\\r\\n| where isnotempty(InfobloxB1PolicyAction)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by InfobloxB1PolicyAction\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Actions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"Block\",\"color\":\"green\"},{\"seriesName\":\"Log\",\"color\":\"lightBlue\"},{\"seriesName\":\"Allow - No Log\",\"color\":\"red\"}]}},\"customWidth\":\"33\",\"name\":\"Actions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DNSResponse)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DNSResponse\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"DNS 
Responses\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"DNS Responses\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceRegion)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| summarize Count = count() by DeviceRegion\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Regions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"Device Regions\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| where isnotempty(DeviceCountry)\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, InfobloxDNSQType, ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, InfobloxB1PolicyName, InfobloxB1PolicyAction, InfobloxB1Network, DNSResponse, DNSView, InfobloxB1FeedName, SourceMACAddress, InfobloxB1SrcOSVersion, InfobloxB1DHCPFingerprint, ResponseRegion, ResponseCountry, DeviceRegion, 
DeviceCountry\\r\\n| summarize Count = count() by DeviceCountry\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":4,\"title\":\"Device Countries\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true,\"seriesLabelSettings\":[{\"seriesName\":\"High\",\"color\":\"red\"},{\"seriesName\":\"Medium\",\"color\":\"orange\"},{\"seriesName\":\"Low\",\"color\":\"yellow\"},{\"seriesName\":\"Info\",\"color\":\"lightBlue\"},{\"seriesName\":\"N/A\",\"color\":\"gray\"}]}},\"customWidth\":\"33\",\"name\":\"Device Countries\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightEvents\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| where Detected >= ago(30d)\\r\\n| project-rename ['Query Type'] = InfobloxDNSQType, ['Policy Name'] = InfobloxB1PolicyName, ['Policy Action'] = InfobloxB1PolicyAction, Network = InfobloxB1Network, FeedName = InfobloxB1FeedName, ['Source OSVersion'] = InfobloxB1SrcOSVersion, ['DHCP Fingerprint'] = InfobloxB1DHCPFingerprint\\r\\n| distinct ThreatLevel, ThreatConfidence, Detected, DestinationDnsDomain, ['Query Type'], ThreatClass, SourceUserName, DeviceName, SourceIP, ThreatProperty, ['Policy Name'], ['Policy Action'], Network, DNSResponse, DNSView, FeedName, SourceMACAddress, ['Source OSVersion'], ['DHCP Fingerprint'], ResponseRegion, ResponseCountry, DeviceRegion, DeviceCountry\\r\\n| order by Detected 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Events\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatLevel\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"N/A\",\"representation\":\"gray\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Info\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"InfobloxB1PolicyAction\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"contains\",\"thresholdValue\":\"Allow\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"contains\",\"thresholdValue\":\"Block\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"lightBlue\",\"text\":\"{0}{1}\"}]}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"Events\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Events\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Events\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InfobloxInsightComments\\r\\n| where InfobloxInsightID == \\\"{InfobloxInsightID}\\\"\\r\\n| 
distinct CommentChanger, Comment, DateChanged, Status\\r\\n| order by DateChanged desc\\r\\n| project-rename ['Date Time'] = DateChanged, User = CommentChanger\\r\\n| project ['Date Time'], Status, User, Comment\",\"size\":0,\"title\":\"Comments\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"Comments\"}]},\"conditionalVisibilities\":[{\"parameterName\":\"view\",\"comparison\":\"isEqualTo\",\"value\":\"Comments\"},{\"parameterName\":\"InfobloxInsightID\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"Comments\"},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 17\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"group - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This Config Insights depends on the **Infoblox-Config-Insights** and **InfoBlox-Config-Insight-Details** logic apps which are deployed with the Microsoft Sentinel Solution.
\\r\\nPlease configure this logic apps first and keep it enabled in order to use this Config Insight Details Dashboard.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":1,\"content\":{\"json\":\"# Infoblox Config Insights\"},\"name\":\"text - 5\"},{\"type\":1,\"content\":{\"json\":\"## Steps to view Config Insights Details using this workbook\\r\\n- This workbook is intended to view the available config insights and view their details.\\r\\n- Select the **Resource Group** and **Subscription ID**.\\r\\n- Select TimeRange.\\r\\n- From the **Config Insights** panel, select any config Insight.\\r\\n- You will be able to see the config details of the selected Insight.\\r\\n- If there is message like **The query returned no results** on config details panel, then click on the **GET CONFIG INSIGHT DETAILS** link to get the Config Insight Details for that Config Insight.\\r\\n- This will execute the **InfoBlox-Config-Insight-Details** logic app in the background.\\r\\n- You can check the status of the playbook to identify the Config Insight Details status.\\r\\n- Click on the refresh button of the lookup panel until you get the Config Insight Details.\\r\\n
\\r\\n
\\r\\n**Note** : In cases where specific indicators may not have lookup information available in Infoblox, users are advised to refer to the Logic App status for further details.\\r\\n\",\"style\":\"upsell\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"7783c2b4-a6e6-4117-92ec-a9a751f01465\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SubscriptionId\",\"label\":\"Subscription ID\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| distinct subscriptionId\",\"typeSettings\":{\"resourceTypeFilter\":{\"microsoft.operationalinsights/workspaces\":true},\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"4a15b858-69b6-4198-abfd-6af5f187d813\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SentinelResourceGroup1\",\"label\":\"Resource Group\",\"type\":2,\"isRequired\":true,\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId, resourceGroup\\r\\n| where subscriptionId == ('{SubscriptionId}')\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project resourceGroup\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":\"\"},{\"id\":\"f70e5d0e-2eff-4bca-9489-90ab64378887\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000}],\"allowCustom\":false},\"value\":{\"durationMs\":1209600000},\"label\":\"Time 
Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, policyAnalyticsId_g:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insights_CL\\r\\n| summarize arg_max(TimeGenerated, *) by policyAnalyticsId_g\\r\\n| extend ConfigInsightDetails = \\\"GET CONFIG INSIGHT DETAILS\\\"\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'],\\r\\n['Policy Analytics ID'] = policyAnalyticsId_g,\\r\\n['Insight Type'] = column_ifexists(\\\"insightType_s\\\",\\\"\\\"),\\r\\n[\\\"Config Insight Details\\\"] = column_ifexists(\\\"ConfigInsightDetails\\\",\\\"\\\")\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"Policy Analytics ID\",\"exportParameterName\":\"ConfigInsightId\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Config Insight Details\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"ArmAction\",\"linkIsContextBlade\":true,\"armActionContext\":{\"path\":\"/subscriptions/{SubscriptionId}/resourceGroups/{SentinelResourceGroup1}/providers/Microsoft.Logic/workflows/InfoBlox-Config-Insight-Details/triggers/manual/run?api-version=2016-10-01\",\"body\":\"{\\r\\n \\\"config_insight_id\\\": \\\"{ConfigInsightId}\\\"\\r\\n}\",\"httpMethod\":\"POST\",\"description\":\"# Actions can potentially modify resources.\\n## Please use caution and include a confirmation message in this description when authoring this command.\"}}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Policy Analytics ID\",\"sortOrder\":1}]},\"name\":\"query - 
1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let dummy_table = datatable(TimeGenerated: datetime, analyticInsightId_g:string, feeds_s:string) [];\\r\\nunion isfuzzy = true\\r\\ndummy_table,\\r\\nInfoblox_Config_Insight_Details_CL\\r\\n| where analyticInsightId_g == \\\"{ConfigInsightId}\\\"\\r\\n| summarize arg_max(TimeGenerated, *) by analyticInsightId_g\\r\\n| extend ParsedJson = parse_json(feeds_s)\\r\\n| mv-expand ParsedJson\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], \\r\\n['Insight Type'] = insightType_s,\\r\\n['Rule Type'] = ParsedJson.ruleType, \\r\\n['Rule Name'] = ParsedJson.ruleName, \\r\\n['Feed Name'] = ParsedJson.feedName, \\r\\n['Current Action'] = ParsedJson.currentAction, \\r\\n['Recommended Action'] = ParsedJson.recommendedAction, \\r\\n['Status'] = ParsedJson.status\",\"size\":0,\"showAnalytics\":true,\"title\":\"Config Insights Detail for Config ID: {ConfigInsightId}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"conditionalVisibility\":{\"parameterName\":\"ConfigInsightId\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"group - 16\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", 
\\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\",\"label\":\"Time Range\"}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"  Please take time to answer a quick survey,\\r\\n[ click here. 
](https://forms.office.com/r/n9beey85aP)\"},\"name\":\"Survey\"},{\"type\":1,\"content\":{\"json\":\"# [Threat Intelligence](https://docs.microsoft.com/azure/sentinel/understand-threat-intelligence)\\n---\\n\\nWithin a Security Information and Event Management (SIEM) solution like Microsoft Sentinel, the most commonly used form of CTI is threat indicators, also known as Indicators of Compromise or IoCs. Threat indicators are data that associate observed artifacts such as URLs, file hashes, or IP addresses with known threat activity such as phishing, botnets, or malware. This form of threat intelligence is often called tactical threat intelligence because it can be applied to security products and automation in large scale to detect potential threats to an organization and protect against them. In Microsoft Sentinel, you can use threat indicators to help detect malicious activity observed in your environment and provide context to security investigators to help inform response decisions. 
[Video Demo](https://youtu.be/4Bet2oVODow)\\n\"},\"customWidth\":\"79\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://azure.microsoft.com/svghandler/azure-sentinel?width=600&height=315) \"},\"customWidth\":\"20\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"Microsoft Sentinel Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 1h)\\r\\n| order by 
CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Type and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem, bin(TimeGenerated, 1h)\\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Imported into Sentinel by Indicator Provider and Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n 
iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by SourceSystem\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Source\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked 
active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or 
isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, 
count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators 
Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has 
\\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data 
Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileOriginUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FQDN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessSHA256', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Name', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteUrl', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RecipientEmailAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SenderMailFromAddress', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Url', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHashValue', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('EmailSenderAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DomainName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AADEmail', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Account', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('AccountUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Caller', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CompromisedEntity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DisplayName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Email_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FullyQualifiedSubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('InitiatingProcessAccountUpn', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('MailboxOwnerUPN', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Owner', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RequesterUpn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIdentity', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserID', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SubjectUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUser', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('TargetUserName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Upn', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('User_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserId_', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserId_s_s', '') has \\\"{Indicator}\\\" \\r\\nor 
column_ifexists('userName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserName', '') has \\\"{Indicator}\\\" \\r\\nor column_ifexists('UserName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('userPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName_s', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('UserPrincipalName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Computer', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FileHash', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('FilePath', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('Process', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('CommandLine', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NewProcessName', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('ParentProcessName', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, 
Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these 
thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated < now()\\r\\n| project-rename ['Date Time'] = TimeGenerated\\r\\n| project ['Date Time'], IndicatorId, ThreatType, Active, Tags, TrafficLightProtocolLevel, EmailSenderAddress, FileHashType, FileHashValue, DomainName, NetworkIP\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Indicator\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
6\"},{\"type\":1,\"content\":{\"json\":\"đź“ť ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}]},\"conditionalVisibility\":{\"parameterName\":\"Parameter\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"group - 7\"}],\"fromTemplateId\":\"sentinel-Infoblox | Infoblox Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -3257,7 +3257,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOCInsight-Detected-APISource_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "Infoblox-SOCInsight-Detected-APISource_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -3285,10 +3285,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "InfobloxSOCInsightsDataConnector_API", "dataTypes": [ "InfobloxInsight" - ], - "connectorId": "InfobloxSOCInsightsDataConnector_API" + ] } ], "tactics": [ @@ -3300,15 +3300,16 @@ ], "entityMappings": [ { + "entityType": "SecurityGroup", "fieldMappings": [ { "columnName": "InfobloxInsightID", "identifier": "ObjectGuid" } - ], - "entityType": "SecurityGroup" + ] }, { + "entityType": "Malware", "fieldMappings": [ { "columnName": "ThreatClass", 
@@ -3318,30 +3319,29 @@ "columnName": "ThreatProperty", "identifier": "Category" } - ], - "entityType": "Malware" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "Status": "Status", - "Severity": "Priority", - "PersistentDate": "PersistentDate", + "UnblockedHits": "NotBlockedCount", "BlockedHits": "BlockedCount", + "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]", + "Severity": "Priority", "FirstSeen": "FirstSeen", + "TotalHits": "EventsCount", "SpreadingDate": "SpreadingDate", "LastSeen": "LastSeen", "FeedSource": "FeedSource", - "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]", - "TotalHits": "EventsCount", - "UnblockedHits": "NotBlockedCount" + "PersistentDate": "PersistentDate", + "Status": "Status" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}", "alertSeverityColumnName": "IncidentSeverity", - "alertDescriptionFormat": "Observed via API. {{ThreatFamily}}. Last Observation: {{LastSeen}}" + "alertDescriptionFormat": "Observed via API. {{ThreatFamily}}. Last Observation: {{LastSeen}}", + "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}" }, "incidentConfiguration": { "createIncident": true @@ -3397,7 +3397,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOCInsight-Detected-CDCSource_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "Infoblox-SOCInsight-Detected-CDCSource_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -3425,16 +3425,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "InfobloxSOCInsightsDataConnector_Legacy", "dataTypes": [ "CommonSecurityLog (InfobloxCDC_SOCInsights)" - ], - "connectorId": "InfobloxSOCInsightsDataConnector_Legacy" + ] }, { + "connectorId": "InfobloxSOCInsightsDataConnector_AMA", "dataTypes": [ "CommonSecurityLog (InfobloxCDC_SOCInsights)" - ], - "connectorId": "InfobloxSOCInsightsDataConnector_AMA" + ] } ], "tactics": [ @@ -3446,15 +3446,16 @@ ], "entityMappings": [ { + "entityType": "SecurityGroup", "fieldMappings": [ { "columnName": "InfobloxInsightID", "identifier": "ObjectGuid" } - ], - "entityType": "SecurityGroup" + ] }, { + "entityType": "Malware", "fieldMappings": [ { "columnName": "ThreatClass", @@ -3464,25 +3465,24 @@ "columnName": "ThreatProperty", "identifier": "Category" } - ], - "entityType": "Malware" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "Status": "Status", - "UnblockedHits": "NotBlockedCount", "BlockedHits": "BlockedCount", + "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]", + "Status": "Status", "TotalHits": "EventsCount", "FeedSource": "FeedSource", - "InfobloxInsightID": "[variables('_Infoblox_Insight_ID')]" + "UnblockedHits": "NotBlockedCount" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}", "alertSeverityColumnName": "IncidentSeverity", - "alertDescriptionFormat": "Observed via CDC. {{ThreatFamily}}. {{Message}}" + "alertDescriptionFormat": "Observed via CDC. {{ThreatFamily}}. {{Message}}", + "alertDisplayNameFormat": "Infoblox - SOC Insight - {{ThreatClass}} {{ThreatProperty}}" }, "incidentConfiguration": { "createIncident": true 
@@ -3538,7 +3538,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxCDC_SOCInsights Data Parser with template version 3.0.0", + "description": "InfobloxCDC_SOCInsights Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -3666,7 +3666,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsight Data Parser with template version 3.0.0", + "description": "InfobloxInsight Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", @@ -3794,7 +3794,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightAssets Data Parser with template version 3.0.0", + "description": "InfobloxInsightAssets Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", 
@@ -3922,7 +3922,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightComments Data Parser with template version 3.0.0", + "description": "InfobloxInsightComments Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", @@ -4050,7 +4050,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightEvents Data Parser with template version 3.0.0", + "description": "InfobloxInsightEvents Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject5').parserVersion5]", @@ -4178,7 +4178,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InfobloxInsightIndicators Data Parser with template version 3.0.0", + "description": "InfobloxInsightIndicators Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject6').parserVersion6]", 
@@ -4306,7 +4306,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Block-Allow-IP-Domain Playbook with template version 3.0.0", + "description": "Infoblox-Block-Allow-IP-Domain Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -5010,7 +5010,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Block-Allow-IP-Domain-Incident-Based Playbook with template version 3.0.0", + "description": "Infoblox-Block-Allow-IP-Domain-Incident-Based Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -6055,7 +6055,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Config-Insight-Details Playbook with template version 3.0.0", + "description": "Infoblox-Config-Insight-Details Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -6413,7 +6413,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Config-Insights Playbook with template version 3.0.0", + "description": "Infoblox-Config-Insights Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -6873,7 +6873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Data-Connector-Trigger-Sync Playbook with template version 3.0.0", + "description": "Infoblox-Data-Connector-Trigger-Sync Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -7584,7 +7584,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-DHCP-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-DHCP-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", 
@@ -8417,7 +8417,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Get-IP-Space-Data Playbook with template version 3.0.0", + "description": "Infoblox-Get-IP-Space-Data Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", @@ -9313,7 +9313,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-Get-Service-Name Playbook with template version 3.0.0", + "description": "Infoblox-Get-Service-Name Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", @@ -9852,7 +9852,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-IPAM-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-IPAM-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", 
@@ -11888,7 +11888,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOC-Get-Insight-Details Playbook with template version 3.0.0", + "description": "Infoblox-SOC-Get-Insight-Details Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion10')]", @@ -12832,7 +12832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOC-Get-Open-Insights-API Playbook with template version 3.0.0", + "description": "Infoblox-SOC-Get-Open-Insights-API Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion11')]", @@ -13130,7 +13130,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-SOC-Import-Indicators-TI Playbook with template version 3.0.0", + "description": "Infoblox-SOC-Import-Indicators-TI Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion12')]", 
@@ -13755,7 +13755,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TIDE-Lookup Playbook with template version 3.0.0", + "description": "Infoblox-TIDE-Lookup Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion13')]", @@ -14524,7 +14524,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TIDE-Lookup-Via-Incident Playbook with template version 3.0.0", + "description": "Infoblox-TIDE-Lookup-Via-Incident Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion14')]", @@ -15264,7 +15264,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Infoblox-TIDE-Lookup-Comment-Enrichment Playbook with template version 3.0.0", + "description": "Infoblox-TIDE-Lookup-Comment-Enrichment Playbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion15')]", 
@@ -16837,7 +16837,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-TimeRangeBased-DHCP-Lookup Playbook with template version 3.0.0",
+ "description": "Infoblox-TimeRangeBased-DHCP-Lookup Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion16')]",
@@ -17891,7 +17891,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Infoblox-Get-Host-Name Playbook with template version 3.0.0",
+ "description": "Infoblox-Get-Host-Name Playbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('playbookVersion17')]",
@@ -18431,7 +18431,7 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Infoblox",
diff --git a/Solutions/Infoblox/ReleaseNotes.md b/Solutions/Infoblox/ReleaseNotes.md
index 603961b9640..2ef63330b52 100644
--- a/Solutions/Infoblox/ReleaseNotes.md
+++ b/Solutions/Infoblox/ReleaseNotes.md
@@ -1,3 +1,4 @@
| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
|-------------|--------------------------------|---------------------------------------------|
+| 3.0.1 | 07-11-2024 | Byug fix in Infoblox_Workbook **Workbook** |
| 3.0.0 | 15-07-2024 | Initial Solution Release |
\ No newline at end of file
diff --git a/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json b/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json
index 477109ffdd8..0bb70edba80 100644
--- a/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json
+++ b/Solutions/Infoblox/Workbooks/Infoblox_Workbook.json
@@ -5540,7 +5540,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"66b112e0-3187-4faa-9357-d229e98002ca\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n", + "query": "let AssetCount = (InfobloxInsightIndicators\r\n| summarize arg_max(TimeGenerated, *), 
count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| join kind=inner\r\n(\r\nInfobloxInsightEvents\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *) by SourceIP, ThreatIndicator\r\n) on $left.InfobloxInsightID == $right.InfobloxInsightID\r\n| where ThreatIndicator1 has_cs ThreatIndicator\r\n| summarize by SourceIP, ThreatIndicator\r\n| summarize ['Unique Asset Count'] = count() by ThreatIndicator);\r\n\r\n\r\nInfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| where isnotempty(ThreatIndicator)\r\n| where InfobloxB1PolicyAction in ({InfobloxB1PolicyActionParam}) or '{InfobloxB1PolicyActionParam:label}' == \"All\"\r\n| where ThreatLevel in ({ThreatLevelParam}) or '{ThreatLevelParam:label}' == \"All\"\r\n| join\r\n (\r\n AssetCount\r\n ) on ThreatIndicator\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction\r\n| extend URL = strcat(\"https://csp.infoblox.com/#/security_research/search/auto/\", ThreatIndicator, \"/summary\")\r\n| extend sort_order = case(\r\n ThreatLevel == \"High\", 5,\r\n ThreatLevel == \"Medium\", 4,\r\n ThreatLevel == \"Low\", 3,\r\n ThreatLevel == \"N/A\", 2,\r\n 1 // default case if ThreatLevel doesn't match any of the above\r\n)\r\n| order by sort_order, EventCount desc\r\n| project-away sort_order\r\n| project-rename ['Policy Action'] = InfobloxB1PolicyAction, ['Feed Name'] = InfobloxB1FeedName\r\n| project ThreatIndicator, ['Unique Asset Count'], ['Policy Action'], ThreatLevel, ThreatConfidence, ['Feed Name'], ThreatActor, LastSeen, FirstSeen, EventCount, URL\r\n\r\n", "size": 0, "showAnalytics": true, "timeContextFromParameter": "TimeRange", diff --git a/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json index c60bdcd7f72..53e3c0b304f 100644 
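Review bot: The left leg of `AssetCount` still reads every row of `InfobloxInsightIndicators` and collapses them with `arg_max(TimeGenerated, *)` by ThreatIndicator and InfobloxB1PolicyAction before the inner join restricts on `InfobloxInsightID`; if the same indicator appears in more than one insight, the join can keep or drop that group depending on which insight its newest row belongs to, so the asset count for the selected insight may be missing or taken from another insight's row. Filtering before the summarize, as the main query already does, removes that ambiguity and the unnecessary scan: `let AssetCount = (InfobloxInsightIndicators\r\n| where InfobloxInsightID == \"{InfobloxInsightID}\"\r\n| summarize arg_max(TimeGenerated, *), count_distinct(SourceMACAddress) by ThreatIndicator, InfobloxB1PolicyAction`. The enclosing workbook item starts before the hunk.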
--- a/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
+++ b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json
@@ -2,7 +2,7 @@ "Name": "Malware Protection Essentials", "Author": "Microsoft - support@microsoft.com", "Logo": "", - "Description": "[Malware Protection Essentials](https://aka.ms/AboutASIM) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices) \n 2. [Azure Firewall](https://portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall) \n 3. [Azure Network Security Groups](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-networksecuritygroupazure-sentinel-solution-networksecuritygroup) \n 4. [Check Point](https://portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1) \n 5. [Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa) \n 6. [Cisco Meraki Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscomerakiazure-sentinel-solution-ciscomeraki) \n 7. 
[Corelight](https://portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template) \n 8. [Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate) \n 9. [Microsoft Defender for IoT](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforotazure-sentinel-solution-unifiedmicrosoftsocforot) \n 10. [Microsoft Defender for Cloud](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoftdefenderforcloudazure-sentinel-solution-microsoftdefenderforcloud) \n 11. [Microsoft Sysmon For Linux](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux) \n 12. [Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall) \n 13. [Palo Alto PANOS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos) \n 14. [Vectra AI Stream](https://portal.azure.com/#create/vectraaiinc.vectra_sentinel_solutionvectra_sentinel_solutions) \n 15. [WatchGuard Firebox](https://portal.azure.com/#create/watchguard-technologies.watchguard_firebox_msswatchguard-sentinel-solution-plan) \n 16. [Zscaler Internet Access](https://portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1) \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. 
Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.", + "Description": "Malware Protection Essentials is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. 
Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.",
"Analytic Rules": [
"Analytic Rules/StartupRegistryModified.yaml",
"Analytic Rules/PrintProcessersModified.yaml",
@@ -26,6 +26,24 @@
"Workbooks": [
"Workbooks/MalwareProtectionEssentialsWorkbook.json"
],
+ "dependentDomainSolutionIds": [
+ "azuresentinel.azure-sentinel-solution-amazonwebservices",
+ "sentinel4azurefirewall.sentinel4azurefirewall",
+ "azuresentinel.azure-sentinel-solution-networksecuritygroup",
+ "checkpoint.checkpoint-sentinel-solutions",
+ "azuresentinel.azure-sentinel-solution-ciscoasa",
+ "azuresentinel.azure-sentinel-solution-ciscomeraki",
+ "corelightinc1584998267292.corelight-for-azure-sentinel",
+ "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel",
+ "azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot",
+ "azuresentinel.azure-sentinel-solution-microsoftdefenderforcloud",
+ "azuresentinel.azure-sentinel-solution-sysmonforlinux",
+ "azuresentinel.azure-sentinel-solution-windowsfirewall",
+ "azuresentinel.azure-sentinel-solution-paloaltopanos",
+ "vectraaiinc.vectra_sentinel_solution",
+ "watchguard-technologies.watchguard_firebox_mss",
+ "zscaler1579058425289.zscaler_internet_access_mss"
+ ],
"WorkbooksDescription": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.",
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Malware Protection Essentials\\",
"Version": "3.0.1",
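Review bot: The eighth entry of the new `dependentDomainSolutionIds` array, `"Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel"`, is a display name while every other entry is a `publisher.offer` solution id, so whatever consumes this list will presumably fail to resolve the FortiGate dependency. The Description text removed in the first hunk linked that solution under the id `azuresentinel.azure-sentinel-solution-fortinetfortigate`, which is the form the neighbouring entries use: `"azuresentinel.azure-sentinel-solution-fortinetfortigate",`. The enclosing JSON object continues outside the hunk.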
diff --git a/Solutions/Malware Protection Essentials/Package/3.0.1.zip b/Solutions/Malware Protection Essentials/Package/3.0.1.zip
index f6e72dbf7e2..a296855808e 100644
Binary files a/Solutions/Malware Protection Essentials/Package/3.0.1.zip and b/Solutions/Malware Protection Essentials/Package/3.0.1.zip differ
diff --git a/Solutions/Malware Protection Essentials/Package/createUiDefinition.json b/Solutions/Malware Protection Essentials/Package/createUiDefinition.json
index b041f5b19ac..19402047074 100644
--- a/Solutions/Malware Protection Essentials/Package/createUiDefinition.json
+++ b/Solutions/Malware Protection Essentials/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Malware%20Protection%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution.\n\n[Malware Protection Essentials](https://aka.ms/AboutASIM) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices) \n 2. [Azure Firewall](https://portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall) \n 3. [Azure Network Security Groups](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-networksecuritygroupazure-sentinel-solution-networksecuritygroup) \n 4. [Check Point](https://portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1) \n 5. 
[Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa) \n 6. [Cisco Meraki Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscomerakiazure-sentinel-solution-ciscomeraki) \n 7. [Corelight](https://portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template) \n 8. [Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate) \n 9. [Microsoft Defender for IoT](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforotazure-sentinel-solution-unifiedmicrosoftsocforot) \n 10. [Microsoft Defender for Cloud](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoftdefenderforcloudazure-sentinel-solution-microsoftdefenderforcloud) \n 11. [Microsoft Sysmon For Linux](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux) \n 12. [Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall) \n 13. [Palo Alto PANOS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos) \n 14. [Vectra AI Stream](https://portal.azure.com/#create/vectraaiinc.vectra_sentinel_solutionvectra_sentinel_solutions) \n 15. [WatchGuard Firebox](https://portal.azure.com/#create/watchguard-technologies.watchguard_firebox_msswatchguard-sentinel-solution-plan) \n 16. 
[Zscaler Internet Access](https://portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1) \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 6, **Hunting Queries:** 6, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Malware%20Protection%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nMalware Protection Essentials is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. 
The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Amazon Web Services \n 2. Azure Firewall \n 3. Azure Network Security Groups \n 4. Check Point \n 5. Cisco ASA \n 6. Cisco Meraki Security Events \n 7. Corelight \n 8. Fortinet FortiGate \n 9. Microsoft Defender for IoT \n 10. Microsoft Defender for Cloud \n 11. Microsoft Sysmon For Linux \n 12. Windows Firewall \n 13. Palo Alto PANOS \n 14. Vectra AI Stream \n 15. WatchGuard Firebox \n 16. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 6, **Hunting Queries:** 6, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/Malware Protection Essentials/Package/mainTemplate.json b/Solutions/Malware Protection Essentials/Package/mainTemplate.json index ce74f166913..32235a2ac84 100644 --- a/Solutions/Malware Protection Essentials/Package/mainTemplate.json +++ b/Solutions/Malware Protection Essentials/Package/mainTemplate.json 
@@ -228,16 +228,16 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Host" @@ -245,16 +245,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Account" @@ -262,12 +262,12 @@ { "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "ActingProcessId" + "columnName": "ActingProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "ActingProcessCommandLine" + "columnName": "ActingProcessCommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -275,12 +275,12 @@ { "fieldMappings": [ { - "identifier": "Hive", - "columnName": "RegHive" + "columnName": "RegHive", + "identifier": "Hive" }, { - "identifier": "Key", - "columnName": "RegKey" + "columnName": "RegKey", + "identifier": "Key" } ], "entityType": "RegistryKey" @@ -288,16 +288,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "RegistryValue" + "columnName": "RegistryValue", + "identifier": "Name" }, { - "identifier": "Value", - "columnName": "RegistryValueData" + "columnName": "RegistryValueData", + "identifier": "Value" }, { - "identifier": "ValueType", - "columnName": "RegistryValueType" + "columnName": "RegistryValueType", + "identifier": "ValueType" } ], "entityType": "RegistryValue" 
@@ -444,16 +444,16 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Host" @@ -461,16 +461,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Account" @@ -478,12 +478,12 @@ { "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "ActingProcessId" + "columnName": "ActingProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "ActingProcessCommandLine" + "columnName": "ActingProcessCommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -491,12 +491,12 @@ { "fieldMappings": [ { - "identifier": "Hive", - "columnName": "RegHive" + "columnName": "RegHive", + "identifier": "Hive" }, { - "identifier": "Key", - "columnName": "RegKey" + "columnName": "RegKey", + "identifier": "Key" } ], "entityType": "RegistryKey" @@ -504,16 +504,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "RegistryValue" + "columnName": "RegistryValue", + "identifier": "Name" }, { - "identifier": "Value", - "columnName": "RegistryValueData" + "columnName": "RegistryValueData", + "identifier": "Value" }, { - "identifier": "ValueType", - "columnName": "RegistryValueType" + "columnName": "RegistryValueType", + "identifier": "ValueType" } ], "entityType": "RegistryValue" 
@@ -596,7 +596,7 @@ "description": "This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed.", "displayName": "Process Creation with Suspicious CommandLine Arguments", "enabled": false, - "query": "_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, \" \"), 1, -1), \" \")\n| where strlen(CommandLineArgs) > 0\n| where CommandLineArgs contains \"base64\"\n| project\nTimeGenerated,\nDvcHostname,\nDvcIpAddr,\nDvcDomain,\nTargetUsername,\nTargetUsernameType,\nTargetProcessName,\nTargetProcessId,\nCommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')), '')\n", + "query": "_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| extend CommandLineArgs = strcat_array(array_slice(split(CommandLine, \" \"), 1, -1), \" \")\n| where strlen(CommandLineArgs) > 0\n| where CommandLineArgs contains \"base64\"\n| project\nTimeGenerated,\nDvcHostname,\nDvcIpAddr,\nDvcDomain,\nTargetUsername,\nTargetUsernameType,\nTargetProcessName,\nTargetProcessId,\nCommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 
'UPN', tostring(split(TargetUsername, '@')[1]), '')\n", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium", @@ -661,16 +661,16 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DvcHostname" + "columnName": "DvcHostname", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DvcDomain" + "columnName": "DvcDomain", + "identifier": "DnsDomain" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Host" @@ -678,8 +678,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "DvcIpAddr" + "columnName": "DvcIpAddr", + "identifier": "Address" } ], "entityType": "IP" @@ -687,16 +687,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Account" @@ -704,12 +704,12 @@ { "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "TargetProcessId" + "columnName": "TargetProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -855,16 +855,16 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DvcHostname" + "columnName": "DvcHostname", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DvcDomain" + "columnName": "DvcDomain", + "identifier": "DnsDomain" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Host" 
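Review bot: In the rewritten `query` on the `+` line, `NTDomain` still falls back to the whole `TargetUsername` for non-Windows name types, so for a UPN-typed name the full address is emitted as the Account entity's `NTDomain` next to the split `Name` and `UPNSuffix`; `UPNSuffix` already falls back to `''` and `NTDomain` should match it: `| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), '')` (KQL form; the JSON encoding doubles the backslashes). A Windows-typed name that contains no backslash now produces an empty `Username`, because `split(...)[1]` is null and `tostring` turns it into `''`; `coalesce(tostring(split(TargetUsername, '\\')[1]), TargetUsername)` keeps the original value in that case. The Host entity mapping in the following hunk binds its `NTDomain` identifier to this same `NTDomain` column, which is now derived from the account rather than the device, so that mapping likely belongs on `DvcDomain` or should be dropped. Since mainTemplate.json is generated, these changes presumably belong in the rule's source YAML rather than in the package.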
@@ -872,8 +872,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "DvcIpAddr" + "columnName": "DvcIpAddr", + "identifier": "Address" } ], "entityType": "IP" @@ -881,16 +881,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Account" @@ -898,12 +898,12 @@ { "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "TargetProcessId" + "columnName": "TargetProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -1049,16 +1049,16 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Host" @@ -1066,16 +1066,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Account" 
@@ -1083,12 +1083,12 @@ { "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "ActingProcessId" + "columnName": "ActingProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "ActingProcessCommandLine" + "columnName": "ActingProcessCommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -1096,12 +1096,12 @@ { "fieldMappings": [ { - "identifier": "Hive", - "columnName": "RegHive" + "columnName": "RegHive", + "identifier": "Hive" }, { - "identifier": "Key", - "columnName": "RegKey" + "columnName": "RegKey", + "identifier": "Key" } ], "entityType": "RegistryKey" @@ -1109,16 +1109,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "RegistryValue" + "columnName": "RegistryValue", + "identifier": "Name" }, { - "identifier": "Value", - "columnName": "RegistryValueData" + "columnName": "RegistryValueData", + "identifier": "Value" }, { - "identifier": "ValueType", - "columnName": "RegistryValueType" + "columnName": "RegistryValueType", + "identifier": "ValueType" } ], "entityType": "RegistryValue" @@ -1264,16 +1264,16 @@ { "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Host" @@ -1281,16 +1281,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ], "entityType": "Account" 
@@ -1298,12 +1298,12 @@ { "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "ActingProcessId" + "columnName": "ActingProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "ActingProcessCommandLine" + "columnName": "ActingProcessCommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -1311,12 +1311,12 @@ { "fieldMappings": [ { - "identifier": "Hive", - "columnName": "RegHive" + "columnName": "RegHive", + "identifier": "Hive" }, { - "identifier": "Key", - "columnName": "RegKey" + "columnName": "RegKey", + "identifier": "Key" } ], "entityType": "RegistryKey" @@ -1324,16 +1324,16 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "RegistryValue" + "columnName": "RegistryValue", + "identifier": "Name" }, { - "identifier": "Value", - "columnName": "RegistryValueData" + "columnName": "RegistryValueData", + "identifier": "Value" }, { - "identifier": "ValueType", - "columnName": "RegistryValueType" + "columnName": "RegistryValueType", + "identifier": "ValueType" } ], "entityType": "RegistryValue" @@ -2016,7 +2016,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "Malware Protection Essentials", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Malware Protection Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Amazon Web Services
  2. \n
  3. Azure Firewall
  4. \n
  5. Azure Network Security Groups
  6. \n
  7. Check Point
  8. \n
  9. Cisco ASA
  10. \n
  11. Cisco Meraki Security Events
  12. \n
  13. Corelight
  14. \n
  15. Fortinet FortiGate
  16. \n
  17. Microsoft Defender for IoT
  18. \n
  19. Microsoft Defender for Cloud
  20. \n
  21. Microsoft Sysmon For Linux
  22. \n
  23. Windows Firewall
  24. \n
  25. Palo Alto PANOS
  26. \n
  27. Vectra AI Stream
  28. \n
  29. WatchGuard Firebox
  30. \n
  31. Zscaler Internet Access
  32. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 6, Hunting Queries: 6, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Malware Protection Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Amazon Web Services
  2. \n
  3. Azure Firewall
  4. \n
  5. Azure Network Security Groups
  6. \n
  7. Check Point
  8. \n
  9. Cisco ASA
  10. \n
  11. Cisco Meraki Security Events
  12. \n
  13. Corelight
  14. \n
  15. Fortinet FortiGate
  16. \n
  17. Microsoft Defender for IoT
  18. \n
  19. Microsoft Defender for Cloud
  20. \n
  21. Microsoft Sysmon For Linux
  22. \n
  23. Windows Firewall
  24. \n
  25. Palo Alto PANOS
  26. \n
  27. Vectra AI Stream
  28. \n
  29. WatchGuard Firebox
  30. \n
  31. Zscaler Internet Access
  32. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 6, Hunting Queries: 6, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2039,7 +2039,6 @@ "link": "https://support.microsoft.com" }, "dependencies": { - "operator": "AND", "criteria": [ { "kind": "AnalyticsRule", 
@@ -2110,6 +2109,70 @@ "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", "version": "[variables('workbookVersion1')]" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-amazonwebservices" + }, + { + "kind": "Solution", + "contentId": "sentinel4azurefirewall.sentinel4azurefirewall" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-networksecuritygroup" + }, + { + "kind": "Solution", + "contentId": "checkpoint.checkpoint-sentinel-solutions" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-ciscoasa" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-ciscomeraki" + }, + { + "kind": "Solution", + "contentId": "corelightinc1584998267292.corelight-for-azure-sentinel" + }, + { + "kind": "Solution", + "contentId": "Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-microsoftdefenderforcloud" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-sysmonforlinux" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-windowsfirewall" + }, + { + "kind": "Solution", + "contentId": "azuresentinel.azure-sentinel-solution-paloaltopanos" + }, + { + "kind": "Solution", + "contentId": "vectraaiinc.vectra_sentinel_solution" + }, + { + "kind": "Solution", + "contentId": "watchguard-technologies.watchguard_firebox_mss" + }, + { + "kind": "Solution", + "contentId": "zscaler1579058425289.zscaler_internet_access_mss" } ] }, diff --git a/Solutions/Malware Protection Essentials/ReleaseNotes.md b/Solutions/Malware Protection Essentials/ReleaseNotes.md index 4f2cb921093..28c43343876 100644 --- a/Solutions/Malware Protection Essentials/ReleaseNotes.md 
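Review bot: The `contentId` of the Fortinet criterion, `Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel`, is a display name rather than the dotted `publisher.offer` id every other new criterion uses (for example `azuresentinel.azure-sentinel-solution-paloaltopanos`), so this dependency will most likely not resolve to the FortiGate solution; it should be the catalog id from that solution's metadata. The preceding hunk also drops `"operator": "AND"` from `dependencies` while this one adds sixteen `Solution` criteria; the solution description says to install one or more of these products, so the intended semantics looks like OR across the product solutions, and it is worth confirming what the packaging tool and the platform do with an omitted operator rather than relying on the default.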
+++ b/Solutions/Malware Protection Essentials/ReleaseNotes.md
@@ -1,3 +1,4 @@
-| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
-|-------------|--------------------------------|--------------------|
-|3.0.0 |21-12-2023 |Initial Solution Release|
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|--------------|---------------------------------|----------------------------------------------|
+| 3.0.1 | 18-10-2024 | **Analytical Rule** [Process Creation with Suspicious CommandLine Arguments] |
+| 3.0.0 | 21-12-2023 | Initial Solution Release |
diff --git a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
index d28de412666..29a65ac80e0 100644
--- a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
+++ b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json
@@ -205,7 +205,11 @@
 "Hunting Queries/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml",
 "Hunting Queries/Email Queries/URL/Phishing Email Url Redirector.yaml",
 "Hunting Queries/Email Queries/URL/SafeLinks URL detections.yaml",
- "Hunting Queries/Email Queries/ZAP/Total ZAP count.yaml"
+ "Hunting Queries/Email Queries/ZAP/Total ZAP count.yaml",
+ "Hunting Queries/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml",
+ "Hunting Queries/Email Queries/Hunting/Files share contents and suspicious sign-in activity.yaml",
+ "Hunting Queries/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml",
+ "Hunting Queries/Email Queries/Hunting/BEC - File sharing tactics - Dropbox.yaml"
 ],
 "Workbooks" : [
 "Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json",
@@ -213,7 +217,7 @@ "Workbooks/MicrosoftDefenderForIdentity.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR", - "Version": "3.0.9", + "Version": "3.0.10", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "StaticDataConnectorIds": [ diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml new file mode 100644 index 00000000000..805f1d2998c --- /dev/null +++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Automated email notifications and suspicious sign-in activity.yaml @@ -0,0 +1,26 @@ +id: 0955f477-6471-468a-9b13-fc5fa96d7db2 +name: Automated email notifications and suspicious sign-in activity +description: | + This query helps hunting for Automated email notifications and suspicious sign-in activity +description-detailed: | + This query helps hunting for Automated email notifications and suspicious sign-in activity. + By correlating the email from the Microsoft notification service or Dropbox automated notification service with a suspicious sign-in activity, we can identify compromises, especially from securely shared SharePoint or Dropbox files. + Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/ +requiredDataConnectors: +- connectorId: MicrosoftThreatProtection + dataTypes: + - EmailEvents + - AADSignInEventsBeta +tactics: + - InitialAccess +relevantTechniques: + - T1566 +query: | + let usersWithSuspiciousEmails = EmailEvents + | where SenderFromAddress in ("no-reply@notify.microsoft.com", "no-reply@dropbox.com") or InternetMessageId startswith "= 20 +version: 1.0.0 \ No newline at end of file 
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml
new file mode 100644
index 00000000000..524db92b733
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/BEC - File sharing tactics - OneDrive or SharePoint.yaml
@@ -0,0 +1,38 @@
+id: da745698-da8a-40c5-b527-2e9328c2cefe
+name: BEC - File sharing tactics - OneDrive or SharePoint
+description: |
+ This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint
+description-detailed: |
+ This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint.
+ It highlights that a specific file has been shared by a user with multiple participants. Correlating this activity with suspicious sign-in attempts preceding this can help identify lateral movements and BEC attacks.
+ Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - CloudAppEvents
+tactics:
+ - LateralMovement
+relevantTechniques:
+ - T1021
+query: |
+ let securelinkCreated = CloudAppEvents
+ | where ActionType == "SecureLinkCreated"
+ | project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;
+ let filesCreated = securelinkCreated
+ | where isnotempty(ObjectName)
+ | distinct tostring(ObjectName);
+ CloudAppEvents
+ | where ActionType == "AddedToSecureLink"
+ | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
+ | extend FileShared = tostring(RawEventData.ObjectId)
+ | where FileShared in (filesCreated)
+ | extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)
+ | extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType
+ | where TypeofUserSharedWith == "Guest"
+ | where isnotempty(FileShared) and isnotempty(UserSharedWith)
+ | join kind=inner securelinkCreated on $left.FileShared==$right.ObjectName
+ // Secure file created recently (in the last 1day)
+ | where (Timestamp - FileCreatedTime) between (1d .. 0h)
+ | summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared
+ | where NumofUsersSharedWith >= 20
+version: 1.0.0
\ No newline at end of file
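Review bot: `| where (Timestamp - FileCreatedTime) between (1d .. 0h)` has its range reversed: the comment above it says the secure link must have been created within the last day, which is `between (0h .. 1d)`, and unless Kusto normalizes a reversed range the filter matches nothing and the hunt never returns a row. This line is the only time bound in the query, so getting it right is what keeps the inner join on `ObjectName` from pairing a share with `SecureLinkCreated` events for the same file name at any time in the lookback. A smaller point of style: `TypeofUserSharedWith` is left as `dynamic` while the neighbouring fields are wrapped in `tostring(...)`; `| extend TypeofUserSharedWith = tostring(RawEventData.TargetUserOrGroupType)` makes the `== "Guest"` comparison a plain string compare.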
diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Files share contents and suspicious sign-in activity.yaml b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Files share contents and suspicious sign-in activity.yaml
new file mode 100644
index 00000000000..2a7133c253d
--- /dev/null
+++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/Files share contents and suspicious sign-in activity.yaml
@@ -0,0 +1,30 @@
+id: 11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a
+name: Files share contents and suspicious sign-in activity
+description: |
+ This query helps hunting for Files share contents and suspicious sign-in activity
+description-detailed: |
+ This query helps hunting for Files share contents and suspicious sign-in activity.
+ By correlating the file share emails with suspicious sign-ins, compromises can be detected. Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection.
+ Shared by Microsoft Threat Intelligence: https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-services-misused-for-identity-phishing/
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+ dataTypes:
+ - EmailEvents
+ - AADSignInEventsBeta
+tactics:
+ - InitialAccess
+relevantTechniques:
+ - T1566
+query: |
+ let usersWithSuspiciousEmails = EmailEvents
+ | where Subject has_all ("shared", "with you")
+ | where Subject has_any ("payment", "invoice", "urgent", "mandatory", "Payoff", "Wire", "Confirmation", "password")
+ | where isnotempty(RecipientObjectId)
+ | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId) by Subject
+ | where RecipientCount >= 10
+ | mv-expand RecipientList to typeof(string)
+ | distinct RecipientList;
+ AADSignInEventsBeta
+ | where AccountObjectId in (usersWithSuspiciousEmails)
+ | where RiskLevelDuringSignIn == 100
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Microsoft Defender XDR/Package/3.0.10.zip b/Solutions/Microsoft Defender XDR/Package/3.0.10.zip
new file mode 100644
index 00000000000..46d28c7db45
Binary files /dev/null and b/Solutions/Microsoft Defender XDR/Package/3.0.10.zip differ
diff --git a/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json b/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json
index d95e38b9d57..e5d9b2556f1 100644
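Review bot: The sign-in side of the query has no time relationship to the email: `AADSignInEventsBeta | where AccountObjectId in (usersWithSuspiciousEmails)` returns every high-risk sign-in for a recipient anywhere in the lookback, including ones that happened before the share email arrived, so the hunt cannot separate a sign-in that followed the lure from an unrelated risk event. Carrying the earliest email time through the `summarize` and joining on the recipient lets the sign-in be bounded to a window after the email; the rewrite below does that, with the window size only illustrative. The Automated email notifications query in the earlier hunk appears to use the same `let … ; AADSignInEventsBeta` shape, but its query text is garbled in this view from `startswith "` onwards, so I could not confirm the same gap there.
```yaml
 let usersWithSuspiciousEmails = EmailEvents
 // … unchanged: Subject and RecipientObjectId filters …
 | summarize RecipientCount = dcount(RecipientObjectId), RecipientList = make_set(RecipientObjectId), EmailTime = min(Timestamp) by Subject
 | where RecipientCount >= 10
 | mv-expand RecipientList to typeof(string)
 | project AccountObjectId = RecipientList, EmailTime;
 AADSignInEventsBeta
 | where RiskLevelDuringSignIn == 100
 | join kind=inner usersWithSuspiciousEmails on AccountObjectId
 // illustrative window: keep only sign-ins that follow the share email
 | where Timestamp between (EmailTime .. EmailTime + 7d)
```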
--- a/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Defender XDR/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Defender XDR](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.\n\nAdditional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on [GitHub](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender). This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 40, **Hunting Queries:** 156\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Microsoft Defender XDR](https://www.microsoft.com/security/business/threat-protection/microsoft-365-defender) solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.\n\nAdditional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on [GitHub](https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender). This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. 
[Azure Monitor HTTP Data Collector API](https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 40, **Hunting Queries:** 160\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -2938,6 +2938,62 @@ } } ] + }, + { + "name": "huntingquery157", + "type": "Microsoft.Common.Section", + "label": "Automated email notifications and suspicious sign-in activity", + "elements": [ + { + "name": "huntingquery157-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for Automated email notifications and suspicious sign-in activity This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents AADSignInEventsBeta Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery158", + "type": "Microsoft.Common.Section", + "label": "Files share contents and suspicious sign-in activity", + "elements": [ + { + "name": "huntingquery158-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for Files share contents and suspicious sign-in activity This hunting query depends on MicrosoftThreatProtection data connector (EmailEvents AADSignInEventsBeta Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery159", + "type": "Microsoft.Common.Section", + "label": "BEC - File sharing tactics - OneDrive or SharePoint", + "elements": [ + { + "name": "huntingquery159-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery160", + "type": "Microsoft.Common.Section", + "label": "BEC - File sharing tactics - Dropbox", + "elements": [ + { + "name": "huntingquery160-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query helps hunting for BEC - File sharing tactics - Dropbox This hunting query depends on MicrosoftThreatProtection data connector (CloudAppEvents Parser or Table)" + } + } + ] } ] } 
diff --git a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json index 4ac5705ea00..79071cb1470 100644 --- a/Solutions/Microsoft Defender XDR/Package/mainTemplate.json +++ b/Solutions/Microsoft Defender XDR/Package/mainTemplate.json @@ -57,7 +57,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Defender XDR", - "_solutionVersion": "3.0.9", + "_solutionVersion": "3.0.10", "solutionId": "azuresentinel.azure-sentinel-solution-microsoft365defender", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "MicrosoftThreatProtection", 
@@ -1129,6 +1129,26 @@ "_huntingQuerycontentId156": "c10b22a0-6021-46f9-bdaf-05bf2350a554", "huntingQueryTemplateSpecName156": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('c10b22a0-6021-46f9-bdaf-05bf2350a554')))]" }, + "huntingQueryObject157": { + "huntingQueryVersion157": "1.0.0", + "_huntingQuerycontentId157": "0955f477-6471-468a-9b13-fc5fa96d7db2", + "huntingQueryTemplateSpecName157": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0955f477-6471-468a-9b13-fc5fa96d7db2')))]" + }, + "huntingQueryObject158": { + "huntingQueryVersion158": "1.0.0", + "_huntingQuerycontentId158": "11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a", + "huntingQueryTemplateSpecName158": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('11cc0e3f-9718-4ab5-be7b-d9c036ed6b0a')))]" + }, + "huntingQueryObject159": { + "huntingQueryVersion159": "1.0.0", + "_huntingQuerycontentId159": "da745698-da8a-40c5-b527-2e9328c2cefe", + "huntingQueryTemplateSpecName159": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('da745698-da8a-40c5-b527-2e9328c2cefe')))]" + }, + "huntingQueryObject160": { + "huntingQueryVersion160": "1.0.0", + "_huntingQuerycontentId160": "85dea577-1c76-44ff-8cad-b47182874ddb", + "huntingQueryTemplateSpecName160": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('85dea577-1c76-44ff-8cad-b47182874ddb')))]" + }, "workbookVersion1": "1.0.0", "workbookContentId1": "MicrosoftDefenderForOffice365detectionsandinsights", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
@@ -1160,7 +1180,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Defender XDR data connector with template version 3.0.9", + "description": "Microsoft Defender XDR data connector with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1637,7 +1657,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PossiblePhishingwithCSL&NetworkSession_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -1665,86 +1685,86 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "AlertEvidence", "EmailEvents", "IdentityInfo", "DeviceEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" }, { - "connectorId": "Zscaler", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Zscaler" }, { - "connectorId": "Fortinet", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "Fortinet" }, { - "connectorId": "CheckPoint", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CheckPoint" }, { - "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "PaloAltoNetworks" }, { - "connectorId": "AWSS3", "datatypes": [ "AWSVPCFlow" - ] + ], + "connectorId": "AWSS3" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" }, { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "MicrosoftSysmonForLinux", "dataTypes": [ "Syslog" - ] + ], + "connectorId": "MicrosoftSysmonForLinux" }, { - "connectorId": "AzureNSG", "dataTypes": [ "AzureDiagnostics" - ] + ], + "connectorId": "AzureNSG" }, { - "connectorId": "AzureMonitor(VMInsights)", "dataTypes": [ "VMConnection" - ] + ], + "connectorId": "AzureMonitor(VMInsights)" }, { - "connectorId": "AIVectraStream", "dataTypes": [ "VectraStream_CL" - ] + ], + "connectorId": "AIVectraStream" } ], "tactics": [ @@ -1757,6 +1777,7 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
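Review bot: The AWSS3 entry in `requiredDataConnectors` still carries the key `datatypes` (lowercase t) while every other connector entry in this hunk uses `dataTypes`; if that property name is matched case-sensitively, the AWS VPC Flow prerequisite for the PossiblePhishingwithCSL&NetworkSession rule is presumably ignored rather than enforced, so the rule could be shown as deployable without that data. The commit only moves `connectorId` below the list and leaves the casing untouched. The one-line change is `"dataTypes": [ "AWSVPCFlow" ]`, but since `Package/mainTemplate.json` looks like generated output, the fix likely belongs in the rule's source YAML followed by re-packaging rather than an edit here. The enclosing analytic-rule resource object starts and ends outside this hunk.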
@@ -1770,10 +1791,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -1787,10 +1808,10 @@ "identifier": "UPNSuffix", "columnName": "RecipientEmailUPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -1804,26 +1825,25 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "SourceIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "DestinationIP" } - ], - "entityType": "IP" + ] } ] } @@ -1879,7 +1899,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "SUNSPOTHashes_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1907,11 +1927,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceImageLoadEvents", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -1922,6 +1942,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -1935,10 +1956,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
@@ -1952,8 +1973,7 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] } ] } @@ -2009,7 +2029,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PotentialBuildProcessCompromiseMDE_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -2037,11 +2057,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2052,6 +2072,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "HostName", @@ -2061,10 +2082,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -2078,8 +2099,7 @@ "identifier": "UPNSuffix", "columnName": "FileEditDomain" } - ], - "entityType": "Account" + ] } ] } 
@@ -2135,7 +2155,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "SolarWinds_TEARDROP_Process-IOCs_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -2163,10 +2183,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2181,6 +2201,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2194,10 +2215,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -2211,10 +2232,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -2224,8 +2245,7 @@ "identifier": "Value", "columnName": "InitiatingProcessSHA1" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -2281,7 +2301,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "SolarWinds_SUNBURST_Network-IOCs_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -2309,10 +2329,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2327,6 +2347,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2340,10 +2361,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -2357,28 +2378,28 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -2388,8 +2409,7 @@ "identifier": "Value", "columnName": "InitiatingProcessMD5" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -2445,7 +2465,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2473,10 +2493,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2491,6 +2511,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2504,10 +2525,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -2521,10 +2542,10 @@ "identifier": "UPNSuffix", "columnName": "InitiatingProcessAccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -2534,8 +2555,7 @@ "identifier": "Value", "columnName": "MD5" } - ], - "entityType": "FileHash" + ] } ] } 
@@ -2591,7 +2611,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "AVdetectionsrelatedtoUkrainebasedthreats_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -2619,10 +2639,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2633,6 +2653,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2646,8 +2667,7 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] } ] } @@ -2703,7 +2723,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "AVTarrask_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -2731,10 +2751,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -2745,6 +2765,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2758,17 +2779,16 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "PublicIP" } - ], - "entityType": "IP" + ] } ] } @@ -2824,7 +2844,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "AVSpringShell_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2852,10 +2872,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "SecurityAlert" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2866,6 +2886,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -2879,17 +2900,16 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "PublicIP" } - ], - "entityType": "IP" + ] } ] } 
@@ -2945,7 +2965,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PossibleWebpBufferOverflow_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -2973,13 +2993,13 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents", "DeviceEvents", "DeviceTvmSoftwareVulnerabilities" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -2990,6 +3010,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3003,10 +3024,10 @@ "identifier": "DnsDomain", "columnName": "HostNameDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
@@ -3020,62 +3041,61 @@ "identifier": "UPNSuffix", "columnName": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", "columnName": "ProcessId" } - ], - "entityType": "Process" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", "columnName": "InitiatingProcessId" } - ], - "entityType": "Process" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "alertDetailsOverride": { - "alertDynamicProperties": [], - "alertDisplayNameFormat": "Possible exploitation of CVE-2023-4863" + "alertDisplayNameFormat": "Possible exploitation of CVE-2023-4863", + "alertDynamicProperties": [] }, "incidentConfiguration": { "groupingConfiguration": { + "reopenClosedIncident": false, + "enabled": false, + "matchingMethod": "Selected", "groupByEntities": [ "Account" ], - "lookbackDuration": "PT5H", - "enabled": false, - "matchingMethod": "Selected", - "reopenClosedIncident": false + "lookbackDuration": "PT5H" }, "createIncident": false } @@ -3132,7 +3152,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeimosComponentExecution_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DeimosComponentExecution_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", 
@@ -3160,10 +3180,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3178,6 +3198,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3191,8 +3212,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3248,7 +3268,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImminentRansomware_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ImminentRansomware_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -3285,6 +3305,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3298,8 +3319,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3355,7 +3375,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousCMDExecutionByJava_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "MaliciousCMDExecutionByJava_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", 
@@ -3383,10 +3403,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3397,6 +3417,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3410,8 +3431,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3467,7 +3487,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "C2-NamedPipe_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "C2-NamedPipe_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -3495,10 +3515,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3509,6 +3529,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3522,8 +3543,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -3579,7 +3599,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelPaymerProcDump_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DoppelPaymerProcDump_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -3607,10 +3627,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3621,6 +3641,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3634,8 +3655,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3691,7 +3711,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LSASSCredDumpProcdump_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LSASSCredDumpProcdump_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", @@ -3719,10 +3739,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -3733,6 +3753,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3746,8 +3767,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3803,7 +3823,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelpaymerStopService_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DoppelpaymerStopService_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]", @@ -3831,10 +3851,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3847,6 +3867,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3860,8 +3881,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -3917,7 +3937,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotCampaignSelfDeletion_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "QakbotCampaignSelfDeletion_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", 
@@ -3945,10 +3965,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3959,6 +3979,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -3972,8 +3993,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -4029,7 +4049,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", @@ -4057,11 +4077,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4077,6 +4097,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4090,35 +4111,34 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] } ] } 
@@ -4174,7 +4194,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32WithAnomalousParentProcess_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "Regsvr32Rundll32WithAnomalousParentProcess_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -4202,11 +4222,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4222,6 +4242,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4235,35 +4256,34 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "LocalIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "RemoteUrl" } - ], - "entityType": "URL" + ] } ] } 
@@ -4319,7 +4339,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousCommandInitiatedByWebServerProcess_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "SuspiciousCommandInitiatedByWebServerProcess_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", @@ -4347,10 +4367,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4366,6 +4386,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4379,8 +4400,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -4436,7 +4456,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BITSAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "BITSAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", @@ -4464,10 +4484,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -4482,6 +4502,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4495,10 +4516,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -4508,8 +4529,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -4565,7 +4585,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OfficeAppsLaunchingWscript_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "OfficeAppsLaunchingWscript_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", @@ -4593,10 +4613,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4611,6 +4631,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4624,10 +4645,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -4637,8 +4658,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } 
@@ -4694,7 +4714,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialKerberoastActivities_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PotentialKerberoastActivities_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -4722,10 +4742,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "IdentityLogonEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4739,6 +4759,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4752,10 +4773,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -4769,8 +4790,7 @@ "identifier": "Name", "columnName": "AccountName" } - ], - "entityType": "Account" + ] } ] } @@ -4826,7 +4846,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FilesCopiedToUSBDrives_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "FilesCopiedToUSBDrives_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", 
@@ -4854,11 +4874,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents", "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -4869,6 +4889,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -4882,10 +4903,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "File", "fieldMappings": [ { "identifier": "Name", @@ -4895,10 +4916,10 @@ "identifier": "Directory", "columnName": "FolderPath" } - ], - "entityType": "File" + ] }, { + "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", @@ -4908,8 +4929,7 @@ "identifier": "Value", "columnName": "SHA256" } - ], - "entityType": "FileHash" + ] } ] } @@ -4965,7 +4985,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MosaicLoader_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "MosaicLoader_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", @@ -4993,10 +5013,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceRegistryEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5007,6 +5027,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5020,10 +5041,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "RegistryValue", "fieldMappings": [ { "identifier": "Name", 
@@ -5033,8 +5054,7 @@ "identifier": "Value", "columnName": "RegistryValueData" } - ], - "entityType": "RegistryValue" + ] } ] } @@ -5090,7 +5110,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousVoulmeOfFileDeletion_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "AnomalousVoulmeOfFileDeletion_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5118,11 +5138,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "CloudAppEvents", "AADSignInEventsBeta" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5133,15 +5153,16 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "AadUserId", "columnName": "UserId" } - ], - "entityType": "Account" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "Name", @@ -5151,17 +5172,16 @@ "identifier": "NTDomain", "columnName": "NTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "CloudApplication", "fieldMappings": [ { "identifier": "AppId", "columnName": "ApplicationId" } - ], - "entityType": "CloudApplication" + ] } ], "customDetails": { 
@@ -5220,7 +5240,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RemoteFileCreationWithPsExec_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "RemoteFileCreationWithPsExec_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -5248,10 +5268,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceFileEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5262,6 +5282,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5275,8 +5296,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -5332,7 +5352,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ServiceAccountsPerformingRemotePS_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ServiceAccountsPerformingRemotePS_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", @@ -5360,11 +5380,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceLogonEvents", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -5375,6 +5395,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5388,10 +5409,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -5405,8 +5426,7 @@ "identifier": "Name", "columnName": "AccountName" } - ], - "entityType": "Account" + ] } ] } @@ -5462,7 +5482,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreation_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "AccountCreation_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", @@ -5490,10 +5510,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5504,6 +5524,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5517,10 +5538,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -5530,8 +5551,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } 
@@ -5587,7 +5607,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LocalAdminGroupChanges_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LocalAdminGroupChanges_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", @@ -5615,11 +5635,11 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "IdentityInfo", "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5630,6 +5650,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5643,10 +5664,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -5660,8 +5681,7 @@ "identifier": "NTDomain", "columnName": "laccountdomain" } - ], - "entityType": "Account" + ] } ] } @@ -5717,7 +5737,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareProcessAsService_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "RareProcessAsService_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", 
@@ -5745,13 +5765,13 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents", "DeviceNetworkEvents", "DeviceFileEvents", "DeviceImageLoadEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5766,6 +5786,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5779,10 +5800,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -5792,8 +5813,7 @@ "identifier": "CommandLine", "columnName": "ServiceProcessCmdline" } - ], - "entityType": "Process" + ] } ] } @@ -5849,7 +5869,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DisableSecurityServiceViaRegistry_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DisableSecurityServiceViaRegistry_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", @@ -5877,10 +5897,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -5891,6 +5911,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -5904,10 +5925,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", 
@@ -5921,10 +5942,10 @@ "identifier": "NTDomain", "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -5934,8 +5955,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -5991,7 +6011,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DataDeletionOnMulipleDrivesUsingCipherExe_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DataDeletionOnMulipleDrivesUsingCipherExe_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", @@ -6019,10 +6039,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6033,6 +6053,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6046,8 +6067,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -6103,7 +6123,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LaZagneCredTheft_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LaZagneCredTheft_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", @@ -6131,10 +6151,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6145,6 +6165,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6158,10 +6179,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -6171,8 +6192,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -6228,7 +6248,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LogDeletionUsingWevtutil_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LogDeletionUsingWevtutil_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", 
@@ -6256,10 +6276,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6270,6 +6290,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6283,8 +6304,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -6340,7 +6360,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultiProcessKillWithTaskKill_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "MultiProcessKillWithTaskKill_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", @@ -6368,10 +6388,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6382,6 +6402,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6395,8 +6416,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } 
@@ -6452,7 +6472,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialCobaltStrikeRansomwareActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PotentialCobaltStrikeRansomwareActivity_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", @@ -6480,12 +6500,12 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "AlertInfo", "AlertEvidence", "DeviceLogonEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6502,6 +6522,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6515,10 +6536,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -6532,17 +6553,16 @@ "identifier": "DnsDomain", "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "RemoteIP" } - ], - "entityType": "IP" + ] } ] } 
@@ -6598,7 +6618,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotDiscoveryActivities_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "QakbotDiscoveryActivities_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", @@ -6626,10 +6646,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -6644,6 +6664,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6657,8 +6678,7 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] } ] } @@ -6714,7 +6734,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ShadowCopyDeletion_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ShadowCopyDeletion_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", @@ -6742,10 +6762,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceProcessEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ 
@@ -6756,6 +6776,7 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", @@ -6769,10 +6790,10 @@ "identifier": "DnsDomain", "columnName": "DnsDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", @@ -6786,10 +6807,10 @@ "identifier": "DnsDomain", "columnName": "AccountDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { "identifier": "ProcessId", @@ -6799,8 +6820,7 @@ "identifier": "CommandLine", "columnName": "ProcessCommandLine" } - ], - "entityType": "Process" + ] } ] } @@ -6856,7 +6876,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Check for spoofing attempts on the domain with Authentication failures_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -6941,7 +6961,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Delivered Bad Emails from Top bad IPv4 addresses_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", 
@@ -7026,7 +7046,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.9", + "description": "EmailDelivered-ToInbox_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -7111,7 +7131,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DeimosComponentExecution_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -7192,7 +7212,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LemonDuckRegistrationFunction_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", 
@@ -7273,7 +7293,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DeviceWithLog4jAlerts_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -7354,7 +7374,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Log4jVulnRelatedAlerts_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -7435,7 +7455,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MaliciousUseOfMSBuildAsLoLBin_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", 
@@ -7516,7 +7536,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "QakbotReconActivities_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -7597,7 +7617,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "JudgementPandaExfilActivity_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -7682,7 +7702,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.9", + "description": "C2-NamedPipe_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]", 
@@ -7763,7 +7783,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ReconWithRundll_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]", @@ -7844,7 +7864,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DoppelPaymerProcdump_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]", @@ -7925,7 +7945,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LaZagne_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]", 
@@ -8006,7 +8026,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LSASSCredDumpProcdump_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]", @@ -8087,7 +8107,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DoppelpaymerStopServices_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]", @@ -8168,7 +8188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "QakbotCampaignSelfDeletion_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]", 
@@ -8249,7 +8269,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousCommandInitiatedByWebServerProcess_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]", @@ -8330,7 +8350,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AnomalousPayloadDeliveredWithISOFile_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]", @@ -8415,7 +8435,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "BitsadminActivity_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]", 
@@ -8496,7 +8516,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MaliciousUseOfMSIExec_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]", @@ -8577,7 +8597,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MaliciousUseOfMsiExecMimikatz_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject22').huntingQueryVersion22]", @@ -8658,7 +8678,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.9", + "description": "OfficeAppsLaunchingWscript_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject23').huntingQueryVersion23]", 
@@ -8739,7 +8759,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PowerShellDownloads_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject24').huntingQueryVersion24]", @@ -8820,7 +8840,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousMshtaUsage_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousMshtaUsage_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject25').huntingQueryVersion25]", @@ -8901,7 +8921,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FilesCopiedToUSBDrives_HuntingQueries Hunting Query with template version 3.0.9", + "description": "FilesCopiedToUSBDrives_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject26').huntingQueryVersion26]", 
@@ -8982,7 +9002,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousDLLInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousDLLInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject27').huntingQueryVersion27]", @@ -9063,7 +9083,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousFilesInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousFilesInSpoolFolder_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject28').huntingQueryVersion28]", @@ -9144,7 +9164,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousSpoolsvChildProcess_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousSpoolsvChildProcess_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject29').huntingQueryVersion29]", 
@@ -9225,7 +9245,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CVE-2022-26134-Confluence_HuntingQueries Hunting Query with template version 3.0.9", + "description": "CVE-2022-26134-Confluence_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject30').huntingQueryVersion30]", @@ -9310,7 +9330,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MosaicLoader_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MosaicLoader_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject31').huntingQueryVersion31]", @@ -9391,7 +9411,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PrintNightmareUsageDetection-CVE-2021-1675_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PrintNightmareUsageDetection-CVE-2021-1675_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject32').huntingQueryVersion32]", 
@@ -9472,7 +9492,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousVoulmeOfFileDeletion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AnomalousVoulmeOfFileDeletion_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject33').huntingQueryVersion33]", @@ -9553,7 +9573,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DetectMailSniper_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DetectMailSniper_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject34').huntingQueryVersion34]", @@ -9634,7 +9654,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountBruteForce_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AccountBruteForce_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject35').huntingQueryVersion35]", 
@@ -9711,7 +9731,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ServiceAccountsPerformingRemotePS_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ServiceAccountsPerformingRemotePS_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject36').huntingQueryVersion36]", @@ -9792,7 +9812,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LocalAdminGroupChanges_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LocalAdminGroupChanges_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject37').huntingQueryVersion37]", @@ -9873,7 +9893,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject38').huntingQueryVersion38]", 
@@ -9954,7 +9974,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DetectMultipleSignsOfRamsomwareActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DetectMultipleSignsOfRamsomwareActivity_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject39').huntingQueryVersion39]", @@ -10035,7 +10055,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IcedIdSuspiciousImageLoad_HuntingQueries Hunting Query with template version 3.0.9", + "description": "IcedIdSuspiciousImageLoad_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject40').huntingQueryVersion40]", @@ -10116,7 +10136,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LogDeletionUsingWevtutil_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LogDeletionUsingWevtutil_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject41').huntingQueryVersion41]", 
@@ -10197,7 +10217,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultiProcessKillWithTaskKill_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MultiProcessKillWithTaskKill_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject42').huntingQueryVersion42]", @@ -10278,7 +10298,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialCobaltStrikeRansomwareActivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PotentialCobaltStrikeRansomwareActivity_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject43').huntingQueryVersion43]", @@ -10359,7 +10379,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "QakbotDiscoveryActivities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "QakbotDiscoveryActivities_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject44').huntingQueryVersion44]", 
@@ -10440,7 +10460,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ShadowCopyDeletion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ShadowCopyDeletion_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject45').huntingQueryVersion45]", @@ -10525,7 +10545,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TurningOffServicesWithSCCommad_HuntingQueries Hunting Query with template version 3.0.9", + "description": "TurningOffServicesWithSCCommad_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject46').huntingQueryVersion46]", @@ -10606,7 +10626,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Detect_CISA_Alert_AA22-117A2021_Top_Routinely_Exploited_Vulnerabilities_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject47').huntingQueryVersion47]", 
@@ -10687,7 +10707,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PayloadDropUsingCertUtil_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PayloadDropUsingCertUtil_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject48').huntingQueryVersion48]", @@ -10768,7 +10788,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImminentRansomware_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ImminentRansomware_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject49').huntingQueryVersion49]", @@ -10849,7 +10869,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RobbinhoodDriver_HuntingQueries Hunting Query with template version 3.0.9", + "description": "RobbinhoodDriver_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject50').huntingQueryVersion50]", 
@@ -10930,7 +10950,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Snip3MaliciousNetworkConnectivity_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Snip3MaliciousNetworkConnectivity_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject51').huntingQueryVersion51]", @@ -11011,7 +11031,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousCMDExecutionByJava_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MaliciousCMDExecutionByJava_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject52').huntingQueryVersion52]", @@ -11092,7 +11112,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ClearSystemLogs_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ClearSystemLogs_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject53').huntingQueryVersion53]", 
@@ -11173,7 +11193,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Regsvr32Rundll32ImageLoadsAbnormalExtension_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject54').huntingQueryVersion54]", @@ -11258,7 +11278,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Regsvr32Rundll32WithAnomalousParentProcess_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Regsvr32Rundll32WithAnomalousParentProcess_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject55').huntingQueryVersion55]", @@ -11343,7 +11363,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User&GroupEnumWithNetCommand_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User&GroupEnumWithNetCommand_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject56').huntingQueryVersion56]", 
@@ -11420,7 +11440,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialKerberoastActivities_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PotentialKerberoastActivities_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject57').huntingQueryVersion57]", @@ -11505,7 +11525,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousAppExeutedByWebserver_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousAppExeutedByWebserver_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject58').huntingQueryVersion58]", @@ -11586,7 +11606,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousFileCreationByPrintSpoolerService_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousFileCreationByPrintSpoolerService_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject59').huntingQueryVersion59]", 
@@ -11671,7 +11691,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SpoolsvSpawningRundll32_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SpoolsvSpawningRundll32_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject60').huntingQueryVersion60]", @@ -11752,7 +11772,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MITRESuspiciousEvents_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MITRESuspiciousEvents_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject61').huntingQueryVersion61]", @@ -11829,7 +11849,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RemoteFileCreationWithPsExec_HuntingQueries Hunting Query with template version 3.0.9", + "description": "RemoteFileCreationWithPsExec_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject62').huntingQueryVersion62]", 
@@ -11910,7 +11930,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AccountCreation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AccountCreation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject63').huntingQueryVersion63]", @@ -11987,7 +12007,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareProcessAsService_HuntingQueries Hunting Query with template version 3.0.9", + "description": "RareProcessAsService_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject64').huntingQueryVersion64]", @@ -12072,7 +12092,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SAMNameChange_CVE-2021-42278_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SAMNameChange_CVE-2021-42278_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject65').huntingQueryVersion65]", 
@@ -12153,7 +12173,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DisableSecurityServiceViaRegistry_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DisableSecurityServiceViaRegistry_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject66').huntingQueryVersion66]", @@ -12234,7 +12254,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainDiscoveryWMICwithDLLHostExe_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DomainDiscoveryWMICwithDLLHostExe_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject67').huntingQueryVersion67]", @@ -12315,7 +12335,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDEExclusionUsingPowerShell_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDEExclusionUsingPowerShell_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject68').huntingQueryVersion68]", 
@@ -12396,7 +12416,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DataDeletionOnMulipleDrivesUsingCipherExe_HuntingQueries Hunting Query with template version 3.0.9", + "description": "DataDeletionOnMulipleDrivesUsingCipherExe_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject69').huntingQueryVersion69]", @@ -12477,7 +12497,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LaZagneCredTheft_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LaZagneCredTheft_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject70').huntingQueryVersion70]", @@ -12558,7 +12578,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ATP policy status check_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ATP policy status check_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject71').huntingQueryVersion71]", 
@@ -12643,7 +12663,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "JNLP attachment_HuntingQueries Hunting Query with template version 3.0.9", + "description": "JNLP attachment_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject72').huntingQueryVersion72]", @@ -12728,7 +12748,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Safe attachment detection_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Safe attachment detection_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject73').huntingQueryVersion73]", @@ -12813,7 +12833,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Authentication failures_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Authentication failures_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject74').huntingQueryVersion74]", 
@@ -12898,7 +12918,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof attempts with auth failure_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Spoof attempts with auth failure_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject75').huntingQueryVersion75]", @@ -12983,7 +13003,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Audit Email Preview-Download action_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Audit Email Preview-Download action_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject76').huntingQueryVersion76]", @@ -13068,7 +13088,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for TABL changes_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunt for TABL changes_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject77').huntingQueryVersion77]", 
@@ -13153,7 +13173,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Local time to UTC time conversion_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Local time to UTC time conversion_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject78').huntingQueryVersion78]", @@ -13238,7 +13258,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO daily detection summary report_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO daily detection summary report_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject79').huntingQueryVersion79]", @@ -13323,7 +13343,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mail item accessed_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Mail item accessed_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject80').huntingQueryVersion80]", 
@@ -13408,7 +13428,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious email senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Malicious email senders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject81').huntingQueryVersion81]", @@ -13493,7 +13513,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "New TABL Items_HuntingQueries Hunting Query with template version 3.0.9", + "description": "New TABL Items_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject82').huntingQueryVersion82]", @@ -13578,7 +13598,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails containing links to IP addresses_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Emails containing links to IP addresses_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject83').huntingQueryVersion83]", 
@@ -13663,7 +13683,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Good emails from senders with bad patterns_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Good emails from senders with bad patterns_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject84').huntingQueryVersion84]", @@ -13748,7 +13768,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for email conversation take over attempts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunt for email conversation take over attempts_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject85').huntingQueryVersion85]", @@ -13833,7 +13853,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for malicious URLs using external IOC source_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunt for malicious URLs using external IOC source_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject86').huntingQueryVersion86]", 
@@ -13918,7 +13938,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunt for malicious attachments using external IOC source_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunt for malicious attachments using external IOC source_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject87').huntingQueryVersion87]", @@ -14003,7 +14023,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Inbox rule change which forward-redirect email_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Inbox rule change which forward-redirect email_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject88').huntingQueryVersion88]", @@ -14088,7 +14108,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_CountOfRecipientsEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO_CountOfRecipientsEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject89').huntingQueryVersion89]", 
@@ -14173,7 +14193,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_CountOfSendersEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO_CountOfSendersEmailaddressbySubject_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject90').huntingQueryVersion90]", @@ -14258,7 +14278,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_Countofrecipientsemailaddressesbysubject_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO_Countofrecipientsemailaddressesbysubject_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject91').huntingQueryVersion91]", @@ -14343,7 +14363,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_SummaryOfSenders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO_SummaryOfSenders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject92').huntingQueryVersion92]", 
@@ -14428,7 +14448,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MDO_URLClickedinEmail_HuntingQueries Hunting Query with template version 3.0.9", + "description": "MDO_URLClickedinEmail_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject93').huntingQueryVersion93]", @@ -14513,7 +14533,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Detections by detection methods_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Detections by detection methods_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject94').huntingQueryVersion94]", @@ -14598,7 +14618,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mail reply to new domain_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Mail reply to new domain_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject95').huntingQueryVersion95]", 
@@ -14683,7 +14703,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Mailflow by directionality_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Mailflow by directionality_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject96').huntingQueryVersion96]", @@ -14768,7 +14788,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious emails detected per day_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Malicious emails detected per day_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject97').huntingQueryVersion97]", @@ -14853,7 +14873,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Sender recipient contact establishment_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Sender recipient contact establishment_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject98').huntingQueryVersion98]", 
@@ -14938,7 +14958,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 100 malicious email senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top 100 malicious email senders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject99').huntingQueryVersion99]", @@ -15023,7 +15043,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 100 senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top 100 senders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject100').huntingQueryVersion100]", @@ -15108,7 +15128,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Zero day threats_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Zero day threats_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject101').huntingQueryVersion101]", 
@@ -15193,7 +15213,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email containing malware accessed on a unmanaged device_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Email containing malware accessed on a unmanaged device_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject102').huntingQueryVersion102]", @@ -15278,7 +15298,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email containing malware sent by an internal sender_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Email containing malware sent by an internal sender_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject103').huntingQueryVersion103]", @@ -15363,7 +15383,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email malware detection report_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Email malware detection report_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject104').huntingQueryVersion104]", 
@@ -15448,7 +15468,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malware detections by detection methods_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Malware detections by detection methods_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject105').huntingQueryVersion105]", @@ -15533,7 +15553,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin overrides_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Admin overrides_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject106').huntingQueryVersion106]", @@ -15618,7 +15638,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top policies performing admin overrides_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top policies performing admin overrides_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject107').huntingQueryVersion107]", 
@@ -15703,7 +15723,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top policies performing user overrides_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top policies performing user overrides_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject108').huntingQueryVersion108]", @@ -15788,7 +15808,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User overrides_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User overrides_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject109').huntingQueryVersion109]", @@ -15873,7 +15893,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Appspot phishing abuse_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Appspot phishing abuse_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject110').huntingQueryVersion110]", 
@@ -15958,7 +15978,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PhishDetectionByDetectionMethod_HuntingQueries Hunting Query with template version 3.0.9", + "description": "PhishDetectionByDetectionMethod_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject111').huntingQueryVersion111]", @@ -16043,7 +16063,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Campaign with randomly named attachments_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Campaign with randomly named attachments_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject112').huntingQueryVersion112]", @@ -16128,7 +16148,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Campaign with suspicious keywords_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Campaign with suspicious keywords_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject113').huntingQueryVersion113]", 
@@ -16213,7 +16233,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Custom detection-Emails with QR from non-prevalent senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Custom detection-Emails with QR from non-prevalent senders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject114').huntingQueryVersion114]", @@ -16298,7 +16318,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails delivered having URLs from QR codes_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Emails delivered having URLs from QR codes_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject115').huntingQueryVersion115]", 
@@ -16383,7 +16403,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails with QR codes and suspicious keywords in subject_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Emails with QR codes and suspicious keywords in subject_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject116').huntingQueryVersion116]", @@ -16468,7 +16488,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Emails with QR codes from non-prevalent sender_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Emails with QR codes from non-prevalent sender_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject117').huntingQueryVersion117]", @@ -16553,7 +16573,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunting for sender patterns_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunting for sender patterns_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject118').huntingQueryVersion118]", 
@@ -16638,7 +16658,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Hunting for user signals-clusters_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Hunting for user signals-clusters_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject119').huntingQueryVersion119]", @@ -16723,7 +16743,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Inbound emails with QR code URLs_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Inbound emails with QR code URLs_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject120').huntingQueryVersion120]", @@ -16808,7 +16828,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Personalized campaigns based on the first few keywords_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Personalized campaigns based on the first few keywords_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject121').huntingQueryVersion121]", 
@@ -16893,7 +16913,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Personalized campaigns based on the last few keywords_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Personalized campaigns based on the last few keywords_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject122').huntingQueryVersion122]", @@ -16978,7 +16998,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Risky sign-in attempt from a non-managed device_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Risky sign-in attempt from a non-managed device_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject123').huntingQueryVersion123]", 
@@ -17063,7 +17083,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Suspicious sign-in attempts from QR code phishing campaigns_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Suspicious sign-in attempts from QR code phishing campaigns_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject124').huntingQueryVersion124]", @@ -17148,7 +17168,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Group quarantine release_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Group quarantine release_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject125').huntingQueryVersion125]", @@ -17233,7 +17253,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "High Confidence Phish Released_HuntingQueries Hunting Query with template version 3.0.9", + "description": "High Confidence Phish Released_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject126').huntingQueryVersion126]", 
@@ -17318,7 +17338,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine Release Email Details_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Quarantine Release Email Details_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject127').huntingQueryVersion127]", @@ -17403,7 +17423,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Quarantine release trend_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Quarantine release trend_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject128').huntingQueryVersion128]", @@ -17488,7 +17508,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Email remediation action list_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Email remediation action list_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject129').huntingQueryVersion129]", 
@@ -17573,7 +17593,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Display Name - Spoof and Impersonation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Display Name - Spoof and Impersonation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject130').huntingQueryVersion130]", @@ -17658,7 +17678,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Referral phish emails_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Referral phish emails_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject131').huntingQueryVersion131]", @@ -17743,7 +17763,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof and impersonation detections by sender IP_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Spoof and impersonation detections by sender IP_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject132').huntingQueryVersion132]", 
@@ -17828,7 +17848,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Spoof and impersonation phish detections_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Spoof and impersonation phish detections_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject133').huntingQueryVersion133]", @@ -17913,7 +17933,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User not covered under display name impersonation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User not covered under display name impersonation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject134').huntingQueryVersion134]", @@ -17998,7 +18018,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Admin reported submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Admin reported submissions_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject135').huntingQueryVersion135]", 
@@ -18083,7 +18103,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Status of submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Status of submissions_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject136').huntingQueryVersion136]", @@ -18168,7 +18188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top submitters of admin submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top submitters of admin submissions_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject137').huntingQueryVersion137]", @@ -18253,7 +18273,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top submitters of user submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top submitters of user submissions_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject138').huntingQueryVersion138]", 
@@ -18338,7 +18358,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User reported submissions_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User reported submissions_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject139').huntingQueryVersion139]", @@ -18423,7 +18443,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Attacked more than x times average_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Attacked more than x times average_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject140').huntingQueryVersion140]", @@ -18508,7 +18528,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Malicious mails by sender IPs_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Malicious mails by sender IPs_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject141').huntingQueryVersion141]", 
@@ -18593,7 +18613,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 URL domains attacking organization_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top 10 URL domains attacking organization_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject142').huntingQueryVersion142]", @@ -18678,7 +18698,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top 10 percent of most attacked users_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top 10 percent of most attacked users_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject143').huntingQueryVersion143]", @@ -18763,7 +18783,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top external malicious senders_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject144').huntingQueryVersion144]", 
@@ -18848,7 +18868,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Top targeted users_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Top targeted users_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject145').huntingQueryVersion145]", @@ -18933,7 +18953,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "End user malicious clicks_HuntingQueries Hunting Query with template version 3.0.9", + "description": "End user malicious clicks_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject146').huntingQueryVersion146]", @@ -19018,7 +19038,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL click count by click action_HuntingQueries Hunting Query with template version 3.0.9", + "description": "URL click count by click action_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject147').huntingQueryVersion147]", 
@@ -19103,7 +19123,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL click on ZAP Email_HuntingQueries Hunting Query with template version 3.0.9", + "description": "URL click on ZAP Email_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject148').huntingQueryVersion148]", @@ -19188,7 +19208,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URL clicks actions by URL_HuntingQueries Hunting Query with template version 3.0.9", + "description": "URL clicks actions by URL_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject149').huntingQueryVersion149]", @@ -19273,7 +19293,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLClick details based on malicious URL click alert_HuntingQueries Hunting Query with template version 3.0.9", + "description": "URLClick details based on malicious URL click alert_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject150').huntingQueryVersion150]", 
@@ -19358,7 +19378,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User clicked through events_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User clicked through events_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject151').huntingQueryVersion151]", @@ -19443,7 +19463,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User clicks on malicious inbound emails_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User clicks on malicious inbound emails_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject152').huntingQueryVersion152]", @@ -19528,7 +19548,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "User clicks on phishing URLs in emails_HuntingQueries Hunting Query with template version 3.0.9", + "description": "User clicks on phishing URLs in emails_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject153').huntingQueryVersion153]", 
@@ -19613,7 +19633,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Phishing Email Url Redirector_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Phishing Email Url Redirector_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject154').huntingQueryVersion154]", @@ -19698,7 +19718,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SafeLinks URL detections_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SafeLinks URL detections_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject155').huntingQueryVersion155]", @@ -19783,7 +19803,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Total ZAP count_HuntingQueries Hunting Query with template version 3.0.9", + "description": "Total ZAP count_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject156').huntingQueryVersion156]", 
@@ -19859,6 +19879,346 @@ "version": "1.0.0" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject157').huntingQueryTemplateSpecName157]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Automated email notifications and suspicious sign-in activity_HuntingQueries Hunting Query with template version 3.0.10", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject157').huntingQueryVersion157]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Defender_XDR_Hunting_Query_157", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Automated email notifications and suspicious sign-in activity", + "category": "Hunting Queries", + "query": "let usersWithSuspiciousEmails = EmailEvents\n| where SenderFromAddress in (\"no-reply@notify.microsoft.com\", \"no-reply@dropbox.com\") or InternetMessageId startswith \"= 10\n| mv-expand RecipientList to typeof(string)\n| distinct RecipientList;\nAADSignInEventsBeta\n| where AccountObjectId in (usersWithSuspiciousEmails)\n| where RiskLevelDuringSignIn == 100\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query helps hunting for Files share contents and suspicious sign-in activity" + }, + { + "name": "tactics", + "value": "InitialAccess" + }, + { + "name": "techniques", + "value": "T1566" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", 
+ "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject158')._huntingQuerycontentId158),'/'))))]", + "properties": { + "description": "Microsoft Defender XDR Hunting Query 158", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject158')._huntingQuerycontentId158)]", + "contentId": "[variables('huntingQueryObject158')._huntingQuerycontentId158]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject158').huntingQueryVersion158]", + "source": { + "kind": "Solution", + "name": "Microsoft Defender XDR", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject158')._huntingQuerycontentId158]", + "contentKind": "HuntingQuery", + "displayName": "Files share contents and suspicious sign-in activity", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject158')._huntingQuerycontentId158,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject158')._huntingQuerycontentId158,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject159').huntingQueryTemplateSpecName159]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "BEC - File sharing tactics - OneDrive or SharePoint_HuntingQueries Hunting Query with template version 3.0.10", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject159').huntingQueryVersion159]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Defender_XDR_Hunting_Query_159", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "BEC - File sharing tactics - OneDrive or SharePoint", + "category": "Hunting Queries", + "query": "let securelinkCreated = CloudAppEvents\n| where ActionType == \"SecureLinkCreated\"\n| project FileCreatedTime = Timestamp, AccountObjectId, ObjectName;\nlet filesCreated = securelinkCreated\n| where isnotempty(ObjectName)\n| distinct tostring(ObjectName);\nCloudAppEvents\n| where ActionType == \"AddedToSecureLink\"\n| where Application in (\"Microsoft SharePoint Online\", \"Microsoft OneDrive for Business\")\n| extend FileShared = tostring(RawEventData.ObjectId)\n| where FileShared in (filesCreated)\n| extend UserSharedWith = tostring(RawEventData.TargetUserOrGroupName)\n| extend TypeofUserSharedWith = RawEventData.TargetUserOrGroupType\n| where TypeofUserSharedWith == \"Guest\"\n| where isnotempty(FileShared) and isnotempty(UserSharedWith)\n| join kind=inner securelinkCreated on 
$left.FileShared==$right.ObjectName\n// Secure file created recently (in the last 1day)\n| where (Timestamp - FileCreatedTime) between (1d .. 0h)\n| summarize NumofUsersSharedWith = dcount(UserSharedWith) by FileShared\n| where NumofUsersSharedWith >= 20\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query helps hunting for BEC - File sharing tactics - OneDrive or SharePoint" + }, + { + "name": "tactics", + "value": "LateralMovement" + }, + { + "name": "techniques", + "value": "T1021" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject159')._huntingQuerycontentId159),'/'))))]", + "properties": { + "description": "Microsoft Defender XDR Hunting Query 159", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject159')._huntingQuerycontentId159)]", + "contentId": "[variables('huntingQueryObject159')._huntingQuerycontentId159]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject159').huntingQueryVersion159]", + "source": { + "kind": "Solution", + "name": "Microsoft Defender XDR", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('huntingQueryObject159')._huntingQuerycontentId159]", + "contentKind": "HuntingQuery", + 
"displayName": "BEC - File sharing tactics - OneDrive or SharePoint", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject159')._huntingQuerycontentId159,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject159')._huntingQuerycontentId159,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryObject160').huntingQueryTemplateSpecName160]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "BEC - File sharing tactics - Dropbox_HuntingQueries Hunting Query with template version 3.0.10", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryObject160').huntingQueryVersion160]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Microsoft_Defender_XDR_Hunting_Query_160", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "BEC - File sharing tactics - Dropbox", + "category": "Hunting Queries", + "query": "CloudAppEvents\n| where ActionType in (\"Added users and/or groups to shared file/folder\", \"Invited user to Dropbox and added them to shared file/folder\")\n| where Application == \"Dropbox\"\n| where ObjectType == \"File\"\n| extend FileShared = tostring(ObjectName)\n| where 
isnotempty(FileShared)\n| mv-expand ActivityObjects\n| where ActivityObjects.Type == \"Account\" and ActivityObjects.Role == \"To\"\n| extend SharedBy = AccountId\n| extend UserSharedWith = tostring(ActivityObjects.Name)\n| summarize dcount(UserSharedWith) by FileShared, AccountObjectId\n| where dcount_UserSharedWith >= 20\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This query helps hunting for BEC - File sharing tactics - Dropbox" + }, + { + "name": "tactics", + "value": "LateralMovement" + }, + { + "name": "techniques", + "value": "T1021" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject160')._huntingQuerycontentId160),'/'))))]", + "properties": { + "description": "Microsoft Defender XDR Hunting Query 160", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject160')._huntingQuerycontentId160)]", + "contentId": "[variables('huntingQueryObject160')._huntingQuerycontentId160]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryObject160').huntingQueryVersion160]", + "source": { + "kind": "Solution", + "name": "Microsoft Defender XDR", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('huntingQueryObject160')._huntingQuerycontentId160]", + "contentKind": "HuntingQuery", + "displayName": "BEC - File sharing tactics - Dropbox", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject160')._huntingQuerycontentId160,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject160')._huntingQuerycontentId160,'-', '1.0.0')))]", + "version": "1.0.0" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -19868,7 +20228,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MicrosoftDefenderForOffice365detectionsandinsights Workbook with template version 3.0.9", + "description": "MicrosoftDefenderForOffice365detectionsandinsights Workbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -19972,7 +20332,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.9", + "description": "MicrosoftDefenderForEndPoint Workbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", 
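Review bot: In the "BEC - File sharing tactics - OneDrive or SharePoint" query (object 159) the recency filter `| where (Timestamp - FileCreatedTime) between (1d .. 0h)` has its bounds reversed: KQL `between` is an inclusive lower..upper range, so with lower=1d and upper=0h no row can match and the hunt would return nothing, contrary to its own `// Secure file created recently (in the last 1day)` comment; it should read `| where (Timestamp - FileCreatedTime) between (0h .. 1d)`. In object 157 the description tag reads "This query helps hunting for Files share contents and suspicious sign-in activity", which is the displayName of the following query (158), while 157's displayName is "Automated email notifications and suspicious sign-in activity" — the tag looks copy-pasted and should describe 157's own purpose. In the Dropbox query (160) `| extend SharedBy = AccountId` is never referenced by the summarize that follows and can be dropped or carried into the `by` clause if it was meant to be reported. The solution's descriptionHtml hunting-query count (156 on the old side of the last hunk) should also account for the queries added here (157–160); the new side of that line is outside this view, so confirm it was bumped to 160.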
@@ -20047,7 +20407,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.9", + "description": "MicrosoftDefenderForIdentity Workbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", @@ -20139,12 +20499,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.9", + "version": "3.0.10", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Defender XDR", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Microsoft Defender XDR solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.

\n

Additional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on GitHub. This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API
  2. \n
\n

Data Connectors: 1, Workbooks: 3, Analytic Rules: 40, Hunting Queries: 156

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Microsoft Defender XDR solution for Microsoft Sentinel enables you to ingest Security Alerts/Incidents and raw logs from the products within Microsoft Defender XDR suite into Microsoft Sentinel.

\n

Additional Hunting Queries to support proactive and reactive hunting for the Microsoft Defender XDR solution can be found on GitHub. This repository has a collection of queries developed by Microsoft Security Research and Microsoft Sentinel community contributions.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Azure Monitor HTTP Data Collector API
  2. \n
\n

Data Connectors: 1, Workbooks: 3, Analytic Rules: 40, Hunting Queries: 160

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -21154,6 +21514,26 @@ "contentId": "[variables('huntingQueryObject156')._huntingQuerycontentId156]", "version": "[variables('huntingQueryObject156').huntingQueryVersion156]" }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject157')._huntingQuerycontentId157]", + "version": "[variables('huntingQueryObject157').huntingQueryVersion157]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject158')._huntingQuerycontentId158]", + "version": "[variables('huntingQueryObject158').huntingQueryVersion158]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject159')._huntingQuerycontentId159]", + "version": "[variables('huntingQueryObject159').huntingQueryVersion159]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('huntingQueryObject160')._huntingQuerycontentId160]", + "version": "[variables('huntingQueryObject160').huntingQueryVersion160]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml index 9587223e6fb..6da74007dd1 100644 --- a/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml +++ b/Solutions/Microsoft Entra ID/Analytic Rules/PrivlegedRoleAssignedOutsidePIM.yaml 
@@ -23,7 +23,7 @@ query: | AuditLogs | where Category =~ "RoleManagement" | where OperationName has "Add member to role outside of PIM" - or (LoggedByService =~ "Core Directory" and OperationName =~ "Add member to role" and Identity != "MS-PIM") + or (LoggedByService =~ "Core Directory" and OperationName =~ "Add member to role" and Identity != "MS-PIM" and Identity != "MS-PIM-Fairfax") | mv-apply TargetResource = TargetResources on ( where TargetResource.type =~ "User" @@ -65,5 +65,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: InitiatingIpAddress -version: 1.0.5 +version: 1.0.6 kind: Scheduled diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json index b2403b8410e..51b86166103 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeAdminAuditLogEvents.json 
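Review bot: The new `Identity != "MS-PIM-Fairfax"` exclusion, like the existing `Identity != "MS-PIM"`, is a case-sensitive comparison while every other predicate in this query (`Category =~`, `LoggedByService =~`, `OperationName =~`) is case-insensitive, so the exclusion list and the match conditions behave differently if the Identity value ever varies in casing. A single case-insensitive list keeps the intent in one place: `and Identity !in~ ("MS-PIM", "MS-PIM-Fairfax")`. A short comment above the line naming what these two identities are (presumably the PIM service identity in the commercial and the US Government cloud, but the commit does not say) would spare the next reviewer from guessing why an allowlist entry was added. The rule's query continues outside the hunk.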
@@ -1,8 +1,8 @@ { "id": "ESI-ExchangeAdminAuditLogEvents", - "title": "Microsoft Exchange Logs and Events", + "title": "[Deprecated] Microsoft Exchange Logs and Events", "publisher": "Microsoft", - "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", "graphQueries": [ { "metricName": "Total data received", 
@@ -100,35 +100,14 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", - "instructions": [ - { - "parameters": { - "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", - "instructionSteps": [ - { - "title": "1. Download the Parser file", - "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" - }, - { - "title": "2. Create Parser **ExchangeAdminAuditLogs** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeAdminAuditLogs** function", - "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. 
Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)" }, @@ -209,7 +188,7 @@ "instructionSteps": [ { "title": "A. Create DCR, Type Event log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." } ] }, 
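Review bot: The added `customs` entry spells "Detailled" twice (in `name` and `description`); the English word is "Detailed", and the same misspelling is copied into the new ESI-ExchangeOnPremisesCollector.json, ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json, ESI-Opt2ExchangeServersEventLogs.json and ESI-Opt34DomainControllersSecurityEventLogs.json entries in this commit. Since this text is shown to users in the connector page, `"name": "Detailed documentation"` and `">**NOTE:** Detailed documentation on Installation procedure and usage can be found [here](...)"` should be fixed once in the source that generates these files rather than per copy.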
@@ -229,7 +208,7 @@ }, { "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used", - "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.", + "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.", "instructions": [ { "parameters": { 
@@ -689,15 +668,53 @@ "type": "InstructionStepsGroup" } ] + }, + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "5738bef7-b6c0-4fec-ba0b-ac728bef83a9", - "version": "2.2.1", + "version": "2.2.2", "kind": "dataConnector", "source": { "kind": "solution", - "name": "ESI - Exchange Security Configuration Analyzer" + "name": "Microsoft Exchange Security - Exchange On-Premises" }, "support": { "name": "Community", 
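Review bot: The added instruction step declares `"title": ""`, which renders an empty heading above the parser note; the same empty title appears in the parser step added to ESI-ExchangeOnPremisesCollector.json and in ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json in this commit. Either drop the key or give it a real heading, for example `"title": "Parser deployment"`, so the step reads consistently with the numbered steps that precede it. It is also worth noting in the description that this connector is now `[Deprecated]` (see the title change at the top of the file), since the newly added step otherwise reads as a live installation procedure.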
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json index 8a5aca66a47..ab20473cb4c 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json @@ -19,7 +19,7 @@ "dataTypes": [ { "name": "ESIExchangeConfig_CL", - "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)" + "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time" } ], "connectivityCriterias": [ 
@@ -61,40 +61,14 @@ { "name": "Service Account with Organization Management role", "description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information." - } + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } ] }, "instructionSteps": [ - { - "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**", - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)", - "instructions": [ - { - "parameters": { - "title": "Parsers deployment", - "instructionSteps": [ - { - "title": "1. Download the Parser files", - "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)" - }, - { - "title": "2. Create Parser **ExchangeConfiguration** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeConfiguration** function", - "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again." - }, - { - "title": "4. 
Reproduce the same steps for Parser **ExchangeEnvironmentList**", - "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file" - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "title": "1. Install the ESI Collector Script on a server with Exchange Admin PowerShell console", "description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ", 
@@ -152,11 +126,49 @@ { "title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)", "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management" + }, + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "ed950fd7-e457-4a59-88f0-b9c949aa280d", - "version": "1.2.1", + "version": "1.2.2", "kind": "dataConnector", "source": { "kind": "solution", 
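Review bot: The parser step added here points to the wrong parser: the steps this hunk replaces (removed in the previous hunk of this file) documented the `ExchangeConfiguration` and `ExchangeEnvironmentList` parsers at aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser and aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser, but the new text and links refer to `ExchangeAdminAuditLogs`, which is the parser of the ESI-ExchangeAdminAuditLogEvents connector. The new step 3 also says "No parameter is needed for this parser", whereas the removed step 3 told the user to define the parameters from the parser file header, so a user following the manual path would deploy the wrong function and skip required parameters. The description, the link, and steps 1–3 should be restored to name both ExchangeConfiguration and ExchangeEnvironmentList (with the "Reproduce the same steps" step for the second one), keeping only the new "Parsers are automatically deployed" wrapper.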
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json new file mode 100644 index 00000000000..fa1ad2c7c2e --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json 
@@ -0,0 +1,199 @@ +{ + "id": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs", + "title": "Microsoft Exchange Admin Audit Logs by Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExchangeAuditLogs", + "baseQuery": "Event | where EventLog == 'MSExchange Management'" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules", + "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.", + "instructions": [ + { + "parameters": { + "title": "DCR", + "instructionSteps": [ + { + "title": "Data Collection Rules Deployment", + "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "", + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. 
Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "dfa2e270-b24f-4d76-b9a5-cd4a878596bf", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json new file mode 100644 index 00000000000..f980fc45731 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt2ExchangeServersEventLogs.json 
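Review bot: The `permissions.resourceProvider` block asks for `"delete": true` on the workspace and for an `action` on `Microsoft.OperationalInsights/workspaces/sharedKeys`, yet the connector describes itself as "Using Azure Monitor Agent" and its collection step is a Data Collection Rule, which does not use the workspace shared key, and nothing in the instructions deletes a workspace resource. Requesting delete rights and key access for a connector that only needs to read and write is more privilege than the documented procedure needs, and the `permissionsDisplayText` link still points at the legacy `agent-windows` key-onboarding page. Unless there is a reason not visible here, drop `"delete": true` and the sharedKeys entry, or add a `description` stating why they are required; the same block is copied into the new ESI-Opt2ExchangeServersEventLogs.json and ESI-Opt34DomainControllersSecurityEventLogs.json connectors in this commit.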
@@ -0,0 +1,183 @@ +{ + "id": "ESI-Opt2ExchangeServersEventLogs", + "title": "Microsoft Exchange Logs and Events", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Eventlogs", + "baseQuery": "Event | where EventLog == 'Application'" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'Application' | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. [Option 2] Security/Application/System logs of Exchange Servers", + "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).", + "instructions": [ + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. 
Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Application and System Event log collection", + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> Application and System Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. 
For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "22e0234b-278d-40f4-8be8-c2968faeaf91", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json new file mode 100644 index 00000000000..8084de0ae36 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json 
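Review bot: The `graphQueries`, `dataTypes` and `connectivityCriterias` of this connector only look at `Event | where EventLog == 'Application'`, but step 2 configures three collections: Security logs through a `dataCollectionRuleType: 0` rule, and Application plus System logs through the DCR. Security events collected that way do not land in `Event` (the Opt34 connector in this same commit queries them from `SecurityEvent`), and System events are excluded by the filter, so the connector will report "connected" on Application events from any Windows host while saying nothing about the security log flow it asks the user to set up. Add a `dataTypes` entry for `SecurityEvent` with its own `lastDataReceivedQuery`, widen the Event filter to `EventLog in ('Application', 'System')`, and consider scoping the health queries to the Exchange hosts if a Computer filter is available, so the connector status reflects what the instructions actually collect.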
@@ -0,0 +1,151 @@
+{
+ "id": "ESI-Opt34DomainControllersSecurityEventLogs",
+ "title": " Microsoft Active-Directory Domain Controllers Security Event Logs",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent -You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Domain Controllers Security Logs",
+ "baseQuery": "SecurityEvent"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "All Audit logs",
+ "query": "SecurityEvent | sort by TimeGenerated"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "SecurityEvent",
+ "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "name": "Detailled documentation",
+ "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki."
+ },
+ {
+ "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel",
+ "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "Deploy Monitor Agents",
+ "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "title": "Security logs of Domain Controllers",
+ "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. If you want to implement Option 4, you can select all DCs of your forest.",
+ "instructions": [
+ {
+ "parameters": {
+ "instructionSteps": [
+ {
+ "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step",
+ "description": "**This limits the quantity of data injested but some incident can't be detected.**"
+ },
+ {
+ "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step",
+ "description": "**This allows collecting all security events**"
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ },
+ {
+ "parameters": {
+ "title": "Security Event log collection",
+ "instructionSteps": [
+ {
+ "title": "Data Collection Rules - Security Event logs",
+ "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.",
+ "instructions": [
+ {
+ "parameters": {
+ "linkType": "OpenCreateDataCollectionRule",
+ "dataCollectionRuleType": 0
+ },
+ "type": "InstallAgent"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "id": "036e16af-5a27-465a-8662-b7ac385a8d45",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Microsoft Exchange Security - Exchange On-Premises"
+ },
+ "support": {
+ "name": "Community",
+ "tier": "Community",
+ "link": "https://github.com/Azure/Azure-Sentinel/issues"
+ },
+ "author": {
+ "name": "Microsoft"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json
new file mode 100644
index 00000000000..5e0f308c123
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt5ExchangeIISLogs.json
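Review bot: The connectivity and last-data queries in `connectivityCriterias` and `dataTypes` run against the whole `SecurityEvent` table with no filter on the domain-controller hosts, so this connector reports connected as soon as any Windows Security Events source in the workspace delivers data (including other options of this solution that share the table), and a DCR that never picked up the DCs would go unnoticed. If the DC names are not known to the connector, at least say so in `descriptionMarkdown`, e.g. `Note: the connection status reflects any SecurityEvent data in the workspace, not only Domain Controllers.` The `customs` entry `Azure Log Analytics will be deprecated` is also wrong as written — it is the Log Analytics agent (MMA) that is being retired, not the service — and the neighbouring `sharedKeys` read permission is not used by AMA over Azure Arc, the only collection path these instructions describe, so that permission entry should be dropped to keep the requested rights minimal. Minor: the `title` starts with a leading space.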
@@ -0,0 +1,184 @@ +{ + "id": "ESI-Opt5ExchangeIISLogs", + "title": "IIS Logs of Microsoft Exchange Servers", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange IIS logs", + "baseQuery": "W3CIISLog" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "W3CIISLog | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "W3CIISLog", + "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki." + }, + { + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "[Option 5] IIS logs of Exchange Servers", + "description": "Select how to stream IIS logs of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Enable data collection rule", + 
"description": "> IIS logs are collected only from **Windows** agents.", + "instructions": [ + { + "type": "AdminAuditEvents" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. 
In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create DCR, Type IIS log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "4b1075ed-80f5-4930-bfe1-877e86b48dc1", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json new file mode 100644 index 00000000000..932d31bfe5e --- /dev/null 
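Review bot: The `instructions` array of the 'Enable data collection rule' step carries a bare `{ "type": "AdminAuditEvents" }` entry that neither the Option 6 connector in this same change nor the Option 3/4 connector has; it looks like a copy-paste leftover and, if the connector UI does not know that instruction type, the step may render wrongly — remove it unless it is intentional, and if intentional document why. The manual DCE instructions number two consecutive steps `3.`, the ARM step A jumps from `3.` to `5.`, and `enter you Exchange Servers` should read `enter your Exchange Servers`. The sub-heading `Option 2 - Manual Deployment of Azure Automation` describes a manual DCE/DCR deployment, not Azure Automation; `Option 2 - Manual Deployment of the DCE and DCR` matches the steps. As in the sibling connector, the `sharedKeys` permission and the `Azure Log Analytics will be deprecated` wording do not match an AMA-over-Arc collection path and should be corrected the same way.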
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json 
@@ -0,0 +1,201 @@ +{ + "id": "ESI-Opt6ExchangeMessageTrackingLogs", + "title": "Microsoft Exchange Message Tracking Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Message Tracking logs", + "baseQuery": "MessageTrackingLog_CL" + } + ], + "sampleQueries": [ + { + "description": "Exchange Message Tracking logs", + "query": "MessageTrackingLog_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "MessageTrackingLog_CL", + "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. Message Tracking of Exchange Servers", + "description": "Select how to stream Message Tracking of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule and Custom Table", + "description": "1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. 
Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "ababbb06-b977-4259-ab76-87874d353039", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json new file mode 100644 index 00000000000..c65ebb89cd5 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json 
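Review bot: The DCR transform in step B ("Create a DCR, Type Custom log") splits each message-tracking line with `split(RawData,',')`, but Exchange message tracking logs are CSV in which fields containing commas (typically `message-subject`, sometimes recipient fields) are quoted, so every later column on such a row shifts — `senderAddress`, `returnPath`, `directionality` and the rest end up holding the wrong values, which silently breaks any analytics rule built on this table. `parse_csv` honours the quoting; the two changed lines are `source | where RawData !startswith "#" | extend d = parse_csv(RawData)` followed by the unchanged `| extend TimeGenerated = todatetime(d[0]) ...`, and the added `where` also discards the `#Software`/`#Fields` header lines each log file starts with, which would otherwise land as rows with a null `TimeGenerated`. The same transform presumably lives in the ARM template behind `aka.ms/sentinel-ESI-DCROption6-azuredeploy`, which is outside this diff, so verify it receives the same fix. The PowerShell step targets `api-version=2021-12-01-preview` for table creation; a GA Tables API version exists and should be preferred in user-facing instructions. Since `messageSubject` is ingested verbatim, a one-line caveat that subjects may be considered sensitive in some environments would help operators decide whether to `project-away` it in the transform.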
@@ -0,0 +1,201 @@ +{ + "id": "ESI-Opt7ExchangeHTTPProxyLogs", + "title": "Microsoft Exchange HTTP Proxy Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. [Learn more](https://aka.ms/ESI_DataConnectorOptions)", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange HTTPProxy logs", + "baseQuery": "ExchangeHttpProxy_CL" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "ExchangeHttpProxy_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "ExchangeHttpProxy_CL", + "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki." + }, + { + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel", + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "2. [Option 7] HTTP Proxy of Exchange Servers", + "description": "Select how to stream HTTP Proxy of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. 
in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) 
,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "2e63ad0e-84e3-4f01-b210-9db0bc42b8ff", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } +} \ No newline at end of file 
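Review bot: The permissions block asks for read on `Microsoft.OperationalInsights/workspaces/sharedKeys` (and `delete: true` on the workspace), yet every instruction step in this connector deploys through the Azure Arc / Azure Monitor Agent path with a DCE and a DCR, which, as far as these steps show, never touches the workspace shared key; requiring shared-key read grants operators a workspace-wide ingestion credential they do not need, so drop that entry (or document which step uses it) and reconsider whether delete is required. Separately, the manual transform at the end of step 7 ends with `| project-away d,RawData,DateTime | project-away d,RawData,DateTime`; the second copy is redundant and, depending on how the DCR transform engine treats already-removed columns, may reject the rule, so keep a single `| project-away d,RawData,DateTime`. The sub-step title text `> Message Tracking are collected only from **Windows** agents.` looks carried over from the Option 6 connector and should refer to HTTP Proxy logs here.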
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option5-IIS.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option5-IIS.json index cbec31cc165..79f6ed56ed1 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option5-IIS.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option5-IIS.json @@ -33,7 +33,7 @@ } }, "variables": { - "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]", + "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]", "workspaceResourceId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/workspaces/',parameters('workspacename'))]" }, "resources": [ diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking-TableOnly.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking-TableOnly.json new file mode 100644 index 00000000000..da00c86f02b --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking-TableOnly.json 
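Review bot: The corrected `dataCollectionEndpointId` is still hand-assembled with concat(), which is how the wrong `Microsoft.operationalinsights` provider namespace got in originally; `"dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', parameters('dataCollectionEndpointName'))]"` yields the same ID for the current subscription and resource group and keeps the provider namespace in one validated place. The `workspaceResourceId` variable on the following context line uses the same pattern and would benefit from the same change.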
@@ -0,0 +1,160 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "workspacename": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "The log analitycs workspace name" + } + }, + "customtablename": { + "type": "string", + "defaultValue": "MessageTrackingLog_CL", + "minLength": 1, + "metadata": { + "description": "The name of the Custom Table to create. By default uses 'MessageTrackingLog_CL', but you can change it to any other name but do it carefully and with full knowledge of the facts ." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/tables", + "apiVersion": "2021-12-01-preview", + "name": "[concat(parameters('workspacename'), '/', parameters('customtablename'))]", + "properties": { + "plan": "Analytics", + "schema": { + "name": "[parameters('customtablename')]", + "columns": [ + { + "name": "directionality", + "type": "string" + }, + { + "name": "reference", + "type": "string" + }, + { + "name": "source", + "type": "string" + }, + { + "name": "TimeGenerated", + "type": "datetime" + }, + { + "name": "clientHostname", + "type": "string" + }, + { + "name": "clientIP", + "type": "string" + }, + { + "name": "connectorId", + "type": "string" + }, + { + "name": "customData", + "type": "string" + }, + { + "name": "eventId", + "type": "string" + }, + { + "name": "internalMessageId", + "type": "string" + }, + { + "name": "logId", + "type": "string" + }, + { + "name": "messageId", + "type": "string" + }, + { + "name": "messageInfo", + "type": "string" + }, + { + "name": "messageSubject", + "type": "string" + }, + { + "name": "networkMessageId", + "type": "string" + }, + { + "name": "originalClientIp", + "type": "string" + }, + { + "name": "originalServerIp", + "type": "string" + }, + { + "name": "recipientAddress", + "type": "string" + }, + { + "name": "recipientCount", + "type": "string" + }, + { + "name": 
"recipientStatus", + "type": "string" + }, + { + "name": "relatedRecipientAddress", + "type": "string" + }, + { + "name": "returnPath", + "type": "string" + }, + { + "name": "senderAddress", + "type": "string" + }, + { + "name": "senderHostname", + "type": "string" + }, + { + "name": "serverIp", + "type": "string" + }, + { + "name": "sourceContext", + "type": "string" + }, + { + "name": "schemaVersion", + "type": "string" + }, + { + "name": "messageTrackingTenantId", + "type": "string" + }, + { + "name": "totalBytes", + "type": "string" + }, + { + "name": "transportTrafficType", + "type": "string" + }, + { + "name": "FilePath", + "type": "string" + } + ] + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json index 9404db100a3..7786f9d9160 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option6-MessageTracking.json 
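Review bot: The `customtablename` parameter accepts any non-empty string, but a custom table created through the workspaces/tables API is expected to carry the `_CL` suffix, and the sibling DCR template (`azuredeploy_ESI_DCR_Option6-MessageTracking.json`) hardcodes `MessageTrackingLog_CL` as both the table name and the `Custom-MessageTrackingLog_CL` stream, so a renamed table would either fail to deploy or receive no data; the metadata should state that rather than "do it carefully", e.g. `"description": "Name of the custom table to create. Must end in '_CL' and must match the table referenced by the Option 6 DCR template (default 'MessageTrackingLog_CL')."`. The `workspacename` description also has a typo: `analitycs` should be `analytics`.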
@@ -40,7 +40,7 @@ } }, "variables": { - "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]", + "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]", "workspaceResourceId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/workspaces/',parameters('workspacename'))]" }, "resources": [ @@ -49,7 +49,6 @@ "apiVersion": "2021-12-01-preview", "name": "[concat(parameters('workspacename'), '/MessageTrackingLog_CL')]", "properties": { - "totalRetentionInDays": 90, "plan": "Analytics", "schema": { "name": "MessageTrackingLog_CL", @@ -173,10 +172,13 @@ { "name": "transportTrafficType", "type": "string" + }, + { + "name": "FilePath", + "type": "string" } ] - }, - "retentionInDays": 90 + } } }, { 
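Review bot: Dropping both `"totalRetentionInDays": 90` and `"retentionInDays": 90` from the `MessageTrackingLog_CL` table silently changes how long message-tracking records are kept: the table now inherits the workspace retention, which may be shorter than 90 days and these records (sender, recipient, subject, connector) are exactly what an investigator needs after a mailbox compromise. If inheriting the workspace default is intended, say so in the resource or README so operators know to set workspace retention deliberately; if the 90 days was deliberate, keep it or expose it as a parameter, e.g. `"retentionInDays": "[parameters('retentionInDays')]"` with a default of 90. The new `FilePath` column matches the one added to the incoming stream, which looks consistent.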
@@ -194,123 +196,15 @@ "Custom-MessageTrackingLog_CL": { "columns": [ { - "name": "date-time", + "name": "TimeGenerated", "type": "datetime" }, { - "name": "client-ip", - "type": "string" - }, - { - "name": "client-hostname", - "type": "string" - }, - { - "name": "server-ip", - "type": "string" - }, - { - "name": "server-hostname", - "type": "string" - }, - { - "name": "source-context", - "type": "string" - }, - { - "name": "connector-id", - "type": "string" - }, - { - "name": "source", - "type": "string" - }, - { - "name": "event-id", - "type": "string" - }, - { - "name": "internal-message-id", - "type": "string" - }, - { - "name": "message-id", - "type": "string" - }, - { - "name": "network-message-id", - "type": "string" - }, - { - "name": "recipient-address", - "type": "string" - }, - { - "name": "recipient-status", - "type": "string" - }, - { - "name": "total-bytes", - "type": "string" - }, - { - "name": "recipient-count", - "type": "string" - }, - { - "name": "related-recipient-address", - "type": "string" - }, - { - "name": "reference", - "type": "string" - }, - { - "name": "message-subject", - "type": "string" - }, - { - "name": "sender-address", - "type": "string" - }, - { - "name": "return-path", - "type": "string" - }, - { - "name": "message-info", - "type": "string" - }, - { - "name": "directionality", - "type": "string" - }, - { - "name": "tenant-id", - "type": "string" - }, - { - "name": "original-client-ip", - "type": "string" - }, - { - "name": "original-server-ip", - "type": "string" - }, - { - "name": "custom-data", - "type": "string" - }, - { - "name": "transport-traffic-type", - "type": "string" - }, - { - "name": "log-id", + "name": "RawData", "type": "string" }, { - "name": "schema-version", + "name": "FilePath", "type": "string" } ] 
@@ -351,7 +245,7 @@
 "destinations": [
 "la-data-destination"
 ],
- "transformKql": "source\n| extend TimeGenerated = todatetime(['date-time'])\n| extend\n clientHostname = ['client-hostname'],\n clientIP = ['client-ip'],\n connectorId = ['connector-id'],\n customData = ['custom-data'],\n eventId = ['event-id'],\n internalMessageId = ['internal-message-id'],\n logId = ['log-id'],\n messageId = ['message-id'],\n messageInfo = ['message-info'],\n messageSubject = ['message-subject'],\n networkMessageId = ['network-message-id'],\n originalClientIp = ['original-client-ip'],\n originalServerIp = ['original-server-ip'],\n recipientAddress= ['recipient-address'],\n recipientCount= ['recipient-count'],\n recipientStatus= ['recipient-status'],\n relatedRecipientAddress= ['related-recipient-address'],\n returnPath= ['return-path'],\n senderAddress= ['sender-address'],\n senderHostname= ['server-hostname'],\n serverIp= ['server-ip'],\n sourceContext= ['source-context'],\n schemaVersion=['schema-version'],\n messageTrackingTenantId = ['tenant-id'],\n totalBytes = ['total-bytes'],\n transportTrafficType = ['transport-traffic-type']\n| project-away\n ['client-ip'],\n ['client-hostname'],\n ['connector-id'],\n ['custom-data'],\n ['date-time'],\n ['event-id'],\n ['internal-message-id'],\n ['log-id'],\n ['message-id'],\n ['message-info'],\n ['message-subject'],\n ['network-message-id'],\n ['original-client-ip'],\n ['original-server-ip'],\n ['recipient-address'],\n ['recipient-count'],\n ['recipient-status'],\n ['related-recipient-address'],\n ['return-path'],\n ['sender-address'],\n ['server-hostname'],\n ['server-ip'],\n ['source-context'],\n ['schema-version'],\n ['tenant-id'],\n ['total-bytes'],\n ['transport-traffic-type']\n\n",
+ "transformKql": "source\n| extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData",
 "outputStream": "Custom-MessageTrackingLog_CL"
 }
 ]
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy-Table.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy-Table.json
new file mode 100644
index 00000000000..87a869d2ed2
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy-Table.json
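Review bot: The new `+ "transformKql"` line splits `RawData` on a bare comma, so any field whose value itself contains a comma (message-subject, related-recipient-address and the other free-text fields) pushes every later column — sender-address, return-path, tenant-id — one position to the right, and the row is stored silently misaligned; for a security log that is a detection-integrity problem, because those fields are populated from message content the sender controls. Where the source writes CSV with quoted fields, `parse_csv(RawData)` honours the quoting that `split(RawData,',')` ignores; the change is `| extend d = parse_csv(RawData)` with the positional assignments left as they are. The same `split` is used by the HTTPProxy transform in the `@@ -716,7 +430,7 @@` hunk, where UserAgent and UrlQuery are the comma-prone fields. Rows whose first field does not parse in `todatetime(d[0])` (header or comment lines, if the collector forwards them) arrive with an empty TimeGenerated; whether that is acceptable should be recorded next to the DCR.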
@@ -0,0 +1,336 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspacename": {
+ "type": "string",
+ "minLength": 1,
+ "metadata": {
+ "description": "The log analitycs workspace name"
+ }
+ },
+ "customtablename": {
+ "type": "string",
+ "defaultValue": "ExchangeHttpProxy_CL",
+ "minLength": 1,
+ "metadata": {
+ "description": "The name of the Custom Table to create. By default uses 'ExchangeHttpProxy_CL', but you can change it to any other name but do it carefully and with full knowledge of the facts ."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2021-12-01-preview",
+ "name": "[concat(parameters('workspacename'), '/', parameters('customtablename'))]",
+ "properties": {
+ "plan": "Analytics",
+ "schema": {
+ "name": "[parameters('customtablename')]",
+ "columns": [
+ {
+ "name": "AccountForestLatencyBreakup",
+ "type": "string"
+ },
+ {
+ "name": "ActivityContextLifeTime",
+ "type": "string"
+ },
+ {
+ "name": "ADLatency",
+ "type": "string"
+ },
+ {
+ "name": "AnchorMailbox",
+ "type": "string"
+ },
+ {
+ "name": "AuthenticatedUser",
+ "type": "string"
+ },
+ {
+ "name": "AuthenticationType",
+ "type": "string"
+ },
+ {
+ "name": "AuthModulePerfContext",
+ "type": "string"
+ },
+ {
+ "name": "BackEndCookie",
+ "type": "string"
+ },
+ {
+ "name": "BackEndGenericInfo",
+ "type": "string"
+ },
+ {
+ "name": "BackendProcessingLatency",
+ "type": "string"
+ },
+ {
+ "name": "BackendReqInitLatency",
+ "type": "string"
+ },
+ {
+ "name": "BackendReqStreamLatency",
+ "type": "string"
+ },
+ {
+ "name": "BackendRespInitLatency",
+ "type": "string"
+ },
+ {
+ "name": "BackendRespStreamLatency",
+ "type": "string"
+ },
+ {
+ "name": "BackEndStatus",
+ "type": "string"
+ },
+ {
+ "name": "BuildVersion",
+ "type": "string"
+ },
+ {
+ "name": "CalculateTargetBackEndLatency",
+ "type": "string"
+ },
+ {
+ "name": "ClientIpAddress",
+ "type": "string"
+ },
+ {
+ "name": "ClientReqStreamLatency",
+ "type": "string"
+ },
+ {
+ "name": "ClientRequestId",
+ "type": "string"
+ },
+ {
+ "name": "ClientRespStreamLatency",
+ "type": "string"
+ },
+ {
+ "name": "CoreLatency",
+ "type": "string"
+ },
+ {
+ "name": "DatabaseGuid",
+ "type": "string"
+ },
+ {
+ "name": "EdgeTraceId",
+ "type": "string"
+ },
+ {
+ "name": "ErrorCode",
+ "type": "string"
+ },
+ {
+ "name": "GenericErrors",
+ "type": "string"
+ },
+ {
+ "name": "GenericInfo",
+ "type": "string"
+ },
+ {
+ "name": "GlsLatencyBreakup",
+ "type": "string"
+ },
+ {
+ "name": "HandlerCompletionLatency",
+ "type": "string"
+ },
+ {
+ "name": "HandlerToModuleSwitchingLatency",
+ "type": "string"
+ },
+ {
+ "name": "HttpPipelineLatency",
+ "type": "string"
+ },
+ {
+ "name": "HttpProxyOverhead",
+ "type": "string"
+ },
+ {
+ "name": "HttpStatus",
+ "type": "string"
+ },
+ {
+ "name": "IsAuthenticated",
+ "type": "string"
+ },
+ {
+ "name": "KerberosAuthHeaderLatency",
+ "type": "string"
+ },
+ {
+ "name": "MajorVersion",
+ "type": "string"
+ },
+ {
+ "name": "Method",
+ "type": "string"
+ },
+ {
+ "name": "MinorVersion",
+ "type": "string"
+ },
+ {
+ "name": "ModuleToHandlerSwitchingLatency",
+ "type": "string"
+ },
+ {
+ "name": "Organization",
+ "type": "string"
+ },
+ {
+ "name": "PartitionEndpointLookupLatency",
+ "type": "string"
+ },
+ {
+ "name": "Protocol",
+ "type": "string"
+ },
+ {
+ "name": "ProtocolAction",
+ "type": "string"
+ },
+ {
+ "name": "ProxyAction",
+ "type": "string"
+ },
+ {
+ "name": "ProxyTime",
+ "type": "string"
+ },
+ {
+ "name": "RequestBytes",
+ "type": "string"
+ },
+ {
+ "name": "RequestHandlerLatency",
+ "type": "string"
+ },
+ {
+ "name": "RequestId",
+ "type": "string"
+ },
+ {
+ "name": "ResourceForestLatencyBreakup",
+ "type": "string"
+ },
+ {
+ "name": "ResponseBytes",
+ "type": "string"
+ },
+ {
+ "name": "RevisionVersion",
+ "type": "string"
+ },
+ {
+ "name": "RouteRefresherLatency",
+ "type": "string"
+ },
+ {
+ "name": "RoutingHint",
+ "type": "string"
+ },
+ {
+ "name": "RoutingLatency",
+ "type": "string"
+ },
+ {
+ "name": "RoutingStatus",
+ "type": "string"
+ },
+ {
+ "name": "RoutingType",
+ "type": "string"
+ },
+ {
+ "name": "ServerHostName",
+ "type": "string"
+ },
+ {
+ "name": "ServerLocatorHost",
+ "type": "string"
+ },
+ {
+ "name": "ServerLocatorLatency",
+ "type": "string"
+ },
+ {
+ "name": "SharedCacheLatencyBreakup",
+ "type": "string"
+ },
+ {
+ "name": "TargetOutstandingRequests",
+ "type": "string"
+ },
+ {
+ "name": "TargetServer",
+ "type": "string"
+ },
+ {
+ "name": "TargetServerVersion",
+ "type": "string"
+ },
+ {
+ "name": "TotalAccountForestLatency",
+ "type": "string"
+ },
+ {
+ "name": "TotalGlsLatency",
+ "type": "string"
+ },
+ {
+ "name": "TotalRequestTime",
+ "type": "string"
+ },
+ {
+ "name": "TotalResourceForestLatency",
+ "type": "string"
+ },
+ {
+ "name": "TotalSharedCacheLatency",
+ "type": "string"
+ },
+ {
+ "name": "UrlHost",
+ "type": "string"
+ },
+ {
+ "name": "UrlQuery",
+ "type": "string"
+ },
+ {
+ "name": "UrlStem",
+ "type": "string"
+ },
+ {
+ "name": "UserADObjectGuid",
+ "type": "string"
+ },
+ {
+ "name": "UserAgent",
+ "type": "string"
+ },
+ {
+ "name": "TimeGenerated",
+ "type": "datetime"
+ },
+ {
+ "name": "FilePath",
+ "type": "string"
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json
index 737dee3b406..657121bf321 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_Option7-HTTPProxy.json
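Review bot: `customtablename` in the new template's `parameters` block is described as freely changeable ("you can change it to any other name but do it carefully"), yet its only constraint is `minLength: 1`; custom Log Analytics tables must end in `_CL`, and the companion azuredeploy_ESI_Option7-HTTPProxy.json hard-codes `ExchangeHttpProxy_CL` as the table name and `Custom-ExchangeHttpProxy_CL` as the DCR outputStream, so a table renamed here would be created but, as far as these templates show, never receive data. The description should state the real constraints, e.g. `"description": "Name of the custom table to create (default 'ExchangeHttpProxy_CL'). Must end in '_CL' and must match the table targeted by the Data Collection Rule that streams into it."`. The `workspacename` description on the same block carries the typo `analitycs`. Every latency and byte-count column is declared as `string`, which limits numeric analytics on them; if that is deliberate, to keep the positional transform simple, it deserves a line in the connector documentation.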
@@ -40,7 +40,7 @@
 }
 },
 "variables": {
- "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]",
+ "dataCollectionEndpointId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('dataCollectionEndpointName'))]",
 "workspaceResourceId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/workspaces/',parameters('workspacename'))]"
 },
 "resources": [
@@ -49,7 +49,6 @@
 "apiVersion": "2021-12-01-preview",
 "name": "[concat(parameters('workspacename'), '/ExchangeHttpProxy_CL')]",
 "properties": {
- "totalRetentionInDays": 90,
 "plan": "Analytics",
 "schema": {
 "name": "ExchangeHttpProxy_CL",
@@ -349,10 +348,13 @@
 {
 "name": "TimeGenerated",
 "type": "datetime"
+ },
+ {
+ "name": "FilePath",
+ "type": "string"
 }
 ]
- },
- "retentionInDays": 90
+ }
 }
 },
 {
@@ -374,299 +376,11 @@
 "type": "datetime"
 },
 {
- "name": "DateTime",
- "type": "string"
- },
- {
- "name": "RequestId",
- "type": "string"
- },
- {
- "name": "MajorVersion",
- "type": "string"
- },
- {
- "name": "MinorVersion",
- "type": "string"
- },
- {
- "name": "BuildVersion",
- "type": "string"
- },
- {
- "name": "RevisionVersion",
- "type": "string"
- },
- {
- "name": "ClientRequestId",
- "type": "string"
- },
- {
- "name": "Protocol",
- "type": "string"
- },
- {
- "name": "UrlHost",
- "type": "string"
- },
- {
- "name": "UrlStem",
- "type": "string"
- },
- {
- "name": "ProtocolAction",
- "type": "string"
- },
- {
- "name": "AuthenticationType",
- "type": "string"
- },
- {
- "name": "IsAuthenticated",
- "type": "string"
- },
- {
- "name": "AuthenticatedUser",
- "type": "string"
- },
- {
- "name": "Organization",
- "type": "string"
- },
- {
- "name": "AnchorMailbox",
- "type": "string"
- },
- {
- "name": "UserAgent",
- "type": "string"
- },
- {
- "name": "ClientIpAddress",
- "type": "string"
- },
- {
- "name": "ServerHostName",
- "type": "string"
- },
- {
- "name": "HttpStatus",
- "type": "string"
- },
- {
- "name": "BackEndStatus",
- "type": "string"
- },
- {
- "name": "ErrorCode",
- "type": "string"
- },
- {
- "name": "Method",
- "type": "string"
- },
- {
- "name": "ProxyAction",
- "type": "string"
- },
- {
- "name": "TargetServer",
- "type": "string"
- },
- {
- "name": "TargetServerVersion",
- "type": "string"
- },
- {
- "name": "RoutingType",
- "type": "string"
- },
- {
- "name": "RoutingHint",
- "type": "string"
- },
- {
- "name": "BackEndCookie",
- "type": "string"
- },
- {
- "name": "ServerLocatorHost",
- "type": "string"
- },
- {
- "name": "ServerLocatorLatency",
- "type": "string"
- },
- {
- "name": "RequestBytes",
- "type": "string"
- },
- {
- "name": "ResponseBytes",
- "type": "string"
- },
- {
- "name": "TargetOutstandingRequests",
- "type": "string"
- },
- {
- "name": "AuthModulePerfContext",
- "type": "string"
- },
- {
- "name": "HttpPipelineLatency",
- "type": "string"
- },
- {
- "name": "CalculateTargetBackEndLatency",
- "type": "string"
- },
- {
- "name": "GlsLatencyBreakup",
- "type": "string"
- },
- {
- "name": "TotalGlsLatency",
- "type": "string"
- },
- {
- "name": "AccountForestLatencyBreakup",
- "type": "string"
- },
- {
- "name": "TotalAccountForestLatency",
- "type": "string"
- },
- {
- "name": "ResourceForestLatencyBreakup",
- "type": "string"
- },
- {
- "name": "TotalResourceForestLatency",
- "type": "string"
- },
- {
- "name": "ADLatency",
- "type": "string"
- },
- {
- "name": "SharedCacheLatencyBreakup",
- "type": "string"
- },
- {
- "name": "TotalSharedCacheLatency",
- "type": "string"
- },
- {
- "name": "ActivityContextLifeTime",
- "type": "string"
- },
- {
- "name": "ModuleToHandlerSwitchingLatency",
- "type": "string"
- },
- {
- "name": "ClientReqStreamLatency",
- "type": "string"
- },
- {
- "name": "BackendReqInitLatency",
- "type": "string"
- },
- {
- "name": "BackendReqStreamLatency",
- "type": "string"
- },
- {
- "name": "BackendProcessingLatency",
- "type": "string"
- },
- {
- "name": "BackendRespInitLatency",
- "type": "string"
- },
- {
- "name": "BackendRespStreamLatency",
- "type": "string"
- },
- {
- "name": "ClientRespStreamLatency",
- "type": "string"
- },
- {
- "name": "KerberosAuthHeaderLatency",
- "type": "string"
- },
- {
- "name": "HandlerCompletionLatency",
- "type": "string"
- },
- {
- "name": "RequestHandlerLatency",
- "type": "string"
- },
- {
- "name": "HandlerToModuleSwitchingLatency",
- "type": "string"
- },
- {
- "name": "ProxyTime",
- "type": "string"
- },
- {
- "name": "CoreLatency",
- "type": "string"
- },
- {
- "name": "RoutingLatency",
- "type": "string"
- },
- {
- "name": "HttpProxyOverhead",
- "type": "string"
- },
- {
- "name": "TotalRequestTime",
- "type": "string"
- },
- {
- "name": "RouteRefresherLatency",
- "type": "string"
- },
- {
- "name": "UrlQuery",
- "type": "string"
- },
- {
- "name": "BackEndGenericInfo",
- "type": "string"
- },
- {
- "name": "GenericInfo",
- "type": "string"
- },
- {
- "name": "GenericErrors",
- "type": "string"
- },
- {
- "name": "EdgeTraceId",
- "type": "string"
- },
- {
- "name": "DatabaseGuid",
- "type": "string"
- },
- {
- "name": "UserADObjectGuid",
- "type": "string"
- },
- {
- "name": "PartitionEndpointLookupLatency",
+ "name": "RawData",
 "type": "string"
 },
 {
- "name": "RoutingStatus",
+ "name": "FilePath",
 "type": "string"
 }
 ]
@@ -716,7 +430,7 @@
 "destinations": [
 "la-data-destination"
 ],
- "transformKql": "source\n| extend TimeGenerated = todatetime(DateTime)\n| project-away DateTime\n\n",
+ "transformKql": "source | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) ,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime",
 "outputStream": "Custom-ExchangeHttpProxy_CL"
 }
 ]
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json
index 00c0c0a44c9..c7462b84ea1 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json
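Review bot: The new `+ "transformKql"` line ends with `| project-away d,RawData,DateTime | project-away d,RawData,DateTime` — the second `project-away` names columns the first has already removed, so it is dead text at best and, if the DCR validator rejects unknown column names, it will fail deployment of the rule. The tail should read `| extend TimeGenerated = DateTime | project-away d,RawData,DateTime"`. The 74 positional `tostring(d[n])` assignments depend on a fixed HTTPProxy log field order that nothing in the template records; a short note in the connector documentation stating the assumed field order would let a maintainer verify it when Exchange adds or reorders fields, since a shift here silently relabels ClientIpAddress, AuthenticatedUser and the other fields detections rely on.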
@@ -5,13 +5,20 @@
 "Description": "The Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)",
 "Data Connectors": [
 "Data Connectors/ESI-ExchangeAdminAuditLogEvents.json",
- "Data Connectors/ESI-ExchangeOnPremisesCollector.json"
+ "Data Connectors/ESI-ExchangeOnPremisesCollector.json",
+ "Data Connectors/ESI-Opt1ExchangeAdminAuditLogsByEventLogs.json",
+ "Data Connectors/ESI-Opt2ExchangeServersEventLogs.json",
+ "Data Connectors/ESI-Opt34DomainControllersSecurityEventLogs.json",
+ "Data Connectors/ESI-Opt5ExchangeIISLogs.json",
+ "Data Connectors/ESI-Opt6ExchangeMessageTrackingLogs.json",
+ "Data Connectors/ESI-Opt7ExchangeHTTPProxyLogs.json"
 ],
 "Parsers": [
 "Parsers/ExchangeAdminAuditLogs.yaml",
 "Parsers/ExchangeConfiguration.yaml",
 "Parsers/ExchangeEnvironmentList.yaml",
- "Parsers/MESCheckVIP.yaml"
+ "Parsers/MESCheckVIP.yaml",
+ "Parsers/MESCompareDataOnPMRA.yaml"
 ],
 "Workbooks": [
 "Workbooks/Microsoft Exchange Least Privilege with RBAC.json",
@@ -28,7 +35,7 @@
 "Watchlists/ExchangeVIP.json"
 ],
 "BasePath": "C:\\Git Repositories\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange On-Premises\\",
- "Version": "3.1.5",
+ "Version": "3.3.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip
new file mode 100644
index 00000000000..2d56ee0620f
Binary files /dev/null and b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.3.0.zip differ
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json
index 354722fba77..20ce28013be 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 2, **Parsers:** 4, **Workbooks:** 4, **Analytic Rules:** 2, **Watchlists:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 8, **Parsers:** 5, **Workbooks:** 4, **Analytic Rules:** 2, **Watchlists:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -60,57 +60,64 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs two (2) data connectors for ingesting Microsoft Exchange on-premises events to provide security insights. Each of these data connectors help ingest a different set of logs/events."
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
 "name": "dataconnectors2-text",
- "type": "Microsoft.Common.Section",
- "label": "1. Exchange Security Insights On-Premises Collector",
- "elements": [
- {
- "name": "dataconnectors3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This data connector collects security configuration, RBAC information and audit information from your on-premises Exchange environment(s). It uses a scheduled script that needs to be manually deployed in your environment. This connects directly (via proxy if needed) to Log Analytics/Microsoft Sentinel to ingest data."
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
- }
- ]
 },
 {
 "name": "dataconnectors4-text",
- "type": "Microsoft.Common.Section",
- "label": "2. Exchange Audit Event logs via Legacy Agent",
- "elements": [
- {
- "name": "dataconnectors5-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This data connector uses Log Analytics Agent or Azure Monitor Agent to collect MSExchange Management Eventlogs, Exchange Security logs, Domain Controllers Security logs, IIS Logs, Exchange logs. Not all logs are required but it depends on your needs and on what you want to collect and secure for hunting in case of compromise. The first important logs consumed by this solution are “MSExchange Management” Event logs."
- }
- }
- ]
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors5-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
 },
 {
 "name": "dataconnectors6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "After installing the solution, configure and enable the data connector that’s most relevant to your Exchange environment by following guidance in Manage solution view."
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors7-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
 {
- "name": "dataconnectors-parser",
- "type": "Microsoft.Common.Section",
- "label": "Parsers",
- "elements": [
+ "name": "dataconnectors8-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange On-Premises. You can get Microsoft Exchange Security - Exchange On-Premises custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
 {
 "name": "dataconnectors-parser-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The solution installs four (4) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeAdminAuditLogs, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases."
+ "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
 }
- }
- ]
 },
 {
 "name": "dataconnectors-link2",
@@ -321,4 +328,4 @@
 "workspace": "[basics('workspace')]"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
index b2e9d5ed6cd..8161f1dc1f8 100644
--- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json
@@ -81,7 +81,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Microsoft Exchange Security - Exchange On-Premises",
- "_solutionVersion": "3.1.5",
+ "_solutionVersion": "3.3.0",
 "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-exchangesecurityinsights",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "ESI-ExchangeAdminAuditLogEvents",
@@ -91,7 +91,7 @@
 "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
 "_dataConnectorId1": "[variables('dataConnectorId1')]",
 "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
- "dataConnectorVersion1": "2.2.1",
+ "dataConnectorVersion1": "2.2.2",
 "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
 "uiConfigId2": "ESI-ExchangeOnPremisesCollector",
 "_uiConfigId2": "[variables('uiConfigId2')]",
@@ -100,8 +100,62 @@ "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", "_dataConnectorId2": "[variables('dataConnectorId2')]", "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.2.1", + "dataConnectorVersion2": "1.2.2", "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", + "uiConfigId3": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs", + "_uiConfigId3": "[variables('uiConfigId3')]", + "dataConnectorContentId3": "ESI-Opt1ExchangeAdminAuditLogsByEventLogs", + "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]", + "dataConnectorId3": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "_dataConnectorId3": "[variables('dataConnectorId3')]", + "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]", + "dataConnectorVersion3": "1.0.0", + "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]", + "uiConfigId4": "ESI-Opt2ExchangeServersEventLogs", + "_uiConfigId4": "[variables('uiConfigId4')]", + "dataConnectorContentId4": "ESI-Opt2ExchangeServersEventLogs", + "_dataConnectorContentId4": 
"[variables('dataConnectorContentId4')]", + "dataConnectorId4": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "_dataConnectorId4": "[variables('dataConnectorId4')]", + "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4'))))]", + "dataConnectorVersion4": "1.0.0", + "_dataConnectorcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId4'),'-', variables('dataConnectorVersion4'))))]", + "uiConfigId5": "ESI-Opt34DomainControllersSecurityEventLogs", + "_uiConfigId5": "[variables('uiConfigId5')]", + "dataConnectorContentId5": "ESI-Opt34DomainControllersSecurityEventLogs", + "_dataConnectorContentId5": "[variables('dataConnectorContentId5')]", + "dataConnectorId5": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "_dataConnectorId5": "[variables('dataConnectorId5')]", + "dataConnectorTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId5'))))]", + "dataConnectorVersion5": "1.0.0", + "_dataConnectorcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId5'),'-', variables('dataConnectorVersion5'))))]", + "uiConfigId6": "ESI-Opt5ExchangeIISLogs", + "_uiConfigId6": "[variables('uiConfigId6')]", + "dataConnectorContentId6": "ESI-Opt5ExchangeIISLogs", + "_dataConnectorContentId6": 
"[variables('dataConnectorContentId6')]", + "dataConnectorId6": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]", + "_dataConnectorId6": "[variables('dataConnectorId6')]", + "dataConnectorTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId6'))))]", + "dataConnectorVersion6": "1.0.0", + "_dataConnectorcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId6'),'-', variables('dataConnectorVersion6'))))]", + "uiConfigId7": "ESI-Opt6ExchangeMessageTrackingLogs", + "_uiConfigId7": "[variables('uiConfigId7')]", + "dataConnectorContentId7": "ESI-Opt6ExchangeMessageTrackingLogs", + "_dataConnectorContentId7": "[variables('dataConnectorContentId7')]", + "dataConnectorId7": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]", + "_dataConnectorId7": "[variables('dataConnectorId7')]", + "dataConnectorTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId7'))))]", + "dataConnectorVersion7": "1.0.0", + "_dataConnectorcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId7'),'-', variables('dataConnectorVersion7'))))]", + "uiConfigId8": "ESI-Opt7ExchangeHTTPProxyLogs", + "_uiConfigId8": "[variables('uiConfigId8')]", + "dataConnectorContentId8": "ESI-Opt7ExchangeHTTPProxyLogs", + "_dataConnectorContentId8": 
"[variables('dataConnectorContentId8')]", + "dataConnectorId8": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]", + "_dataConnectorId8": "[variables('dataConnectorId8')]", + "dataConnectorTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId8'))))]", + "dataConnectorVersion8": "1.0.0", + "_dataConnectorcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId8'),'-', variables('dataConnectorVersion8'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','ExchangeAdminAuditLogs Data Parser')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]", @@ -130,6 +184,13 @@ "parserVersion4": "1.0.0", "parserContentId4": "MESCheckVIP-Parser" }, + "parserObject5": { + "_parserName5": "[concat(parameters('workspace'),'/','MESCompareDataOnPMRA')]", + "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]", + "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataOnPMRA-Parser')))]", + "parserVersion5": "1.0.0", + "parserContentId5": "MESCompareDataOnPMRA-Parser" + }, "workbookVersion1": "1.0.1", "workbookContentId1": "MicrosoftExchangeLeastPrivilegewithRBAC", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", 
@@ -149,7 +210,7 @@ "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", "_workbookContentId3": "[variables('workbookContentId3')]", "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]", - "workbookVersion4": "1.0.1", + "workbookVersion4": "2.0.0", "workbookContentId4": "MicrosoftExchangeSecurityReview", "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]", "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]", @@ -185,7 +246,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.1.5", + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -201,9 +262,9 @@
 "properties": {
 "connectorUiConfig": {
 "id": "[variables('_uiConfigId1')]",
- "title": "Microsoft Exchange Logs and Events",
+ "title": "[Deprecated] Microsoft Exchange Logs and Events",
 "publisher": "Microsoft",
- "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
+ "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment",
 "graphQueries": [
 {
 "metricName": "Total data received",
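Review bot: The new deprecation text on the `descriptionMarkdown` line sends operators to "the 'ESI-Opt' dataconnectors" without naming them, although this same commit introduces the concrete connector IDs (`ESI-Opt1ExchangeAdminAuditLogsByEventLogs` through `ESI-Opt7ExchangeHTTPProxyLogs`) and a documentation link. This string is what a workspace owner reads when deciding whether to disconnect the old connector, so it should name the replacements and where the migration guidance lives, e.g. `"descriptionMarkdown": "Deprecated: use the option-based 'ESI-Opt1' to 'ESI-Opt7' connectors instead (see https://aka.ms/MicrosoftExchangeSecurityGithub). You can stream all Exchange Audit events, ..."`. The identical text is added again in `@@ -989,9 +1066,9 @@` and should be corrected there as well.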
@@ -301,35 +362,14 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", - "instructions": [ - { - "parameters": { - "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", - "instructionSteps": [ - { - "title": "1. Download the Parser file", - "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" - }, - { - "title": "2. Create Parser **ExchangeAdminAuditLogs** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeAdminAuditLogs** function", - "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. 
Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)" }, @@ -409,7 +449,7 @@ "instructionSteps": [ { "title": "A. Create DCR, Type Event log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." } ] }, 
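Review bot: The added `customs` entry misspells "Detailed" as "Detailled" in both its `name` and its `description`; this is user-facing connector UI text, so it should read `"name": "Detailed documentation"` and `"description": ">**NOTE:** Detailed documentation on the installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)"`. The same entry is added in `@@ -1089,35 +1166,14 @@`, `@@ -1770,40 +1863,14 @@` and `@@ -2021,40 +2125,14 @@` and needs the same correction.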
@@ -429,7 +469,7 @@
 },
 {
 "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
- "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
 "instructions": [
 {
 "parameters": {
@@ -890,15 +930,52 @@ } ], "title": "2. Deploy log injestion following choosed options" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "5738bef7-b6c0-4fec-ba0b-ac728bef83a9", - "version": "2.2.1", + "version": "2.2.2", "kind": "dataConnector", "source": { "kind": "solution", - "name": "ESI - Exchange Security Configuration Analyzer" + "name": "Microsoft Exchange Security - Exchange On-Premises" }, "support": { "name": "Community", 
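Review bot: The new step's `description` states that parsers are deployed automatically and then, in the next sentence, instructs the reader to "Follow the steps to create the Kusto Functions alias", which reads as a mandatory action; make the condition explicit, e.g. `"description": ">**NOTE:** This data connector depends on the [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser) Kusto Function. It is deployed automatically with the solution; only follow the steps below when deploying the connector stand-alone."`. The block also nests an `InstructionStepsGroup` inside another `InstructionStepsGroup` whose single child is "Manual Parser Deployment"; one group holding the three numbered steps, as the block removed in `@@ -301,35 +362,14 @@` did, renders the same content with two fewer levels. The same structure is repeated in `@@ -1678,6 +1734,43 @@` and `@@ -1861,11 +1928,48 @@`.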
@@ -946,7 +1023,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId1')]", "contentKind": "DataConnector", - "displayName": "Microsoft Exchange Logs and Events", + "displayName": "[Deprecated] Microsoft Exchange Logs and Events", "contentProductId": "[variables('_dataConnectorcontentProductId1')]", "id": "[variables('_dataConnectorcontentProductId1')]", "version": "[variables('dataConnectorVersion1')]" @@ -989,9 +1066,9 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Microsoft Exchange Logs and Events", + "title": "[Deprecated] Microsoft Exchange Logs and Events", "publisher": "Microsoft", - "descriptionMarkdown": "You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "descriptionMarkdown": "Deprecated, use the 'ESI-Opt' dataconnectors. You can stream all Exchange Audit events, IIS Logs, HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", "graphQueries": [ { "metricName": "Total data received", 
@@ -1089,35 +1166,14 @@ "customs": [ { "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", - "instructions": [ - { - "parameters": { - "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", - "instructionSteps": [ - { - "title": "1. Download the Parser file", - "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" - }, - { - "title": "2. Create Parser **ExchangeAdminAuditLogs** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeAdminAuditLogs** function", - "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, { "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. 
Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)" }, @@ -1197,7 +1253,7 @@ "instructionSteps": [ { "title": "A. Create DCR, Type Event log", - "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MS Exchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." } ] }, 
@@ -1217,7 +1273,7 @@
 },
 {
 "title": "Data Collection Rules - When the legacy Azure Log Analytics Agent is used",
- "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MS Exchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
+ "description": "**Configure the logs to be collected**\n\nConfigure the Events you want to collect and their severities.\n\n1. Under workspace **Legacy agents management**, select **Windows Event logs**.\n2. Click **Add Windows event log** and enter **MSExchange Management** as log name.\n3. Collect Error, Warning and Information types\n4. Click **Save**.",
 "instructions": [
 {
 "parameters": {
@@ -1678,6 +1734,43 @@ } ], "title": "2. Deploy log injestion following choosed options" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "id": "[variables('_uiConfigId1')]" 
@@ -1693,7 +1786,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.1.5", + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -1709,7 +1802,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId2')]", - "title": "Exchange Security Insights On-Premise Collector", + "title": "Exchange Security Insights On-Premises Collector", "publisher": "Microsoft", "descriptionMarkdown": "Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis", "graphQueries": [ @@ -1728,7 +1821,7 @@ "dataTypes": [ { "name": "ESIExchangeConfig_CL", - "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)" + "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time" } ], "connectivityCriterias": [ 
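Review bot: In the updated `lastDataReceivedQuery` (hunk `@@ -1728,7 +1821,7 @@`), the appended `|summarize Time = max(Time) | project Time` has no space after the first pipe, unlike every other operator in the query. The per-group `summarize ... by GenerationInstanceID_g, ESIEnvironment_s` now only feeds a second `max`, so the whole query can be reduced to `ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) | where isnotempty(Time)`; on an empty table this may yield no row where the current form yields a single null row, so confirm the connector UI treats both alike before simplifying. The same query is changed in `@@ -1973,7 +2077,7 @@`.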
@@ -1770,40 +1863,14 @@ { "name": "Service Account with Organization Management role", "description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information." + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)", - "instructions": [ - { - "parameters": { - "title": "Parsers deployment", - "instructionSteps": [ - { - "title": "1. Download the Parser files", - "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)" - }, - { - "title": "2. Create Parser **ExchangeConfiguration** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeConfiguration** function", - "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again." - }, - { - "title": "4. 
Reproduce the same steps for Parser **ExchangeEnvironmentList**", - "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file" - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**" - }, { "description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ", "instructions": [ 
@@ -1861,11 +1928,48 @@ { "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management", "title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "metadata": { "id": "ed950fd7-e457-4a59-88f0-b9c949aa280d", - "version": "1.2.1", + "version": "1.2.2", "kind": "dataConnector", "source": { "kind": "solution", 
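Review bot: The instruction step added here belongs to the `ESI-ExchangeOnPremisesCollector` connector (data type `ESIExchangeConfig_CL`), yet it points to the **ExchangeAdminAuditLogs** parser, which is the dependency of the Exchange Logs and Events connector. The step it replaces, removed in `@@ -1770,40 +1863,14 @@`, documented this connector's real dependencies, **ExchangeConfiguration** and **ExchangeEnvironmentList**, and the new "No parameter is needed for this parser" contradicts the removed "Define the parameters as asked on the header of the parser file" for those two functions. This looks like a copy of the block added in `@@ -890,15 +930,52 @@`; the description should read `">**NOTE:** This data connector depends on the [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser) Kusto Functions. They are deployed automatically with the solution; only follow the steps below for a manual deployment."` and the nested steps should be the four from the removed block (download both files, create and save ExchangeConfiguration with its header parameters, repeat for ExchangeEnvironmentList). The second copy of this connector UI, where `@@ -2021,40 +2125,14 @@` removes the same parser step, presumably receives the same replacement beyond this chunk and should be checked for the same mix-up.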
@@ -1917,7 +2021,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId2')]", "contentKind": "DataConnector", - "displayName": "Exchange Security Insights On-Premise Collector", + "displayName": "Exchange Security Insights On-Premises Collector", "contentProductId": "[variables('_dataConnectorcontentProductId2')]", "id": "[variables('_dataConnectorcontentProductId2')]", "version": "[variables('dataConnectorVersion2')]" @@ -1960,7 +2064,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "Exchange Security Insights On-Premise Collector", + "title": "Exchange Security Insights On-Premises Collector", "publisher": "Microsoft", "descriptionMarkdown": "Connector used to push Exchange On-Premises Security configuration for Microsoft Sentinel Analysis", "graphQueries": [ @@ -1973,7 +2077,7 @@ "dataTypes": [ { "name": "ESIExchangeConfig_CL", - "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)" + "lastDataReceivedQuery": "ESIExchangeConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time" } ], "connectivityCriterias": [ 
@@ -2021,40 +2125,14 @@ { "name": "Service Account with Organization Management role", "description": "The service Account that launch the script as scheduled task needs to be Organization Management to be able to retrieve all the needed security Information." + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" } ] }, "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)", - "instructions": [ - { - "parameters": { - "title": "Parsers deployment", - "instructionSteps": [ - { - "title": "1. Download the Parser files", - "description": "The latest version of the 2 files [**ExchangeConfiguration.yaml**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList.yaml**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)" - }, - { - "title": "2. Create Parser **ExchangeConfiguration** function", - "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" - }, - { - "title": "3. Save Parser **ExchangeConfiguration** function", - "description": "Click on save button.\n Define the parameters as asked on the header of the parser file.\nClick save again." - }, - { - "title": "4. 
Reproduce the same steps for Parser **ExchangeEnvironmentList**", - "description": "Reproduce the step 2 and 3 with the content of 'ExchangeEnvironmentList.yaml' file" - } - ] - }, - "type": "InstructionStepsGroup" - } - ], - "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**" - }, { "description": "This is the script that will collect Exchange Information to push content in Microsoft Sentinel.\n ", "instructions": [ 
@@ -2112,6 +2190,43 @@ { "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management", "title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] } ], "id": "[variables('_uiConfigId2')]" 
@@ -2121,76 +2236,2828 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject1').parserTemplateSpecName1]", + "name": "[variables('dataConnectorTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeAdminAuditLogs Data Parser with template version 3.1.5", + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject1').parserVersion1]", + "contentVersion": "[variables('dataConnectorVersion3')]", "parameters": {}, "variables": {}, "resources": [ { - "name": "[variables('parserObject1')._parserName1]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", + "kind": "GenericUI", "properties": { - "eTag": "*", - "displayName": "Parser for ExchangeAdminAuditLogs", - "category": "Microsoft Sentinel Parser", - "functionAlias": "ExchangeAdminAuditLogs", - "query": "let CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) 
;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.displayName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n let SearchUserCanonicalName = T | join Watchlist on $left.TargetObject == $right.canonicalName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserObjectSID = T | join Watchlist on $left.TargetObject == $right.objectSID | project TargetObject,SearchKey;\n let SearchUserObjectGUID = T | join (Watchlist | extend objectGuidString = tostring(objectGUID)) on $left.TargetObject == $right.objectGuidString | project TargetObject,SearchKey;\n let SearchUserDistinguishedName = T | join Watchlist on $left.TargetObject == $right.distinguishedName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName, \n SearchUserUPN, \n SearchUserCanonicalName, \n SearchUserSAMAccountName,\n SearchUserObjectSID,\n SearchUserObjectGUID,\n SearchUserDistinguishedName\n };\nlet Env = ExchangeConfiguration(SpecificSectionList=\"ESIEnvironment\")\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\n| project DomainFQDN_, ESIEnvironment;\nlet EventList = Event\n | where EventLog == 'MSExchange Management'\n | where EventID in (1,6) // 1 = Success, 6 = Failure\n | parse 
ParameterXml with '' CmdletName '' CmdletParameters '' Caller '' *\n | extend TargetObject = iif( CmdletParameters has \"-Identity \", split(split(CmdletParameters,'-Identity ')[1],'\"')[1], iif( CmdletParameters has \"-Name \", split(split(CmdletParameters,'-Name ')[1],'\"')[1], \"\"));\nlet MSExchange_Management = (){\nEventList\n | extend Status = case( EventID == 1, 'Success', 'Failure')\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\n | join kind=leftouter ( \n Env\n ) on $left.DomainEnv == $right.DomainFQDN_\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\"Unknown-\",DomainEnv))\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project 
TimeGenerated,Computer,Status,Caller,TargetObject,IsVIP,canonicalName,displayName,distinguishedName,objectGUID,objectSID,sAMAccountName,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented, ESIEnvironment\n};\nMSExchange_Management\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", - "dependsOn": [ - "[variables('parserObject1')._parserId1]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]", - "contentId": "[variables('parserObject1').parserContentId1]", - "kind": "Parser", - "version": "[variables('parserObject1').parserVersion1]", - "source": { - "name": "Microsoft Exchange Security - Exchange On-Premises", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject1').parserContentId1]", + "connectorUiConfig": { + "id": "[variables('_uiConfigId3')]", + "title": "Microsoft Exchange Admin Audit Logs by Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can 
stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExchangeAuditLogs", + "baseQuery": "Event | where EventLog == 'MSExchange Management'" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.", + "instructions": [ + { + "parameters": { + "title": "DCR", + "instructionSteps": [ + { + "title": "Data Collection Rules Deployment", + "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. 
If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "metadata": { + "id": "dfa2e270-b24f-4d76-b9a5-cd4a878596bf", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion3')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - 
Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId3')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange Admin Audit Logs by Event Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId3')]", + "id": "[variables('_dataConnectorcontentProductId3')]", + "version": "[variables('dataConnectorVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId3')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion3')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft Exchange Admin Audit Logs by Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 1] - Using Azure Monitor Agent - You can stream all Exchange Audit events from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to view dashboards, create custom alerts, and improve investigation. This is used by Microsoft Exchange Security Workbooks to provide security insights of your On-Premises Exchange environment", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExchangeAuditLogs", + "baseQuery": "Event | where EventLog == 'MSExchange Management'" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'MSExchange Management' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'MSExchange Management' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'MSExchange Management' | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { 
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 1** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The MS Exchange Admin Audit event logs are collected using Data Collection Rules (DCR) and allow to store all Administrative Cmdlets executed in an Exchange environment.", + "instructions": [ + { + "parameters": { + "title": "DCR", + "instructionSteps": [ + { + "title": "Data Collection Rules Deployment", + "description": "**Enable data collection rule**\n> Microsoft Exchange Admin Audit Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption1-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Custom' option, enter 'MSExchange Management' as expression and Add it.\n6. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 1] MS Exchange Management Log collection - MS Exchange Admin Audit event logs by Data Collection Rules" + }, + { + "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Parsers are automatically deployed with the solution. Follow the steps to create the Kusto Functions alias : [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)", + "instructions": [ + { + "parameters": { + "title": "Parsers are automatically deployed during Solution deployment. 
If you want to deploy manually, follow the steps below", + "instructionSteps": [ + { + "title": "Manual Parser Deployment", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "1. Download the Parser file", + "description": "The latest version of the file [**ExchangeAdminAuditLogs**](https://aka.ms/sentinel-ESI-ExchangeCollector-ExchangeAdminAuditLogs-parser)" + }, + { + "title": "2. Create Parser **ExchangeAdminAuditLogs** function", + "description": "In 'Logs' explorer of your Microsoft Sentinel's log analytics, copy the content of the file to Log explorer" + }, + { + "title": "3. Save Parser **ExchangeAdminAuditLogs** function", + "description": "Click on save button.\n No parameter is needed for this parser.\nClick save again." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ], + "id": "[variables('_uiConfigId3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": 
"[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId4')]", + "title": "Microsoft Exchange Logs and Events", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Eventlogs", + "baseQuery": "Event | where EventLog == 'Application'" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'Application' | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).", + "instructions": [ + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. 
Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Application and System Event log collection", + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> Application and System Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. 
For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 2] Security/Application/System logs of Exchange Servers" + } + ], + "metadata": { + "id": "22e0234b-278d-40f4-8be8-c2968faeaf91", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "contentId": "[variables('_dataConnectorContentId4')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion4')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", 
+ "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId4')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange Logs and Events", + "contentProductId": "[variables('_dataConnectorcontentProductId4')]", + "id": "[variables('_dataConnectorcontentProductId4')]", + "version": "[variables('dataConnectorVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId4')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "contentId": "[variables('_dataConnectorContentId4')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion4')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft 
Exchange Logs and Events", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 2] - Using Azure Monitor Agent - You can stream all Exchange Security & Application Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Eventlogs", + "baseQuery": "Event | where EventLog == 'Application'" + } + ], + "dataTypes": [ + { + "name": "Event", + "lastDataReceivedQuery": "Event | where EventLog == 'Application' | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Event | where EventLog == 'Application' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "Event | where EventLog == 'Application' | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 2** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "The Security/Application/System logs of Exchange Servers are collected using Data Collection Rules (DCR).", + "instructions": [ + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add Exchange Servers on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. 
Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Application and System Event log collection", + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> Application and System Events logs are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered method)", + "description": "Use this method for automated deployment of the DCR.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption2-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCR, Type Event log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'Windows Event logs' and select 'Basic' option.\n6. 
For Application, select 'Critical', 'Error' and 'Warning'. For System, select Critical/Error/Warning/Information. \n7. 'Make other preferable configuration changes', if needed, then click **Create**." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. [Option 2] Security/Application/System logs of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId5')]", + "title": " Microsoft Active-Directory Domain Controllers Security Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent 
-You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Domain Controllers Security Logs", + "baseQuery": "SecurityEvent" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "SecurityEvent | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "SecurityEvent", + "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. 
If you want to implement Option 4, you can select all DCs of your forest.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step", + "description": "**This limits the quantity of data injested but some incident can't be detected.**" + }, + { + "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step", + "description": "**This allows collecting all security events**" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "Security logs of Domain Controllers" + } + ], + "metadata": { + "id": "036e16af-5a27-465a-8662-b7ac385a8d45", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + 
"properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "contentId": "[variables('_dataConnectorContentId5')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion5')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId5')]", + "contentKind": "DataConnector", + "displayName": " Microsoft Active-Directory Domain Controllers Security Event Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId5')]", + "id": "[variables('_dataConnectorcontentProductId5')]", + "version": "[variables('dataConnectorVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId5')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "contentId": "[variables('_dataConnectorContentId5')]", + "kind": "DataConnector", + 
"version": "[variables('dataConnectorVersion5')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": " Microsoft Active-Directory Domain Controllers Security Event Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 3 & 4] - Using Azure Monitor Agent -You can stream a part or all Domain Controllers Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. 
This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Domain Controllers Security Logs", + "baseQuery": "SecurityEvent" + } + ], + "dataTypes": [ + { + "name": "SecurityEvent", + "lastDataReceivedQuery": "SecurityEvent | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "SecurityEvent | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "SecurityEvent | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 3 and 4** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Security logs of Domain Controllers. If you want to implement Option 3, you just need to select DC on same site as Exchange Servers. 
If you want to implement Option 4, you can select all DCs of your forest.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "[Option 3] List only Domain Controllers on the same site as Exchange Servers for next step", + "description": "**This limits the quantity of data injested but some incident can't be detected.**" + }, + { + "title": "[Option 4] List all Domain Controllers of your Active-Directory Forest for next step", + "description": "**This allows collecting all security events**" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "title": "Security Event log collection", + "instructionSteps": [ + { + "title": "Data Collection Rules - Security Event logs", + "description": "**Enable data collection rule for Security Logs**\nSecurity Events logs are collected only from **Windows** agents.\n1. Add chosen DCs on *Resources* tab.\n2. Select Security log level\n\n> **Common level** is the minimum required. Please select 'Common' or 'All Security Events' on DCR definition.", + "instructions": [ + { + "parameters": { + "linkType": "OpenCreateDataCollectionRule", + "dataCollectionRuleType": 0 + }, + "type": "InstallAgent" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "Security logs of Domain Controllers" + } + ], + "id": "[variables('_uiConfigId5')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion6')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId6'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId6')]", + "title": "IIS Logs of Microsoft Exchange Servers", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange IIS logs", + "baseQuery": "W3CIISLog" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "W3CIISLog | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "W3CIISLog", + "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", 
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki." 
+ }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream IIS logs of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> IIS logs are collected only from **Windows** agents.", + "instructions": [ + { + "type": "AdminAuditEvents" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. 
\n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create DCR, Type IIS log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "[Option 5] IIS logs of Exchange Servers" + } + ], + "metadata": { + "id": "4b1075ed-80f5-4930-bfe1-877e86b48dc1", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId6'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]", + "contentId": "[variables('_dataConnectorContentId6')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion6')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('_dataConnectorContentId6')]", + "contentKind": "DataConnector", + "displayName": "IIS Logs of Microsoft Exchange Servers", + "contentProductId": "[variables('_dataConnectorcontentProductId6')]", + "id": "[variables('_dataConnectorcontentProductId6')]", + "version": "[variables('dataConnectorVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId6'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId6')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId6'))]", + "contentId": "[variables('_dataConnectorContentId6')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion6')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId6'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "IIS Logs of Microsoft Exchange Servers", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 5] - Using Azure Monitor Agent - You can stream all IIS Logs from the Windows machines connected to your 
Microsoft Sentinel workspace using the Windows agent. This connection enables you to create custom alerts, and improve investigation.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange IIS logs", + "baseQuery": "W3CIISLog" + } + ], + "dataTypes": [ + { + "name": "W3CIISLog", + "lastDataReceivedQuery": "W3CIISLog | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "W3CIISLog | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "W3CIISLog | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 5** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream IIS logs of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Enable data collection rule", + "description": "> IIS logs are collected only from **Windows** agents.", + "instructions": [ + { + "type": "AdminAuditEvents" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Preferred Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption5-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. 
From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create DCR, Type IIS log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields, Select Windows as platform type and give a name to the DCR. Select the created DCE. \n4. In the **Resources** tab, enter you Exchange Servers.\n5. In 'Collect and deliver', add a Data Source type 'IIS logs' (Do not enter a path if IIS Logs path is configured by default). Click on 'Add data source'\n6. 'Make other preferable configuration changes', if needed, then click **Create**." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "[Option 5] IIS logs of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId6')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion7')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId7'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId7')]", + "title": "Microsoft Exchange Message Tracking Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. 
This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Message Tracking logs", + "baseQuery": "MessageTrackingLog_CL" + } + ], + "sampleQueries": [ + { + "description": "Exchange Message Tracking logs", + "query": "MessageTrackingLog_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "MessageTrackingLog_CL", + "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Message Tracking of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule and Custom Table", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
Message Tracking of Exchange Servers" + } + ], + "metadata": { + "id": "ababbb06-b977-4259-ab76-87874d353039", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId7'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]", + "contentId": "[variables('_dataConnectorContentId7')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion7')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId7')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange Message Tracking Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId7')]", + "id": "[variables('_dataConnectorcontentProductId7')]", + "version": "[variables('dataConnectorVersion7')]" + } + }, + { 
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId7'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId7')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId7'))]", + "contentId": "[variables('_dataConnectorContentId7')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion7')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId7'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft Exchange Message Tracking Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 6] - Using Azure Monitor Agent - You can stream all Exchange Message Tracking from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. Those logs can be used to track the flow of messages in your Exchange environment. 
This data connector is based on the option 6 of the [Microsoft Exchange Security wiki](https://aka.ms/ESI_DataConnectorOptions).", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange Message Tracking logs", + "baseQuery": "MessageTrackingLog_CL" + } + ], + "dataTypes": [ + { + "name": "MessageTrackingLog_CL", + "lastDataReceivedQuery": "MessageTrackingLog_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MessageTrackingLog_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "Exchange Message Tracking logs", + "query": "MessageTrackingLog_CL | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 6** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream Message Tracking of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule and Custom Table", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption6-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-MessageTrackingCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t\"schema\": {\n\t\t\t\t\t \"name\": \"MessageTrackingLog_CL\",\n\t\t\t\t\t \"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"directionality\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"reference\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"source\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"clientIP\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"connectorId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"customData\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"eventId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"internalMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"logId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageSubject\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"networkMessageId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalClientIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"originalServerIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientCount\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"recipientStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"relatedRecipientAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"returnPath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"senderHostname\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"serverIp\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"sourceContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"schemaVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"messageTrackingTenantId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"totalBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"transportTrafficType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t'@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/MessageTrackingLog_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE, like ESI-ExchangeServers. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option6-MessageTrackingLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\Logs\\MessageTracking\\*.log' in file pattern, 'MessageTrackingLog_CL' in Table Name.\n6.in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend TimeGenerated =todatetime(d[0]) ,clientIP =tostring(d[1]) ,clientHostname =tostring(d[2]) ,serverIp=tostring(d[3]) ,senderHostname=tostring(d[4]) ,sourceContext=tostring(d[5]) ,connectorId =tostring(d[6]) ,source=tostring(d[7]) ,eventId =tostring(d[8]) ,internalMessageId =tostring(d[9]) ,messageId =tostring(d[10]) ,networkMessageId =tostring(d[11]) ,recipientAddress=tostring(d[12]) ,recipientStatus=tostring(d[13]) ,totalBytes=tostring(d[14]) ,recipientCount=tostring(d[15]) ,relatedRecipientAddress=tostring(d[16]) ,reference=tostring(d[17]) ,messageSubject =tostring(d[18]) ,senderAddress=tostring(d[19]) ,returnPath=tostring(d[20]) ,messageInfo =tostring(d[21]) ,directionality=tostring(d[22]) ,messageTrackingTenantId =tostring(d[23]) ,originalClientIp =tostring(d[24]) ,originalServerIp =tostring(d[25]) ,customData=tostring(d[26]) ,transportTrafficType =tostring(d[27]) ,logId =tostring(d[28]) ,schemaVersion=tostring(d[29]) | project-away d,RawData\n and click on 'Destination'.\n6. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n7. Click on 'Add data source'.\n8. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
Message Tracking of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId7')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion8')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId8'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId8')]", + "title": "Microsoft Exchange HTTP Proxy Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. 
[Learn more](https://aka.ms/ESI_DataConnectorOptions)", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange HTTPProxy logs", + "baseQuery": "ExchangeHttpProxy_CL" + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "ExchangeHttpProxy_CL | sort by TimeGenerated" + } + ], + "dataTypes": [ + { + "name": "ExchangeHttpProxy_CL", + "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream HTTP Proxy of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. 
in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) 
,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
[Option 7] HTTP Proxy of Exchange Servers" + } + ], + "metadata": { + "id": "2e63ad0e-84e3-4f01-b210-9db0bc42b8ff", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Microsoft Exchange Security - Exchange On-Premises" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + }, + "author": { + "name": "Microsoft" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId8'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]", + "contentId": "[variables('_dataConnectorContentId8')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion8')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId8')]", + "contentKind": "DataConnector", + "displayName": "Microsoft Exchange HTTP Proxy Logs", + "contentProductId": "[variables('_dataConnectorcontentProductId8')]", + "id": "[variables('_dataConnectorcontentProductId8')]", + "version": "[variables('dataConnectorVersion8')]" + } + }, + { 
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId8'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId8')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId8'))]", + "contentId": "[variables('_dataConnectorContentId8')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion8')]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId8'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Microsoft Exchange HTTP Proxy Logs", + "publisher": "Microsoft", + "descriptionMarkdown": "[Option 7] - Using Azure Monitor Agent - You can stream HTTP Proxy logs and Security Event logs from the Windows machines connected to your Microsoft Sentinel workspace using the Windows agent. This connection enables you create custom alerts, and improve investigation. 
[Learn more](https://aka.ms/ESI_DataConnectorOptions)", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Exchange HTTPProxy logs", + "baseQuery": "ExchangeHttpProxy_CL" + } + ], + "dataTypes": [ + { + "name": "ExchangeHttpProxy_CL", + "lastDataReceivedQuery": "ExchangeHttpProxy_CL | summarize Time = max(TimeGenerated) | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ExchangeHttpProxy_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(7h)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Audit logs", + "query": "ExchangeHttpProxy_CL | sort by TimeGenerated" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Log Analytics will be deprecated", + "description": "Azure Log Analytics will be deprecated, to collect data from non-Azure VMs, Azure Arc is recommended. 
[Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "name": "Detailled documentation", + "description": ">**NOTE:** Detailled documentation on Installation procedure and usage can be found [here](https://aka.ms/MicrosoftExchangeSecurityGithub)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This solution is based on options. This allows you to choose which data will be ingest as some options can generate a very high volume of data. Depending on what you want to collect, track in your Workbooks, Analytics Rules, Hunting capabilities you will choose the option(s) you will deploy. Each options are independant for one from the other. To learn more about each option: ['Microsoft Exchange Security' wiki](https://aka.ms/ESI_DataConnectorOptions)\n\n>This Data Connector is the **option 7** of the wiki." + }, + { + "description": "Type of servers (Exchange Servers, Domain Controllers linked to Exchange Servers or all Domain Controllers) depends on the option you want to deploy.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Deploy Monitor Agents", + "description": "This step is required only if it's the first time you onboard your Exchange Servers/Domain Controllers\n**Deploy the Azure Arc Agent**\n> [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "1. 
Download and install the agents needed to collect logs for Microsoft Sentinel" + }, + { + "description": "Select how to stream HTTP Proxy of Exchange Servers", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Data Collection Rules - When Azure Monitor Agent is used", + "description": "**Enable data collection rule**\n> Message Tracking are collected only from **Windows** agents.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Option 1 - Azure Resource Manager (ARM) Template (Prefered Method)", + "description": "Use this method for automated deployment of the DCE and DCR.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCEExchangeServers)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. You can change the proposed name of the DCE.\n5. Click **Create** to deploy." + }, + { + "title": "B. Deploy Data Connection Rule", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-DCROption7-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace ID** 'and/or Other required fields'.\n>4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." 
+ } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Option 2 - Manual Deployment of Azure Automation", + "description": "Use the following step-by-step instructions to deploy manually a Data Collection Rule.", + "instructions": [ + { + "parameters": { + "instructionSteps": [ + { + "title": "Create Custom Table - Explanation", + "description": "The Custom Table can't be created using the Azure Portal. You need to use an ARM template, a PowerShell Script or another method [described here](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/create-custom-table?tabs=azure-powershell-1%2Cazure-portal-2%2Cazure-portal-3#create-a-custom-table)." + }, + { + "title": "Create Custom Table using an ARM Template", + "description": "1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-ESI-HTTPProxyCustomTable)\n2. Select the preferred **Subscription**, **Resource Group**, **Location** and **Analytic Workspace Name**. \n3. Click **Create** to deploy." + }, + { + "title": "Create Custom Table using PowerShell in Cloud Shell", + "description": "1. From the Azure Portal, open a Cloud Shell.\n2. 
Copy and paste and Execute the following script in the Cloud Shell to create the table.\n\t\t$tableParams = @'\n\t\t{\n\t\t\t\"properties\": {\n\t\t\t\t \"schema\": {\n\t\t\t\t\t\t\"name\": \"ExchangeHttpProxy_CL\",\n\t\t\t\t\t\t\"columns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AccountForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ActivityContextLifeTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ADLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AnchorMailbox\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticatedUser\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthenticationType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"AuthModulePerfContext\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndCookie\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndGenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendProcessingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespInitLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackendRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BackEndStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"BuildVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CalculateTargetBackEndLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientIpAddress\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientReqStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ClientRespStreamLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"CoreLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"DatabaseGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"EdgeTraceId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ErrorCode\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericErrors\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GenericInfo\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"GlsLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerCompletionLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HandlerToModuleSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpPipelineLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpProxyOverhead\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"HttpStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"IsAuthenticated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"KerberosAuthHeaderLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MajorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Method\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"MinorVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ModuleToHandlerSwitchingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Organization\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"PartitionEndpointLookupLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"Protocol\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProtocolAction\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyAction\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ProxyTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestHandlerLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RequestId\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResourceForestLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ResponseBytes\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RevisionVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RouteRefresherLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingHint\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingStatus\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"RoutingType\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerHostName\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorHost\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"ServerLocatorLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"SharedCacheLatencyBreakup\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetOutstandingRequests\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServer\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TargetServerVersion\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalAccountForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalGlsLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalRequestTime\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalResourceForestLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TotalSharedCacheLatency\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlHost\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlQuery\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UrlStem\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserADObjectGuid\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"UserAgent\",\n\t\t\t\t\t\t\t\t\t\"type\": 
\"string\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"TimeGenerated\",\n\t\t\t\t\t\t\t\t\t\"type\": \"datetime\"\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"name\": \"FilePath\",\n\t\t\t\t\t\t\t\t\t\"type\": \"string\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t }\n\t\t\t }\n\t\t }\n\t\t '@\n3. Copy, Replace, Paste and execute the following parameters with your own values:\n\t\t$SubscriptionID = 'YourGUID'\n\t\t$ResourceGroupName = 'YourResourceGroupName'\n\t\t$WorkspaceName = 'YourWorkspaceName'\n4. Execute the Following Cmdlet to create the table:\n\t\tInvoke-AzRestMethod -Path \"/subscriptions/$SubscriptionID/resourcegroups/$ResourceGroupName/providers/microsoft.operationalinsights/workspaces/$WorkspaceName/tables/ExchangeHttpProxy_CL?api-version=2021-12-01-preview\" -Method PUT -payload $tableParams" + } + ] + }, + "type": "InstructionStepsGroup" + }, + { + "parameters": { + "instructionSteps": [ + { + "title": "A. Create DCE (If not already created for Exchange Servers)", + "description": "1. From the Azure Portal, navigate to [Azure Data collection Endpoint](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionEndpoints).\n2. Click **+ Create** at the top.\n3. In the **Basics** tab, fill the required fields and give a name to the DCE. \n3. 'Make other preferable configuration changes', if needed, then click **Create**." + }, + { + "title": "B. Create a DCR, Type Custom log", + "description": "1. From the Azure Portal, navigate to [Azure Data collection rules](https://portal.azure.com/#view/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/~/dataCollectionRules).\n2. Click on 'Create' button.\n3. On 'Basics' tab, fill the Rule name like **DCR-Option7-HTTPProxyLogs**, select the 'Data Collection Endpoint' with the previously created endpoint and fill other parameters.\n4. In the **Resources** tab, add your Exchange Servers.\n5. 
In **Collect and Deliver**, add a Data Source type 'Custom Text logs' and enter the following file pattern : \n\t\t'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Autodiscover\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Eas\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ecp\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Ews\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Mapi\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Oab\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\Owa\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\OwaCalendar\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\PowerShell\\*.log','C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\RpcHttp\\*.log'\n6. Put 'ExchangeHttpProxy_CL' in Table Name.\n7. 
in Transform field, enter the following KQL request :\n\t\tsource | extend d = split(RawData,',') | extend DateTime=todatetime(d[0]),RequestId=tostring(d[1]) ,MajorVersion=tostring(d[2]) ,MinorVersion=tostring(d[3]) ,BuildVersion=tostring(d[4]) ,RevisionVersion=tostring(d[5]) ,ClientRequestId=tostring(d[6]) ,Protocol=tostring(d[7]) ,UrlHost=tostring(d[8]) ,UrlStem=tostring(d[9]) ,ProtocolAction=tostring(d[10]) ,AuthenticationType=tostring(d[11]) ,IsAuthenticated=tostring(d[12]) ,AuthenticatedUser=tostring(d[13]) ,Organization=tostring(d[14]) ,AnchorMailbox=tostring(d[15]) ,UserAgent=tostring(d[16]) ,ClientIpAddress=tostring(d[17]) ,ServerHostName=tostring(d[18]) ,HttpStatus=tostring(d[19]) ,BackEndStatus=tostring(d[20]) ,ErrorCode=tostring(d[21]) ,Method=tostring(d[22]) ,ProxyAction=tostring(d[23]) ,TargetServer=tostring(d[24]) ,TargetServerVersion=tostring(d[25]) ,RoutingType=tostring(d[26]) ,RoutingHint=tostring(d[27]) ,BackEndCookie=tostring(d[28]) ,ServerLocatorHost=tostring(d[29]) ,ServerLocatorLatency=tostring(d[30]) ,RequestBytes=tostring(d[31]) ,ResponseBytes=tostring(d[32]) ,TargetOutstandingRequests=tostring(d[33]) ,AuthModulePerfContext=tostring(d[34]) ,HttpPipelineLatency=tostring(d[35]) ,CalculateTargetBackEndLatency=tostring(d[36]) ,GlsLatencyBreakup=tostring(d[37]) ,TotalGlsLatency=tostring(d[38]) ,AccountForestLatencyBreakup=tostring(d[39]) ,TotalAccountForestLatency=tostring(d[40]) ,ResourceForestLatencyBreakup=tostring(d[41]) ,TotalResourceForestLatency=tostring(d[42]) ,ADLatency=tostring(d[43]) ,SharedCacheLatencyBreakup=tostring(d[44]) ,TotalSharedCacheLatency=tostring(d[45]) ,ActivityContextLifeTime=tostring(d[46]) ,ModuleToHandlerSwitchingLatency=tostring(d[47]) ,ClientReqStreamLatency=tostring(d[48]) ,BackendReqInitLatency=tostring(d[49]) ,BackendReqStreamLatency=tostring(d[50]) ,BackendProcessingLatency=tostring(d[51]) ,BackendRespInitLatency=tostring(d[52]) ,BackendRespStreamLatency=tostring(d[53]) ,ClientRespStreamLatency=tostring(d[54]) 
,KerberosAuthHeaderLatency=tostring(d[55]) ,HandlerCompletionLatency=tostring(d[56]) ,RequestHandlerLatency=tostring(d[57]) ,HandlerToModuleSwitchingLatency=tostring(d[58]) ,ProxyTime=tostring(d[59]) ,CoreLatency=tostring(d[60]) ,RoutingLatency=tostring(d[61]) ,HttpProxyOverhead=tostring(d[62]) ,TotalRequestTime=tostring(d[63]) ,RouteRefresherLatency=tostring(d[64]) ,UrlQuery=tostring(d[65]) ,BackEndGenericInfo=tostring(d[66]) ,GenericInfo=tostring(d[67]) ,GenericErrors=tostring(d[68]) ,EdgeTraceId=tostring(d[69]) ,DatabaseGuid=tostring(d[70]) ,UserADObjectGuid=tostring(d[71]) ,PartitionEndpointLookupLatency=tostring(d[72]) ,RoutingStatus=tostring(d[73]) | extend TimeGenerated = DateTime | project-away d,RawData,DateTime | project-away d,RawData,DateTime\n and click on 'Destination'.\n8. In 'Destination', add a destination and select the Workspace where you have previously created the Custom Table \n9. Click on 'Add data source'.\n10. Fill other required parameters and tags and create the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "title": "Assign the DCR to all Exchange Servers", + "description": "Add all your Exchange Servers to the DCR" + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ], + "title": "2. 
[Option 7] HTTP Proxy of Exchange Servers" + } + ], + "id": "[variables('_uiConfigId8')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ExchangeAdminAuditLogs Data Parser with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for ExchangeAdminAuditLogs", + "category": "Microsoft Sentinel Parser", + "functionAlias": "ExchangeAdminAuditLogs", + "query": "let CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName 
_GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.displayName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n let SearchUserCanonicalName = T | join Watchlist on $left.TargetObject == $right.canonicalName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserObjectSID = T | join Watchlist on $left.TargetObject == $right.objectSID | project TargetObject,SearchKey;\n let SearchUserObjectGUID = T | join (Watchlist | extend objectGuidString = tostring(objectGUID)) on $left.TargetObject == $right.objectGuidString | project TargetObject,SearchKey;\n let SearchUserDistinguishedName = T | join Watchlist on $left.TargetObject == $right.distinguishedName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName, \n SearchUserUPN, \n SearchUserCanonicalName, \n SearchUserSAMAccountName,\n SearchUserObjectSID,\n SearchUserObjectGUID,\n SearchUserDistinguishedName\n };\nlet Env = ExchangeConfiguration(SpecificSectionList=\"ESIEnvironment\")\n| extend DomainFQDN_ = tostring(CmdletResultValue.DomainFQDN)\n| project DomainFQDN_, ESIEnvironment;\nlet EventList = Event\n | where EventLog == 'MSExchange Management'\n | where EventID in (1,6) // 1 = Success, 6 = Failure\n | parse ParameterXml with '' CmdletName '' CmdletParameters '' Caller '' *\n | extend TargetObject = iif( CmdletParameters has \"-Identity \", split(split(CmdletParameters,'-Identity ')[1],'\"')[1], iif( CmdletParameters has \"-Name \", split(split(CmdletParameters,'-Name ')[1],'\"')[1], \"\"));\nlet MSExchange_Management = (){\nEventList\n | extend Status = case( EventID == 
1, 'Success', 'Failure')\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend DomainEnv = replace_string(Computer,strcat(tostring(split(Computer,'.',0)[0]),'.'),'')\n | join kind=leftouter ( \n Env\n ) on $left.DomainEnv == $right.DomainFQDN_\n | extend ESIEnvironment = iif (isnotempty(ESIEnvironment), ESIEnvironment, strcat(\"Unknown-\",DomainEnv))\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Computer,Status,Caller,TargetObject,IsVIP,canonicalName,displayName,distinguishedName,objectGUID,objectSID,sAMAccountName,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented, ESIEnvironment\n};\nMSExchange_Management\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + 
"value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'ExchangeAdminAuditLogs Data Parser')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "Microsoft Exchange Security - Exchange On-Premises", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", "displayName": "Parser for ExchangeAdminAuditLogs", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.3.0')))]", 
@@ -2257,7 +5124,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeConfiguration Data Parser with template version 3.1.5", + "description": "ExchangeConfiguration Data Parser with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject2').parserVersion2]", @@ -2387,7 +5254,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeEnvironmentList Data Parser with template version 3.1.5", + "description": "ExchangeEnvironmentList Data Parser with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject3').parserVersion3]", @@ -2517,7 +5384,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCheckVIP Data Parser with template version 3.1.5", + "description": "MESCheckVIP Data Parser with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", 
@@ -2638,6 +5505,136 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject5').parserTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MESCompareDataOnPMRA Data Parser with template version 3.3.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject5').parserVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject5')._parserName5]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for MRA Configuration Data Comparison On-Premises", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MESCompareDataOnPMRA", + "query": "// Version: 1.0.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeConfig_CL\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where 
WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , 
strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n//| extend WhenChanged = case(Actiontype == \"Modif\" , tostring(bin(WhenChanged,1m)), Actiontype == \"Add\",tostring(bin(WhenChanged,1m)),Actiontype == \"Remove\",\"NoInformation\",\"N/A\")\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| 
project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope, \n RecipientWriteScope, \n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", + "source": { + "name": "Microsoft Exchange Security - Exchange On-Premises", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject5').parserContentId5]", + "contentKind": "Parser", + "displayName": "Parser for MRA Configuration Data Comparison On-Premises", + "contentProductId": 
"[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", + "version": "[variables('parserObject5').parserVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject5')._parserName5]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for MRA Configuration Data Comparison On-Premises", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MESCompareDataOnPMRA", + "query": "// Version: 1.0.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeConfig_CL\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where 
WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , 
strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n//| extend WhenChanged = case(Actiontype == \"Modif\" , tostring(bin(WhenChanged,1m)), Actiontype == \"Add\",tostring(bin(WhenChanged,1m)),Actiontype == \"Remove\",\"NoInformation\",\"N/A\")\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| 
project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope, \n RecipientWriteScope, \n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataOnPMRA')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", + "source": { + "kind": "Solution", + "name": "Microsoft Exchange Security - Exchange On-Premises", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Community", + "tier": "Community", + "link": "https://github.com/Azure/Azure-Sentinel/issues" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", 
@@ -2647,7 +5644,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Least Privilege with RBAC Workbook with template version 3.1.5", + "description": "Microsoft Exchange Least Privilege with RBAC Workbook with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -2738,7 +5735,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Search AdminAuditLog Workbook with template version 3.1.5", + "description": "Microsoft Exchange Search AdminAuditLog Workbook with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -2829,7 +5826,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Admin Activity Workbook with template version 3.1.5", + "description": "Microsoft Exchange Admin Activity Workbook with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", 
@@ -2920,7 +5917,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security Review Workbook with template version 3.1.5", + "description": "Microsoft Exchange Security Review Workbook with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion4')]", 
@@ -2938,7 +5935,7 @@ }, "properties": { "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"On-Premises\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = 
iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true 
}\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nSelect your Exchange Organization and adjust the time range.\\r\\nBy default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \\\"Show Help\\\"\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange & AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"30dc6820-339d-4fa9-ad79-5d79816a5cab\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Local Administrators\",\"subTarget\":\"Server\",\"style\":\"link\"},{\"id\":\"571fa2a4-1f1e-44a2-ada0-ccfb31b9abbb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange Security Configuration\",\"subTarget\":\"SecConf\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook 
Summary\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange On-Premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. 
\\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. 
Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Configuration for the Exchange environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays several security information regarding the organization or server's configuration.\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"This section display the Exchange version and the CU installed.\\r\\n\\r\\nFor the latest build number, check this link : Exchange Build Numbers\\r\\n\\r\\nThis 
section is built from a file located in the public github repository.\\r\\nThe repository is manually updated by the team project when new CU/SU are released.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ServerVersionCheckHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\n//ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(ProcessedByServer_s)\\r\\n| extend CmdletResultType = tostring(CmdletResultType)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\\r\\n| extend Server = strcat(\\\"💻 \\\",Server)\\r\\n| extend Productname = case ( VersionNumber startswith \\\"15.02\\\", \\\"Exchange 2019\\\", VersionNumber startswith \\\"15.01\\\", \\\"Exchange 2016\\\", VersionNumber startswith \\\"15.00\\\",\\\"Exchange 
2013\\\", \\\"Exchange 2010\\\")\\r\\n| extend CU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff(CU <> \\\"\\\", CU, \\\"New CU or SU not yet in the List\\\"))\\r\\n| extend SU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff( SU <> \\\"\\\", SU, \\\"New CU or SU not yet in the List\\\"))\\r\\n|project-away CmdletResultType\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange servers CU-SU level\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersList\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(CmdletResultValue.Server)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| extend CU = iff( CU <> \\\"\\\", CU, \\\"New CU/SU not yet in the CU List\\\")\\r\\n| extend Version =strcat 
(VersionNumber,\\\"-\\\",CU,\\\"-\\\",SU)\\r\\n| summarize dcount(Server) by Version\",\"size\":0,\"showAnalytics\":true,\"title\":\"Version break down\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"ExchangeServerVersionPie\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Admin Audit Log configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The Admin Audit log stores all the actions performed on Exchange Servers (except read actions such as Get/Test).\\r\\n\\r\\nAdmin Audit Log \\r\\n\\r\\nManage Admin Audit Log \\r\\n\\r\\n\\r\\nThis can be used to track \\r\\n- Unexpected behaviors\\r\\n- Who did a modification\\r\\n- Real actions performed by an account (the output could be used with to identify the necessary privileges)\\r\\n\\r\\nℹ️ Recommendations\\r\\n- Ensure that Admin Audit Log is not disabled\\r\\n- Ensure that critical Cmdlets have not been excluded\\r\\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\\r\\n- Review the retention configuration for the Admin Audit Log content\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AdminAuditHelp\"},{\"type\":1,\"content\":{\"json\":\"Here the main settings for the Admin Audit Log. Remember that AdminAudit log need to be enabled and no cmdlet should be excluded. 
Also check the retention limit.\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\\\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\\r\\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\\r\\n| project AdminAuditLogExcludedCmdlets);\\r\\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \\\"FALSE\\\", \\\" ❌ Disabled, High Risk\\\", \\\"✅ Enabled\\\")\\r\\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\\r\\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\\r\\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\\\"❌ No AdminAuditlog recorded \\\",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\\\"⚠️ Value to low except if exported \\\",AdminAuditLogAgeLimit), strcat(\\\"✅\\\",AdminAuditLogAgeLimit)))\\r\\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\\r\\n| 
extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\\\"]') )\\r\\n| extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\\\"',\\\"\\\")\\r\\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \\\"*\\\",\\\"✅ Default configuration\\\",\\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\\\",\\\"))\\r\\n| project-away CmdletResultValue\\r\\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\",AdminAuditLogExcludedCmdlets <>\\\"\\\",\\\"⚠️ Some Cmdlets are excluded \\\",\\\"✅ No Excluded CmdLet\\\")\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Comment_AdminAuditLogCmdlets\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 0Admin Audit Log configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\"},\"name\":\"POP 
authentication configuration\"},{\"type\":1,\"content\":{\"json\":\"### POP authentication configuration\"},\"name\":\"text - 11\"},{\"type\":1,\"content\":{\"json\":\"If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\\r\\n\\r\\nPOP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations\\r\\nDisable POP on all mailboxes except those who need to actually use this protocol.\\r\\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that POP is disabled on all the mailboxes except those who really need it \\r\\n- Monitor the POP connections\\r\\n- Change the password of the application on a regular basis\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n \\r\\n Set-PopSettings\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using POP\\r\\n- Enable POP logging\\r\\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and 
authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"PopServiceHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = 
tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Pop Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"PopSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"### IMAP authentication configuration\"},\"name\":\"IMAPTitle\"},{\"type\":1,\"content\":{\"json\":\"If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\\r\\n\\r\\nIMAP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations \\r\\nDisable IMAP on all mailboxes except those which needs to use this protocol. 
Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \\r\\n- Monitor the connection\\r\\n- Regularly, change the password of the application\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n\\r\\n Set-IMAPSettings\\r\\n\\r\\n\\r\\n\\r\\nIn order to track mailboxes that are currently using IMAP\\r\\n- Enable IMAP logging\\r\\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"IMAPHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join 
(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"IMAP Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"IMAPSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Nonstandard permissions on Configuration 
Partitions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section highlights nonstandard permissions on Configuration Partition for Exchange container. By selecting Yes for Generic All buttom only delegation set for Generic All will be display. Standard, Deny and inherited permissions have been removed\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\\r\\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\\r\\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\\r\\n - SID for deleted accounts\\r\\n - Old service accounts (that may not have been disabled or removed...)\\r\\n \\r\\nWhen an administrator run setup /prepareAD, his account will be granted Generic All at the top-level Exchange container\\r\\n\\r\\nBy default, this section only displayed the Generic All permissions.\\r\\n \\r\\nThis section is built by removing all the standard AD and Exchange groups.\\r\\n\\r\\n Exchange 2013 deployment permissions reference\\r\\n \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"80f9134a-420f-47c9-b171-1ca8e72efa3e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GenericAll\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"29e2005c-3bd4-4bb8-be63-053d11abe1d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NonStandardPermissions\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": 
\\\"True\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Authenticated Users\\\", \\\"Domain Admins\\\", \\\"Enterprise Admins\\\",\\\"Schema Admins\\\", \\\"Exchange Trusted Subsystem\\\", \\\"Exchange Servers\\\",\\\"Organization Management\\\", \\\"Public Folder Management\\\",\\\"Delegated Setup\\\", \\\"ANONYMOUS LOGON\\\", \\\"NETWORK SERVICE\\\", \\\"SYSTEM\\\", \\\"Everyone\\\",\\\"Managed Availability Servers\\\"]);\\r\\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| summarize make_list(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n| where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in ({GenericAll})\\r\\n| where not (CmdletResultValue.UserString has_any (StandardGroup)) in ({NonStandardPermissions})\\r\\n| where not (CmdletResultValue.UserString has_any (Exchsrv))in ({NonStandardPermissions})\\r\\n| extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend Account = tostring(CmdletResultValue.UserString )\\r\\n| extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), 
tostring(CmdletResultValue.AccessRightsString))\\r\\n| extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n| extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n| extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n| project-away CmdletResultValue\\r\\n| sort by DN desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"AccessRights\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AccessRights\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Nonstandard permissions on Configuration Partitions\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"SecConf\"},\"name\":\"Security Configuration for the Exchange environment\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays important security configurations that allow access to all or partial mailboxes' content - Direct delegations are not listed - Example :
\\r\\n- Permissions Full Access \\r\\n- Permission on mailboxes folders\\r\\n\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n//| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" \\r\\n| where CmdletResultValue.RoleAssigneeName !in (\\\"Hygiene Management\\\",\\\"Exchange Online-ApplicationAccount\\\",\\\"Discovery Management\\\")\\r\\n| where CmdletResultValue.Role.Name contains \\\"Export\\\" or CmdletResultValue.Role.Name contains \\\"Impersonation\\\" or (CmdletResultValue.Role.Name contains \\\"Search\\\" and CmdletResultValue.Role.Name !contains \\\"MailboxSearchApplication\\\")\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of delegations for sensitive RBAC roles\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation 
Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nHelp for the role Application Impersonation\\r\\n\\r\\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\\r\\n\\r\\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. Remember to monitor the content of this group.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Role.Name contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n//| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend 
RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, 
WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to export the content all mailboxes in a scope in PST file.\\r\\nExcluded from the result as default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is a RBAC role that allows an account to export the content of any maibox in a PST. It also allows search in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. 
The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Import Export\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExportRoleHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = 
case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to 
search inside all or in a scope of mailboxes and export the result in PST.\\r\\nExcluded from the result as default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nExchange Online-ApplicationAccount\\r\\nDiscovery Management has been excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\\r\\n\\r\\n⚡ This role is very powerful.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Search\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend 
CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, 
ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"ReceiveAs/SendAs Extended Right on databases\",\"items\":[{\"type\":1,\"content\":{\"json\":\"These are delegations at the database level.\\r\\n\\r\\n**Receive As Extended Right on database's objects in the Configuration**\\r\\n\\r\\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\\r\\n\\r\\nHelp for Receive As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\\r\\n\\r\\n**Send As Extended Right on database objects in the Configuration**\\r\\n\\r\\n\\r\\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\\r\\n\\r\\nHelp for Send As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. 
When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SendAsHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique Acct\\\",\\\"SendAs Unique Acct\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of accounts with ReceiveAs/SendAs 
delegations\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_UserString\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsUsersTiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique DB\\\",\\\"SendAs Unique DB\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"ReceiveAs/SendAs database 
delegations\",\"color\":\"purple\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_Identity_Name\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsTiles\",\"styleSettings\":{\"margin\":\"25\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| summarize Count =count() by Account,DatabaseName\\r\\n| project Account,Count,DatabaseName\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"ReceiveAs Extended Right on databases\",\"noDataMessage\":\"No Receive-As 
delegation\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Account\",\"comment\":\"Account and the number of databases on which it has delegation \"}]},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"MailboxDatabaseReceiveAsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| summarize Count =count() by Account, DatabaseName\\r\\n| project Account, Count, DatabaseName\",\"size\":1,\"showAnalytics\":true,\"title\":\"SendAs Extended Right on databases\",\"noDataMessage\":\"No Send-As 
delegation\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\",\"compositeBarSettings\":{\"labelText\":\"\"}}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"},\"labelSettings\":[{\"columnId\":\"Account\",\"comment\":\"Account and the number of databases on which it has delegation \"}]}},\"customWidth\":\"50\",\"name\":\"MailboxDatabaseSendAsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ReceiveSendAs\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Local Administrators\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The following section will display the content of the local Administrators group for each server\\r\\n\\r\\n** When content refer to groups from other forests, none or partial information will be displayed and the number of Administrators may be inconsistent. **\\r\\n\\r\\nMost of the sections display the same information but with differents sorting, displays...\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"Only Exchange administrators should be members of the local Administrators group of Exchange servers.\\r\\n\\r\\nYou need to review the content of the local Administrators group on a regular basis.\\r\\n\\r\\nIt is considered a high security risk to have a discrepancy of members between the servers. \\r\\n\\r\\nIt is not recommended to have more than one local administrator accounts. Furthermore, the password should be unique on each server and regularly changed. 
A solution like LAPS could be used to manage the local administrator password.\\r\\n\\r\\nOnly Exchange administrators should be able to logon on Exchange servers.\\r\\n\\r\\nHere the default content of the local Administrators group for an Exchange server \\r\\n:\\r\\n- Administrator (this account can be renamed)\\r\\n- Domain Admins\\r\\n- Exchange Trusted Subsystem\\r\\n- Organization Management\\r\\n\\r\\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. If the service account opens sessions on other servers, it can be used for lateral movements. \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"dfffbaa4-5888-41c2-b039-dafb6110260c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"**Top 10 servers with high number of unique local Administrators members**\"},\"name\":\"text - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where 
CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| top 10 by dcount_MemberPath\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Click to see number of unique members for all servers\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Number of unique members for all servers\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local 
Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9 - Copy\"}]},\"name\":\"All servers number of members\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let allsrv = ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | where \\r\\nCmdletResultValue.IsMailboxServer== true | extend Name=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Name = tostring(trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup)))\\r\\n| distinct Name\\r\\n| project Name\\r\\n| join kind=rightanti (allsrv) on Name\\r\\n| project CmdletResultValue.Name\",\"size\":4,\"title\":\"Servers not reachable\",\"noDataMessage\":\"All server were successfully 
analyzed\",\"noDataMessageStyle\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"name\":\"query - 9 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.ServerRole <> 64\\r\\n| count\\r\\n\",\"size\":4,\"title\":\"Number of servers\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\\r\\n| count \",\"size\":4,\"title\":\"Number of Analyzed 
servers\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"This view shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\\r\\n\\r\\nConsider reviewing:\\r\\n- **nonstandard members** the Memberpath help to understand from which group the user comprised\\r\\n- **inconsistent memebrs** across servers\\r\\n\\r\\nNote that content from Trusted forests might not be displayed. \",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminPerServersHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = 
tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| summarize Count=count() by MemberPath,Parentgroup,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| project Parentgroup = strcat(\\\"💻 \\\",Parentgroup),Count,MemberPath,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| sort by Parentgroup asc \",\"size\":1,\"showAnalytics\":true,\"title\":\" Total Non standard Groups and accounts including nested groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Parentgroup\",\"formatter\":5,\"formatOptions\":{\"aggregation\":\"Count\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Parentgroup\"],\"finalBy\":\"Parentgroup\"},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Parentgroup\",\"label\":\"Server\"}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"LocalAdminPerServers\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend MemberPath 
= tostring(CmdletResultValue.MemberPath)\\r\\n| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue\\r\\n//| summarize Count=count(), Servers=make_set(Parentgroup) by MemberPath\\r\\n| summarize Count=count() by MemberPath,Parentgroup \\r\\n| sort by Count desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Non Standard accounts summary\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"MemberPath\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Member\",\"formatter\":1}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"MemberPath\"],\"expandTopLevel\":false},\"labelSettings\":[{\"columnId\":\"MemberPath\",\"label\":\"MemberPath\"},{\"columnId\":\"Parentgroup\",\"label\":\"Servers\"},{\"columnId\":\"Count\",\"label\":\"Nb Servers\"}]}},\"name\":\"LocalAdminCount\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"##### Select a server to display its content\\r\\n\\r\\nBy default only the non-standard members are displayed. 
\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19e606d9-7f3e-4d2f-a314-892da571e50a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05ef4f1c-4cf4-406f-9fb2-9ee30dc93abd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"label\":\"Show only nonstandard members\",\"type\":10,\"description\":\"Show only non standard members\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"value\":\"True\"},{\"id\":\"901bf975-426f-486b-82de-ff0d64f139bb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", 
\\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"2f7a613f-8749-44c9-b8be-844964badef8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where CmdletResultValue.Parentgroup contains \\\"{Server}\\\"\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or 
tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ Never logged\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(365d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ Password never set\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| project-away CmdletResultValue\\r\\n| sort by MemberPath asc\\r\\n| project-away Parentgroup\",\"size\":1,\"showAnalytics\":true,\"title\":\"Local Administrators group 
content\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Server\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"AdGroups\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Server\"},\"name\":\"Local Administrators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange and AD GRoup\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays the content of high privilege groups in Exchange and AD.\"},\"name\":\"text - 7\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Trusted Subsystem** group is one the two most sensistive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contains computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\\r\\n\\r\\nThis section only shows direct nonstandard members.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExchangeTrustedSubsystemHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Windows Permissions** group is one the two most sensistive groups in Exchange. This group has very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contains the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. 
\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"WindowsPermissionGroupTileHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontent = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontent)\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem group nonstandard member count\",\"noDataMessage\":\"Content of group as 
Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup1Query\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n| extend Result = iff ( CmdletResultType == \\\"Success\\\", \\\"\\\", \\\"Error in the script unable to retrieve value\\\")\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions group direct nonstandard members (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of group as 
expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup2Query\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontnet = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontnet)\\r\\n//| extend Name = strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name))\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name 
\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem nonstandard content\",\"noDataMessage\":\"Content of Exchange Trusted SubSystem as Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"ETSDetails\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| extend Name = strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name))\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name \",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of Exchange Windows Permissions as Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"WindowsPermissionsQuery\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ETS and WP Grids\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange groups from old Exchange 
version\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Groups from old Exchange version should have been removed\\r\\n- List of old groups \\r\\n\\t- Exchange Organization Administrators\\r\\n\\t- Exchange Recipient Administrators\\r\\n\\t- Exchange Public Folder Administrators\\r\\n\\t- Exchange Server Administrator\\r\\n\\t- Exchange View-Only Administrator\\r\\n\\t- Exchange Enterprise Servers (located in the root domain)\\r\\n\\t- Exchange Domain Servers : one group per domain\\r\\n\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= 
tostring(split(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"noDataMessage\":\"No groups from old versions found\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand details on the content of old groups\",\"expandable\":true,\"expanded\":false,\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"let OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization 
Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a695df39-1965-479a-ad0f-b4d3d168aaed\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\\r\\n\"},{\"id\":\"2d69bad8-0904-467a-86e6-cb0923520c18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 
10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Old Exchange groups content groups (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\\r\\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level ==0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| mv-expand CmdletResultValue.Members\\r\\n| where 
CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n| project Parentgroup, MemberPath= strcat(Parentgroup,\\\"\\\\\\\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)| join kind=inner ( ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\")\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| union OldVGroupEES,OldVGroupEDS\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| sort by 
tostring(CmdletResultValue.MemberPath) asc \\r\\n| where CmdletResultValue.Level != 0\\r\\n//| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ Never logged\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ Password never set\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n| extend MemberPath = case(ObjectClass == \\\"group\\\", strcat(\\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat(\\\"💻 \\\", MemberPath), strcat(\\\"🧑‍🦰 \\\", MemberPath))\\r\\n| project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\\r\\n\",\"size\":1,\"showAnalytics\":true,\"noDataMessage\":\"The query returned no results.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5},{\"columnMatch\":\"LastPwdSet\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5},{\"columnMatch\":\"Id\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"showPin\":true,\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 
5\"}]},\"name\":\"Exchange group from old Exchange versions\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - Organization Management\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Server Management\\r\\n - Hygiene Management\\r\\n - Exchange Servers\\r\\n - Exchange Trusted Subsystem \\r\\n - Exchange Windows Permissions\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. 
The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Summary content of most important groups\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where Parentgroup in (\\\"Organization Management\\\", \\\"Compliance Management\\\", \\\"Discovery Management\\\", \\\"Server Management\\\", \\\"Recipient Manangement\\\",\\\"Security Administrator\\\", \\\"Hygiene Management\\\", \\\"Public Folder Manangement\\\", \\\"Records Manangement\\\") or Parentgroup contains \\\"Impersonation\\\" or Parentgroup contains \\\"Export\\\"\\r\\n| sort by 
dcount_MemberPath\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand for summary content for all groups located in the OU Exchange Security Groups\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath desc\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"OU Exchange Security Groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"showPin\":false,\"name\":\"query - 0 - Copy\"}]},\"name\":\"All 
groups\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"showExportToExcel\":true,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f3b935d7-b78f-41d2-94bc-f8c878a13260\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon >\",\"type\":10,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"3343688f-e609-4822-b4ed-cdd50b77d948\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set 
>\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Exchange groups content (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = 
tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n//| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"AD Group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"High privileges AD groups can take 
control of Exchange by adding any accounts in the Exchange groups.\\r\\n\\r\\nNote that the members of the Account Operators are able to manage every AD group (except those protected by AdminSDHolder). This means they can manage the content of every high privilege Exchange groups.\\r\\n\\r\\nℹ️ It is recommended to not use this group and to monitor its changes.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ADGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"268bd356-7d05-41c3-9867-00c6ab198c5a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"showExportToExcel\":true,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},{\"id\":\"9d02cad2-f4c5-418d-976f-b88b56f80cb5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 
3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"9e591429-d8ea-40c2-80c1-2426c72c92d5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":1,\"content\":{\"json\":\"Overview of high privileges AD Groups' content.\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort 
by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n//| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"AD 
Group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays differents security configuration for transport components.\"},\"name\":\"text - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\"\\r\\n| summarize Count = countif (CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\") by Name,tostring(CmdletResultValue.Server.Name)\\r\\n\",\"size\":0,\"title\":\"Anonymous Configuration\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"yAxis\":[\"Count\"],\"group\":\"CmdletResultValue_Server_Name\",\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend Identity = tostring(Identity)\\r\\n|summarize count() by Identity\",\"size\":0,\"title\":\"OpenRelay with \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for 
Anonymous\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.AuthMechanismString contains (\\\"ExternalAuthoritative\\\")\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| summarize count() by Name,Server\\r\\n\",\"size\":0,\"title\":\"Open Relay using with Externally Secure\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all **Receive Connectors** configured configured as Open Relay with the Extended Rights \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" set on the Receive Connector object in the Configuration partition.\\r\\n\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. Depending on the configuration, the connectors may be protected by IPs. However, IP protection is not safe configuration.\\r\\n\\r\\nYou can check if the \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" ExtendedRights has been added on the Receive connector for Anonymous with PowerShell: `Get-ReceiveConnector | Get-ADPermission | ? 
{$_.ExtendedRights -like \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\"}`\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fa5f9749-d6f8-436f-ae00-cba306713bac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"14912e83-60a1-4a21-a34b-500d4662a666\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"The toogle buttom help you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project Identity,CmdletResultValue\\r\\n| extend Identity = tostring(Identity)\\r\\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\") ) on $left.Identity == $right.Name\\r\\n| where CmdletResultValue1.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue1.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue1.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue1.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| extend Server = tostring(CmdletResultValue1.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue1.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = 
make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"RCAnonymousQuery\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Authentication ExternalAuthoritative\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with authentication set to Externally Secure. With this configuration the Receive connector will be allow as Open Relay.\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. Depending on the configuration, the connectors may be protected by IP. 
However, IP protection is not safe configuration.\\r\\n\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4ef1d2a2-a13f-4bd4-9e66-2d9a15ad8a7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"description\":\"See Receive Connectors with no IP restriction\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toogle buttom help you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.AuthMechanismString contains \\\"ExternalAuthoritative\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n//| extend Bindings = iif(tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port )!=\\\"\\\",tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port),\\\",\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port))),tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port))))\\r\\n//| extend RemoteIPRanges = tostring(CmdletResultValue.RemoteIPRanges)\\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand 
BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Externally Secured Authentication\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Security Transport Configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors with Anonymous Permission\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with Anonymous authentication. It is not recommended to configure connectors with Anonymous authentication.\\r\\n\\r\\nWhen configured with Anonymous and No Ip Restriction, any machine can initiate an SMTP session with the Receive Connectors. This can then be used send emails (SPAM/Virus/Phishing....) to all the mailboxes in the organization. The mail will be seen as an internal mail and might bypass some protections.\\r\\n\\r\\nIf you absolute need this configuration because some of your application does not support Authentication, it is strongly recommended to limit the IP addresses that can establish SMTP sessions with Exchange. 
Do not use range of subnet.\\r\\n\\r\\nThis section has an option button to display \\r\\n All Receive Connectors with Anonymous (No)\\r\\n All Receive Connectors with Anonymous and with no IP Restriction (Yes)\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bcb24a01-9242-4fec-b30a-02b0583cbc87\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toogle buttom help you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with no IP restrictions\"},\"name\":\"text - 3 - 
Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Anonymous 
Permission\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Receive Connectors configure with Anonymous Permission\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- RedirectMessageTo\\r\\n- CopyTo\\r\\n\\r\\n\\r\\nFor more information :\\r\\nMail flow rules in Exchange Serve\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = 
tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"### Journal Mailboxes\"},\"name\":\"JournalMailboxHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\\r\\n\\r\\nJournal Rules should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. 
Also by default, no one should access to these mailboxes.\\r\\n\\r\\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\\r\\n\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \\\"Enabled\\\" or tostring(CmdletResultValue.Enabled)== \\\"1\\\" , \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress)\\r\\n| extend Recipient = tostring(CmdletResultValue.Recipient)\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\\r\\n| project-away CmdletResultValue\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Journal Rules configured in your environment\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"JournalQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Journal Recipients on mailbox databases configured in your environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"As Journal Recipient on databases send all the mail send 
to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\\r\\n\\r\\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. No one should have access to these mailboxes by default.\\r\\n\\r\\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\\r\\n\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalRecipientsHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.JournalRecipient !=\\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"JournalRecipientsGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses 
in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. \\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\\r\\n\\r\\nAdditional information:\\r\\n\\r\\nRemote Domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"Accepted domains set to * authorize Open Relay.\\r\\n\\r\\nMore information:\\r\\n\\r\\nAccepted 
domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.DomainName.Address == \\\"*\\\"\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend Address = \\\"* : ❌ OpenRelay configuration\\\"\\r\\n| extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n| project-away CmdletResultValue\",\"size\":1,\"showAnalytics\":true,\"title\":\"Accepted domain with *\",\"noDataMessage\":\"Accepted Domain * not confirgured (no Open Relay)\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"On-Premises\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 
'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cfc36178-c5d7-4f69-87f5-b887e722f968\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"label\":\"CompareCollect\",\"type\":10,\"description\":\"If this sesstion is checked, two collection will be compared\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": 
\\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"0a7e59b0-755e-40c9-a4e0-ec7f516e991c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"This date must be older than the date configured in the Date of configuration\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, 
Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"TimeRange - Copy\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nSelect your Exchange Organization and adjust the time range.\\r\\n**By default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \\\"Show Help\\\"**\\r\\n\\r\\nTo compare collects, choose **Yes on the toogle buttom Compare Collect ** and choose the initial date.\\r\\nDepending on the section, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\nFor some sections, you'll see Add+Remove. 
This means that an account has been added and then removed during the choosen time range.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - When a fied is modified several times in the range, only first and last values will be displayed\\r\\n - **Remove Time is displayed the date of the last collect and not the exact remove time**\\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. The goal of the comparaison is to give you a global overview of the modifications between two collects.\\r\\nFor more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality may not be available for all sections in this workbook.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange & AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"30dc6820-339d-4fa9-ad79-5d79816a5cab\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Local Administrators\",\"subTarget\":\"Server\",\"style\":\"link\"},{\"id\":\"571fa2a4-1f1e-44a2-ada0-ccfb31b9abbb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Exchange Security Configuration\",\"subTarget\":\"SecConf\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport 
Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Summary\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange On-Premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. 
\\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. 
Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Security Configuration for the Exchange Environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays several security information regarding the organization or server's configuration.\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"This section displays the Exchange version and the CU installed.\\r\\n\\r\\nFor the latest build number, check this link : Exchange Build Numbers\\r\\n\\r\\nThis 
section is built from a CSV file hosted in the public GitHub repository and fetched at query time with externaldata from https://aka.ms/ExchBuildNumber, so the query needs outbound access to that URL and uses the file content as-is.\\r\\nThe repository is manually updated by the project team when new CU/SU are released. (A delay may occur between the release of a new CU/SU and the update of the file; until then the server is reported as 'New CU or SU not yet in the List'.)\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ServerVersionCheckHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://aka.ms/ExchBuildNumber\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\n//ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(ProcessedByServer_s)\\r\\n| extend CmdletResultType = tostring(CmdletResultType)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\\r\\n| extend Server = strcat(\\\"💻 \\\",Server)\\r\\n| extend Productname = case ( VersionNumber startswith \\\"15.02\\\", \\\"Exchange 2019\\\", VersionNumber startswith \\\"15.01\\\", \\\"Exchange 2016\\\", VersionNumber startswith \\\"15.00\\\",\\\"Exchange 
2013\\\", \\\"Exchange 2010\\\")\\r\\n| extend CU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff(CU <> \\\"\\\", CU, \\\"New CU or SU not yet in the List\\\"))\\r\\n| extend SU = iff(CmdletResultType <>\\\"Success\\\", \\\"Unable to retrieve information from server\\\", iff( SU <> \\\"\\\", SU, \\\"New CU or SU not yet in the List\\\"))\\r\\n|project-away CmdletResultType\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange servers CU-SU level\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersList\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\\\"https://aka.ms/ExchBuildNumber\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExchVersion\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Minor,\\\".\\\",CmdletResultValue.AdminDisplayVersion.Build)\\r\\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\\r\\n| extend Server = tostring(CmdletResultValue.Server)\\r\\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\\r\\n| extend CU = iff( CU <> \\\"\\\", CU, \\\"New CU/SU not yet in the CU List\\\")\\r\\n| extend Version =strcat (VersionNumber,\\\"-\\\",CU,\\\"-\\\",SU)\\r\\n| summarize dcount(Server) by 
Version\",\"size\":0,\"showAnalytics\":true,\"title\":\"Version breakdown\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"ExchangeServerVersionPie\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Admin Audit Log configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The Admin Audit Log records all the actions performed on the Exchange organization (except read-only actions such as Get/Test cmdlets).\\r\\n\\r\\nAdmin Audit Log \\r\\n\\r\\nManage Admin Audit Log \\r\\n\\r\\n\\r\\nIt can be used to track:\\r\\n- Unexpected behaviors\\r\\n- Who made a modification\\r\\n- The actions actually performed by an account (the output can be used to identify the privileges it really needs, and then to reduce its privileges by creating an appropriate RBAC delegation)\\r\\n\\r\\nℹ️ Recommendations\\r\\n- Ensure that the Admin Audit Log is not disabled\\r\\n- Ensure that critical cmdlets have not been excluded (AdminAuditLogExcludedCmdlets)\\r\\n- Ensure that AdminAuditLogCmdlets is set to * (the list of audited cmdlets): an empty list means nothing is logged, and a partial list means only those cmdlets are logged\\r\\n- Review the retention configuration (AdminAuditLogAgeLimit) of the Admin Audit Log content; if the log is not exported to a SIEM, a short retention means the trace of an attacker's changes may be lost\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AdminAuditHelp\"},{\"type\":1,\"content\":{\"json\":\"Here are the main settings for the Admin Audit Log. \\r\\nRemember that the Admin Audit Log must be enabled and no cmdlet should be excluded. 
Also check the retention limit.\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\\\"https://aka.ms/CmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\\r\\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\\r\\n| project AdminAuditLogExcludedCmdlets);\\r\\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \\\"FALSE\\\", \\\" ❌ Disabled, High Risk\\\", \\\"✅ Enabled\\\")\\r\\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\\r\\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\\r\\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\\\"❌ No AdminAuditlog recorded \\\",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\\\"⚠️ Value to low except if exported \\\",AdminAuditLogAgeLimit), strcat(\\\"✅\\\",AdminAuditLogAgeLimit)))\\r\\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\\r\\n| extend AdminAuditLogCmdlets = 
substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\\\"]') )\\r\\n| extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\\\"',\\\"\\\")\\r\\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \\\"*\\\",\\\"✅ Default configuration\\\",\\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\\r\\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\\\"',\\\"\\\")\\r\\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\\\",\\\"))\\r\\n| project-away CmdletResultValue\\r\\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\",AdminAuditLogExcludedCmdlets <>\\\"\\\",\\\"⚠️ Some Cmdlets are excluded \\\",\\\"✅ No Excluded CmdLet\\\")\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Comment_AdminAuditLogCmdlets\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}}],\"rowLimit\":10000,\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"AdminAuditLogCmdlets\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, 
Parameters:string)[h\\\"https://aka.ms/CmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\\r\\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\\r\\n| project AdminAuditLogExcludedCmdlets);\\r\\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\\r\\nlet _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\n//let _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet _CurrentDateB = datetime_add('day', 1, todatetime(toscalar(_currD)));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\\r\\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\\r\\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\\r\\n | extend AdminAuditLogCmdlets = 
substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\\\"]'))\\r\\n | extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\\\"', \\\"\\\")\\r\\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \\\"*\\\", \\\"✅ Default configuration\\\", \\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\\\"', \\\"\\\")\\r\\n | project-away CmdletResultValue\\r\\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\", AdminAuditLogExcludedCmdlets <> \\\"\\\", \\\"⚠️ Some Cmdlets are excluded \\\", \\\"✅ No Excluded CmdLet\\\")\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AdminAuditLog\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\\r\\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\\r\\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\\r\\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\\r\\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\\r\\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\\\"]'))\\r\\n | extend 
AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\\\"', \\\"\\\")\\r\\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \\\"*\\\", \\\"✅ Default configuration\\\", \\\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\\\")\\r\\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\\r\\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\\r\\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\\\"', \\\"\\\")\\r\\n | project-away CmdletResultValue\\r\\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \\\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\\\", AdminAuditLogExcludedCmdlets <> \\\"\\\", \\\"⚠️ Some Cmdlets are excluded \\\", \\\"✅ No Excluded CmdLet\\\")\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffModifData = union AfterData, BeforeData\\r\\n | sort by WhenChanged asc \\r\\n | project\\r\\n WhenChanged,\\r\\n AdminAuditLogAgeLimit,\\r\\n AdminAuditLogCmdlets,\\r\\n Comment_AdminAuditLogCmdlets,\\r\\n AdminAuditLogExcludedCmdlets,\\r\\n Comment_AdminAuditLogExcludedCmdlet,\\r\\n WhenCreated\\r\\n | extend AdminAuditLogAgeLimit = iff(AdminAuditLogAgeLimit != prev(AdminAuditLogAgeLimit) and prev(AdminAuditLogAgeLimit) != \\\"\\\", strcat(\\\"📍 \\\", AdminAuditLogAgeLimit, \\\" (\\\", prev(AdminAuditLogAgeLimit), \\\"->\\\", AdminAuditLogAgeLimit, \\\" )\\\"), AdminAuditLogAgeLimit)\\r\\n | extend AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets != prev(AdminAuditLogCmdlets) and prev(AdminAuditLogCmdlets) != \\\"\\\", strcat(\\\"📍 \\\", AdminAuditLogCmdlets, \\\" (\\\", prev(AdminAuditLogCmdlets), \\\"->\\\", 
AdminAuditLogCmdlets, \\\" )\\\"), AdminAuditLogCmdlets)\\r\\n | extend Comment_AdminAuditLogCmdlets = iff(Comment_AdminAuditLogCmdlets != prev(Comment_AdminAuditLogCmdlets) and prev(Comment_AdminAuditLogCmdlets) != \\\"\\\", strcat(\\\"📍 \\\", Comment_AdminAuditLogCmdlets, \\\" (\\\", prev(Comment_AdminAuditLogCmdlets), \\\"->\\\", Comment_AdminAuditLogCmdlets, \\\" )\\\"), Comment_AdminAuditLogCmdlets)\\r\\n | extend AdminAuditLogExcludedCmdlets = iff(AdminAuditLogExcludedCmdlets != prev(AdminAuditLogExcludedCmdlets) and prev(AdminAuditLogExcludedCmdlets) != \\\"\\\", strcat(\\\"📍 \\\", AdminAuditLogExcludedCmdlets, \\\" (\\\", prev(AdminAuditLogExcludedCmdlets), \\\"->\\\", AdminAuditLogExcludedCmdlets, \\\" )\\\"), AdminAuditLogExcludedCmdlets)\\r\\n | extend Comment_AdminAuditLogExcludedCmdlet = iff(Comment_AdminAuditLogExcludedCmdlet != prev(Comment_AdminAuditLogExcludedCmdlet) and prev(Comment_AdminAuditLogExcludedCmdlet) != \\\"\\\", strcat(\\\"📍 \\\", Comment_AdminAuditLogExcludedCmdlet, \\\" (\\\", prev(Comment_AdminAuditLogExcludedCmdlet), \\\"->\\\", Comment_AdminAuditLogExcludedCmdlet, \\\" )\\\"), Comment_AdminAuditLogExcludedCmdlet)\\r\\n | extend ActiontypeR =iff(( AdminAuditLogAgeLimit contains \\\"📍\\\" or AdminAuditLogCmdlets contains \\\"📍\\\" or Comment_AdminAuditLogCmdlets contains \\\"📍\\\" or AdminAuditLogExcludedCmdlets contains \\\"📍\\\" or Comment_AdminAuditLogExcludedCmdlet contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n AdminAuditLogAgeLimit,\\r\\n AdminAuditLogCmdlets,\\r\\n Comment_AdminAuditLogCmdlets,\\r\\n AdminAuditLogExcludedCmdlets,\\r\\n Comment_AdminAuditLogExcludedCmdlet,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = 
case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n AdminAuditLogAgeLimit,\\r\\n AdminAuditLogCmdlets,\\r\\n Comment_AdminAuditLogCmdlets,\\r\\n AdminAuditLogExcludedCmdlets,\\r\\n Comment_AdminAuditLogExcludedCmdlet\",\"size\":1,\"showAnalytics\":true,\"title\":\"AdminAuditLog settings comparison\",\"noDataMessage\":\"No modification\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 3\"}]},\"name\":\"group - 0Admin Audit Log configuration\"},{\"type\":1,\"content\":{\"json\":\"### POP authentication configuration\"},\"name\":\"text - 11\"},{\"type\":1,\"content\":{\"json\":\"If the POP service is started, the LoginType must not be set to PlainText: with this setting, usernames and passwords are sent in cleartext over the network and can be captured by anyone able to intercept the traffic. As POP is enabled by default on all mailboxes, this represents a high security risk.\\r\\n\\r\\nPOP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 110. Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 110. 
However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations\\r\\nDisable POP on all mailboxes except those which really need to use this protocol.\\r\\nSet the authentication to SecureLogin, or at least to PlainTextAuthentication, and configure the client application accordingly.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that POP is disabled on all mailboxes except those that really need it \\r\\n- Monitor the POP connections\\r\\n- Rotate the password of the application regularly\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n \\r\\n Set-PopSettings\\r\\n\\r\\n\\r\\nIn order to track the mailboxes that are currently using POP (so that it can be disabled on all the others):\\r\\n- Enable POP protocol logging\\r\\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled $true\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : Get-PopSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication events\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"PopServiceHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name == (\\\"MSExchangePop3\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), 
ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Pop Authentication : should not be set as 
Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":0,\"formatOptions\":{\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"PopSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"POP settings comparaison\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n//| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == (\\\"MSExchangePop3\\\")\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), 
ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"PopSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == 
(\\\"MSExchangePop3\\\")\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangePop3BE\\\" )\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by ServerName,TimeGenerated asc\\r\\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \\\"\\\", strcat(\\\"📍 \\\", LoginType, \\\" (\\\", prev(LoginType), \\\"->\\\", LoginType, \\\" )\\\"), LoginType)\\r\\n | extend ProtocolLogEnabled = iff(ServerName == 
prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \\\"\\\", strcat(\\\"📍 \\\", ProtocolLogEnabled, \\\" (\\\", prev(ProtocolLogEnabled), \\\"->\\\", ProtocolLogEnabled, \\\" )\\\"), ProtocolLogEnabled)\\r\\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \\\"\\\", strcat(\\\"📍 \\\", Status, \\\" (\\\", prev(Status), \\\"->\\\", Status, \\\" )\\\"), Status)\\r\\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \\\"\\\", strcat(\\\"📍 \\\", StartupType, \\\" (\\\", prev(StartupType), \\\"->\\\", StartupType, \\\" )\\\"), StartupType)\\r\\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != prev(BEStatus) and prev(BEStatus) != \\\"\\\", strcat(\\\"📍 \\\", BEStatus, \\\" (\\\", prev(BEStatus), \\\"->\\\", BEStatus, \\\" )\\\"), BEStatus)\\r\\n | extend BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \\\"\\\", strcat(\\\"📍 \\\", BEStartupType, \\\" (\\\", prev(BEStartupType), \\\"->\\\", BEStartupType, \\\" )\\\"), BEStartupType)\\r\\n | extend ActiontypeR =iff((LoginType contains \\\"📍\\\" or ProtocolLogEnabled contains \\\"📍\\\" or Status contains \\\"📍\\\" or StartupType contains \\\"📍\\\" or BEStatus contains \\\"📍\\\" or BEStartupType contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus,\\r\\n BEStartupType\\r\\n;\\r\\nDiffModifData\\r\\n//| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), 
Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus, \\r\\n BEStartupType\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"Compare\"}]},\"name\":\"POP authentication configuration\"},{\"type\":1,\"content\":{\"json\":\"### IMAP authentication configuration\"},\"name\":\"IMAPTitle\"},{\"type\":1,\"content\":{\"json\":\"If the IMAP service is started, the LoginType must not be set to PlainText: with this setting, usernames and passwords are sent in cleartext over the network and can be captured by anyone able to intercept the traffic. As IMAP is enabled by default on all mailboxes, this is a high security risk.\\r\\n\\r\\nIMAP Authentication\\r\\n- **PlainText** TLS encryption is not required on port 143. Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\\r\\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\\r\\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\\r\\n\\r\\nℹ️ Recommendations \\r\\nDisable IMAP on all mailboxes except those which really need to use this protocol. 
Set the authentication to SecureLogin, or at least to PlainTextAuthentication, and configure the client application accordingly.\\r\\n\\r\\nIf the application is not able to perform this type of authentication:\\r\\n- Ensure that IMAP is disabled on all mailboxes except those that really need it \\r\\n- Monitor the IMAP connections\\r\\n- Rotate the password of the application regularly\\r\\n\\r\\nRecommended Reading : \\r\\n\\r\\nConfiguring Authentication for POP3 and IMAP4\\r\\n\\r\\n Set-IMAPSettings\\r\\n\\r\\n\\r\\n\\r\\nIn order to track the mailboxes that are currently using IMAP (so that it can be disabled on all the others):\\r\\n- Enable IMAP protocol logging\\r\\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled $true\\r\\n- Several weeks later, analyze the log content\\r\\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\\r\\n- Check for connection and authentication events\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"IMAPHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name == (\\\"MSExchangeImap4\\\")\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n| join 
(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n| extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n| extend Status = tostring(Status)\\r\\n| extend BackendEndService= tostring(ServiceName1)\\r\\n| extend StartupType = tostring(StartupType)\\r\\n| extend BEStatus = tostring(Status1)\\r\\n| extend BEStartupType = tostring(StartupType1)\\r\\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n| sort by ServerName asc\",\"size\":1,\"showAnalytics\":true,\"title\":\"IMAP Authentication : should not be set as Plaintext\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"LoginType\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"LoginType\"],\"finalBy\":\"LoginType\"}}},\"name\":\"IMAPSettingsQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = 
\\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n//| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == (\\\"MSExchangeImap4\\\")\\r\\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", 
iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"IMAPSettings\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name == (\\\"MSExchangeImap4\\\")\\r\\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\\r\\n | join (ExchangeConfiguration(SpecificSectionList=\\\"POPIMAPServicesStatus\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | where CmdletResultValue.Name contains (\\\"MSExchangeIMAP4BE\\\" )\\r\\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\\r\\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\\r\\n | extend LoginType = 
iff(CmdletResultValue.LoginType== 1 , \\\"⛔ PlainText, High Risk\\\", iff(CmdletResultValue.LoginType== 2, \\\"⚠️ PlainTextAuthentication\\\",\\\"✅ SecureLogin\\\"))\\r\\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\\r\\n | extend ServiceName = iff(tostring(ServiceName)==\\\"\\\", \\\"Service Status not retrieved\\\",tostring(ServiceName))\\r\\n | extend Status = tostring(Status)\\r\\n | extend BackendEndService= tostring(ServiceName1)\\r\\n | extend StartupType = tostring(StartupType)\\r\\n | extend BEStatus = tostring(Status1)\\r\\n | extend BEStartupType = tostring(StartupType1)\\r\\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\\r\\n | sort by ServerName asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by ServerName,TimeGenerated asc\\r\\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \\\"\\\", strcat(\\\"📍 \\\", LoginType, \\\" (\\\", prev(LoginType), \\\"->\\\", LoginType, \\\" )\\\"), LoginType)\\r\\n | extend ProtocolLogEnabled = iff(ServerName == prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \\\"\\\", strcat(\\\"📍 \\\", ProtocolLogEnabled, \\\" (\\\", prev(ProtocolLogEnabled), \\\"->\\\", ProtocolLogEnabled, \\\" )\\\"), ProtocolLogEnabled)\\r\\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \\\"\\\", strcat(\\\"📍 \\\", Status, \\\" (\\\", prev(Status), \\\"->\\\", Status, \\\" )\\\"), Status)\\r\\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \\\"\\\", strcat(\\\"📍 \\\", StartupType, \\\" (\\\", prev(StartupType), \\\"->\\\", StartupType, \\\" )\\\"), StartupType)\\r\\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != 
prev(BEStatus) and prev(BEStatus) != \\\"\\\", strcat(\\\"📍 \\\", BEStatus, \\\" (\\\", prev(BEStatus), \\\"->\\\", BEStatus, \\\" )\\\"), BEStatus)\\r\\n | extend BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \\\"\\\", strcat(\\\"📍 \\\", BEStartupType, \\\" (\\\", prev(BEStartupType), \\\"->\\\", BEStartupType, \\\" )\\\"), BEStartupType)\\r\\n | extend ActiontypeR =iff((LoginType contains \\\"📍\\\" or ProtocolLogEnabled contains \\\"📍\\\" or Status contains \\\"📍\\\" or StartupType contains \\\"📍\\\" or BEStatus contains \\\"📍\\\" or BEStartupType contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n Actiontype,\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus,\\r\\n BEStartupType\\r\\n;\\r\\nDiffModifData\\r\\n//| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n ServerName,\\r\\n LoginType,\\r\\n ProtocolLogEnabled,\\r\\n Status,\\r\\n StartupType,\\r\\n BEStatus, \\r\\n BEStartupType\",\"size\":1,\"showAnalytics\":true,\"title\":\"IMAP settings comparaison\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"Compare - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Nonstandard permissions on Configuration Partitions\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This 
section highlights nonstandard permissions on the Exchange container in the Configuration Partition. By selecting Yes for **Generic All** button, only delegations set to Generic All will be displayed. \\r\\nAlso Standard, Deny and inherited permissions have been removed\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\\r\\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\\r\\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\\r\\n - SID for deleted accounts\\r\\n - Old service accounts (that may not have been disabled or removed...)\\r\\n \\r\\nWhen an administrator runs setup /PrepareAD, his account will be granted Generic All at the top-level Exchange container\\r\\n\\r\\nBy default, this section only displayed the **Generic All** permissions.\\r\\n \\r\\nThis section is built by removing all the standard AD and Exchange groups.\\r\\n\\r\\n Exchange 2013 deployment permissions reference\\r\\n \\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"80f9134a-420f-47c9-b171-1ca8e72efa3e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"GenericAll\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"29e2005c-3bd4-4bb8-be63-053d11abe1d4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NonStandardPermissions\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": 
\\\"Yes\\\", \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Authenticated Users\\\", \\\"Domain Admins\\\", \\\"Enterprise Admins\\\",\\\"Schema Admins\\\", \\\"Exchange Trusted Subsystem\\\", \\\"Exchange Servers\\\",\\\"Organization Management\\\", \\\"Public Folder Management\\\",\\\"Delegated Setup\\\", \\\"ANONYMOUS LOGON\\\", \\\"NETWORK SERVICE\\\", \\\"SYSTEM\\\", \\\"Everyone\\\",\\\"Managed Availability Servers\\\"]);\\r\\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| summarize make_list(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n| where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in ({GenericAll})\\r\\n| where not (CmdletResultValue.UserString has_any (StandardGroup)) in ({NonStandardPermissions})\\r\\n| where not (CmdletResultValue.UserString has_any (Exchsrv))in ({NonStandardPermissions})\\r\\n| extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend Account = tostring(CmdletResultValue.UserString )\\r\\n| extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n| extend ExtendedRights = 
iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n| extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n| extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n| project-away CmdletResultValue\\r\\n| sort by DN desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"DN\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"DN\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Authenticated Users\\\", \\\"Domain Admins\\\", \\\"Enterprise Admins\\\", \\\"Schema Admins\\\", \\\"Exchange Trusted Subsystem\\\", \\\"Exchange Servers\\\", \\\"Organization Management\\\", \\\"Public Folder Management\\\", \\\"Delegated Setup\\\", \\\"ANONYMOUS LOGON\\\", \\\"NETWORK SERVICE\\\", \\\"SYSTEM\\\", \\\"Everyone\\\", \\\"Managed Availability Servers\\\"]);\\r\\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B119E5', Target = \\\"On-Premises\\\")\\r\\n | summarize make_list(CmdletResultValue.Name);\\r\\nlet _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = 
tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"PartConfPerm\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n | where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in (True, False)\\r\\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\\r\\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\\r\\n | extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend Account = tostring(CmdletResultValue.UserString )\\r\\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Name,Account desc\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on AllInfo \\r\\n | distinct \\r\\n Name, \\r\\n Account, \\r\\n AccessRights, \\r\\n ExtendedRights, \\r\\n 
InheritanceType, \\r\\n DN,\\r\\n AllInfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n | where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in (True, False)\\r\\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\\r\\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\\r\\n | extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend Account = tostring(CmdletResultValue.UserString )\\r\\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Name,Account desc\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"PartConfPerm\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Deny !contains \\\"True\\\" and CmdletResultValue.IsInherited !contains \\\"True\\\"\\r\\n | where (CmdletResultValue.AccessRights == \\\"[983551]\\\") in (True, False)\\r\\n | where 
not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\\r\\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\\r\\n | extend Name = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend Account = tostring(CmdletResultValue.UserString )\\r\\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \\\"GenericAll\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\\r\\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \\\"-As\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\\r\\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\\r\\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\\r\\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Name,Account desc\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on AllInfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on AllInfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on AllInfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Name, \\r\\n Account, \\r\\n AccessRights, \\r\\n ExtendedRights, \\r\\n InheritanceType, \\r\\n DN \\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on AllInfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", 
Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Name, \\r\\n Account, \\r\\n AccessRights, \\r\\n ExtendedRights, \\r\\n InheritanceType, \\r\\n DN \",\"size\":1,\"showAnalytics\":true,\"title\":\"Compare NonStandard Permissions for Exchange Container in the Configuration Partition\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"Compare - Copy - Copy\"}]},\"name\":\"Nonstandard permissions on Configuration Partitions\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"SecConf\"},\"name\":\"Security Configuration for the Exchange environment\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays important security configurations that allow access to all or partial mailboxes' content - Direct delegations are not listed - Example :
\\r\\n- Permissions Full Access \\r\\n- Permission on mailboxes folders\\r\\n\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| where CmdletResultValue.RoleAssigneeName !in (\\\"Hygiene Management\\\",\\\"Exchange Online-ApplicationAccount\\\",\\\"Discovery Management\\\")\\r\\n| where CmdletResultValue.Role.Name == \\\"Mailbox Import Export\\\" or CmdletResultValue.Role.Name == \\\"ApplicationImpersonation\\\" or (CmdletResultValue.Role.Name == \\\"Mailbox Search\\\")\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of delegations for sensitive RBAC roles\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated accounts to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as default configuration :\\r\\n- The Delegating delegation for this role assigned to Organization Management\\r\\n- Hygiene Management group 
as it is a default delegation\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nHelp for the role Application Impersonation\\r\\n\\r\\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\\r\\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\\r\\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. Remember to monitor the content of this group.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList})\\r\\n| where CmdletResultValue.Role.Name == \\\"ApplicationImpersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = 
case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, 
WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssignmentDelegationType\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssignmentDelegationType\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataOnPMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"On-Premises\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**Remove Time is displayed the date of the last collect and not the exact remove time**\"},\"name\":\"text - 4\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to export the content all mailboxes in a scope in PST file.\\r\\nExcluded from the result as default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is a RBAC role that allows an 
account to export the content of any maibox in a PST. It also allows the delegated account to perform searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Import Export\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- Create an empty group with this delegation\\r\\n- Monitor the group content and alert when the group content is modified\\r\\n- Add administrators in this group only for a short period of time\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExportRoleHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name == \\\"Mailbox Import Export\\\" and CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", 
CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", \\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 
1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataOnPMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"On-Premises\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"export\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**Remove Time is displayed the date of the last collect and not the exact remove time**\"},\"name\":\"text - 4\"}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to search inside all or in a scope of mailboxes and export the result in PST.\\r\\nExcluded from the result as default configuration :\\r\\n- The Delegating delegation for this role assigned to Organization Management\\r\\n- Delegation for the account Exchange Online-Application\\r\\n- Delegation for the group Discovery Management \\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\\r\\n\\r\\n⚡ This role is very powerful.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. 
The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nHelp for the role Mailbox Search\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- Temporarily add the administrators in the Discovery Management group\\r\\n- Monitor the group content and alert when the group is modified\\r\\n- Add administrators in this group only for a short period of time\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Role.Name == \\\"Mailbox Search\\\" and CmdletResultValue.RoleAssignmentDelegationType !=\\\"6\\\" \\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \\\"0\\\" or CmdletResultValue.RoleAssigneeType== \\\"2\\\" , \\\"User\\\", CmdletResultValue.RoleAssigneeType== \\\"10\\\",\\\"Group\\\",\\\"LinkedGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\\r\\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.RecipientWriteScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientWriteScope==\\\"3\\\",\\\"MyGAL\\\", CmdletResultValue.RecipientWriteScope==\\\"4\\\",\\\"Self\\\",CmdletResultValue.RecipientWriteScope==\\\"7\\\", 
\\\"CustomRecipientScope\\\",CmdletResultValue.RecipientWriteScope==\\\"8\\\",\\\"MyDistributionGroups\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\\\"0\\\",\\\"None\\\",CmdletResultValue.ConfigWriteScope==\\\"7\\\",\\\"CustomConfigScope\\\",CmdletResultValue.ConfigWriteScope==\\\"10\\\",\\\"OrganizationConfig\\\",\\\"NotApplicable\\\")\\r\\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \\\"0\\\" , \\\"None\\\", \\\"OrganizationConfig\\\")\\r\\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\\\"2\\\",\\\"Organization\\\",CmdletResultValue.RecipientReadScope==\\\"3\\\",\\\"MyGAL\\\",CmdletResultValue.RecipientReadScope==\\\"4\\\",\\\"Self\\\",\\\"NotApplicable\\\")\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\\\"6\\\" , \\\"Delegating\\\", \\\"Regular\\\") \\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\\\"👪 \\\", tostring(CmdletResultValue.RoleAssigneeName)) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let 
ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataOnPMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"On-Premises\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Search\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"**Remove Time is displayed the date of the last collect and not the exact remove time**\"},\"name\":\"text - 4\"}]},\"name\":\"Mailbox Search Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"ReceiveAs/SendAs Extended Right on databases\",\"items\":[{\"type\":1,\"content\":{\"json\":\"These sections display delegations at the database level (the database Object, not the container) ..\\r\\n\\r\\n**Receive As Extended Right on database's objects in the Configuration**\\r\\n\\r\\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\\r\\n\\r\\nHelp for Receive As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person. 
This account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers.\\r\\nChange the password as often as possible.\\r\\n\\r\\n**Send As Extended Right on database objects in the Configuration**\\r\\n\\r\\n\\r\\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\\r\\n\\r\\nHelp for Send As Permission\\r\\n\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.\\r\\nThis account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers. \\r\\nChange the password as often as possible.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SendAsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"eb0af112-df51-47f5-8849-b3ee764fa72d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IsInherited\",\"label\":\"Included Inherited deleg\",\"type\":10,\"description\":\"Yes Show all the delegations (Databases object and Database Containers), No only databases objects\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"false\\\", \\\"label\\\": \\\"No\\\" , \\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"true, false\\\", \\\"label\\\": \\\"Yes\\\"}\\r\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"true, false\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 
7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique Acct\\\",\\\"SendAs Unique Acct\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Number of accounts with ReceiveAs/SendAs delegations\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_UserString\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsUsersTiles\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| union 
ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \\\"MailboxDatabaseReceiveAs\\\",\\\"ReceiveAs Unique DB\\\",\\\"SendAs Unique DB\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Databases with ReceiveAs/SendAs delegations\",\"color\":\"purple\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Column1\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_Identity_Name\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"Column1\",\"sortOrderField\":1}},\"customWidth\":\"50\",\"name\":\"ReceiveAsTiles\",\"styleSettings\":{\"margin\":\"25\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n| summarize Count =count() by 
Account,DatabaseName,IsInherited\\r\\n| project Account,Count,DatabaseName,IsInherited\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"ReceiveAs Extended Right on databases\",\"noDataMessage\":\"No Receive-As delegation\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":8,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Account\",\"comment\":\"Account and the number of databases on which it has delegation \"}]},\"sortBy\":[{\"itemKey\":\"$gen_count_$gen_group_0\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"MailboxDatabaseReceiveAsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n| extend Account = tostring(CmdletResultValue.UserString)\\r\\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n| summarize Count =count() by Account,DatabaseName,IsInherited\\r\\n| project Account,Count,DatabaseName,IsInherited\",\"size\":1,\"showAnalytics\":true,\"title\":\"SendAs Extended Right on 
databases\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Account\",\"formatter\":5}],\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Account\"],\"finalBy\":\"Account\"}}},\"customWidth\":\"50\",\"name\":\"SendAs Extended Right on databases\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"MailboxDatabaseReceiveAs\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseReceiveAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where 
(CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited\",\"size\":3,\"showAnalytics\":true,\"title\":\"Comparaison ReceiveAs\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = 
\\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"MailboxDatabaseSendAs\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = 
tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MailboxDatabaseSendAs\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue <> \\\"{'Error':'EmptyResult'}\\\"\\r\\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\\r\\n | extend Account = tostring(CmdletResultValue.UserString)\\r\\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\\r\\n | extend Allinfo = strcat(Account,DatabaseName)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Account\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited,\\r\\n Allinfo\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), 
\\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Account,\\r\\n DatabaseName,\\r\\n IsInherited\",\"size\":3,\"showAnalytics\":true,\"title\":\"Comparaison SendAs\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5 - Copy\"}]},\"name\":\"ReceiveSendAs\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Local Administrators\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The following section will display the content of the local Administrators group for each server\\r\\n\\r\\n** When content refers to groups from other forests, none or partial information will be displayed, and the number of Administrators may be inconsistent. **\\r\\n\\r\\nMost of the sections display the same information but with different sorting, views...\\r\\nIf an SID is part of the local Administrators group, it won't be displayed due to a collect limitation.\"},\"name\":\"text - 12\"},{\"type\":1,\"content\":{\"json\":\"Only Exchange administrators should be members of the local Administrators group of Exchange servers.\\r\\n\\r\\nYou need to review the content of the local Administrators group on a regular basis. Ensure that the content is enforced by GPO.\\r\\n\\r\\nIt is considered as a high security risk to have a discrepancy of members between the servers. \\r\\n\\r\\nIt is not recommended to have more than one local Administrator accounts. Furthermore, the password should be unique on each server and regularly changed. 
A solution like LAPS could be used to manage the local administrator password.\\r\\n\\r\\nOnly Exchange administrators should be able to logon on Exchange servers.\\r\\n\\r\\nHere the default content of the local Administrators group for an Exchange server \\r\\n:\\r\\n- Administrator (this account can be renamed)\\r\\n- Domain Admins\\r\\n- Exchange Trusted Subsystem\\r\\n- Organization Management\\r\\n\\r\\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. If the service account opens sessions on other servers, it can be used for lateral movements.\\r\\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"dfffbaa4-5888-41c2-b039-dafb6110260c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"**Yes** : display all content including the default Groups : Default groups after the installation of Exchange\\r\\n\\r\\n**No** : display only content of non standard Groups\"},\"name\":\"text - 15\"},{\"type\":1,\"content\":{\"json\":\"**Top 10 servers with high number of unique local Administrators members**\"},\"name\":\"text - 
13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| top 10 by dcount_MemberPath\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Click to see number of unique members for every servers in the organization\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Number of unique members for all servers\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange 
Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| where ObjectClass !contains \\\"group\\\"\\r\\n| summarize dcount(MemberPath) by Parentgroup\\r\\n| sort by dcount_MemberPath\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"name\":\"query - 9 - Copy\"}]},\"name\":\"All servers number of members\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let allsrv = ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | where \\r\\nCmdletResultValue.IsMailboxServer== true | extend Name=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| where 
CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Name = tostring(trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup)))\\r\\n| distinct Name\\r\\n| project Name\\r\\n| join kind=rightanti (allsrv) on Name\\r\\n| project CmdletResultValue.Name\",\"size\":4,\"title\":\"Servers not reachable during the collect\",\"noDataMessage\":\"All server were successfully analyzed\",\"noDataMessageStyle\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":true}},\"name\":\"query - 9 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.ServerRole <> 64\\r\\n| count\\r\\n\",\"size\":4,\"title\":\"Total number of servers in the Organizaton\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| 
extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\\r\\n| count \",\"size\":4,\"title\":\"Number of Analyzed servers\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 9 - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"This Tab shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\\r\\n\\r\\nConsider reviewing:\\r\\n- **nonstandard members** : the Memberpath help to understand from which group inclusion the user come from\\r\\n- **inconsistent members** across servers\\r\\n\\r\\nNote that content from Trusted forests might not be displayed. \",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"LocalAdminPerServersHelp\"},{\"type\":1,\"content\":{\"json\":\"This tabled shows a comparaison of the content between two dates.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"LocalAdminPerServersHelp - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"590a6eb9-3349-46cd-ace1-cae9aac1f26a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend 
Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 18\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nlet _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"LocalAminGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend Allinfo = strcat(Parentgroup,MemberPath)\\r\\n| sort by Parentgroup asc\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n Parentgroup,\\r\\n MemberPath, \\r\\n Level, \\r\\n ObjectClass, \\r\\n LastLogon, \\r\\n LastPwdSet, \\r\\n Enabled, \\r\\n DN,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = 
tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend Allinfo = strcat(Parentgroup,MemberPath)\\r\\n| sort by Parentgroup asc\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| extend Allinfo = strcat(Parentgroup,MemberPath)\\r\\n| sort by Parentgroup asc\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n | project \\r\\n Actiontype,\\r\\n Parentgroup,\\r\\n MemberPath, \\r\\n Level, \\r\\n ObjectClass, \\r\\n LastLogon, \\r\\n LastPwdSet, \\r\\n Enabled, \\r\\n 
DN\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Parentgroup, \\r\\n MemberPath, \\r\\n Level, \\r\\n ObjectClass, \\r\\n LastLogon, \\r\\n LastPwdSet, \\r\\n Enabled, \\r\\n DN\\r\\n| where Parentgroup contains \\\"{Server}\\\"\",\"size\":3,\"showAnalytics\":true,\"title\":\"To view the comparaison for one specific server, select a server in the dropdown list\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"query - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastPwdSet = 
tostring(CmdletResultValue.LastPwdSetString)\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| summarize Count=count() by MemberPath,Parentgroup,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| project Parentgroup = strcat(\\\"💻 \\\",Parentgroup),Count,MemberPath,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\\r\\n| sort by Parentgroup asc \",\"size\":1,\"showAnalytics\":true,\"title\":\" Total per server of Non standard Groups and accounts including nested groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Parentgroup\",\"formatter\":5,\"formatOptions\":{\"aggregation\":\"Count\"}},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"aggregation\":\"Sum\"}}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Parentgroup\"],\"finalBy\":\"Parentgroup\"},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"Parentgroup\",\"label\":\"Server\"}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"LocalAdminPerServers\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| 
extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend MemberPath = case( ObjectClass == \\\"group\\\", strcat( \\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat( \\\"💻 \\\", MemberPath), strcat( \\\"🧑‍🦰 \\\", MemberPath) )\\r\\n| project-away CmdletResultValue\\r\\n//| summarize Count=count(), Servers=make_set(Parentgroup) by MemberPath\\r\\n| summarize Count=count() by MemberPath,Parentgroup \\r\\n| sort by Count desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Non Standard accounts summary for all servers\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Group\",\"formatter\":1},{\"columnMatch\":\"MemberPath\",\"formatter\":5},{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}},{\"columnMatch\":\"Member\",\"formatter\":1}],\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"MemberPath\"],\"expandTopLevel\":false},\"labelSettings\":[{\"columnId\":\"MemberPath\",\"label\":\"MemberPath\"},{\"columnId\":\"Parentgroup\",\"label\":\"Servers\"},{\"columnId\":\"Count\",\"label\":\"Nb Servers\"}]}},\"name\":\"LocalAdminCount\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"##### Select a server to display its content\\r\\n\\r\\nBy default only the non-standard members are displayed. 
\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"19e606d9-7f3e-4d2f-a314-892da571e50a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level == 1\\r\\n| project CmdletResultValue\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\\r\\n| distinct Parentgroup = Parentgroup\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"05ef4f1c-4cf4-406f-9fb2-9ee30dc93abd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Limited\",\"label\":\"Show only nonstandard members\",\"type\":10,\"description\":\"Show only non standard members\",\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"value\":\"True\"},{\"id\":\"901bf975-426f-486b-82de-ff0d64f139bb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": 
\\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"2f7a613f-8749-44c9-b8be-844964badef8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let StandardGroup = dynamic([\\\"Administrator\\\", \\\"Domain Admins\\\",\\\"Exchange Trusted Subsystem\\\",\\\"Organization Management\\\", \\\"Admins du domaine\\\"]);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"LocalAminGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Level != 0 \\r\\n| where CmdletResultValue.Parentgroup contains \\\"{Server}\\\"\\r\\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup)) in ({Limited})\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring 
(CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = trim_end(@'\\\\\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ Never logged\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(365d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ Password never set\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| project-away CmdletResultValue\\r\\n| sort by MemberPath asc\\r\\n| project-away Parentgroup\",\"size\":1,\"showAnalytics\":true,\"title\":\"Local Administrators group 
content\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Server\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"AdGroups\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Server\"},\"name\":\"Local Administrators\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange and AD GRoup\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays the content of high privilege groups in Exchange and AD.\"},\"name\":\"text - 7\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Trusted Subsystem** group is one of the two most sensitive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contain computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\\r\\n\\r\\nThis section only shows direct nonstandard members.\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ExchangeTrustedSubsystemHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Exchange Windows Permissions** group is one of the two most sensitive groups in Exchange. This group has very high privileges in AD.\\r\\n\\r\\nExchange 2013 deployment permissions reference\\r\\n\\r\\nThis group should only contain the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. 
\",\"style\":\"info\"},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"WindowsPermissionGroupTileHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontent = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontent)\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem group nonstandard member count\",\"noDataMessage\":\"Content of group as 
Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup1Query\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n| extend Result = iff ( CmdletResultType == \\\"Success\\\", \\\"\\\", \\\"Error in the script unable to retrieve value\\\")\\r\\n| summarize MyCount=countif( CmdletResultType == \\\"Success\\\") by CmdletResultType\\r\\n| project Result = iff ( CmdletResultType == \\\"Success\\\", tostring(MyCount), \\\"\\\")\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions group direct nonstandard members (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of group as 
expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletResultValue_Name\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Result\",\"formatter\":12,\"formatOptions\":{\"palette\":\"hotCold\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3},\"emptyValCustomText\":\"ScriptError\"}},\"showBorder\":true}},\"customWidth\":\"50\",\"name\":\"ExchangeServersTileGroup2Query\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETSValidcontnet = union kind=outer (ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(CmdletResultValue.Name)), (ExchangeConfiguration(SpecificSectionList=\\\"DAG\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")| project Name = tostring(Identity));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ETS\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETSValidcontnet)\\r\\n//| extend Name = strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name))\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name \",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Trusted SubSystem nonstandard content\",\"noDataMessage\":\"Content of Exchange Trusted SubSystem as 
Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"ETSDetails\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ETScontent = ExchangeConfiguration(SpecificSectionList=\\\"ETS\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") | project Name = tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"EWP\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \\\"Exchange Trusted Subsystem\\\"\\r\\n| extend Name = iff(CmdletResultType == \\\"Success\\\", strcat (\\\"⛔\\\",tostring(CmdletResultValue.Name)),\\\"Script was unable to retrieve data\\\")\\r\\n| project Name \",\"size\":1,\"showAnalytics\":true,\"title\":\"Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)\",\"noDataMessage\":\"Content of Exchange Windows Permissions as Expected\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"WindowsPermissionsQuery\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ETS and WP Grids\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange groups from old Exchange version\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Groups from the old Exchange version should have been removed\\r\\n- List of old groups \\r\\n\\t- Exchange Organization Administrators\\r\\n\\t- Exchange Recipient 
Administrators\\r\\n\\t- Exchange Public Folder Administrators\\r\\n\\t- Exchange Server Administrator\\r\\n\\t- Exchange View-Only Administrator\\r\\n\\t- Exchange Enterprise Servers (located in the root domain)\\r\\n\\t- Exchange Domain Servers : one group per domain\\r\\n\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"If still exist, this section showed a summary of the content of old groups\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath), \\\"\\\\\\\\\\\")])\\r\\n| summarize 
dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath\\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"noDataMessage\":\"No groups from old versions found\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand this section to details on the content of the old groups\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"Please select a group\"},\"name\":\"text - 5\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"let OldVGroup = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")| where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"| extend Parentgroup = tostring(CmdletResultValue.Parentgroup));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public 
Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\") |union OldVGroup\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a695df39-1965-479a-ad0f-b4d3d168aaed\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\\r\\n\"},{\"id\":\"2d69bad8-0904-467a-86e6-cb0923520c18\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Old Exchange groups content 
groups (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\\r\\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level ==0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | mv-expand CmdletResultValue.Members\\r\\n | where CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n | project Parentgroup, MemberPath= strcat(Parentgroup,\\\"\\\\\\\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = 
tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\\r\\n | join kind=inner ( ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\", SpecificConfigurationEnv={EnvironmentList}, Target = \\\"On-Premises\\\") \\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\")\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | union OldVGroupEES,OldVGroupEDS\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n | where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n | sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n | where CmdletResultValue.Level != 0\\r\\n | extend LastLogon = 
tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ Never logged\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ Password never set\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend MemberPath = case(ObjectClass == \\\"group\\\", strcat(\\\"👪 \\\", MemberPath), ObjectClass == \\\"computer\\\", strcat(\\\"💻 \\\", MemberPath), strcat(\\\"🧑‍🦰 \\\", MemberPath))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Selected group content\",\"noDataMessage\":\"The query returned no results.\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5},{\"columnMatch\":\"LastPwdSet\",\"formatter\":0,\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},{\"columnMatch\":\"ParentId\",\"formatter\":5},{\"columnMatch\":\"Id\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"showPin\":true,\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList 
={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeDataEES=\\r\\n (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled));\\r\\nlet BeforeDataEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level == 0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | mv-expand CmdletResultValue.Members\\r\\n | where CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n | project\\r\\n Parentgroup,\\r\\n 
MemberPath= strcat(Parentgroup, \\\"\\\\\\\\\\\", CmdletResultValue_Members.name),\\r\\n Level = tostring(1),\\r\\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\\r\\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\\r\\n ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\\r\\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='B13', Target = \\\"On-Premises\\\")\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\\r\\n on ObjectGuid); \\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\")\\r\\n | union BeforeDataEES, BeforeDataEDS\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | 
extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AfterDataEES=\\r\\n (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where (CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\") or CmdletResultValue.Parentgroup == \\\"Exchange Services\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled));\\r\\nlet AfterDataEDS = (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\" and CmdletResultValue.Level == 0\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | mv-expand CmdletResultValue.Members\\r\\n | where CmdletResultValue_Members.objectClass == \\\"group\\\"\\r\\n | project\\r\\n Parentgroup,\\r\\n MemberPath= strcat(Parentgroup, 
\\\"\\\\\\\\\\\", CmdletResultValue_Members.name),\\r\\n Level = tostring(1),\\r\\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\\r\\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\\r\\n ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\\r\\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Parentgroup == \\\"Exchange Enterprise Servers\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\\r\\n on ObjectGuid); \\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | union AfterDataEES, AfterDataEDS\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), 
CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"ExGroup\\\" or Section_s == \\\"ADGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | where CmdletResultValue.Parentgroup in (\\\"Exchange Organization Administrators\\\", \\\"Exchange Recipient Administrators\\\", \\\"Exchange Public Folder Administrators\\\", \\\"Exchange Server Administrator\\\", \\\"Exchange View-Only Administrator\\\", \\\"Exchange Enterprise Servers\\\" , \\\"Exchange Services\\\")\\r\\n //| where CmdletResultValue.MemberPath != @\\\"Exchange Enterprise Servers\\\\Exchange Domain Servers\\\"\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | 
extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n ;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on MemberPath \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData ) on MemberPath\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n| join kind = innerunique (BeforeData ) on MemberPath\\r\\n| extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\\r\\n| extend Actiontype =\\\"Add/Remove\\\"\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on MemberPath\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype),\\\"N/A\\\")\\r\\n| where MemberPath <> \\\"Exchange Enterprise Servers\\\\\\\\Exchange Domain Servers\\\"\\r\\n| project\\r\\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Compare of the contents of selected old 
group\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"ExchangeServersGroupsGrid - Compare\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 5\"}]},\"name\":\"Exchange group from old Exchange versions\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account is a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required permissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the required permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - Organization Management\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Server Management\\r\\n - Hygiene Management\\r\\n - Exchange Servers\\r\\n - Exchange Trusted Subsystem \\r\\n - Exchange Windows Permissions\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. 
The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\\r\\n\\r\\nHelp for Built-in role groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Summary content of most important groups\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| where Parentgroup in (\\\"Organization Management\\\", \\\"Compliance Management\\\", \\\"Discovery Management\\\", \\\"Server Management\\\", \\\"Recipient Manangement\\\",\\\"Security Administrator\\\", \\\"Hygiene Management\\\", \\\"Public Folder Manangement\\\", \\\"Records Manangement\\\") or Parentgroup contains \\\"Impersonation\\\" or Parentgroup contains \\\"Export\\\"\\r\\n| sort by 
dcount_MemberPath\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"name\":\"query - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Expand for summary content for all groups located in the OU Exchange Security Groups\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.Level != 0 and CmdletResultValue.ObjectClass !contains \\\"group\\\"\\r\\n| extend MemberPath= tostring(split(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")[countof(tostring(CmdletResultValue.MemberPath),\\\"\\\\\\\\\\\")])\\r\\n| summarize dcount(tostring(MemberPath)) by Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| sort by dcount_MemberPath desc\\r\\n\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"OU Exchange Security Groups\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Parentgroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_MemberPath\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true}},\"showPin\":false,\"name\":\"query - 0 - Copy\"}]},\"name\":\"All groups\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":1,\"content\":{\"json\":\"Please select a group\"},\"name\":\"text - 5 - 
Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"showExportToExcel\":true,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f3b935d7-b78f-41d2-94bc-f8c878a13260\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon >\",\"type\":10,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"},{\"id\":\"3343688f-e609-4822-b4ed-cdd50b77d948\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set >\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ 
\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"Exchange groups content (Extract for the OU \\\"Microsoft Exchange Security Groups\\\").\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = 
tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | 
summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"ExGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n ;\\r\\nlet AlldataUnique = 
allDataRange\\r\\n | join kind = innerunique (allDataRange) on MemberPath \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | 
search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData ) on MemberPath\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n| join kind = innerunique (BeforeData ) on MemberPath\\r\\n| extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\\r\\n| extend Actiontype =\\\"Add/Remove\\\"\\r\\n| project \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n Actiontype,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet 
DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on MemberPath\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype),\\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\",\"size\":3,\"showAnalytics\":true,\"title\":\"Add/Remove information in selected group\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"ExchangeServersGroupsGrid - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)\"},\"name\":\"text - 7\"}]},\"name\":\"Exchange group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"AD Group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Please select a group\"},\"name\":\"text - 5 - Copy\"},{\"type\":1,\"content\":{\"json\":\"High privileges AD groups can take control of Exchange by adding any accounts in the Exchange groups.\\r\\n\\r\\nNote that the members of the Account Operators are able to manage every AD group (except those protected by AdminSDHolder). 
This means they can manage the content of every high privilege Exchange groups.\\r\\n\\r\\nℹ️ It is recommended to not use this group and to monitor its changes.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ADGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"268bd356-7d05-41c3-9867-00c6ab198c5a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where tostring(CmdletResultValue.Parentgroup) != \\\"Exchange Enterprise Servers\\\" and tostring(CmdletResultValue.Parentgroup) <> \\\"Exchange Services\\\"\\r\\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9d02cad2-f4c5-418d-976f-b88b56f80cb5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"LastLogon\",\"label\":\"Last Logon\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[ {\\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true},\\r\\n{ \\\"value\\\": \\\"90d\\\", \\\"label\\\": \\\"90d\\\" },\\r\\n { \\\"value\\\": \\\"180d\\\", \\\"label\\\": \\\"6m\\\" },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1085d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 
10y\\\"}\\r\\n]\"},{\"id\":\"9e591429-d8ea-40c2-80c1-2426c72c92d5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"PasswordLast\",\"label\":\"Password Last Set\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[{ \\\"value\\\": \\\"0d\\\", \\\"label\\\": \\\"No filter\\\",\\\"selected\\\":true },\\r\\n { \\\"value\\\": \\\"365d\\\", \\\"label\\\": \\\"1y\\\" },\\r\\n{ \\\"value\\\": \\\"730d\\\", \\\"label\\\": \\\"2y\\\" },\\r\\n{ \\\"value\\\": \\\"1095d\\\", \\\"label\\\": \\\"3y\\\" },\\r\\n{ \\\"value\\\": \\\"1097d\\\", \\\"label\\\": \\\"more than 3y\\\"},\\r\\n{ \\\"value\\\": \\\"3650d\\\", \\\"label\\\": \\\"more than 10y\\\"}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":1,\"content\":{\"json\":\"Overview of high privileges AD Groups' content.\\r\\nSelect a group to display detailed information of its contents.\\r\\nLevel attribute helps you understand the level of nested groups.\\r\\n\\r\\n❌ : for last logon displayed when the last logon is greater than 180 days\\r\\n\\r\\n❌ : for password last set displayed when last password set greater than 365 days\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \\\"\\\"\\r\\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \\\"\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| sort by tostring(CmdletResultValue.MemberPath) asc \\r\\n| project CmdletResultValue\\r\\n| 
extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n| extend Level = tostring(CmdletResultValue.Level)\\r\\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n| extend LastLogon = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastLogon))))\\r\\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n| extend LastPwdSet = iif(ObjectClass==\\\"group\\\" or ObjectClass==\\\"computer\\\" or ObjectClass==\\\"Local User\\\" or ObjectClass==\\\"computer\\\",\\\"N/A\\\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\\\"\\\", \\\"❌ No logon\\\",strcat(\\\"❌\\\",LastPwdSet))))\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend DN = tostring(CmdletResultValue.DN)\\r\\n| sort by MemberPath asc\\r\\n| project-away CmdletResultValue,Parentgroup\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5},{\"columnMatch\":\"Parentgroup\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"ADGroup\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled 
= tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n ;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on MemberPath \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = 
tostring(CmdletResultValue)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ADGroup\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | search CmdletResultValue.Parentgroup == \\\"{Group}\\\"\\r\\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n | extend Level = tostring(CmdletResultValue.Level)\\r\\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\\r\\n | extend LastLogon = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastLogon))))\\r\\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n | extend LastPwdSet = iif(ObjectClass == \\\"group\\\" or ObjectClass == \\\"computer\\\" or ObjectClass == \\\"Local User\\\" or ObjectClass == \\\"computer\\\", \\\"N/A\\\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \\\"\\\", \\\"❌ No logon\\\", strcat(\\\"❌\\\", LastPwdSet))))\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend DN = tostring(CmdletResultValue.DN)\\r\\n | sort by MemberPath asc\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData ) on MemberPath\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n| join kind = innerunique (BeforeData ) on MemberPath\\r\\n| extend Actiontype =\\\"Remove\\\"\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\\r\\n| 
extend Actiontype =\\\"Add/Remove\\\"\\r\\n| project \\r\\n TimeGenerated,\\r\\n Parentgroup,\\r\\n Actiontype,\\r\\n MemberPath,\\r\\n Level,\\r\\n ObjectClass,\\r\\n LastLogon,\\r\\n LastPwdSet,\\r\\n Enabled\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on MemberPath\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype),\\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\",\"size\":3,\"showAnalytics\":true,\"noDataMessage\":\"Add/Remove information in selected group\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"MemberPath\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"ExchangeServersGroupsGrid - Compare\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)\"},\"name\":\"text - 6\"}]},\"name\":\"AD Group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab displays different security configurations for transport components.\"},\"name\":\"text - 
10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors with\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\"\\r\\n| summarize Count = countif (CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\") by Name,tostring(CmdletResultValue.Server.Name)\\r\\n\",\"size\":0,\"title\":\"Anonymous Configuration\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"yAxis\":[\"Count\"],\"group\":\"CmdletResultValue_Server_Name\",\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| extend Identity = tostring(Identity)\\r\\n|summarize count() by Identity\",\"size\":0,\"title\":\"OpenRelay with \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.AuthMechanismString contains 
(\\\"ExternalAuthoritative\\\")\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| summarize count() by Name,Server\\r\\n\",\"size\":0,\"title\":\"Open Relay using with Externally Secure\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 2\"}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all **Receive Connectors** configured configured as Open Relay with the Extended Rights \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" set on the Receive Connector object in the Configuration partition.\\r\\n\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. Depending on the configuration, the connectors may be protected by IPs. However, IP protection is not safe configuration.\\r\\n\\r\\nYou can check if the \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" ExtendedRights has been added on the Receive connector for Anonymous with PowerShell: `Get-ReceiveConnector | Get-ADPermission | ? 
{$_.ExtendedRights -like \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\"}`\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"fa5f9749-d6f8-436f-ae00-cba306713bac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"14912e83-60a1-4a21-a34b-500d4662a666\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"The toggle button helps you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with/without no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project Identity,CmdletResultValue\\r\\n| extend Identity = tostring(Identity)\\r\\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\") ) on $left.Identity == $right.Name\\r\\n| where CmdletResultValue1.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue1.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue1.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue1.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| extend Server = tostring(CmdletResultValue1.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue1.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = 
make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"RCAnonymousQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project Identity,CmdletResultValue\\r\\n| extend Identity = tostring(Identity)\\r\\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RCAnonymous\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project Identity,CmdletResultValue\\r\\n | extend Identity = tostring(Identity)\\r\\n | extend Server = 
replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\\\",\\\",3)),\\\"[\\\\\\\"CN=\\\",\\\"\\\"),\\\"\\\\\\\"]\\\",\\\"\\\")\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Server\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Server\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct \\r\\n Actiontype,\\r\\n Identity,\\r\\n Server\\r\\n | project \\r\\n Actiontype,\\r\\n Identity,\\r\\n Server\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| project\\r\\n Actiontype,\\r\\n Permission = \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\",\\r\\n Identity,\\r\\n Server\\r\\n| order by Server\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"}]},\"name\":\"Receive Connectors OpenRelay using Extended Right \\\"ms-Exch-SMTP-Accept-Any-Recipient\\\" for Anonymous\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors OpenRelay using Authentication ExternalAuthoritative\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with authentication set to Externally Secure. With this configuration the Receive connector will be allow as Open Relay.\\r\\n\\r\\nRemember that with this configuration, the Exchange servers can be used to send emails outside the organization. 
Depending on the configuration, the connectors may be protected by IP. However, IP protection is not safe configuration.\\r\\n\\r\\n\\r\\nAllow anonymous relay on Exchange server\\r\\n\\r\\nSee the section \\\"Receive Connectors with Anonymous Permission\\\" for additional information regarding Anonymous authentication and IP protection.\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"4ef1d2a2-a13f-4bd4-9e66-2d9a15ad8a7a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"description\":\"See Receive Connectors with no IP restriction\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toggle button helps you to sort by:\\r\\n\\r\\n- Server\\r\\n- Receive connectors with/without no IP restrictions\"},\"name\":\"text - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.AuthMechanismString contains \\\"ExternalAuthoritative\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n//| extend Bindings = iif(tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port )!=\\\"\\\",tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port),\\\",\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[1].Port))),tostring(strcat(tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Address),\\\"-\\\",tostring(parse_json(tostring(CmdletResultValue.Bindings))[0].Port))))\\r\\n//| extend RemoteIPRanges = tostring(CmdletResultValue.RemoteIPRanges)\\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand 
BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Externally Secured Authentication\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.AuthMechanismString 
contains \\\"ExternalAuthoritative\\\"\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n | where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.AuthMechanismString contains \\\"ExternalAuthoritative\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue, WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = 
iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Server\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | extend Binding = tostring(Bindings)\\r\\n | extend RIR = tostring(RemoteIPRange)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Binding,\\r\\n RemoteIPRange = RIR,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Server, Name asc\\r\\n | extend Identity = strcat(Server,\\\"\\\\\\\\\\\",Name)\\r\\n | extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\" and Identity == prev(Identity) , strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \\\"\\\"and Identity == prev(Identity), 
strcat(\\\"📍 \\\", TransportRole, \\\" (\\\", prev(TransportRole), \\\"->\\\", TransportRole, \\\" )\\\"), TransportRole)\\r\\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", PermissionGroups, \\\" (\\\", prev(PermissionGroups), \\\"->\\\", PermissionGroups, \\\" )\\\"), PermissionGroups)\\r\\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", AuthMechanism, \\\" (\\\", prev(AuthMechanism), \\\"->\\\", AuthMechanism, \\\" )\\\"), AuthMechanism)\\r\\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(Bindings), \\\" (\\\", prev(Bindings), \\\"->\\\", tostring(Bindings), \\\" )\\\"), tostring(Bindings))\\r\\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(RemoteIPRange), \\\" (\\\", prev(RemoteIPRange), \\\"->\\\", RemoteIPRange, \\\" )\\\"), tostring(RemoteIPRange))\\r\\n | extend ActiontypeR =iff(( Name contains \\\"📍\\\" or TransportRole contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or PermissionGroups contains \\\"📍\\\" or AuthMechanism contains \\\"📍\\\" or Bindings contains \\\"📍\\\" or Bindings contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n 
PermissionGroups,\\r\\n AuthMechanism,\\r\\n tostring=(Bindings),\\r\\n tostring(RemoteIPRange),\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n Actiontype,\\r\\n WhenChanged,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Bindings_string,\\r\\n RemoteIPRange = RemoteIPRange_string,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy\"}]},\"name\":\"Security Transport Configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Receive Connectors with Anonymous Permission\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This view shows all Receive Connectors configured with Anonymous authentication. It is not recommended to configure connectors with Anonymous authentication.\\r\\n\\r\\nWhen configured with Anonymous and No Ip Restriction, any machine can initiate an SMTP session with the Receive Connectors. This can then be used send emails (SPAM/Virus/Phishing....) to all the mailboxes in the organization. 
The mail will be seen as an internal mail and might bypass some protections.\\r\\n\\r\\nIf you absolute need this configuration because some of your application does not support Authentication, it is strongly recommended to limit the IP addresses that can establish SMTP sessions with Exchange. Do not use range of subnet.\\r\\n\\r\\nThis section has an option button to display \\r\\n All Receive Connectors with Anonymous (No)\\r\\n All Receive Connectors with Anonymous and with no IP Restriction (Yes)\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"ReceiveConnectorsHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"195a66a1-7aa2-4564-bd3b-233049d6f101\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Server\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ExchangeServers\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.ServerRole <> \\\"64\\\"\\r\\n| extend SRVName = tostring(CmdletResultValue.Name)\\r\\n| distinct SRVName\\r\\n| sort by SRVName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"bcb24a01-9242-4fec-b30a-02b0583cbc87\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"NoIPRestriction\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":\\\"False\\\" }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"The toggle button helps you to sort by:\\r\\n- 
Server\\r\\n- Receive connectors with/without no IP restrictions\"},\"name\":\"text - 3 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n| where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n| project CmdletResultValue\\r\\n| extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend TransportRole = iff(CmdletResultValue.TransportRole== \\\"32\\\" , \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString) \\r\\n| extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n| mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n| mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n| extend RemoteIP= RemoteIPall.Expression\\r\\n| extend IP= strcat (BindingAllall.Address,\\\"-\\\",BindingAllall.Port)\\r\\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\\r\\n| sort by Server asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Receive Connectors configure with Anonymous 
Permission\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Server\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n| where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = 
tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"ReceiveConnector\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | where CmdletResultValue.Server.Name contains \\\"{Server}\\\"\\r\\n | where (CmdletResultValue.RemoteIPRanges contains \\\"0.0.0.0\\\" or CmdletResultValue.RemoteIPRanges contains \\\"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\\\") in ({NoIPRestriction})\\r\\n | where CmdletResultValue.PermissionGroupsString contains \\\"Anonymous\\\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\\r\\n | project CmdletResultValue, WhenChanged,WhenCreated\\r\\n | extend Server = tostring(CmdletResultValue.Server.Name)\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \\\"32\\\", \\\"HubTransport\\\", \\\"FrontendTransport\\\")\\r\\n | extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\\r\\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\\r\\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\\r\\n | mv-expand 
BindingAllall=CmdletResultValue.Bindings\\r\\n | extend RemoteIP= RemoteIPall.Expression\\r\\n | extend IP= strcat (BindingAllall.Address, \\\"-\\\", BindingAllall.Port)\\r\\n | extend Identity = strcat(Server,'\\\\\\\\',Name)\\r\\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\\r\\n | sort by Server asc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | extend Binding = tostring(Bindings)\\r\\n | extend RIR = tostring(RemoteIPRange)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Binding,\\r\\n RemoteIPRange = RIR,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Server, Name asc\\r\\n | extend Identity = strcat(Server,\\\"\\\\\\\\\\\",Name)\\r\\n | extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\" and Identity == prev(Identity) , strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \\\"\\\"and Identity == prev(Identity), strcat(\\\"📍 \\\", TransportRole, \\\" (\\\", prev(TransportRole), \\\"->\\\", TransportRole, \\\" )\\\"), TransportRole)\\r\\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend PermissionGroups = iff(PermissionGroups != 
prev(PermissionGroups) and prev(PermissionGroups) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", PermissionGroups, \\\" (\\\", prev(PermissionGroups), \\\"->\\\", PermissionGroups, \\\" )\\\"), PermissionGroups)\\r\\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", AuthMechanism, \\\" (\\\", prev(AuthMechanism), \\\"->\\\", AuthMechanism, \\\" )\\\"), AuthMechanism)\\r\\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(Bindings), \\\" (\\\", prev(Bindings), \\\"->\\\", tostring(Bindings), \\\" )\\\"), tostring(Bindings))\\r\\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \\\"\\\" and Identity == prev(Identity), strcat(\\\"📍 \\\", tostring(RemoteIPRange), \\\" (\\\", prev(RemoteIPRange), \\\"->\\\", RemoteIPRange, \\\" )\\\"), tostring(RemoteIPRange))\\r\\n | extend ActiontypeR =iff(( Name contains \\\"📍\\\" or TransportRole contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or PermissionGroups contains \\\"📍\\\" or AuthMechanism contains \\\"📍\\\" or Bindings contains \\\"📍\\\" or Bindings contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings,\\r\\n RemoteIPRange,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == 
\\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n Actiontype,\\r\\n WhenChanged,\\r\\n Server,\\r\\n Name,\\r\\n TransportRole,\\r\\n Enabled,\\r\\n PermissionGroups,\\r\\n AuthMechanism,\\r\\n Bindings = Bindings_string,\\r\\n RemoteIPRange = RemoteIPRange_string,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy\"}]},\"name\":\"Receive Connectors configure with Anonymous Permission\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- RedirectMessageTo\\r\\n- CopyTo\\r\\n\\r\\n\\r\\nFor more information :\\r\\nMail flow rules in Exchange Server\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity 
contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\n//let _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project 
CmdletResultValue,TimeGenerated\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project CmdletResultValue, TimeGenerated\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n//| extend State = tostring(CmdletResultValue.State)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.State)== \\\"Enabled\\\" or tostring(CmdletResultValue.State)== \\\"1\\\" , \\\"Enabled\\\",iff(tostring(CmdletResultValue.State)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\\r\\n| 
project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n| sort by Status desc\\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n Identity,\\r\\n Status,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n Mode\\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by Identity, TimeGenerated asc\\r\\n | extend Status = iff(Status != prev(Status) and Identity == prev(Identity), strcat(\\\"📍 \\\", Status, \\\" (\\\", iff(prev(Status)==\\\"\\\",\\\"Null\\\",prev(Status)), \\\"->\\\", Status, \\\" )\\\"), Status)\\r\\n | extend SentTo = iff(SentTo != prev(SentTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", SentTo, \\\" (\\\", iff(prev(SentTo)==\\\"\\\",\\\"Null\\\",prev(SentTo)), \\\"->\\\", SentTo, \\\" )\\\"), SentTo)\\r\\n | extend BlindCopyTo = iff(BlindCopyTo != prev(BlindCopyTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\", iff(prev(BlindCopyTo)==\\\"\\\",\\\"Null\\\",prev(BlindCopyTo)), \\\"->\\\", BlindCopyTo, \\\" )\\\"), BlindCopyTo)\\r\\n | extend CopyTo = iff(CopyTo != prev(CopyTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", CopyTo, \\\" (\\\", iff(prev(CopyTo)==\\\"\\\",\\\"Null\\\",prev(CopyTo)), \\\"->\\\", CopyTo, \\\" )\\\"), CopyTo)\\r\\n | extend RedirectMessageTo = iff(CopyTo != prev(RedirectMessageTo) and Identity == prev(Identity), strcat(\\\"📍 \\\", RedirectMessageTo, \\\" (\\\", iff(prev(RedirectMessageTo)==\\\"\\\",\\\"Null\\\",prev(RedirectMessageTo)), \\\"->\\\", RedirectMessageTo, \\\" )\\\"), RedirectMessageTo)\\r\\n | extend Mode = iff(Mode != prev(Mode) and Identity == prev(Identity), strcat(\\\"📍 \\\", Mode, \\\" (\\\", 
iff(prev(Mode)==\\\"\\\",\\\"Null\\\",prev(Mode)), \\\"->\\\", Mode, \\\" )\\\"), Mode)\\r\\n | extend ActiontypeR =iff(( Identity contains \\\"📍\\\" or Status contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or RedirectMessageTo contains \\\"📍\\\" or Mode contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n Identity,\\r\\n Status,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n Mode\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by TimeGenerated desc \\r\\n| project\\r\\n TimeGenerated,\\r\\n Actiontype,\\r\\n Identity,\\r\\n Status,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n Mode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy\"}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Journal Mailboxes\"},\"name\":\"JournalMailboxHelp\"},{\"type\":1,\"content\":{\"json\":\"The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\\r\\n\\r\\nJournal Rules should be reviewed to check if they are still needed. 
Mailbox audit should be set on these mailboxes. Also by default, no one should access to these mailboxes.\\r\\n\\r\\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\\r\\n\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \\\"true\\\" , \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled)==\\\"\\\",\\\"\\\", \\\"Disabled\\\"))\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n| extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n| sort by Name asc\\r\\n| sort by Status desc\\r\\n| project-away CmdletResultValue\\r\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"Journal Rules configured in your environment\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"JournalQuery\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = 
todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet allDataRange = \\r\\n ESIExchangeConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where Section_s == \\\"JournalRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\\r\\n | project CmdletResultValue, TimeGenerated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \\\"true\\\", \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled) == \\\"\\\", \\\"\\\", \\\"Disabled\\\"))\\r\\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Name asc\\r\\n | sort by Status desc\\r\\n;\\r\\nlet AlldataUnique = allDataRange\\r\\n | join kind = innerunique (allDataRange) on Allinfo \\r\\n | distinct \\r\\n TimeGenerated,\\r\\n Name,\\r\\n Status,\\r\\n JournalEmailAddress,\\r\\n Recipient,\\r\\n Allinfo\\r\\n;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Status= 
iff (tostring(CmdletResultValue.Enabled) == \\\"true\\\", \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled) == \\\"\\\", \\\"\\\", \\\"Disabled\\\"))\\r\\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Name asc\\r\\n | sort by Status desc\\r\\n ;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"JournalRule\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \\\"true\\\", \\\"Enabled\\\", iff(tostring(CmdletResultValue.Enabled) == \\\"\\\", \\\"\\\", \\\"Disabled\\\"))\\r\\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\\r\\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\\r\\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\\r\\n | extend CmdletResultV = tostring(CmdletResultValue)\\r\\n | sort by Name asc\\r\\n | sort by Status desc\\r\\n;\\r\\nlet AllnotinAfterData = AlldataUnique\\r\\n | join kind = leftanti (AfterData) on Allinfo\\r\\n;\\r\\nlet InBeforedatabotAfter = AllnotinAfterData\\r\\n | join kind = innerunique (BeforeData) on Allinfo\\r\\n | extend Actiontype = iff (Name != \\\"\\\", \\\"Remove\\\", \\\"\\\")\\r\\n;\\r\\nlet AddRemoveindataset = AllnotinAfterData\\r\\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\\r\\n | extend Actiontype =\\\"Add/Remove\\\"\\r\\n;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Allinfo\\r\\n 
| extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Add/Remove\\\", strcat(\\\"➕/➖ \\\", Actiontype), \\\"N/A\\\")\\r\\n| where Name <> \\\"\\\"\\r\\n| project\\r\\n Actiontype,\\r\\n Name,\\r\\n Status,\\r\\n JournalEmailAddress,\\r\\n Recipient\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Journal Recipients on mailbox databases configured in your environment\",\"items\":[{\"type\":1,\"content\":{\"json\":\"As Journal Recipient on databases send all the mail send to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\\r\\n\\r\\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. 
No one should have access to these mailboxes by default.\\r\\n\\r\\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\\r\\n\\r\\nAdditional information :\\r\\n\\r\\nJournaling in Exchange Server\\r\\n\\r\\nJournaling procedures\\r\\n\\r\\n\\r\\nMailbox audit logging in Exchange Server\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"JournalRecipientsHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| where CmdletResultValue.JournalRecipient !=\\\"\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\\r\\n\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"JournalRecipient\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"JournalRecipient\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n | extend TimeMax = 
tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\n//let _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project CmdletResultValue,WhenChanged,WhenCreated\\r\\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc \\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"MbxDBJournaling\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Identity = tostring(CmdletResultValue.Identity.Name)\\r\\n | extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\\r\\n | project-away CmdletResultValue\\r\\n | sort by Identity asc \\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Identity\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n JournalRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by Identity, WhenChanged asc\\r\\n | extend JournalRecipient = iff(JournalRecipient != prev(JournalRecipient) and Identity == prev(Identity), strcat(\\\"📍 \\\", JournalRecipient, \\\" (\\\", iff(prev(JournalRecipient)==\\\"\\\",\\\"Null\\\",prev(JournalRecipient)), \\\"->\\\", JournalRecipient, \\\" )\\\"), JournalRecipient)\\r\\n | extend ActiontypeR =iff(( Identity contains \\\"📍\\\" or JournalRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend 
Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n JournalRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n JournalRecipient,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy - Copy\"}]},\"name\":\"JournalRecipientsGroup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\\r\\n\\r\\nAdditional information:\\r\\n\\r\\nRemote Domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = 
_TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n| project CmdletResultValue,WhenChanged,WhenCreated\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue,WhenChanged,WhenCreated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n | extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address == \\\"*\\\", strcat (\\\"❌\\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.Address != \\\"*\\\", strcat (\\\"⚠️\\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅\\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n | project-away CmdletResultValue\\r\\n | sort by Address asc \\r\\n;\\r\\nlet i=0;\\r\\nlet 
DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Name\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Name\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData,AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Name asc\\r\\n //| extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\" , strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend Address = iff(Address != prev(Address) and prev(Address) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", Address, \\\" (\\\", prev(Address), \\\"->\\\", Address, \\\" )\\\"), Address)\\r\\n | extend AutoForwardEnabled = iff(AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\", prev(AutoForwardEnabled), \\\"->\\\", AutoForwardEnabled, \\\" )\\\"), AutoForwardEnabled)\\r\\n | extend ActiontypeR =iff(( Name contains \\\"📍\\\" or Address contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| 
project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"Accepted domains set to * authorize Open Relay.\\r\\n\\r\\nMore information:\\r\\n\\r\\nAccepted domains\\r\\n\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"On-Premises\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.DomainName.Address == \\\"*\\\"\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n| extend Address = \\\"* : ❌ OpenRelay configuration\\\"\\r\\n| extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n| project-away CmdletResultValue\",\"size\":1,\"showAnalytics\":true,\"title\":\"Accepted domain with *\",\"noDataMessage\":\"Accepted Domain * not confirgured (no Open Relay)\",\"noDataMessageStyle\":3,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"On-Premises\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | summarize TimeMax = arg_max(TimeGenerated, *)\\r\\n //| extend TimeMax = tostring(split(TimeMax, \\\"T\\\")[0])\\r\\n | project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue, WhenChanged, WhenCreated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n | extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n | project-away CmdletResultValue\\r\\n | sort by Address asc \\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"AcceptedDomain\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | project CmdletResultValue, WhenChanged, WhenCreated\\r\\n | extend Name = tostring(CmdletResultValue.Name)\\r\\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\\r\\n | extend DomainType = case(CmdletResultValue.DomainType==\\\"0\\\",\\\"Authoritative 
Domain\\\",CmdletResultValue.DomainType==\\\"1\\\",\\\"ExternalRelay\\\",CmdletResultValue.DomainType==\\\"2\\\",\\\"InternalRelay\\\",\\\"NotApplicable\\\")\\r\\n | project-away CmdletResultValue\\r\\n | sort by Address asc \\r\\n;\\r\\nlet i=0;\\r\\nlet DiffAddData = BeforeData\\r\\n | join kind = rightanti (AfterData)\\r\\n on Name\\r\\n | extend Actiontype =\\\"Add\\\"\\r\\n;\\r\\nlet DiffRemoveData = BeforeData\\r\\n | join kind = leftanti AfterData on Name\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n DomainType,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffModifData = union BeforeData, AfterData\\r\\n | sort by WhenChanged asc \\r\\n | sort by Name asc\\r\\n // | extend Name = iff(Name != prev(Name) and prev(Name) != \\\"\\\", strcat(\\\"📍 \\\", Name, \\\" (\\\", prev(Name), \\\"->\\\", Name, \\\" )\\\"), Name)\\r\\n | extend Address = iff(Address != prev(Address) and prev(Address) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", Address, \\\" (\\\", prev(Address), \\\"->\\\", Address, \\\" )\\\"), Address)\\r\\n | extend DomainType = iff(DomainType != prev(DomainType) and prev(DomainType) != \\\"\\\" and Name == prev(Name), strcat(\\\"📍 \\\", DomainType, \\\" (\\\", prev(DomainType), \\\"->\\\", DomainType, \\\" )\\\"), DomainType)\\r\\n | extend ActiontypeR =iff((Name contains \\\"📍\\\" or Address contains \\\"📍\\\" or DomainType contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n DomainType,\\r\\n WhenCreated\\r\\n;\\r\\nDiffModifData\\r\\n| union DiffAddData, DiffRemoveData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), 
Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Name,\\r\\n Address,\\r\\n DomainType,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4 - Copy - Copy - Copy - Copy - Copy\"}]},\"name\":\"ForwardGroup\"}]},\"name\":\"Journal Rules\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -2949,7 +5946,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=MicrosoftExchangeSecurityReview; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Security Review; templateRelativePath=Microsoft Exchange Security Review.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=MicrosoftExchangeSecurityReview; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=2.0.0; title=Microsoft Exchange Security Review; templateRelativePath=Microsoft Exchange Security Review.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId4')]",
 "contentId": "[variables('_workbookContentId4')]",
 "kind": "Workbook",
@@ -3011,7 +6008,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CriticalCmdletsUsageDetection_AnalyticalRules Analytics Rule with template version 3.1.5",
+ "description": "CriticalCmdletsUsageDetection_AnalyticalRules Analytics Rule with template version 3.3.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -3057,54 +6054,54 @@
 ],
 "entityMappings": [
 {
- "entityType": "Mailbox",
 "fieldMappings": [
 {
- "identifier": "MailboxPrimaryAddress",
- "columnName": "TargetObject"
+ "columnName": "TargetObject",
+ "identifier": "MailboxPrimaryAddress"
 }
- ]
+ ],
+ "entityType": "Mailbox"
 },
 {
- "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Host"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Sid",
- "columnName": "TargetObject"
+ "columnName": "TargetObject",
+ "identifier": "Sid"
 },
 {
- "identifier": "ObjectGuid",
- "columnName": "TargetObject"
+ "columnName": "TargetObject",
+ "identifier": "ObjectGuid"
 },
 {
- "identifier": "FullName",
- "columnName": "TargetObject"
+ "columnName": "TargetObject",
+ "identifier": "FullName"
 }
- ]
+ ],
+ "entityType": "Account"
 },
 {
- "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Caller"
+ "columnName": "Caller",
+ "identifier": "Name"
 }
- ]
+ ],
+ "entityType": "Account"
 }
 ],
 "alertDetailsOverride": {
- "alertSeverityColumnName": "Level",
 "alertDisplayNameFormat": "{{CmdletName}} executed on {{TargetObject}}",
- "alertDescriptionFormat": "Alert from Microsoft Exchange Security as {{CmdletName}} with parameters {{CmdletParameters}} was executed on {{TargetObject}}"
+ "alertDescriptionFormat": "Alert from Microsoft Exchange Security as {{CmdletName}} with parameters {{CmdletParameters}} was executed on {{TargetObject}}",
+ "alertSeverityColumnName": "Level"
 }
 }
 },
@@ -3158,7 +6155,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ServerOrientedWithUserOrientedAdministration_AnalyticalRules Analytics Rule with template version 3.1.5", + "description": "ServerOrientedWithUserOrientedAdministration_AnalyticalRules Analytics Rule with template version 3.3.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -3204,48 +6201,48 @@ ], "entityMappings": [ { - "entityType": "Mailbox", "fieldMappings": [ { - "identifier": "MailboxPrimaryAddress", - "columnName": "userPrincipalName" + "columnName": "userPrincipalName", + "identifier": "MailboxPrimaryAddress" }, { - "identifier": "Upn", - "columnName": "userPrincipalName" + "columnName": "userPrincipalName", + "identifier": "Upn" } - ] + ], + "entityType": "Mailbox" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "ServerCmdletTargetObject" + "columnName": "ServerCmdletTargetObject", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Caller" + "columnName": "Caller", + "identifier": "Name" }, { - "identifier": "ObjectGuid", - "columnName": "objectGUID" + "columnName": "objectGUID", + "identifier": "ObjectGuid" } - ] + ], + "entityType": "Account" } ] } 
@@ -3332,12 +6329,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.5", + "version": "3.3.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Exchange Security - Exchange On-Premises", "publisherDisplayName": "Community", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Windows Event logs collection, including MS Exchange Management Event logs

    \n
  2. \n
  3. Custom logs ingestion via Data Collector REST API

    \n
  4. \n
\n

Data Connectors: 2, Parsers: 4, Workbooks: 4, Analytic Rules: 2, Watchlists: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Windows Event logs collection, including MS Exchange Management Event logs

    \n
  2. \n
  3. Custom logs ingestion via Data Collector REST API

    \n
  4. \n
\n

Data Connectors: 8, Parsers: 5, Workbooks: 4, Analytic Rules: 2, Watchlists: 2

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3371,6 +6368,36 @@ "contentId": "[variables('_dataConnectorContentId2')]", "version": "[variables('dataConnectorVersion2')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId3')]", + "version": "[variables('dataConnectorVersion3')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId4')]", + "version": "[variables('dataConnectorVersion4')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId5')]", + "version": "[variables('dataConnectorVersion5')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId6')]", + "version": "[variables('dataConnectorVersion6')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId7')]", + "version": "[variables('dataConnectorVersion7')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId8')]", + "version": "[variables('dataConnectorVersion8')]" + }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", @@ -3391,6 +6418,11 @@ "contentId": "[variables('parserObject4').parserContentId4]", "version": "[variables('parserObject4').parserVersion4]" }, + { + "kind": "Parser", + "contentId": "[variables('parserObject5').parserContentId5]", + "version": "[variables('parserObject5').parserVersion5]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", @@ -3424,12 +6456,12 @@ { "kind": "Watchlist", "contentId": "[variables('_Exchange Services Monitoring')]", - "version": "3.1.5" + "version": "3.3.0" }, { "kind": "Watchlist", "contentId": "[variables('_Exchange VIP')]", - "version": "3.1.5" + "version": "3.3.0" } ] }, 
diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml
new file mode 100644
index 00000000000..33c7525d895
--- /dev/null
+++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/MESCompareDataOnPMRA.yaml
@@ -0,0 +1,183 @@
+id: 0a0f4ea0-6b94-4420-892e-41ca985f2f01
+Function:
+ Title: Parser for MRA Configuration Data Comparison On-Premises
+ Version: '1.0.0'
+ LastUpdated: '2024-08-30'
+Category: Microsoft Sentinel Parser
+FunctionName: MESCompareDataOnPMRA
+FunctionAlias: MESCompareDataOnPMRA
+FunctionParams:
+ - Name: SectionCompare
+ Type: string
+ Description: The Section to compare. Default value is "".
+ Default: ''
+ - Name: DateCompare
+ Type: string
+ Description: The date of the source comparison. Default value is "lastdate".
+ Default: 'lastdate'
+ - Name: CurrentDate
+ Type: string
+ Description: The date of the target comparison. Default value is "lastdate".
+ Default: 'lastdate'
+ - Name: EnvList
+ Type: string
+ Description: List of environments to compare. Default value is "All".
+ Default: 'All'
+ - Name: TypeEnv
+ Type: string
+ Description: Type of environment to compare. Default value is "Online".
+ Default: 'Online'
+ - Name: CurrentRole
+ Type: string
+ Description: A specific role to compare. Default value is "".
+ Default: ''
+ - Name: ExclusionsAcct
+ Type: dynamic
+ Description: List of actors to exclude. Default value is "dynamic('')".
+ Default: dynamic('')
+FunctionQuery: |
+ // Version: 1.0.0
+ // Last Updated: 30/08/2024
+ //
+ // DESCRIPTION:
+ // This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.
+ //
+ // USAGE:
+ // Parameters : 7 parameters to add during creation.
+ // 1. SectionCompare, type string, default value ""
+ // 2. DateCompare, type string, default value "lastdate"
+ // 3. CurrentDate, type string, default value "lastdate"
+ // 4. EnvList, type string, default value "All"
+ // 5. TypeEnv, type string, default value "Online"
+ // 6. CurrentRole, type string, default value ""
+ // 7. ExclusionsAcct, type dynamic, default value dynamic("")
+ //
+ // Parameters simulation
+ // If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.
+ //
+ // let SectionCompare = "SampleEntry";
+ // let EnvList = "All";
+ // let TypeEnv = "Online";
+ // let CurrentRole = "";
+ // let ExclusionsAcct = dynamic("");
+ // let DateCompare = "lastdate";
+ // let CurrentDate = "lastdate";
+ //
+ // Parameters definition
+ let _SectionCompare = SectionCompare;
+ let _EnvList =EnvList;
+ let _TypeEnv = TypeEnv;
+ let _CurrentRole =CurrentRole;
+ let _ExclusionsAcct = ExclusionsAcct;
+ let _DateCompare = DateCompare;
+ let _CurrentDate = CurrentDate;
+ let _DateCompareB = todatetime(DateCompare);
+ let _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)
+ | summarize TimeMax = max(TimeGenerated)
+ | extend TimeMax = tostring(split(TimeMax,"T")[0])
+ | project TimeMax);
+ let _CurrentDateB = todatetime(toscalar(_currD));
+ let BeforeData =
+ ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)
+ | where CmdletResultValue.Role contains _CurrentRole
+ and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)
+ and CmdletResultValue.Name !contains "Deleg"
+ | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
+ | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup")
+ | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)
+ | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)
+ | extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable")
+ | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable")
+ | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)
+ | extend Status= tostring(CmdletResultValue.Enabled)
+ | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular")
+ | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
+ | extend Role = tostring(CmdletResultValue.Role)
+ ;
+ let AfterData =
+ ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)
+ | where CmdletResultValue.Role contains _CurrentRole
+ and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)
+ and CmdletResultValue.Name !contains "Deleg"
+ | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
+ | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup")
+ | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)
+ | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)
+ | extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable")
+ | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable")
+ | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)
+ | extend Status= tostring(CmdletResultValue.Enabled)
+ | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
+ | extend Role = tostring(CmdletResultValue.Role)
+ | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular")
+ ;
+ let i=0;
+ let allDataRange =
+ ESIExchangeConfig_CL
+ | where TimeGenerated between (_DateCompareB .. _CurrentDateB)
+ | where ESIEnvironment_s == _EnvList
+ | where Section_s == "MRA"
+ | extend CmdletResultValue = parse_json(rawData_s)
+ | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t
+ | where CmdletResultValue.Role contains _CurrentRole
+ and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)
+ and CmdletResultValue.Name !contains "Deleg"
+ | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
+ | extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== "0" or CmdletResultValue.RoleAssigneeType== "2" , "User", CmdletResultValue.RoleAssigneeType== "10","Group","LinkedGroup")
+ | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)
+ | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)
+ | extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope=="0","None",CmdletResultValue.RecipientWriteScope=="2","Organization",CmdletResultValue.RecipientWriteScope=="3","MyGAL", CmdletResultValue.RecipientWriteScope=="4","Self",CmdletResultValue.RecipientWriteScope=="7", "CustomRecipientScope",CmdletResultValue.RecipientWriteScope=="8","MyDistributionGroups","NotApplicable")
+ | extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope=="0","None",CmdletResultValue.ConfigWriteScope=="7","CustomConfigScope",CmdletResultValue.ConfigWriteScope=="10","OrganizationConfig","NotApplicable")
+ | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)
+ | extend Status= tostring(CmdletResultValue.Enabled)
+ | extend Role = tostring(CmdletResultValue.Role)
+ | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular")
+ ;
+ let DiffAddDataP1 = allDataRange
+ | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated
+ ;
+ let DiffAddDataP2 = allDataRange
+ | join kind = innerunique (allDataRange ) on WhenCreated
+ | where WhenCreated >=_DateCompareB
+ | where bin(WhenCreated,5m)==bin(WhenChanged,5m)
+ | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
+ ;
+ let DiffAddData = union DiffAddDataP1,DiffAddDataP2
+ | extend Actiontype ="Add";
+ let DiffRemoveData = allDataRange
+ | join kind = leftanti AfterData on RoleAssigneeName
+ | extend Actiontype ="Remove"
+ | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
+ | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
+ ;
+ let DiffModifData = union AfterData,allDataRange
+ | sort by ManagementRoleAssignement,WhenChanged asc
+ | extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !="" , strcat("📍 ", Status, " (",prev(Status),"->", Status," )"),Status)
+ | extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !="" , strcat("📍 ", CustomRecipientWriteScope, " (", prev(CustomRecipientWriteScope),"->", CustomRecipientWriteScope, ")"),CustomRecipientWriteScope)
+ | extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !="" , strcat("📍 ", CustomConfigWriteScope, " (", prev(CustomConfigWriteScope),"->", CustomConfigWriteScope, ")"),CustomConfigWriteScope)
+ | extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !="" , strcat("📍 ", RecipientWriteScope, " (", prev(RecipientWriteScope),"->", RecipientWriteScope, ")"),RecipientWriteScope)
+ | extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !="" , strcat("📍 ", ConfigWriteScope, " (", prev(ConfigWriteScope),"->", ConfigWriteScope, ")"),ConfigWriteScope)
+ | extend ActiontypeR =iff((Status contains "📍" or CustomRecipientWriteScope contains"📍" or CustomConfigWriteScope contains"📍" or RecipientWriteScope contains"📍" or ConfigWriteScope contains"📍" ), i=i + 1, i)
+ | extend Actiontype =iff(ActiontypeR > 0, "Modif", "NO")
+ | where ActiontypeR == 1
+ | project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated
+ ;
+ union DiffAddData, DiffRemoveData, DiffModifData
+ | extend RoleAssigneeName = iff(RoleAssigneeType == "User", strcat("🧑‍🦰 ", RoleAssigneeName), strcat("👪 ", RoleAssigneeName))
+ | extend WhenChanged = iff (Actiontype == "Modif", WhenChanged, iff(Actiontype == "Add",WhenCreated, WhenChanged))
+ //| extend WhenChanged = case(Actiontype == "Modif" , tostring(bin(WhenChanged,1m)), Actiontype == "Add",tostring(bin(WhenChanged,1m)),Actiontype == "Remove","NoInformation","N/A")
+ | extend Actiontype = case(Actiontype == "Add", strcat("➕ ", Actiontype), Actiontype == "Remove", strcat("➖ ", Actiontype), Actiontype == "Modif", strcat("📍 ", Actiontype), "N/A")
+ | sort by WhenChanged desc
+ | project
+ WhenChanged,
+ Actiontype,
+ RoleAssigneeName,
+ RoleAssigneeType,
+ Status,
+
CustomRecipientWriteScope, + CustomConfigWriteScope, + RecipientWriteScope, + ConfigWriteScope, + ManagementRoleAssignement, + RoleAssignmentDelegationType, + WhenCreated \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md index 56b98e50e99..d3e7780a041 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md @@ -28,6 +28,10 @@ Parsers are created [using functions in Azure monitor log queries](https://docs. - [Parser Description](#parser-description-3) - [Parser dependency](#parser-dependency-1) - [Parser Setup](#parser-setup-3) + - [Microsoft Exchange Compare Data MRA Parser for On-Premises](#microsoft-exchange-compare-data-mra-parser-for-on-premises) + - [Parser Definition](#parser-definition-4) + - [Parser Description](#parser-description-4) + - [Parser Setup](#parser-setup-4) ## ExchangeConfiguration Parser @@ -184,3 +188,39 @@ This parser is linked to "ExchangeVIP" whatchlist >1 parameter to add during creation : UserToCheck, type string, No default value 1. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + +## Microsoft Exchange Compare Data MRA Parser for On-Premises + +### Parser Definition + +- Title: Microsoft Exchange Compare Data MRA Parser for On-Premises +- Version: 1.0.0 +- Last Updated: 30/08/2024 +- Description: This parser compare data from MRA and ESI Exchange Collector to find differences + +|**Version** |**Details** | +|---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.0 |
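Review bot: With the declared defaults the baseline side of this comparison is empty: `allDataRange` filters `ESIEnvironment_s == _EnvList`, whose default `'All'` is handed to `ExchangeConfiguration` by the other two branches (which presumably expand it as a wildcard) but is matched here as a literal environment name, and it bounds `TimeGenerated between (_DateCompareB .. _CurrentDateB)` with `_DateCompareB = todatetime(DateCompare)`, which is null for the `'lastdate'` default, so every current assignment comes out as "➕ Add" and no "➖ Remove" or "📍 Modif" row can be produced. Resolving `'lastdate'` the way `_CurrentDateB` is (a `summarize max(TimeGenerated)` over the baseline collection) and accepting the wildcard, e.g. `| where _EnvList == "All" or ESIEnvironment_s in (split(_EnvList, ","))`, would make the defaults usable. Separately, the hard-coded `CmdletResultValue.Name !contains "Deleg"` filter in all three branches drops any assignment whose name contains "Deleg" (in Exchange RBAC typically the delegating assignments that govern who may grant roles), which is exactly the privilege change a security review should surface, and `DiffRemoveData` joins `leftanti AfterData on RoleAssigneeName`, so an assignee who loses one role while keeping another is never reported as a removal; if both are intentional they deserve a comment, otherwise join on `ManagementRoleAssignement`. The header comment also describes the "Exchange Online Configuration" and `TypeEnv` defaults to `'Online'`, although this parser ships in the On-Premises solution.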
  • Function initilisation for Sentinel Solution
| + +### Parser Description + +This parser compare data from MRA and ESI Exchange Collector to find differences + +### Parser Setup + + 1. Open Log Analytics/Microsoft Sentinel Logs blade. Copy the query below and paste into the Logs query window. + 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter the Function Name "MESCompareDataMRA". + 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + 4. This parser is linked to "MRA" and "ESI Exchange Collector" tables + +>#### **Parameters:** + +>7 parameter to add during creation : +> +> 1. SectionCompare, type string, default value "" +> 2. DateCompare, type string, default value "lastdate" +> 3. CurrentDate, type string, default value "lastdate" +> 4. EnvList, type string, default value "All" +> 5. TypeEnv, type string, default value "Online" +> 6. CurrentRole, type string, default value "" +> 7. ExclusionsAcct, type dynamic, default value dynamic("") \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md index e5216daeaad..14f533df77a 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md 
@@ -1,7 +1,9 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.1.5 | 27-09-2024 | Fixed Spelling error in title of **Data Connector** | -| | 26-04-2024 | Repackaged for fix on parser in maintemplate to have old parsername and parentid | +| 3.3.0 | 26-08-2024 | Add Compare in Exchange Security Review. Create DataConnectors for Azure Monitor Agent. Correct bugs | +| 3.2.0 | 09-04-2024 | Explode "ExchangeAdminAuditLogEvents" dataconnector to multiple simplier dataconnectors | +| 3.1.5 | 26-04-2024 | Fix Typpo in DataConnector | +| | | Repackaged for fix on parser in maintemplate to have old parsername and parentid | | 3.1.4 | 18-04-2024 | Repackaged for parser issue while redeployment | | 3.1.3 | 10-04-2024 | Updated DataConnector last Log indicator and IsConnected queries by including Application and System Log Event Types | | 3.1.2 | 20-02-2024 | Correct DataConnector last Log indicator and IsConnected queries | diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json index 50428e48bc4..4f96d1b47be 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Workbooks/Microsoft Exchange Security Review.json @@ -26,10 +26,12 @@ "query": "ExchangeEnvironmentList(Target=\"On-Premises\") | where ESIEnvironment != \"\"", "typeSettings": { "limitSelectTo": 1, + "additionalResourceOptions": [], "showDefault": false }, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [] }, { "id": "a88b4e41-eb2f-41bf-92d8-27c83650a4b8", 
@@ -40,11 +42,26 @@ "isRequired": true, "query": "let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \"all\",\"All\",tostring({EnvironmentList})),',');\r\nESIExchangeConfig_CL\r\n| extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n| where ScopedEnvironment in (_configurationEnv)\r\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n| summarize Collection = max(Collection)\r\n| project Collection = \"lastdate\", Selected = true\r\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | summarize by Collection \r\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\r\n | summarize by PreciseCollection, Collection \r\n | join kind=leftouter (\r\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\r\n | summarize by PreciseCollection, Collection \r\n | summarize count() by Collection\r\n ) on Collection\r\n ) on Collection\r\n) on Collection\r\n| project Value = 
iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\"Last Known date\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\r\n| sort by Selected, Value desc", "typeSettings": { + "additionalResourceOptions": [], "showDefault": false }, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, + { + "id": "cfc36178-c5d7-4f69-87f5-b887e722f968", + "version": "KqlParameterItem/1.0", + "name": "Compare_Collect", + "label": "CompareCollect", + "type": 10, + "description": "If this sesstion is checked, two collection will be compared", + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n { \"value\": \"True\", \"label\": \"Yes\" },\r\n { \"value\": \"True,False\", \"label\": \"No\", \"selected\":true }\r\n]" + }, { "id": "8ac96eb3-918b-4a36-bcc4-df50d8f46175", "version": "KqlParameterItem/1.0", @@ -52,7 +69,7 @@ "label": "Show Help", "type": 10, "isRequired": true, - "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\"}", + "query": "{\"version\":\"1.0.0\",\"content\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\"}\r\n", "timeContext": { "durationMs": 2592000000 }, 
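Review bot: The `Compare_Collect` toggle encodes its "No" choice as `"value": "True,False"`, so the comparison group stays hidden only because that string happens not to equal `"True"` in the `isEqualTo` visibility check, and any section that later tests the parameter with `contains` or `in` would show the compare tables by default; `{ "value": "False", "label": "No", "selected": true }` states the intent directly. The parameter's `description` also reads "sesstion" for "section". The parameters array these entries belong to starts before this hunk.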
@@ -65,10 +82,42 @@ }, "name": "TimeRange" }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "0a7e59b0-755e-40c9-a4e0-ec7f516e991c", + "version": "KqlParameterItem/1.0", + "name": "DateCompare", + "type": 2, + "description": "This date must be older than the date configured in the Date of configuration", + "isRequired": true, + "query": "let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \"all\",\"All\",tostring({EnvironmentList})),',');\r\nESIExchangeConfig_CL\r\n| extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n| where ScopedEnvironment in (_configurationEnv)\r\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n| summarize Collection = max(Collection)\r\n| project Collection = \"lastdate\", Selected = true\r\n| join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | summarize by Collection \r\n | join kind= fullouter ( ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\r\n | summarize by PreciseCollection, Collection \r\n | join kind=leftouter (\r\n ESIExchangeConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \r\n | where ScopedEnvironment in (_configurationEnv)\r\n | where TimeGenerated > ago(90d)\r\n | extend Collection = 
format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\r\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\r\n | summarize by PreciseCollection, Collection \r\n | summarize count() by Collection\r\n ) on Collection\r\n ) on Collection\r\n) on Collection\r\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\"Last Known date\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\r\n| sort by Selected, Value desc", + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "above", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "TimeRange - Copy" + }, { "type": 1, "content": { - "json": "This workbook helps review your Exchange Security configuration.\r\nSelect your Exchange Organization and adjust the time range.\r\nBy default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \"Show Help\"", + "json": "This workbook helps review your Exchange Security configuration.\r\nSelect your Exchange Organization and adjust the time range.\r\n**By default, the Help won't be displayed. To display the help, choose Yes on the toogle buttom \"Show Help\"**\r\n\r\nTo compare collects, choose **Yes on the toogle buttom Compare Collect ** and choose the initial date.\r\nDepending on the section, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\r\nFor some sections, you'll see Add+Remove. 
This means that an account has been added and then removed during the choosen time range.\r\n\r\n**Important notes** : Some information are limited are may be not 100% accurate :\r\n - Date\r\n - When a fied is modified several times in the range, only first and last values will be displayed\r\n - **Remove Time is displayed the date of the last collect and not the exact remove time**\r\n - ... \r\n\r\nThis is due to some restrictions in the collect. The goal of the comparaison is to give you a global overview of the modifications between two collects.\r\nFor more details information, please check the workbook **\"Microsoft Exchange Search AdminAuditLog\"**\r\n.\r\n\r\nThe compare functionnality may not be available for all sections in this workbook.\r\n", "style": "info" }, "name": "text - 9" @@ -161,7 +210,7 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Security Configuration for the Exchange environment", + "title": "Security Configuration for the Exchange Environment", "items": [ { "type": 1, @@ -173,7 +222,7 @@ { "type": 1, "content": { - "json": "This section display the Exchange version and the CU installed.\r\n\r\nFor the latest build number, check this link : Exchange Build Numbers\r\n\r\nThis section is built from a file located in the public github repository.\r\nThe repository is manually updated by the team project when new CU/SU are released.\r\n", + "json": "This section displays the Exchange version and the CU installed.\r\n\r\nFor the latest build number, check this link : Exchange Build Numbers\r\n\r\nThis section is built from a file located in the public GitHub repository.\r\nThe repository is manually updated by the team project when new CU/SU are released. ((Delay may happen between the release of a new CU/SU and the update of the file))\r\n", "style": "info" }, "conditionalVisibility": { 
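Review bot: The new `DateCompare` parameter is a verbatim copy of the `DateOfConfiguration` query, so its drop-down also offers the `lastdate` / "Last Known date" row and nothing enforces the "must be older than the date configured" rule stated in its `description`; a user picking the sentinel or a later date gets an empty or inverted range in whatever compare query consumes `{DateCompare}`, with no hint why. Dropping the `| project Collection = "lastdate", Selected = true` branch from this copy and restating the ordering rule in the info text would make that failure visible. The added info text also carries several user-facing typos ("toogle buttom", "beetween", "choosen", "comparaison", "fied", "functionnality") and a stray `\r\n.` line break before the "compare functionnality" sentence.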
@@ -187,7 +236,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\n//ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| extend Server = tostring(ProcessedByServer_s)\r\n| extend CmdletResultType = tostring(CmdletResultType)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\r\n| extend Server = strcat(\"💻 \",Server)\r\n| extend Productname = case ( VersionNumber startswith \"15.02\", \"Exchange 2019\", VersionNumber startswith \"15.01\", \"Exchange 2016\", VersionNumber startswith \"15.00\",\"Exchange 2013\", \"Exchange 2010\")\r\n| extend CU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff(CU <> \"\", CU, \"New CU or SU not yet in the List\"))\r\n| extend SU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff( SU <> \"\", SU, \"New CU or SU not yet in the List\"))\r\n|project-away CmdletResultType\r\n| sort by Server 
asc\r\n", + "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://aka.ms/ExchBuildNumber\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\n//ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| extend Server = tostring(ProcessedByServer_s)\r\n| extend CmdletResultType = tostring(CmdletResultType)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| distinct Server,VersionNumber,Productname,CU,SU,CmdletResultType\r\n| extend Server = strcat(\"💻 \",Server)\r\n| extend Productname = case ( VersionNumber startswith \"15.02\", \"Exchange 2019\", VersionNumber startswith \"15.01\", \"Exchange 2016\", VersionNumber startswith \"15.00\",\"Exchange 2013\", \"Exchange 2010\")\r\n| extend CU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff(CU <> \"\", CU, \"New CU or SU not yet in the List\"))\r\n| extend SU = iff(CmdletResultType <>\"Success\", \"Unable to retrieve information from server\", iff( SU <> \"\", SU, \"New CU or SU not yet in the List\"))\r\n|project-away CmdletResultType\r\n| sort by Server asc\r\n", "size": 1, "showAnalytics": true, "title": "Exchange servers CU-SU level", 
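Review bot: The reference CSV behind the CU/SU verdict is now fetched through an `aka.ms` short link, so the table that tells an operator whether a server is patched depends on whatever that redirect resolves to at query time, and `externaldata` gives no way to pin or integrity-check it; the same swap appears in the Version break down hunk (`@@ -209`), the AdminAuditLog hunk (`@@ -252`) and the new comparison query (`@@ -287`), which consume `https://aka.ms/CmdletWatchlist` as the sensitive-cmdlet list. Moving off a personal GitHub path is an improvement, but the info text changed in `@@ -173` still says the section is built from a file in the public GitHub repository, which no longer names the address the query actually reaches. I'd record the dependency at the top of each affected query, `// Reference list fetched at query time via an aka.ms redirect; the verdict is only as trustworthy as the redirect target`, and update the info text to mention the aka.ms link. The `h` prefix on the URL literal hides it from query telemetry, which is unnecessary for a public address and makes it harder to audit which source a given render used.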
@@ -209,7 +258,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/ExchBuildNumber.csv\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| extend Server = tostring(CmdletResultValue.Server)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| extend CU = iff( CU <> \"\", CU, \"New CU/SU not yet in the CU List\")\r\n| extend Version =strcat (VersionNumber,\"-\",CU,\"-\",SU)\r\n| summarize dcount(Server) by Version", + "query": "let ExchCUSU = externaldata (Productname:string, CU:string, SU:string, BuildNbAll:string, BuilCUNb:string, Major:string, CUBuildNb:string, SUBuildNb:string)[h\"https://aka.ms/ExchBuildNumber\"]with(format=\"csv\",ignoreFirstRecord=true)| project Productname,CU,SU,BuildNbAll,BuilCUNb,Major,CUBuildNb,SUBuildNb;\r\nExchangeConfiguration(SpecificSectionList=\"ExchVersion\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n//| extend VersionNumber = strcat(CmdletResultValue.AdminDisplayVersion.Major,\".\",CmdletResultValue.AdminDisplayVersion.Minor,\".\",CmdletResultValue.AdminDisplayVersion.Build)\r\n| extend VersionNumber = tostring(CmdletResultValue.ProductVersion)\r\n| 
extend Server = tostring(CmdletResultValue.Server)\r\n| join kind= leftouter (ExchCUSU) on $left.VersionNumber == $right.BuildNbAll\r\n| extend CU = iff( CU <> \"\", CU, \"New CU/SU not yet in the CU List\")\r\n| extend Version =strcat (VersionNumber,\"-\",CU,\"-\",SU)\r\n| summarize dcount(Server) by Version", "size": 0, "showAnalytics": true, "title": "Version break down", @@ -231,7 +280,7 @@ { "type": 1, "content": { - "json": "The Admin Audit log stores all the actions performed on Exchange Servers (except read actions such as Get/Test).\r\n\r\nAdmin Audit Log \r\n\r\nManage Admin Audit Log \r\n\r\n\r\nThis can be used to track \r\n- Unexpected behaviors\r\n- Who did a modification\r\n- Real actions performed by an account (the output could be used with to identify the necessary privileges)\r\n\r\nℹ️ Recommendations\r\n- Ensure that Admin Audit Log is not disabled\r\n- Ensure that critical Cmdlets have not been excluded\r\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\r\n- Review the retention configuration for the Admin Audit Log content", + "json": "The Admin Audit log stores all the actions performed on Exchange Servers (except Read actions such as Get/Test).\r\n\r\nAdmin Audit Log \r\n\r\nManage Admin Audit Log \r\n\r\n\r\nThis can be used to track :\r\n- Unexpected behaviors\r\n- Who did a modification\r\n- Real actions performed by an account (the output could be used to identify the necessary privileges) and then reduce the privilege of the account by creating appropriate RBAC delegation\r\n\r\nℹ️ Recommendations\r\n- Ensure that Admin Audit Log is not disabled\r\n- Ensure that critical Cmdlets have not been excluded\r\n- Ensure that AdminAuditLogCmdlets is set to * (list of audited Cmdlets)\r\n- Review the retention configuration for the Admin Audit Log content", "style": "info" }, "conditionalVisibility": { 
@@ -244,7 +293,7 @@ { "type": 1, "content": { - "json": "Here the main settings for the Admin Audit Log. Remember that AdminAudit log need to be enabled and no cmdlet should be excluded. Also check the retention limit." + "json": "Here the main settings for the Admin Audit Log. \r\nRemember that AdminAudit log needs to be enabled and no cmdlet should be excluded. Also check the retention limit." }, "name": "text - 0" }, 
@@ -252,7 +301,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\"https://raw.githubusercontent.com/nlepagnez/ESI-PublicContent/main/Operations/Watchlists/CmdletWatchlist.csv\"]with(format=\"csv\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\r\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\r\n| project AdminAuditLogExcludedCmdlets);\r\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\r\nExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \"FALSE\", \" ❌ Disabled, High Risk\", \"✅ Enabled\")\r\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\r\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\r\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\"❌ No AdminAuditlog recorded \",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\"⚠️ Value to low except if exported \",AdminAuditLogAgeLimit), strcat(\"✅\",AdminAuditLogAgeLimit)))\r\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\"]') )\r\n| extend 
AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\"',\"\")\r\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \"*\",\"✅ Default configuration\",\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\",\"))\r\n| project-away CmdletResultValue\r\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\"❌ Some excluded CmdLets are part of Sensitive Cmdlets\",AdminAuditLogExcludedCmdlets <>\"\",\"⚠️ Some Cmdlets are excluded \",\"✅ No Excluded CmdLet\")", + "query": "let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\r\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\r\n| project AdminAuditLogExcludedCmdlets);\r\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\r\nExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project 
CmdletResultValue\r\n| extend AdminAuditLogEnabled = iff(CmdletResultValue.AdminAuditLogEnabled == \"FALSE\", \" ❌ Disabled, High Risk\", \"✅ Enabled\")\r\n| extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n| extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit,8)\r\n| extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit,0,indexof(AdminAuditLogAgeLimit, ','))\r\n| extend AdminAuditLogAgeLimit = iff(toint(AdminAuditLogAgeLimit) == 0,strcat(\"❌ No AdminAuditlog recorded \",AdminAuditLogAgeLimit), iff(toint(AdminAuditLogAgeLimit) <=30,strcat(\"⚠️ Value to low except if exported \",AdminAuditLogAgeLimit), strcat(\"✅\",AdminAuditLogAgeLimit)))\r\n| extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,2)\r\n| extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets,0,indexof(AdminAuditLogCmdlets, '\"]') )\r\n| extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets,'\"',\"\")\r\n| extend Comment_AdminAuditLogCmdlets = iff( AdminAuditLogCmdlets == \"*\",\"✅ Default configuration\",\"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n| extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,2)\r\n| extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets,0,indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n| extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend Cmdlet = replace_string(AdminAuditLogExcludedCmdlets,'\"',\"\")\r\n//| extend AALECSplit = tostring(split(AdminAuditLogExcludedCmdlets,\",\"))\r\n| project-away CmdletResultValue\r\n| extend Comment_AdminAuditLogExcludedCmdlet = case( isnotempty( SentsitivecmdletTrack ),\"❌ Some excluded CmdLets are part of Sensitive 
Cmdlets\",AdminAuditLogExcludedCmdlets <>\"\",\"⚠️ Some Cmdlets are excluded \",\"✅ No Excluded CmdLet\")", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
@@ -287,19 +336,31 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let SensitiveCMDLet = externaldata (Cmdlet:string, UserOriented:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true)| project Cmdlet,UserOriented,Parameters;\r\nlet AAL = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend AdminAuditLogExcludedCmdlets = CmdletResultValue.AdminAuditLogExcludedCmdlets\r\n| project AdminAuditLogExcludedCmdlets);\r\nlet SentsitivecmdletTrack = toscalar(SensitiveCMDLet | where Cmdlet has_any ( AAL)| project Cmdlet);\r\nlet _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\n//let _CurrentDateB = todatetime(toscalar(_currD));\r\nlet _CurrentDateB = datetime_add('day', 1, todatetime(toscalar(_currD)));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\r\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\r\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n | extend 
AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\r\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\"]'))\r\n | extend AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\"', \"\")\r\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \"*\", \"✅ Default configuration\", \"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\"', \"\")\r\n | project-away CmdletResultValue\r\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \"❌ Some excluded CmdLets are part of Sensitive Cmdlets\", AdminAuditLogExcludedCmdlets <> \"\", \"⚠️ Some Cmdlets are excluded \", \"✅ No Excluded CmdLet\")\r\n | extend WhenChanged = todatetime(WhenChanged)\r\n | extend WhenCreated = todatetime(WhenCreated)\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"AdminAuditLog\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | extend AdminAuditLogAgeLimit = tostring(CmdletResultValue.AdminAuditLogAgeLimit)\r\n | extend AdminAuditLogAgeLimit = substring(AdminAuditLogAgeLimit, 8)\r\n | extend AdminAuditLogAgeLimit =substring(AdminAuditLogAgeLimit, 0, indexof(AdminAuditLogAgeLimit, ','))\r\n | extend AdminAuditLogCmdlets = tostring(CmdletResultValue.AdminAuditLogCmdlets)\r\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 2)\r\n | extend AdminAuditLogCmdlets = substring(AdminAuditLogCmdlets, 0, indexof(AdminAuditLogCmdlets, '\"]'))\r\n | extend 
AdminAuditLogCmdlets = replace_string(AdminAuditLogCmdlets, '\"', \"\")\r\n | extend Comment_AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets == \"*\", \"✅ Default configuration\", \"❌ if AdminAuditLogCmdlets empty no logging else only AdminAuditLogCmdlets will be logged\")\r\n | extend AdminAuditLogExcludedCmdlets = tostring(CmdletResultValue.AdminAuditLogExcludedCmdlets)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 2)\r\n | extend AdminAuditLogExcludedCmdlets = substring(AdminAuditLogExcludedCmdlets, 0, indexof(AdminAuditLogExcludedCmdlets, ']'))\r\n | extend AdminAuditLogExcludedCmdlets = replace_string(AdminAuditLogExcludedCmdlets, '\"', \"\")\r\n | project-away CmdletResultValue\r\n | extend Comment_AdminAuditLogExcludedCmdlet = case(isnotempty(SentsitivecmdletTrack), \"❌ Some excluded CmdLets are part of Sensitive Cmdlets\", AdminAuditLogExcludedCmdlets <> \"\", \"⚠️ Some Cmdlets are excluded \", \"✅ No Excluded CmdLet\")\r\n | extend WhenChanged = todatetime(WhenChanged)\r\n | extend WhenCreated = todatetime(WhenCreated)\r\n;\r\nlet i=0;\r\nlet DiffModifData = union AfterData, BeforeData\r\n | sort by WhenChanged asc \r\n | project\r\n WhenChanged,\r\n AdminAuditLogAgeLimit,\r\n AdminAuditLogCmdlets,\r\n Comment_AdminAuditLogCmdlets,\r\n AdminAuditLogExcludedCmdlets,\r\n Comment_AdminAuditLogExcludedCmdlet,\r\n WhenCreated\r\n | extend AdminAuditLogAgeLimit = iff(AdminAuditLogAgeLimit != prev(AdminAuditLogAgeLimit) and prev(AdminAuditLogAgeLimit) != \"\", strcat(\"📍 \", AdminAuditLogAgeLimit, \" (\", prev(AdminAuditLogAgeLimit), \"->\", AdminAuditLogAgeLimit, \" )\"), AdminAuditLogAgeLimit)\r\n | extend AdminAuditLogCmdlets = iff(AdminAuditLogCmdlets != prev(AdminAuditLogCmdlets) and prev(AdminAuditLogCmdlets) != \"\", strcat(\"📍 \", AdminAuditLogCmdlets, \" (\", prev(AdminAuditLogCmdlets), \"->\", AdminAuditLogCmdlets, \" )\"), AdminAuditLogCmdlets)\r\n | extend Comment_AdminAuditLogCmdlets = 
iff(Comment_AdminAuditLogCmdlets != prev(Comment_AdminAuditLogCmdlets) and prev(Comment_AdminAuditLogCmdlets) != \"\", strcat(\"📍 \", Comment_AdminAuditLogCmdlets, \" (\", prev(Comment_AdminAuditLogCmdlets), \"->\", Comment_AdminAuditLogCmdlets, \" )\"), Comment_AdminAuditLogCmdlets)\r\n | extend AdminAuditLogExcludedCmdlets = iff(AdminAuditLogExcludedCmdlets != prev(AdminAuditLogExcludedCmdlets) and prev(AdminAuditLogExcludedCmdlets) != \"\", strcat(\"📍 \", AdminAuditLogExcludedCmdlets, \" (\", prev(AdminAuditLogExcludedCmdlets), \"->\", AdminAuditLogExcludedCmdlets, \" )\"), AdminAuditLogExcludedCmdlets)\r\n | extend Comment_AdminAuditLogExcludedCmdlet = iff(Comment_AdminAuditLogExcludedCmdlet != prev(Comment_AdminAuditLogExcludedCmdlet) and prev(Comment_AdminAuditLogExcludedCmdlet) != \"\", strcat(\"📍 \", Comment_AdminAuditLogExcludedCmdlet, \" (\", prev(Comment_AdminAuditLogExcludedCmdlet), \"->\", Comment_AdminAuditLogExcludedCmdlet, \" )\"), Comment_AdminAuditLogExcludedCmdlet)\r\n | extend ActiontypeR =iff(( AdminAuditLogAgeLimit contains \"📍\" or AdminAuditLogCmdlets contains \"📍\" or Comment_AdminAuditLogCmdlets contains \"📍\" or AdminAuditLogExcludedCmdlets contains \"📍\" or Comment_AdminAuditLogExcludedCmdlet contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n AdminAuditLogAgeLimit,\r\n AdminAuditLogCmdlets,\r\n Comment_AdminAuditLogCmdlets,\r\n AdminAuditLogExcludedCmdlets,\r\n Comment_AdminAuditLogExcludedCmdlet,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n 
AdminAuditLogAgeLimit,\r\n AdminAuditLogCmdlets,\r\n Comment_AdminAuditLogCmdlets,\r\n AdminAuditLogExcludedCmdlets,\r\n Comment_AdminAuditLogExcludedCmdlet", + "size": 1, + "showAnalytics": true, + "title": "AdminAuditLog settings comparaison", + "noDataMessage": "No modification", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 3" } ] }, "name": "group - 0Admin Audit Log configuration" }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable" - }, - "name": "POP authentication configuration" - }, { "type": 1, "content": { 
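Review bot: In the new AdminAuditLog comparison query, `SentsitivecmdletTrack` is derived from `AAL`, which reads the exclusion list at `{DateOfConfiguration:value}` only, yet `BeforeData` reuses that scalar for the `Comment_AdminAuditLogExcludedCmdlet` of the `_DateCompareB` collect, so a sensitive cmdlet newly excluded between the two collects shows ❌ on both rows and is never reported as a modification. A per-date list fixes it: `let AAL_Before = (ExchangeConfiguration(SpecificSectionList="AdminAuditLog", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target=_TypeEnv) | project AdminAuditLogExcludedCmdlets);` and `let SentsitivecmdletTrack_Before = toscalar(SensitiveCMDLet | where Cmdlet has_any (AAL_Before) | project Cmdlet);`, used in the `BeforeData` case expression; since `AAL` is declared before `_DateCompareB`, the new `let` has to sit after the date bindings. Two smaller things: `_CurrentDateB` is computed and never used, and the `Add`/`Remove` branches of the final `Actiontype` case are unreachable because `Actiontype` is only ever `"Modif"` after `where ActiontypeR == 1`, so either drop them or keep them with a comment that the block is presumably copied from the list-style sections.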
@@ -310,7 +371,7 @@ { "type": 1, "content": { - "json": "If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\r\n\r\nPOP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations\r\nDisable POP on all mailboxes except those who need to actually use this protocol.\r\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that POP is disabled on all the mailboxes except those who really need it \r\n- Monitor the POP connections\r\n- Change the password of the application on a regular basis\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n \r\n Set-PopSettings\r\n\r\n\r\nIn order to track mailboxes that are currently using POP\r\n- Enable POP logging\r\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", + "json": "If the POP Service is started, the LoginType should not set to Plaintext. This means that the password will be sent in clear on the network. As POP is enabled by default on all the mailboxes, this represents a high security risk.\r\n\r\nPOP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. 
Usernames and passwords are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 110. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 110 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations\r\nDisable POP on all mailboxes except those which really need to use this protocol.\r\nSet the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that POP is disabled on all the mailboxes except those who really need it \r\n- Monitor the POP connections\r\n- Change the password of the application on a regular basis\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n \r\n Set-PopSettings\r\n\r\n\r\nIn order to track mailboxes that are currently using POP\r\n- Enable POP logging\r\n- Set-PopSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : - Get-PopSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", "style": "info" }, "conditionalVisibility": { 
@@ -324,7 +385,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangePop3\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = tostring(StartupType1)\r\n| project 
ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", + "query": "ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name == (\"MSExchangePop3\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = 
tostring(StartupType1)\r\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", "size": 1, "showAnalytics": true, "title": "Pop Authentication : should not be set as Plaintext", 
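Review bot: The frontend service filter now uses a case-sensitive `==` against `CmdletResultValue.Name`, while the backend filter two lines below still uses the case-insensitive `contains`; should a collector report the service name in different casing, the left-outer join drops the row and the table falls back to "Service Status not retrieved" instead of the real status, which for the PlainText LoginType check is exactly the row an operator needs. A case-insensitive exact match keeps the intent of the change without that drop: `| where CmdletResultValue.Name =~ "MSExchangePop3"`. The same `==` is used in the POP settings comparison query in the following hunk, whose end is outside this view.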
@@ -361,6 +422,35 @@ "showBorder": true } }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "POP settings comparaison", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n| summarize TimeMax = arg_max(TimeGenerated,*)\r\n//| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\r\n| project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangePop3\")\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, 
Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"PopSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangePop3\")\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangePop3BE\" )\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), 
ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet i=0;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by ServerName,TimeGenerated asc\r\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \"\", strcat(\"📍 \", LoginType, \" (\", prev(LoginType), \"->\", LoginType, \" )\"), LoginType)\r\n | extend ProtocolLogEnabled = iff(ServerName == prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \"\", strcat(\"📍 \", ProtocolLogEnabled, \" (\", prev(ProtocolLogEnabled), \"->\", ProtocolLogEnabled, \" )\"), ProtocolLogEnabled)\r\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \"\", strcat(\"📍 \", Status, \" (\", prev(Status), \"->\", Status, \" )\"), Status)\r\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \"\", strcat(\"📍 \", StartupType, \" (\", prev(StartupType), \"->\", StartupType, 
\" )\"), StartupType)\r\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != prev(BEStatus) and prev(BEStatus) != \"\", strcat(\"📍 \", BEStatus, \" (\", prev(BEStatus), \"->\", BEStatus, \" )\"), BEStatus)\r\n | extend BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \"\", strcat(\"📍 \", BEStartupType, \" (\", prev(BEStartupType), \"->\", BEStartupType, \" )\"), BEStartupType)\r\n | extend ActiontypeR =iff((LoginType contains \"📍\" or ProtocolLogEnabled contains \"📍\" or Status contains \"📍\" or StartupType contains \"📍\" or BEStatus contains \"📍\" or BEStartupType contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n TimeGenerated,\r\n Actiontype,\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus,\r\n BEStartupType\r\n;\r\nDiffModifData\r\n//| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| project\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus, \r\n BEStartupType", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "Compare" + } + ] + }, + "name": "POP authentication configuration" + }, { "type": 1, "content": { 
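Review bot: The new POP comparison query only ever reports "Modif" rows, so a server that exists in just one of the two snapshots is silently dropped: every diff column is gated on `ServerName == prev(ServerName)`, `Actiontype` is only ever set to "Modif" or "NO", and `where ActiontypeR == 1` removes the rest, which makes the "Add"/"Remove" branches of the final `case(...)` unreachable. For a security comparison this matters, because a server added after `{DateCompare}` with LoginType PlainText would not appear in this view at all. Consider deriving Add/Remove the way the permissions comparison does (anti-joins of BeforeData against AfterData on ServerName) and unioning those rows in before the final `case`, and keeping `Actiontype` in the last `project` so the reader can tell the three cases apart. The `let i=0 ... i=i + 1` counter is only used as a 0/1 flag; a plain boolean `extend Changed = LoginType contains "📍" or ...` would be clearer.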
@@ -371,7 +461,7 @@ { "type": 1, "content": { - "json": "If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\r\n\r\nIMAP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations \r\nDisable IMAP on all mailboxes except those which needs to use this protocol. Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \r\n- Monitor the connection\r\n- Regularly, change the password of the application\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n\r\n Set-IMAPSettings\r\n\r\n\r\n\r\nIn order to track mailboxes that are currently using IMAP\r\n- Enable IMAP logging\r\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", + "json": "If the IMAP Service is started, the LoginType should not set to Plaintext. This means that the passwords will be sent in clear over the network. As IMAP is enabled by default on all the mailboxes, this is a high security risk.\r\n\r\nIMAP Authentication\r\n- **PlainText** TLS encryption is not required on port 110. 
User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.\r\n- **PlainTextAuthentication** TLS encryption is not required on port 143. However, Basic authentication is permitted only on a port that uses TLS or SSL encryption.\r\n- **SecureLogin** Connection on port 143 must use TLS encryption before authenticating.\r\n\r\nℹ️ Recommendations \r\nDisable IMAP on all mailboxes except those which really need to use this protocol. Set the authentication to SecureLogin or at least to PlainTextAuthentication and configure the application accordingly.\r\n\r\nIf the application is not able to perform this type of authentication:\r\n- Ensure that IMAP is disable on all the mailboxes except those who really need it \r\n- Monitor the connection\r\n- Regularly, change the password of the application\r\n\r\nRecommended Reading : \r\n\r\nConfiguring Authentication for POP3 and IMAP4\r\n\r\n Set-IMAPSettings\r\n\r\n\r\n\r\nIn order to track mailboxes that are currently using IMAP\r\n- Enable IMAP logging\r\n- Set-IMAPSettings -Server SRV1 -ProtocolLogEnabled verbose\r\n- Several weeks later, analyze the log content\r\n- Default location : Get-IMAPSettings -server SRV1 | fl server,*log*\r\n- Check for connection and authentication\r\n", "style": "info" }, "conditionalVisibility": { 
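Review bot: The reworded IMAP guidance still carries the POP port in the first bullet: `- **PlainText** TLS encryption is not required on port 110.` describes POP3, while the next two bullets correctly refer to port 143, so the line should read `- **PlainText** TLS encryption is not required on port 143. User name and password are sent unencrypted unless the underlying connection is encrypted by using TLS or SSL.` This is the bullet an operator reads to understand why the ⛔ row is high risk, so the wrong port is misleading rather than cosmetic. While touching the string, `Ensure that IMAP is disable on all the mailboxes` should be `disabled`.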
@@ -385,7 +475,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangeIMAP4\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = tostring(StartupType1)\r\n| project 
ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", + "query": "ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name == (\"MSExchangeImap4\")\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n| join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n| project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n| extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n| extend LoginType = iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n| extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n| extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n| extend Status = tostring(Status)\r\n| extend BackendEndService= tostring(ServiceName1)\r\n| extend StartupType = tostring(StartupType)\r\n| extend BEStatus = tostring(Status1)\r\n| extend BEStartupType = 
tostring(StartupType1)\r\n| project ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n| sort by ServerName asc", "size": 1, "showAnalytics": true, "title": "IMAP Authentication : should not be set as Plaintext", 
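Review bot: The new frontend-service filter `where CmdletResultValue.Name == ("MSExchangeImap4")` is case-sensitive, while the backend filter two pipes later still uses case-insensitive `contains ("MSExchangeIMAP4BE")`; the move away from `contains` is presumably to stop the frontend match also picking up the BE service, which is a good change. If the collected name ever differs in casing, the left-outer join silently degrades to "Service Status not retrieved" rather than failing, so `where CmdletResultValue.Name =~ "MSExchangeImap4"` would keep the exact-name intent without depending on casing. The same applies to the POP query's `== ("MSExchangePop3")` earlier in the file.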
@@ -415,6 +505,25 @@ "showBorder": true } }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n| summarize TimeMax = arg_max(TimeGenerated,*)\r\n//| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\r\n| project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\n//let _CurrentDateB = datetime_add('day',1,todatetime(toscalar(_currD)));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangeImap4\")\r\n | project TimeGenerated,ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = 
iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"IMAPSettings\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | join kind = leftouter(ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name == (\"MSExchangeImap4\")\r\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString\r\n | join (ExchangeConfiguration(SpecificSectionList=\"POPIMAPServicesStatus\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\r\n | where CmdletResultValue.Name contains (\"MSExchangeIMAP4BE\" )\r\n | project ServerName= tostring(CmdletResultValue.Server), ServiceName=CmdletResultValue.Name, Status=CmdletResultValue.StatusString,StartupType=CmdletResultValue.StartTypeString) on ServerName) on ServerName\r\n | extend ServerName = tostring(CmdletResultValue.Server.Name)\r\n | extend LoginType = 
iff(CmdletResultValue.LoginType== 1 , \"⛔ PlainText, High Risk\", iff(CmdletResultValue.LoginType== 2, \"⚠️ PlainTextAuthentication\",\"✅ SecureLogin\"))\r\n | extend ProtocolLogEnabled = tostring(CmdletResultValue.ProtocolLogEnabled)\r\n | extend ServiceName = iff(tostring(ServiceName)==\"\", \"Service Status not retrieved\",tostring(ServiceName))\r\n | extend Status = tostring(Status)\r\n | extend BackendEndService= tostring(ServiceName1)\r\n | extend StartupType = tostring(StartupType)\r\n | extend BEStatus = tostring(Status1)\r\n | extend BEStartupType = tostring(StartupType1)\r\n | project TimeGenerated,ServerName,LoginType,ServiceName,Status,StartupType,BackendEndService,BEStatus,BEStartupType,ProtocolLogEnabled\r\n | sort by ServerName asc\r\n;\r\nlet i=0;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by ServerName,TimeGenerated asc\r\n | extend LoginType = iff(ServerName == prev(ServerName) and LoginType != prev(LoginType) and prev(LoginType) != \"\", strcat(\"📍 \", LoginType, \" (\", prev(LoginType), \"->\", LoginType, \" )\"), LoginType)\r\n | extend ProtocolLogEnabled = iff(ServerName == prev(ServerName) and ProtocolLogEnabled != prev(ProtocolLogEnabled) and prev(ProtocolLogEnabled) != \"\", strcat(\"📍 \", ProtocolLogEnabled, \" (\", prev(ProtocolLogEnabled), \"->\", ProtocolLogEnabled, \" )\"), ProtocolLogEnabled)\r\n | extend Status = iff( ServerName == prev(ServerName) and Status != prev(Status) and prev(Status) != \"\", strcat(\"📍 \", Status, \" (\", prev(Status), \"->\", Status, \" )\"), Status)\r\n | extend StartupType = iff(ServerName == prev(ServerName) and StartupType != prev(StartupType) and prev(StartupType) != \"\", strcat(\"📍 \", StartupType, \" (\", prev(StartupType), \"->\", StartupType, \" )\"), StartupType)\r\n | extend BEStatus = iff(ServerName == prev(ServerName) and BEStatus != prev(BEStatus) and prev(BEStatus) != \"\", strcat(\"📍 \", BEStatus, \" (\", prev(BEStatus), \"->\", BEStatus, \" )\"), BEStatus)\r\n | extend 
BEStartupType = iff(ServerName == prev(ServerName) and BEStartupType != prev(BEStartupType) and prev(BEStartupType) != \"\", strcat(\"📍 \", BEStartupType, \" (\", prev(BEStartupType), \"->\", BEStartupType, \" )\"), BEStartupType)\r\n | extend ActiontypeR =iff((LoginType contains \"📍\" or ProtocolLogEnabled contains \"📍\" or Status contains \"📍\" or StartupType contains \"📍\" or BEStatus contains \"📍\" or BEStartupType contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n Actiontype,\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus,\r\n BEStartupType\r\n;\r\nDiffModifData\r\n//| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| project\r\n ServerName,\r\n LoginType,\r\n ProtocolLogEnabled,\r\n Status,\r\n StartupType,\r\n BEStatus, \r\n BEStartupType", + "size": 1, + "showAnalytics": true, + "title": "IMAP settings comparaison", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "Compare - Copy" + }, { "type": 12, "content": { 
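Review bot: In the IMAP comparison's `BeforeData`, both `POPIMAPServicesStatus` sub-queries use `SpecificConfigurationDate=_CurrentDate` although the outer `IMAPSettings` query uses `_DateCompareB`, so the "before" row is joined with the current service status and the Status/StartupType/BEStatus/BEStartupType columns can never show a change between the two dates. The POP variant of this query uses `_DateCompareB` for all three calls, which is what is intended here: change the two `BeforeData` occurrences to `SpecificConfigurationDate=_DateCompareB`. Note also that `BeforeData` in this query does not project `TimeGenerated` from the joined status rows, so the `sort by ServerName,TimeGenerated asc` that drives `prev()` relies solely on the outer `IMAPSettings` timestamp; that is fine once the dates are consistent, but worth a comment. As with the POP widget, servers present in only one snapshot are not reported.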
@@ -425,14 +534,14 @@ { "type": 1, "content": { - "json": "This section highlights nonstandard permissions on Configuration Partition for Exchange container. By selecting Yes for Generic All buttom only delegation set for Generic All will be display. Standard, Deny and inherited permissions have been removed" + "json": "This section highlights nonstandard permissions on the Exchange container in the Configuration Partition. By selecting Yes for **Generic All** button, only delegations set to Generic All will be displayed. \r\nAlso Standard, Deny and inherited permissions have been removed" }, "name": "text - 0" }, { "type": 1, "content": { - "json": "During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\r\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\r\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\r\n - SID for deleted accounts\r\n - Old service accounts (that may not have been disabled or removed...)\r\n \r\nWhen an administrator run setup /prepareAD, his account will be granted Generic All at the top-level Exchange container\r\n\r\nBy default, this section only displayed the Generic All permissions.\r\n \r\nThis section is built by removing all the standard AD and Exchange groups.\r\n\r\n Exchange 2013 deployment permissions reference\r\n \r\n", + "json": "During the lifetime of an Exchange Organization, many permissions may have been set on Exchange containers in the Configuration Partition.\r\nThis section displayed all the nonstandard permissions found on the most important Exchange containers :\r\n - Groups from legacy Exchange versions (Exchange Enterprise Servers, Exchange Domain Servers,...)\r\n - SID for deleted accounts\r\n - Old service accounts (that may not have been disabled or removed...)\r\n \r\nWhen an administrator runs setup /PrepareAD, his account 
will be granted Generic All at the top-level Exchange container\r\n\r\nBy default, this section only displayed the **Generic All** permissions.\r\n \r\nThis section is built by removing all the standard AD and Exchange groups.\r\n\r\n Exchange 2013 deployment permissions reference\r\n \r\n", "style": "info" }, "conditionalVisibility": { @@ -488,15 +597,15 @@ "filter": true, "sortBy": [ { - "itemKey": "AccessRights", - "sortOrder": 1 + "itemKey": "DN", + "sortOrder": 2 } ] }, "sortBy": [ { - "itemKey": "AccessRights", - "sortOrder": 1 + "itemKey": "DN", + "sortOrder": 2 } ] }, 
@@ -504,6 +613,25 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let StandardGroup = dynamic([\"Authenticated Users\", \"Domain Admins\", \"Enterprise Admins\", \"Schema Admins\", \"Exchange Trusted Subsystem\", \"Exchange Servers\", \"Organization Management\", \"Public Folder Management\", \"Delegated Setup\", \"ANONYMOUS LOGON\", \"NETWORK SERVICE\", \"SYSTEM\", \"Everyone\", \"Managed Availability Servers\"]);\r\nlet Exchsrv =ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B119E5', Target = \"On-Premises\")\r\n | summarize make_list(CmdletResultValue.Name);\r\nlet _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"PartConfPerm\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"PartConfPerm\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue.Deny !contains \"True\" and CmdletResultValue.IsInherited !contains \"True\"\r\n | where (CmdletResultValue.AccessRights == \"[983551]\") in (True, False)\r\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\r\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\r\n | extend Name = tostring(CmdletResultValue.Identity.Name)\r\n | extend Account = tostring(CmdletResultValue.UserString )\r\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \"GenericAll\", strcat (\"❌ \",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\r\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \"-As\", strcat (\"❌ \",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\r\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\r\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\r\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\r\n | project-away CmdletResultValue\r\n | sort by Name,Account desc\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on AllInfo \r\n | distinct \r\n Name, \r\n Account, \r\n AccessRights, \r\n ExtendedRights, \r\n InheritanceType, \r\n DN,\r\n AllInfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"PartConfPerm\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Deny !contains \"True\" and 
CmdletResultValue.IsInherited !contains \"True\"\r\n | where (CmdletResultValue.AccessRights == \"[983551]\") in (True, False)\r\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\r\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\r\n | extend Name = tostring(CmdletResultValue.Identity.Name)\r\n | extend Account = tostring(CmdletResultValue.UserString )\r\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \"GenericAll\", strcat (\"❌ \",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\r\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \"-As\", strcat (\"❌ \",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\r\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\r\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\r\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\r\n | project-away CmdletResultValue\r\n | sort by Name,Account desc\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"PartConfPerm\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Deny !contains \"True\" and CmdletResultValue.IsInherited !contains \"True\"\r\n | where (CmdletResultValue.AccessRights == \"[983551]\") in (True, False)\r\n | where not (CmdletResultValue.UserString has_any (StandardGroup)) in (True)\r\n | where not (CmdletResultValue.UserString has_any (Exchsrv))in (True)\r\n | extend Name = tostring(CmdletResultValue.Identity.Name)\r\n | extend Account = tostring(CmdletResultValue.UserString )\r\n | extend AccessRights = iff (tostring(CmdletResultValue.AccessRightsString) contains \"GenericAll\", strcat (\"❌ 
\",tostring(CmdletResultValue.AccessRightsString)), tostring(CmdletResultValue.AccessRightsString))\r\n | extend ExtendedRights = iff (tostring(CmdletResultValue.ExtendedRightsString) contains \"-As\", strcat (\"❌ \",tostring(CmdletResultValue.ExtendedRightsString)), tostring(CmdletResultValue.ExtendedRightsString))\r\n | extend InheritanceType = tostring(CmdletResultValue.InheritanceType)\r\n | extend DN = tostring(CmdletResultValue.Identity.DistinguishedName)\r\n | extend AllInfo = strcat(Name,Account,CmdletResultValue.AccessRightsString,CmdletResultValue.ExtendedRightsString)\r\n | project-away CmdletResultValue\r\n | sort by Name,Account desc\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on AllInfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on AllInfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on AllInfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Name, \r\n Account, \r\n AccessRights, \r\n ExtendedRights, \r\n InheritanceType, \r\n DN \r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on AllInfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Name, \r\n Account, \r\n AccessRights, \r\n ExtendedRights, \r\n InheritanceType, \r\n DN ", + "size": 1, + "showAnalytics": true, + "title": "Compare NonStandard Permissions for Exchange Container in the Configuration Partition", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": 
"Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "Compare - Copy - Copy" } ] }, @@ -535,7 +663,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n//| where CmdletResultValue.Name !contains \"Deleg\" and CmdletResultValue.RoleAssigneeName != \"Hygiene Management\" and CmdletResultValue.RoleAssigneeName != \"Exchange Online-ApplicationAccount\" and CmdletResultValue.RoleAssigneeName != \"Discovery Management\"\r\n| where CmdletResultValue.Name !contains \"Deleg\" \r\n| where CmdletResultValue.RoleAssigneeName !in (\"Hygiene Management\",\"Exchange Online-ApplicationAccount\",\"Discovery Management\")\r\n| where CmdletResultValue.Role.Name contains \"Export\" or CmdletResultValue.Role.Name contains \"Impersonation\" or (CmdletResultValue.Role.Name contains \"Search\" and CmdletResultValue.Role.Name !contains \"MailboxSearchApplication\")\r\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n| where CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| where CmdletResultValue.RoleAssigneeName !in (\"Hygiene Management\",\"Exchange Online-ApplicationAccount\",\"Discovery Management\")\r\n| where CmdletResultValue.Role.Name == \"Mailbox Import Export\" or CmdletResultValue.Role.Name == \"ApplicationImpersonation\" or (CmdletResultValue.Role.Name == \"Mailbox Search\")\r\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role.Name)", "size": 1, "showAnalytics": true, "title": "Number of delegations for sensitive RBAC roles", 
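Review bot: The exclusion list in the new permissions-comparison query is built from a hard-coded environment and date: `let Exchsrv = ExchangeConfiguration(SpecificSectionList="ExchangeServers", SpecificConfigurationDate="lastdate", SpecificConfigurationEnv='B119E5', ...)`, so in any other workspace `Exchsrv` is empty (Exchange server accounts then show up as "nonstandard" noise) and, if an environment by that id exists, accounts matching its server names are excluded from a permission audit they should appear in. It should follow the selected parameters, e.g. `let Exchsrv = ExchangeConfiguration(SpecificSectionList="ExchangeServers", SpecificConfigurationDate="{DateOfConfiguration:value}", SpecificConfigurationEnv={EnvironmentList}, Target = "On-Premises") | summarize make_list(CmdletResultValue.Name);` (using the workbook parameters directly, since `_EnvList`/`_CurrentDate` are declared after this `let`). Separately, `where (CmdletResultValue.AccessRights == "[983551]") in (True, False)` is always true, so unlike the non-comparison table this widget is not wired to the Generic All toggle; either drop the line or bind it to the toggle parameter. The `ESIEnvironment_s == _EnvList` filter on the raw table assumes a single-valued environment parameter, which I cannot confirm from this hunk.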
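Review bot: Switching the sensitive-role filter from `contains` to exact `==` names narrows what is counted: a custom role derived from one of these (`New-ManagementRole -Parent "ApplicationImpersonation"`) carries the same role entries under a different name, and the old `contains "Impersonation"` / `contains "Export"` would have caught many such cases while `Role.Name == "ApplicationImpersonation"` will not. For a "sensitive RBAC delegations" counter that is a monitoring gap an operator would not notice. If the collected role object exposes its parent or role type, filter on that; otherwise keep a `contains`-based clause alongside the exact names, e.g. `| where CmdletResultValue.Role.Name in ("Mailbox Import Export","ApplicationImpersonation","Mailbox Search") or CmdletResultValue.Role.Name contains "Impersonation"`. The `RoleAssignmentDelegationType != "6"` exclusion replaces the earlier `Name !contains "Deleg"`; a short comment in the accompanying text stating that 6 is the delegating type would help the next reader, as the magic value is not explained anywhere in the hunk.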
@@ -580,14 +708,14 @@ { "type": 1, "content": { - "json": "This delegation allows the delegated account to access and modify the content of every mailboxes using EWS." + "json": "This delegation allows the delegated accounts to access and modify the content of every mailboxes using EWS.\r\nExcluded from the result as default configuration :\r\n- The Delegating delegation for this role assigned to Organization Management\r\n- Hygiene Management group as it is a default delegation" }, "name": "text - 0" }, { "type": 1, "content": { - "json": "**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \r\n\r\n⚡ This role is very powerfull.\r\n\r\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\r\n\r\nHelp for the role Application Impersonation\r\n\r\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\r\n\r\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. Remember to monitor the content of this group.", + "json": "**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes using EWS. \r\n\r\n⚡ This role is very powerfull.\r\n\r\nIt should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\r\n\r\nHelp for the role Application Impersonation\r\n\r\nIt is common (but not recommended) to see service accounts from backup solution, antivirus software, MDM... with this delegation.\r\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\r\nNote that the default configuration to the group Hygiene Management is excluded. This group is a sensitive group. 
Remember to monitor the content of this group.", "style": "info" }, "conditionalVisibility": { 
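Review bot: The new help text keeps `powerfull` and `every mailboxes`; since both strings are rewritten in this hunk the spelling should be fixed at the same time (`⚡ This role is very powerful.` and `the content of every mailbox using EWS`). The Mailbox Import Export text in hunk @@ -638 has the same `powerfull` plus `maibox`. The added line `Excluded from the result as default configuration :` reads better as `Excluded from the result (default configuration):`, matching the bullet list that follows it.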
@@ -601,9 +729,42 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n| where CmdletResultValue.Role.Name contains \"Impersonation\" and CmdletResultValue.RoleAssigneeName != \"Hygiene Management\" and CmdletResultValue.Name !contains \"Deleg\"\r\n//| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= 
tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList})\r\n| where CmdletResultValue.Role.Name == \"ApplicationImpersonation\" and CmdletResultValue.RoleAssigneeName != \"Hygiene Management\" and CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = 
case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "RoleAssignmentDelegationType", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "RoleAssignmentDelegationType", + "sortOrder": 1 + } + ] + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let ExclusionsAcctValue = dynamic([\"Hygiene Management\", \"RIM-MailboxAdmins\"]);\r\nMESCompareDataOnPMRA(SectionCompare=\"MRA\",DateCompare=\"{DateCompare:value}\",CurrentDate = 
\"{DateOfConfiguration:value}\",EnvList ={EnvironmentList},TypeEnv = \"On-Premises\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\"Impersonation\")", "size": 1, "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", @@ -612,10 +773,22 @@ "filter": true } }, - "name": "query - 1", + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 1 - Copy", "styleSettings": { "showBorder": true } + }, + { + "type": 1, + "content": { + "json": "**Remove Time is displayed the date of the last collect and not the exact remove time**" + }, + "name": "text - 4" } ] }, 
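Review bot: The new change-tracking query hard-codes `RIM-MailboxAdmins` in the `ExclusionsAcct` list passed to `MESCompareDataOnPMRA`, and nothing in the workbook says what that group is; unlike `Hygiene Management` it is not an Exchange default, so it reads as an environment-specific name that will silently hide ApplicationImpersonation changes for a group of that name in every environment that uses this workbook. The same literal is repeated in the export and search compare queries in hunks @@ -679 and @@ -742. Either drop it, or surface the exclusion list as a workbook parameter alongside `Compare_Collect` so the reviewer can see and adjust what is filtered out; at minimum the info text above should state it, e.g. `Excluded from the change view: Hygiene Management, RIM-MailboxAdmins`. The added note `**Remove Time is displayed the date of the last collect and not the exact remove time**` would be clearer as `**The Remove Time shown is the date of the last collection, not the exact removal time**`.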
@@ -638,7 +811,7 @@ { "type": 1, "content": { - "json": "**Mailbox Import Export** is a RBAC role that allows an account to export the content of any maibox in a PST. It also allows search in all mailboxes.\r\n\r\n⚡ This role is very powerfull.\r\n\r\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Import Export\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n- create an empty group with this delegation\r\n- monitor the group content and alert when the group modified\r\n- add administrators in this group only for a short period of time.\r\n", + "json": "**Mailbox Import Export** is a RBAC role that allows an account to export the content of any maibox in a PST. It also allows the delegated account to perform searches in all mailboxes.\r\n\r\n⚡ This role is very powerfull.\r\n\r\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Import Export\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n- Create an empty group with this delegation\r\n- Monitor the group content and alert when the group content is modified\r\n- Add administrators in this group only for a short period of time\r\n", "style": "info" }, "conditionalVisibility": { 
@@ -652,7 +825,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name contains \"export\" and CmdletResultValue.Name !contains \"Deleg\"\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , 
\"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name == \"Mailbox Import Export\" and CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend 
RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType,Status, CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
@@ -679,6 +852,39 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let ExclusionsAcctValue = dynamic([\"Hygiene Management\", \"RIM-MailboxAdmins\"]);\r\nMESCompareDataOnPMRA(SectionCompare=\"MRA\",DateCompare=\"{DateCompare:value}\",CurrentDate = \"{DateOfConfiguration:value}\",EnvList ={EnvironmentList},TypeEnv = \"On-Premises\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\"export\")", + "size": 1, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "**Remove Time is displayed the date of the last collect and not the exact remove time**" + }, + "name": "text - 4" } ] }, 
@@ -694,14 +900,14 @@ { "type": 1, "content": { - "json": "This delegation allows to search inside all or in a scope of mailboxes and export the result in PST.\r\nExcluded from the result as default configuration :\r\nDelegating delegation to Organization Management\r\nExchange Online-ApplicationAccount\r\nDiscovery Management has been excluded\r\n" + "json": "This delegation allows the delegated account to search inside all or in a scope of mailboxes and export the result in PST.\r\nExcluded from the result as default configuration :\r\n- The Delegating delegation for this role assigned to Organization Management\r\n- Delegation for the account Exchange Online-Application\r\n- Delegation for the group Discovery Management \r\n" }, "name": "text - 0" }, { "type": 1, "content": { - "json": "**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\r\n\r\n⚡ This role is very powerful.\r\n\r\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Search\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n\r\n- add the administrators in the Discovery Management group\r\n- monitor the group content and alert when the group modified\r\n- add administrators in this group only for a short period of time\r\n", + "json": "**Mailbox Search** is an RBAC role that allows an account to search in any mailbox and export the results to a PST.\r\n\r\n⚡ This role is very powerful.\r\n\r\nBy default, this role is only delegated to the group Discovery Management. 
The members of the group Organization Management do not have this role but are able to delegate it.\r\n\r\nHelp for the role Mailbox Search\r\n\r\nℹ️ Recommendations\r\n\r\nIf you temporarily need this delegation, consider the following:\r\n\r\n- Temporarily add the administrators in the Discovery Management group\r\n- Monitor the group content and alert when the group is modified\r\n- Add administrators in this group only for a short period of time\r\n", "style": "info" }, "conditionalVisibility": { 
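Review bot: The exclusion list in the new text names `Exchange Online-Application`, but the grid query below it (hunk @@ -715) excludes `Exchange Online-ApplicationAccount`; the help text should carry the exact account name so a reader comparing it with the grid does not conclude that a different account is filtered: `- Delegation for the account Exchange Online-ApplicationAccount`. The rewritten recommendations now say both `Temporarily add the administrators in the Discovery Management group` and `Add administrators in this group only for a short period of time`, which is one recommendation stated twice; keeping the first and dropping the third bullet avoids the repetition.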
@@ -715,7 +921,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name contains \"search\" and CmdletResultValue.Name !contains \"Deleg\"\r\n| where CmdletResultValue.RoleAssigneeName != \"Exchange Online-ApplicationAccount\" and CmdletResultValue.RoleAssigneeName != \"Discovery Management\"\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| 
extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", + "query": "ExchangeConfiguration(SpecificSectionList=\"MRA\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Role.Name == \"Mailbox Search\" and CmdletResultValue.RoleAssignmentDelegationType !=\"6\" \r\n| where CmdletResultValue.RoleAssigneeName != \"Exchange Online-ApplicationAccount\" and CmdletResultValue.RoleAssigneeName != \"Discovery Management\"\r\n| extend RoleAssigneeType = case(CmdletResultValue.RoleAssigneeType== \"0\" or CmdletResultValue.RoleAssigneeType== \"2\" , \"User\", CmdletResultValue.RoleAssigneeType== \"10\",\"Group\",\"LinkedGroup\")\r\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope.Name)\r\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope.Name)\r\n| extend RecipientWriteScope = case(CmdletResultValue.RecipientWriteScope==\"0\",\"None\",CmdletResultValue.RecipientWriteScope==\"2\",\"Organization\",CmdletResultValue.RecipientWriteScope==\"3\",\"MyGAL\", CmdletResultValue.RecipientWriteScope==\"4\",\"Self\",CmdletResultValue.RecipientWriteScope==\"7\", \"CustomRecipientScope\",CmdletResultValue.RecipientWriteScope==\"8\",\"MyDistributionGroups\",\"NotApplicable\")\r\n| extend ConfigWriteScope = 
case(CmdletResultValue.ConfigWriteScope==\"0\",\"None\",CmdletResultValue.ConfigWriteScope==\"7\",\"CustomConfigScope\",CmdletResultValue.ConfigWriteScope==\"10\",\"OrganizationConfig\",\"NotApplicable\")\r\n| extend ConfigReadScope = iff(CmdletResultValue.ConfigReadScope == \"0\" , \"None\", \"OrganizationConfig\")\r\n| extend RecipientReadScope = case(CmdletResultValue.RecipientReadScope==\"2\",\"Organization\",CmdletResultValue.RecipientReadScope==\"3\",\"MyGAL\",CmdletResultValue.RecipientReadScope==\"4\",\"Self\",\"NotApplicable\")\r\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\r\n| extend Status= tostring(CmdletResultValue.Enabled)\r\n| extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType ==\"6\" , \"Delegating\", \"Regular\") \r\n| extend RoleAssigneeName = iff( RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \",tostring(CmdletResultValue.RoleAssigneeName)), strcat(\"👪 \", tostring(CmdletResultValue.RoleAssigneeName)) )\r\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope, CustomConfigWriteScope, RecipientWriteScope, ConfigWriteScope, ConfigReadScope, RecipientReadScope, ManagementRoleAssignement, RoleAssignmentDelegationType, WhenCreated, WhenChanged", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
@@ -742,6 +948,39 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let ExclusionsAcctValue = dynamic([\"Hygiene Management\", \"RIM-MailboxAdmins\"]);\r\nMESCompareDataOnPMRA(SectionCompare=\"MRA\",DateCompare=\"{DateCompare:value}\",CurrentDate = \"{DateOfConfiguration:value}\",EnvList ={EnvironmentList},TypeEnv = \"On-Premises\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\"Search\")", + "size": 1, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "**Remove Time is displayed the date of the last collect and not the exact remove time**" + }, + "name": "text - 4" } ] }, 
@@ -757,7 +996,7 @@ { "type": 1, "content": { - "json": "These are delegations at the database level.\r\n\r\n**Receive As Extended Right on database's objects in the Configuration**\r\n\r\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\r\n\r\nHelp for Receive As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\r\n\r\n**Send As Extended Right on database objects in the Configuration**\r\n\r\n\r\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\r\n\r\nHelp for Send As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.Change the password as often as possible.\r\n", + "json": "These sections display delegations at the database level (the database Object, not the container) ..\r\n\r\n**Receive As Extended Right on database's objects in the Configuration**\r\n\r\nWhen an account has **ReceiveAs** permissions on a database's object, it can open and view the content of any mailboxes on that database.\r\n\r\nHelp for Receive As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person. 
This account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers.\r\nChange the password as often as possible.\r\n\r\n**Send As Extended Right on database objects in the Configuration**\r\n\r\n\r\nWhen an account has **SendAs** permissions on a database's object, it can send messages from all the mailboxes contained in this database. The messages that are sent from a mailbox will appear as if the mailbox owner sent them.\r\n\r\nHelp for Send As Permission\r\n\r\n\r\nℹ️ Recommendations\r\n\r\nDo not set this permission on databases. When an application requires this permission, ensure that the application account’s password is well protected and known by a very limited number of person.\r\nThis account should be closely monitored and the security of the server where it is running needs to be at the same level of Exchange servers. \r\nChange the password as often as possible.\r\n", "style": "info" }, "conditionalVisibility": { 
@@ -767,11 +1006,41 @@ }, "name": "SendAsHelp" }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "eb0af112-df51-47f5-8849-b3ee764fa72d", + "version": "KqlParameterItem/1.0", + "name": "IsInherited", + "label": "Included Inherited deleg", + "type": 10, + "description": "Yes Show all the delegations (Databases object and Database Containers), No only databases objects", + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\r\n { \"value\": \"false\", \"label\": \"No\" , \"selected\":true },\r\n { \"value\": \"true, false\", \"label\": \"Yes\"}\r\n]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "true, false" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 7" + }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique Acct\",\"SendAs Unique Acct\")", + "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = 
\"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| summarize dcount(tostring(CmdletResultValue.UserString)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique Acct\",\"SendAs Unique Acct\")", "size": 1, "showAnalytics": true, "title": "Number of accounts with ReceiveAs/SendAs delegations", 
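Review bot: The new filter `| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})` appears to invert the `No` option: with the `false` value from the parameter's jsonData it becomes `(IsInherited == false) in (false)`, which keeps the rows where `IsInherited == false` is itself false, i.e. the inherited ones, while the parameter description promises "only databases objects"; `true, false` keeps every row, so `Yes` happens to work. Comparing the field directly, `| where CmdletResultValue.IsInherited in ({IsInherited})`, gives the described behaviour for both options, assuming the collector stores IsInherited as a boolean rather than a string (the `tostring(...)` added in hunk @@ -855 suggests it may be either). The same expression is used in the grids in hunks @@ -811, @@ -855 and @@ -918. Separately, the parameter's jsonData marks `No` as `selected` while its stored `value` is `true, false`, so the pill shown and the filter applied can disagree on first load; pick one default for both.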
@@ -811,10 +1080,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique DB\",\"SendAs Unique DB\")", + "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| union ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| summarize dcount(tostring(CmdletResultValue.Identity.Name)) by iff( tostring(Section) contains \"MailboxDatabaseReceiveAs\",\"ReceiveAs Unique DB\",\"SendAs Unique DB\")", "size": 1, "showAnalytics": true, - "title": "ReceiveAs/SendAs database delegations", + "title": "Databases with ReceiveAs/SendAs delegations", "color": "purple", "showExportToExcel": true, "queryType": 0, 
@@ -855,7 +1124,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| summarize Count =count() by Account,DatabaseName\r\n| project Account,Count,DatabaseName\r\n",
+ "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n| summarize Count =count() by Account,DatabaseName,IsInherited\r\n| project Account,Count,DatabaseName,IsInherited\r\n",
 "size": 1,
 "showAnalytics": true,
 "title": "ReceiveAs Extended Right on databases",
@@ -918,12 +1187,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| summarize Count =count() by Account, DatabaseName\r\n| project Account, Count, DatabaseName", + "query": "ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n| extend Account = tostring(CmdletResultValue.UserString)\r\n| extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n| extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n| summarize Count =count() by Account,DatabaseName,IsInherited\r\n| project Account,Count,DatabaseName,IsInherited", "size": 1, "showAnalytics": true, "title": "SendAs Extended Right on databases", - "noDataMessage": "No Send-As delegation", - "noDataMessageStyle": 3, "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", @@ -932,20 +1199,8 @@ { "columnMatch": "Account", "formatter": 5 - }, - { - "columnMatch": "Count", - "formatter": 8, - "formatOptions": { - "palette": "blue", - "aggregation": "Sum", - "compositeBarSettings": { - "labelText": "" - } - } } ], - "rowLimit": 10000, "filter": true, "hierarchySettings": { "treeType": 1, 
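Review bot: Dropping `"noDataMessage": "No Send-As delegation"` and `"noDataMessageStyle": 3` from the SendAs grid makes an empty result ambiguous: after the new `| where (CmdletResultValue.IsInherited == false ) in ({IsInherited})` line, "nothing to show" can mean no delegation exists, or that every row was filtered out by the inheritance selector, and the generic empty-grid state no longer tells the reviewer which. The ReceiveAs grid in the previous hunk does not carry a no-data message either, so if the intent is to align the two panels, consider restoring the message on both (`"noDataMessage": "No Send-As delegation matching the selected IsInherited filter"`) rather than removing it from one.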
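Review bot: Removing `"rowLimit": 10000` makes the SendAs grid fall back to the workbook's default row limit, which I believe is considerably lower; a large organisation with many SendAs rights per database would then get a silently truncated list, and the "Export to Excel" export is the artefact auditors rely on. Since the hunk also removes the Count bar formatter, it reads as a visual cleanup, but the row cap is a data-completeness setting and is worth keeping: `"rowLimit": 10000,` next to `"filter": true`. If the default limit is in fact sufficient, a comment in the PR description saying so would settle it.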
@@ -953,35 +1208,75 @@ "Account" ], "finalBy": "Account" - }, - "labelSettings": [ - { - "columnId": "Account", - "comment": "Account and the number of databases on which it has delegation " - } - ] + } } }, "customWidth": "50", - "name": "MailboxDatabaseSendAsGrid", + "name": "SendAs Extended Right on databases", "styleSettings": { "showBorder": true } - } - ] - }, - "name": "ReceiveSendAs" - } - ] - }, - "conditionalVisibility": { - "parameterName": "selected", - "comparison": "isEqualTo", - "value": "Delegation" - }, - "name": "Importantsecurityconfiguration" - }, - { + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"MailboxDatabaseReceiveAs\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseReceiveAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = 
tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited", + "size": 3, + "showAnalytics": true, + "title": "Comparaison ReceiveAs", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"MailboxDatabaseSendAs\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = 
tostring(CmdletResultValue)\r\n | sort by Account\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"MailboxDatabaseSendAs\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue <> \"{'Error':'EmptyResult'}\"\r\n | where (CmdletResultValue.IsInherited == false ) in ({IsInherited})\r\n | extend Account = tostring(CmdletResultValue.UserString)\r\n | extend DatabaseName = tostring(CmdletResultValue.Identity.Name)\r\n | extend IsInherited = tostring(CmdletResultValue.IsInherited)\r\n | extend Allinfo = strcat(Account,DatabaseName)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Account\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited,\r\n Allinfo\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Account,\r\n DatabaseName,\r\n IsInherited", + "size": 3, + "showAnalytics": true, + "title": "Comparaison SendAs", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": 
"Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 5 - Copy" + } + ] + }, + "name": "ReceiveSendAs" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selected", + "comparison": "isEqualTo", + "value": "Delegation" + }, + "name": "Importantsecurityconfiguration" + }, + { "type": 12, "content": { "version": "NotebookGroup/1.0", 
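Review bot: The change-tracking key in both comparison queries, `| extend Allinfo = strcat(Account,DatabaseName)`, has no separator, so two distinct (Account, Database) pairs whose concatenations coincide are merged by the `join … on Allinfo` steps and a real add or remove of a delegation can be masked; the key also leaves out `IsInherited`, so a right that flips from inherited to explicit (or back) produces no row at all. Use `| extend Allinfo = strcat(Account, "|", DatabaseName, "|", IsInherited)` in the `allDataRange`, `BeforeData` and `AfterData` blocks of both the ReceiveAs and SendAs queries. Separately, `_TypeEnv` is only passed to the `ExchangeConfiguration()` calls; the direct `ESIExchangeConfig_CL` read in `allDataRange` applies no equivalent Target filter, and `| where ESIEnvironment_s == _EnvList` compares with `==` where the parser is handed the same `{EnvironmentList}` value as a set, so a multi-environment selection would presumably either fail to parse or match nothing — worth confirming against the parameter definition, which is outside this hunk. The two queries differ only in the section name and could share one definition, and both titles misspell "Comparison".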
@@ -991,14 +1286,14 @@ { "type": 1, "content": { - "json": "The following section will display the content of the local Administrators group for each server\r\n\r\n** When content refer to groups from other forests, none or partial information will be displayed and the number of Administrators may be inconsistent. **\r\n\r\nMost of the sections display the same information but with differents sorting, displays..." + "json": "The following section will display the content of the local Administrators group for each server\r\n\r\n** When content refers to groups from other forests, none or partial information will be displayed, and the number of Administrators may be inconsistent. **\r\n\r\nMost of the sections display the same information but with different sorting, views...\r\nIf an SID is part of the local Administrators group, it won't be displayed due to a collect limitation." }, "name": "text - 12" }, { "type": 1, "content": { - "json": "Only Exchange administrators should be members of the local Administrators group of Exchange servers.\r\n\r\nYou need to review the content of the local Administrators group on a regular basis.\r\n\r\nIt is considered a high security risk to have a discrepancy of members between the servers. \r\n\r\nIt is not recommended to have more than one local administrator accounts. Furthermore, the password should be unique on each server and regularly changed. A solution like LAPS could be used to manage the local administrator password.\r\n\r\nOnly Exchange administrators should be able to logon on Exchange servers.\r\n\r\nHere the default content of the local Administrators group for an Exchange server \r\n:\r\n- Administrator (this account can be renamed)\r\n- Domain Admins\r\n- Exchange Trusted Subsystem\r\n- Organization Management\r\n\r\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. 
If the service account opens sessions on other servers, it can be used for lateral movements. \r\n", + "json": "Only Exchange administrators should be members of the local Administrators group of Exchange servers.\r\n\r\nYou need to review the content of the local Administrators group on a regular basis. Ensure that the content is enforced by GPO.\r\n\r\nIt is considered as a high security risk to have a discrepancy of members between the servers. \r\n\r\nIt is not recommended to have more than one local Administrator accounts. Furthermore, the password should be unique on each server and regularly changed. A solution like LAPS could be used to manage the local administrator password.\r\n\r\nOnly Exchange administrators should be able to logon on Exchange servers.\r\n\r\nHere the default content of the local Administrators group for an Exchange server \r\n:\r\n- Administrator (this account can be renamed)\r\n- Domain Admins\r\n- Exchange Trusted Subsystem\r\n- Organization Management\r\n\r\n**Service accounts should not be members of the local Administrators group**. If it is necessary, you need to ensure that the account is dedicated to Exchange. If the service account opens sessions on other servers, it can be used for lateral movements.\r\nThese service accounts should be closely monitored and the security of the server where they are running needs to be at the same level of Exchange servers.\r\n", "style": "info" }, "conditionalVisibility": { @@ -1031,6 +1326,13 @@ }, "name": "parameters - 7" }, + { + "type": 1, + "content": { + "json": "**Yes** : display all content including the default Groups : Default groups after the installation of Exchange\r\n\r\n**No** : display only content of non standard Groups" + }, + "name": "text - 15" + }, { "type": 1, "content": { 
@@ -1077,8 +1379,9 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Click to see number of unique members for all servers", + "title": "Click to see number of unique members for every servers in the organization", "expandable": true, + "expanded": true, "items": [ { "type": 1, @@ -1131,7 +1434,7 @@ "version": "KqlItem/1.0", "query": "let allsrv = ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") | where \r\nCmdletResultValue.IsMailboxServer== true | extend Name=tostring(CmdletResultValue.Name);\r\nExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") \r\n| where CmdletResultValue.Level == 1\r\n| project CmdletResultValue\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Name = tostring(trim_end(@'\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup)))\r\n| distinct Name\r\n| project Name\r\n| join kind=rightanti (allsrv) on Name\r\n| project CmdletResultValue.Name", "size": 4, - "title": "Servers not reachable", + "title": "Servers not reachable during the collect", "noDataMessage": "All server were successfully analyzed", "noDataMessageStyle": 3, "queryType": 0, @@ -1159,7 +1462,7 @@ "version": "KqlItem/1.0", "query": "ExchangeConfiguration(SpecificSectionList=\"ExchangeServers\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n| where CmdletResultValue.ServerRole <> 64\r\n| count\r\n", "size": 4, - "title": "Number of servers", + "title": "Total number of servers in the Organizaton", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", "visualization": "tiles", 
@@ -1210,7 +1513,7 @@
 {
 "type": 1,
 "content": {
- "json": "This view shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\r\n\r\nConsider reviewing:\r\n- **nonstandard members** the Memberpath help to understand from which group the user comprised\r\n- **inconsistent memebrs** across servers\r\n\r\nNote that content from Trusted forests might not be displayed. ",
+ "json": "This Tab shows each nonstandard user account that is member (directly or by a group) of the local Administrators group per server.\r\n\r\nConsider reviewing:\r\n- **nonstandard members** : the Memberpath help to understand from which group inclusion the user come from\r\n- **inconsistent members** across servers\r\n\r\nNote that content from Trusted forests might not be displayed. ",
 "style": "info"
 },
 "conditionalVisibility": {
@@ -1220,6 +1523,61 @@ }, "name": "LocalAdminPerServersHelp" }, + { + "type": 1, + "content": { + "json": "This tabled shows a comparaison of the content between two dates.", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "LocalAdminPerServersHelp - Copy" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "590a6eb9-3349-46cd-ace1-cae9aac1f26a", + "version": "KqlParameterItem/1.0", + "name": "Server", + "type": 2, + "query": "ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n| where CmdletResultValue.Level == 1\r\n| project CmdletResultValue\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\r\n| distinct Parentgroup = Parentgroup", + "typeSettings": { + "additionalResourceOptions": [] + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 18" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let StandardGroup = dynamic([\"Administrator\", \"Domain Admins\",\"Exchange Trusted Subsystem\",\"Organization Management\", \"Admins du domaine\"]);\r\nlet _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize 
TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"LocalAminGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| extend Allinfo = strcat(Parentgroup,MemberPath)\r\n| sort by Parentgroup asc\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n Parentgroup,\r\n MemberPath, \r\n Level, \r\n ObjectClass, \r\n LastLogon, \r\n LastPwdSet, \r\n Enabled, \r\n DN,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local 
Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| extend Allinfo = strcat(Parentgroup,MemberPath)\r\n| sort by Parentgroup asc\r\n ;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| extend Allinfo = strcat(Parentgroup,MemberPath)\r\n| sort by Parentgroup asc\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n | project \r\n Actiontype,\r\n Parentgroup,\r\n MemberPath, 
\r\n Level, \r\n ObjectClass, \r\n LastLogon, \r\n LastPwdSet, \r\n Enabled, \r\n DN\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Parentgroup, \r\n MemberPath, \r\n Level, \r\n ObjectClass, \r\n LastLogon, \r\n LastPwdSet, \r\n Enabled, \r\n DN\r\n| where Parentgroup contains \"{Server}\"", + "size": 3, + "showAnalytics": true, + "title": "To view the comparaison for one specific server, select a server in the dropdown list", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "name": "query - 17" + }, { "type": 3, "content": { 
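Review bot: The server selector is applied as `| where Parentgroup contains "{Server}"`, which is a substring match: picking `EX01` also returns `EX010` and `EX011`, and because `contains ""` is true for every row the table lists all servers while nothing is selected, which the title only hints at. The dropdown values come from the same `distinct Parentgroup` query, so they are exact strings; prefer `| where isempty("{Server}") or Parentgroup == "{Server}"` (the empty-parameter expansion should be confirmed, since the parameter is declared with `"value": null`). The change key `| extend Allinfo = strcat(Parentgroup,MemberPath)` has no separator, so unrelated (server, member) pairs can collide and hide a real add/remove; `strcat(Parentgroup, "|", MemberPath)` avoids that. This new `Server` parameter also duplicates the query of the existing server dropdown further down the file; sharing one parameter would keep the comparison and the per-server view in sync.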
@@ -1227,7 +1585,7 @@ "query": "let StandardGroup = dynamic([\"Administrator\", \"Domain Admins\",\"Exchange Trusted Subsystem\",\"Organization Management\", \"Admins du domaine\"]);\r\nExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Level != 0 \r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastPwdSet = tostring(CmdletResultValue.LastPwdSetString)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| summarize Count=count() by MemberPath,Parentgroup,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\r\n| project Parentgroup = strcat(\"💻 \",Parentgroup),Count,MemberPath,Level,ObjectClass,LastLogon,LastPwdSet,Enabled,DN\r\n| sort by Parentgroup asc ", "size": 1, "showAnalytics": true, - "title": " Total Non standard Groups and accounts including nested groups", + "title": " Total per server of Non standard Groups and accounts including nested groups", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
@@ -1290,7 +1648,7 @@ "query": "let StandardGroup = dynamic([\"Administrator\", \"Domain Admins\",\"Exchange Trusted Subsystem\",\"Organization Management\", \"Admins du domaine\"]);\r\nExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Level == 1\r\n| where not (CmdletResultValue.MemberPath has_any (StandardGroup))\r\n| project CmdletResultValue\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators',tostring(CmdletResultValue.Parentgroup))\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend MemberPath = case( ObjectClass == \"group\", strcat( \"👪 \", MemberPath), ObjectClass == \"computer\", strcat( \"💻 \", MemberPath), strcat( \"🧑‍🦰 \", MemberPath) )\r\n| project-away CmdletResultValue\r\n//| summarize Count=count(), Servers=make_set(Parentgroup) by MemberPath\r\n| summarize Count=count() by MemberPath,Parentgroup \r\n| sort by Count desc", "size": 1, "showAnalytics": true, - "title": "Non Standard accounts summary", + "title": "Non Standard accounts summary for all servers", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", 
@@ -1349,7 +1707,7 @@ { "type": 1, "content": { - "json": "##### Select a server to display its content\r\n\r\nBy default only the non-standard members are displayed. \r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" + "json": "##### Select a server to display its content\r\n\r\nBy default only the non-standard members are displayed. \r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" }, "name": "text - 0" }, @@ -1365,10 +1723,12 @@ "type": 2, "query": "ExchangeConfiguration(SpecificSectionList=\"LocalAminGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n| where CmdletResultValue.Level == 1\r\n| project CmdletResultValue\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Parentgroup = trim_end(@'\\\\Local Administrators', tostring(CmdletResultValue.Parentgroup))\r\n| distinct Parentgroup = Parentgroup", "typeSettings": { + "additionalResourceOptions": [], "showDefault": false }, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "05ef4f1c-4cf4-406f-9fb2-9ee30dc93abd", 
@@ -1479,7 +1839,7 @@ { "type": 1, "content": { - "json": "The **Exchange Trusted Subsystem** group is one the two most sensistive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contains computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\r\n\r\nThis section only shows direct nonstandard members.", + "json": "The **Exchange Trusted Subsystem** group is one of the two most sensitive groups in Exchange. This group has all privileges in Exchange and very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contain computer accounts for each Exchange servers. When the DAG has an IP and a CNO, it is acceptable to have the DAG's computer account.\r\n\r\nThis section only shows direct nonstandard members.", "style": "info" }, "customWidth": "50", @@ -1493,7 +1853,7 @@ { "type": 1, "content": { - "json": "The **Exchange Windows Permissions** group is one the two most sensistive groups in Exchange. This group has very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contains the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. ", + "json": "The **Exchange Windows Permissions** group is one of the two most sensitive groups in Exchange. This group has very high privileges in AD.\r\n\r\nExchange 2013 deployment permissions reference\r\n\r\nThis group should only contain the group Exchange Trusted SubSystem. This section only shows direct nonstandard members. ", "style": "info" }, "customWidth": "50", 
@@ -1591,7 +1951,6 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)", "items": [ { "type": 3, @@ -1620,7 +1979,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let ETScontent = ExchangeConfiguration(SpecificSectionList=\"ETS\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") | project Name = tostring(CmdletResultValue.Name);\r\nExchangeConfiguration(SpecificSectionList=\"EWP\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \"Exchange Trusted Subsystem\"\r\n//| extend Name = strcat (\"⛔\",tostring(CmdletResultValue.Name))\r\n| extend Name = iff(CmdletResultType == \"Success\", strcat (\"⛔\",tostring(CmdletResultValue.Name)),\"Script was unable to retrieve data\")\r\n| project Name ", + "query": "let ETScontent = ExchangeConfiguration(SpecificSectionList=\"ETS\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") | project Name = tostring(CmdletResultValue.Name);\r\nExchangeConfiguration(SpecificSectionList=\"EWP\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.Name !in (ETScontent) and CmdletResultValue.Name != \"Exchange Trusted Subsystem\"\r\n| extend Name = iff(CmdletResultType == \"Success\", strcat (\"⛔\",tostring(CmdletResultValue.Name)),\"Script was unable to retrieve data\")\r\n| project Name ", "size": 1, "showAnalytics": true, "title": "Exchange Windows Permissions direct nonstandard content (Exchange Trusted subsystem non standard content not included)", 
@@ -1650,7 +2009,7 @@ { "type": 1, "content": { - "json": "ℹ️ Recommendations\r\n\r\n- Groups from old Exchange version should have been removed\r\n- List of old groups \r\n\t- Exchange Organization Administrators\r\n\t- Exchange Recipient Administrators\r\n\t- Exchange Public Folder Administrators\r\n\t- Exchange Server Administrator\r\n\t- Exchange View-Only Administrator\r\n\t- Exchange Enterprise Servers (located in the root domain)\r\n\t- Exchange Domain Servers : one group per domain\r\n\r\n\r\nHelp for Built-in role groups", + "json": "ℹ️ Recommendations\r\n\r\n- Groups from the old Exchange version should have been removed\r\n- List of old groups \r\n\t- Exchange Organization Administrators\r\n\t- Exchange Recipient Administrators\r\n\t- Exchange Public Folder Administrators\r\n\t- Exchange Server Administrator\r\n\t- Exchange View-Only Administrator\r\n\t- Exchange Enterprise Servers (located in the root domain)\r\n\t- Exchange Domain Servers : one group per domain\r\n\r\n\r\nHelp for Built-in role groups", "style": "info" }, "conditionalVisibility": { @@ -1665,6 +2024,7 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", + "title": "If still exist, this section showed a summary of the content of old groups", "items": [ { "type": 3, @@ -1705,10 +2065,16 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Expand details on the content of old groups", + "title": "Expand this section to details on the content of the old groups", "expandable": true, - "expanded": false, "items": [ + { + "type": 1, + "content": { + "json": "Please select a group" + }, + "name": "text - 5" + }, { "type": 9, "content": { @@ -1724,7 +2090,8 @@ "showDefault": false }, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "a695df39-1965-479a-ad0f-b4d3d168aaed", 
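Review bot: The new group title `If still exist, this section showed a summary of the content of old groups` (in the `@@ -1665` hunk) has no subject and mixes tenses, which reads as broken in the rendered workbook; suggest `If they still exist, this section shows a summary of the content of the old groups`. The sibling title changed in the `@@ -1705` hunk, `Expand this section to details on the content of the old groups`, is likewise clearer as `Expand this section for details on the content of the old groups`. Dropping `"expanded": false` in that same hunk presumably relies on the workbook default for collapsed groups; worth confirming the section still starts collapsed.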
@@ -1754,7 +2121,7 @@ { "type": 1, "content": { - "json": "Old Exchange groups content groups (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" + "json": "Old Exchange groups content groups (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" }, "name": "text - 2" }, 
@@ -1762,9 +2129,10 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\r\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level ==0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| mv-expand CmdletResultValue.Members\r\n| where CmdletResultValue_Members.objectClass == \"group\"\r\n| project Parentgroup, MemberPath= strcat(Parentgroup,\"\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)| join kind=inner ( ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = 
tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\r\nExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\") \r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\")\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| union OldVGroupEES,OldVGroupEDS\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| where CmdletResultValue.Level != 0\r\n//| extend DN = tostring(CmdletResultValue.DN)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ Never logged\", strcat(\"❌\", LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), 
CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ Password never set\", strcat(\"❌\", LastPwdSet))))\r\n| extend MemberPath = case(ObjectClass == \"group\", strcat(\"👪 \", MemberPath), ObjectClass == \"computer\", strcat(\"💻 \", MemberPath), strcat(\"🧑‍🦰 \", MemberPath))\r\n| project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\r\n", + "query": "let OldVGroupEES = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled) );\r\nlet OldVGroupEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level ==0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | mv-expand CmdletResultValue.Members\r\n | where CmdletResultValue_Members.objectClass == \"group\"\r\n | project Parentgroup, MemberPath= strcat(Parentgroup,\"\\\\\", CmdletResultValue_Members.name), Level = tostring(1), ObjectClass = tostring(CmdletResultValue_Members.objectClass), DN = tostring(CmdletResultValue_Members.DistinguishedName), ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\r\n | join 
kind=inner ( ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid)) on ObjectGuid) ;\r\nExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=\"{DateOfConfiguration:value}\", SpecificConfigurationEnv={EnvironmentList}, Target = \"On-Premises\") \r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\")\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | union OldVGroupEES,OldVGroupEDS\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | where todatetime (CmdletResultValue.LastPwdSetString) < ago(0d) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n | where todatetime (CmdletResultValue.LastLogonString) < ago(0d) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n | sort by tostring(CmdletResultValue.MemberPath) asc \r\n | where CmdletResultValue.Level != 0\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff 
(LastLogon == \"\", \"❌ Never logged\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ Password never set\", strcat(\"❌\", LastPwdSet))))\r\n | extend MemberPath = case(ObjectClass == \"group\", strcat(\"👪 \", MemberPath), ObjectClass == \"computer\", strcat(\"💻 \", MemberPath), strcat(\"🧑‍🦰 \", MemberPath))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | project Parentgroup, MemberPath, Level, ObjectClass,LastLogon, LastPwdSet ,Enabled,DN\r\n", "size": 1, "showAnalytics": true, + "title": "Selected group content", "noDataMessage": "The query returned no results.", "showExportToExcel": true, "queryType": 0, 
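Review bot: The ❌ marker for LastPwdSet in the rewritten query is driven by `ago(366d)` while the explanatory text two items above says "greater than 365 days"; the two should agree, e.g. `iif(todatetime(CmdletResultValue.LastPwdSetString) > ago(365d), ...)`, or the text should say 366. Both `iif` guards also test `ObjectClass == "computer"` twice, which looks like a leftover from copy-paste and can be trimmed to `ObjectClass == "group" or ObjectClass == "computer" or ObjectClass == "Local User"`. Replacing the hard-coded `"lastdate"`/`'B13'` in OldVGroupEDS with the workbook parameters is the right call, since the old version silently read a fixed environment regardless of the selected one. Note that `search CmdletResultValue.Parentgroup == "{Group}"` is a case-insensitive match, so two old groups differing only in case would be merged; `where` would be the stricter choice.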
@@ -1807,6 +2175,44 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeDataEES=\r\n (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled));\r\nlet BeforeDataEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level == 0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | mv-expand CmdletResultValue.Members\r\n | where CmdletResultValue_Members.objectClass == 
\"group\"\r\n | project\r\n Parentgroup,\r\n MemberPath= strcat(Parentgroup, \"\\\\\", CmdletResultValue_Members.name),\r\n Level = tostring(1),\r\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\r\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\r\n ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\r\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=\"lastdate\", SpecificConfigurationEnv='B13', Target = \"On-Premises\")\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\r\n on ObjectGuid); \r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\")\r\n | union BeforeDataEES, BeforeDataEDS\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = 
iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AfterDataEES=\r\n (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where (CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\") or CmdletResultValue.Parentgroup == \"Exchange Services\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend Enabled = tostring(CmdletResultValue.Enabled));\r\nlet AfterDataEDS = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\" and CmdletResultValue.Level == 0\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | mv-expand CmdletResultValue.Members\r\n | where CmdletResultValue_Members.objectClass == \"group\"\r\n | project\r\n Parentgroup,\r\n MemberPath= strcat(Parentgroup, \"\\\\\", CmdletResultValue_Members.name),\r\n Level = tostring(1),\r\n ObjectClass = tostring(CmdletResultValue_Members.objectClass),\r\n DN = tostring(CmdletResultValue_Members.DistinguishedName),\r\n 
ObjectGuid = tostring(CmdletResultValue_Members.ObjectGuid)\r\n | join kind=inner (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Parentgroup == \"Exchange Enterprise Servers\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend ObjectGuid = tostring(CmdletResultValue.ObjectGuid))\r\n on ObjectGuid); \r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | union AfterDataEES, AfterDataEDS\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet allDataRange = 
\r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"ExGroup\" or Section_s == \"ADGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | where CmdletResultValue.Parentgroup in (\"Exchange Organization Administrators\", \"Exchange Recipient Administrators\", \"Exchange Public Folder Administrators\", \"Exchange Server Administrator\", \"Exchange View-Only Administrator\", \"Exchange Enterprise Servers\" , \"Exchange Services\")\r\n //| where CmdletResultValue.MemberPath != @\"Exchange Enterprise Servers\\Exchange Domain Servers\"\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath 
asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n ;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on MemberPath \r\n | distinct \r\n TimeGenerated,\r\n Parentgroup,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData ) on MemberPath\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n| join kind = innerunique (BeforeData ) on MemberPath\r\n| extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n| join kind = leftanti (InBeforedatabotAfter ) on MemberPath\r\n| extend Actiontype =\"Add/Remove\"\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on MemberPath\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype),\"N/A\")\r\n| where MemberPath <> \"Exchange Enterprise Servers\\\\Exchange Domain Servers\"\r\n| project\r\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled\r\n", + "size": 3, + "showAnalytics": true, + "title": "Compare of the contents of selected old group", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "ExchangeServersGroupsGrid - Compare", + "styleSettings": { + "showBorder": true + } } ] }, 
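Review bot: The new compare query still carries a hard-coded snapshot in the BeforeDataEDS join, `ExchangeConfiguration(SpecificSectionList="ADGroup", SpecificConfigurationDate="lastdate", SpecificConfigurationEnv='B13', Target = "On-Premises")`, so in any environment other than `B13` the nested "Exchange Enterprise Servers" members join against nothing and the before-side is empty, which will misreport those members as added; it should read `SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv` like every other call in this item. The AfterDataEDS join has the mirror problem: it passes `SpecificConfigurationDate=_DateCompareB` (the baseline date) where `_CurrentDate` is expected, so "after" rows are enriched from the "before" snapshot. Separately, the empty-password branch prints `"❌ No logon"` in all three sub-queries; `"❌ Password never set"` is what the neighbouring grid uses and is what the value means. `where ESIEnvironment_s == _EnvList` will only match when the EnvironmentList parameter holds a single value; if it can be multi-select this needs `in`, which I cannot confirm from the hunk.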
@@ -1826,7 +2232,7 @@ { "type": 1, "content": { - "json": "ℹ️ Recommendations\r\n\r\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\r\n- Limit the usage of nested group for administration.\r\n- Ensure that accounts are given only the required pernissions to execute their tasks.\r\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\r\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\r\n- Monitor the content of the following groups:\r\n - Organization Management\r\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\r\n - Discovery Management\r\n - Server Management\r\n - Hygiene Management\r\n - Exchange Servers\r\n - Exchange Trusted Subsystem \r\n - Exchange Windows Permissions\r\n - xxx High privilege group (not an exhaustive list)\r\n - All RBAC groups that have high roles delegation\r\n - All nested groups in high privileges groups\r\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\r\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\r\n- Periodically review the members of the groups\r\n\r\nHelp for Built-in role groups", + "json": "ℹ️ Recommendations\r\n\r\n- Ensure that no service account is a member of the high privilege groups. 
Use RBAC to delegate the exact required permissions.\r\n- Limit the usage of nested group for administration.\r\n- Ensure that accounts are given only the required permissions to execute their tasks.\r\n- Use just in time administration principle by adding users in a group only when they need the required permissions, then remove them when their operation is over.\r\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\r\n- Monitor the content of the following groups:\r\n - Organization Management\r\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\r\n - Discovery Management\r\n - Server Management\r\n - Hygiene Management\r\n - Exchange Servers\r\n - Exchange Trusted Subsystem \r\n - Exchange Windows Permissions\r\n - xxx High privilege group (not an exhaustive list)\r\n - All RBAC groups that have high roles delegation\r\n - All nested groups in high privileges groups\r\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\r\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\r\n- Periodically review the members of the groups\r\n\r\nHelp for Built-in role groups", "style": "info" }, "conditionalVisibility": { @@ -1917,6 +2323,13 @@ }, "name": "ExchangeGroupsList" }, + { + "type": 1, + "content": { + "json": "Please select a group" + }, + "name": "text - 5 - Copy" + }, { "type": 9, "content": { @@ -1934,7 +2347,8 @@ "showExportToExcel": true, "showAnalytics": true, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "f3b935d7-b78f-41d2-94bc-f8c878a13260", 
@@ -1973,7 +2387,7 @@ { "type": 1, "content": { - "json": "Exchange groups content (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" + "json": "Exchange groups content (Extract for the OU \"Microsoft Exchange Security Groups\").\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days" }, "name": "text - 2" }, 
@@ -1981,7 +2395,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"ExGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n//| extend MemberPath = case( ObjectClass == \"group\", strcat( \"👪 \", MemberPath), ObjectClass == \"computer\", strcat( \"💻 \", 
MemberPath), strcat( \"🧑‍🦰 \", MemberPath) )\r\n| project-away CmdletResultValue,Parentgroup", + "query": "ExchangeConfiguration(SpecificSectionList=\"ExGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n| project-away CmdletResultValue,Parentgroup", "size": 3, "showAnalytics": true, "showExportToExcel": true, 
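Review bot: On the new query line the `LastPwdSet` column falls back to the `\"❌ No logon\"` label when `LastPwdSetString` is empty, which is the LastLogon wording copied into the password-age column, so an account with no password-set date reads in the grid as one that never logged on; `iff (LastPwdSet==\"\", \"❌ No password set\",strcat(\"❌\",LastPwdSet))` labels it correctly. The same `iif` tests `ObjectClass==\"computer\"` twice, so one of the two terms can go. Both issues recur in the ADGroup query of hunk -2097/+2560 and in the four `LastPwdSet` expressions of the compare queries added in hunks -2008/+2422 and -2122/+2585.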
@@ -2008,6 +2422,51 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"ExGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == 
\"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n ;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on MemberPath \r\n | distinct \r\n TimeGenerated,\r\n Parentgroup,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = 
tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ExGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData ) on MemberPath\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n| join kind = innerunique (BeforeData ) on MemberPath\r\n| extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n| join kind = leftanti (InBeforedatabotAfter ) on 
MemberPath\r\n| extend Actiontype =\"Add/Remove\"\r\n| project \r\n TimeGenerated,\r\n Parentgroup,\r\n Actiontype,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on MemberPath\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype),\"N/A\")\r\n| project\r\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled", + "size": 3, + "showAnalytics": true, + "title": "Add/Remove information in selected group", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "ExchangeServersGroupsGrid - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)" + }, + "name": "text - 7" } ] }, @@ -2020,6 +2479,13 @@ "groupType": "editable", "title": "AD Group", "items": [ + { + "type": 1, + "content": { + "json": "Please select a group" + }, + "name": "text - 5 - Copy" + }, { "type": 1, "content": { 
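Review bot: `AlldataUnique` deduplicates by joining `allDataRange` to itself with `kind = innerunique` and then running `distinct` over the left-side columns, which works only because innerunique keeps one left row per `MemberPath`, and which row survives (its `TimeGenerated`) is unspecified; `| summarize arg_max(TimeGenerated, *) by MemberPath` states the intent directly and deterministically. The comparison is keyed on `MemberPath` at the two endpoints, so a member present at both `_DateCompare` and `_CurrentDate` that was removed and re-added in between is not reported; the `text - 7` explanation should say so, or an analyst will assume all membership churn in the range is listed. `allDataRange` tests `ESIEnvironment_s == _EnvList` directly while every other query passes `{EnvironmentList}` through `ExchangeConfiguration()`; if that parameter can hold more than one environment the equality matches nothing, so worth confirming. `InBeforedatabotAfter` reads like a typo for `InBeforeDataNotAfter`, and the same points apply to the ADGroup copy of this query in hunk -2122/+2585.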
@@ -2043,17 +2509,14 @@
 "version": "KqlParameterItem/1.0",
 "name": "Group",
 "type": 2,
- "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\r\n| distinct GroupName\r\n| sort by GroupName asc\r\n",
+ "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where tostring(CmdletResultValue.Parentgroup) != \"Exchange Enterprise Servers\" and tostring(CmdletResultValue.Parentgroup) <> \"Exchange Services\"\r\n| extend GroupName = tostring(CmdletResultValue.Parentgroup)\r\n| distinct GroupName\r\n| sort by GroupName asc\r\n",
 "typeSettings": {
+ "additionalResourceOptions": [],
 "showDefault": false
 },
- "showExportToExcel": true,
- "showAnalytics": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
- "gridSettings": {
- "rowLimit": 10000
- }
+ "value": null
 },
 {
 "id": "9d02cad2-f4c5-418d-976f-b88b56f80cb5",
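Review bot: The added `where` hides `Exchange Enterprise Servers` and `Exchange Services` from the group picker without saying why; this picker is how an analyst reviews privileged-group membership, so a group that silently never appears is easily mistaken for one that is empty, and the exclusion needs its rationale in the query. The clause also mixes `!=` and `<>` for the same test. `| where tostring(CmdletResultValue.Parentgroup) !in (\"Exchange Enterprise Servers\", \"Exchange Services\") // <reason these groups are excluded>\r\n` expresses it once and carries the reason.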
@@ -2089,7 +2552,7 @@
 {
 "type": 1,
 "content": {
- "json": "Overview of high privileges AD Groups' content.\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when user logged or the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days"
+ "json": "Overview of high privileges AD Groups' content.\r\nSelect a group to display detailed information of its contents.\r\nLevel attribute helps you understand the level of nested groups.\r\n\r\n❌ : for last logon displayed when the last logon is greater than 180 days\r\n\r\n❌ : for password last set displayed when last password set greater than 365 days"
 },
 "name": "text - 0"
 },
@@ -2097,7 +2560,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n//| extend MemberPath = case( ObjectClass == \"group\", strcat( \"👪 \", MemberPath), ObjectClass == \"computer\", strcat( \"💻 \", 
MemberPath), strcat( \"🧑‍🦰 \", MemberPath) )\r\n| project-away CmdletResultValue,Parentgroup", + "query": "ExchangeConfiguration(SpecificSectionList=\"ADGroup\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| search CmdletResultValue.Parentgroup == \"{Group}\"\r\n| where todatetime (CmdletResultValue.LastPwdSetString) < ago({PasswordLast}) or tostring (CmdletResultValue.LastPwdSetString) == \"\"\r\n| where todatetime (CmdletResultValue.LastLogonString) < ago({LastLogon}) or tostring (CmdletResultValue.LastLogonString) == \"\"\r\n| where CmdletResultValue.Level != 0\r\n| sort by tostring(CmdletResultValue.MemberPath) asc \r\n| project CmdletResultValue\r\n| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n| extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n| extend Level = tostring(CmdletResultValue.Level)\r\n| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n| extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n| extend LastLogon = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString,iff (LastLogon==\"\", \"❌ No logon\",strcat(\"❌\",LastLogon))))\r\n| extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n| extend LastPwdSet = iif(ObjectClass==\"group\" or ObjectClass==\"computer\" or ObjectClass==\"Local User\" or ObjectClass==\"computer\",\"N/A\",iif ( todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString,iff (LastPwdSet==\"\", \"❌ No logon\",strcat(\"❌\",LastPwdSet))))\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend DN = tostring(CmdletResultValue.DN)\r\n| sort by MemberPath asc\r\n| project-away CmdletResultValue,Parentgroup", "size": 3, "showAnalytics": true, "showExportToExcel": true, 
@@ -2122,6 +2585,51 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"ADGroup\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated,CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == 
\"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n ;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on MemberPath \r\n | distinct \r\n TimeGenerated,\r\n Parentgroup,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = 
tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ADGroup\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | search CmdletResultValue.Parentgroup == \"{Group}\"\r\n | extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\r\n | extend MemberPath = tostring(CmdletResultValue.MemberPath)\r\n | extend Level = tostring(CmdletResultValue.Level)\r\n | extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\r\n | extend LastLogon = tostring(CmdletResultValue.LastLogonString)\r\n | extend LastLogon = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastLogonString) > ago(180d), CmdletResultValue.LastLogonString, iff (LastLogon == \"\", \"❌ No logon\", strcat(\"❌\", LastLogon))))\r\n | extend LastPwdSet = CmdletResultValue.LastPwdSetString\r\n | extend LastPwdSet = iif(ObjectClass == \"group\" or ObjectClass == \"computer\" or ObjectClass == \"Local User\" or ObjectClass == \"computer\", \"N/A\", iif (todatetime (CmdletResultValue.LastPwdSetString) > ago(366d), CmdletResultValue.LastPwdSetString, iff (LastPwdSet == \"\", \"❌ No logon\", strcat(\"❌\", LastPwdSet))))\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend DN = tostring(CmdletResultValue.DN)\r\n | sort by MemberPath asc\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData ) on MemberPath\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n| join kind = innerunique (BeforeData ) on MemberPath\r\n| extend Actiontype =\"Remove\"\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n| join kind = leftanti (InBeforedatabotAfter ) on 
MemberPath\r\n| extend Actiontype =\"Add/Remove\"\r\n| project \r\n TimeGenerated,\r\n Parentgroup,\r\n Actiontype,\r\n MemberPath,\r\n Level,\r\n ObjectClass,\r\n LastLogon,\r\n LastPwdSet,\r\n Enabled\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on MemberPath\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData,AddRemoveindataset,InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype),\"N/A\")\r\n| project\r\n Actiontype,Parentgroup, MemberPath, Level, ObjectClass, LastLogon, LastPwdSet, Enabled", + "size": 3, + "showAnalytics": true, + "noDataMessage": "Add/Remove information in selected group", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "MemberPath", + "sortOrder": 1 + } + ] + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "ExchangeServersGroupsGrid - Compare", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "Add/Remove means that the account has been added and removed between the Time Range (so not present Before or After the Time Range)" + }, + "name": "text - 6" } ] }, @@ -2146,7 +2654,7 @@ { "type": 1, "content": { - "json": "This tab displays differents security configuration for transport components." + "json": "This tab displays different security configurations for transport components." }, "name": "text - 10" }, @@ -2155,7 +2663,7 @@ "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Receive Connectors", + "title": "Receive Connectors with", "items": [ { "type": 3, 
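Review bot: The ADGroup compare grid in hunk -2122/+2585 carries `"noDataMessage": "Add/Remove information in selected group"` where its ExGroup twin in hunk -2008/+2422 has `"title"` with the same string, so this grid renders without a title and shows a title-like sentence only when the query returns nothing; `"title": "Add/Remove information in selected group",` restores the intended label. The item names also diverge (`ExchangeServersGroupsGrid - Copy` vs `ExchangeServersGroupsGrid - Compare`) although both are group-membership compare grids and neither is the Exchange Servers grid the name suggests. The query body is a copy of the ExGroup compare query, so any point raised on that one applies here as well.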
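Review bot: In hunk -2155/+2663 the group title becomes `"Receive Connectors with"`, which reads as a sentence cut off mid-way. The later hunks of this section filter connectors on `PermissionGroupsString contains "Anonymous"`, so presumably something like `"title": "Receive Connectors with Anonymous permission",` was intended, but whatever the wording it should be completed rather than shipped truncated. The enclosing group starts before this hunk.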
@@ -2256,7 +2764,8 @@
 "durationMs": 86400000
 },
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": null
 },
 {
 "id": "14912e83-60a1-4a21-a34b-500d4662a666",
@@ -2282,7 +2791,7 @@
 {
 "type": 1,
 "content": {
- "json": "The toogle buttom help you to sort by:\r\n\r\n- Server\r\n- Receive connectors with no IP restrictions"
+ "json": "The toggle button helps you to sort by:\r\n\r\n- Server\r\n- Receive connectors with/without no IP restrictions"
 },
 "name": "text - 3"
 },
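Review bot: The corrected hint in hunk -2282/+2791 now says `Receive connectors with/without no IP restrictions`, a double negative that leaves the analyst unsure which toggle value lists the exposed connectors (those accepting any remote IP); `- Receive connectors with or without IP restrictions` or `- Only receive connectors with no IP restrictions` says it plainly. The same string is added again in hunk -2378/+2910.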
@@ -2290,7 +2799,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project Identity,CmdletResultValue\r\n| extend Identity = tostring(Identity)\r\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\") ) on $left.Identity == $right.Name\r\n| where CmdletResultValue1.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue1.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue1.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n| where CmdletResultValue1.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n| extend Server = tostring(CmdletResultValue1.Server.Name)\r\n| extend Name = tostring(CmdletResultValue1.Name)\r\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \"32\" , \"HubTransport\", \"FrontendTransport\")\r\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\r\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \r\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\r\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\r\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\r\n| extend RemoteIP= RemoteIPall.Expression\r\n| extend IP= strcat (BindingAllall.Address,\"-\",BindingAllall.Port)\r\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by 
Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\r\n| sort by Server asc", + "query": "ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project Identity,CmdletResultValue\r\n| extend Identity = tostring(Identity)\r\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n|join kind=leftouter ( ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\") ) on $left.Identity == $right.Name\r\n| where CmdletResultValue1.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue1.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue1.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n| where CmdletResultValue1.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n| extend Server = tostring(CmdletResultValue1.Server.Name)\r\n| extend Name = tostring(CmdletResultValue1.Name)\r\n| extend TransportRole = iff(CmdletResultValue1.TransportRole== \"32\" , \"HubTransport\", \"FrontendTransport\")\r\n| extend Enabled = tostring(CmdletResultValue1.Enabled)\r\n| extend PermissionGroups = tostring(CmdletResultValue1.PermissionGroupsString) \r\n| extend AuthMechanism = tostring(CmdletResultValue1.AuthMechanismString)\r\n| mv-expand RemoteIPall=CmdletResultValue1.RemoteIPRanges\r\n| mv-expand BindingAllall=CmdletResultValue1.Bindings\r\n| extend RemoteIP= RemoteIPall.Expression\r\n| extend IP= strcat (BindingAllall.Address,\"-\",BindingAllall.Port)\r\n| summarize Bindings = make_set(tostring(IP)),RemoteIPRange = make_set(tostring(RemoteIP)) by 
Server,Name,TransportRole,Enabled,PermissionGroups,AuthMechanism\r\n| sort by Server asc", "size": 1, "showAnalytics": true, "showExportToExcel": true, 
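Review bot: The no-IP-restriction test on the new query line, `CmdletResultValue1.RemoteIPRanges contains \"0.0.0.0\"`, is a substring match over the serialized ranges, so a connector scoped to something like `10.0.0.0/8` or `10.0.0.0-10.255.255.255` also counts as unrestricted and the grid over-reports open anonymous connectors; if the stored expression for an unrestricted connector is the Exchange default `0.0.0.0-255.255.255.255`, matching on that full expression (and on `::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` for IPv6) removes the false positives. Separately, the `Server` value this commit now parses from `CmdletResultValue.Identity.DistinguishedName` is replaced a few lines later by `| extend Server = tostring(CmdletResultValue1.Server.Name)`, so the corrected expression has no effect on the output and can be dropped or the later extend removed.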
@@ -2317,6 +2826,28 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project Identity,CmdletResultValue\r\n| extend Identity = tostring(Identity)\r\n| extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"RCAnonymous\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project Identity,CmdletResultValue\r\n | extend Identity = tostring(Identity)\r\n | extend Server = replace_string(replace_string(tostring(split(CmdletResultValue.Identity.DistinguishedName,\",\",3)),\"[\\\"CN=\",\"\"),\"\\\"]\",\"\")\r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Server\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Server\r\n | extend Actiontype =\"Remove\"\r\n | distinct \r\n Actiontype,\r\n Identity,\r\n Server\r\n | project \r\n Actiontype,\r\n Identity,\r\n Server\r\n;\r\nunion DiffAddData, DiffRemoveData\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", 
Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), \"N/A\")\r\n| project\r\n Actiontype,\r\n Permission = \"ms-Exch-SMTP-Accept-Any-Recipient\",\r\n Identity,\r\n Server\r\n| order by Server\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4" } ] }, @@ -2357,7 +2888,8 @@ "showDefault": false }, "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "value": null }, { "id": "4ef1d2a2-a13f-4bd4-9e66-2d9a15ad8a7a", @@ -2378,7 +2910,7 @@ { "type": 1, "content": { - "json": "The toogle buttom help you to sort by:\r\n\r\n- Server\r\n- Receive connectors with no IP restrictions" + "json": "The toggle button helps you to sort by:\r\n\r\n- Server\r\n- Receive connectors with/without no IP restrictions" }, "name": "text - 3" }, 
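Review bot: In the new RCAnonymous change-detection query, `DiffAddData` and `DiffRemoveData` join on `Server` alone, so a connector added to or removed from a server that still has another connector with this permission produces no Add/Remove row; the later receive-connector copy of this query keys on `Identity`, and assuming `Identity` here identifies the connector object (its DN is what `Server` is split from), this one should too: `| join kind = rightanti (AfterData) on Identity` and `| join kind = leftanti AfterData on Identity`. `_currD` and `let i=0;` are declared but never referenced in this query and can be dropped. The item reuses the title "Display changes ( Add, Remove, modifications of parameters )" although it only reports additions and removals; a title naming the `ms-Exch-SMTP-Accept-Any-Recipient` permission would tell the reader what changed.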
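Review bot: The rewritten help text reads `Receive connectors with/without no IP restrictions`, which contradicts itself; `- Receive connectors with or without IP restrictions` says what the toggle does. The same string is introduced again for `text - 3 - Copy` in the hunk at `@@ -2477,7 +3032,7 @@`.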
@@ -2414,6 +2946,28 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| where CmdletResultValue.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.AuthMechanismString contains \"ExternalAuthoritative\"\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend 
Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Server.Name contains \"{Server}\"\r\n | where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.AuthMechanismString contains \"ExternalAuthoritative\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project CmdletResultValue, WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on 
Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Server\r\n | extend Actiontype =\"Remove\"\r\n | extend Binding = tostring(Bindings)\r\n | extend RIR = tostring(RemoteIPRange)\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Binding,\r\n RemoteIPRange = RIR,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by WhenChanged asc \r\n | sort by Server, Name asc\r\n | extend Identity = strcat(Server,\"\\\\\",Name)\r\n | extend Name = iff(Name != prev(Name) and prev(Name) != \"\" and Identity == prev(Identity) , strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \"\"and Identity == prev(Identity), strcat(\"📍 \", TransportRole, \" (\", prev(TransportRole), \"->\", TransportRole, \" )\"), TransportRole)\r\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \"\" and Identity == prev(Identity), strcat(\"📍 \", Enabled, \" (\", prev(Enabled), \"->\", Enabled, \" )\"), Enabled)\r\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \"\" and Identity == prev(Identity), strcat(\"📍 \", PermissionGroups, \" (\", prev(PermissionGroups), \"->\", PermissionGroups, \" )\"), PermissionGroups)\r\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \"\" and Identity == prev(Identity), strcat(\"📍 \", AuthMechanism, \" (\", prev(AuthMechanism), \"->\", AuthMechanism, \" )\"), AuthMechanism)\r\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(Bindings), \" (\", prev(Bindings), \"->\", tostring(Bindings), \" )\"), tostring(Bindings))\r\n | 
extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(RemoteIPRange), \" (\", prev(RemoteIPRange), \"->\", RemoteIPRange, \" )\"), tostring(RemoteIPRange))\r\n | extend ActiontypeR =iff(( Name contains \"📍\" or TransportRole contains \"📍\" or Enabled contains \"📍\" or PermissionGroups contains \"📍\" or AuthMechanism contains \"📍\" or Bindings contains \"📍\" or Bindings contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n tostring=(Bindings),\r\n tostring(RemoteIPRange),\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n Actiontype,\r\n WhenChanged,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Bindings_string,\r\n RemoteIPRange = RemoteIPRange_string,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy" } ] }, 
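Review bot: `ActiontypeR` in `DiffModifData` tests `Bindings contains "📍"` twice and never tests `RemoteIPRange`, so a change that only widens or narrows the remote IP ranges of an ExternalAuthoritative connector is never reported as a modification; the duplicated clause should read `RemoteIPRange contains "📍"`, and the same omission is in the Anonymous-permission copy at `@@ -2513,6 +3068,25 @@`. In the same query the `DiffModifData` project list contains `tostring=(Bindings)`, which yields a column named `tostring` holding the dynamic value rather than a string conversion of `Bindings`, and `DiffRemoveData` joins on `Server` while `DiffAddData` joins on `Identity`, so a connector removed from a server that keeps other matching connectors is never listed; `| join kind = leftanti AfterData on Identity` keeps the two branches consistent. The final `Bindings = Bindings_string` and `RemoteIPRange = RemoteIPRange_string` are not defined by name anywhere in the query and appear to rely on `union` suffixing same-named columns of different types, which would leave those cells empty for the Modif and Add rows; converting with `tostring()` in every branch before the union removes that dependency.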
@@ -2454,7 +3008,8 @@
 "showDefault": false
 },
 "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": null
 },
 {
 "id": "bcb24a01-9242-4fec-b30a-02b0583cbc87",
@@ -2477,7 +3032,7 @@
 {
 "type": 1,
 "content": {
- "json": "The toogle buttom help you to sort by:\r\n\r\n- Server\r\n- Receive connectors with no IP restrictions"
+ "json": "The toggle button helps you to sort by:\r\n- Server\r\n- Receive connectors with/without no IP restrictions"
 },
 "name": "text - 3 - Copy"
 },
@@ -2513,6 +3068,25 @@ "styleSettings": { "showBorder": true } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| where CmdletResultValue.Server.Name contains \"{Server}\"\r\n| where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | 
extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"ReceiveConnector\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | where CmdletResultValue.Server.Name contains \"{Server}\"\r\n | where (CmdletResultValue.RemoteIPRanges contains \"0.0.0.0\" or CmdletResultValue.RemoteIPRanges contains \"ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff\") in ({NoIPRestriction})\r\n | where CmdletResultValue.PermissionGroupsString contains \"Anonymous\" //> 12 and CmdletResultValue.PermissionGroups != 14 and CmdletResultValue.PermissionGroups != 16\r\n | project CmdletResultValue, WhenChanged,WhenCreated\r\n | extend Server = tostring(CmdletResultValue.Server.Name)\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend TransportRole = iff(CmdletResultValue.TransportRole == \"32\", \"HubTransport\", \"FrontendTransport\")\r\n | extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend PermissionGroups = tostring(CmdletResultValue.PermissionGroupsString)\r\n | extend AuthMechanism = tostring(CmdletResultValue.AuthMechanismString)\r\n | mv-expand RemoteIPall=CmdletResultValue.RemoteIPRanges\r\n | mv-expand BindingAllall=CmdletResultValue.Bindings\r\n | extend RemoteIP= RemoteIPall.Expression\r\n | extend IP= strcat (BindingAllall.Address, \"-\", BindingAllall.Port)\r\n | extend Identity = strcat(Server,'\\\\',Name)\r\n | summarize Bindings = make_set(tostring(IP)), RemoteIPRange = make_set(tostring(RemoteIP)) by Server, Name, TransportRole, Enabled, PermissionGroups, AuthMechanism,WhenChanged,WhenCreated,Identity\r\n | sort by Server asc\r\n;\r\nlet i=0;\r\nlet 
DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Identity\r\n | extend Actiontype =\"Remove\"\r\n | extend Binding = tostring(Bindings)\r\n | extend RIR = tostring(RemoteIPRange)\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Binding,\r\n RemoteIPRange = RIR,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by WhenChanged asc \r\n | sort by Server, Name asc\r\n | extend Identity = strcat(Server,\"\\\\\",Name)\r\n | extend Name = iff(Name != prev(Name) and prev(Name) != \"\" and Identity == prev(Identity) , strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend TransportRole = iff(TransportRole != prev(TransportRole) and prev(TransportRole) != \"\"and Identity == prev(Identity), strcat(\"📍 \", TransportRole, \" (\", prev(TransportRole), \"->\", TransportRole, \" )\"), TransportRole)\r\n | extend Enabled = iff(Enabled != prev(Enabled) and prev(Enabled) != \"\" and Identity == prev(Identity), strcat(\"📍 \", Enabled, \" (\", prev(Enabled), \"->\", Enabled, \" )\"), Enabled)\r\n | extend PermissionGroups = iff(PermissionGroups != prev(PermissionGroups) and prev(PermissionGroups) != \"\" and Identity == prev(Identity), strcat(\"📍 \", PermissionGroups, \" (\", prev(PermissionGroups), \"->\", PermissionGroups, \" )\"), PermissionGroups)\r\n | extend AuthMechanism = iff(AuthMechanism != prev(AuthMechanism) and prev(AuthMechanism) != \"\" and Identity == prev(Identity), strcat(\"📍 \", AuthMechanism, \" (\", prev(AuthMechanism), \"->\", AuthMechanism, \" )\"), AuthMechanism)\r\n | extend Bindings = iff(tostring(Bindings) != tostring(prev(Bindings)) and tostring(prev(Bindings)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(Bindings), \" (\", 
prev(Bindings), \"->\", tostring(Bindings), \" )\"), tostring(Bindings))\r\n | extend RemoteIPRange = iff(tostring(RemoteIPRange) != tostring(prev(RemoteIPRange)) and tostring(prev(RemoteIPRange)) != \"\" and Identity == prev(Identity), strcat(\"📍 \", tostring(RemoteIPRange), \" (\", prev(RemoteIPRange), \"->\", RemoteIPRange, \" )\"), tostring(RemoteIPRange))\r\n | extend ActiontypeR =iff(( Name contains \"📍\" or TransportRole contains \"📍\" or Enabled contains \"📍\" or PermissionGroups contains \"📍\" or AuthMechanism contains \"📍\" or Bindings contains \"📍\" or Bindings contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings,\r\n RemoteIPRange,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n Actiontype,\r\n WhenChanged,\r\n Server,\r\n Name,\r\n TransportRole,\r\n Enabled,\r\n PermissionGroups,\r\n AuthMechanism,\r\n Bindings = Bindings_string,\r\n RemoteIPRange = RemoteIPRange_string,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy" } ] }, 
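Review bot: This item is the third near-verbatim copy of the receive-connector change-detection query (`query - 4 - Copy` and `query - 4 - Copy - Copy` are the others), differing only in the `where` filter on `PermissionGroupsString` versus `AuthMechanismString` and in the `DiffModifData` project list, and the copies have already drifted from each other (join keys, `tostring=(Bindings)`). Factoring the shared body into a workbook parameter or a Kusto function that takes the filter as an argument would keep the three in step when the next fix lands. This copy also lacks the `"gridSettings": { "filter": true }` that the two sibling items carry, so its grid cannot be filtered in the UI.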
@@ -2528,7 +3102,7 @@
 {
 "type": 1,
 "content": {
- "json": "A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\r\n\r\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\r\n- BlindCopyTo\r\n- RedirectMessageTo\r\n- CopyTo\r\n\r\n\r\nFor more information :\r\nMail flow rules in Exchange Serve\r\n",
+ "json": "A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\r\n\r\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\r\n- BlindCopyTo\r\n- RedirectMessageTo\r\n- CopyTo\r\n\r\n\r\nFor more information :\r\nMail flow rules in Exchange Server\r\n",
 "style": "info"
 },
 "conditionalVisibility": {
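Review bot: The edited help text corrects `Exchange Serve` but leaves `sentitive actions` earlier in the same string; since the line is already being rewritten, `sensitive actions` should go in with it. The closing `Mail flow rules in Exchange Server` reads as a link title but carries no link, so the reader has nowhere to go for the promised information.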
@@ -2557,103 +3131,47 @@ "styleSettings": { "showBorder": true } - } - ] - }, - "name": "Transport Rules actions to monitor" - }, - { - "type": 1, - "content": { - "json": "### Journal Mailboxes" - }, - "name": "JournalMailboxHelp" - }, - { - "type": 1, - "content": { - "json": "The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\r\n\r\nJournal Rules should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. Also by default, no one should access to these mailboxes.\r\n\r\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n\r\n\r\n", - "style": "info" - }, - "conditionalVisibility": { - "parameterName": "Help", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "JournalHelp" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"JournalRule\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Identity = tostring(CmdletResultValue.Identity)\r\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \"Enabled\" or tostring(CmdletResultValue.Enabled)== \"1\" , \"Enabled\", iff(tostring(CmdletResultValue.Enabled)==\"\",\"\", \"Disabled\"))\r\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress)\r\n| extend Recipient = tostring(CmdletResultValue.Recipient)\r\n| sort by Identity asc\r\n| sort by Status desc\r\n| project-away CmdletResultValue\r\n", - "size": 1, - "showAnalytics": true, - "title": "Journal Rules configured in your environment", - "showExportToExcel": 
true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "rowLimit": 10000, - "filter": true - } - }, - "name": "JournalQuery", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "title": "Journal Recipients on mailbox databases configured in your environment", - "items": [ - { - "type": 1, - "content": { - "json": "As Journal Recipient on databases send all the mail send to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\r\n\r\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. No one should have access to these mailboxes by default.\r\n\r\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\r\n\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n", - "style": "info" - }, - "conditionalVisibility": { - "parameterName": "Help", - "comparison": "isEqualTo", - "value": "Yes" - }, - "name": "JournalRecipientsHelp" }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.JournalRecipient !=\"\"\r\n| project CmdletResultValue\r\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n", - "size": 1, + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet 
_CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"TransportRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\n//let _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"TransportRule\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue,TimeGenerated\r\n| extend Identity = iif( CmdletResultValue.Identity contains \"OrgHierarchyToIgnore\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\r\n//| extend State = tostring(CmdletResultValue.State)\r\n| extend Status= iff ( tostring(CmdletResultValue.State)== \"Enabled\" or tostring(CmdletResultValue.State)== \"1\" , \"Enabled\",iff(tostring(CmdletResultValue.State)==\"\",\"\", \"Disabled\"))\r\n| extend SentTo = tostring(CmdletResultValue.SentToString)\r\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\r\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\r\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\r\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n| sort by Status desc\r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"TransportRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue, TimeGenerated\r\n| extend Identity = iif( CmdletResultValue.Identity contains \"OrgHierarchyToIgnore\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\r\n//| extend State = tostring(CmdletResultValue.State)\r\n| 
extend Status= iff ( tostring(CmdletResultValue.State)== \"Enabled\" or tostring(CmdletResultValue.State)== \"1\" , \"Enabled\",iff(tostring(CmdletResultValue.State)==\"\",\"\", \"Disabled\"))\r\n| extend SentTo = tostring(CmdletResultValue.SentToString)\r\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\r\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\r\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\r\n| extend Mode = tostring(CmdletResultValue.Identity.Mode)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n| sort by Status desc\r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Identity\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n TimeGenerated,\r\n Actiontype,\r\n Identity,\r\n Status,\r\n SentTo,\r\n BlindCopyTo,\r\n CopyTo,\r\n RedirectMessageTo,\r\n Mode\r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by Identity, TimeGenerated asc\r\n | extend Status = iff(Status != prev(Status) and Identity == prev(Identity), strcat(\"📍 \", Status, \" (\", iff(prev(Status)==\"\",\"Null\",prev(Status)), \"->\", Status, \" )\"), Status)\r\n | extend SentTo = iff(SentTo != prev(SentTo) and Identity == prev(Identity), strcat(\"📍 \", SentTo, \" (\", iff(prev(SentTo)==\"\",\"Null\",prev(SentTo)), \"->\", SentTo, \" )\"), SentTo)\r\n | extend BlindCopyTo = iff(BlindCopyTo != prev(BlindCopyTo) and Identity == prev(Identity), strcat(\"📍 \", BlindCopyTo, \" (\", iff(prev(BlindCopyTo)==\"\",\"Null\",prev(BlindCopyTo)), \"->\", BlindCopyTo, \" )\"), BlindCopyTo)\r\n | extend CopyTo = iff(CopyTo != prev(CopyTo) and Identity == prev(Identity), strcat(\"📍 \", CopyTo, \" (\", iff(prev(CopyTo)==\"\",\"Null\",prev(CopyTo)), \"->\", CopyTo, \" )\"), CopyTo)\r\n | extend RedirectMessageTo = iff(CopyTo != 
prev(RedirectMessageTo) and Identity == prev(Identity), strcat(\"📍 \", RedirectMessageTo, \" (\", iff(prev(RedirectMessageTo)==\"\",\"Null\",prev(RedirectMessageTo)), \"->\", RedirectMessageTo, \" )\"), RedirectMessageTo)\r\n | extend Mode = iff(Mode != prev(Mode) and Identity == prev(Identity), strcat(\"📍 \", Mode, \" (\", iff(prev(Mode)==\"\",\"Null\",prev(Mode)), \"->\", Mode, \" )\"), Mode)\r\n | extend ActiontypeR =iff(( Identity contains \"📍\" or Status contains \"📍\" or SentTo contains \"📍\" or BlindCopyTo contains \"📍\" or CopyTo contains \"📍\" or RedirectMessageTo contains \"📍\" or Mode contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n TimeGenerated,\r\n Actiontype,\r\n Identity,\r\n Status,\r\n SentTo,\r\n BlindCopyTo,\r\n CopyTo,\r\n RedirectMessageTo,\r\n Mode\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by TimeGenerated desc \r\n| project\r\n TimeGenerated,\r\n Actiontype,\r\n Identity,\r\n Status,\r\n SentTo,\r\n BlindCopyTo,\r\n CopyTo,\r\n RedirectMessageTo,\r\n Mode", + "size": 3, "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", "showExportToExcel": true, "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, - "name": "query - 1", - "styleSettings": { - "showBorder": true - } + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy" } ] }, - "name": "JournalRecipientsGroup" + "name": "Transport Rules actions to monitor" }, { "type": 12, "content": { "version": "NotebookGroup/1.0", "groupType": "editable", - "title": "Remote Domain Autofoward Configuration - * 
should not allow AutoForwardEnabled", "items": [ { "type": 1, "content": { - "json": "If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\r\n\r\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. \r\n\r\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\r\n\r\nAdditional information:\r\n\r\nRemote Domains\r\n", + "json": "### Journal Mailboxes" + }, + "name": "JournalMailboxHelp" + }, + { + "type": 1, + "content": { + "json": "The **Journal Mailboxes** contain emails sent and received by specific or all users. The content of these mailboxes is very sensitives.\r\n\r\nJournal Rules should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. Also by default, no one should access to these mailboxes.\r\n\r\nThen, it is recommended to regularly check who have Full Access mailbox or Receive As on these mailboxes.\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n\r\n\r\n", "style": "info" }, "conditionalVisibility": { 
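Review bot: In the new Transport Rule change-detection query the `RedirectMessageTo` comparison reads `iff(CopyTo != prev(RedirectMessageTo) and Identity == prev(Identity), ...)`, comparing the wrong column, so a changed redirect target — the action the help text above singles out for exfiltration — is detected only by accident, and an unchanged rule is reported as modified whenever its `CopyTo` differs from the previous `RedirectMessageTo`; it should be `iff(RedirectMessageTo != prev(RedirectMessageTo) and Identity == prev(Identity), ...)`. The hunk also removes the `JournalRecipientsGroup` (the `MbxDBJournaling` query with its help text) and the title of the Remote Domain AutoForwardEnabled group while re-homing the Journal Mailboxes items in its place; if those two checks are not re-added further down the file, journal-recipient and open-autoforward monitoring silently disappear from the workbook. The `let i=0;` / `i=i + 1` construct inside `iff()` is unusual Kusto and is worth confirming against what `where ActiontypeR == 1` expects.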
@@ -2661,15 +3179,16 @@
 "comparison": "isEqualTo",
 "value": "Yes"
 },
- "name": "AutoForwardHelp"
+ "name": "JournalHelp"
 },
 {
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n| project-away CmdletResultValue\r\n| sort by Address asc ",
+ "query": "ExchangeConfiguration(SpecificSectionList=\"JournalRule\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Status= iff ( tostring(CmdletResultValue.Enabled)== \"true\" , \"Enabled\", iff(tostring(CmdletResultValue.Enabled)==\"\",\"\", \"Disabled\"))\r\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n| extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n| extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n| sort by Name asc\r\n| sort by Status desc\r\n| project-away CmdletResultValue\r\n",
 "size": 1,
 "showAnalytics": true,
+ "title": "Journal Rules configured in your environment",
 "showExportToExcel": true,
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
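Review bot: The new JournalRule query derives `Status` with `tostring(CmdletResultValue.Enabled)== "true"`, a case-sensitive comparison, whereas the query it replaces accepted `"Enabled"` or `"1"`; if the collector ever serialises the PowerShell boolean as `True`, every journal rule is shown as Disabled. Kusto's case-insensitive equality is the safer operator here: `tostring(CmdletResultValue.Enabled) =~ "true"`, and the same form recurs in the JournalRule compare query that begins in the next hunk. The `RemoteDomain` AutoForwardEnabled query removed in this hunk has no replacement within it; if it is not re-added further down, the check for `*` domains allowing auto-forward disappears from the workbook.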
@@ -2678,50 +3197,224 @@ "filter": true } }, - "name": "query - 1", + "name": "JournalQuery", "styleSettings": { "showBorder": true } }, { - "type": 1, + "type": 3, "content": { - "json": "Accepted domains set to * authorize Open Relay.\r\n\r\nMore information:\r\n\r\nAccepted domains\r\n", - "style": "info" + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"JournalRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet allDataRange = \r\n ESIExchangeConfig_CL\r\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\r\n | where ESIEnvironment_s == _EnvList\r\n | where Section_s == \"JournalRule\"\r\n | extend CmdletResultValue = parse_json(rawData_s)\r\n | project TimeGenerated, CmdletResultValue //,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\r\n | project CmdletResultValue, TimeGenerated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \"true\", \"Enabled\", iff(tostring(CmdletResultValue.Enabled) == \"\", \"\", \"Disabled\"))\r\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Name asc\r\n | sort by Status desc\r\n;\r\nlet AlldataUnique = allDataRange\r\n | join kind = innerunique (allDataRange) on Allinfo \r\n | distinct \r\n TimeGenerated,\r\n Name,\r\n Status,\r\n JournalEmailAddress,\r\n Recipient,\r\n Allinfo\r\n;\r\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\"JournalRule\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \"true\", \"Enabled\", iff(tostring(CmdletResultValue.Enabled) == \"\", \"\", \"Disabled\"))\r\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Name asc\r\n | sort by Status desc\r\n ;\r\nlet AfterData = \r\n 
ExchangeConfiguration(SpecificSectionList=\"JournalRule\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Status= iff (tostring(CmdletResultValue.Enabled) == \"true\", \"Enabled\", iff(tostring(CmdletResultValue.Enabled) == \"\", \"\", \"Disabled\"))\r\n //| extend Enabled = tostring(CmdletResultValue.Enabled)\r\n | extend JournalEmailAddress = tostring(CmdletResultValue.JournalEmailAddress.Address)\r\n | extend Recipient = tostring(CmdletResultValue.Recipient.Address)\r\n | extend Allinfo = strcat(Name,JournalEmailAddress,Recipient)\r\n | extend CmdletResultV = tostring(CmdletResultValue)\r\n | sort by Name asc\r\n | sort by Status desc\r\n;\r\nlet AllnotinAfterData = AlldataUnique\r\n | join kind = leftanti (AfterData) on Allinfo\r\n;\r\nlet InBeforedatabotAfter = AllnotinAfterData\r\n | join kind = innerunique (BeforeData) on Allinfo\r\n | extend Actiontype = iff (Name != \"\", \"Remove\", \"\")\r\n;\r\nlet AddRemoveindataset = AllnotinAfterData\r\n | join kind = leftanti (InBeforedatabotAfter) on Allinfo\r\n | extend Actiontype =\"Add/Remove\"\r\n;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Allinfo\r\n | extend Actiontype =\"Add\"\r\n;\r\nunion DiffAddData, AddRemoveindataset, InBeforedatabotAfter\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Add/Remove\", strcat(\"➕/➖ \", Actiontype), \"N/A\")\r\n| where Name <> \"\"\r\n| project\r\n Actiontype,\r\n Name,\r\n Status,\r\n JournalEmailAddress,\r\n Recipient", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" }, "conditionalVisibility": { - "parameterName": "Help", 
+ "parameterName": "Compare_Collect", "comparison": "isEqualTo", - "value": "Yes" + "value": "True" }, - "name": "text - 3" + "name": "query - 4 - Copy - Copy - Copy - Copy - Copy" }, { - "type": 3, + "type": 12, "content": { - "version": "KqlItem/1.0", - "query": "ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue.DomainName.Address == \"*\"\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend Address = \"* : ❌ OpenRelay configuration\"\r\n| extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n| project-away CmdletResultValue", - "size": 1, - "showAnalytics": true, - "title": "Accepted domain with *", - "noDataMessage": "Accepted Domain * not confirgured (no Open Relay)", - "noDataMessageStyle": 3, - "showExportToExcel": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "rowLimit": 10000, - "filter": true - } + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Journal Recipients on mailbox databases configured in your environment", + "items": [ + { + "type": 1, + "content": { + "json": "As Journal Recipient on databases send all the mail send to users in this database to a specific mailbox. The content of these mailboxes is very sensitive.\r\n\r\nJournal Recipients configuration should be reviewed to check if they are still needed. Mailbox audit should be set on these mailboxes. 
No one should have access to these mailboxes by default.\r\n\r\nIt is recommended to regularly check who have Full Access or Receive As on these mailboxes.\r\n\r\nAdditional information :\r\n\r\nJournaling in Exchange Server\r\n\r\nJournaling procedures\r\n\r\n\r\nMailbox audit logging in Exchange Server\r\n", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "JournalRecipientsHelp" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| where CmdletResultValue.JournalRecipient !=\"\"\r\n| project CmdletResultValue\r\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc\r\n", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "sortBy": [ + { + "itemKey": "JournalRecipient", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "JournalRecipient", + "sortOrder": 1 + } + ] + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n | extend TimeMax = 
tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\n//let _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue,WhenChanged,WhenCreated\r\n| extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n| extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\r\n| project-away CmdletResultValue\r\n| sort by Identity asc \r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"MbxDBJournaling\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Identity = tostring(CmdletResultValue.Identity.Name)\r\n | extend JournalRecipient = tostring(CmdletResultValue.JournalRecipient.Name)\r\n | project-away CmdletResultValue\r\n | sort by Identity asc \r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Identity\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Identity\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Identity,\r\n JournalRecipient,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by Identity, WhenChanged asc\r\n | extend JournalRecipient = iff(JournalRecipient != prev(JournalRecipient) and Identity == prev(Identity), strcat(\"📍 \", JournalRecipient, \" (\", iff(prev(JournalRecipient)==\"\",\"Null\",prev(JournalRecipient)), \"->\", JournalRecipient, \" )\"), JournalRecipient)\r\n | extend ActiontypeR =iff(( Identity contains \"📍\" or JournalRecipient contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n 
Identity,\r\n JournalRecipient,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n Actiontype,\r\n Identity,\r\n JournalRecipient,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy - Copy" + } + ] }, - "name": "query - 4", - "styleSettings": { - "showBorder": true - } + "name": "JournalRecipientsGroup" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled", + "items": [ + { + "type": 1, + "content": { + "json": "If **AutoForwardEnabled** is set to True for an SMTP domain, then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\r\n\r\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\r\n\r\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\r\n\r\nAdditional information:\r\n\r\nRemote Domains\r\n", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "AutoForwardHelp" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n| project-away CmdletResultValue\r\n| sort by Address asc ", + "size": 1, + "showAnalytics": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = 
arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n| project CmdletResultValue,WhenChanged,WhenCreated\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n| project-away CmdletResultValue\r\n| sort by Address asc \r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"RemoteDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue,WhenChanged,WhenCreated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n | extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address == \"*\", strcat (\"❌\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \"true\" and CmdletResultValue.Address != \"*\", strcat (\"⚠️\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\"✅\",tostring(CmdletResultValue.AutoForwardEnabled))))\r\n | project-away CmdletResultValue\r\n | sort by Address asc \r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Name\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n 
| join kind = leftanti AfterData on Name\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n AutoForwardEnabled,\r\n WhenCreated \r\n;\r\nlet DiffModifData = union BeforeData,AfterData\r\n | sort by WhenChanged asc \r\n | sort by Name asc\r\n //| extend Name = iff(Name != prev(Name) and prev(Name) != \"\" , strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend Address = iff(Address != prev(Address) and prev(Address) != \"\" and Name == prev(Name), strcat(\"📍 \", Address, \" (\", prev(Address), \"->\", Address, \" )\"), Address)\r\n | extend AutoForwardEnabled = iff(AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) != \"\" and Name == prev(Name), strcat(\"📍 \", AutoForwardEnabled, \" (\", prev(AutoForwardEnabled), \"->\", AutoForwardEnabled, \" )\"), AutoForwardEnabled)\r\n | extend ActiontypeR =iff(( Name contains \"📍\" or Address contains \"📍\" or AutoForwardEnabled contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n AutoForwardEnabled,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n AutoForwardEnabled,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + 
"conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy" + }, + { + "type": 1, + "content": { + "json": "Accepted domains set to * authorize Open Relay.\r\n\r\nMore information:\r\n\r\nAccepted domains\r\n", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\",SpecificConfigurationDate=\"{DateOfConfiguration:value}\",SpecificConfigurationEnv={EnvironmentList},Target = \"On-Premises\")\r\n| project CmdletResultValue\r\n| where CmdletResultValue.DomainName.Address == \"*\"\r\n| extend Name = tostring(CmdletResultValue.Name)\r\n| extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n| extend Address = \"* : ❌ OpenRelay configuration\"\r\n| extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n| project-away CmdletResultValue", + "size": 1, + "showAnalytics": true, + "title": "Accepted domain with *", + "noDataMessage": "Accepted Domain * not confirgured (no Open Relay)", + "noDataMessageStyle": 3, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let _EnvList ={EnvironmentList};\r\nlet _TypeEnv = \"On-Premises\";\r\nlet _DateCompare = \"{DateCompare:value}\";\r\nlet _CurrentDate = \"{DateOfConfiguration:value}\";\r\nlet _DateCompareB = todatetime(_DateCompare);\r\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | summarize TimeMax = arg_max(TimeGenerated, *)\r\n //| extend TimeMax = tostring(split(TimeMax, \"T\")[0])\r\n | project TimeMax);\r\nlet _CurrentDateB = todatetime(toscalar(_currD));\r\nlet BeforeData = \r\n ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue, WhenChanged, WhenCreated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n | extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n | project-away CmdletResultValue\r\n | sort by Address asc \r\n;\r\nlet AfterData = \r\n ExchangeConfiguration(SpecificSectionList=\"AcceptedDomain\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\r\n | project CmdletResultValue, WhenChanged, WhenCreated\r\n | extend Name = tostring(CmdletResultValue.Name)\r\n | extend Address = tostring(CmdletResultValue.DomainName.Address)\r\n | extend DomainType = case(CmdletResultValue.DomainType==\"0\",\"Authoritative Domain\",CmdletResultValue.DomainType==\"1\",\"ExternalRelay\",CmdletResultValue.DomainType==\"2\",\"InternalRelay\",\"NotApplicable\")\r\n | project-away CmdletResultValue\r\n | sort by Address asc \r\n;\r\nlet i=0;\r\nlet DiffAddData = BeforeData\r\n | join kind = rightanti (AfterData)\r\n on Name\r\n | extend Actiontype =\"Add\"\r\n;\r\nlet DiffRemoveData = BeforeData\r\n | join kind = leftanti AfterData on Name\r\n | extend Actiontype =\"Remove\"\r\n | distinct\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n DomainType,\r\n WhenCreated 
\r\n;\r\nlet DiffModifData = union BeforeData, AfterData\r\n | sort by WhenChanged asc \r\n | sort by Name asc\r\n // | extend Name = iff(Name != prev(Name) and prev(Name) != \"\", strcat(\"📍 \", Name, \" (\", prev(Name), \"->\", Name, \" )\"), Name)\r\n | extend Address = iff(Address != prev(Address) and prev(Address) != \"\" and Name == prev(Name), strcat(\"📍 \", Address, \" (\", prev(Address), \"->\", Address, \" )\"), Address)\r\n | extend DomainType = iff(DomainType != prev(DomainType) and prev(DomainType) != \"\" and Name == prev(Name), strcat(\"📍 \", DomainType, \" (\", prev(DomainType), \"->\", DomainType, \" )\"), DomainType)\r\n | extend ActiontypeR =iff((Name contains \"📍\" or Address contains \"📍\" or DomainType contains \"📍\"), i=i + 1, i)\r\n | extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\r\n | where ActiontypeR == 1\r\n | project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n DomainType,\r\n WhenCreated\r\n;\r\nDiffModifData\r\n| union DiffAddData, DiffRemoveData\r\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\", WhenCreated, WhenChanged))\r\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\r\n| sort by WhenChanged desc \r\n| project\r\n WhenChanged,\r\n Actiontype,\r\n Name,\r\n Address,\r\n DomainType,\r\n WhenCreated", + "size": 3, + "showAnalytics": true, + "title": "Display changes ( Add, Remove, modifications of parameters )", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "Compare_Collect", + "comparison": "isEqualTo", + "value": "True" + }, + "name": "query - 4 - Copy - Copy - Copy - Copy - Copy" + } + ] + }, + "name": "ForwardGroup" } ] }, - "name": "ForwardGroup" + "name": "Journal Rules" } ] }, 
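Review bot: In the AutoForwardEnabled query moved into ForwardGroup, the wildcard test reads `CmdletResultValue.Address == "*"` while the Address column two lines earlier is taken from `CmdletResultValue.DomainName.Address`; if there is no top-level `Address` property, as that extend suggests, the ❌ branch can never match and a `*` remote domain with AutoForwardEnabled set is rendered ⚠️ instead of ❌, which is the exact condition the group title says it flags. Both iff conditions should compare `CmdletResultValue.DomainName.Address` (`== "*"` and `!= "*"`), and the same expression is repeated in the BeforeData and AfterData subqueries of the adjacent comparison query, so all four occurrences need the change. Separately, the comparison query in each of the three groups keeps the name `query - 4 - Copy - Copy - Copy - Copy - Copy`; unique names such as `JournalRulesCompareQuery` would make the workbook easier to maintain, and the ForwardGroup title could mention that the group now also holds the Accepted Domain / Open Relay check (and correct the `Autofoward` spelling).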
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json
index e223a7bcfee..244f91c89db 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/ESI-ExchangeOnlineCollector.json
@@ -19,7 +19,7 @@
 "dataTypes": [
 {
 "name": "ESIExchangeOnlineConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
 }
 ],
 "connectivityCriterias": [
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/azuredeploy_ESI_ExchangeOnlineCollector_Automation.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/azuredeploy_ESI_ExchangeOnlineCollector_Automation.json
index aa5b4d88777..a9d47e17c75 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/azuredeploy_ESI_ExchangeOnlineCollector_Automation.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data Connectors/azuredeploy_ESI_ExchangeOnlineCollector_Automation.json
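Review bot: The trailing `| project Time` in the new lastDataReceivedQuery is redundant, because `summarize Time = max(Time)` already returns a single Time column. Since the maximum of the per-instance maxima is the global maximum, the whole expression also collapses to `ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) | where isnotempty(Time)`, which is easier to read in the connector definition.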
@@ -9,7 +9,7 @@
 "automationAccounts_ESI_DataCollector_tenantName": {
 "type": "String",
 "metadata": {
- "description": "Specifies the tenant name (don't put the GUID, only the name) that will be audited (Name of Azure AD Tenant where Automation Account is deployed)."
+ "description": "Specifies the tenant primary domain name (don't put the GUID, only the FQDN Name) that will be audited (Name of Azure AD Tenant where Automation Account is deployed)."
 }
 },
 "automationAccounts_ESI_DataCollector_tenantID": {
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
index 7b55b9445db..719ed124386 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json
@@ -9,7 +9,6 @@
 "Parsers": [
 "Parsers/ExchangeConfiguration.yaml",
 "Parsers/ExchangeEnvironmentList.yaml",
- "Parsers/MESCheckVIP.yaml",
 "Parsers/MESCheckOnlineVIP.yaml",
 "Parsers/MESCompareDataMRA.yaml",
 "Parsers/MESOfficeActivityLogs.yaml"
@@ -26,7 +25,7 @@
 ],
 "WatchlistDescription": "ExchOnlineVIP Watchlists contains a list of VIP users identified in Exchange Online that would be more monitored than others. This watchlist is used in the Audit log workbooks to filter activities on those users.",
 "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange Online",
- "Version": "3.1.5",
+ "Version": "3.1.6",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.6.zip b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.6.zip
new file mode 100644
index 00000000000..a364ca4e498
Binary files /dev/null and b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.1.6.zip differ
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json
index 0059d5a13e3..86b4bf71ed9 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20Online/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 1, **Parsers:** 6, **Workbooks:** 4, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20Online/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a
dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 1, **Parsers:** 5, **Workbooks:** 4, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -67,7 +67,7 @@
 "name": "dataconnectors-parser-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The solution installs six (6) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases."
+ "text": "The solution installs five (5) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, MESCheckVIP and ExchangeEnvironmentList, MESOfficeActivityLogs and MESCompareDataMRA Kusto Function aliases."
 }
 },
 {
@@ -139,7 +139,7 @@
 {
 "name": "workbook3",
 "type": "Microsoft.Common.Section",
- "label": "Microsoft Exchange Online Admin Activity",
+ "label": "Microsoft Exchange Admin Activity - Online",
 "elements": [
 {
 "name": "workbook3-text",
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
index e06b0e19132..1ead482a520 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json
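Review bot: The new dataconnectors-parser-text still names `MESCheckVIP` as an available Kusto Function alias, although this commit drops `Parsers/MESCheckVIP.yaml` from the solution's parser list and replaces the MESCheckVIP parser object in mainTemplate.json with MESCheckOnlineVIP, which the text does not mention; a user following this wizard text would look for a function the package no longer installs. Assuming the aliases follow the five parser file names listed in Solution_MicrosoftExchangeSecurityExchangeOnline.json, the sentence should read `The transformed logs can be accessed using the ExchangeConfiguration, ExchangeEnvironmentList, MESCheckOnlineVIP, MESCompareDataMRA and MESOfficeActivityLogs Kusto Function aliases.`, which also removes the dangling "and ..., ... and" in the current list.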
@@ -46,7 +46,7 @@
 },
 "workbook3-name": {
 "type": "string",
- "defaultValue": "Microsoft Exchange Online Admin Activity",
+ "defaultValue": "Microsoft Exchange Admin Activity - Online",
 "minLength": 1,
 "metadata": {
 "description": "Name for the workbook"
@@ -70,12 +70,12 @@
 }
 },
 "variables": {
- "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-esionline",
- "_solutionId": "[variables('solutionId')]",
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "Microsoft Exchange Security - Exchange Online",
- "_solutionVersion": "3.1.5",
+ "_solutionVersion": "3.1.6",
+ "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-esionline",
+ "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "ESI-ExchangeOnlineCollector",
 "_uiConfigId1": "[variables('uiConfigId1')]",
 "dataConnectorContentId1": "ESI-ExchangeOnlineCollector",
@@ -100,32 +100,25 @@
 "parserContentId2": "ExchangeEnvironmentList-Parser"
 },
 "parserObject3": {
- "_parserName3": "[concat(parameters('workspace'),'/','MESCheckVIP Data Parser')]",
- "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]",
- "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckVIP-Parser')))]",
+ "_parserName3": "[concat(parameters('workspace'),'/','MESCheckOnlineVIP Data Parser')]",
+ "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]",
+ "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckOnlineVIP-Parser')))]",
 "parserVersion3": "1.0.0",
- "parserContentId3": "MESCheckVIP-Parser"
+ "parserContentId3": "MESCheckOnlineVIP-Parser"
 },
 "parserObject4": {
- "_parserName4": "[concat(parameters('workspace'),'/','MESCheckOnlineVIP Data Parser')]",
- "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]",
- "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCheckOnlineVIP-Parser')))]",
- "parserVersion4": "1.0.0",
- "parserContentId4": "MESCheckOnlineVIP-Parser"
+ "_parserName4": "[concat(parameters('workspace'),'/','MESCompareDataMRA Data Parser')]",
+ "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
+ "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataMRA-Parser')))]",
+ "parserVersion4": "1.1.0",
+ "parserContentId4": "MESCompareDataMRA-Parser"
 },
 "parserObject5": {
- "_parserName5": "[concat(parameters('workspace'),'/','MESCompareDataMRA Data Parser')]",
- "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]",
- "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESCompareDataMRA-Parser')))]",
+ "_parserName5": "[concat(parameters('workspace'),'/','MESOfficeActivityLogs Data Parser')]",
+ "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
+ "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESOfficeActivityLogs-Parser')))]",
 "parserVersion5": "1.0.0",
- "parserContentId5": "MESCompareDataMRA-Parser"
- },
- "parserObject6": {
- "_parserName6": "[concat(parameters('workspace'),'/','MESOfficeActivityLogs Data Parser')]",
- "_parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]",
- "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MESOfficeActivityLogs-Parser')))]",
- "parserVersion6": "1.0.0",
- "parserContentId6": "MESOfficeActivityLogs-Parser"
+ "parserContentId5": "MESOfficeActivityLogs-Parser"
 },
 "workbookVersion1": "1.1.0",
 "workbookContentId1": "MicrosoftExchangeLeastPrivilegewithRBAC-Online",
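Review bot: Dropping `MESCheckVIP-Parser` and shifting the remaining parser definitions up one slot leaves nothing in the template that retires the old `MESCheckVIP Data Parser` saved search and its content metadata in workspaces that already run 3.1.5; ARM deployments of this kind are incremental, so the previous function — with its `ExchangeVIP`-watchlist query — presumably stays resolvable there while fresh installs only get `MESCheckOnlineVIP`. If that is intended, the release notes for 3.1.6 should state that the `MESCheckVIP` alias is no longer shipped by this solution and how to remove the stale saved search; otherwise a cleanup step belongs in the upgrade path. The rename itself is consistent: every `_parserName3` / `_parserId3` / `parserTemplateSpecName3` / `parserContentId3` value now derives from `MESCheckOnlineVIP`.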
@@ -140,7 +133,7 @@
 "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]",
 "_workbookContentId2": "[variables('workbookContentId2')]",
 "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]",
- "workbookVersion3": "1.0.0",
+ "workbookVersion3": "1.0.1",
 "workbookContentId3": "MicrosoftExchangeAdminActivity-Online",
 "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]",
 "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]",
@@ -166,7 +159,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.1.5",
+ "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -201,7 +194,7 @@
 "dataTypes": [
 {
 "name": "ESIExchangeOnlineConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
 }
 ],
 "connectivityCriterias": [
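Review bot: The new `lastDataReceivedQuery` aggregates twice — `summarize ... by GenerationInstanceID_g, ESIEnvironment_s` and then `|summarize Time = max(Time)` — and the second summarize makes the grouping redundant, since the maximum of the per-group maxima is just the overall maximum and `max()` already ignores nulls. The same result reads more plainly as `ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) | where isnotempty(Time) | project Time`, which also fixes the missing space before `summarize`; the `where` keeps the empty-table case returning no rows as before. The identical query is changed again in the `-518` hunk below and should follow the same form.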
@@ -518,7 +511,7 @@
 "dataTypes": [
 {
 "name": "ESIExchangeOnlineConfig_CL",
- "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ESIExchangeOnlineConfig_CL | summarize Time = max(todatetime(EntryDate_s)) by GenerationInstanceID_g, ESIEnvironment_s | where isnotempty(Time) |summarize Time = max(Time) | project Time"
 }
 ],
 "connectivityCriterias": [
@@ -744,7 +737,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExchangeConfiguration Data Parser with template version 3.1.5",
+ "description": "ExchangeConfiguration Data Parser with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -874,7 +867,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExchangeEnvironmentList Data Parser with template version 3.1.5",
+ "description": "ExchangeEnvironmentList Data Parser with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -1004,7 +997,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MESCheckVIP Data Parser with template version 3.1.5",
+ "description": "MESCheckOnlineVIP Data Parser with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -1018,10 +1011,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange", + "displayName": "Parser for VIP Check for Exchange Online", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\nlet Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ canonicalName \n or _UserToCheck =~ displayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck =~ objectSID \n or _UserToCheck == tostring(objectGUID) \n or _UserToCheck =~ distinguishedName\n or _UserToCheck == \"All\"\n | extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",displayName,\"#\",userPrincipalName,\"#\",sAMAccountName,\"#\",objectGUID,\"#\",objectSID,\"#\",distinguishedName,\"#\"),_UserToCheck);\nSearchUser\n", + "functionAlias": "MESCheckOnlineVIP", + "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ 
userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", "functionParameters": "UserToCheck:string='All'", "version": 2, "tags": [ @@ -1040,7 +1033,7 @@ "[variables('parserObject3')._parserId3]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", "contentId": "[variables('parserObject3').parserContentId3]", "kind": "Parser", "version": "[variables('parserObject3').parserVersion3]", @@ -1069,7 +1062,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject3').parserContentId3]", "contentKind": "Parser", - "displayName": "Parser for VIP Check for Exchange", + "displayName": "Parser for VIP Check for Exchange Online", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", "version": "[variables('parserObject3').parserVersion3]" 
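Review bot: The `MESCheckOnlineVIP` query never removes the placeholder row it unions in: `fuzzyWatchlist` contributes a `"NONE","NONE","NONE"` row so the query still compiles when the `ExchOnlineVIP` watchlist is absent, but unlike the `MESCheckVIP` query it replaces (which dropped its sentinel with `where objectGUID != "00000001-0000-1000-0000-100000000000"`), nothing filters that row out afterwards. With the default `UserToCheck` of `All` the function therefore returns a VIP named `NONE`, and a lookup for a user literally named `none` matches it because `=~` is case-insensitive; any rule or workbook joining on this output treats the placeholder as a real VIP. Add a filter after the union, e.g. `| where not(DisplayName == "NONE" and userPrincipalName == "NONE" and sAMAccountName == "NONE")`, or use a sentinel value that cannot collide with a legitimate watchlist entry. The same query is repeated in the `-1082` hunk below.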
@@ -1082,10 +1075,10 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange", + "displayName": "Parser for VIP Check for Exchange Online", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [\n \"NONE\",\"NONE\",\"NONE\",\"NONE\",\"00000001-0000-1000-0000-100000000000\",\"NONE\",\"NONE\"];\nlet Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != \"00000001-0000-1000-0000-100000000000\" | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ canonicalName \n or _UserToCheck =~ displayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck =~ objectSID \n or _UserToCheck == tostring(objectGUID) \n or _UserToCheck =~ distinguishedName\n or _UserToCheck == \"All\"\n | extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",displayName,\"#\",userPrincipalName,\"#\",sAMAccountName,\"#\",objectGUID,\"#\",objectSID,\"#\",distinguishedName,\"#\"),_UserToCheck);\nSearchUser\n", + "functionAlias": "MESCheckOnlineVIP", + "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ 
userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", "functionParameters": "UserToCheck:string='All'", "version": 2, "tags": [ @@ -1105,7 +1098,7 @@ "[variables('parserObject3')._parserId3]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", "contentId": "[variables('parserObject3').parserContentId3]", "kind": "Parser", "version": "[variables('parserObject3').parserVersion3]", @@ -1134,7 +1127,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCheckOnlineVIP Data Parser with template version 3.1.5", + "description": "MESCompareDataMRA Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject4').parserVersion4]", 
@@ -1148,11 +1141,11 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange Online", + "displayName": "Parser for MRA Configuration Data Comparison", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckOnlineVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", - "functionParameters": "UserToCheck:string='All'", + "functionAlias": "MESCompareDataMRA", + "query": "// Version: 1.1.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend 
CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= 
tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet 
DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) 
!=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n 
RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", "version": 2, "tags": [ { @@ -1170,7 +1163,7 @@ "[variables('parserObject4')._parserId4]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", "contentId": "[variables('parserObject4').parserContentId4]", "kind": "Parser", "version": "[variables('parserObject4').parserVersion4]", @@ -1199,9 +1192,9 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject4').parserContentId4]", "contentKind": "Parser", - "displayName": "Parser for VIP Check for Exchange Online", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", + "displayName": "Parser for MRA Configuration Data Comparison", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.1.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.1.0')))]", "version": "[variables('parserObject4').parserVersion4]" } }, 
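Review bot: In the `MESCompareDataMRA` query, `DateCompare` does not receive the `lastdate` resolution that its documented default relies on: `_CurrentDateB` is derived through `ExchangeConfiguration(...)` and `toscalar(_currD)`, whereas `_DateCompareB` is plainly `todatetime(DateCompare)`, so with the default `DateCompare:string='lastdate'` from `functionParameters` it is null, and the `between (_DateCompareB .. _CurrentDateB)` filter on `allDataRange` plus the `WhenCreated >=_DateCompareB` comparisons presumably yield no rows, leaving the parser empty unless the caller supplies an explicit date. Two smaller issues in the same query: `AfterData` extracts `CustomRecipientWriteScope.Name` in both branches of its `iff`, while `BeforeData` and `allDataRange` use the bare `CmdletResultValue.CustomRecipientWriteScope` for the Online case, so `DiffModifData` compares differently-derived strings for Online tenants and may flag spurious modifications; and `BeforeData` is defined but never referenced by the final `union`. Either resolve `DateCompare` the same way as `CurrentDate` or document that a concrete date is required; the same query is repeated in the `-1212` hunk, which runs past the end of this chunk.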
@@ -1212,11 +1205,11 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for VIP Check for Exchange Online", + "displayName": "Parser for MRA Configuration Data Comparison", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCheckOnlineVIP", - "query": "//let UserToCheck = \"SampleEntry\";\nlet _UserToCheck = iif(UserToCheck == \"\" or UserToCheck == \"All\",\"All\",tolower(UserToCheck));\nlet fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\nlet SearchUser = Watchlist | where _UserToCheck =~ DisplayName \n or _UserToCheck =~ userPrincipalName \n or _UserToCheck =~ sAMAccountName \n or _UserToCheck == \"All\"\n| extend ValueChecked = iif(_UserToCheck==\"All\",strcat(\"#\",DisplayName,\"#\",userPrincipalName,\"#\",sAMAccountName),_UserToCheck);\nSearchUser\n", - "functionParameters": "UserToCheck:string='All'", + "functionAlias": "MESCompareDataMRA", + "query": "// Version: 1.1.0\n// Last Updated: 30/08/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend 
CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))\n | extend CustomConfigWriteScope = iff (_TypeEnv==\"On-Premises\", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= 
tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\" or CmdletResultValue.RoleAssignmentDelegationType == \"Delegating\", \"Delegating\", \"Regular\") \n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet 
DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) 
!=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n 
RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", + "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", "version": 2, "tags": [ { @@ -1235,7 +1228,7 @@ "[variables('parserObject4')._parserId4]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCheckOnlineVIP Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", "contentId": "[variables('parserObject4').parserContentId4]", "kind": "Parser", "version": "[variables('parserObject4').parserVersion4]", @@ -1264,7 +1257,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MESCompareDataMRA Data Parser with template version 3.1.5", + "description": "MESOfficeActivityLogs Data Parser with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject5').parserVersion5]", 
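Review bot: In the new MESCompareDataMRA query (version 1.1.0), the `AfterData` branch computes `CustomRecipientWriteScope` with `tostring(CmdletResultValue.CustomRecipientWriteScope.Name)` in both arms of the `iff(_TypeEnv=="On-Premises", …)`, while `BeforeData` and `allDataRange` use the plain `tostring(CmdletResultValue.CustomRecipientWriteScope)` for the Online case. If the Online value is a plain string, `.Name` evaluates to empty, so `DiffModifData` ends up comparing "" against the earlier value and will likely report spurious "📍" modifications for every assignment that carries a custom recipient scope. The non-On-Premises arm should read `tostring(CmdletResultValue.CustomRecipientWriteScope)`, matching the `CustomConfigWriteScope` line directly below it. Since mainTemplate.json appears to be a packaged artifact, the same correction presumably belongs in the source parser definition before the package is regenerated.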
@@ -1278,11 +1271,11 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Parser for MRA Configuration Data Comparison", + "displayName": "Parser for Office Activity Logs", "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCompareDataMRA", - "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = 
tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = 
iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement 
= tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n | extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and 
prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, 
WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", - "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", + "functionAlias": "MESOfficeActivityLogs", + "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\nlet CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.DisplayName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n 
union isfuzzy=true withsource=TableName \n SearchUserDisplayName,\n SearchUserSAMAccountName, \n SearchUserUPN\n };\nlet EventList = OfficeActivity\n | where RecordType == \"ExchangeAdmin\"\n | where UserType <> \"DcAdmin\" and UserKey !contains \"NT AUTHORITY\"\n | extend CmdletName = Operation\n | extend Param = replace_string(replace_string((replace_string(Parameters,'[{\"Name\":\"','-')),'\",\"Value\":\"',' : '),'\"},{\"Name\":\"',', -')\n // | extend Param = replace_string((replace_string(Parameters,'\",\"Value\":\"',' : ')),'\"},{\"Name\":\"',' -')\n | extend Param = replace_string((replace_string(Param,'\"},{\"',' ; ')),'\"}]','')\n | extend Param = replace_string(Param,'\\\\\\\\','\\\\')\n | extend TargetObject = tostring(split(split(Param,\"-Identity : \")[1],' -')[0])\n | extend TargetObject = replace_string(TargetObject,',','')\n | extend TargetObject = iff(TargetObject==\"\",TargetObject=\"N/A\",TargetObject);\nlet Office_Activity = (){\nEventList\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckOnlineVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend Caller = UserId\n | extend CmdletParameters = Param\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters1),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( 
array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Caller,TargetObject,IsVIP,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented\n};\nOffice_Activity\n", + "functionParameters": "", "version": 2, "tags": [ { @@ -1300,7 +1293,7 @@ "[variables('parserObject5')._parserId5]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]", "contentId": "[variables('parserObject5').parserContentId5]", "kind": "Parser", "version": "[variables('parserObject5').parserVersion5]", @@ -1329,7 +1322,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject5').parserContentId5]", "contentKind": "Parser", - "displayName": "Parser for MRA Configuration Data Comparison", + "displayName": "Parser for Office Activity Logs", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", "version": "[variables('parserObject5').parserVersion5]" 
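Review bot: The header comment of the new MESOfficeActivityLogs query still reads "This parser is used to compare the data of a specific section of the Exchange Online Configuration…", which describes the MRA comparison parser rather than this one; it should state that the function enriches OfficeActivity `ExchangeAdmin` records with VIP and sensitive-cmdlet flags (`IsVIP`, `IsSenstiveCmdlet`, `IsSensitive`), as the query body does. It is also worth documenting that the sensitive-cmdlet list is pulled at query time via `externaldata` from `https://aka.ms/CmdletWatchlist`, so the `IsSensitive` verdict changes whenever that remote CSV changes and the query is expected to fail when the URL is unreachable — operators should know this detection depends on a feed outside the workspace. The line `| extend TargetObject = iff(TargetObject=="",TargetObject="N/A",TargetObject)` looks like it intends the literal `"N/A"`; `iff(TargetObject=="", "N/A", TargetObject)` would be the straightforward form, to be confirmed against the source parser. The identifiers `IsSenstiveCmdlet` and `IsSenstiveCmdletParameters` are misspelled and are projected into the output, so renaming them later would be a breaking change for consumers; a short comment acknowledging the spelling would at least prevent a well-meant "fix" from breaking callers.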
@@ -1340,136 +1333,6 @@ "apiVersion": "2022-10-01", "name": "[variables('parserObject5')._parserName5]", "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for MRA Configuration Data Comparison", - "category": "Microsoft Sentinel Parser", - "functionAlias": "MESCompareDataMRA", - "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\n// USAGE:\n// Parameters : 7 parameters to add during creation. \n// 1. SectionCompare, type string, default value \"\"\n// 2. DateCompare, type string, default value \"lastdate\"\n// 3. CurrentDate, type string, default value \"lastdate\"\n// 4. EnvList, type string, default value \"All\"\n// 5. TypeEnv, type string, default value \"Online\"\n// 6. CurrentRole, type string, default value \"\"\n// 7. 
ExclusionsAcct, type dynamic, default value dynamic(\"\")\n//\n// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SectionCompare = \"SampleEntry\";\n// let EnvList = \"All\";\n// let TypeEnv = \"Online\";\n// let CurrentRole = \"\";\n// let ExclusionsAcct = dynamic(\"\");\n// let DateCompare = \"lastdate\";\n// let CurrentDate = \"lastdate\";\n//\n// Parameters definition\nlet _SectionCompare = SectionCompare;\nlet _EnvList =EnvList;\nlet _TypeEnv = TypeEnv;\nlet _CurrentRole =CurrentRole;\nlet _ExclusionsAcct = ExclusionsAcct;\nlet _DateCompare = DateCompare;\nlet _CurrentDate = CurrentDate;\nlet _DateCompareB = todatetime(DateCompare);\nlet _currD = (ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n| summarize TimeMax = max(TimeGenerated)\n| extend TimeMax = tostring(split(TimeMax,\"T\")[0])\n| project TimeMax);\nlet _CurrentDateB = todatetime(toscalar(_currD));\nlet BeforeData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_DateCompare,SpecificConfigurationEnv=_EnvList,Target=_TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = 
tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == \"6\", \"Delegating\", \"Regular\") \n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ; \nlet AfterData = \n ExchangeConfiguration(SpecificSectionList=_SectionCompare,SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet i=0;\nlet allDataRange = \n ESIExchangeOnlineConfig_CL\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\n | where ESIEnvironment_s == _EnvList\n | where Section_s == \"MRA\"\n | extend CmdletResultValue = parse_json(rawData_s)\n | project TimeGenerated,CmdletResultValue,WhenChanged = WhenChanged_t, WhenCreated=WhenCreated_t\n | where CmdletResultValue.Role contains _CurrentRole\n and CmdletResultValue.RoleAssigneeName !in (_ExclusionsAcct)\n and CmdletResultValue.Name !contains \"Deleg\"\n | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\n | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == \"User\", \"User\", \"RoleGroup\")\n | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\n | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\n | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\n | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)\n | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)\n | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\n | extend Status= tostring(CmdletResultValue.Enabled)\n | extend Role = tostring(CmdletResultValue.Role)\n | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)\n ;\nlet DiffAddDataP1 = allDataRange\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\n;\nlet DiffAddDataP2 = allDataRange\n | join kind = innerunique (allDataRange ) on WhenCreated\n | where WhenCreated >=_DateCompareB\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\n | distinct ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\n| extend Actiontype =\"Add\";\nlet DiffRemoveData = allDataRange\n | join kind = leftanti AfterData on RoleAssigneeName\n 
| extend Actiontype =\"Remove\"\n | distinct Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n | project WhenChanged=_CurrentDateB,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n ;\nlet DiffModifData = union AfterData,allDataRange\n| sort by ManagementRoleAssignement,WhenChanged asc\n| extend Status = iff( ManagementRoleAssignement == prev(ManagementRoleAssignement) and Status != prev(Status) and prev(Status) !=\"\" , strcat(\"📍 \", Status, \" (\",prev(Status),\"->\", Status,\" )\"),Status)\n| extend CustomRecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomRecipientWriteScope != prev(CustomRecipientWriteScope) and prev(CustomRecipientWriteScope) !=\"\" , strcat(\"📍 \", CustomRecipientWriteScope, \" (\", prev(CustomRecipientWriteScope),\"->\", CustomRecipientWriteScope, \")\"),CustomRecipientWriteScope)\n| extend CustomConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and CustomConfigWriteScope != prev(CustomConfigWriteScope) and prev(CustomConfigWriteScope) !=\"\" , strcat(\"📍 \", CustomConfigWriteScope, \" (\", prev(CustomConfigWriteScope),\"->\", CustomConfigWriteScope, \")\"),CustomConfigWriteScope)\n| extend RecipientWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and RecipientWriteScope != prev(RecipientWriteScope) and prev(RecipientWriteScope) !=\"\" , strcat(\"📍 \", RecipientWriteScope, \" (\", prev(RecipientWriteScope),\"->\", RecipientWriteScope, \")\"),RecipientWriteScope)\n| extend ConfigWriteScope = iff(ManagementRoleAssignement == prev(ManagementRoleAssignement) and ConfigWriteScope != 
prev(ConfigWriteScope) and prev(ConfigWriteScope) !=\"\" , strcat(\"📍 \", ConfigWriteScope, \" (\", prev(ConfigWriteScope),\"->\", ConfigWriteScope, \")\"),ConfigWriteScope)\n| extend ActiontypeR =iff((Status contains \"📍\" or CustomRecipientWriteScope contains\"📍\" or CustomConfigWriteScope contains\"📍\" or RecipientWriteScope contains\"📍\" or ConfigWriteScope contains\"📍\" ), i=i + 1, i)\n| extend Actiontype =iff(ActiontypeR > 0, \"Modif\", \"NO\")\n| where ActiontypeR == 1\n| project WhenChanged,Actiontype,ManagementRoleAssignement,RoleAssigneeName, Status,CustomRecipientWriteScope,RoleAssigneeType,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,RoleAssignmentDelegationType,WhenCreated\n;\nunion DiffAddData, DiffRemoveData, DiffModifData\n| extend RoleAssigneeName = iff(RoleAssigneeType == \"User\", strcat(\"🧑‍🦰 \", RoleAssigneeName), strcat(\"👪 \", RoleAssigneeName))\n| extend WhenChanged = iff (Actiontype == \"Modif\", WhenChanged, iff(Actiontype == \"Add\",WhenCreated, WhenChanged))\n| extend Actiontype = case(Actiontype == \"Add\", strcat(\"➕ \", Actiontype), Actiontype == \"Remove\", strcat(\"➖ \", Actiontype), Actiontype == \"Modif\", strcat(\"📍 \", Actiontype), \"N/A\")\n| sort by WhenChanged desc \n| project\n WhenChanged,\n Actiontype,\n RoleAssigneeName,\n RoleAssigneeType,\n Status,\n CustomRecipientWriteScope,\n CustomConfigWriteScope,\n RecipientWriteScope,\n ConfigWriteScope,\n ManagementRoleAssignement,\n RoleAssignmentDelegationType,\n WhenCreated\n", - "functionParameters": "SectionCompare:string='',DateCompare:string='lastdate',CurrentDate:string='lastdate',EnvList:string='All',TypeEnv:string='Online',CurrentRole:string='',ExclusionsAcct:dynamic=dynamic('')", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - 
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", - "dependsOn": [ - "[variables('parserObject5')._parserId5]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESCompareDataMRA Data Parser')]", - "contentId": "[variables('parserObject5').parserContentId5]", - "kind": "Parser", - "version": "[variables('parserObject5').parserVersion5]", - "source": { - "kind": "Solution", - "name": "Microsoft Exchange Security - Exchange Online", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('parserObject6').parserTemplateSpecName6]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "MESOfficeActivityLogs Data Parser with template version 3.1.5", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('parserObject6').parserVersion6]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[variables('parserObject6')._parserName6]", - "apiVersion": "2022-10-01", - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "location": "[parameters('workspace-location')]", - "properties": { - "eTag": "*", - "displayName": "Parser for Office Activity Logs", - "category": "Microsoft Sentinel Parser", - 
"functionAlias": "MESOfficeActivityLogs", - "query": "// Version: 1.0.0\n// Last Updated: 25/02/2024\n// \n// DESCRIPTION:\n// This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.\n//\nlet CmdletCheck = externaldata (Cmdlet:string, UserOriented:string, RestrictToParameter:string, Parameters:string)[h\"https://aka.ms/CmdletWatchlist\"]with(format=\"csv\",ignoreFirstRecord=true);\nlet SensitiveCmdlets = CmdletCheck | project tostring(Cmdlet) ;\nlet Check = (T:(*)) {\n let fuzzyWatchlist = datatable(DisplayName:string, sAMAccountName:string, userPrincipalName:string) [\n \"NONE\",\"NONE\",\"NONE\"];\n let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchOnlineVIP'), fuzzyWatchlist | project-away TableName;\n let SearchUserDisplayName = T | join Watchlist on $left.TargetObject == $right.DisplayName | project TargetObject,SearchKey;\n let SearchUserSAMAccountName = T | join Watchlist on $left.TargetObject == $right.sAMAccountName | project TargetObject,SearchKey;\n let SearchUserUPN = T | join Watchlist on $left.TargetObject == $right.userPrincipalName | project TargetObject,SearchKey;\n union isfuzzy=true withsource=TableName \n SearchUserDisplayName,\n SearchUserSAMAccountName, \n SearchUserUPN\n };\nlet EventList = OfficeActivity\n | where RecordType == \"ExchangeAdmin\"\n | where UserType <> \"DcAdmin\" and UserKey !contains \"NT AUTHORITY\"\n | extend CmdletName = Operation\n | extend Param = replace_string(replace_string((replace_string(Parameters,'[{\"Name\":\"','-')),'\",\"Value\":\"',' : '),'\"},{\"Name\":\"',', -')\n // | extend Param = replace_string((replace_string(Parameters,'\",\"Value\":\"',' : ')),'\"},{\"Name\":\"',' -')\n | extend Param = replace_string((replace_string(Param,'\"},{\"',' ; ')),'\"}]','')\n | extend Param = replace_string(Param,'\\\\\\\\','\\\\')\n | extend 
TargetObject = tostring(split(split(Param,\"-Identity : \")[1],' -')[0])\n | extend TargetObject = replace_string(TargetObject,',','')\n | extend TargetObject = iff(TargetObject==\"\",TargetObject=\"N/A\",TargetObject);\nlet Office_Activity = (){\nEventList\n | join kind=leftouter (EventList | project TargetObject | invoke Check()) on TargetObject\n | extend IsVIP = iif(SearchKey == \"\", false, true)\n | join kind=leftouter ( \n MESCheckOnlineVIP() ) on SearchKey\n | extend CmdletNameJoin = tolower(CmdletName)\n | join kind=leftouter ( \n CmdletCheck\n | extend CmdletNameJoin = tolower(Cmdlet)\n ) on CmdletNameJoin\n | extend Caller = UserId\n | extend CmdletParameters = Param\n | extend IsSenstiveCmdlet = iif( isnotempty(CmdletNameJoin1) , true, false) \n | extend IsRestrictedCmdLet = iif(IsSenstiveCmdlet == true, iif( RestrictToParameter == \"Yes\", true, false), dynamic(null))\n | extend RestrictedParameters = iif(IsSenstiveCmdlet == true, split(tolower(Parameters1),';'), dynamic(null))\n | extend ExtractedParameters = iif(IsSenstiveCmdlet == true,extract_all(@\"\\B(-\\w+)\", tolower(CmdletParameters)), dynamic(null))\n | extend IsSenstiveCmdletParameters = iif(IsSenstiveCmdlet == true,iif( array_length(set_difference(ExtractedParameters,RestrictedParameters)) == array_length(ExtractedParameters), false, true ) , false)\n | extend IsSensitive = iif( ( IsSenstiveCmdlet == true and IsRestrictedCmdLet == false ) or (IsSenstiveCmdlet == true and IsRestrictedCmdLet == true and IsSenstiveCmdletParameters == true ), true, false )\n | project TimeGenerated,Caller,TargetObject,IsVIP,userPrincipalName,CmdletName,CmdletParameters,IsSenstiveCmdlet,IsRestrictedCmdLet,ExtractedParameters,RestrictedParameters,IsSenstiveCmdletParameters,IsSensitive,UserOriented\n};\nOffice_Activity\n", - "functionParameters": "", - "version": 2, - "tags": [ - { - "name": "description", - "value": "" - } - ] - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - 
"apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", - "dependsOn": [ - "[variables('parserObject6')._parserId6]" - ], - "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]", - "contentId": "[variables('parserObject6').parserContentId6]", - "kind": "Parser", - "version": "[variables('parserObject6').parserVersion6]", - "source": { - "name": "Microsoft Exchange Security - Exchange Online", - "kind": "Solution", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Community", - "tier": "Community", - "link": "https://github.com/Azure/Azure-Sentinel/issues" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('parserObject6').parserContentId6]", - "contentKind": "Parser", - "displayName": "Parser for Office Activity Logs", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", - "version": "[variables('parserObject6').parserVersion6]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2022-10-01", - "name": "[variables('parserObject6')._parserName6]", - "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": 
"Parser for Office Activity Logs", @@ -1490,15 +1353,15 @@ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", "location": "[parameters('workspace-location')]", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", "dependsOn": [ - "[variables('parserObject6')._parserId6]" + "[variables('parserObject5')._parserId5]" ], "properties": { "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MESOfficeActivityLogs Data Parser')]", - "contentId": "[variables('parserObject6').parserContentId6]", + "contentId": "[variables('parserObject5').parserContentId5]", "kind": "Parser", - "version": "[variables('parserObject6').parserVersion6]", + "version": "[variables('parserObject5').parserVersion5]", "source": { "kind": "Solution", "name": "Microsoft Exchange Security - Exchange Online", @@ -1524,7 +1387,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.1.5", + "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -1542,7 +1405,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e59f0f7f-fd05-4ec8-9f59-e4d9c3b589f2\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Current RBAC Delegation\",\"subTarget\":\"RBACDelegation\",\"preText\":\"RBAC Delegation\",\"postText\":\"\",\"style\":\"link\"},{\"id\":\"26056188-7abf-4913-a927-806099e616eb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Custom Roles\",\"subTarget\":\"CustomRole\",\"style\":\"link\"},{\"id\":\"5eeebe10-be67-4f8a-9d91-4bc6c70c3e16\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"start\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| 
extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value 
desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The current delegation are compared to an export of default delegation available on Exchange Online.\\r\\n\\r\\nTo find which is used for the comparaison please follow this link.\\r\\nThe export is located on the public GitHub of the project.\\r\\n\\r\\ncheck this link : https://aka.ms/esiwatchlist\\r\\n\\r\\nIt will be updated by the team project.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on User Accounts\",\"items\":[{\"type\":1,\"content\":{\"json\":\" Custom Delegation on User Accounts\"},\"name\":\"text - 2 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d9d4e0a2-b75d-4825-9f4e-7606516500e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize 
make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf5959fa-a833-4bb2-90bd-d4c90dca5506\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where 
CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| project Name, Role, RoleAssigneeName,Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope\\r\\n| sort by RoleAssigneeName asc\\r\\n\",\"size\":3,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 
2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on User Accounts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done directly to a user account.\\r\\n\\r\\nDetailed information for the user accounts will be displayed.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nThese types of delegations are not available on the Exchange Admin Center.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done directly to service account. Being able to see this delegation will help to sanityze the environment as some delegations may be no more necessary\\r\\n\\r\\n - Delegation done by mistake directly to Administrator Accounts\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\n\\r\\nDetailed information for the user accounts will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on Groups\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Custom Delegation on Groups\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c548eb09-54e3-41bf-a99d-be3534f7018b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where 
CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f5511a2b-9bf6-48ae-a968-2d1f879c8bfa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustMailRecipients\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nlet RoleG = ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n | project 
RoleAssigneeName=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend ManagementRoleAssignment = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n|lookup RoleG on RoleAssigneeName \\r\\n| project-away CmdletResultValue\\r\\n| sort by RoleAssigneeName asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on 
Groups\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done for standard and non standard groups. Indeed, default groups have a list of default delegations but an Exchange administrators can add also new roles to the default groups.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done for Organization Management to role like Mailbox Import Export or Mailbox Search\\r\\n\\r\\n - Delegation done by mistake\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\nDetailed information for the user accounts present in the groups will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Custom Delegation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### How to user this tab\\r\\n**1 - Select an account** : All the Cmdlet launched by the account during the selected time frame will be displayer.\\r\\n\\r\\n**2 - Select a cmdlet** : All the roles that contain will be displayed\\r\\n\\r\\n**3 - Review the list of roles** : This table contains all the roles that contain the selected Cmdlet\\r\\n\\r\\n\",\"style\":\"info\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### How to undertand the \\\"List of Roles with this CmdLet\\\" table ? 
\\r\\n\\r\\n**WeightRole :** Display the wieight of this role based on its importance in terms of security risk\\r\\n\\r\\n**SumRole :** Among all the Cmdlet launched by the account during the defined time frame, this role available for x cmdlet. This role include x cmdlet run by the user.\\r\\n\\r\\n**OrgMgmtRole :** This role is really in the scope of Organization Management group. If the selected Cmdlet is not included is any other role, it make sense that this user is member of the Organization Management group\\r\\n\\r\\n \",\"style\":\"upsell\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CounUserCmdlet = (ExchangeAdminAuditLogs\\r\\n| where Status == \\\"Success\\\"\\r\\n| extend Caller = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| summarize Count=count() by Caller);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"Organization Management\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where CmdletResultValue.ObjectClass == \\\"user\\\"\\r\\n//| project CmdletResultValue,Count\\r\\n| extend Account = tostring(CmdletResultValue.SamAccountName)\\r\\n| join kind=leftouter (CounUserCmdlet) on $left.Account == $right.Caller\\r\\n| project Account,Count\\r\\n//| project-away CmdletResultValue\\r\\n| sort by Account asc\",\"size\":3,\"title\":\"Organization Management 
Members\",\"exportFieldName\":\"Account\",\"exportParameterName\":\"Account\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purple\"}}]}},\"customWidth\":\"20\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeAdminAuditLogs\\r\\n| where Caller contains \\\"{Account}\\\"\\r\\n| where Status == \\\"Success\\\"\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"size\":3,\"title\":\"List of CmdLet run by the account\",\"exportFieldName\":\"CmdletName\",\"exportParameterName\":\"CmdletName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| where Name has \\\"{CmdletName}\\\"\\r\\n| extend PossibleRoles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n|distinct 
PossibleRoles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by SumRole,RoleWeight\\r\\n\",\"size\":3,\"title\":\"List of Roles with this CmdLet\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"customWidth\":\"40\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0\",\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where TimeGenerated {TimeRange} | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| extend Roles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n| extend CmdletList=tostring(CmdletList)\\r\\n| summarize by Roles,CmdletList,RoleWeight,tostring(SumRole),OrgMgmtRole\\r\\n| distinct Roles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by Roles asc\",\"size\":0,\"title\":\"Recommended Roles for selected users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"name\":\"query - 3\"}]},\"name\":\"group - 
0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Leastprivileges\"},\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Role details\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"List of Custom Roles\",\"items\":[{\"type\":1,\"content\":{\"json\":\"List of existing custom Roles\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"List of Custom with a Management Role Assignement (associated with a group or a user). Display the target account and scope if set\"},\"customWidth\":\"50\",\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| extend ParentRole =split(tostring(CmdletResultValue.Parent),\\\"\\\\\\\\\\\")[1]\\r\\n| project Identity, ParentRole, WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| 
extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role, Scope, RoleAssigneeName\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project Role,RoleAssigneeName,Scope\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='ITSY', Target = \\\"Online\\\")\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role= tostring(CmdletResultValue.Role), Scope, RoleAssigneeName\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| project Role = Role1, Scope, RoleAssigneeName,Comment = iff(Role == \\\"\\\", \\\"⚠️ No existing delegation for this role\\\", \\\"✅ This role is delegated with a Management Role Assignment\\\")\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", 
SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Role)\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| summarize acount = count() by iff( Role==\\\"\\\",\\\"Number of non assigned roles\\\", Role)\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 5\"}]},\"name\":\"List of Custom Roles\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Roles delegation on group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows delegation associated with the Custom Roles\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope 
= tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Details for Custom Roles Cmdlets \",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays for the chosen custom management roles all Cmdlets and their parameters associated with this custom role.\\r\\nRemember that for a cmdlet, some parameters can be removed.\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"07c8ac83-371d-4702-ab66-72aeb2a20053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomRole\",\"type\":2,\"isRequired\":true,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| project 
Identity\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustPF\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"{CustomRole}\\\"\\r\\n| extend CmdletName = CmdletResultValue.Name\\r\\n| extend Parameters = CmdletResultValue.Parameters\\r\\n| project CmdletName,Parameters\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Details for Custom Roles Cmdlets \"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CustomRole\"},\"name\":\"Custom Role\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeLeastPrivilegewithRBAC-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"e59f0f7f-fd05-4ec8-9f59-e4d9c3b589f2\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Current RBAC Delegation\",\"subTarget\":\"RBACDelegation\",\"preText\":\"RBAC Delegation\",\"postText\":\"\",\"style\":\"link\"},{\"id\":\"26056188-7abf-4913-a927-806099e616eb\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Custom 
Roles\",\"subTarget\":\"CustomRole\",\"style\":\"link\"},{\"id\":\"5eeebe10-be67-4f8a-9d91-4bc6c70c3e16\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"start\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | 
extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true 
}\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation\",\"items\":[{\"type\":1,\"content\":{\"json\":\"The current delegation are compared to an export of default delegation available on Exchange Online.\\r\\n\\r\\nTo find which is used for the comparaison please follow this link.\\r\\nThe export is located on the public GitHub of the project.\\r\\n\\r\\ncheck this link : https://aka.ms/esiwatchlist\\r\\n\\r\\nIt will be updated by the team project.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on User Accounts\",\"items\":[{\"type\":1,\"content\":{\"json\":\" Custom Delegation on User Accounts\"},\"name\":\"text - 2 - Copy\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d9d4e0a2-b75d-4825-9f4e-7606516500e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct 
RoleAssigneeName\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"cf5959fa-a833-4bb2-90bd-d4c90dca5506\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"User\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = 
tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| project Name, Role, RoleAssigneeName,Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope\\r\\n| sort by RoleAssigneeName asc\\r\\n\",\"size\":3,\"showAnalytics\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on User Accounts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done directly to a user account.\\r\\n\\r\\nDetailed information for the user accounts will be displayed.\\r\\n\\r\\nThis status is done by comparing current delegation 
with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nThese types of delegations are not available on the Exchange Admin Center.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done directly to service account. Being able to see this delegation will help to sanityze the environment as some delegations may be no more necessary\\r\\n\\r\\n - Delegation done by mistake directly to Administrator Accounts\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\n\\r\\nDetailed information for the user accounts will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Delegation on Groups\",\"items\":[{\"type\":1,\"content\":{\"json\":\"Custom Delegation on Groups\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c548eb09-54e3-41bf-a99d-be3534f7018b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RoleAssignee\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| distinct 
RoleAssigneeName\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"f5511a2b-9bf6-48ae-a968-2d1f879c8bfa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Role\",\"type\":2,\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| project CmdletResultValue\\r\\n| extend Role=tostring (CmdletResultValue.Role)\\r\\n| distinct Role\\r\\n| sort by Role asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustMailRecipients\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DefMRA = externaldata (Name:string)[h\\\"https://aka.ms/standardMRAOnline\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| summarize make_list(Name);\\r\\nlet RoleG = ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n | project RoleAssigneeName=tostring(CmdletResultValue.Name);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.RoleAssigneeName endswith \\\"{RoleAssignee}\\\" \\r\\n| where 
CmdletResultValue.Role contains \\\"{Role}\\\"\\r\\n| where CmdletResultValue.Name !in (DefMRA) and CmdletResultValue.RoleAssigneeType == \\\"RoleGroup\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| project CmdletResultValue\\r\\n| extend ManagementRoleAssignment = tostring(CmdletResultValue.Name)\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n|lookup RoleG on RoleAssigneeName \\r\\n| project-away CmdletResultValue\\r\\n| sort by RoleAssigneeName asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"RoleAssigneeName\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Custom Delegation on Groups\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays all the nonstandard delegations done for standard and non standard groups. 
Indeed, default groups have a list of default delegations but an Exchange administrators can add also new roles to the default groups.\\r\\n\\r\\nThis status is done by comparing current delegation with the default delegation for Exchange 2019 CU11.\\r\\n\\r\\nUsual results :\\r\\n\\r\\n - Delegations done for Organization Management to role like Mailbox Import Export or Mailbox Search\\r\\n\\r\\n - Delegation done by mistake\\r\\n\\r\\n - Suspicious delegations\\r\\n\\r\\nDetailed information for the user accounts present in the groups will be displayed in below sections\\r\\n\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"RBACDelegation\"},\"name\":\"Custom Delegation\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### How to user this tab\\r\\n**1 - Select an account** : All the Cmdlet launched by the account during the selected time frame will be displayer.\\r\\n\\r\\n**2 - Select a cmdlet** : All the roles that contain will be displayed\\r\\n\\r\\n**3 - Review the list of roles** : This table contains all the roles that contain the selected Cmdlet\\r\\n\\r\\n\",\"style\":\"info\"},\"name\":\"text - 1\"},{\"type\":1,\"content\":{\"json\":\"### How to undertand the \\\"List of Roles with this CmdLet\\\" table ? \\r\\n\\r\\n**WeightRole :** Display the wieight of this role based on its importance in terms of security risk\\r\\n\\r\\n**SumRole :** Among all the Cmdlet launched by the account during the defined time frame, this role available for x cmdlet. This role include x cmdlet run by the user.\\r\\n\\r\\n**OrgMgmtRole :** This role is really in the scope of Organization Management group. 
If the selected Cmdlet is not included is any other role, it make sense that this user is member of the Organization Management group\\r\\n\\r\\n \",\"style\":\"upsell\"},\"name\":\"text - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let CounUserCmdlet = (ExchangeAdminAuditLogs\\r\\n| where Status == \\\"Success\\\"\\r\\n| extend Caller = tostring(split(Caller,\\\"/\\\")[countof(Caller,\\\"/\\\")])\\r\\n| summarize Count=count() by Caller);\\r\\nExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.Parentgroup == \\\"Organization Management\\\"\\r\\n| where CmdletResultValue.Level != 0\\r\\n| where CmdletResultValue.ObjectClass == \\\"user\\\"\\r\\n//| project CmdletResultValue,Count\\r\\n| extend Account = tostring(CmdletResultValue.SamAccountName)\\r\\n| join kind=leftouter (CounUserCmdlet) on $left.Account == $right.Caller\\r\\n| project Account,Count\\r\\n//| project-away CmdletResultValue\\r\\n| sort by Account asc\",\"size\":3,\"title\":\"Organization Management Members\",\"exportFieldName\":\"Account\",\"exportParameterName\":\"Account\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"purple\"}}]}},\"customWidth\":\"20\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeAdminAuditLogs\\r\\n| where Caller contains \\\"{Account}\\\"\\r\\n| where Status == \\\"Success\\\"\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"size\":3,\"title\":\"List of CmdLet run by the 
account\",\"exportFieldName\":\"CmdletName\",\"exportParameterName\":\"CmdletName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"CmdletName\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| where Name has \\\"{CmdletName}\\\"\\r\\n| extend PossibleRoles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n|distinct PossibleRoles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by SumRole,RoleWeight\\r\\n\",\"size\":3,\"title\":\"List of Roles with this CmdLet\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"PossibleRoles\",\"sortOrder\":1}]},\"customWidth\":\"40\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"0\",\"maxWidth\":\"100%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let RBACRoleCmdlet = _GetWatchlist('RBACRoleCmdlet');\\r\\nlet UserRoleList = ExchangeAdminAuditLogs | where TimeGenerated {TimeRange} | 
where Caller contains \\\"{Account}\\\" | where Status == \\\"Success\\\" | distinct CmdletName;\\r\\nlet countRole = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize SumRole = count()by Role);\\r\\nlet RolevsCmdlet = (RBACRoleCmdlet | where Name has_any (UserRoleList)| summarize make_set(Name) by Role);\\r\\nRolevsCmdlet\\r\\n| join kind=leftouter ( countRole ) on Role\\r\\n| project Role,CmdletList=set_Name,SumRole\\r\\n| join kind=leftouter ( RBACRoleCmdlet ) on Role\\r\\n| extend Roles = Role\\r\\n| extend OrgMgmtRole = OrgM\\r\\n| extend RoleWeight = Priority\\r\\n| extend CmdletList=tostring(CmdletList)\\r\\n| summarize by Roles,CmdletList,RoleWeight,tostring(SumRole),OrgMgmtRole\\r\\n| distinct Roles,RoleWeight,tostring(SumRole),OrgMgmtRole,tostring(CmdletList)\\r\\n|sort by Roles asc\",\"size\":0,\"title\":\"Recommended Roles for selected users\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"Roles\",\"sortOrder\":1}]},\"name\":\"query - 3\"}]},\"name\":\"group - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Leastprivileges\"},\"name\":\"group - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Role details\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"List of Custom Roles\",\"items\":[{\"type\":1,\"content\":{\"json\":\"List of existing custom Roles\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"List of Custom with a Management Role Assignement (associated with a group or a user). 
Display the target account and scope if set\"},\"customWidth\":\"50\",\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| extend ParentRole =split(tostring(CmdletResultValue.Parent),\\\"\\\\\\\\\\\")[1]\\r\\n| project Identity, ParentRole, WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role, Scope, RoleAssigneeName\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project Role,RoleAssigneeName,Scope\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = 
(ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"lastdate\\\", SpecificConfigurationEnv='ITSY', Target = \\\"Online\\\")\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Scope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| project Role= tostring(CmdletResultValue.Role), Scope, RoleAssigneeName\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| project Role = Role1, Scope, RoleAssigneeName,Comment = iff(Role == \\\"\\\", \\\"⚠️ No existing delegation for this role\\\", \\\"✅ This role is delegated with a Management Role Assignment\\\")\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Role)\\r\\n| join kind=rightouter (MRcustomRoles) on Role\\r\\n| summarize acount = count() by iff( Role==\\\"\\\",\\\"Number of non assigned roles\\\", 
Role)\",\"size\":0,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 5\"}]},\"name\":\"List of Custom Roles\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Custom Roles delegation on group\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows delegation associated with the Custom Roles\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let MRcustomRoles = (ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project Role = tostring(CmdletResultValue.Name));\\r\\nExchangeConfiguration(SpecificSectionList=\\\"MRA\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Role = tostring(CmdletResultValue.Role)\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\\r\\n| join kind=inner (MRcustomRoles) on Role\\r\\n| project RoleAssigneeName, Role, Status,CustomRecipientWriteScope, 
CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,WhenCreated, WhenChanged\",\"size\":3,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Details for Custom Roles Cmdlets \",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displays for the chosen custom management roles all Cmdlets and their parameters associated with this custom role.\\r\\nRemember that for a cmdlet, some parameters can be removed.\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"07c8ac83-371d-4702-ab66-72aeb2a20053\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CustomRole\",\"type\":2,\"isRequired\":true,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustom\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = CmdletResultValue.Name\\r\\n| project Identity\",\"typeSettings\":{\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"MR-CustPF\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRCustomDetails\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"{CustomRole}\\\"\\r\\n| extend CmdletName = CmdletResultValue.Name\\r\\n| extend Parameters = CmdletResultValue.Parameters\\r\\n| project 
CmdletName,Parameters\",\"size\":1,\"showAnalytics\":true,\"timeContext\":{\"durationMs\":86400000},\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Details for Custom Roles Cmdlets \"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CustomRole\"},\"name\":\"Custom Role\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeLeastPrivilegewithRBAC-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -1611,7 +1474,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.1.5", + "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.1.6", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", 
@@ -1629,7 +1492,7 @@ }, "properties": { "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review Online\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend 
ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"181fa282-a002-42f1-ad57-dfb86df3194e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"type\":10,\"description\":\"If this button is checked, two collections will be compared\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show 
Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a9e0099e-5eb1-43b8-915c-587aa05bccf0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"Date to Comapre\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where 
TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nAdjust the time range, and when needed select an item in the dropdownlist\",\"style\":\"info\"},\"name\":\"text - 9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox 
Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"EXO & Azure AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":1,\"content\":{\"json\":\"To compare collects, select **Yes** and choose the initial date.\\r\\nFor each role, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - GUID of user instead of the name\\r\\n - Fusion of modifications when a role assisgnment is changed within the same collect \\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. For more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog - Online\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality is not available for all sections in this workbook.\\r\\n\"},\"name\":\"text - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange on-premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. 
For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. \\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 
Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with 
*\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Display important security configurations that allow to access mailboxes' content. Direct delegations on mailboxes are not listed (Full Access permission mailboxes or direct delegations on mailboxes folders)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| where CmdletResultValue.Role contains \\\"Export\\\" or CmdletResultValue.Role contains \\\"Impersonation\\\" or CmdletResultValue.Role contains \\\"Search\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role)\",\"size\":3,\"title\":\"Number of accounts with sensitive RBAC 
roles\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes. This role is very powerfull and should be carefully delegated. When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nIt is common to see service accounts for backup solution, antivirus software, MDM...\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SensitiveRBACHelp\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName !contains 
\\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":3,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to import contents in all mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is an RBAC role that allows an account to import (export is not available online) contant in a user mailbox. It also allows searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. 
The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, 
Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"export\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to search inside all or in a scope of mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nDiscovery Management has been 
excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"Group\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| 
extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"Search\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search 
Role\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Group\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - TenantAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Organization Management\\r\\n - ExchangeServiceAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Hygiene Management\\r\\n - Security Administrator (Membership in this role group is synchronized across services and managed centrally)\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - Compliance Management\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. 
The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\" Number of direct members per group with RecipientType User\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n//| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| where RoleGroup has_any (\\\"TenantAdmins\\\",\\\"Organization Management\\\", \\\"Discovery Management\\\", \\\"Compliance Management\\\", \\\"Server Management\\\", \\\"ExchangeServiceAdmins\\\",\\\"Security Administrator\\\", \\\"SecurityAdmins\\\", \\\"Recipient Manangement\\\", \\\"Records Manangement\\\",\\\"Impersonation\\\",\\\"Export\\\")\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 
0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Number of direct members per group with RecipientType User\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList - Copy\"},{\"type\":1,\"content\":{\"json\":\"Exchange Online groups content.\\r\\nSelect a group to display detailed information of its contents.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows 
Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Name)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\nExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.RoleGroup == \\\"{Group}\\\"\\r\\n//| where CmdletResultValue.Level != 0\\r\\n| project CmdletResultValue\\r\\n| extend Members = tostring(CmdletResultValue.Identity)\\r\\n//| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n//| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n//| extend Level = tostring(CmdletResultValue.Level)\\r\\n//| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n//| extend LastLogon = CmdletResultValue.LastLogonString\\r\\n//| extend LastLogon = iif ( todatetime (CmdletResultValue.LastLogonString) < ago(-366d), CmdletResultValue.LastLogonString,strcat(\\\"💥\\\",CmdletResultValue.LastLogonString))\\r\\n//| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend Members = case( CmdletResultValue.RecipientType == \\\"Group\\\", strcat( \\\"👪 \\\", Members), strcat( \\\"🧑‍🦰 \\\", Members) )\\r\\n| extend RecipientType = 
tostring(CmdletResultValue.RecipientType)\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security configuration\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Inbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Inbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = 
tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = 
tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = 
tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"InBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | 
distinct Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) 
and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend SenderIPAddresses = iff( Identity == prev(Identity) and SenderIPAddresses != prev(SenderIPAddresses) and prev(SenderIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIPAddresses, \\\" (\\\",prev(SenderIPAddresses),\\\"->\\\", SenderIPAddresses,\\\" )\\\"),SenderIPAddresses)\\r\\n| extend SenderDomains = iff( Identity == prev(Identity) and SenderDomains != prev(SenderDomains) and prev(SenderDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderDomains, \\\" (\\\",prev(SenderDomains),\\\"->\\\", SenderDomains,\\\" )\\\"),SenderDomains)\\r\\n| extend TrustedOrganizations = iff( Identity == prev(Identity) and TrustedOrganizations != prev(TrustedOrganizations) and prev(TrustedOrganizations) !=\\\"\\\" , strcat(\\\"📍 \\\", TrustedOrganizations, \\\" (\\\",prev(TrustedOrganizations),\\\"->\\\", TrustedOrganizations,\\\" )\\\"),TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = iff (Identity == prev(Identity) and AssociatedAcceptedDomainsRequireTls != prev(AssociatedAcceptedDomainsRequireTls) and prev(AssociatedAcceptedDomainsRequireTls) !=\\\"\\\" , strcat(\\\"📍 \\\", AssociatedAcceptedDomainsRequireTls, \\\" (\\\",prev(AssociatedAcceptedDomainsRequireTls),\\\"->\\\", AssociatedAcceptedDomainsRequireTls,\\\" )\\\"),AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = 
iff(Identity == prev(Identity) and RestrictDomainsToIPAddresses != prev(RestrictDomainsToIPAddresses) and prev(RestrictDomainsToIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToIPAddresses, \\\" (\\\",prev(RestrictDomainsToIPAddresses),\\\"->\\\", RestrictDomainsToIPAddresses,\\\" )\\\"),RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = iff( Identity == prev(Identity) and RestrictDomainsToCertificate != prev(RestrictDomainsToCertificate) and prev(RestrictDomainsToCertificate) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToCertificate, \\\" (\\\",prev(RestrictDomainsToCertificate),\\\"->\\\", RestrictDomainsToCertificate,\\\" )\\\"),RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = iff( Identity == prev(Identity) and TreatMessagesAsInternal != prev(TreatMessagesAsInternal) and prev(TreatMessagesAsInternal) !=\\\"\\\" , strcat(\\\"📍 \\\", TreatMessagesAsInternal, \\\" (\\\",prev(TreatMessagesAsInternal),\\\"->\\\", TreatMessagesAsInternal,\\\" )\\\"),TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = iff(Identity == prev(Identity) and TlsSenderCertificateName != prev(TlsSenderCertificateName) and prev(TlsSenderCertificateName) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsSenderCertificateName, \\\" (\\\",prev(TlsSenderCertificateName),\\\"->\\\", TlsSenderCertificateName,\\\" )\\\"),TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = iff( Identity == prev(Identity) and ScanAndDropRecipients != prev(ScanAndDropRecipients) and prev(ScanAndDropRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ScanAndDropRecipients, \\\" 
(\\\",prev(ScanAndDropRecipients),\\\"->\\\", ScanAndDropRecipients,\\\" )\\\"),ScanAndDropRecipients)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\" or SenderIPAddresses contains \\\"📍\\\" or SenderDomains contains \\\"📍\\\" or TrustedOrganizations contains \\\"📍\\\" or AssociatedAcceptedDomainsRequireTls contains \\\"📍\\\" or RestrictDomainsToIPAddresses contains \\\"📍\\\" or RestrictDomainsToCertificate contains \\\"📍\\\" or CloudServicesMailEnabled contains \\\"📍\\\" or TreatMessagesAsInternal contains \\\"📍\\\" or TlsSenderCertificateName contains \\\"📍\\\" or ScanAndDropRecipients contains \\\"📍\\\" or Comment contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n 
ConnectorSource,\\r\\n Comment,\\r\\n SenderIPAddresses,\\r\\n SenderDomains,\\r\\n TrustedOrganizations,\\r\\n AssociatedAcceptedDomainsRequireTls,\\r\\n RestrictDomainsToIPAddresses,\\r\\n RestrictDomainsToCertificate,\\r\\n CloudServicesMailEnabled,\\r\\n TreatMessagesAsInternal,\\r\\n TlsSenderCertificateName,\\r\\n ScanAndDropRecipients,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Inbound Connector configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Outbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n| extend SmartHosts = 
tostring(CmdletResultValue.SmartHosts)\\r\\n| extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n| extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n| extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n| extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n| extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n| extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n| extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Outbound Connector configuration - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = 
(ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = 
tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = 
todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"OutBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp 
= tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project 
WhenChanged,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend Comment = iff( Comment == prev(Comment) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend RecipientDomains = iff( Identity == prev(Identity) and RecipientDomains != prev(RecipientDomains) and prev(RecipientDomains) !=\\\"\\\" , 
strcat(\\\"📍 \\\", RecipientDomains, \\\" (\\\",prev(RecipientDomains),\\\"->\\\", RecipientDomains,\\\" )\\\"),RecipientDomains)\\r\\n| extend SmartHosts = iff( Identity == prev(Identity) and SmartHosts != prev(SmartHosts) and prev(SmartHosts) !=\\\"\\\" , strcat(\\\"📍 \\\", SmartHosts, \\\" (\\\",prev(SmartHosts),\\\"->\\\", SmartHosts,\\\" )\\\"),SmartHosts)\\r\\n| extend TlsDomain = iff( Identity == prev(Identity) and TlsDomain != prev(TlsDomain) and prev(TlsDomain) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsDomain, \\\" (\\\",prev(TlsDomain),\\\"->\\\", TlsDomain,\\\" )\\\"),TlsDomain)\\r\\n| extend IsTransportRuleScoped = iff( Identity == prev(Identity) and IsTransportRuleScoped != prev(IsTransportRuleScoped) and prev(IsTransportRuleScoped) !=\\\"\\\" , strcat(\\\"📍 \\\", IsTransportRuleScoped, \\\" (\\\",prev(IsTransportRuleScoped),\\\"->\\\", IsTransportRuleScoped,\\\" )\\\"),IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = iff( Identity == prev(Identity) and RouteAllMessagesViaOnPremises != prev(RouteAllMessagesViaOnPremises) and prev(RouteAllMessagesViaOnPremises) !=\\\"\\\" , strcat(\\\"📍 \\\", RouteAllMessagesViaOnPremises, \\\" (\\\",prev(RouteAllMessagesViaOnPremises),\\\"->\\\", RouteAllMessagesViaOnPremises,\\\" )\\\"),RouteAllMessagesViaOnPremises)\\r\\n| extend AllAcceptedDomains = iff( Identity == prev(Identity) and AllAcceptedDomains != prev(AllAcceptedDomains) and prev(AllAcceptedDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", AllAcceptedDomains, \\\" (\\\",prev(AllAcceptedDomains),\\\"->\\\", AllAcceptedDomains,\\\" )\\\"),AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = iff( Identity == prev(Identity) and SenderRewritingEnabled != prev(SenderRewritingEnabled) and prev(SenderRewritingEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderRewritingEnabled, \\\" (\\\",prev(SenderRewritingEnabled),\\\"->\\\", SenderRewritingEnabled,\\\" )\\\"),SenderRewritingEnabled)\\r\\n| extend TestMode = iff( Identity == prev(Identity)and TestMode != 
prev(TestMode) and prev(TestMode) !=\\\"\\\" , strcat(\\\"📍 \\\", TestMode, \\\" (\\\",prev(TestMode),\\\"->\\\", TestMode,\\\" )\\\"),TestMode)\\r\\n| extend LinkForModifiedConnector = iff( Identity == prev(Identity) and LinkForModifiedConnector != prev(LinkForModifiedConnector) and prev(LinkForModifiedConnector) !=\\\"\\\" , strcat(\\\"📍 \\\", LinkForModifiedConnector, \\\" (\\\",prev(LinkForModifiedConnector),\\\"->\\\", LinkForModifiedConnector,\\\" )\\\"),LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = iff( Identity == prev(Identity) and ValidationRecipients != prev(ValidationRecipients) and prev(ValidationRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ValidationRecipients, \\\" (\\\",prev(ValidationRecipients),\\\"->\\\", ValidationRecipients,\\\" )\\\"),ValidationRecipients)\\r\\n| extend IsValidated = iff( Identity == prev(Identity) and IsValidated != prev(IsValidated) and prev(IsValidated) !=\\\"\\\" , strcat(\\\"📍 \\\", IsValidated, \\\" (\\\",prev(IsValidated),\\\"->\\\", IsValidated,\\\" )\\\"),IsValidated)\\r\\n| extend LastValidationTimestamp = iff( Identity == prev(Identity) and LastValidationTimestamp != prev(LastValidationTimestamp) and prev(LastValidationTimestamp) !=\\\"\\\" , strcat(\\\"📍 \\\", LastValidationTimestamp, \\\" (\\\",prev(LastValidationTimestamp),\\\"->\\\", LastValidationTimestamp,\\\" )\\\"),LastValidationTimestamp)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\"or CloudServicesMailEnabled contains \\\"📍\\\" or Comment contains \\\"📍\\\" or UseMXRecord contains \\\"📍\\\" or RecipientDomains contains \\\"📍\\\" or SmartHosts contains \\\"📍\\\" or TlsDomain contains \\\"📍\\\" or TlsSettings contains 
\\\"📍\\\" or IsTransportRuleScoped contains \\\"📍\\\" or RouteAllMessagesViaOnPremises contains \\\"📍\\\" or AllAcceptedDomains contains \\\"📍\\\" or SenderRewritingEnabled contains \\\"📍\\\" or TestMode contains \\\"📍\\\" or LinkForModifiedConnector contains \\\"📍\\\" or ValidationRecipients contains \\\"📍\\\" or IsValidated contains \\\"📍\\\" or LastValidationTimestamp contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource, \\r\\n CloudServicesMailEnabled,\\r\\n Comment,\\r\\n UseMXRecord,\\r\\n RecipientDomains,\\r\\n SmartHosts,\\r\\n TlsDomain,\\r\\n TlsSettings,\\r\\n IsTransportRuleScoped,\\r\\n RouteAllMessagesViaOnPremises,\\r\\n AllAcceptedDomains,\\r\\n SenderRewritingEnabled,\\r\\n TestMode,\\r\\n LinkForModifiedConnector,\\r\\n ValidationRecipients,\\r\\n IsValidated,\\r\\n LastValidationTimestamp,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- SentTo\\r\\n- CopyTo\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n| extend State = tostring(CmdletResultValue.State)\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n| extend SenderIpRangesString = 
tostring(CmdletResultValue.SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"** Due to lack of informaiton in Powershell, the Transport Rule compare section could display approximate information for Add and Modif. Especially, for the WhenCreated parameter.\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = 
tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange =\\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"TransportRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| sort by Identity,TimeGenerated asc\\r\\n | extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend WhenChanged = todatetime(bin(WhenChanged,1m))\\r\\n | extend aa=prev(WhenCreated)\\r\\n | extend WhenCreated = iff( Identity == prev(Identity) and WhenChanged != prev(WhenChanged),aa ,WhenChanged)\\r\\n | extend WhenCreated =bin(WhenCreated,1m)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = inner (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,Mode,SetSCL,SenderIpRangesString,MessageTypeMatchesString,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData1 = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffAddData2 = union 
DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\"\\r\\n| distinct Identity;\\r\\nlet DiffAddData = DiffAddData1\\r\\n| join DiffAddData2 on Identity\\r\\n;\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenChanged,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo, SetSCL, SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend SentTo = iff( Identity == prev(Identity) and SentTo != prev(SentTo) and prev(SentTo) !=\\\"\\\" , strcat(\\\"📍 \\\", SentTo, \\\" (\\\",prev(SentTo),\\\"->\\\", SentTo,\\\" )\\\"),SentTo)\\r\\n| extend BlindCopyTo = iff( Identity == prev(Identity) and BlindCopyTo != prev(BlindCopyTo) and prev(BlindCopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\",prev(BlindCopyTo),\\\"->\\\", BlindCopyTo,\\\" )\\\"),BlindCopyTo)\\r\\n| extend CopyTo = iff( Identity == prev(Identity) and CopyTo != prev(CopyTo) and prev(CopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", CopyTo, \\\" (\\\",prev(CopyTo),\\\"->\\\", CopyTo,\\\" )\\\"),CopyTo)\\r\\n| extend SetSCL = iff( Identity == prev(Identity)and SetSCL != prev(SetSCL) and prev(SetSCL) !=\\\"\\\" , strcat(\\\"📍 \\\", SetSCL, \\\" (\\\",prev(SetSCL),\\\"->\\\", SetSCL,\\\" )\\\"),SetSCL)\\r\\n| extend SenderIpRangesString = 
iff( Identity == prev(Identity)and SenderIpRangesString != prev(SenderIpRangesString) and prev(SenderIpRangesString) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIpRangesString, \\\" (\\\",prev(SenderIpRangesString),\\\"->\\\", SenderIpRangesString,\\\" )\\\"),SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = iff( Identity == prev(Identity)and MessageTypeMatchesString != prev(MessageTypeMatchesString) and prev(MessageTypeMatchesString) !=\\\"\\\" , strcat(\\\"📍 \\\", MessageTypeMatchesString, \\\" (\\\",prev(MessageTypeMatchesString),\\\"->\\\", MessageTypeMatchesString,\\\" )\\\"),MessageTypeMatchesString)\\r\\n| extend Mode = iff( Identity == prev(Identity)and Mode != prev(Mode) and prev(Mode) !=\\\"\\\" , strcat(\\\"📍 \\\", Mode, \\\" (\\\",prev(Mode),\\\"->\\\", Mode,\\\" )\\\"),Mode)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or SetSCL contains \\\"📍\\\" or SenderIpRangesString contains \\\"📍\\\" or MessageTypeMatchesString contains \\\"📍\\\" or Mode contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n SetSCL,\\r\\n 
SenderIpRangesString,\\r\\n MessageTypeMatchesString,\\r\\n Mode,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Policy : Autoforward configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is enabled, then automatic transfer are allowed.\\r\\nFor example: users in Outlook will be able set automatic transfer of all their emails to external addresses.\\r\\nThere are several methods to authorized automatic forward. \\r\\nPlease review this article : https://learn.microsoft.com/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide\\r\\n**In summary :**\\r\\n\\r\\n**Scenario 1 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Off.\\r\\n*Result :* \\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\n\\r\\n**Scenario 2 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Automatic - System-controlled.\\r\\n\\r\\n*Result :* \\r\\n\\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\nAs described earlier, Automatic - System-controlled used to mean On, but the setting has changed over time to mean Off in all organizations.\\r\\n\\r\\nFor absolute clarity, you should 
configure your outbound spam filter policy to On or Off.\\r\\n\\r\\n**Scenario 3 :**\\r\\n\\r\\nAutomatic forwarding in the outbound spam filter policy is set to On\\r\\nYou use mail flow rules or remote domains to block automatically forwarded email\\r\\n\\r\\n*Result : *\\r\\n\\r\\nAutomatically forwarded messages to affected recipients are blocked by mail flow rules or remote domains.\\r\\n****\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n| extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n| extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n| extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n| extend AutoForwardingMode= iff (CmdletResultValue.AutoForwardingMode == \\\"On\\\" , strcat (\\\"❌ \\\", tostring(CmdletResultValue.AutoForwardingMode)), tostring(CmdletResultValue.AutoForwardingMode))\\r\\n| extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n| extend 
RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n| extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n| extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n| extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n| extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n| extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n| extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n| extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n| project Identity,IsDefault,Enabled,AutoForwardingMode,OutboundSpamFilterRule,BccSuspiciousOutboundAdditionalRecipients,BccSuspiciousOutboundMail,NotifyOutboundSpam,NotifyOutboundSpamRecipient,WhenChanged,WhenCreated\\r\\n| sort by Identity asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"OutboundPol - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = 
todatetime(toscalar(_currD));\\r\\nlet HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = 
todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRangeOSFR = ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n | project Identity, HostedOutboundSpamFilterPolicy;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterPolicy\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | project\\r\\n TimeGenerated,\\r\\n Identity,\\r\\n CmdletResultValue,\\r\\n WhenChanged = todatetime(bin(WhenChanged_t,1m)),\\r\\n WhenCreated=todatetime(bin(WhenCreated_t,1m))\\r\\n | join kind=fullouter allDataRangeOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= 
tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData\\r\\n | where WhenCreated >= _DateCompareB)\\r\\n on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange) on WhenCreated\\r\\n | where WhenCreated >= _DateCompareB\\r\\n | where bin(WhenCreated, 5m) == bin(WhenChanged, 5m)\\r\\n | distinct\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddData = union DiffAddDataP1, DiffAddDataP2\\r\\n | extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n 
OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | project\\r\\n WhenChanged=_CurrentDateB,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nlet DiffModifData = union AfterData, allDataRange\\r\\n | sort by Identity, WhenChanged asc\\r\\n | project\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | extend Identity = iff(Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) != \\\"\\\", strcat(\\\"📍 \\\", Identity, \\\" (\\\", prev(Identity), \\\"->\\\", Identity, \\\" )\\\"), Identity)\\r\\n | extend IsDefault = iff(Identity == prev(Identity) and IsDefault != prev(IsDefault) and prev(IsDefault) != \\\"\\\", strcat(\\\"📍 \\\", IsDefault, \\\" (\\\", prev(IsDefault), \\\"->\\\", IsDefault, \\\" )\\\"), IsDefault)\\r\\n | extend Enabled = iff(Identity == prev(Identity) and Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\", strcat(\\\"📍 
\\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend AutoForwardingMode = iff(Identity == prev(Identity) and AutoForwardingMode != prev(AutoForwardingMode) and prev(AutoForwardingMode) != \\\"\\\", strcat(\\\"📍 \\\", AutoForwardingMode, \\\" (\\\", prev(AutoForwardingMode), \\\"->\\\", AutoForwardingMode, \\\" )\\\"), AutoForwardingMode)\\r\\n | extend OutboundSpamFilterRule = iff(Identity == prev(Identity) and OutboundSpamFilterRule != prev(OutboundSpamFilterRule) and prev(OutboundSpamFilterRule) != \\\"\\\", strcat(\\\"📍 \\\", OutboundSpamFilterRule, \\\" (\\\", prev(OutboundSpamFilterRule), \\\"->\\\", OutboundSpamFilterRule, \\\" )\\\"), OutboundSpamFilterRule)\\r\\n | extend RecommendedPolicyType = iff(Identity == prev(Identity) and RecommendedPolicyType != prev(RecommendedPolicyType) and prev(RecommendedPolicyType) != \\\"\\\", strcat(\\\"📍 \\\", RecommendedPolicyType, \\\" (\\\", prev(RecommendedPolicyType), \\\"->\\\", RecommendedPolicyType, \\\" )\\\"), RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = iff(Identity == prev(Identity) and RecipientLimitExternalPerHour != prev(RecipientLimitExternalPerHour) and prev(RecipientLimitExternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitExternalPerHour, \\\" (\\\", prev(RecipientLimitExternalPerHour), \\\"->\\\", RecipientLimitExternalPerHour, \\\" )\\\"), RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = iff(Identity == prev(Identity) and RecipientLimitInternalPerHour != prev(RecipientLimitInternalPerHour) and prev(RecipientLimitInternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitInternalPerHour, \\\" (\\\", prev(RecipientLimitInternalPerHour), \\\"->\\\", RecipientLimitInternalPerHour, \\\" )\\\"), RecipientLimitInternalPerHour)\\r\\n | extend ActionWhenThresholdReached = iff(Identity == prev(Identity) and ActionWhenThresholdReached != prev(ActionWhenThresholdReached) and 
prev(ActionWhenThresholdReached) != \\\"\\\", strcat(\\\"📍 \\\", ActionWhenThresholdReached, \\\" (\\\", prev(ActionWhenThresholdReached), \\\"->\\\", ActionWhenThresholdReached, \\\" )\\\"), ActionWhenThresholdReached)\\r\\n | extend RecipientLimitPerDay = iff(Identity == prev(Identity) and RecipientLimitPerDay != prev(RecipientLimitPerDay) and prev(RecipientLimitPerDay) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitPerDay, \\\" (\\\", prev(RecipientLimitPerDay), \\\"->\\\", RecipientLimitPerDay, \\\" )\\\"), RecipientLimitPerDay)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients = iff(Identity == prev(Identity) and BccSuspiciousOutboundAdditionalRecipients != prev(BccSuspiciousOutboundAdditionalRecipients) and prev(BccSuspiciousOutboundAdditionalRecipients) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundAdditionalRecipients, \\\" (\\\", prev(BccSuspiciousOutboundAdditionalRecipients), \\\"->\\\", BccSuspiciousOutboundAdditionalRecipients, \\\" )\\\"), BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = iff(Identity == prev(Identity) and BccSuspiciousOutboundMail != prev(BccSuspiciousOutboundMail) and prev(BccSuspiciousOutboundMail) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundMail, \\\" (\\\", prev(BccSuspiciousOutboundMail), \\\"->\\\", BccSuspiciousOutboundMail, \\\" )\\\"), BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam = iff(Identity == prev(Identity) and NotifyOutboundSpam != prev(NotifyOutboundSpam) and prev(NotifyOutboundSpam) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpam, \\\" (\\\", prev(NotifyOutboundSpam), \\\"->\\\", NotifyOutboundSpam, \\\" )\\\"), NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = iff(Identity == prev(Identity) and NotifyOutboundSpamRecipient != prev(NotifyOutboundSpamRecipient) and prev(NotifyOutboundSpamRecipient) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpamRecipient, \\\" (\\\", prev(NotifyOutboundSpamRecipient), \\\"->\\\", 
NotifyOutboundSpamRecipient, \\\" )\\\"), NotifyOutboundSpamRecipient)\\r\\n | extend ActiontypeR =iff((Identity contains \\\"📍\\\" or IsDefault contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or OutboundSpamFilterRule contains \\\"📍\\\" or AutoForwardingMode contains \\\"📍\\\" or BccSuspiciousOutboundAdditionalRecipients contains \\\"📍\\\" or BccSuspiciousOutboundMail contains \\\"📍\\\" or NotifyOutboundSpam contains \\\"📍\\\" or NotifyOutboundSpamRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n 
NotifyOutboundSpamRecipient,\\r\\n WhenCreated \",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain and the Outbound Policy is set to On then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName == \\\"*\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName != \\\"*\\\", strcat (\\\"⚠️ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅ \\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = 
arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"RemoteDomain\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,DomainName,AutoForwardEnabled,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend DomainName = iff( Identity == prev(Identity) and DomainName != prev(DomainName) and prev(DomainName) !=\\\"\\\" , strcat(\\\"📍 \\\", DomainName, \\\" (\\\",prev(DomainName),\\\"->\\\", 
DomainName,\\\" )\\\"),DomainName)\\r\\n| extend AutoForwardEnabled = iff( Identity == prev(Identity) and AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\",prev(AutoForwardEnabled),\\\"->\\\", AutoForwardEnabled,\\\" )\\\"),AutoForwardEnabled)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or DomainName contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n DomainName,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security 
configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Security Review Online\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9ae328d6-99c8-4c44-8d59-42ca4d999098\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"ExchangeEnvironmentList(Target=\\\"Online\\\") | where ESIEnvironment != \\\"\\\"\",\"typeSettings\":{\"limitSelectTo\":1,\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a88b4e41-eb2f-41bf-92d8-27c83650a4b8\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateOfConfiguration\",\"label\":\"Collection time\",\"type\":2,\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 
'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"181fa282-a002-42f1-ad57-dfb86df3194e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Compare_Collect\",\"type\":10,\"description\":\"If this button is checked, two collections will be compared\",\"isRequired\":true,\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true 
}\\r\\n]\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a9e0099e-5eb1-43b8-915c-587aa05bccf0\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DateCompare\",\"type\":2,\"description\":\"Date to Comapre\",\"isRequired\":true,\"query\":\"let _configurationEnv = split(iff(isnull({EnvironmentList}) or isempty({EnvironmentList}) or tolower({EnvironmentList}) == \\\"all\\\",\\\"All\\\",tostring({EnvironmentList})),',');\\r\\nESIExchangeOnlineConfig_CL\\r\\n| extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n| where ScopedEnvironment in (_configurationEnv)\\r\\n| extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n| summarize Collection = max(Collection)\\r\\n| project Collection = \\\"lastdate\\\", Selected = true\\r\\n| join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | summarize by Collection \\r\\n | join kind= fullouter ( ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = 
iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm ')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | join kind=leftouter (\\r\\n ESIExchangeOnlineConfig_CL | extend ScopedEnvironment = iff(_configurationEnv contains \\\"All\\\", \\\"All\\\",ESIEnvironment_s) \\r\\n | where ScopedEnvironment in (_configurationEnv)\\r\\n | where TimeGenerated > ago(90d)\\r\\n | extend Collection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd')\\r\\n | extend PreciseCollection = format_datetime(todatetime(EntryDate_s), 'yyyy-MM-dd HH:mm')\\r\\n | summarize by PreciseCollection, Collection \\r\\n | summarize count() by Collection\\r\\n ) on Collection\\r\\n ) on Collection\\r\\n) on Collection\\r\\n| project Value = iif(Selected,Collection,iif(count_ > 1,PreciseCollection,Collection1)), Label = iif(Selected,\\\"Last Known date\\\",iif(count_ > 1,PreciseCollection,Collection1)), Selected\\r\\n| sort by Selected, Value desc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This workbook helps review your Exchange Security configuration.\\r\\nAdjust the time range, and when needed select an item in the dropdownlist\",\"style\":\"info\"},\"name\":\"text - 
9\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Mailbox Access\",\"subTarget\":\"Delegation\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true},{\"id\":\"be02c735-6150-4b6e-a386-b2b023e754e5\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"EXO & Azure AD Groups\",\"subTarget\":\"ExchAD\",\"style\":\"link\"},{\"id\":\"26c68d90-925b-4c3c-a837-e3cecd489b2d\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Transport Configuration\",\"subTarget\":\"Transport\",\"style\":\"link\"},{\"id\":\"eb2888ca-7fa6-4e82-88db-1bb3663a801e\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"TopMenuTabs\"},{\"type\":1,\"content\":{\"json\":\"To compare collects, select **Yes** and choose the initial date.\\r\\nFor each role, a new table will be displayed with **all** the modifications (Add, Remove, Modifications) beetween the two dates.\\r\\n\\r\\n**Important notes** : Some information are limited are may be not 100% accurate :\\r\\n - Date\\r\\n - GUID of user instead of the name\\r\\n - Fusion of modifications when a role assisgnment is changed within the same collect \\r\\n - ... \\r\\n\\r\\nThis is due to some restrictions in the collect. 
For more details information, please check the workbook **\\\"Microsoft Exchange Search AdminAuditLog - Online\\\"**\\r\\n.\\r\\n\\r\\nThe compare functionnality is not available for all sections in this workbook.\\r\\n\"},\"name\":\"text - 9\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\n\\r\\nThe goal of this workbook is to outline key security configurations of your Exchange on-premises environment.\\r\\n\\r\\nMost of Exchange organizations have were installed years ago (sometimes more than 10 years). Many configurations have been done and might not have been documented. For most environments, the core commitment was maintaining a high availability of the users’ mailboxes putting aside other consideration (even security considerations). Recommended security practices have also evolved since the first released and a regular review is necessary.\\r\\n\\r\\nThis workbook is designed to show your Exchange organization is configured with a security point of view. Indeed, some configurations easy to display as there are no UI available.\\r\\n\\r\\nFor each configuration, you will find explanations and recommendations when applicable.\\r\\n\\r\\n- This workbook does not pretend to show you every weak Security configurations, but the most common issues and known to be used by attackers. 
\\r\\n- It will not show you if you have been comprised, but will help you identify unexpected configuration.\\r\\n\\r\\n----\\r\\n\\r\\n## Quick reminder of how Exchange works\\r\\n\\r\\nDuring Exchange installation two very important groups are created :\\r\\n- Exchange Trusted Subsystem : Contain all the computer accounts for Exchange Server\\r\\n- Exchange Windows Permissions : Contain the group Exchange trusted Subsystem\\r\\n\\r\\nThese groups have :\\r\\n- Very high privileges in ALL AD domains including the root domain\\r\\n- Right on any Exchange including mailboxes\\r\\n\\r\\nAs each Exchange server computer account is member of Exchange Trusted Subsystem, it means by taking control of the computer account or being System on an Exchange server you will gain access to all the permissions granted to Exchange Trusted Subsystem and Exchange Windows Permissions.\\r\\n\\r\\nTo protect AD and Exchange, it is very important to ensure the following:\\r\\n- There is a very limited number of persons that are local Administrator on Exchange server\\r\\n- To protect user right like : Act part of the operating System, Debug\\r\\n\\r\\nEvery service account or application that have high privileges on Exchange need to be considered as sensitive\\r\\n\\r\\n** 💡 Exchange servers need to be considered as very sensitive servers**\\r\\n\\r\\n-----\\r\\n\\r\\n\\r\\n## Tabs\\r\\n\\r\\n### Mailbox Access\\r\\n\\r\\nThis tab will show you several top sensitive delegations that allow an account to access, modify, act as another user, search, export the content of a mailbox.\\r\\n\\r\\n### Exchange & AD Groups\\r\\n\\r\\nThis tab will show you the members of Exchange groups and Sensitive AD groups.\\r\\n\\r\\n### Local Administrators\\r\\n\\r\\nThis tab will show you the non standard content of the local Administrators group. 
Remember that a member of the local Administrators group can take control of the computer account of the server and then it will have all the permissions associated with Exchange Trusted Subsytem and Exchange Windows Permissions\\r\\n\\r\\nThe information is displayed with different views : \\r\\n- List of nonstandard users\\r\\n- Number of servers with a nonstandard a user\\r\\n- Nonstandard groups content\\r\\n- For each user important information are displayed like last logon, last password set, enabled\\r\\n\\r\\n### Exchange Security configuration\\r\\n\\r\\nThis tab will show you some important configuration for your Exchange Organization\\r\\n- Status of Admin Audit Log configuration\\r\\n- Status of POP and IMAP configuration : especially, is Plaintext Authentication configured ?\\r\\n- Nonstandard permissions on the Exchange container in the Configuration Partition\\r\\n\\r\\n### Transport Configuration\\r\\n\\r\\nThis tab will show you the configuration of the main Transport components\\r\\n- Receive Connectors configured with Anonymous and/or Open Relay\\r\\n- Remote Domain Autoforward configuration\\r\\n- Transport Rules configured with BlindCopyTo, SendTo, RedirectTo\\r\\n- Journal Rule and Journal Recipient configurations\\r\\n- Accepted Domains with *\\r\\n\\r\\n\"},\"name\":\"WorkbookInfo\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"InformationTab\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Display important security configurations that allow to access mailboxes' content. 
Direct delegations on mailboxes are not listed (Full Access permission mailboxes or direct delegations on mailboxes folders)\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Name !contains \\\"Deleg\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\"\\r\\n| where CmdletResultValue.Role contains \\\"Export\\\" or CmdletResultValue.Role contains \\\"Impersonation\\\" or CmdletResultValue.Role contains \\\"Search\\\"\\r\\n| summarize dcount(tostring(CmdletResultValue.RoleAssigneeName)) by role=tostring(CmdletResultValue.Role)\",\"size\":3,\"title\":\"Number of accounts with sensitive RBAC roles\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"role\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_CmdletResultValue_RoleAssigneeName\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"role\",\"sortOrderField\":1}},\"name\":\"MRAQuery\"},{\"type\":1,\"content\":{\"json\":\"**ApplicationImpersonation** is a RBAC role that allows access (read and modify) to the content of all mailboxes. This role is very powerfull and should be carefully delegated. 
When a delegation is necessary, RBAC scopes should be configured to limit the list of impacted mailboxes.\\r\\n\\r\\nIt is common to see service accounts for backup solution, antivirus software, MDM...\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SensitiveRBACHelp\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Application Impersonation Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows the delegated account to access and modify the content of every mailboxes using EWS.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"Impersonation\\\" and CmdletResultValue.RoleAssigneeName != \\\"Hygiene Management\\\" and CmdletResultValue.RoleAssigneeName !contains \\\"RIM-MailboxAdmins\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| 
extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExclusionsAcctValue = dynamic([\\\"Hygiene Management\\\", \\\"RIM-MailboxAdmins\\\"]);\\r\\nMESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = ExclusionsAcctValue ,CurrentRole=\\\"Impersonation\\\")\",\"size\":3,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Application Impersonation Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Import Export Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to import contents in all mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\n\"},\"name\":\"text - 
0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Import Export** is an RBAC role that allows an account to import (export is not available online) contant in a user mailbox. It also allows searches in all mailboxes.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is not delegated to any user or group. The members of the group Organization Management by default do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n- create an empty group with this delegation\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"export\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"RoleGroup\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= 
tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"export\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Import Export Role\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Mailbox Search 
Role\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This delegation allows to search inside all or in a scope of mailboxes.\\r\\nExcluded from the result as it is a default configuration :\\r\\nDelegating delegation to Organization Management\\r\\nDiscovery Management has been excluded\\r\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"**Mailbox Search** is an RBAC role that allows an account to search in any mailbox.\\r\\n\\r\\n⚡ This role is very powerfull.\\r\\n\\r\\nBy default, this role is only delegated to the group Discovery Management. The members of the group Organization Management do not have this role but are able to delegate it.\\r\\n\\r\\nℹ️ Recommendations\\r\\n\\r\\nIf you temporarily need this delegation, consider the following:\\r\\n\\r\\n- add the administrators in the Discovery Management group\\r\\n- monitor the group content and alert when the group modified\\r\\n- add administrators in this group only for a short period of time\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"SearchRBACHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"MRA\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| where CmdletResultValue.Role contains \\\"search\\\" and CmdletResultValue.Name !contains \\\"Deleg\\\"\\r\\n| where CmdletResultValue.RoleAssigneeName != \\\"Exchange Online-ApplicationAccount\\\" and CmdletResultValue.RoleAssigneeName != \\\"Discovery Management\\\"\\r\\n| extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)\\r\\n| extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType== \\\"User\\\" , \\\"User\\\", \\\"Group\\\")\\r\\n| extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)\\r\\n| extend CustomConfigWriteScope = 
tostring(CmdletResultValue.CustomConfigWriteScope)\\r\\n| extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)\\r\\n| extend RecipientWriteScope = CmdletResultValue.RecipientWriteScope\\r\\n| extend ConfigWriteScope = CmdletResultValue.ConfigWriteScope\\r\\n| extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)\\r\\n| extend Status= tostring(CmdletResultValue.Enabled)\\r\\n| extend RoleAssigneeName = iff( RoleAssigneeType == \\\"User\\\", strcat(\\\"🧑‍🦰 \\\",RoleAssigneeName), strcat(\\\"👪 \\\", RoleAssigneeName) )\\r\\n| project RoleAssigneeName, RoleAssigneeType, Status,CustomRecipientWriteScope,CustomConfigWriteScope,CustomResourceScope,RecipientWriteScope,ConfigWriteScope,ManagementRoleAssignement,WhenChanged,WhenCreated\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MESCompareDataMRA(SectionCompare=\\\"MRA\\\",DateCompare=\\\"{DateCompare:value}\\\",CurrentDate = \\\"{DateOfConfiguration:value}\\\",EnvList ={EnvironmentList},TypeEnv = \\\"Online\\\",ExclusionsAcct = \\\"N/A\\\",CurrentRole=\\\"Search\\\")\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"ManagementRoleAssignement\"],\"expandTopLevel\":true},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"ConfigWriteScope\",\"sortOrder\":1}]},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 1 - Copy\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Mailbox Search Role\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Delegation\"},\"name\":\"Importantsecurityconfiguration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Exchange Group\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"ℹ️ Recommendations\\r\\n\\r\\n- Ensure that no service account are a member of the high privilege groups. Use RBAC to delegate the exact required permissions.\\r\\n- Limit the usage of nested group for administration.\\r\\n- Ensure that accounts are given only the required pernissions to execute their tasks.\\r\\n- Use just in time administration principle by adding users in a group only when they need the permissions, then remove them when their operation is over.\\r\\n- Limit the number of Organization management members. 
When you review the Admin Audit logs you might see that the administrators rarely needed Organization Management privileges.\\r\\n- Monitor the content of the following groups:\\r\\n - TenantAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Organization Management\\r\\n - ExchangeServiceAdmins_-xxx (Membership in this role group is synchronized across services and managed centrally)\\r\\n - Recipient Management (Member of this group have at least the following rights : set-mailbox, Add-MailboxPermission)\\r\\n - Discovery Management\\r\\n - Hygiene Management\\r\\n - Security Administrator (Membership in this role group is synchronized across services and managed centrally)\\r\\n - xxx High privilege group (not an exhaustive list)\\r\\n - Compliance Management\\r\\n - All RBAC groups that have high roles delegation\\r\\n - All nested groups in high privileges groups\\r\\n - Note that this is not a complete list. The content of all the groups that have high privileges should be monitored.\\r\\n- Each time a new RBAC group is created, decide if the content of this groups should be monitored\\r\\n- Periodically review the members of the groups\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\" Number of direct members per group with RecipientType User\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n//| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize 
dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| where RoleGroup has_any (\\\"TenantAdmins\\\",\\\"Organization Management\\\", \\\"Discovery Management\\\", \\\"Compliance Management\\\", \\\"Server Management\\\", \\\"ExchangeServiceAdmins\\\",\\\"Security Administrator\\\", \\\"SecurityAdmins\\\", \\\"Recipient Manangement\\\", \\\"Records Manangement\\\",\\\"Impersonation\\\",\\\"Export\\\")\\r\\n| sort by dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Number of direct members per group with RecipientType User\",\"expandable\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| where CmdletResultValue.RecipientType !contains \\\"group\\\"\\r\\n| extend Members= tostring(CmdletResultValue.Identity)\\r\\n| summarize dcount(tostring(Members)) by RoleGroup = tostring(CmdletResultValue.RoleGroup)\\r\\n| sort by 
dcount_Members\\r\\n\",\"size\":3,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"RoleGroup\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"dcount_Members\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":true,\"sortCriteriaField\":\"dcount_Members\",\"sortOrderField\":2,\"size\":\"auto\"}},\"name\":\"query - 0\"}]},\"name\":\"ExchangeGroupsList - Copy\"},{\"type\":1,\"content\":{\"json\":\"Exchange Online groups content.\\r\\nSelect a group to display detailed information of its contents.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b4b7a6ad-381a-48d6-9938-bf7cb812b474\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Group\",\"type\":2,\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RoleGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Trusted Subsystem\\\"\\r\\n//| where CmdletResultValue.Parentgroup != \\\"Exchange Windows Permissions\\\"\\r\\n| project CmdletResultValue\\r\\n| extend GroupName = tostring(CmdletResultValue.Name)\\r\\n| distinct GroupName\\r\\n| sort by GroupName asc\\r\\n\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//ExchangeConfiguration(SpecificSectionList=\\\"ExGroup\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = 
\\\"Online\\\")\\r\\nExchangeConfiguration(SpecificSectionList=\\\"RoleGroupMember\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| search CmdletResultValue.RoleGroup == \\\"{Group}\\\"\\r\\n//| where CmdletResultValue.Level != 0\\r\\n| project CmdletResultValue\\r\\n| extend Members = tostring(CmdletResultValue.Identity)\\r\\n//| extend Parentgroup = tostring(CmdletResultValue.Parentgroup)\\r\\n//| extend MemberPath = tostring(CmdletResultValue.MemberPath)\\r\\n//| extend Level = tostring(CmdletResultValue.Level)\\r\\n//| extend ObjectClass = tostring(CmdletResultValue.ObjectClass)\\r\\n//| extend LastLogon = CmdletResultValue.LastLogonString\\r\\n//| extend LastLogon = iif ( todatetime (CmdletResultValue.LastLogonString) < ago(-366d), CmdletResultValue.LastLogonString,strcat(\\\"💥\\\",CmdletResultValue.LastLogonString))\\r\\n//| extend LastPwdSet = CmdletResultValue.LastPwdSetString\\r\\n//| extend Enabled = tostring(CmdletResultValue.Enabled)\\r\\n| extend Members = case( CmdletResultValue.RecipientType == \\\"Group\\\", strcat( \\\"👪 \\\", Members), strcat( \\\"🧑‍🦰 \\\", Members) )\\r\\n| extend RecipientType = tostring(CmdletResultValue.RecipientType)\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"CmdletResultValue\",\"formatter\":5}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"ExchangeServersGroupsGrid\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Exchange group\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"ExchAD\"},\"name\":\"Exchange and AD GRoup\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Security 
configuration\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Inbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the Inbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| extend WhenChanged = 
tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend 
RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"InBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend 
ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"InBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend SenderIPAddresses = tostring(CmdletResultValue.SenderIPAddresses)\\r\\n\\t| extend SenderDomains = tostring(CmdletResultValue.SenderDomains)\\r\\n\\t| extend TrustedOrganizations = tostring(CmdletResultValue.TrustedOrganizations)\\r\\n\\t| extend AssociatedAcceptedDomainsRequireTls = tostring(CmdletResultValue.AssociatedAcceptedDomainsRequireTls)\\r\\n\\t| extend RestrictDomainsToIPAddresses = tostring(CmdletResultValue.RestrictDomainsToIPAddresses)\\r\\n\\t| extend RestrictDomainsToCertificate = tostring(CmdletResultValue.RestrictDomainsToCertificate)\\r\\n\\t| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n\\t| extend TreatMessagesAsInternal = tostring(CmdletResultValue.TreatMessagesAsInternal)\\r\\n\\t| extend TlsSenderCertificateName = tostring(CmdletResultValue.TlsSenderCertificateName)\\r\\n\\t| extend ScanAndDropRecipients = tostring(CmdletResultValue.ScanAndDropRecipients)\\r\\n\\t| extend Comment = 
tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project 
WhenChanged,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend SenderIPAddresses = iff( Identity == prev(Identity) and SenderIPAddresses != prev(SenderIPAddresses) and prev(SenderIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIPAddresses, \\\" (\\\",prev(SenderIPAddresses),\\\"->\\\", SenderIPAddresses,\\\" )\\\"),SenderIPAddresses)\\r\\n| extend SenderDomains = iff( Identity == prev(Identity) and SenderDomains != prev(SenderDomains) and prev(SenderDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderDomains, \\\" (\\\",prev(SenderDomains),\\\"->\\\", SenderDomains,\\\" )\\\"),SenderDomains)\\r\\n| extend TrustedOrganizations = iff( Identity == prev(Identity) and TrustedOrganizations != prev(TrustedOrganizations) and prev(TrustedOrganizations) !=\\\"\\\" , strcat(\\\"📍 \\\", 
TrustedOrganizations, \\\" (\\\",prev(TrustedOrganizations),\\\"->\\\", TrustedOrganizations,\\\" )\\\"),TrustedOrganizations)\\r\\n| extend AssociatedAcceptedDomainsRequireTls = iff (Identity == prev(Identity) and AssociatedAcceptedDomainsRequireTls != prev(AssociatedAcceptedDomainsRequireTls) and prev(AssociatedAcceptedDomainsRequireTls) !=\\\"\\\" , strcat(\\\"📍 \\\", AssociatedAcceptedDomainsRequireTls, \\\" (\\\",prev(AssociatedAcceptedDomainsRequireTls),\\\"->\\\", AssociatedAcceptedDomainsRequireTls,\\\" )\\\"),AssociatedAcceptedDomainsRequireTls)\\r\\n| extend RestrictDomainsToIPAddresses = iff(Identity == prev(Identity) and RestrictDomainsToIPAddresses != prev(RestrictDomainsToIPAddresses) and prev(RestrictDomainsToIPAddresses) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToIPAddresses, \\\" (\\\",prev(RestrictDomainsToIPAddresses),\\\"->\\\", RestrictDomainsToIPAddresses,\\\" )\\\"),RestrictDomainsToIPAddresses)\\r\\n| extend RestrictDomainsToCertificate = iff( Identity == prev(Identity) and RestrictDomainsToCertificate != prev(RestrictDomainsToCertificate) and prev(RestrictDomainsToCertificate) !=\\\"\\\" , strcat(\\\"📍 \\\", RestrictDomainsToCertificate, \\\" (\\\",prev(RestrictDomainsToCertificate),\\\"->\\\", RestrictDomainsToCertificate,\\\" )\\\"),RestrictDomainsToCertificate)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend TreatMessagesAsInternal = iff( Identity == prev(Identity) and TreatMessagesAsInternal != prev(TreatMessagesAsInternal) and prev(TreatMessagesAsInternal) !=\\\"\\\" , strcat(\\\"📍 \\\", TreatMessagesAsInternal, \\\" (\\\",prev(TreatMessagesAsInternal),\\\"->\\\", TreatMessagesAsInternal,\\\" 
)\\\"),TreatMessagesAsInternal)\\r\\n| extend TlsSenderCertificateName = iff(Identity == prev(Identity) and TlsSenderCertificateName != prev(TlsSenderCertificateName) and prev(TlsSenderCertificateName) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsSenderCertificateName, \\\" (\\\",prev(TlsSenderCertificateName),\\\"->\\\", TlsSenderCertificateName,\\\" )\\\"),TlsSenderCertificateName)\\r\\n| extend ScanAndDropRecipients = iff( Identity == prev(Identity) and ScanAndDropRecipients != prev(ScanAndDropRecipients) and prev(ScanAndDropRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ScanAndDropRecipients, \\\" (\\\",prev(ScanAndDropRecipients),\\\"->\\\", ScanAndDropRecipients,\\\" )\\\"),ScanAndDropRecipients)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\" or SenderIPAddresses contains \\\"📍\\\" or SenderDomains contains \\\"📍\\\" or TrustedOrganizations contains \\\"📍\\\" or AssociatedAcceptedDomainsRequireTls contains \\\"📍\\\" or RestrictDomainsToIPAddresses contains \\\"📍\\\" or RestrictDomainsToCertificate contains \\\"📍\\\" or CloudServicesMailEnabled contains \\\"📍\\\" or TreatMessagesAsInternal contains \\\"📍\\\" or TlsSenderCertificateName contains \\\"📍\\\" or ScanAndDropRecipients contains \\\"📍\\\" or Comment contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project 
WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,SenderIPAddresses,SenderDomains,TrustedOrganizations,AssociatedAcceptedDomainsRequireTls,RestrictDomainsToIPAddresses,RestrictDomainsToCertificate,CloudServicesMailEnabled,TreatMessagesAsInternal,TlsSenderCertificateName,ScanAndDropRecipients,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource,\\r\\n Comment,\\r\\n SenderIPAddresses,\\r\\n SenderDomains,\\r\\n TrustedOrganizations,\\r\\n AssociatedAcceptedDomainsRequireTls,\\r\\n RestrictDomainsToIPAddresses,\\r\\n RestrictDomainsToCertificate,\\r\\n CloudServicesMailEnabled,\\r\\n TreatMessagesAsInternal,\\r\\n TlsSenderCertificateName,\\r\\n ScanAndDropRecipients,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 2\"}]},\"name\":\"Inbound Connector configuration\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Connector configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This section shows the configuration of the 
Outbound connnectors\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend State = tostring(CmdletResultValue.Enabled)\\r\\n| extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n| extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n| extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n| extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n| extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n| extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n| extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n| extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n| extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n| extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n| extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n| extend Comment = tostring(CmdletResultValue.Comment)\\r\\n| 
extend WhenChanged = tostring(CmdletResultValue.WhenChanged)\\r\\n| extend WhenCreated = tostring(CmdletResultValue.WhenCreated)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Name asc\",\"size\":3,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Outbound Connector configuration - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = 
tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"OutBoundC\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = 
tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"OutBoundC\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n \\t| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend State = tostring(CmdletResultValue.Enabled)\\r\\n | extend UseMXRecord = tostring(CmdletResultValue.UseMXRecord)\\r\\n\\t| extend ConnectorType = tostring(CmdletResultValue.ConnectorType)\\r\\n\\t| extend ConnectorSource = tostring(CmdletResultValue.ConnectorSource)\\r\\n\\t| extend RecipientDomains = tostring(CmdletResultValue.RecipientDomains)\\r\\n | extend SmartHosts = tostring(CmdletResultValue.SmartHosts)\\r\\n | extend TlsDomain = tostring(CmdletResultValue.TlsDomain)\\r\\n | extend TlsSettings = tostring(CmdletResultValue.TlsSettings)\\r\\n | extend IsTransportRuleScoped = tostring(CmdletResultValue.IsTransportRuleScoped)\\r\\n | extend RouteAllMessagesViaOnPremises = tostring(CmdletResultValue.RouteAllMessagesViaOnPremises)\\r\\n | extend CloudServicesMailEnabled = tostring(CmdletResultValue.CloudServicesMailEnabled)\\r\\n | extend AllAcceptedDomains = tostring(CmdletResultValue.AllAcceptedDomains)\\r\\n | extend SenderRewritingEnabled = tostring(CmdletResultValue.SenderRewritingEnabled)\\r\\n | extend TestMode = tostring(CmdletResultValue.TestMode)\\r\\n | extend LinkForModifiedConnector = tostring(CmdletResultValue.LinkForModifiedConnector)\\r\\n | extend ValidationRecipients = tostring(CmdletResultValue.ValidationRecipients)\\r\\n | extend IsValidated = tostring(CmdletResultValue.IsValidated)\\r\\n | extend LastValidationTimestamp = tostring(CmdletResultValue.LastValidationTimestamp)\\r\\n | extend Comment = tostring(CmdletResultValue.Comment)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where 
WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project 
WhenChanged,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend State = iff( Identity == prev(Identity) and State != prev(State) and prev(State) !=\\\"\\\" , strcat(\\\"📍 \\\", State, \\\" (\\\",prev(State),\\\"->\\\", State,\\\" )\\\"),State)\\r\\n| extend ConnectorType = iff( Identity == prev(Identity) and ConnectorType != prev(ConnectorType) and prev(ConnectorType) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorType, \\\" (\\\",prev(ConnectorType),\\\"->\\\", ConnectorType,\\\" )\\\"),ConnectorType)\\r\\n| extend ConnectorSource = iff( Identity == prev(Identity) and ConnectorSource != prev(ConnectorSource) and prev(ConnectorSource) !=\\\"\\\" , strcat(\\\"📍 \\\", ConnectorSource, \\\" (\\\",prev(ConnectorSource),\\\"->\\\", ConnectorSource,\\\" )\\\"),ConnectorSource)\\r\\n| extend CloudServicesMailEnabled = iff( Identity == prev(Identity) and CloudServicesMailEnabled != prev(CloudServicesMailEnabled) and prev(CloudServicesMailEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", CloudServicesMailEnabled, \\\" (\\\",prev(CloudServicesMailEnabled),\\\"->\\\", CloudServicesMailEnabled,\\\" )\\\"),CloudServicesMailEnabled)\\r\\n| extend Comment = iff( Comment == prev(Comment) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend RecipientDomains = iff( Identity == prev(Identity) and RecipientDomains != prev(RecipientDomains) and prev(RecipientDomains) !=\\\"\\\" , 
strcat(\\\"📍 \\\", RecipientDomains, \\\" (\\\",prev(RecipientDomains),\\\"->\\\", RecipientDomains,\\\" )\\\"),RecipientDomains)\\r\\n| extend SmartHosts = iff( Identity == prev(Identity) and SmartHosts != prev(SmartHosts) and prev(SmartHosts) !=\\\"\\\" , strcat(\\\"📍 \\\", SmartHosts, \\\" (\\\",prev(SmartHosts),\\\"->\\\", SmartHosts,\\\" )\\\"),SmartHosts)\\r\\n| extend TlsDomain = iff( Identity == prev(Identity) and TlsDomain != prev(TlsDomain) and prev(TlsDomain) !=\\\"\\\" , strcat(\\\"📍 \\\", TlsDomain, \\\" (\\\",prev(TlsDomain),\\\"->\\\", TlsDomain,\\\" )\\\"),TlsDomain)\\r\\n| extend IsTransportRuleScoped = iff( Identity == prev(Identity) and IsTransportRuleScoped != prev(IsTransportRuleScoped) and prev(IsTransportRuleScoped) !=\\\"\\\" , strcat(\\\"📍 \\\", IsTransportRuleScoped, \\\" (\\\",prev(IsTransportRuleScoped),\\\"->\\\", IsTransportRuleScoped,\\\" )\\\"),IsTransportRuleScoped)\\r\\n| extend RouteAllMessagesViaOnPremises = iff( Identity == prev(Identity) and RouteAllMessagesViaOnPremises != prev(RouteAllMessagesViaOnPremises) and prev(RouteAllMessagesViaOnPremises) !=\\\"\\\" , strcat(\\\"📍 \\\", RouteAllMessagesViaOnPremises, \\\" (\\\",prev(RouteAllMessagesViaOnPremises),\\\"->\\\", RouteAllMessagesViaOnPremises,\\\" )\\\"),RouteAllMessagesViaOnPremises)\\r\\n| extend AllAcceptedDomains = iff( Identity == prev(Identity) and AllAcceptedDomains != prev(AllAcceptedDomains) and prev(AllAcceptedDomains) !=\\\"\\\" , strcat(\\\"📍 \\\", AllAcceptedDomains, \\\" (\\\",prev(AllAcceptedDomains),\\\"->\\\", AllAcceptedDomains,\\\" )\\\"),AllAcceptedDomains)\\r\\n| extend SenderRewritingEnabled = iff( Identity == prev(Identity) and SenderRewritingEnabled != prev(SenderRewritingEnabled) and prev(SenderRewritingEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderRewritingEnabled, \\\" (\\\",prev(SenderRewritingEnabled),\\\"->\\\", SenderRewritingEnabled,\\\" )\\\"),SenderRewritingEnabled)\\r\\n| extend TestMode = iff( Identity == prev(Identity)and TestMode != 
prev(TestMode) and prev(TestMode) !=\\\"\\\" , strcat(\\\"📍 \\\", TestMode, \\\" (\\\",prev(TestMode),\\\"->\\\", TestMode,\\\" )\\\"),TestMode)\\r\\n| extend LinkForModifiedConnector = iff( Identity == prev(Identity) and LinkForModifiedConnector != prev(LinkForModifiedConnector) and prev(LinkForModifiedConnector) !=\\\"\\\" , strcat(\\\"📍 \\\", LinkForModifiedConnector, \\\" (\\\",prev(LinkForModifiedConnector),\\\"->\\\", LinkForModifiedConnector,\\\" )\\\"),LinkForModifiedConnector)\\r\\n| extend ValidationRecipients = iff( Identity == prev(Identity) and ValidationRecipients != prev(ValidationRecipients) and prev(ValidationRecipients) !=\\\"\\\" , strcat(\\\"📍 \\\", ValidationRecipients, \\\" (\\\",prev(ValidationRecipients),\\\"->\\\", ValidationRecipients,\\\" )\\\"),ValidationRecipients)\\r\\n| extend IsValidated = iff( Identity == prev(Identity) and IsValidated != prev(IsValidated) and prev(IsValidated) !=\\\"\\\" , strcat(\\\"📍 \\\", IsValidated, \\\" (\\\",prev(IsValidated),\\\"->\\\", IsValidated,\\\" )\\\"),IsValidated)\\r\\n| extend LastValidationTimestamp = iff( Identity == prev(Identity) and LastValidationTimestamp != prev(LastValidationTimestamp) and prev(LastValidationTimestamp) !=\\\"\\\" , strcat(\\\"📍 \\\", LastValidationTimestamp, \\\" (\\\",prev(LastValidationTimestamp),\\\"->\\\", LastValidationTimestamp,\\\" )\\\"),LastValidationTimestamp)\\r\\n| extend Comment = iff( Identity == prev(Identity) and Comment != prev(Comment) and prev(Comment) !=\\\"\\\" , strcat(\\\"📍 \\\", Comment, \\\" (\\\",prev(Comment),\\\"->\\\", Comment,\\\" )\\\"),Comment)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or State contains \\\"📍\\\" or ConnectorType contains \\\"📍\\\" or ConnectorSource contains \\\"📍\\\"or CloudServicesMailEnabled contains \\\"📍\\\" or Comment contains \\\"📍\\\" or UseMXRecord contains \\\"📍\\\" or RecipientDomains contains \\\"📍\\\" or SmartHosts contains \\\"📍\\\" or TlsDomain contains \\\"📍\\\" or TlsSettings contains 
\\\"📍\\\" or IsTransportRuleScoped contains \\\"📍\\\" or RouteAllMessagesViaOnPremises contains \\\"📍\\\" or AllAcceptedDomains contains \\\"📍\\\" or SenderRewritingEnabled contains \\\"📍\\\" or TestMode contains \\\"📍\\\" or LinkForModifiedConnector contains \\\"📍\\\" or ValidationRecipients contains \\\"📍\\\" or IsValidated contains \\\"📍\\\" or LastValidationTimestamp contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,State,ConnectorType,ConnectorSource,UseMXRecord,RecipientDomains,SmartHosts,TlsDomain,TlsSettings,IsTransportRuleScoped,RouteAllMessagesViaOnPremises,CloudServicesMailEnabled,AllAcceptedDomains,SenderRewritingEnabled,TestMode,LinkForModifiedConnector,ValidationRecipients,IsValidated,LastValidationTimestamp,Comment,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n State,\\r\\n ConnectorType,\\r\\n ConnectorSource, \\r\\n CloudServicesMailEnabled,\\r\\n Comment,\\r\\n UseMXRecord,\\r\\n RecipientDomains,\\r\\n SmartHosts,\\r\\n TlsDomain,\\r\\n TlsSettings,\\r\\n IsTransportRuleScoped,\\r\\n RouteAllMessagesViaOnPremises,\\r\\n AllAcceptedDomains,\\r\\n SenderRewritingEnabled,\\r\\n TestMode,\\r\\n LinkForModifiedConnector,\\r\\n ValidationRecipients,\\r\\n IsValidated,\\r\\n LastValidationTimestamp,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters 
)\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Transport Rules with specific actions to monitor\",\"items\":[{\"type\":1,\"content\":{\"json\":\"A common way used by attackers to exfiltrate data is to set Transport Rules that send all or sensitive messages outside the organization or to a mailbox where they already have full control.\\r\\n\\r\\nThis section shows your Transport rules with sentitive actions that can lead to data leaks:\\r\\n- BlindCopyTo\\r\\n- SentTo\\r\\n- CopyTo\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"TransportRulesHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Identity = iif( CmdletResultValue.Identity contains \\\"OrgHierarchyToIgnore\\\",tostring(CmdletResultValue.Identity.Name),tostring(CmdletResultValue.Identity))\\r\\n| extend State = tostring(CmdletResultValue.State)\\r\\n| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n| extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n| extend SenderIpRangesString = 
tostring(CmdletResultValue.SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n| project-away CmdletResultValue\\r\\n| sort by Identity asc\",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"Transport Rules actions to monitor\"},{\"type\":1,\"content\":{\"json\":\"** Due to lack of informaiton in Powershell, the Transport Rule compare section could display approximate information for Add and Modif. Especially, for the WhenCreated parameter.\"},\"name\":\"text - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = 
tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"TransportRule\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange =\\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"TransportRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n\\t| sort by Identity,TimeGenerated asc\\r\\n | extend SentTo = tostring(CmdletResultValue.SentToString)\\r\\n\\t| extend BlindCopyTo = tostring(CmdletResultValue.BlindCopyToString)\\r\\n\\t| extend CopyTo = tostring(CmdletResultValue.CopyToString)\\r\\n\\t| extend RedirectMessageTo = tostring(CmdletResultValue.RedirectMessageToString)\\r\\n\\t| extend Mode = tostring(CmdletResultValue.Mode)\\r\\n | extend CmdletResultValue.RedirectMessageToString\\r\\n | extend SetSCL = tostring(CmdletResultValue.SetSCL)\\r\\n | extend SenderIpRangesString = tostring(CmdletResultValue.SenderIpRangesString)\\r\\n | extend MessageTypeMatchesString = tostring(CmdletResultValue.MessageTypeMatchesString)\\r\\n | extend WhenChanged = todatetime(bin(WhenChanged,1m))\\r\\n | extend aa=prev(WhenCreated)\\r\\n | extend WhenCreated = iff( Identity == prev(Identity) and WhenChanged != prev(WhenChanged),aa ,WhenChanged)\\r\\n | extend WhenCreated =bin(WhenCreated,1m)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = inner (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,Mode,SetSCL,SenderIpRangesString,MessageTypeMatchesString,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData1 = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffAddData2 = union 
DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\"\\r\\n| distinct Identity;\\r\\nlet DiffAddData = DiffAddData1\\r\\n| join DiffAddData2 on Identity\\r\\n;\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenChanged,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo, SetSCL, SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend SentTo = iff( Identity == prev(Identity) and SentTo != prev(SentTo) and prev(SentTo) !=\\\"\\\" , strcat(\\\"📍 \\\", SentTo, \\\" (\\\",prev(SentTo),\\\"->\\\", SentTo,\\\" )\\\"),SentTo)\\r\\n| extend BlindCopyTo = iff( Identity == prev(Identity) and BlindCopyTo != prev(BlindCopyTo) and prev(BlindCopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", BlindCopyTo, \\\" (\\\",prev(BlindCopyTo),\\\"->\\\", BlindCopyTo,\\\" )\\\"),BlindCopyTo)\\r\\n| extend CopyTo = iff( Identity == prev(Identity) and CopyTo != prev(CopyTo) and prev(CopyTo) !=\\\"\\\" , strcat(\\\"📍 \\\", CopyTo, \\\" (\\\",prev(CopyTo),\\\"->\\\", CopyTo,\\\" )\\\"),CopyTo)\\r\\n| extend SetSCL = iff( Identity == prev(Identity)and SetSCL != prev(SetSCL) and prev(SetSCL) !=\\\"\\\" , strcat(\\\"📍 \\\", SetSCL, \\\" (\\\",prev(SetSCL),\\\"->\\\", SetSCL,\\\" )\\\"),SetSCL)\\r\\n| extend SenderIpRangesString = 
iff( Identity == prev(Identity)and SenderIpRangesString != prev(SenderIpRangesString) and prev(SenderIpRangesString) !=\\\"\\\" , strcat(\\\"📍 \\\", SenderIpRangesString, \\\" (\\\",prev(SenderIpRangesString),\\\"->\\\", SenderIpRangesString,\\\" )\\\"),SenderIpRangesString)\\r\\n| extend MessageTypeMatchesString = iff( Identity == prev(Identity)and MessageTypeMatchesString != prev(MessageTypeMatchesString) and prev(MessageTypeMatchesString) !=\\\"\\\" , strcat(\\\"📍 \\\", MessageTypeMatchesString, \\\" (\\\",prev(MessageTypeMatchesString),\\\"->\\\", MessageTypeMatchesString,\\\" )\\\"),MessageTypeMatchesString)\\r\\n| extend Mode = iff( Identity == prev(Identity)and Mode != prev(Mode) and prev(Mode) !=\\\"\\\" , strcat(\\\"📍 \\\", Mode, \\\" (\\\",prev(Mode),\\\"->\\\", Mode,\\\" )\\\"),Mode)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or SentTo contains \\\"📍\\\" or BlindCopyTo contains \\\"📍\\\" or CopyTo contains \\\"📍\\\" or SetSCL contains \\\"📍\\\" or SenderIpRangesString contains \\\"📍\\\" or MessageTypeMatchesString contains \\\"📍\\\" or Mode contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,SentTo,BlindCopyTo,CopyTo,RedirectMessageTo,SetSCL,SenderIpRangesString,MessageTypeMatchesString,Mode,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n SentTo,\\r\\n BlindCopyTo,\\r\\n CopyTo,\\r\\n RedirectMessageTo,\\r\\n SetSCL,\\r\\n 
SenderIpRangesString,\\r\\n MessageTypeMatchesString,\\r\\n Mode,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Outbound Policy : Autoforward configuration\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is enabled, then automatic transfer are allowed.\\r\\nFor example: users in Outlook will be able set automatic transfer of all their emails to external addresses.\\r\\nThere are several methods to authorized automatic forward. \\r\\nPlease review this article : https://learn.microsoft.com/microsoft-365/security/office-365-security/outbound-spam-policies-external-email-forwarding?view=o365-worldwide\\r\\n**In summary :**\\r\\n\\r\\n**Scenario 1 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Off.\\r\\n*Result :* \\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\n\\r\\n**Scenario 2 :**\\r\\n\\r\\nYou configure remote domain settings to allow automatic forwarding.\\r\\nAutomatic forwarding in the outbound spam filter policy is set to Automatic - System-controlled.\\r\\n\\r\\n*Result :* \\r\\n\\r\\nAutomatically forwarded messages to recipients in the affected domains are blocked.\\r\\nAs described earlier, Automatic - System-controlled used to mean On, but the setting has changed over time to mean Off in all organizations.\\r\\n\\r\\nFor absolute clarity, you should 
configure your outbound spam filter policy to On or Off.\\r\\n\\r\\n**Scenario 3 :**\\r\\n\\r\\nAutomatic forwarding in the outbound spam filter policy is set to On\\r\\nYou use mail flow rules or remote domains to block automatically forwarded email\\r\\n\\r\\n*Result : *\\r\\n\\r\\nAutomatically forwarded messages to affected recipients are blocked by mail flow rules or remote domains.\\r\\n****\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend Identity = tostring(CmdletResultValue.Identity)\\r\\n| join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n| extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n| extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n| extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n| extend AutoForwardingMode= iff (CmdletResultValue.AutoForwardingMode == \\\"On\\\" , strcat (\\\"❌ \\\", tostring(CmdletResultValue.AutoForwardingMode)), tostring(CmdletResultValue.AutoForwardingMode))\\r\\n| extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n| extend 
RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n| extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n| extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n| extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n| extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n| extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n| extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n| extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n| project Identity,IsDefault,Enabled,AutoForwardingMode,OutboundSpamFilterRule,BccSuspiciousOutboundAdditionalRecipients,BccSuspiciousOutboundMail,NotifyOutboundSpam,NotifyOutboundSpamRecipient,WhenChanged,WhenCreated\\r\\n| sort by Identity asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"OutboundPol - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = 
todatetime(toscalar(_currD));\\r\\nlet HOSFR = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterRule\\\", SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n| project Identity,HostedOutboundSpamFilterPolicy;\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_DateCompareB, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = 
todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"HostedOutboundSpamFilterPolicy\\\", SpecificConfigurationDate=_CurrentDate, SpecificConfigurationEnv=_EnvList, Target = _TypeEnv)\\r\\n | extend Identity = tostring(Identity)\\r\\n | join kind = fullouter HOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRangeOSFR = ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterRule\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | extend HostedOutboundSpamFilterPolicy = tostring(CmdletResultValue.HostedOutboundSpamFilterPolicy)\\r\\n | project Identity, HostedOutboundSpamFilterPolicy;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. _CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"HostedOutboundSpamFilterPolicy\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | extend Identity = tostring(CmdletResultValue.Identity)\\r\\n | project\\r\\n TimeGenerated,\\r\\n Identity,\\r\\n CmdletResultValue,\\r\\n WhenChanged = todatetime(bin(WhenChanged_t,1m)),\\r\\n WhenCreated=todatetime(bin(WhenCreated_t,1m))\\r\\n | join kind=fullouter allDataRangeOSFR on $left.Identity == $right.HostedOutboundSpamFilterPolicy\\r\\n | extend OutboundSpamFilterRule = tostring(Identity1)\\r\\n | extend IsDefault= tostring(CmdletResultValue.IsDefault)\\r\\n | extend Enabled= tostring(CmdletResultValue.Enabled)\\r\\n | extend AutoForwardingMode= tostring(CmdletResultValue.AutoForwardingMode)\\r\\n | extend RecommendedPolicyType= tostring(CmdletResultValue.RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = tostring(CmdletResultValue.RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = tostring(CmdletResultValue.RecipientLimitInternalPerHour)\\r\\n | extend RecipientLimitPerDay= tostring(CmdletResultValue.RecipientLimitPerDay)\\r\\n | extend ActionWhenThresholdReached = tostring(CmdletResultValue.ActionWhenThresholdReached)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients= 
tostring(CmdletResultValue.BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = tostring(CmdletResultValue.BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam= tostring(CmdletResultValue.NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = tostring(CmdletResultValue.NotifyOutboundSpamRecipient)\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData\\r\\n | where WhenCreated >= _DateCompareB)\\r\\n on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange) on WhenCreated\\r\\n | where WhenCreated >= _DateCompareB\\r\\n | where bin(WhenCreated, 5m) == bin(WhenChanged, 5m)\\r\\n | distinct\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nlet DiffAddData = union DiffAddDataP1, DiffAddDataP2\\r\\n | extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n 
OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | project\\r\\n WhenChanged=_CurrentDateB,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated\\r\\n;\\r\\nlet DiffModifData = union AfterData, allDataRange\\r\\n | sort by Identity, WhenChanged asc\\r\\n | project\\r\\n WhenChanged,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n | extend Identity = iff(Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) != \\\"\\\", strcat(\\\"📍 \\\", Identity, \\\" (\\\", prev(Identity), \\\"->\\\", Identity, \\\" )\\\"), Identity)\\r\\n | extend IsDefault = iff(Identity == prev(Identity) and IsDefault != prev(IsDefault) and prev(IsDefault) != \\\"\\\", strcat(\\\"📍 \\\", IsDefault, \\\" (\\\", prev(IsDefault), \\\"->\\\", IsDefault, \\\" )\\\"), IsDefault)\\r\\n | extend Enabled = iff(Identity == prev(Identity) and Enabled != prev(Enabled) and prev(Enabled) != \\\"\\\", strcat(\\\"📍 
\\\", Enabled, \\\" (\\\", prev(Enabled), \\\"->\\\", Enabled, \\\" )\\\"), Enabled)\\r\\n | extend AutoForwardingMode = iff(Identity == prev(Identity) and AutoForwardingMode != prev(AutoForwardingMode) and prev(AutoForwardingMode) != \\\"\\\", strcat(\\\"📍 \\\", AutoForwardingMode, \\\" (\\\", prev(AutoForwardingMode), \\\"->\\\", AutoForwardingMode, \\\" )\\\"), AutoForwardingMode)\\r\\n | extend OutboundSpamFilterRule = iff(Identity == prev(Identity) and OutboundSpamFilterRule != prev(OutboundSpamFilterRule) and prev(OutboundSpamFilterRule) != \\\"\\\", strcat(\\\"📍 \\\", OutboundSpamFilterRule, \\\" (\\\", prev(OutboundSpamFilterRule), \\\"->\\\", OutboundSpamFilterRule, \\\" )\\\"), OutboundSpamFilterRule)\\r\\n | extend RecommendedPolicyType = iff(Identity == prev(Identity) and RecommendedPolicyType != prev(RecommendedPolicyType) and prev(RecommendedPolicyType) != \\\"\\\", strcat(\\\"📍 \\\", RecommendedPolicyType, \\\" (\\\", prev(RecommendedPolicyType), \\\"->\\\", RecommendedPolicyType, \\\" )\\\"), RecommendedPolicyType)\\r\\n | extend RecipientLimitExternalPerHour = iff(Identity == prev(Identity) and RecipientLimitExternalPerHour != prev(RecipientLimitExternalPerHour) and prev(RecipientLimitExternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitExternalPerHour, \\\" (\\\", prev(RecipientLimitExternalPerHour), \\\"->\\\", RecipientLimitExternalPerHour, \\\" )\\\"), RecipientLimitExternalPerHour)\\r\\n | extend RecipientLimitInternalPerHour = iff(Identity == prev(Identity) and RecipientLimitInternalPerHour != prev(RecipientLimitInternalPerHour) and prev(RecipientLimitInternalPerHour) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitInternalPerHour, \\\" (\\\", prev(RecipientLimitInternalPerHour), \\\"->\\\", RecipientLimitInternalPerHour, \\\" )\\\"), RecipientLimitInternalPerHour)\\r\\n | extend ActionWhenThresholdReached = iff(Identity == prev(Identity) and ActionWhenThresholdReached != prev(ActionWhenThresholdReached) and 
prev(ActionWhenThresholdReached) != \\\"\\\", strcat(\\\"📍 \\\", ActionWhenThresholdReached, \\\" (\\\", prev(ActionWhenThresholdReached), \\\"->\\\", ActionWhenThresholdReached, \\\" )\\\"), ActionWhenThresholdReached)\\r\\n | extend RecipientLimitPerDay = iff(Identity == prev(Identity) and RecipientLimitPerDay != prev(RecipientLimitPerDay) and prev(RecipientLimitPerDay) != \\\"\\\", strcat(\\\"📍 \\\", RecipientLimitPerDay, \\\" (\\\", prev(RecipientLimitPerDay), \\\"->\\\", RecipientLimitPerDay, \\\" )\\\"), RecipientLimitPerDay)\\r\\n | extend BccSuspiciousOutboundAdditionalRecipients = iff(Identity == prev(Identity) and BccSuspiciousOutboundAdditionalRecipients != prev(BccSuspiciousOutboundAdditionalRecipients) and prev(BccSuspiciousOutboundAdditionalRecipients) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundAdditionalRecipients, \\\" (\\\", prev(BccSuspiciousOutboundAdditionalRecipients), \\\"->\\\", BccSuspiciousOutboundAdditionalRecipients, \\\" )\\\"), BccSuspiciousOutboundAdditionalRecipients)\\r\\n | extend BccSuspiciousOutboundMail = iff(Identity == prev(Identity) and BccSuspiciousOutboundMail != prev(BccSuspiciousOutboundMail) and prev(BccSuspiciousOutboundMail) != \\\"\\\", strcat(\\\"📍 \\\", BccSuspiciousOutboundMail, \\\" (\\\", prev(BccSuspiciousOutboundMail), \\\"->\\\", BccSuspiciousOutboundMail, \\\" )\\\"), BccSuspiciousOutboundMail)\\r\\n | extend NotifyOutboundSpam = iff(Identity == prev(Identity) and NotifyOutboundSpam != prev(NotifyOutboundSpam) and prev(NotifyOutboundSpam) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpam, \\\" (\\\", prev(NotifyOutboundSpam), \\\"->\\\", NotifyOutboundSpam, \\\" )\\\"), NotifyOutboundSpam)\\r\\n | extend NotifyOutboundSpamRecipient = iff(Identity == prev(Identity) and NotifyOutboundSpamRecipient != prev(NotifyOutboundSpamRecipient) and prev(NotifyOutboundSpamRecipient) != \\\"\\\", strcat(\\\"📍 \\\", NotifyOutboundSpamRecipient, \\\" (\\\", prev(NotifyOutboundSpamRecipient), \\\"->\\\", 
NotifyOutboundSpamRecipient, \\\" )\\\"), NotifyOutboundSpamRecipient)\\r\\n | extend ActiontypeR =iff((Identity contains \\\"📍\\\" or IsDefault contains \\\"📍\\\" or Enabled contains \\\"📍\\\" or OutboundSpamFilterRule contains \\\"📍\\\" or AutoForwardingMode contains \\\"📍\\\" or BccSuspiciousOutboundAdditionalRecipients contains \\\"📍\\\" or BccSuspiciousOutboundMail contains \\\"📍\\\" or NotifyOutboundSpam contains \\\"📍\\\" or NotifyOutboundSpamRecipient contains \\\"📍\\\"), i=i + 1, i)\\r\\n | extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n | where ActiontypeR == 1\\r\\n | distinct\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n NotifyOutboundSpamRecipient,\\r\\n WhenCreated \\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\", WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n IsDefault,\\r\\n Enabled,\\r\\n AutoForwardingMode,\\r\\n OutboundSpamFilterRule,\\r\\n RecommendedPolicyType,\\r\\n RecipientLimitExternalPerHour,\\r\\n RecipientLimitInternalPerHour,\\r\\n ActionWhenThresholdReached,\\r\\n RecipientLimitPerDay,\\r\\n BccSuspiciousOutboundAdditionalRecipients,\\r\\n BccSuspiciousOutboundMail,\\r\\n NotifyOutboundSpam,\\r\\n 
NotifyOutboundSpamRecipient,\\r\\n WhenCreated \",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Remote Domain Autofoward Configuration - * should not allow AutoForwardEnabled\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If **AutoForwardEnabled** is set to True for an SMTP domain and the Outbound Policy is set to On then users in Outlook are allowed to set automatic transfer of all their emails to addresses in this domain.\\r\\n\\r\\nWhen the Default Remote domain is set to * and has the AutoForwardEnabled set True, any user can configure an Outlook rule to automatically forward all emails to any SMTP domain domains outside the organization. This is a high risk configuration as it might allow accounts to leak information. 
\\r\\n\\r\\nAlso, when setting AutoForwardEnabled to a specific domain, it is strongly recommended enable TLS encryption.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"AutoForwardHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=\\\"{DateOfConfiguration:value}\\\",SpecificConfigurationEnv={EnvironmentList},Target = \\\"Online\\\")\\r\\n| project CmdletResultValue\\r\\n| extend Name = tostring(CmdletResultValue.Name)\\r\\n| extend Address = tostring(CmdletResultValue.DomainName)\\r\\n| extend AutoForwardEnabled = iff (CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName == \\\"*\\\", strcat (\\\"❌ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),iff(CmdletResultValue.AutoForwardEnabled== \\\"true\\\" and CmdletResultValue.DomainName != \\\"*\\\", strcat (\\\"⚠️ \\\",tostring(CmdletResultValue.AutoForwardEnabled)),strcat (\\\"✅ \\\",tostring(CmdletResultValue.AutoForwardEnabled))))\\r\\n| project-away CmdletResultValue\\r\\n| sort by Address asc \",\"size\":1,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"ForwardGroup\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let _EnvList ={EnvironmentList};\\r\\nlet _TypeEnv = \\\"Online\\\";\\r\\nlet _DateCompare = \\\"{DateCompare:value}\\\";\\r\\nlet _CurrentDate = \\\"{DateOfConfiguration:value}\\\";\\r\\nlet _DateCompareB = todatetime(_DateCompare);\\r\\nlet _currD = (ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n| summarize TimeMax = 
arg_max(TimeGenerated,*)\\r\\n| extend TimeMax = tostring(split(TimeMax,\\\"T\\\")[0])\\r\\n| project TimeMax);\\r\\nlet _CurrentDateB = todatetime(toscalar(_currD));\\r\\nlet BeforeData = ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_DateCompareB,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n\\t| extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet AfterData = \\r\\n ExchangeConfiguration(SpecificSectionList=\\\"RemoteDomain\\\",SpecificConfigurationDate=_CurrentDate,SpecificConfigurationEnv=_EnvList,Target = _TypeEnv)\\r\\n \\t | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n | extend WhenChanged = todatetime(WhenChanged)\\r\\n | extend WhenCreated = todatetime(WhenCreated)\\r\\n;\\r\\nlet i=0;\\r\\nlet allDataRange = \\r\\n ESIExchangeOnlineConfig_CL\\r\\n | where TimeGenerated between (_DateCompareB .. 
_CurrentDateB)\\r\\n | where ESIEnvironment_s == _EnvList\\r\\n | where ExecutionResult_s <> \\\"EmptyResult\\\"\\r\\n | where Section_s == \\\"RemoteDomain\\\"\\r\\n | extend CmdletResultValue = parse_json(rawData_s)\\r\\n | project TimeGenerated,CmdletResultValue,WhenChanged = todatetime(WhenChanged_t), WhenCreated=todatetime(WhenCreated_t)\\r\\n | extend Identity = tostring(CmdletResultValue.Name)\\r\\n\\t| extend DomainName = tostring(CmdletResultValue.DomainName)\\r\\n\\t| extend AutoForwardEnabled = tostring(CmdletResultValue.AutoForwardEnabled)\\r\\n ;\\r\\nlet DiffAddDataP1 = allDataRange\\r\\n | join kind = rightanti (AfterData | where WhenCreated >=_DateCompareB) on WhenCreated\\r\\n;\\r\\nlet DiffAddDataP2 = allDataRange\\r\\n | join kind = innerunique (allDataRange ) on WhenCreated\\r\\n | where WhenCreated >=_DateCompareB\\r\\n | where bin(WhenCreated,5m)==bin(WhenChanged,5m)\\r\\n | distinct Identity,DomainName,AutoForwardEnabled,WhenChanged,WhenCreated\\r\\n ;\\r\\nlet DiffAddData = union DiffAddDataP1,DiffAddDataP2\\r\\n| extend Actiontype =\\\"Add\\\";\\r\\nlet DiffRemoveData = allDataRange\\r\\n | join kind = leftanti AfterData on Identity\\r\\n | extend Actiontype =\\\"Remove\\\"\\r\\n | distinct Actiontype ,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n | project WhenChanged=_CurrentDateB,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n ;\\r\\nlet DiffModifData = union AfterData,allDataRange\\r\\n| sort by Identity,WhenChanged asc\\r\\n| project WhenChanged,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n| extend Identity = iff( Identity == prev(Identity) and Identity != prev(Identity) and prev(Identity) !=\\\"\\\" , strcat(\\\"📍 \\\", Identity, \\\" (\\\",prev(Identity),\\\"->\\\", Identity,\\\" )\\\"),Identity)\\r\\n| extend DomainName = iff( Identity == prev(Identity) and DomainName != prev(DomainName) and prev(DomainName) !=\\\"\\\" , strcat(\\\"📍 \\\", DomainName, \\\" (\\\",prev(DomainName),\\\"->\\\", 
DomainName,\\\" )\\\"),DomainName)\\r\\n| extend AutoForwardEnabled = iff( Identity == prev(Identity) and AutoForwardEnabled != prev(AutoForwardEnabled) and prev(AutoForwardEnabled) !=\\\"\\\" , strcat(\\\"📍 \\\", AutoForwardEnabled, \\\" (\\\",prev(AutoForwardEnabled),\\\"->\\\", AutoForwardEnabled,\\\" )\\\"),AutoForwardEnabled)\\r\\n| extend ActiontypeR =iff((Identity contains \\\"📍\\\" or DomainName contains \\\"📍\\\" or AutoForwardEnabled contains \\\"📍\\\" ), i=i + 1, i)\\r\\n| extend Actiontype =iff(ActiontypeR > 0, \\\"Modif\\\", \\\"NO\\\")\\r\\n| where ActiontypeR == 1\\r\\n| project WhenChanged,Actiontype,Identity,DomainName,AutoForwardEnabled,WhenCreated\\r\\n;\\r\\nunion DiffAddData, DiffRemoveData, DiffModifData\\r\\n| extend WhenChanged = iff (Actiontype == \\\"Modif\\\", WhenChanged, iff(Actiontype == \\\"Add\\\",WhenCreated, WhenChanged))\\r\\n| extend Actiontype = case(Actiontype == \\\"Add\\\", strcat(\\\"➕ \\\", Actiontype), Actiontype == \\\"Remove\\\", strcat(\\\"➖ \\\", Actiontype), Actiontype == \\\"Modif\\\", strcat(\\\"📍 \\\", Actiontype), \\\"N/A\\\")\\r\\n| sort by WhenChanged desc \\r\\n| project\\r\\n WhenChanged,\\r\\n Actiontype,\\r\\n Identity,\\r\\n DomainName,\\r\\n AutoForwardEnabled,\\r\\n WhenCreated\",\"size\":3,\"showAnalytics\":true,\"title\":\"Display changes ( Add, Remove, modifications of parameters )\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"Identity\"],\"expandTopLevel\":true}}},\"conditionalVisibility\":{\"parameterName\":\"Compare_Collect\",\"comparison\":\"isEqualTo\",\"value\":\"True\"},\"name\":\"query - 7\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Transport\"},\"name\":\"Transport Security 
configuration\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityReview-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
 "version": "1.0",
 "sourceId": "[variables('workspaceResourceId')]",
 "category": "sentinel"
@@ -1698,7 +1561,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Admin Activity - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Admin Activity - Online Workbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion3')]",
@@ -1716,7 +1579,7 @@ }, "properties": { "displayName": "[parameters('workbook3-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Admin Activity\\r\\n\\r\\nThis workbook helps you visualize what is happening in your Exchange environment.\\r\\nResults removed :\\r\\n\\t- All Test-* and Set-AdServerSetting Cmdlets\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3792117c-d924-4ec7-a327-1e8d5e9f291a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":14400000}},{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n| summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": 
\\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlet Analysis\",\"subTarget\":\"Cmdlet\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Cmdlet summary\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab parses the events from OfficeActivity logs :\\r\\n\\r\\n- list of cmdlets\\r\\n- filter on a VIP and/or Sensitive objects (based on Watchlist \\\"Exchange VIP\\\" and \\\" Monitored Exchange Cmdlets\\\")\\r\\n- anomalies detections are based on the KQL function series_decompose_anomalies\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdletGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5a942eba-c991-4b84-9a94-c153bca86e12\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VIPOnly\",\"label\":\"Show VIP Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"83befa26-eee0-49ab-9785-72653943bc6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitiveOnly\",\"label\":\"Sensitive CmdLet 
Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This section show all the Cmdlets executed in the selected time range. Possible filters are: \\r\\n- **VIP Only selected** Cmdlets used against VIP objects (based on the \\\"Exchange VIP\\\" watchlist)\\r\\n- **Sensitive Cmdlets** Cmdlets considered as Sensitive (based on the \\\"Monitored Exchange Cmdlets\\\" watchlist)\\r\\n\\r\\nThese informations can be useful to detect unexpected behaviors or to determine what are the action performed by the accounts (ie. service accounts).\\r\\n\\r\\nℹ️ It is recommended to delegated only the necessary privileges to an account.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdtListHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| sort by count_\",\"size\":2,\"showAnalytics\":true,\"title\":\"List of all executed cmdlets during the last 90 days (based on Sentinel 
retention)\",\"exportFieldName\":\"Cmdlet\",\"exportParameterName\":\"CmdletFilter\",\"exportDefaultValue\":\"\\\"\\\"\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Cmdlet\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":20}},\"customWidth\":\"45\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by CmdletName\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on CmdletName\\r\\n| project CmdletName, Total=count_, Count, Anomalies\\r\\n| sort by 
Total\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Cmdlet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]}},\"customWidth\":\"55\",\"name\":\"CmdletTrends\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize Total = count() by Caller\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by Caller\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on Caller\\r\\n| project Caller, Total, Count, Anomalies\\r\\n| sort by Total 
desc\",\"size\":1,\"showAnalytics\":true,\"exportFieldName\":\"Caller\",\"exportParameterName\":\"CallerFilter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"125px\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"chartSettings\":{\"createOtherGroup\":20}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"## List of Cmdlets\\r\\n\\r\\nBy default all accounts found in the log are displayed.\\r\\n\\r\\nSelect an caller, to display all Cmdlets launched by this administrator\\r\\n\\r\\n> **Legend** \\r\\n> \\r\\n> 👑 VIP user \\r\\n> 💥 Sensitive action\\r\\n\\r\\nIf needed, select an item in the dropdownlist. 
Dropdownlist are independent.\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"008273d1-a013-4d86-9e23-499e5175a85e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CallerFilter\",\"label\":\"Caller\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct Caller\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| sort by Caller asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"21bd4e45-65ca-4b9b-a19c-177d6b37d807\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TargetObjectFilter\",\"label\":\"Target Object\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct TargetObject\\r\\n| sort by TargetObject asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9e93d5c3-0fcb-4ece-b2a0-fc3ff44a0b04\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdletFilter\",\"label\":\"Cmdlet Filter\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| 
where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| where (Caller in ({CallerFilter}) or Caller == \\\"ALL\\\") and TargetObject contains \\\"{TargetObjectFilter}\\\" and CmdletName contains \\\"{CmdletFilter}\\\"\\r\\n and TargetObject contains \\\"\\\"\\r\\n and CmdletName contains \\\"\\\"\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend Cmdlet = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| project TimeGenerated, Caller, TargetObject, Cmdlet, CmdletParameters\\r\\n| sort by TimeGenerated desc\",\"size\":2,\"showAnalytics\":true,\"title\":\"History\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActualCmdLet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"120ch\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Cmdlet\"},\"name\":\"Cmdlet Group\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityAdminActivity-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Microsoft Exchange Admin Activity\\r\\n\\r\\nThis workbook helps you visualize what is happening in your Exchange environment.\\r\\nResults removed :\\r\\n\\t- All Test-* and Set-AdServerSetting Cmdlets\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3792117c-d924-4ec7-a327-1e8d5e9f291a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":14400000}},{\"id\":\"743317e2-ebcf-4958-861d-4ff97fc7cce1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n| summarize by 
OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"8ac96eb3-918b-4a36-bcc4-df50d8f46175\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"query\":\"{\\\"version\\\":\\\"1.0.0\\\",\\\"content\\\":\\\"[\\\\r\\\\n { \\\\\\\"value\\\\\\\": \\\\\\\"Yes\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"Yes\\\\\\\"},\\\\r\\\\n {\\\\\\\"value\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"label\\\\\\\": \\\\\\\"No\\\\\\\", \\\\\\\"selected\\\\\\\":true }\\\\r\\\\n]\\\\r\\\\n\\\"}\\r\\n\",\"timeContext\":{\"durationMs\":2592000000},\"queryType\":8}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"TimeRange\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"34188faf-7a02-4697-9b36-2afa986afc0f\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlet Analysis\",\"subTarget\":\"Cmdlet\",\"postText\":\"t\",\"style\":\"link\",\"icon\":\"3\",\"linkIsContextBlade\":true}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Cmdlet summary\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab parses the events from OfficeActivity logs :\\r\\n\\r\\n- list of cmdlets\\r\\n- filter on a VIP and/or Sensitive objects (based on Watchlist \\\"Exchange VIP\\\" and \\\" Monitored Exchange Cmdlets\\\")\\r\\n- anomalies detections are based on the KQL function 
series_decompose_anomalies\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdletGroupHelp\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5a942eba-c991-4b84-9a94-c153bca86e12\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"VIPOnly\",\"label\":\"Show VIP Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\",\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"83befa26-eee0-49ab-9785-72653943bc6b\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SensitiveOnly\",\"label\":\"Sensitive CmdLet Only\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"True\\\", \\\"label\\\": \\\"Yes\\\" },\\r\\n { \\\"value\\\": \\\"True,False\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\\r\\n\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"This section show all the Cmdlets executed in the selected time range. Possible filters are: \\r\\n- **VIP Only selected** Cmdlets used against VIP objects (based on the \\\"Exchange VIP\\\" watchlist)\\r\\n- **Sensitive Cmdlets** Cmdlets considered as Sensitive (based on the \\\"Monitored Exchange Cmdlets\\\" watchlist)\\r\\n\\r\\nThese informations can be useful to detect unexpected behaviors or to determine what are the action performed by the accounts (ie. 
service accounts).\\r\\n\\r\\nℹ️ It is recommended to delegated only the necessary privileges to an account.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"CmdtListHelp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| sort by count_\",\"size\":2,\"showAnalytics\":true,\"title\":\"List of all executed cmdlets during the last 90 days (based on Sentinel retention)\",\"exportFieldName\":\"Cmdlet\",\"exportParameterName\":\"CmdletFilter\",\"exportDefaultValue\":\"\\\"\\\"\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"CmdletName\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Cmdlet\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":20}},\"customWidth\":\"45\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project 
Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| summarize count() by CmdletName\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by CmdletName\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on CmdletName\\r\\n| project CmdletName, Total=count_, Count, Anomalies\\r\\n| sort by Total\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Cmdlet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"31.5ch\"}},{\"columnMatch\":\"Total\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"9.3ch\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":9,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"330px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]}},\"customWidth\":\"55\",\"name\":\"CmdletTrends\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| 
where IsSensitive in ({SensitiveOnly})\\r\\n| summarize Total = count() by Caller\\r\\n| join kind=leftouter ( MESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n | make-series Count=count() on TimeGenerated from ago(30d) to now() step 1d by Caller\\r\\n | extend Anomalies=series_decompose_anomalies(Count)\\r\\n) on Caller\\r\\n| project Caller, Total, Count, Anomalies\\r\\n| sort by Total desc\",\"size\":1,\"showAnalytics\":true,\"exportFieldName\":\"Caller\",\"exportParameterName\":\"CallerFilter\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Caller\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70ch\"}},{\"columnMatch\":\"Total\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"125px\"}},{\"columnMatch\":\"Count\",\"formatter\":21,\"formatOptions\":{\"palette\":\"blue\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Trend\"}},{\"columnMatch\":\"Anomalies\",\"formatter\":10,\"formatOptions\":{\"palette\":\"redBright\",\"customColumnWidthSetting\":\"300px\"},\"tooltipFormat\":{\"tooltip\":\"Anomalies\"}}],\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"Count\",\"label\":\"Count for the last 30 days\"}]},\"sortBy\":[{\"itemKey\":\"$gen_bar_Total_1\",\"sortOrder\":2}],\"chartSettings\":{\"createOtherGroup\":20}},\"name\":\"query - 4\"},{\"type\":1,\"content\":{\"json\":\"## List of Cmdlets\\r\\n\\r\\nBy default all accounts found in the log are displayed.\\r\\n\\r\\nSelect an caller, to display all Cmdlets launched by this administrator\\r\\n\\r\\n> **Legend** \\r\\n> \\r\\n> 👑 VIP user \\r\\n> 💥 Sensitive 
action\\r\\n\\r\\nIf needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"008273d1-a013-4d86-9e23-499e5175a85e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CallerFilter\",\"label\":\"Caller\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| distinct Caller\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| sort by Caller asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"21bd4e45-65ca-4b9b-a19c-177d6b37d807\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TargetObjectFilter\",\"label\":\"Target Object\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct TargetObject\\r\\n| sort by TargetObject asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"9e93d5c3-0fcb-4ece-b2a0-fc3ff44a0b04\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdletFilter\",\"label\":\"Cmdlet Filter\",\"type\":2,\"query\":\"let ExcludedCmdlet = externaldata 
(Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({CallerFilter})\\r\\n| distinct CmdletName\\r\\n| sort by CmdletName asc\",\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet: string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\", ignoreFirstRecord=true)\\r\\n | project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where IsVIP in ({VIPOnly})\\r\\n| where IsSensitive in ({SensitiveOnly})\\r\\n| where (Caller in ({CallerFilter}) or Caller == \\\"ALL\\\") and TargetObject contains \\\"{TargetObjectFilter}\\\" and CmdletName contains \\\"{CmdletFilter}\\\"\\r\\n and TargetObject contains \\\"\\\"\\r\\n and CmdletName contains \\\"\\\"\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend Cmdlet = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| project TimeGenerated, Caller, TargetObject, Cmdlet, CmdletParameters\\r\\n| sort by TimeGenerated 
desc\",\"size\":2,\"showAnalytics\":true,\"title\":\"History\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ActualCmdLet\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"120ch\"}}],\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Cmdlet\"},\"name\":\"Cmdlet Group\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSecurityAdminActivity-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -1727,7 +1590,7 @@
 "apiVersion": "2022-01-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=MicrosoftExchangeAdminActivity-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Exchange Online Admin Activity; templateRelativePath=Microsoft Exchange Admin Activity - Online.json; subtitle=; provider=Microsoft}.description",
+ "description": "@{workbookKey=MicrosoftExchangeAdminActivity-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Admin Activity - Online; templateRelativePath=Microsoft Exchange Admin Activity - Online.json; subtitle=; provider=Microsoft}.description",
 "parentId": "[variables('workbookId3')]",
 "contentId": "[variables('_workbookContentId3')]",
 "kind": "Workbook",
@@ -1785,7 +1648,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Microsoft Exchange Search AdminAuditLog - Online Workbook with template version 3.1.5",
+ "description": "Microsoft Exchange Search AdminAuditLog - Online Workbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion4')]",
@@ -1803,7 +1666,7 @@ }, "properties": { "displayName": "[parameters('workbook4-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Admin Audit Log\\r\\n\\r\\n** This workbook requires Option 1** (upload of the OfficeActivity logs)\\r\\n\\r\\n**Selection of an environment is unavailable. As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"79f1e435-df12-4c83-9967-501ab5f6ad6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"59486bcb-db99-43b3-97dc-a63b271a91d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n | summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"079b3cc5-dab3-4d38-b4d0-71101802949d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true 
}\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"9d830b00-95f4-4fd5-8cfb-95c2e63f5d0b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlets Analysis\",\"subTarget\":\"CmdletAna\",\"style\":\"link\"},{\"id\":\"944a83ef-377f-4374-83e8-46816b6ce570\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Admin Audit Log - All Admins\",\"subTarget\":\"AllAAL\",\"style\":\"link\"},{\"id\":\"cdab541f-8d91-4882-ba46-7c04cdff257b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Global Admin Audit Log Search\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If needed, select an item in the dropdownlist. 
Dropdownlist are independent.\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e100ee8b-d63b-4c49-9004-6555b56051aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Admin\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| extend admin = Caller\\r\\n| distinct admin\\r\\n\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0d7c1223-d108-4d10-bb24-50891a3415fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdLet\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({Admin})\\r\\n| distinct CmdletName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**How to understand the data**\\r\\n\\r\\nThese information 
are extracted from the OfficeActivity logs.\\r\\n\\r\\nEach entry is analyzed regarding the following conditions :\\r\\n\\r\\n - Check if the Target Object is a VIP. The VIP list is based on the watchlist \\\"Exchange VIP\\\".\\r\\n\\r\\n - Check if the Cdmlet is a Sensitive Cmdlet. The Sensitive Cmdlet list is based on the watchlist \\\"Monitored Exchange Cmdlets\\\". \\r\\n - This list contains the list of Cmdlet that are considered as Sensitive. \\r\\n - Some Cmdlet will be considered as Sensitive only if some specific parameters defined in the \\\"Monitored Exchange Cmdlets\\\" watchlist are used.\\r\\n\\r\\nColumn explainatations : \\r\\n - Caller : Named of the Administrators that used this cmdlet\\r\\n - TargetObject : Object modified by the cmdlet\\r\\n - IsVIP : If the Target Object part of the \\\"Exchange VIP\\\" watchlist\\r\\n - Cmdlet : Name of the cmdlet that was used\\r\\n - CmdletParameters : Cmdlet parameters used with the command\\r\\n - IsSensitive :\\r\\n - true : This cmdlet is Sensitive because it was part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist and Sensitive parameters have been used for cmdlet with specifc sensitive parameters \\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where Caller in ({Admin}) and CmdletName in ({CmdLet})\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend CmdletName = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 
\\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| extend IsSensitive = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",tostring(IsSenstiveCmdlet)), tostring(IsSenstiveCmdlet))\\r\\n| project TimeGenerated, Caller,IsVIP,TargetObject,IsSensitive,CmdletName,CmdletParameters\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AllAAL\"},\"name\":\"Global Admin Audit Log\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Analysis of Administrators actions\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Cmdlets for the Time Range\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"50\",\"name\":\"query - 
0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=dcount(CmdletName) by Account,CmdletName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Total Unique Cmdlet per Account for the Time Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Account\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| summarize Count=count() by CmdletName\\r\\n| sort by CmdletName asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total List of Cmdlets\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata 
(Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=count() by CmdletName, Account\\r\\n| sort by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"List of Cmdlet per Account\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displayed the list of Cmdlet used in your environment for the defined period of time with the number of time they have been used.\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section will display the list of Cmdlet launch by Administrators for the defined period of time and the number of time they have been used\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"}]},\"name\":\"Result Analysis\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CmdletAna\"},\"name\":\"Analysis of actions performed\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\nThe goals of this workbook is to allow search in the Exchange Admin Audit log.\\r\\n\\r\\nThe source of this workbook is not an export of the Admin Audit log mailbox but an export of the MSExchange Management for each 
Exchange servers.\\r\\n\\r\\nIf the Admin Audit Log is bypassed, the information won't be displayed in this workbook as there is no method to track this data.\\r\\n\\r\\n## Tabs\\r\\n\\r\\nLet quicly review the content of each tab\\r\\n\\r\\n### Cmdlets Analysis\\r\\n\\r\\nThis tab will show for the defined time range :\\r\\n - A summary of all cmdets used\\r\\n\\r\\n - A summary of all cmdlets used by each Account\\r\\n\\r\\n### Global Admin Audit Log\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\\r\\n\\r\\n\\r\\n### AdminAuditLog for Org Mgmt\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content for only account members on the Organization Management groups.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSearchAdminAuditLog-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Admin Audit Log\\r\\n\\r\\n** This workbook requires Option 1** (upload of the OfficeActivity logs)\\r\\n\\r\\n**Selection of an environment is unavailable. 
As this workbook is based on the OfficeActivity Logs (Microsoft 365 Solution) directly linked to the Microsoft Sentinel Environment, we cannot provide a view of another one.**\"},\"name\":\"text - 6\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"79f1e435-df12-4c83-9967-501ab5f6ad6a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"59486bcb-db99-43b3-97dc-a63b271a91d1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EnvironmentList\",\"label\":\"Environment\",\"type\":2,\"query\":\"OfficeActivity | where TimeGenerated {TimeRange}\\r\\n | summarize by OrganizationName\",\"isHiddenWhenLocked\":true,\"typeSettings\":{\"showDefault\":false},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"079b3cc5-dab3-4d38-b4d0-71101802949d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Help\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n { \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }\\r\\n]\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"9d830b00-95f4-4fd5-8cfb-95c2e63f5d0b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cmdlets 
Analysis\",\"subTarget\":\"CmdletAna\",\"style\":\"link\"},{\"id\":\"944a83ef-377f-4374-83e8-46816b6ce570\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Admin Audit Log - All Admins\",\"subTarget\":\"AllAAL\",\"style\":\"link\"},{\"id\":\"cdab541f-8d91-4882-ba46-7c04cdff257b\",\"cellValue\":\"selected\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Workbook Help\",\"subTarget\":\"Start\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Global Admin Audit Log Search\",\"items\":[{\"type\":1,\"content\":{\"json\":\"If needed, select an item in the dropdownlist. Dropdownlist are independent.\"},\"name\":\"text - 4\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e100ee8b-d63b-4c49-9004-6555b56051aa\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Admin\",\"type\":2,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller = replace_string(Caller, '\\\\\\\\', '\\\\\\\\\\\\\\\\')\\r\\n| extend admin = Caller\\r\\n| distinct admin\\r\\n\\r\\n\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"0d7c1223-d108-4d10-bb24-50891a3415fd\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"CmdLet\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project 
Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| where Caller in ({Admin})\\r\\n| distinct CmdletName\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**How to understand the data**\\r\\n\\r\\nThese information are extracted from the OfficeActivity logs.\\r\\n\\r\\nEach entry is analyzed regarding the following conditions :\\r\\n\\r\\n - Check if the Target Object is a VIP. The VIP list is based on the watchlist \\\"Exchange VIP\\\".\\r\\n\\r\\n - Check if the Cdmlet is a Sensitive Cmdlet. The Sensitive Cmdlet list is based on the watchlist \\\"Monitored Exchange Cmdlets\\\". \\r\\n - This list contains the list of Cmdlet that are considered as Sensitive. 
\\r\\n - Some Cmdlet will be considered as Sensitive only if some specific parameters defined in the \\\"Monitored Exchange Cmdlets\\\" watchlist are used.\\r\\n\\r\\nColumn explainatations : \\r\\n - Caller : Named of the Administrators that used this cmdlet\\r\\n - TargetObject : Object modified by the cmdlet\\r\\n - IsVIP : If the Target Object part of the \\\"Exchange VIP\\\" watchlist\\r\\n - Cmdlet : Name of the cmdlet that was used\\r\\n - CmdletParameters : Cmdlet parameters used with the command\\r\\n - IsSensitive :\\r\\n - true : This cmdlet is Sensitive because it was part of the list of the \\\"Monitored Exchange Cmdlets\\\" watchlist and Sensitive parameters have been used for cmdlet with specifc sensitive parameters \\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where Caller in ({Admin}) and CmdletName in ({CmdLet})\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend TargetObject = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",TargetObject), TargetObject )\\r\\n| extend CmdletName = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",CmdletName), CmdletName )\\r\\n| extend IsVIP = iif(IsVIP == true and TargetObject !=\\\"\\\" , strcat(\\\"👑 \\\",tostring(IsVIP)), tostring(IsVIP ))\\r\\n| extend IsSensitive = iif(IsSensitive == true and TargetObject !=\\\"\\\", strcat(\\\"💥 \\\",tostring(IsSenstiveCmdlet)), tostring(IsSenstiveCmdlet))\\r\\n| project TimeGenerated, Caller,IsVIP,TargetObject,IsSensitive,CmdletName,CmdletParameters\\r\\n| sort by TimeGenerated 
desc\",\"size\":0,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"AllAAL\"},\"name\":\"Global Admin Audit Log\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Analysis of Administrators actions\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Total Cmdlets for the Time Range\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Caller\\r\\n| extend CmdletName\\r\\n| summarize Count=count() by CmdletName\",\"size\":2,\"showAnalytics\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"createOtherGroup\":10}},\"customWidth\":\"50\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=dcount(CmdletName) by 
Account,CmdletName\",\"size\":2,\"showAnalytics\":true,\"title\":\"Total Unique Cmdlet per Account for the Time Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Account\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| summarize Count=count() by CmdletName\\r\\n| sort by CmdletName asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Total List of Cmdlets\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExcludedCmdlet = externaldata (Cmdlet:string)[h\\\"https://aka.ms/ExcludedCmdletWatchlist\\\"]with(format=\\\"csv\\\",ignoreFirstRecord=true)| project Cmdlet;\\r\\nMESOfficeActivityLogs\\r\\n| where TimeGenerated {TimeRange}\\r\\n| where CmdletName !in (ExcludedCmdlet)\\r\\n| extend Account = Caller\\r\\n| summarize Count=count() by CmdletName, Account\\r\\n| sort by Count asc\",\"size\":0,\"showAnalytics\":true,\"title\":\"List of Cmdlet per 
Account\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section displayed the list of Cmdlet used in your environment for the defined period of time with the number of time they have been used.\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Explanations\",\"expandable\":true,\"items\":[{\"type\":1,\"content\":{\"json\":\"This section will display the list of Cmdlet launch by Administrators for the defined period of time and the number of time they have been used\"},\"name\":\"text - 0\"}]},\"customWidth\":\"50\",\"name\":\"group - 3\"}]},\"name\":\"Result Analysis\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"CmdletAna\"},\"name\":\"Analysis of actions performed\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Workbook goals\\r\\nThe goals of this workbook is to allow search in the Exchange Admin Audit log.\\r\\n\\r\\nThe source of this workbook is not an export of the Admin Audit log mailbox but an export of the MSExchange Management for each Exchange servers.\\r\\n\\r\\nIf the Admin Audit Log is bypassed, the information won't be displayed in this workbook as there is no method to track this data.\\r\\n\\r\\n## Tabs\\r\\n\\r\\nLet quicly review the content of each tab\\r\\n\\r\\n### Cmdlets Analysis\\r\\n\\r\\nThis tab will show for the defined time range :\\r\\n - A summary of all cmdets used\\r\\n\\r\\n - A summary of all cmdlets used by each 
Account\\r\\n\\r\\n### Global Admin Audit Log\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\\r\\n\\r\\n\\r\\n### AdminAuditLog for Org Mgmt\\r\\n\\r\\nThis tab allow to globally search in the exported Admin Audit log content for only account members on the Organization Management groups.\\r\\n\\r\\nWhen Sensitive Cmdlets and/or Sensitive parameters are used, specific informations will be displayed.\\r\\n\\r\\nWhen VIP user are manipulated, specific informations will be displayed.\\r\\n\\r\\nFor more informations on how to understand each Column, refer to \\\"How to understand the data\\\"\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"selected\",\"comparison\":\"isEqualTo\",\"value\":\"Start\"},\"name\":\"group - 5\"}],\"fromTemplateId\":\"sentinel-MicrosoftExchangeSearchAdminAuditLog-Online\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -1876,7 +1739,7 @@ "defaultDuration": "P1000Y", "contentType": "Text/Csv", "numberOfLinesToSkip": 0, - "itemsSearchKey": "userPrincipalName", + "itemsSearchKey": "sAMAccountName", "rawContent": "displayName,sAMAccountName,userPrincipalName,comment\r\n\"2016DB1 User1\",\"2016DB1-User1\",\"2016DB1-User1@MyCompany.com\",\r\n" }, "apiVersion": "2021-03-01-preview" 
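Review bot: The switch of `"itemsSearchKey"` from `userPrincipalName` to `sAMAccountName` (here and in the identical `Watchlists/ExchOnlineVIP.json` hunk) is not mentioned in the ReleaseNotes entry this commit adds, which only cites the data connector and parser. The search key is the field `_GetWatchlist()` surfaces as `SearchKey`, so any lookup that presumably joined VIP entries on a UPN would stop matching after the upgrade; state the key change in the release notes and name the column the workbook VIP checks now expect. For cloud-only Exchange Online accounts the `sAMAccountName` column of a customer-supplied CSV may be empty, so confirm that an empty key is acceptable for the watchlist before shipping.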
@@ -1886,12 +1749,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.5", + "version": "3.1.6", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Exchange Security - Exchange Online", "publisherDisplayName": "Community", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Custom logs ingestion via Data Collector REST API
  2. \n
\n

Data Connectors: 1, Parsers: 6, Workbooks: 4, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Custom logs ingestion via Data Collector REST API
  2. \n
\n

Data Connectors: 1, Parsers: 5, Workbooks: 4, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -1945,11 +1808,6 @@ "contentId": "[variables('parserObject5').parserContentId5]", "version": "[variables('parserObject5').parserVersion5]" }, - { - "kind": "Parser", - "contentId": "[variables('parserObject6').parserContentId6]", - "version": "[variables('parserObject6').parserVersion6]" - }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", @@ -1973,7 +1831,7 @@ { "kind": "Watchlist", "contentId": "[variables('_Exchange Online VIP')]", - "version": "3.1.5" + "version": "3.1.6" } ] }, diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json index 39020c8111b..a1e9f9bdb6e 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/testParameters.json @@ -39,7 +39,7 @@ }, "workbook3-name": { "type": "string", - "defaultValue": "Microsoft Exchange Online Admin Activity", + "defaultValue": "Microsoft Exchange Admin Activity - Online", "minLength": 1, "metadata": { "description": "Name for the workbook" diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml deleted file mode 100644 index f242d0c9b16..00000000000 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCheckVIP.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -id: 9f0e2122-f511-4e51-83a0-51fbd86d3121 -Function: - Title: Parser for VIP Check for Exchange - Version: '1.0.0' - LastUpdated: '2023-11-01' -Category: Microsoft Sentinel Parser -FunctionName: MESCheckVIP -FunctionAlias: MESCheckVIP -FunctionParams: - - Name: UserToCheck - Type: string - Description: The user to verifiy if is a VIP or not. Default value is "all". - Default: 'All' -FunctionQuery: | - //let UserToCheck = "SampleEntry"; - let _UserToCheck = iif(UserToCheck == "" or UserToCheck == "All","All",tolower(UserToCheck)); - let fuzzyWatchlist = datatable(displayName:string, userPrincipalName:string, sAMAccountName:string, objectSID:string, objectGUID:guid, canonicalName:string, comment:string) [ - "NONE","NONE","NONE","NONE","00000001-0000-1000-0000-100000000000","NONE","NONE"]; - let Watchlist = union isfuzzy=true withsource=TableName _GetWatchlist('ExchangeVIP'), fuzzyWatchlist | where objectGUID != "00000001-0000-1000-0000-100000000000" | project-away TableName; - let SearchUser = Watchlist | where _UserToCheck =~ canonicalName - or _UserToCheck =~ displayName - or _UserToCheck =~ userPrincipalName - or _UserToCheck =~ sAMAccountName - or _UserToCheck =~ objectSID - or _UserToCheck == tostring(objectGUID) - or _UserToCheck =~ distinguishedName - or _UserToCheck == "All" - | extend ValueChecked = iif(_UserToCheck=="All",strcat("#",displayName,"#",userPrincipalName,"#",sAMAccountName,"#",objectGUID,"#",objectSID,"#",distinguishedName,"#"),_UserToCheck); - SearchUser \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml index 8f5b3cd4e4c..7aded9f868b 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/MESCompareDataMRA.yaml 
@@ -1,8 +1,8 @@
 id: 39f51672-8c63-4600-882a-5db8275f798f
 Function:
 Title: Parser for MRA Configuration Data Comparison
- Version: '1.0.0'
- LastUpdated: '2024-02-25'
+ Version: '1.1.0'
+ LastUpdated: '2024-08-30'
 Category: Microsoft Sentinel Parser
 FunctionName: MESCompareDataMRA
 FunctionAlias: MESCompareDataMRA
@@ -36,8 +36,8 @@ FunctionParams:
 Description: List of actors to exclude. Default value is "dynamic('')".
 Default: dynamic('')
 FunctionQuery: |
- // Version: 1.0.0
- // Last Updated: 25/02/2024
+ // Version: 1.1.0
+ // Last Updated: 30/08/2024
 //
 // DESCRIPTION:
 // This parser is used to compare the data of a specific section of the Exchange Online Configuration. It will compare the data of a specific section between two dates and return the differences between them.
@@ -84,14 +84,14 @@ FunctionQuery: |
 and CmdletResultValue.Name !contains "Deleg"
 | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
 | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup")
- | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)
- | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)
+ | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope))
+ | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))
 | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)
 | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)
 | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)
 | extend ManagementRoleAssignement = tostring(CmdletResultValue.Name)
 | extend Status= tostring(CmdletResultValue.Enabled)
- | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6", "Delegating", "Regular")
+ | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular")
 | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
 | extend Role = tostring(CmdletResultValue.Role)
 | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)
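Review bot: The value computed by the changed `RoleAssignmentDelegationType = iff(... == "6" or ... == "Delegating", "Delegating", "Regular")` line is thrown away three lines later, where the unchanged `| extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)` reassigns the column to the raw value, so the "Delegating" normalisation this commit extends never reaches the comparison. The line the `@@ -112,6 +112,7 @@` hunk adds in the second branch has the same fate for the same reason. Either delete the trailing `tostring(...)` extend in both branches or move the normalising `iff` after it; as written the only effect of the change is a few wasted operators. The `let` block these lines belong to starts before and ends after the hunk.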
@@ -103,8 +103,8 @@ FunctionQuery: |
 and CmdletResultValue.Name !contains "Deleg"
 | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
 | extend RoleAssigneeType = iff(CmdletResultValue.RoleAssigneeType == "User", "User", "RoleGroup")
- | extend CustomRecipientWriteScope = tostring(CmdletResultValue.CustomRecipientWriteScope)
- | extend CustomConfigWriteScope = tostring(CmdletResultValue.CustomConfigWriteScope)
+ | extend CustomRecipientWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomRecipientWriteScope.Name), tostring(CmdletResultValue.CustomRecipientWriteScope.Name))
+ | extend CustomConfigWriteScope = iff (_TypeEnv=="On-Premises", tostring(CmdletResultValue.CustomConfigWriteScope.Name), tostring(CmdletResultValue.CustomConfigWriteScope))
 | extend CustomResourceScope = tostring(CmdletResultValue.CustomResourceScope)
 | extend RecipientWriteScope = tostring(CmdletResultValue.RecipientWriteScope)
 | extend ConfigWriteScope = tostring(CmdletResultValue.ConfigWriteScope)
@@ -112,6 +112,7 @@ FunctionQuery: |
 | extend Status= tostring(CmdletResultValue.Enabled)
 | extend RoleAssigneeName = tostring(CmdletResultValue.RoleAssigneeName)
 | extend Role = tostring(CmdletResultValue.Role)
+ | extend RoleAssignmentDelegationType = iff(CmdletResultValue.RoleAssignmentDelegationType == "6" or CmdletResultValue.RoleAssignmentDelegationType == "Delegating", "Delegating", "Regular")
 | extend RoleAssignmentDelegationType = tostring(CmdletResultValue.RoleAssignmentDelegationType)
 ;
 let i=0;
diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md
index 46169e80260..fa0469c1ecf 100644
--- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md
+++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md
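Review bot: Both branches of the new `CustomRecipientWriteScope` iff in the `@@ -103,8 +103,8 @@` hunk are identical (`tostring(CmdletResultValue.CustomRecipientWriteScope.Name)` for On-Premises and for everything else), so the `_TypeEnv` test is dead and the non-On-Premises case no longer agrees with the `CustomConfigWriteScope` line directly below it or with the same line in the first branch of the parser, both of which keep the plain `tostring(CmdletResultValue.CustomRecipientWriteScope)` for that case. This looks like a copy-paste slip; the else branch should read `tostring(CmdletResultValue.CustomRecipientWriteScope)`. Because the two branches are meant to produce comparable rows, the mismatch would presumably show up as spurious scope differences between the two dates for Exchange Online data.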
@@ -164,12 +164,13 @@ If you need to test the parser execution without saving it as a function, add th ### Parser Definition - Title: Microsoft Exchange Compare Data MRA Parser -- Version: 1.0.0 -- Last Updated: 25/02/2024 +- Version: 1.1.0 +- Last Updated: 30/08/2024 - Description: This parser compare data from MRA and ESI Exchange Collector to find differences |**Version** |**Details** | |---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.1 |
  • Function Adaptation for On-Premises table
| |v1.0 |
  • Function initilisation for Sentinel Solution
| ### Parser Description diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md index f3cf58c8d54..d1bb13ca4d1 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md +++ b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| +| 3.1.6 | 30-08-2024 | Correct bug on LasdtReceivedData of DataConnector. and change parser | | 3.1.5 | 15-05-2024 | Enhancement in existing **Parser** | | 3.1.4 | 30-04-2024 | Repackaged for parser issue | | 3.1.3 | 25-04-2024 | Repackaged for parser issue with old names | diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json b/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json index 009bfe4854f..8583ccf670f 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Watchlists/ExchOnlineVIP.json @@ -23,7 +23,7 @@ "defaultDuration": "P1000Y", "contentType": "Text/Csv", "numberOfLinesToSkip": 0, - "itemsSearchKey": "userPrincipalName", + "itemsSearchKey": "sAMAccountName", "rawContent": "displayName,sAMAccountName,userPrincipalName,comment\r\n\"2016DB1 User1\",\"2016DB1-User1\",\"2016DB1-User1@MyCompany.com\",\r\n" }, "apiVersion": "2021-03-01-preview" diff --git a/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml b/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml new file mode 100644 index 00000000000..441e1cf65b1 --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml 
@@ -0,0 +1,54 @@ +id: f00197ab-491f-41e7-9e22-a7003a4c1e54 +name: Mimecast Audit - Logon Authentication Failed +description: Detects threat when logon authentication failure found in audit +displayName: Mimecast Audit - Logon Authentication Failed +severity: High +requiredDataConnectors: + - connectorId: MimecastAuditAPI + dataTypes: + - MimecastAudit_CL +enabled: true +query: | + MimecastAudit + | where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed" + | extend SourceIp = ['Source IP'] +queryFrequency: 30m +queryPeriod: 30m +triggerOperator: gt +triggerThreshold: 3 +suppressionDuration: 5h +suppressionEnabled: false +tactics: +- Discovery +- InitialAccess +- CredentialAccess +relevantTechniques: +- T1110 +alertRuleTemplateName: +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert +alertDetailsOverride: +customDetails: +entityMappings: +- entityType: IP + fieldMappings: + - identifier: Address + columnName: SourceIp +- entityType: Mailbox + fieldMappings: + - identifier: MailboxPrimaryAddress + columnName: User +- entityType: CloudApplication + fieldMappings: + - identifier: AppId + columnName: Application +version: 1.0.0 +kind: Scheduled + diff --git a/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_AV.yaml b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_AV.yaml new file mode 100644 index 00000000000..00b39028289 --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_AV.yaml 
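Review bot: `alertRuleTemplateName:`, `alertDetailsOverride:` and `customDetails:` are left as empty keys (YAML null) in the new Mimecast_Audit.yaml, and `status: Available` is absent, whereas the sibling MimecastCG_*.yaml rules in this commit omit the empty keys and set `status`; drop the three empty keys or give them values so the rule matches the others and does not trip the template validator. The tactics `Discovery` and `InitialAccess` do not correspond to the single technique `T1110` (Brute Force), which belongs to `CredentialAccess`. The threshold `gt 3` with `aggregationKind: SingleAlert` also counts failures across the whole tenant rather than per account or source, so four unrelated failures in 30 minutes raise one alert with no indication of which principal was targeted; if a per-principal threshold is intended, end the query with `| summarize FailureCount = count() by User, SourceIp, Application` and keep the threshold on that count.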
@@ -0,0 +1,45 @@ +id: 33bf0cc9-e568-42bf-9571-c22adf7be66d +name: Mimecast Secure Email Gateway - AV +description: | + 'Detects threats from email anti virus scan.' +severity: Informational +status: Available +requiredDataConnectors: + - connectorId: MimecastSEGAPI + dataTypes: + - MimecastCG +enabled: true +queryFrequency: 15m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +tactics: +- Execution +relevantTechniques: +- T1053 +query: | + MimecastCG + | where Type == "email_antivirus" + | extend SenderEnvelope = ['Sender Envelope'] +suppressionDuration: 5h +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: +- entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderEnvelope + - identifier: Recipient + columnName: Recipients + - identifier: Subject + columnName: Subject +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml new file mode 100644 index 00000000000..6dd475f6eb3 --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml 
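Review bot: `relevantTechniques: - T1053` (Scheduled Task/Job) and the tactic `Execution` do not describe a rule that fires on `Type == "email_antivirus"` rows; an attachment stopped by the gateway anti-virus maps to `InitialAccess` with `T1566` (Phishing), as the Attachment Protect rule in this same commit already does. The query has no verdict filter, so with `triggerThreshold: 0` and `aggregationKind: AlertPerResult` every `email_antivirus` row becomes an alert — confirm that the MimecastCG feed only carries detections for this type, or add a condition on the scan result column if the log also records clean scans.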
@@ -0,0 +1,55 @@ +id: 72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2 +name: Mimecast Secure Email Gateway - Attachment Protect +description: | + 'Detect threat for mail attachment under the targeted threat protection.' +severity: High +status: Available +requiredDataConnectors: + - connectorId: MimecastSEGAPI + dataTypes: + - MimecastCG +enabled: true +queryFrequency: 15m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +tactics: +- Collection +- Exfiltration +- Discovery +- InitialAccess +- Execution +relevantTechniques: +- T1114 +- T1566 +- T0865 +query: | + MimecastCG + | where Type == "email_ttp_ap" + | extend SenderEnvelope = ['Sender Envelope'] , SenderIp = ['Sender IP'] +suppressionDuration: 5h +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: +- entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderEnvelope + - identifier: Recipient + columnName: Recipients + - identifier: Subject + columnName: Subject +- entityType: IP + fieldMappings: + - identifier: Address + columnName: SenderIp +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Impersonation.yaml b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Impersonation.yaml new file mode 100644 index 00000000000..29b3a3e2ef0 --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Impersonation.yaml 
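Review bot: `T0865` is an ATT&CK for ICS identifier (Spearphishing Attachment in the ICS matrix); the enterprise technique for a malicious email attachment is `T1566.001`, and the solution validator may reject non-enterprise IDs, so this line should read `- T1566.001`. The five tactics listed (Collection, Exfiltration, Discovery, InitialAccess, Execution) are broader than what an attachment-protect event evidences; `InitialAccess` (plus `Execution` only if T1204 is added) is sufficient. As in the sibling CG rules, `Recipients` and `Subject` are referenced in entity mappings without being produced by the query; confirm they exist in `MimecastCG` under those names.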
@@ -0,0 +1,47 @@ +id: 2ef77cef-439f-4d94-848f-3eca67510d2f +name: Mimecast Secure Email Gateway - Impersonation Protect +description: | + 'Detects threats from impersonation mail under targeted threat protection.' +severity: High +status: Available +requiredDataConnectors: + - connectorId: MimecastSEGAPI + dataTypes: + - MimecastCG +enabled: true +queryFrequency: 15m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +tactics: +- Discovery +- LateralMovement +- Collection +relevantTechniques: +- T1114 +query: | + MimecastCG + | where Type == "email_ttp_impersonation" + | extend SenderEnvelope = ['Sender Envelope'] , SenderIp = ['Sender IP'] +suppressionDuration: 5h +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: +- entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderEnvelope + - identifier: SenderIP + columnName: SenderIp + - identifier: Recipient + columnName: Recipients +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml new file mode 100644 index 00000000000..019465d1bf1 --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml 
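Review bot: The tactic/technique pairing does not describe an impersonation-protect hit: `T1114` is Email Collection, and `LateralMovement`/`Discovery` are not evidenced by an inbound spoofed message; `InitialAccess` with `T1566` (Phishing), or `T1656` (Impersonation) if the workspace accepts it, fits the event. The `IP` entity present in the Attachment rule is missing here even though `SenderIp` is extended, and the `MailMessage` mapping lacks the `Subject` the sibling rules include; adding `- entityType: IP` with `identifier: Address` / `columnName: SenderIp` makes the incident entities consistent across the MimecastCG rules.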
@@ -0,0 +1,48 @@ +id: d3bd7640-3600-49f9-8d10-6fe312e68b4f +name: Mimecast Secure Email Gateway - Internal Email Protect +description: | + 'Detects threats from internal email threat protection.' +severity: High +status: Available +requiredDataConnectors: + - connectorId: MimecastSEGAPI + dataTypes: + - MimecastCG +enabled: true +queryFrequency: 15m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +tactics: +- LateralMovement +- Persistence +- Exfiltration +relevantTechniques: +- T1534 +- T1546 +query: | + MimecastCG + | where Type == "email_iep" + | extend SenderEnvelope = ['Sender Envelope'] , MessageId = ['Message ID'] +suppressionDuration: 5h +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: +- entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderEnvelope + - identifier: Recipient + columnName: Recipients + - identifier: InternetMessageId + columnName: MessageId +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Spam_Event.yaml b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Spam_Event.yaml new file mode 100644 index 00000000000..726f9df8fc4 --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Spam_Event.yaml 
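Review bot: `T1546` (Event Triggered Execution) together with the `Persistence` and `Exfiltration` tactics are not supported by an internal email protect event; `T1534` (Internal Spearphishing) under `LateralMovement` is the accurate mapping, so drop the two extra tactics and the `- T1546` line. Mapping `InternetMessageId: MessageId` is a good addition for correlating with mail-flow logs; if `['Message ID']` is present on the other `MimecastCG` event types as well, the sibling rules would benefit from the same mapping.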
@@ -0,0 +1,45 @@ +id: 0cda82c8-e8f0-4117-896e-a10f1b43e64a +name: Mimecast Secure Email Gateway - Spam Event Thread +description: | + 'Detects threat from spam event thread protection logs.' +severity: Low +status: Available +requiredDataConnectors: + - connectorId: MimecastSEGAPI + dataTypes: + - MimecastCG +enabled: true +queryFrequency: 15m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +tactics: +- Discovery +relevantTechniques: +- T1083 +query: | + MimecastCG + | where Type == "email_spam" + | extend SenderEnvelope = ['Sender Envelope'] +suppressionDuration: 5h +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: +- entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderEnvelope + - identifier: Recipient + columnName: Recipients + - identifier: Subject + columnName: Subject +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml new file mode 100644 index 00000000000..94abbe13597 --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml 
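Review bot: `T1083` (File and Directory Discovery) and the `Discovery` tactic have no relation to a spam verdict; if a mapping is required, `T1566` under `InitialAccess` is the closest, otherwise leave techniques empty rather than mislabel. `triggerThreshold: 0` with `AlertPerResult` and `createIncident: true` turns every spam message into an incident, which for a Low-severity, high-volume event type will swamp the queue; either set `createIncident: false` or switch to `SingleAlert` with a meaningful threshold. The `name` has a typo: `Spam Event Thread` should read `Spam Event Threat`.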
@@ -0,0 +1,47 @@ +id: 80f244cd-b0d6-404e-9aed-37f7a66eda9f +name: Mimecast Secure Email Gateway - URL Protect +description: | + 'Detect threat when potentially malicious url found.' +severity: High +status: Available +requiredDataConnectors: + - connectorId: MimecastSEGAPI + dataTypes: + - MimecastCG +enabled: true +queryFrequency: 15m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +tactics: +- InitialAccess +- Discovery +- Execution +relevantTechniques: +- T1566 +query: | + MimecastCG + | where Type == "email_ttp_url" + | extend SenderEnvelope = ['Sender Envelope'] +suppressionDuration: 5h +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: +- entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderEnvelope + - identifier: Recipient + columnName: Recipients + - identifier: Subject + columnName: Subject +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Virus.yaml b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Virus.yaml new file mode 100644 index 00000000000..aa7d3e43ecd --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastCG_Virus.yaml 
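Review bot: The query alerts on every `email_ttp_url` row regardless of outcome, whereas the sibling TTP URL rule filters `['Scan Result'] == "malicious" and Action != "allow"`; if the MimecastCG URL-protect rows carry a scan result or action field, this rule should apply the same filter so clean link rewrites do not become High-severity incidents. No `URL` entity is mapped although this is the URL-protect event; if the table exposes the scanned link, add `- entityType: URL` with `identifier: Url` mapped to that column so analysts can pivot on the indicator. `Recipients` and `Subject` are assumed to exist in `MimecastCG`; confirm against the parser.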
@@ -0,0 +1,45 @@ +id: d78d7352-fa5a-47d4-b48f-cb2c3252c0eb +name: Mimecast Secure Email Gateway - Virus +description: | + 'Detect threat for virus from mail receipt virus event.' +severity: Informational +status: Available +requiredDataConnectors: + - connectorId: MimecastSEGAPI + dataTypes: + - MimecastCG +enabled: true +queryFrequency: 15m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +tactics: +- Execution +relevantTechniques: +- T1053 +query: | + MimecastCG + | where Type == "email_receipt" and isnotempty(['Virus Found']) + | extend SenderEnvelope = ['Sender Envelope'] +suppressionDuration: 5h +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: +- entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderEnvelope + - identifier: Recipient + columnName: Recipients + - identifier: Subject + columnName: Subject +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_Notifications.yaml b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_Notifications.yaml new file mode 100644 index 00000000000..cf8f81c1e62 --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_Notifications.yaml 
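Review bot: `T1053` (Scheduled Task/Job) is not what a virus found on receipt evidences; `T1566.001` under `InitialAccess` (with `T1204.002` if the user-execution aspect matters) is the appropriate mapping, and the same error is in the AV rule. `isnotempty(['Virus Found'])` correctly restricts to positive detections, but those rows are then rated `Informational` while a generic attachment-protect event is `High`; a confirmed virus should at least match that. Consider extending `VirusName = ['Virus Found']` and surfacing it through `customDetails` so the detection name is visible in the incident.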
@@ -0,0 +1,44 @@ +id: cfd67598-ad0d-430a-a793-027eb4dbe967 +name: Mimecast Data Leak Prevention - Notifications +description: Detects threat for data leak when action is notification +severity: High +requiredDataConnectors: + - connectorId: MimecastSEGAPI + dataTypes: + - MimecastDLP +enabled: true +query: | + MimecastDLP + | where Action == "notification" + | extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address'] +queryFrequency: 15m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +suppressionDuration: 5h +suppressionEnabled: false +tactics: +- Exfiltration +relevantTechniques: +- T1030 +alertRuleTemplateName: +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert +entityMappings: +- entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderAddress + - identifier: Recipient + columnName: RecipientAddress + - identifier: DeliveryAction + columnName: Action +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_hold.yaml b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_hold.yaml new file mode 100644 index 00000000000..e567fc59f27 --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastSEG/MimecastDLP_hold.yaml 
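Review bot: `alertRuleTemplateName:` is left without a value, which YAML parses as null; the sibling `MimecastDLP_hold.yaml` omits the key entirely, and an explicit null may fail the solution's schema validation, so remove the line. The severity split between the two DLP rules looks inverted: a message Mimecast merely notified on is `High` here while one actually held by policy is `Informational`; confirm against the policy semantics before shipping. `DeliveryAction: Action` maps a value that is constant (`"notification"`) after the filter, so it adds nothing to the entity; `Subject` or the policy name would be more useful if the table exposes them.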
@@ -0,0 +1,43 @@ +id: 8e52bcf1-4f50-4c39-8678-d9efad64e379 +name: Mimecast Data Leak Prevention - Hold +description: Detects threat for data leak when action is hold +severity: Informational +requiredDataConnectors: + - connectorId: MimecastSEGAPI + dataTypes: + - MimecastDLP +enabled: true +query: | + MimecastDLP + | where Action == "hold" + | extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address'] +queryFrequency: 15m +queryPeriod: 15m +triggerOperator: gt +triggerThreshold: 0 +suppressionDuration: 5h +suppressionEnabled: false +tactics: +- Exfiltration +relevantTechniques: +- T1030 +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: SingleAlert +entityMappings: +- entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderAddress + - identifier: Recipient + columnName: RecipientAddress + - identifier: DeliveryAction + columnName: Action +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Attachment.yaml b/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Attachment.yaml new file mode 100644 index 00000000000..75ee0348f6a --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Attachment.yaml 
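Review bot: `T1030` (Data Transfer Size Limits) describes chunking exfiltrated data to evade size thresholds and does not fit a DLP hold on an outbound email; `T1048` (Exfiltration Over Alternative Protocol) or `T1567` is closer, and the same mapping is repeated in the Notifications rule. With `aggregationKind: SingleAlert` and `triggerThreshold: 0`, all held messages in a 15-minute window are folded into one alert, so the `Sender`/`Recipient` entities cover only the results Sentinel samples; `AlertPerResult`, as the other rules use, keeps one entity set per message. `status: Available` is set on the MimecastCG and TTP rules but missing from both DLP rules.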
@@ -0,0 +1,45 @@ +id: 617a55be-a8d8-49c1-8687-d19a0231056f +name: Mimecast Targeted Threat Protection - Attachment Protect +description: | + 'Detects a threat for an unsafe attachment in an email.' +severity: High +status: Available +requiredDataConnectors: + - connectorId: MimecastTTPAPI + dataTypes: + - MimecastTTPAttachment +queryFrequency: 30m +queryPeriod: 30m +triggerOperator: gt +triggerThreshold: 0 +tactics: +- InitialAccess +- Discovery +relevantTechniques: +- T0865 +query: | + MimecastTTPAttachment + | where Result != "safe" + | extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address'] +suppressionDuration: 5h +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: + - entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderAddress + - identifier: Recipient + columnName: RecipientAddress + - identifier: Subject + columnName: Subject +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Impersonation.yaml b/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Impersonation.yaml new file mode 100644 index 00000000000..665a5027585 --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Impersonation.yaml 
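Review bot: `T0865` is an ICS-matrix identifier; use `T1566.001` for a malicious email attachment, as noted for the MimecastCG attachment rule. `Result != "safe"` is case-sensitive, so a value such as `Safe` would raise a High alert; `Result !~ "safe"` avoids that. This rule also lacks the `enabled: true` the MimecastCG rules set; if that is intentional it is fine, otherwise add it for consistency.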
@@ -0,0 +1,48 @@ +id: c048fa06-0d50-4626-ae82-a6cea812d9c4 +name: Mimecast Targeted Threat Protection - Impersonation Protect +description: | + 'Detects a maliciously tagged impersonation.' +severity: High +status: Available +requiredDataConnectors: + - connectorId: MimecastTTPAPI + dataTypes: + - MimecastTTPImpersonation +queryFrequency: 30m +queryPeriod: 30m +triggerOperator: gt +triggerThreshold: 0 +tactics: +- Exfiltration +- Collection +- Discovery +relevantTechniques: +- T1114 +query: | + MimecastTTPImpersonation + | where ['Tagged Malicious'] == true + | extend SenderAddress = ['Sender Address'], + SenderIPAddress = ['Sender IP Address'], + RecipientAddress = ['Recipient Address'] +suppressionDuration: 5h +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: + - entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: SenderAddress + - identifier: SenderIP + columnName: SenderIPAddress + - identifier: Recipient + columnName: RecipientAddress +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml b/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml new file mode 100644 index 00000000000..d18f149b58d --- /dev/null +++ b/Solutions/Mimecast/Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml 
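Review bot: `['Tagged Malicious'] == true` only matches if the column is ingested as a boolean; if the connector writes it as a string, every row is filtered out silently and the rule never fires, so either verify the column type in the parser or use `tobool(['Tagged Malicious']) == true`. The tactics (`Exfiltration`, `Collection`, `Discovery`) and `T1114` do not describe an impersonation attempt; `InitialAccess`/`T1566` is the appropriate mapping. The `SenderIP` identifier on `MailMessage` is fine, but an additional `IP` entity with `Address: SenderIPAddress` would make the address usable as a first-class IP entity in investigations.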
@@ -0,0 +1,53 @@ +id: 952faed4-c6a6-4873-aeb9-b348e9ce5aba +name: Mimecast Targeted Threat Protection - URL Protect +description: | + 'Detects malicious scan results and actions which are not allowed.' +severity: High +status: Available +requiredDataConnectors: + - connectorId: MimecastTTPAPI + dataTypes: + - MimecastTTPUrl +queryFrequency: 30m +queryPeriod: 30m +triggerOperator: gt +triggerThreshold: 0 +tactics: +- InitialAccess +- Discovery +relevantTechniques: +- T0865 +query: | + MimecastTTPUrl + | where ['Scan Result'] == "malicious" and Action != "allow" + | extend From_User_EmailAddress = ['From User Email Address'],MessageID = ['Message ID'] , User_EmailAddress = ['User Email Address'] +suppressionDuration: 5h +suppressionEnabled: false +incidentConfiguration: + createIncident: true + groupingConfiguration: + enabled: true + reopenClosedIncident: false + lookbackDuration: P7D + matchingMethod: AllEntities +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SendingIP + - entityType: MailMessage + fieldMappings: + - identifier: Sender + columnName: From_User_EmailAddress + - identifier: InternetMessageId + columnName: MessageID + - identifier: Recipient + columnName: User_EmailAddress + - entityType: URL + fieldMappings: + - identifier: Url + columnName: Url +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/MimecastAT.zip b/Solutions/Mimecast/Data Connectors/MimecastAT/MimecastAT.zip new file mode 100644 index 00000000000..dee247b180d Binary files /dev/null and b/Solutions/Mimecast/Data Connectors/MimecastAT/MimecastAT.zip differ diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/Mimecast_AT_FunctionApp.json b/Solutions/Mimecast/Data Connectors/MimecastAT/Mimecast_AT_FunctionApp.json new file mode 100644 index 00000000000..0001e207d8e --- /dev/null 
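Review bot: The entity mappings reference `SendingIP` and `Url`, but the query only aliases the three space-containing columns it projects; if the source columns are `['Sending IP']` and `['URL']`, these two mappings resolve to nothing and the IP/URL entities are absent from every alert, so either add them to the `extend` (e.g. `SendingIP = ['Sending IP']`) or confirm the table exposes them under exactly those names. `T0865` should be `T1566.002` (Spearphishing Link) here. The filter `['Scan Result'] == "malicious" and Action != "allow"` is the right shape and the MimecastCG URL rule should apply the same.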
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/Mimecast_AT_FunctionApp.json 
@@ -0,0 +1,167 @@ +{ + "id": "MimecastATAPI", + "title": "Mimecast Awareness Training", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Awareness Training](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. \nThe Mimecast products included within the connector are: \n- Performance Details \n- Safe Score Details \n- User Data\n- Watchlist Details\n", + "graphQueries": [ + { + "metricName": "Total Performance Details data received", + "legend": "Awareness_Performance_Details_CL", + "baseQuery": "Awareness_Performance_Details_CL" + }, + { + "metricName": "Total Safe Score Details data received", + "legend": "Awareness_SafeScore_Details_CL", + "baseQuery": "Awareness_SafeScore_Details_CL" + }, + { + "metricName": "Total User Data received", + "legend": "Awareness_User_Data_CL", + "baseQuery": "Awareness_User_Data_CL" + }, + { + "metricName": "Total Watchlist Details data received", + "legend": "Awareness_Watchlist_Details_CL", + "baseQuery": "Awareness_Watchlist_Details_CL" + } + ], + "sampleQueries": [ + { + "description": "Awareness_Performance_Details_CL", + "query": "Awareness_Performance_Details_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Awareness_SafeScore_Details_CL", + "query": "Awareness_SafeScore_Details_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Awareness_User_Data_CL", + "query": "Awareness_User_Data_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Awareness_Watchlist_Details_CL", + "query": "Awareness_User_Data_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": 
"Awareness_Performance_Details_CL", + "lastDataReceivedQuery": "Awareness_Performance_Details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Awareness_SafeScore_Details_CL", + "lastDataReceivedQuery": "Awareness_SafeScore_Details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Awareness_User_Data_CL", + "lastDataReceivedQuery": "Awareness_User_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Awareness_Watchlist_Details_CL", + "lastDataReceivedQuery": "Awareness_Watchlist_Details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Awareness_Performance_Details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Awareness_SafeScore_Details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Awareness_User_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Awareness_Watchlist_Details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "title": "Resource group", + "description": "You need to have a resource group created with a subscription you are going to use." + }, + { + "title": "Functions app", + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret" + }, + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "Configuration:", + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)" + }, + { + "title": "", + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Mimecast Awareness Training Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastAT-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 0 */1 * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] +} \ No newline at end of file 
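Review bot: The fourth `sampleQueries` entry is labelled `Awareness_Watchlist_Details_CL` but its query reads `Awareness_User_Data_CL`, so the connector page shows the wrong table for watchlist data; change it to `"query": "Awareness_Watchlist_Details_CL\n| sort by TimeGenerated desc"`. `requiredPermissions` on the workspace asks for `"delete": true`, which a log-ingestion function app does not need; `read`/`write` are sufficient and over-requesting works against least-privilege deployment. The `descriptionMarkdown` talks about "Targeted Threat Protection inspection technologies", which appears copied from another Mimecast connector, and the step titled "Configuration steps for the Mimecast API" actually describes creating an Azure app-registration client secret rather than Mimecast API credentials.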
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/PerformanceDetails/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastAT/PerformanceDetails/__init__.py new file mode 100644 index 00000000000..cad60fdf31b --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAT/PerformanceDetails/__init__.py @@ -0,0 +1,21 @@ +"""Init module for PerformanceDetails.""" + +import datetime +import logging +import time +import azure.functions as func +from .mimecast_performance_details_to_sentinel import MimecastAwarenessPerformance + + +def main(mytimer: func.TimerRequest) -> None: + """Driver method for awareness training performance details.""" + utc_timestamp = ( + datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + ) + function_start_time = time.time() + performance_details_obj = MimecastAwarenessPerformance(function_start_time) + performance_details_obj.get_awareness_performance_details_data_in_sentinel() + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/PerformanceDetails/function.json b/Solutions/Mimecast/Data Connectors/MimecastAT/PerformanceDetails/function.json new file mode 100644 index 00000000000..36c1449c9e1 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAT/PerformanceDetails/function.json @@ -0,0 +1,11 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "%Schedule%" + } + ] +} \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/PerformanceDetails/mimecast_performance_details_to_sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastAT/PerformanceDetails/mimecast_performance_details_to_sentinel.py new file mode 100644 index 00000000000..b4a3d0b7de0 --- /dev/null 
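Review bot: `datetime.datetime.utcnow()` is deprecated as of Python 3.12 and returns a naive value that is then patched with `replace(tzinfo=...)`; `datetime.datetime.now(datetime.timezone.utc).isoformat()` yields the same string directly. The start timestamp and the `past_due` check are only logged after `get_awareness_performance_details_data_in_sentinel()` returns, so when that call raises a `MimecastException` nothing from `main` is logged at all; moving both `logging.info` calls before the ingest call keeps the run record useful on failure.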
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/PerformanceDetails/mimecast_performance_details_to_sentinel.py 
@@ -0,0 +1,235 @@ +"""Get Mimecast Awareness Training Performance data and ingest into sentinel.""" + +import inspect +from ..SharedCode import consts +from ..SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from ..SharedCode.logger import applogger +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils +import time +import datetime +from tenacity import RetryError + + +class MimecastAwarenessPerformance(Utils): + """Class for Mimecast Awareness Training Performance Details.""" + + def __init__(self, start_time) -> None: + """Initialize utility methods and variables. + + Args: + start_time (str): azure function starting time. + """ + super().__init__(consts.AWARENESS_PERFORMANCE_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"BaseURL": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"MimecastClientID": consts.MIMECAST_CLIENT_ID}, + {"MimecastClientSecret": consts.MIMECAST_CLIENT_SECRET}, + {"ConnectionString": consts.CONN_STRING}, + {"LogLevel": consts.LOG_LEVEL}, + ] + ) + self.authenticate_mimecast_api() + self.state_manager_obj = StateManager( + consts.CONN_STRING, + consts.PERFORMANCE_CHECKPOINT_FILE, + consts.FILE_SHARE_NAME, + ) + self.hash_file_state_manager_obj = StateManager( + consts.CONN_STRING, consts.PERFORMANCE_HASH_FILE, consts.FILE_SHARE_NAME + ) + self.performance_details_url = ( + consts.BASE_URL + consts.ENDPOINTS["PERFORMANCE_DETAILS"] + ) + self.function_start_time = start_time + + def get_request_body_and_checkpoint(self): + """Get the request body and checkpoint data for pagination. + + Returns: + tuple: A dictionary containing the request body and the checkpoint data. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + request_body = { + "meta": {"pagination": {"pageSize": consts.MAX_PAGE_SIZE}}, + "data": [{"includeUserDetails": True}], + } + checkpoint = self.get_checkpoint_data(self.state_manager_obj) + if checkpoint: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Page checkpoint found.", + ) + ) + pageToken = checkpoint.get("pageToken") + request_body["meta"]["pagination"]["pageToken"] = pageToken + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Page checkpoint data : {}.".format(checkpoint), + ) + ) + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Page checkpoint not found.", + ) + ) + return request_body, checkpoint + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_awareness_performance_details_data_in_sentinel(self): + """Get Mimecast awareness training performance details data and ingest to sentinel.""" + __method_name = inspect.currentframe().f_code.co_name + try: + request_body, checkpoint_data = self.get_request_body_and_checkpoint() + next_page = True + while next_page: + if ( + int(time.time()) + >= self.function_start_time + consts.FUNCTION_APP_TIMEOUT_SECONDS + ): + raise MimecastTimeoutException() + performance_details_response = self.make_rest_call( + method="POST", url=self.performance_details_url, json=request_body + ) + performance_details_data = performance_details_response["data"] + if len(performance_details_data) > 0: + next_page_token = performance_details_response["meta"][ + "pagination" + ].get("next", "") + next_page_token_flag = 
False + if next_page_token: + next_page_token_flag = True + checkpoint_token_updated = self.filter_unique_data_and_post( + performance_details_data, + self.hash_file_state_manager_obj, + consts.TABLE_NAME["PERFORMANCE_DETAILS"], + checkpoint_data, + self.state_manager_obj, + next_page_token_flag, + ) + if next_page_token: + request_body["meta"]["pagination"][ + "pageToken" + ] = next_page_token + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting page checkpoint : {}.".format(next_page_token), + ) + ) + checkpoint_data = { + "pageToken": next_page_token, + "date": datetime.datetime.utcnow().isoformat(), + } + self.post_checkpoint_data( + self.state_manager_obj, checkpoint_data + ) + else: + if checkpoint_token_updated: + del request_body["meta"]["pagination"]["pageToken"] + checkpoint_data = {} + else: + next_page = False + hash_data_to_save = self.convert_to_hash( + performance_details_data + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting hash checkpoint.", + ) + ) + self.post_checkpoint_data( + self.hash_file_state_manager_obj, hash_data_to_save + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "End of data.", + ) + ) + else: + next_page = False + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No data found.", + ) + ) + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + 
) + raise MimecastException() + except MimecastTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "function app 9:30 mins executed hence breaking.", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/SafeScoreDetails/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastAT/SafeScoreDetails/__init__.py new file mode 100644 index 00000000000..c38ba8280ed --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAT/SafeScoreDetails/__init__.py @@ -0,0 +1,21 @@ +"""Init module for PerformanceDetails.""" + +import datetime +import logging +import time +import azure.functions as func +from .mimecast_safe_score_details_to_sentinel import MimecastAwarenessSafeScore + + +def main(mytimer: func.TimerRequest) -> None: + """Driver method for awareness training performance details.""" + utc_timestamp = ( + datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + ) + function_start_time = time.time() + performance_details_obj = MimecastAwarenessSafeScore(function_start_time) + performance_details_obj.get_awareness_safe_score_details_data_in_sentinel() + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/SafeScoreDetails/function.json b/Solutions/Mimecast/Data Connectors/MimecastAT/SafeScoreDetails/function.json new file mode 100644 index 00000000000..36c1449c9e1 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAT/SafeScoreDetails/function.json 
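Review bot: The `except MimecastException: raise MimecastException()` handlers in both methods replace the caught exception with a fresh, message-less instance, so whatever the lower layer attached (and its traceback) is lost; a bare `raise` preserves it. The resumed-checkpoint branch logs the whole checkpoint dict at INFO, including `pageToken`; if that is an opaque server-side cursor this is harmless, but confirm it carries nothing sensitive before logging it verbatim. When a resumed run reaches the last page with `checkpoint_token_updated` true, the loop deletes `pageToken`, resets `checkpoint_data = {}` and continues from the first page; if that second full pull is intentional it deserves a comment such as `# resumed run finished: re-pull from page 1 to pick up rows missed before the checkpoint`. `datetime.datetime.utcnow()` in the saved checkpoint is deprecated in 3.12; `datetime.datetime.now(datetime.timezone.utc)` is the replacement.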
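Review bot: The SafeScore `__init__.py` is a copy of the PerformanceDetails one with the names left unchanged: the module docstring says `Init module for PerformanceDetails.`, `main`'s docstring says `performance details`, and the object is named `performance_details_obj` although it is a `MimecastAwarenessSafeScore`. Rename it to `safe_score_obj = MimecastAwarenessSafeScore(function_start_time)` and make both docstrings say SafeScore so logs and stack traces are not misleading. The same `datetime.datetime.utcnow()` deprecation noted for PerformanceDetails applies here.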
@@ -0,0 +1,11 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "%Schedule%"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/SafeScoreDetails/mimecast_safe_score_details_to_sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastAT/SafeScoreDetails/mimecast_safe_score_details_to_sentinel.py
new file mode 100644
index 00000000000..c354498fd3f
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/SafeScoreDetails/mimecast_safe_score_details_to_sentinel.py
@@ -0,0 +1,232 @@ +"""Get Mimecast Awareness Training SafeScore data and ingest into sentinel.""" + +import inspect +from ..SharedCode import consts +from ..SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from ..SharedCode.logger import applogger +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils +import time +import datetime +from tenacity import RetryError + + +class MimecastAwarenessSafeScore(Utils): + """Class for Mimecast Awareness Training SafeScore Details.""" + + def __init__(self, start_time) -> None: + """Initialize utility methods and variables. + + Args: + start_time (str): azure function starting time. + """ + super().__init__(consts.AWARENESS_SAFESCORE_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"BaseURL": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"MimecastClientID": consts.MIMECAST_CLIENT_ID}, + {"MimecastClientSecret": consts.MIMECAST_CLIENT_SECRET}, + {"ConnectionString": consts.CONN_STRING}, + {"LogLevel": consts.LOG_LEVEL}, + ] + ) + self.authenticate_mimecast_api() + self.state_manager_obj = StateManager( + consts.CONN_STRING, consts.SAFESCORE_CHECKPOINT_FILE, consts.FILE_SHARE_NAME + ) + self.hash_file_state_manager_obj = StateManager( + consts.CONN_STRING, consts.SAFESCORE_HASH_FILE, consts.FILE_SHARE_NAME + ) + self.safe_score_details_url = ( + consts.BASE_URL + consts.ENDPOINTS["SAFE_SCORE_DETAILS"] + ) + self.function_start_time = start_time + + def get_request_body_and_checkpoint(self): + """Get the request body and checkpoint data for pagination. + + Returns: + tuple: A dictionary containing the request body and the checkpoint data. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + request_body = {"meta": {"pagination": {"pageSize": consts.MAX_PAGE_SIZE}}} + checkpoint = self.get_checkpoint_data(self.state_manager_obj) + if checkpoint: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Page checkpoint found.", + ) + ) + pageToken = checkpoint.get("pageToken") + request_body["meta"]["pagination"]["pageToken"] = pageToken + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Page checkpoint data : {}.".format(checkpoint), + ) + ) + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Page checkpoint not found.", + ) + ) + return request_body, checkpoint + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_awareness_safe_score_details_data_in_sentinel(self): + """Get Mimecast awareness training safe_score details data and ingest to sentinel.""" + __method_name = inspect.currentframe().f_code.co_name + try: + request_body, checkpoint_data = self.get_request_body_and_checkpoint() + next_page = True + while next_page: + if ( + int(time.time()) + >= self.function_start_time + consts.FUNCTION_APP_TIMEOUT_SECONDS + ): + raise MimecastTimeoutException() + safe_score_details_response = self.make_rest_call( + method="POST", url=self.safe_score_details_url, json=request_body + ) + safe_score_details_data = safe_score_details_response["data"] + if len(safe_score_details_data) > 0: + next_page_token = safe_score_details_response["meta"][ + "pagination" + ].get("next", "") + next_page_token_flag = False + if next_page_token: + next_page_token_flag = True 
+ checkpoint_token_updated = self.filter_unique_data_and_post( + safe_score_details_data, + self.hash_file_state_manager_obj, + consts.TABLE_NAME["SAFE_SCORE_DETAILS"], + checkpoint_data, + self.state_manager_obj, + next_page_token_flag, + ) + if next_page_token: + request_body["meta"]["pagination"][ + "pageToken" + ] = next_page_token + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting page checkpoint : {}.".format(next_page_token), + ) + ) + checkpoint_data = { + "pageToken": next_page_token, + "date": datetime.datetime.utcnow().isoformat(), + } + self.post_checkpoint_data( + self.state_manager_obj, checkpoint_data + ) + else: + if checkpoint_token_updated: + del request_body["meta"]["pagination"]["pageToken"] + checkpoint_data = {} + else: + next_page = False + hash_data_to_save = self.convert_to_hash( + safe_score_details_data + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting hash checkpoint.", + ) + ) + self.post_checkpoint_data( + self.hash_file_state_manager_obj, + hash_data_to_save, + True, + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "End of data.", + ) + ) + else: + next_page = False + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No data found.", + ) + ) + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except 
MimecastTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "function app 9:30 mins executed hence breaking.", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/__init__.py new file mode 100644 index 00000000000..91361ed4c8b --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/__init__.py @@ -0,0 +1 @@ +"""This is init file to consider SharedCode as package.""" diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/consts.py b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/consts.py new file mode 100644 index 00000000000..9521c39b5d8 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/consts.py 
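Review bot: In `get_awareness_safe_score_details_data_in_sentinel` the `except MimecastException: raise MimecastException()` clause (and the same pattern in `get_request_body_and_checkpoint`) replaces the caught exception with a fresh, messageless instance, so whatever message and traceback the inner layer attached are gone by the time it reaches `main`; a bare `raise` keeps them. The branch where the last page arrives with `checkpoint_token_updated` true deletes `pageToken` from `request_body` and leaves `next_page` true, so the loop appears to go back to the first page and rely on the hash filter to drop already-ingested rows; if that restart-after-reset is intentional, a comment such as `# checkpoint was reset by filter_unique_data_and_post: re-walk from page one, the hash file dedupes` would stop the next reader from treating it as a bug. The reset decision itself is taken inside `filter_unique_data_and_post`, which is outside this hunk.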
@@ -0,0 +1,75 @@
+"""Module with constants and configurations for the Mimecast integration."""
+
+import os
+
+LOG_LEVEL = os.environ.get("LogLevel", "INFO")
+LOGS_STARTS_WITH = "Mimecast"
+LOG_FORMAT = "{}(method = {}) : {} : {}"
+
+
+# *Sentinel related constants
+WORKSPACE_KEY = os.environ.get("WorkspaceKey", "")
+WORKSPACE_ID = os.environ.get("WorkspaceID", "")
+FUNCTION_APP_TIMEOUT_SECONDS = 570
+
+# *Mimecast related constants
+MIMECAST_CLIENT_ID = os.environ.get("MimecastClientID", "")
+MIMECAST_CLIENT_SECRET = os.environ.get("MimecastClientSecret", "")
+MAX_PAGE_SIZE = 500
+BASE_URL = os.environ.get("BaseURL", "https://api.services.mimecast.com")
+ENDPOINTS = {
+ "OAUTH2": "/oauth/token",
+ "PERFORMANCE_DETAILS": "/api/awareness-training/company/get-performance-details",
+ "WATCHLIST_DETAILS": "/api/awareness-training/company/get-watchlist-details",
+ "SAFE_SCORE_DETAILS": "/api/awareness-training/company/get-safe-score-details",
+ "CAMPAIGN_DATA": "/api/awareness-training/phishing/campaign/get-campaign",
+ "USER_DATA": "/api/awareness-training/phishing/campaign/get-user-data",
+}
+
+TABLE_NAME = {
+ "PERFORMANCE_DETAILS": "Awareness_Performance_Details",
+ "USER_DATA": "Awareness_User_Data",
+ "WATCHLIST_DETAILS": "Awareness_Watchlist_Details",
+ "SAFE_SCORE_DETAILS": "Awareness_SafeScore_Details",
+}
+AWARENESS_PERFORMANCE_FUNCTION_NAME = "Awareness Training Performance Details"
+AWARENESS_WATCHLIST_FUNCTION_NAME = "Awareness Training Watchlist Details"
+AWARENESS_SAFESCORE_FUNCTION_NAME = "Awareness Training SafeScore Details"
+AWARENESS_USER_DATA_FUNCTION_NAME = "Awareness Training Phishing User Data"
+
+
+# *Error Messages for Exception
+UNEXPECTED_ERROR_MSG = "Unexpected error : Error-{}."
+HTTP_ERROR_MSG = "HTTP error : Error-{}."
+REQUEST_ERROR_MSG = "Request error : Error-{}."
+CONNECTION_ERROR_MSG = "Connection error : Error-{}."
+KEY_ERROR_MSG = "Key error : Error-{}."
+TYPE_ERROR_MSG = "Type error : Error-{}."
+VALUE_ERROR_MSG = "Value error : Error-{}."
+JSON_DECODE_ERROR_MSG = "JSONDecode error : Error-{}."
+TIME_OUT_ERROR_MSG = "Timeout error : Error-{}"
+MAX_RETRY_ERROR_MSG = "Max retries exceeded : {} Last exception: {}"
+
+
+# *checkpoint related constants
+CONN_STRING = os.environ.get("AzureWebJobsStorage", "")
+FILE_SHARE_NAME = os.environ.get("File_Share_Name", "mimecast-checkpoints")
+PERFORMANCE_CHECKPOINT_FILE = "performance_details"
+PERFORMANCE_HASH_FILE = "performance_details_hash"
+WATCHLIST_CHECKPOINT_FILE = "watchlist_details"
+WATCHLIST_HASH_FILE = "watchlist_details_hash"
+SAFESCORE_CHECKPOINT_FILE = "safescore_details"
+SAFESCORE_HASH_FILE = "safescore_details_hash"
+
+# *Extra constants
+MAX_RETRIES = 5
+SENTINEL_RETRY_COUNT = 3
+MAX_TIMEOUT_SENTINEL = 120
+INGESTION_ERROR_SLEEP_TIME = 30
+EXCEPTION_STATUS_CODE = [400, 403, 409]
+RETRY_STATUS_CODE = [429, 500, 503, 502, 509]
+MAX_SLEEP_TIME = 30
+MIN_SLEEP_TIME = 5
+BACKOFF_MULTIPLIER = 2
+CHECKPOINT_RESET_TIME = 12
+DATE_TIME_FORMAT = "%Y-%m-%d"
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/logger.py b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/logger.py
new file mode 100644
index 00000000000..3bcac77b9e4
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/logger.py
@@ -0,0 +1,23 @@
+"""Handle the logger."""
+
+import logging
+import sys
+from . import consts
+
+log_level = consts.LOG_LEVEL
+
+LOG_LEVELS = {
+ "DEBUG": logging.DEBUG,
+ "INFO": logging.INFO,
+ "WARNING": logging.WARNING,
+ "ERROR": logging.ERROR,
+}
+
+try:
+ applogger = logging.getLogger("azure")
+ applogger.setLevel(LOG_LEVELS.get(log_level.upper(), logging.INFO))
+except Exception:
+ applogger.setLevel(logging.INFO)
+finally:
+ handler = logging.StreamHandler(stream=sys.stdout)
+ applogger.addHandler(handler)
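Review bot: `BASE_URL` is read from the `BaseURL` app setting with no validation and is string-concatenated with the `ENDPOINTS` paths in the consumers, and the environment check elsewhere in this change only tests that it is non-empty, so a value such as `http://...` or one with a trailing slash would send the OAuth client credentials to a plain-HTTP endpoint or a malformed URL without any error at startup. Normalise and assert the scheme where the value is defined: `BASE_URL = os.environ.get("BaseURL", "https://api.services.mimecast.com").rstrip("/")` and, in the same module, `if not BASE_URL.startswith("https://"): raise ValueError("BaseURL must be an https:// URL")`. A short comment on `MAX_TIMEOUT_SENTINEL` noting that it is also the timeout for every Mimecast API call (as used in utils.py) would stop the name from misleading.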
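Review bot: The `finally:` block attaches a stdout handler to the logger named `"azure"` unconditionally, and that name is the parent namespace the Azure SDK clients created in state_manager.py log under, so at `LogLevel=DEBUG` the SDK's own HTTP request/response logging would presumably be emitted through this handler too, and if the Functions host already has a handler on that logger every line is printed twice. Use a dedicated name and guard the attach: `applogger = logging.getLogger("mimecast")` and `if not applogger.handlers: applogger.addHandler(handler)`. The `except Exception` branch references `applogger` before it could have been bound if `getLogger` had raised, so it is effectively dead and can be dropped.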
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/mimecast_exception.py b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/mimecast_exception.py
new file mode 100644
index 00000000000..53c1f7257f8
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/mimecast_exception.py
@@ -0,0 +1,25 @@
+"""This File contains custom Exception class for Mimecast."""
+
+
+class MimecastException(Exception):
+ """Exception class to handle Mimecast exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Mimecast exception with custom message."""
+ super().__init__(message)
+
+
+class MimecastTimeoutException(Exception):
+ """Exception class to handle Mimecast exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Mimecast exception with custom message."""
+ super().__init__(message)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/sentinel.py
new file mode 100644
index 00000000000..0f399fdef5c
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/sentinel.py
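Review bot: `MimecastTimeoutException`'s docstring is a verbatim copy of `MimecastException`'s, yet the two are handled very differently elsewhere in this change: the timeout one is raised when the 570-second execution budget is reached and makes the collector return cleanly so the next timer run resumes from the checkpoint, while the other aborts the invocation. Document that contract on the class: `"""Raised when the function-app execution budget (FUNCTION_APP_TIMEOUT_SECONDS) is about to run out; collectors catch it and return so the next run resumes from the saved checkpoint."""`. Both `__init__` methods only forward `message` to `Exception.__init__`, which is the base behaviour anyway, so they can be removed and each class reduced to its docstring.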
@@ -0,0 +1,272 @@ +"""This file contains methods for creating microsoft custom log table.""" + +import base64 +import requests +import hashlib +import hmac +import time +import inspect +import datetime +from .logger import applogger +from SharedCode.state_manager import StateManager +from . import consts +from .mimecast_exception import MimecastException +from urllib3.exceptions import NameResolutionError + + +def build_signature( + date, + content_length, + method, + content_type, + resource, +): + """To build signature which is required in header.""" + x_headers = "x-ms-date:" + date + string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource + bytes_to_hash = bytes(string_to_hash, encoding="utf-8") + decoded_key = base64.b64decode(consts.WORKSPACE_KEY) + encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode() + authorization = "SharedKey {}:{}".format(consts.WORKSPACE_ID, encoded_hash) + + return authorization + + +def post_data(body, log_type): + """Build and send a request to the POST API. + + Args: + body (str): Data to post into Sentinel log analytics workspace + log_type (str): Custom log table name in which data wil be added. + + Returns: + status_code: Returns the response status code got while posting data to sentinel. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") + content_length = len(body) + try: + signature = build_signature( + rfc1123date, + content_length, + method, + content_type, + resource, + ) + except Exception as err: + applogger.error( + "{}(method={}) : Error in build signature -{}".format( + consts.LOGS_STARTS_WITH, + __method_name, + err, + ) + ) + raise MimecastException() + uri = "https://" + consts.WORKSPACE_ID + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01" + + headers = { + "content-type": content_type, + "Authorization": signature, + "Log-Type": log_type, + "x-ms-date": rfc1123date, + } + retry_count = 0 + while retry_count < consts.SENTINEL_RETRY_COUNT: + try: + response = requests.post(uri, data=body, headers=headers, timeout=consts.MAX_TIMEOUT_SENTINEL) + + result = handle_response(response, body, log_type) + if result is not False: + return result + retry_count += 1 + continue + + except requests.exceptions.ConnectionError as error: + try: + if isinstance(error.args[0].reason, NameResolutionError): + applogger.error( + "{}(method={}) : {} : Workspace ID is wrong: {}, Sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except Exception as unknown_connect_error: + applogger.error( + "{}(method={}) : {} : Unknown Error in ConnectionError: {}, Sleeping for {} seconds." 
+ " and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + unknown_connect_error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + applogger.error( + "{}(method={}) : {} : Unknown Connection Error, sleeping - {} seconds and retrying.. Error - {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + consts.INGESTION_ERROR_SLEEP_TIME, + error, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.exceptions.Timeout as error: + applogger.error( + "{}(method={}) : {} : sleeping - {} seconds and retrying.. Timeout Error: {}".format( + consts.LOGS_STARTS_WITH, __method_name, log_type, consts.INGESTION_ERROR_SLEEP_TIME, error + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.RequestException as error: + applogger.error( + "{}(method={}) : {} : Request Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, __method_name, log_type, error + ) + ) + raise MimecastException() + applogger.error( + "{}(method={}) : {} : Maximum Retry count of {} exceeded, hence stopping execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + consts.SENTINEL_RETRY_COUNT, + ) + ) + raise MimecastException() + + +def handle_response(response, body, log_type): + """Handle the response from Azure Sentinel.""" + try: + __method_name = inspect.currentframe().f_code.co_name + if response.status_code >= 200 and response.status_code <= 299: + applogger.debug( + "{}(method={}) : Status_code: {} Accepted: Data Posted Successfully to azure sentinel.".format( + consts.LOGS_STARTS_WITH, + __method_name, + response.status_code, + 
) + ) + return response.status_code + elif response.status_code == 400: + applogger.error( + "{}(method={}) : {} : Response code: {} from posting data to log analytics. Error: Response: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + ) + ) + curent_corrupt_data_obj = StateManager( + consts.CONN_STRING, + "{}-Ingest-To-Sentinel-Corrupt_{}".format(log_type, str(int(time.time()))), + consts.FILE_SHARE_NAME, + ) + curent_corrupt_data_obj.post(body) + raise MimecastException() + elif response.status_code == 403: + applogger.error( + "{}(method={}) : {} : Response code :{} Error occurred for build signature: Response: {} " + "Issue with WorkspaceKey ,Kindly verify your WorkspaceKey".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + ) + ) + raise MimecastException() + elif response.status_code == 429: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Too many request: Response: {} . " + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + elif response.status_code == 500: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Internal Server Error: Response: {} . " + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + elif response.status_code == 503: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Service Unavailable: Response: {} . 
" + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + applogger.error( + "{}(method={}) : {} : Response code: {} from posting data to log analytics. Response: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/state_manager.py b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/state_manager.py new file mode 100644 index 00000000000..0bfe9819ce1 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/state_manager.py 
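Review bot: `post_data` signs `content_length = len(body)` but then sends `body` unchanged via `requests.post(..., data=body)`; if `body` is a `str` containing any non-ASCII character, `len` counts code points while the Content-Length actually put on the wire counts UTF-8 bytes, so the SharedKey signature will not verify and the post fails with 403, which `handle_response` then misreports as a bad WorkspaceKey. Encode once and use the byte length for both the signature and the request: `body = body.encode("utf-8") if isinstance(body, str) else body` before `content_length = len(body)`. The type of `body` is decided by the caller in utils.py, outside this hunk, so confirm there. Separately, `from SharedCode.state_manager import StateManager` is the only absolute import in the package — every sibling uses the relative `from .state_manager import StateManager` — and it only resolves when the function-app root happens to be on `sys.path`.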
@@ -0,0 +1,69 @@
+"""This module will help to save file to state manager."""
+
+from azure.storage.fileshare import ShareClient
+from azure.storage.fileshare import ShareFileClient
+from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError
+
+
+class StateManager:
+ """State manager class for specific operation.
+
+ This class will help to manage the state of the operation
+ by saving and getting data from Azure Storage.
+
+ Args:
+ connection_string (str): Azure Storage connection string.
+ file_path (str): File path on the share.
+ share_name (str): Name of the share.
+ """
+
+ def __init__(self, connection_string, file_path, share_name):
+ """Initialize the share_cli and file_cli."""
+ self.share_cli = ShareClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name
+ )
+ self.file_cli = ShareFileClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name, file_path=file_path
+ )
+
+ def post(self, marker_text: str):
+ """Post method for posting the data to Azure Storage.
+
+ This method will upload the given text to the
+ Azure Storage as a file.
+
+ Args:
+ marker_text (str): String to be saved in the file.
+ """
+ try:
+ self.file_cli.upload_file(marker_text)
+ except ResourceNotFoundError:
+ try:
+ self.share_cli.create_share()
+ self.file_cli.upload_file(marker_text)
+ except ResourceExistsError:
+ self.file_cli.upload_file(marker_text)
+
+ def get(self):
+ """Get method for getting the data from Azure Storage.
+
+ This method will download the file from Azure Storage
+ and return the contents as a string.
+
+ Returns:
+ str: The contents of the file.
+ """
+ try:
+ return self.file_cli.download_file().readall().decode()
+ except ResourceNotFoundError:
+ return None
+
+ def delete(self):
+ """Delete method for deleting the data from Azure Storage.
+
+ This method will delete the file from Azure Storage.
+ """
+ try:
+ self.file_cli.delete_file()
+ except ResourceNotFoundError:
+ raise ResourceNotFoundError("File not found to be deleted.")
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/utils.py b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/utils.py
new file mode 100644
index 00000000000..99b2837bf15
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/SharedCode/utils.py
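Review bot: `post` treats a `ResourceNotFoundError` from the first `upload_file` as "the share is missing", creates the share and retries once, but a not-found raised for any other reason (a `file_path` with a directory component that was never created, or a share removed between the two calls) escapes from the second `upload_file`, and the callers in utils.py only wrap it into a generic `MimecastException`. That is fine for the flat file names this change uses (`safescore_details`, `<table>-Ingest-To-Sentinel-Corrupt_<ts>`), but the assumption should be written down next to the retry: `# only the share is auto-created; file_path must be a flat name, nested directories are not created`. The same note belongs in the class docstring's `file_path` entry so a future caller does not pass `dir/name`.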
@@ -0,0 +1,881 @@ +"""Utils File.""" + +import inspect +import requests +import json +from json.decoder import JSONDecodeError +import hashlib +from .state_manager import StateManager +from .mimecast_exception import MimecastException +from .logger import applogger +from . import consts +from ..SharedCode.sentinel import post_data +from tenacity import ( + retry, + stop_after_attempt, + wait_exponential, + retry_if_exception_type, + retry_if_result, + retry_any, + RetryError, +) +from requests.exceptions import ConnectionError +import datetime + + +def retry_on_status_code(response): + """Check and retry based on a list of status codes. + + Args: + response (): API response is passed + + Returns: + Bool: if given status code is in list then true else false + """ + __method_name = inspect.currentframe().f_code.co_name + if isinstance(response, dict): + return False + if response.status_code in consts.RETRY_STATUS_CODE: + applogger.info( + "{}(method={}) : Retrying due to status code : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + response.status_code, + ) + ) + return True + return False + + +class Utils: + """Utils Class.""" + + def __init__(self, azure_function_name) -> None: + """Init Function.""" + self.azure_function_name = azure_function_name + self.log_format = consts.LOG_FORMAT + self.headers = {} + self.first_page = True + + def check_environment_var_exist(self, environment_var): + """Check the existence of required environment variables. + + Logs the validation process and completion. Raises MimecastException if any required field is missing. 
+ + Args: + environment_var(list) : variables to check for existence + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validating Environment Variables.", + ) + ) + missing_required_field = False + for var in environment_var: + key, val = next(iter(var.items())) + if not val: + missing_required_field = True + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Environment variable {} is not set.".format(key), + ) + ) + if missing_required_field: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation failed.", + ) + ) + raise MimecastException() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation Complete.", + ) + ) + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_checkpoint_data(self, checkpoint_obj: StateManager, load_flag=True): + """Get checkpoint data from a StateManager object. + + Args: + checkpoint_obj (StateManager): The StateManager object to retrieve checkpoint data from. + load_flag (bool): A flag indicating whether to load the data as JSON (default is True). + + Returns: + The retrieved checkpoint data. 
+ + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Fetching checkpoint data.", + ) + ) + checkpoint_data = checkpoint_obj.get() + if load_flag and checkpoint_data: + checkpoint_data = json.loads(checkpoint_data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint data fetched.", + ) + ) + return checkpoint_data + except json.decoder.JSONDecodeError as json_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format(json_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def post_checkpoint_data(self, checkpoint_obj: StateManager, data, dump_flag=True): + """Post checkpoint data. + + It post the data to a checkpoint object based on the dump_flag parameter. + + Args: + checkpoint_obj (StateManager): The StateManager object to post data to. + data: The data to be posted. + dump_flag (bool): A flag indicating whether to dump the data as JSON before posting (default is True). 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + if dump_flag: + checkpoint_obj.post(json.dumps(data)) + else: + checkpoint_obj.post(data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint posted to azure storage.", + ) + ) + except TypeError as type_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(type_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + @retry( + stop=stop_after_attempt(consts.MAX_RETRIES), + wait=wait_exponential( + multiplier=consts.BACKOFF_MULTIPLIER, + min=consts.MIN_SLEEP_TIME, + max=consts.MAX_SLEEP_TIME, + ), + retry=retry_any( + retry_if_result(retry_on_status_code), + retry_if_exception_type(ConnectionError), + ), + before_sleep=lambda retry_state: applogger.error( + "{}(method = {}) : Retrying after {} seconds, attempt number : {} ".format( + consts.LOGS_STARTS_WITH, + " Retry Decorator", + retry_state.upcoming_sleep, + retry_state.attempt_number, + ) + ), + ) + def make_rest_call( + self, method, url, params=None, data=None, json=None, check_retry=True + ): + """Make a rest call. + + Args: + url (str): The URL to make the call to. + method (str): The HTTP method to use for the call. + params (dict, optional): The parameters to pass in the call (default is None). + data (dict, optional): The body(in x-www-form-urlencoded formate) of the request (default is None). + json (dict, optional): The body(in row formate) of the request (default is None). + check_retry (bool, optional): A flag indicating whether to check for retry (default is True). + + Returns: + dict: The JSON response if the call is successful. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Rest Call, Method :{}, url: {}".format(method, url), + ) + ) + + response = requests.request( + method, + url, + headers=self.headers, + params=params, + data=data, + json=json, + timeout=consts.MAX_TIMEOUT_SENTINEL, + ) + if response.status_code >= 200 and response.status_code <= 299: + response_json = response.json() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Success, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_success(response_json) + return response_json + elif response.status_code == 400: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Bad Request = {}, Status code : {}".format( + response.text, response.status_code + ), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 401: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unauthorized, Status code : {}".format(response.status_code), + ) + ) + response_json = response.json() + fail_json = response_json.get("fail", []) + error_code = None + error_message = None + if fail_json: + error_code = fail_json[0].get("code") + error_message = fail_json[0].get("message") + if check_retry: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating new token, Error message = {}, Error code = {}".format( + error_message, error_code + ), + ) + ) + check_retry = False + self.authenticate_mimecast_api(check_retry) + return self.make_rest_call( + method, url=url, json=json, check_retry=check_retry + ) + else: + applogger.error( + self.log_format.format( + 
consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retry reached for generating access token," + "Error message = {}, Error code = {}".format( + error_message, error_code + ), + ) + ) + raise MimecastException() + elif response.status_code == 403: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Forbidden, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 404: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Not Found, URL : {}, Status code : {}".format( + url, response.status_code + ), + ) + ) + raise MimecastException() + elif response.status_code == 409: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Conflict, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 429: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Too Many Requests, Status code : {} ".format( + response.status_code + ), + ) + ) + return response + elif response.status_code == 500: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Internal Server Error, Status code : {}".format( + response.status_code + ), + ) + ) + return self.handle_failed_response_for_failure(response) + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unexpected Error = {}, Status code : {}".format( + response.text, response.status_code + ), + ) + ) + raise MimecastException() + + except MimecastException: + raise MimecastException() + except requests.exceptions.Timeout as error: + applogger.error( + 
self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TIME_OUT_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except JSONDecodeError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format( + "{}, API Response = {}".format(error, response.text) + ), + ) + ) + raise MimecastException() + except requests.ConnectionError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.CONNECTION_ERROR_MSG.format(error), + ) + ) + raise ConnectionError() + except requests.RequestException as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.REQUEST_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def handle_failed_response_for_failure(self, response): + """Handle the failed response for failure status codes. + + If request get authentication error it will regenerate the access token. + + Args: + response_json (dict): The JSON response from the API. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + response_json = response.json() + error_message = response_json + fail_json = response_json.get("fail", []) + error_json = response_json.get("error") + if fail_json: + error_message = fail_json[0].get("message") + elif error_json: + error_message = error_json.get("message") + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error_message, + ) + ) + if response.status_code in consts.EXCEPTION_STATUS_CODE: + raise MimecastException() + + return response + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def handle_failed_response_for_success(self, response_json): + """Handle the failed response for a successful request. + + Check if there is failure in success response or not. + + Args: + response_json (dict): The JSON response from the request. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + fail_json = response_json.get("fail", []) + if fail_json: + try: + error_message = fail_json[0].get("errors")[0].get("message") + except (KeyError, IndexError, ValueError, TypeError): + error_message = fail_json + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Failed response message = {}.".format(error_message), + ) + ) + raise MimecastException() + else: + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No failed response found.", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def authenticate_mimecast_api(self, check_retry=True): + """Authenticate mimecast endpoint generate access token and update header. + + Args: + check_retry (bool): Flag for retry of generating access token. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + body = { + "client_id": consts.MIMECAST_CLIENT_ID, + "client_secret": consts.MIMECAST_CLIENT_SECRET, + "grant_type": "client_credentials", + } + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating access token.", + ) + ) + self.headers = {} + url = "{}{}".format(consts.BASE_URL, consts.ENDPOINTS["OAUTH2"]) + response = self.make_rest_call( + method="POST", url=url, data=body, check_retry=check_retry + ) + if "access_token" in response: + access_token = response.get("access_token") + self.headers.update( + { + "Content-Type": "application/json", + "Authorization": "Bearer {}".format(access_token), + } + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Successfully generated access token and header updated.", + ) + ) + return + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error occurred while fetching the access token from the response = {}.".format( + response + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def 
convert_to_hash(self, data_to_hash): + """Convert json data records to hash. + + Args: + data_to_hash (list): list of data to hash + + Returns: + list: hashed data list + """ + __method_name = inspect.currentframe().f_code.co_name + hashed_data = [] + for record in data_to_hash: + try: + json_string = json.dumps(record) + res_hash = hashlib.sha256( + json_string.encode("utf-8", errors="replace") + ).hexdigest() + hashed_data.append(res_hash) + except TypeError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(err), + ) + ) + continue + except ValueError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.VALUE_ERROR_MSG.format(err), + ) + ) + continue + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + continue + return hashed_data + + def compare_data_with_checkpoint(self, data_to_compare, state_manager_obj): + """Compare data with checkpoint hash and return unique records. + + Args: + data_to_compare (list): list of data to compare + state_manager_obj (Statemanager): statemanager object to get checkpoint hash data + + Returns: + list: list of unique data. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + hashed_data = self.convert_to_hash(data_to_compare) + checkpoint_hash_list = self.get_checkpoint_data(state_manager_obj, True) + if checkpoint_hash_list: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Found hashed data checkpoint.", + ) + ) + hash_record = { + hashed_data[i]: record for i, record in enumerate(data_to_compare) + } + unique_hashes = set(hashed_data) - set(checkpoint_hash_list) + unique_data = [hash_record[hash] for hash in unique_hashes] + return unique_data + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Hashed data checkpoint not found.", + ) + ) + return data_to_compare + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def filter_unique_data_and_post( + self, + data_to_post, + hash_file_state_manager_obj, + table_name, + checkpoint_data, + checkpoint_obj, + next_page_token_flag, + ): + """Filter unique data from the given data and post it to Azure Sentinel Log Analytics. + + Args: + data_to_post (list): The data to be posted to azure Sentinel log analytics. + hash_file_state_manager_obj (StateManager): The StateManager object to retrieve hash checkpoint data. + table_name (str): The custom log table name in which data will be added. + checkpoint_data (dict): The checkpoint data to be updated. + checkpoint_obj (StateManager): The StateManager object to post checkpoint data to. + next_page_token_flag (bool): A flag indicating whether a next page token is present. + + Returns: + bool: True if checkpoint data is deleted, otherwise False. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + if self.first_page: + data_to_post = self.compare_data_with_checkpoint( + data_to_post, hash_file_state_manager_obj + ) + self.first_page = False + if len(data_to_post) > 0: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting data to azure Sentinel log analytics, data count : {}.".format( + len(data_to_post) + ), + ) + ) + post_data(json.dumps(data_to_post), log_type=table_name) + if not next_page_token_flag: + if checkpoint_data: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "New data found in same last page, so resetting checkpoint", + ) + ) + checkpoint_data.update( + {"date": datetime.datetime.utcnow().isoformat()} + ) + else: + checkpoint_data = { + "date": datetime.datetime.utcnow().isoformat() + } + self.post_checkpoint_data(checkpoint_obj, checkpoint_data) + return False + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data already posted to sentinel, no new data found.", + ) + ) + return self.compare_last_pagetoken_time( + checkpoint_data, checkpoint_obj, hash_file_state_manager_obj + ) + + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def compare_last_pagetoken_time( + self, checkpoint_data, checkpoint_obj, hash_file_state_manager_obj + ): + """Compare last page token time with current time. + + Args: + checkpoint_data (dict): checkpoint data + checkpoint_obj (StateManager): The StateManager object to post checkpoint data to. + hash_file_state_manager_obj (StateManager): The StateManager object to retrieve hash checkpoint data. 
+ + Returns: + checkpoint_data (dict): checkpoint data + """ + __method_name = inspect.currentframe().f_code.co_name + try: + if checkpoint_data: + last_page_token_time = checkpoint_data.get("date") + if ( + last_page_token_time + and datetime.datetime.utcnow() + - datetime.datetime.fromisoformat(last_page_token_time) + >= datetime.timedelta(hours=consts.CHECKPOINT_RESET_TIME) + ): + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Last date time more than 12 hours old, so resetting checkpoints", + ) + ) + checkpoint_data = {} + self.post_checkpoint_data(checkpoint_obj, checkpoint_data) + self.post_checkpoint_data( + hash_file_state_manager_obj, checkpoint_data + ) + return True + return False + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/UserData/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastAT/UserData/__init__.py new file mode 100644 index 00000000000..660ac58fc46 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAT/UserData/__init__.py @@ -0,0 +1,21 @@ +"""Init module for UserData.""" + +import datetime +import logging +import time +import azure.functions as func +from .mimecast_user_data_to_sentinel import MimecastAwarenessUserData + + +def main(mytimer: func.TimerRequest) -> None: + """Driver method for awareness training user data.""" + utc_timestamp = ( + datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + ) + function_start_time = time.time() + user_data_obj = MimecastAwarenessUserData(function_start_time) + user_data_obj.get_awareness_user_data_in_sentinel() + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) 
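Review bot: `if mytimer.past_due:` is evaluated only after `user_data_obj.get_awareness_user_data_in_sentinel()` has returned, so the past-due notice is logged minutes after the fact on a long run and not at all when the ingestion raises, which defeats its purpose of correlating missed schedules. Move the check to the top of `main`, before the `MimecastAwarenessUserData(function_start_time)` call, and compute `utc_timestamp` next to it. It is also worth a one-line comment that exceptions from the constructor and the ingestion call are deliberately left to propagate so the Functions host records the invocation as failed, e.g. `# Errors propagate on purpose: a failed invocation must not be reported as a success.`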
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/UserData/function.json b/Solutions/Mimecast/Data Connectors/MimecastAT/UserData/function.json
new file mode 100644
index 00000000000..7daae7c9be7
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/UserData/function.json
@@ -0,0 +1,11 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "0 0 */12 * * *"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/UserData/mimecast_user_data_to_sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastAT/UserData/mimecast_user_data_to_sentinel.py
new file mode 100644
index 00000000000..700c8652122
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/UserData/mimecast_user_data_to_sentinel.py
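Review bot: The UserData timer is hard-wired to `"schedule": "0 0 */12 * * *"`, whereas the sibling WatchlistDetails binding uses `"schedule": "%Schedule%"` and the deployment template in this same change exposes a `Schedule` parameter, so an operator who tunes that parameter will reasonably expect both functions to follow it. If a fixed 12-hour cadence is intentional for this function (the per-campaign user export can be large), state that in the connector documentation; otherwise bind it to an app setting like the other function, e.g. `"schedule": "%Schedule%"`, or a dedicated `%UserDataSchedule%` with its own template parameter.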
@@ -0,0 +1,248 @@ +"""Get Mimecast Awareness Training phishing campaigns user data and ingest into sentinel.""" + +import inspect +from ..SharedCode import consts +from ..SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from ..SharedCode.logger import applogger +from ..SharedCode.utils import Utils +from ..SharedCode.sentinel import post_data +import json +import time +from tenacity import RetryError + + +class MimecastAwarenessUserData(Utils): + """Class for Mimecast Awareness Training phishing campaigns user data.""" + + def __init__(self, start_time) -> None: + """Initialize utility methods and variables.""" + super().__init__(consts.AWARENESS_USER_DATA_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"BaseURL": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"MimecastClientID": consts.MIMECAST_CLIENT_ID}, + {"MimecastClientSecret": consts.MIMECAST_CLIENT_SECRET}, + {"ConnectionString": consts.CONN_STRING}, + {"LogLevel": consts.LOG_LEVEL}, + ] + ) + self.authenticate_mimecast_api() + self.get_campaign_url = consts.BASE_URL + consts.ENDPOINTS["CAMPAIGN_DATA"] + self.get_user_url = consts.BASE_URL + consts.ENDPOINTS["USER_DATA"] + self.function_start_time = start_time + + def fetch_user_data_for_campaigns(self, campaign_id): + """Get mimecast phishing user data from given campaign. + + Args: + campaign (dict): campaign for which user data to be fetched. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + request_body = { + "data": [{"id": campaign_id}], + "meta": {"pagination": {"pageSize": consts.MAX_PAGE_SIZE}}, + } + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Fetching user data for campaign : {}.".format(campaign_id), + ) + ) + next_page = True + total_user_count = 0 + while next_page: + if ( + int(time.time()) + >= self.function_start_time + consts.FUNCTION_APP_TIMEOUT_SECONDS + ): + raise MimecastTimeoutException() + user_data_response = self.make_rest_call( + method="POST", url=self.get_user_url, json=request_body + ) + user_data = user_data_response.get("data", []) + if len(user_data) > 0 and len(user_data[0].get("items", [])) > 0: + total_user_count += len(user_data[0]["items"]) + user_data_items = user_data[0]["items"] + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting data to azure Sentinel log analytics, data count : {}.".format( + len(user_data_items) + ), + ) + ) + post_data( + json.dumps(user_data_items), + log_type=consts.TABLE_NAME["USER_DATA"], + ) + next_page_token = user_data_response["meta"]["pagination"].get( + "next", "" + ) + if next_page_token: + request_body["meta"]["pagination"][ + "pageToken" + ] = next_page_token + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Found next in response : {}.".format(next_page_token), + ) + ) + else: + next_page = False + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "End of user data for campaign id : {}.".format( + campaign_id + ), + ) + ) + else: + next_page = False + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No user data found for campaign : {}.".format(campaign_id), + ) + ) 
+ applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Total user count : {} for campaign : {}.".format( + total_user_count, campaign_id + ), + ) + ) + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except MimecastTimeoutException: + raise MimecastTimeoutException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_awareness_user_data_in_sentinel(self): + """Get Mimecast Awareness Training phishing campaigns user data and ingest to sentinel.""" + __method_name = inspect.currentframe().f_code.co_name + try: + campaigns_response = self.make_rest_call( + method="POST", url=self.get_campaign_url + ) + campaigns_data = campaigns_response["data"] + if len(campaigns_data) > 0: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Awareness Training Phishing User Data : Found {} Phishing Campaigns ids".format( + len(campaigns_data) + ), + ) + ) + for campaign in campaigns_data: + if ( + int(time.time()) + >= self.function_start_time + + consts.FUNCTION_APP_TIMEOUT_SECONDS + ): + raise MimecastTimeoutException() + self.fetch_user_data_for_campaigns(campaign["id"]) + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + 
self.azure_function_name, + "No Phishing Campaigns found.", + ) + ) + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except MimecastTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "function app 9:30 mins executed hence breaking.", + ) + ) + return + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/WatchlistDetails/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastAT/WatchlistDetails/__init__.py new file mode 100644 index 00000000000..7652272f301 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAT/WatchlistDetails/__init__.py 
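Review bot: `get_awareness_user_data_in_sentinel` iterates `campaigns_data` from the first element on every run and `fetch_user_data_for_campaigns` keeps no checkpoint, so when `MimecastTimeoutException` fires the run just returns and the next run starts over from campaign one; for a tenant whose campaigns cannot all be exported within a single invocation the campaigns past the cut-off are never ingested, while those before it are re-posted to the `USER_DATA` table on every run. Persist progress the way the WatchlistDetails function in this change does: a StateManager checkpoint holding the last completed campaign id (and, inside a campaign, the current `pageToken`), written after each `post_data`, consulted before the loop and cleared once all campaigns have been processed. Separately, `"Found next in response : {}".format(next_page_token)` writes the opaque pagination token to the trace at info level; the value is not useful operationally and belongs at debug, e.g. `applogger.debug(... "Next page token found in response.")`.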
@@ -0,0 +1,21 @@
+"""Init module for PerformanceDetails."""
+
+import datetime
+import logging
+import time
+import azure.functions as func
+from .mimecast_watchlist_details_to_sentinel import MimecastAwarenessWatchlist
+
+
+def main(mytimer: func.TimerRequest) -> None:
+ """Driver method for awareness training performance details."""
+ utc_timestamp = (
+ datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+ )
+ function_start_time = time.time()
+ performance_details_obj = MimecastAwarenessWatchlist(function_start_time)
+ performance_details_obj.get_awareness_watchlist_details_data_in_sentinel()
+ if mytimer.past_due:
+ logging.info("The timer is past due!")
+
+ logging.info("Python timer trigger function ran at %s", utc_timestamp)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/WatchlistDetails/function.json b/Solutions/Mimecast/Data Connectors/MimecastAT/WatchlistDetails/function.json
new file mode 100644
index 00000000000..36c1449c9e1
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/WatchlistDetails/function.json
@@ -0,0 +1,11 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "%Schedule%"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/WatchlistDetails/mimecast_watchlist_details_to_sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastAT/WatchlistDetails/mimecast_watchlist_details_to_sentinel.py
new file mode 100644
index 00000000000..f8113e35770
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/WatchlistDetails/mimecast_watchlist_details_to_sentinel.py
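Review bot: The module and function docstrings in `WatchlistDetails/__init__.py` describe a different function — `"""Init module for PerformanceDetails."""` and `"""Driver method for awareness training performance details."""` — and the local is named `performance_details_obj` although it holds a `MimecastAwarenessWatchlist`; this reads as a copy-paste from another trigger and will mislead whoever debugs the watchlist ingestion. Change them to `"""Init module for WatchlistDetails."""`, `"""Driver method for awareness training watchlist details."""` and `watchlist_details_obj`. As in the UserData trigger, `if mytimer.past_due:` would be more useful evaluated before the ingestion call rather than after it.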
@@ -0,0 +1,232 @@ +"""Get Mimecast Awareness Training Watchlist data and ingest into sentinel.""" + +import inspect +from ..SharedCode import consts +from ..SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from ..SharedCode.logger import applogger +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils +import time +import datetime +from tenacity import RetryError + + +class MimecastAwarenessWatchlist(Utils): + """Class for Mimecast Awareness Training Watchlist Details.""" + + def __init__(self, start_time) -> None: + """Initialize utility methods and variables. + + Args: + start_time (str): azure function starting time. + """ + super().__init__(consts.AWARENESS_WATCHLIST_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"BaseURL": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"MimecastClientID": consts.MIMECAST_CLIENT_ID}, + {"MimecastClientSecret": consts.MIMECAST_CLIENT_SECRET}, + {"ConnectionString": consts.CONN_STRING}, + {"LogLevel": consts.LOG_LEVEL}, + ] + ) + self.authenticate_mimecast_api() + self.state_manager_obj = StateManager( + consts.CONN_STRING, consts.WATCHLIST_CHECKPOINT_FILE, consts.FILE_SHARE_NAME + ) + self.hash_file_state_manager_obj = StateManager( + consts.CONN_STRING, consts.WATCHLIST_HASH_FILE, consts.FILE_SHARE_NAME + ) + self.watchlist_details_url = ( + consts.BASE_URL + consts.ENDPOINTS["WATCHLIST_DETAILS"] + ) + self.function_start_time = start_time + + def get_request_body_and_checkpoint(self): + """Get the request body and checkpoint data for pagination. + + Returns: + tuple: A dictionary containing the request body and the checkpoint data. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + request_body = {"meta": {"pagination": {"pageSize": consts.MAX_PAGE_SIZE}}} + checkpoint = self.get_checkpoint_data(self.state_manager_obj) + if checkpoint: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Page checkpoint found.", + ) + ) + pageToken = checkpoint.get("pageToken") + request_body["meta"]["pagination"]["pageToken"] = pageToken + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Page checkpoint data : {}.".format(checkpoint), + ) + ) + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Page checkpoint not found.", + ) + ) + return request_body, checkpoint + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_awareness_watchlist_details_data_in_sentinel(self): + """Get Mimecast awareness training watchlist details data and ingest to sentinel.""" + __method_name = inspect.currentframe().f_code.co_name + try: + request_body, checkpoint_data = self.get_request_body_and_checkpoint() + next_page = True + while next_page: + if ( + int(time.time()) + >= self.function_start_time + consts.FUNCTION_APP_TIMEOUT_SECONDS + ): + raise MimecastTimeoutException() + watchlist_details_response = self.make_rest_call( + method="POST", url=self.watchlist_details_url, json=request_body + ) + watchlist_details_data = watchlist_details_response["data"] + if len(watchlist_details_data) > 0: + next_page_token = watchlist_details_response["meta"][ + "pagination" + ].get("next", "") + next_page_token_flag = False + if next_page_token: + next_page_token_flag = True + 
checkpoint_token_updated = self.filter_unique_data_and_post( + watchlist_details_data, + self.hash_file_state_manager_obj, + consts.TABLE_NAME["WATCHLIST_DETAILS"], + checkpoint_data, + self.state_manager_obj, + next_page_token_flag, + ) + if next_page_token: + request_body["meta"]["pagination"][ + "pageToken" + ] = next_page_token + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting page checkpoint : {}.".format(next_page_token), + ) + ) + checkpoint_data = { + "pageToken": next_page_token, + "date": datetime.datetime.utcnow().isoformat(), + } + self.post_checkpoint_data( + self.state_manager_obj, checkpoint_data + ) + else: + if checkpoint_token_updated: + del request_body["meta"]["pagination"]["pageToken"] + checkpoint_data = {} + else: + next_page = False + hash_data_to_save = self.convert_to_hash( + watchlist_details_data + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting hash checkpoint.", + ) + ) + self.post_checkpoint_data( + self.hash_file_state_manager_obj, + hash_data_to_save, + True, + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "End of data.", + ) + ) + else: + next_page = False + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No data found.", + ) + ) + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except 
MimecastTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "function app 9:30 mins executed hence breaking.", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/azuredeploy_Connector_MimecastAT_AzureFunction.json b/Solutions/Mimecast/Data Connectors/MimecastAT/azuredeploy_Connector_MimecastAT_AzureFunction.json new file mode 100644 index 00000000000..ec265396c4a --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAT/azuredeploy_Connector_MimecastAT_AzureFunction.json 
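Review bot: In `get_request_body_and_checkpoint`, `pageToken = checkpoint.get("pageToken")` is copied into the request body unconditionally, but the page checkpoint written by `filter_unique_data_and_post` for a single-page result that never had a `next` token only contains `{"date": ...}`, so the following run sends `"pageToken": null` to the watchlist endpoint; whether Mimecast tolerates a null token is not established here, and if it answers 400 the connector fails on every run until the `CHECKPOINT_RESET_TIME` reset clears the checkpoint. Guard the assignment: `if pageToken: request_body["meta"]["pagination"]["pageToken"] = pageToken`. The same method also logs the entire checkpoint, `"Page checkpoint data : {}".format(checkpoint)`, at info level, which puts the raw pagination token in the trace; debug level and omitting the token is enough.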
@@ -0,0 +1,250 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "FunctionName": { + "defaultValue": "MimecastAT", + "minLength": 1, + "maxLength": 11, + "type": "string" + }, + "WorkspaceID": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Workspace ID of Log Analytics workspace" + } + }, + "WorkspaceKey": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Workspace Key of Log Analytics workspace" + } + }, + "MimecastBaseURL": { + "defaultValue": "https://api.services.mimecast.com", + "type": "string", + "metadata": { + "description": "Enter Base URL of Mimecast API 2.0 (e.g. https://api.services.mimecast.com)" + } + }, + "MimecastClientID": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Mimecast Client ID for authentication" + } + }, + "MimecastClientSecret": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Mimecast Client Secret for authentication" + } + }, + "Schedule": { + "type": "string", + "minLength": 11, + "metadata": { + "description": "Please enter a valid Quartz cron-expression. (Example: 0 0 0 * * *)\n\nDo not keep the value empty, minimum value is 10 minutes" + }, + "defaultValue": "0 0 */1 * * *" + }, + "LogLevel": { + "type": "string", + "metadata": { + "description": "Please add log level or log severity value. By default it is set to INFO" + }, + "allowedValues": [ + "Debug", + "Info", + "Error", + "Warning" + ], + "defaultValue": "Info" + }, + "AppInsightsWorkspaceResourceID": { + "type": "string", + "metadata": { + "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. 
This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'" + } + } + }, + "variables": { + "FunctionName": "[concat(toLower(trim(parameters('FunctionName'))), uniqueString(resourceGroup().id))]", + "StorageSuffix": "[environment().suffixes.storage]", + "LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(trim(parameters('WorkspaceID'))), '.ods.opinsights'))]" + }, + "resources": [ + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "kind": "web", + "properties": { + "Application_Type": "web", + "ApplicationId": "[variables('FunctionName')]", + "WorkspaceResourceId": "[trim(parameters('AppInsightsWorkspaceResourceID'))]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[tolower(variables('FunctionName'))]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Allow" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": 
false + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + } + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]", + "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]" + ], + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "name": "[variables('FunctionName')]", + "httpsOnly": true, + "clientAffinityEnabled": true, + "alwaysOn": true, + "reserved": true, + "siteConfig": { + "linuxFxVersion": "python|3.11" + } + }, + "resources": [ + { + "apiVersion": "2018-11-01", + "type": "config", + "name": "appsettings", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', variables('FunctionName'))]" + ], + "properties": { + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "python", + "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]", + "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]", + "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "logAnalyticsUri": 
"[variables('LogAnaltyicsUri')]", + "WorkspaceID": "[trim(parameters('WorkspaceID'))]", + "WorkspaceKey": "[trim(parameters('WorkspaceKey'))]", + "BaseURL": "[trim(parameters('MimecastBaseURL'))]", + "MimecastClientID": "[trim(parameters('MimecastClientID'))]", + "MimecastClientSecret": "[trim(parameters('MimecastClientSecret'))]", + "File_Share_Name": "mimecast-checkpoints", + "Schedule": "[trim(parameters('Schedule'))]", + "LogLevel": "[trim(parameters('LogLevel'))]", + "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-MimecastAT-functionapp" + } + } + ] + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices/shares", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "shareQuota": 5120 + } + } + ] +} \ No newline at end of file 
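Review bot: The storage account resource sets `"defaultAction": "Allow"` under `networkAcls` and omits `minimumTlsVersion` and `allowBlobPublicAccess`, so the account that backs `AzureWebJobsStorage` and the checkpoint file share accepts traffic from any network and, depending on subscription defaults, older TLS versions. Adding `"minimumTlsVersion": "TLS1_2",` and `"allowBlobPublicAccess": false,` next to `"supportsHttpsTrafficOnly": true` closes the easy part without affecting the function app (both properties exist in the 2019-06-01 API version used here). `WorkspaceKey` and `MimecastClientSecret` are declared as `securestring` but land as plain app settings; since the connector's own instructions present Key Vault references as an optional step, a sentence in those parameters' `metadata.description` pointing to that option would help operators. `LogAnaltyicsUri` is misspelled but used consistently, so it is cosmetic only.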
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/host.json b/Solutions/Mimecast/Data Connectors/MimecastAT/host.json
new file mode 100644
index 00000000000..e5f694470ac
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/host.json
@@ -0,0 +1,22 @@
+{
+ "version": "2.0",
+ "functionTimeout": "00:10:00",
+ "logging": {
+ "logLevel": {
+ "default": "Trace",
+ "Host.Results": "Trace",
+ "Function": "Trace",
+ "Host.Aggregator": "Trace"
+ },
+ "applicationInsights": {
+ "samplingSettings": {
+ "isEnabled": true,
+ "excludedTypes": "Request"
+ }
+ }
+ },
+ "extensionBundle": {
+ "id": "Microsoft.Azure.Functions.ExtensionBundle",
+ "version": "[4.*, 5.0.0)"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAT/requirements.txt b/Solutions/Mimecast/Data Connectors/MimecastAT/requirements.txt
new file mode 100644
index 00000000000..c1afa26574b
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAT/requirements.txt
@@ -0,0 +1,10 @@
+# DO NOT include azure-functions-worker in this file
+# The Python Worker is managed by Azure Functions platform
+# Manually managing azure-functions-worker may cause unexpected issues
+
+azure-functions
+requests
+azure-storage-file-share==12.15.0
+aiohttp
+tenacity
+asyncio
\ No newline at end of file
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/MimecastAudit/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastAudit/MimecastAudit/__init__.py
new file mode 100644
index 00000000000..a76928b6558
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/MimecastAudit/__init__.py
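Review bot: Every host category in `logLevel` is set to `"Trace"`, which in a shipped template routes the maximum log volume into Application Insights; this host-side filter is independent of the `LogLevel` app setting that the ARM template exposes and that logger.py applies to the Python logger, so operators who lower `LogLevel` still pay for host tracing. `"default": "Information"` with `"Function"` left to the app's own logger would match the operator-facing setting, and `"Host.Results"` can stay at a level that still records invocation outcomes. `functionTimeout` of 00:10:00 lines up with `FUNCTION_APP_TIMEOUT_SECONDS = 570` in consts.py, so the 30-second margin looks intentional.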
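Review bot: `asyncio` should not be listed in requirements.txt: it is part of the standard library, and the PyPI distribution of that name is an old backport that can shadow or conflict with the interpreter's own module on the `python|3.11` runtime the ARM template pins. The remaining entries (`azure-functions`, `requests`, `aiohttp`, `tenacity`) are unpinned while `azure-storage-file-share==12.15.0` is pinned; pinning all of them, or at least bounding major versions, keeps the packaged function reproducible and makes dependency review of the shipped zip possible.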
@@ -0,0 +1,58 @@
+"""This is init file for Mimecast Audit ."""
+
+import datetime
+import logging
+import inspect
+import time
+from .mimecast_audit_to_sentinel import MimeCastAuditToSentinel
+from SharedCode.logger import applogger
+from SharedCode import consts
+import azure.functions as func
+
+
+def main(mytimer: func.TimerRequest) -> None:
+ """Mimecast Audit Function."""
+ __method_name = inspect.currentframe().f_code.co_name
+ utc_timestamp = (
+ datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+ )
+ start = time.time()
+ applogger.info(
+ "{} : {}, Function started at {}".format(
+ consts.LOGS_STARTS_WITH,
+ consts.AUDIT_FUNCTION_NAME,
+ datetime.datetime.fromtimestamp(start),
+ )
+ )
+
+ audit_object = MimeCastAuditToSentinel(int(start))
+ audit_object.get_mimecast_audit_data_in_sentinel()
+
+ end = time.time()
+
+ applogger.info(
+ "{} : {}, Function ended at {}".format(
+ consts.LOGS_STARTS_WITH,
+ consts.AUDIT_FUNCTION_NAME,
+ datetime.datetime.fromtimestamp(end),
+ )
+ )
+ applogger.info(
+ "{} : {}, Total time taken = {}".format(
+ consts.LOGS_STARTS_WITH, consts.AUDIT_FUNCTION_NAME, end - start
+ )
+ )
+
+ if mytimer.past_due:
+ applogger.info(
+ "{}(method={}) : {} : The timer is past due!".format(
+ consts.LOGS_STARTS_WITH,
+ __method_name,
+ consts.AUDITS_NAME,
+ )
+ )
+
+ if mytimer.past_due:
+ logging.info("The timer is past due!")
+
+ logging.info("Python timer trigger function ran at %s", utc_timestamp)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/MimecastAudit/function.json b/Solutions/Mimecast/Data Connectors/MimecastAudit/MimecastAudit/function.json
new file mode 100644
index 00000000000..36c1449c9e1
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/MimecastAudit/function.json
@@ -0,0 +1,11 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "%Schedule%"
+ }
+ ]
+}
\ No newline at end of file
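Review bot: `main` checks `mytimer.past_due` twice in a row and logs it twice, once through `applogger` with `consts.AUDITS_NAME` and once through the root `logging` module; the second block and the trailing `logging.info("Python timer trigger function ran at %s", utc_timestamp)` bypass the configured `applogger` and look like leftovers from the Functions project template. Keep the first block, drop the second, and use `consts.AUDIT_FUNCTION_NAME` in it so the function name is reported the same way as in the other three log lines. If the final `logging.info` goes too, `utc_timestamp` becomes unused and can be removed with it.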
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/MimecastAudit/mimecast_audit_to_sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastAudit/MimecastAudit/mimecast_audit_to_sentinel.py new file mode 100644 index 00000000000..ce3bcfd1977 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/MimecastAudit/mimecast_audit_to_sentinel.py 
@@ -0,0 +1,570 @@ +"""Get Mimecast Audit Data and Ingest into Sentinel.""" + +from ..SharedCode.state_manager import StateManager +import json +import datetime +import inspect +import time +from SharedCode import consts +from SharedCode.logger import applogger +from SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from SharedCode.utils import Utils +from SharedCode import sentinel +from tenacity import RetryError + + +class MimeCastAuditToSentinel(Utils): + """This class contains methods to create object and ingest mimecast audit data to sentinel.""" + + def __init__(self, start) -> None: + """Initialize instance variable for class.""" + super().__init__(consts.AUDIT_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"Base_Url": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"Mimecast_Client_Id": consts.MIMECAST_CLIENT_ID}, + {"Mimecast_Client_Secret": consts.MIMECAST_CLIENT_SECRET}, + {"File_Path": consts.FILE_PATH}, + {"File_Share_Name": consts.FILE_SHARE_NAME}, + ] + ) + self.state_manager = StateManager( + connection_string=consts.CONN_STRING, + file_path=consts.FILE_PATH, + share_name=consts.FILE_SHARE_NAME, + ) + self.function_start_time = start + self.authenticate_mimecast_api() + self.start_date = None + + def get_utc_time_in_past(self, days): + """Generate time by subtracting days from current UTC time. 
+ + Args: + start_datetime (string): start of data fetching + Returns: + string : string of date days ago + """ + try: + __method_name = inspect.currentframe().f_code.co_name + now = datetime.datetime.utcnow() + offset_time = now - datetime.timedelta(days=days) + offset_time = offset_time.replace(tzinfo=datetime.timezone.utc) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Successfully generated past UTC time ", + ) + ) + return offset_time.strftime("%Y-%m-%dT%H:%M:%S%z") + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def update_date_in_checkpoint(self): + """Initialize new interval of date in checkpoint. + + Returns: + json : Updated checkpoint. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Setting new start date and end date in checkpoint file", + ) + ) + + checkpoint = self.get_checkpoint_data(self.state_manager, load_flag=True) + + utc_timestamp = ( + datetime.datetime.utcnow() + .replace(tzinfo=datetime.timezone.utc) + .isoformat() + ) + start_date = checkpoint.get("end_time") + mimecast_start_date = datetime.datetime.strptime( + start_date, consts.TIME_FORMAT + ) + + checkpoint["start_time"] = mimecast_start_date.strftime(consts.TIME_FORMAT) + end_date = datetime.datetime.fromisoformat(utc_timestamp) + mimecast_end_date = end_date.strftime(consts.TIME_FORMAT) + checkpoint["end_time"] = mimecast_end_date + checkpoint["next"] = "" + + self.post_checkpoint_data( + self.state_manager, data=checkpoint, dump_flag=True + ) + self.start_date = checkpoint["start_time"] + applogger.info( + self.log_format.format( + 
consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint updated with new start date and end date", + ) + ) + + return checkpoint["start_time"], checkpoint["end_time"] + except MimecastException: + raise MimecastException() + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def checkpoint_field(self): + """Set the start date and end date in checkpoint file. + + Returns: + json : Parsed checkpoint + """ + __method_name = inspect.currentframe().f_code.co_name + try: + checkpoint = self.get_checkpoint_data(self.state_manager, load_flag=True) + + if not checkpoint: + checkpoint = {} + + utc_timestamp = ( + datetime.datetime.utcnow() + .replace(tzinfo=datetime.timezone.utc) + .isoformat() + ) + + checkpoint_updated = False + if checkpoint.get("start_time") is None: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint is empty ", + ) + ) + + start_date = None + if not consts.START_DATE: + start_date = self.get_utc_time_in_past(days=consts.DAYS_BACK) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Date set to {} days in the past".format(consts.DAYS_BACK), + ) + ) + else: + start_date = ( + datetime.datetime.strptime(consts.START_DATE, "%Y-%m-%d") + .replace( + hour=0, minute=0, second=0, tzinfo=datetime.timezone.utc + ) + .strftime(consts.TIME_FORMAT) + ) + now = datetime.datetime.utcnow().strftime(consts.TIME_FORMAT) + last_valid_date = self.get_utc_time_in_past( + days=consts.VALID_PREVIOUS_DAY + ) + if 
start_date > now: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error Occurred while validating params. StartTime cannot be in the future.", + ) + ) + raise MimecastException() + elif start_date < last_valid_date: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Date provided is older than 60 days. " + "Ingestion will start from this date: {}".format( + last_valid_date + ), + ) + ) + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Date taken from user input", + ) + ) + + mimecast_start_date = datetime.datetime.strptime( + start_date, consts.TIME_FORMAT + ) + checkpoint["start_time"] = mimecast_start_date.strftime( + consts.TIME_FORMAT + ) + + end_date = datetime.datetime.fromisoformat(utc_timestamp) + mimecast_end_date = end_date.strftime(consts.TIME_FORMAT) + checkpoint["end_time"] = mimecast_end_date + + checkpoint_updated = True + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Start and end dates initialized in the checkpoint file.", + ) + ) + + self.start_date = checkpoint["start_time"] + if checkpoint_updated: + self.post_checkpoint_data(self.state_manager, data=checkpoint) + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint data fetched and written", + ) + ) + + return checkpoint + except MimecastException: + raise MimecastException() + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + 
consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def valid_run(self): + """Validate run of function. + + Raises: + MimecastTimeoutException: To limit total function run time + MimecastException: Unknown Exception + + Returns: + Bool: Will Decide to stop or run + """ + try: + __method_name = inspect.currentframe().f_code.co_name + + valid_run = True + if ( + int(time.time()) + >= self.function_start_time + consts.FUNCTION_APP_TIMEOUT_SECONDS + ): + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "function app has executed 9:30 mins hence breaking.", + ) + ) + raise MimecastTimeoutException() + + difference = datetime.datetime.now( + datetime.timezone.utc + ) - datetime.datetime.strptime(self.start_date, consts.TIME_FORMAT) + + if difference < datetime.timedelta(minutes=15): + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Time difference is less than 15 minutes, stopping the execution", + ) + ) + valid_run = False + + return valid_run + except MimecastTimeoutException: + raise MimecastTimeoutException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_mimecast_audit_data_in_sentinel(self): + """Fetch the audit data and push into sentinel. 
+ + Raises: + MimecastException: MimecastException + MimecastException: KeyError + MimecastException: Unknown Exception + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Fetching and Pushing Audit Data from Mimecast", + ) + ) + + checkpoint = self.checkpoint_field() + start_date = checkpoint.get("start_time") + end_date = checkpoint.get("end_time") + + payload = self.set_payload(start_date, end_date) + + if "next" in checkpoint and checkpoint["next"] != "": + token = checkpoint.get("next") + payload = self.set_payload(start_date, end_date, token=token) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Continuing data ingestion from remaining ,from : {}".format( + start_date + ), + ) + ) + + has_more_data = True + while has_more_data: + + has_more_data = self.valid_run() + if not has_more_data: + break + + start_datetime = payload["data"][0]["startDateTime"] + end_datetime = payload["data"][0]["endDateTime"] + page_token = payload["meta"]["pagination"].get("pageToken", "") + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Making Mimecast API request with start date : {} end date : {} , token : {}".format( + start_datetime, end_datetime, page_token + ), + ) + ) + + response = self.make_rest_call( + method="POST", + url=consts.BASE_URL + consts.ENDPOINTS["AUDIT_ENDPOINT"], + json=payload, + ) + + data = response.get("data") + if len(data) > 0: + data_to_post = json.dumps(data) + sentinel.post_data(data_to_post, consts.TABLE_NAME["Audit"]) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data ingested to Sentinel ,start date : {} end date : {} , count : {} ".format( + start_date, end_date, len(data) + ), + ) + ) + else: + 
applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No Data found", + ) + ) + + if "next" in response["meta"]["pagination"]: + token = response["meta"]["pagination"]["next"] + checkpoint["next"] = token + checkpoint["start_time"] = start_datetime + checkpoint["end_time"] = end_datetime + self.post_checkpoint_data( + self.state_manager, checkpoint, dump_flag=True + ) + payload = self.set_payload(start_date, end_date, token=token) + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Next token updated in checkpoint file", + ) + ) + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Successfully completed the execution between start date :{} and end date : {}".format( + start_date, end_date + ), + ) + ) + start_date, end_date = self.update_date_in_checkpoint() + payload = self.set_payload(start_date, end_date) + + except MimecastException: + raise MimecastException() + except MimecastTimeoutException: + return + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def set_payload(self, start_datetime, end_datetime, token=None): + """Set payload for api call. 
+ + Args: + start_datetime (string): start of data fetching + end_datetime (string): end date of data fetching + token (string, optional): next token . Defaults to None. + + Raises: + MimecastException: MimecastException + MimecastException: KeyError + MimecastException: Unknown error + + Returns: + json: will be passed in body of api call + """ + __method_name = inspect.currentframe().f_code.co_name + try: + + payload = { + "meta": {"pagination": {"pageSize": consts.MAX_PAGE_SIZE}}, + "data": [ + {"startDateTime": start_datetime, "endDateTime": end_datetime} + ], + } + if token: + payload["meta"]["pagination"]["pageToken"] = token + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Payload set with start date : {} and end date : {}".format( + start_datetime, end_datetime + ), + ) + ) + + return payload + except MimecastException: + raise MimecastException() + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/Mimecast_Audit.zip b/Solutions/Mimecast/Data Connectors/MimecastAudit/Mimecast_Audit.zip new file mode 100644 index 00000000000..980cad10490 Binary files /dev/null and b/Solutions/Mimecast/Data Connectors/MimecastAudit/Mimecast_Audit.zip differ diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/Mimecast_Audit_FunctionApp.json b/Solutions/Mimecast/Data Connectors/MimecastAudit/Mimecast_Audit_FunctionApp.json new file mode 100644 index 00000000000..7c7ca4c35eb --- /dev/null 
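Review bot: In `checkpoint_field` the `elif start_date < last_valid_date:` branch logs "Ingestion will start from this date: {last_valid_date}" but never assigns it, so the checkpoint is written with the user-supplied older date and the first API request uses a date the log message says is not used; add `start_date = last_valid_date` inside that branch. The three comparisons are done on strings, and `now` is built from naive `utcnow()` so its `%z` is empty while `start_date` and `last_valid_date` carry `+0000`; comparing `datetime` objects (or formatting all three identically) avoids relying on lexicographic ordering of differently shaped strings. `get_utc_time_in_past` documents a `start_datetime` argument it does not have; the docstring should describe `days` instead. `__method_name` is bound inside the `try` in `get_utc_time_in_past` and `valid_run`, so an exception before that line would surface as `NameError` in the handler; binding it before the `try` as the other methods do removes that edge.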
+++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/Mimecast_Audit_FunctionApp.json 
@@ -0,0 +1,117 @@ +{ + "id": "MimecastAuditAPI", + "title": "Mimecast Audit", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Audit](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to audit and authentication events within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into user activity, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. \nThe Mimecast products included within the connector are: \nAudit\n ", + "graphQueries": [ + { + "metricName": "Total Audit data received", + "legend": "MimecastAudit_CL", + "baseQuery": "MimecastAudit_CL" + } + ], + "sampleQueries": [ + { + "description": "MimecastAudit_CL", + "query": "MimecastAudit_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "MimecastAudit_CL", + "lastDataReceivedQuery": "MimecastAudit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MimecastAudit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "title": "Configuration:", + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)" + }, + { + "title": "", + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Deploy the Mimecast Audit Data Connector:", + "description": "Use this method for automated deployment of the Mimecast Audit Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastAuditAzureDeploy-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tStart Date \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 0 */1 * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] +} \ No newline at end of file 
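Review bot: STEP 1 under "Configuration:" tells the user to create a client secret in Azure portal App registrations, but the deployment step directly below collects Mimecast Client ID and Mimecast Client Secret, and consts.py in this PR reads `MimecastClientID`/`MimecastClientSecret` from the app settings; the step should describe obtaining the Mimecast API 2.0 application credentials from Mimecast rather than an Entra app secret. The "Azure Subscription" custom permission likewise says an owner role is needed to register an application in Microsoft Entra ID, which nothing in this connector appears to require; confirm before keeping it. A sentence in STEP 1 on keeping the Mimecast secret out of the portal form via the Key Vault reference described in the optional step would tie the two steps together.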
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/__init__.py
new file mode 100644
index 00000000000..91361ed4c8b
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/__init__.py
@@ -0,0 +1 @@
+"""This is init file to consider SharedCode as package."""
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/consts.py b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/consts.py
new file mode 100644
index 00000000000..af5fc5bd9cb
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/consts.py
@@ -0,0 +1,73 @@
+"""Module with constants and configurations for the Mimecast integration."""
+
+import os
+
+AUDITS_NAME = "Audit"
+
+LOG_LEVEL = os.environ.get("LogLevel", "INFO")
+LOGS_STARTS_WITH = "Mimecast"
+LOG_FORMAT = "{}(method = {}) : {} : {}"
+
+
+# *Sentinel related constants
+AZURE_CLIENT_ID = os.environ.get("Azure_Client_Id", "")
+AZURE_CLIENT_SECRET = os.environ.get("Azure_Client_Secret", "")
+AZURE_TENANT_ID = os.environ.get("Azure_Tenant_Id", "")
+WORKSPACE_KEY = os.environ.get("WorkspaceKey", "")
+WORKSPACE_ID = os.environ.get("WorkspaceID", "")
+
+# *Mimecast related constants
+MIMECAST_CLIENT_ID = os.environ.get("MimecastClientID")
+MIMECAST_CLIENT_SECRET = os.environ.get("MimecastClientSecret")
+
+BASE_URL = os.environ.get("BaseURL", "https://api.services.mimecast.com")
+ENDPOINTS = {
+ "OAUTH2": "/oauth/token",
+ "TTP_URL": "/api/ttp/url/get-logs",
+ "SEG_DLP": "/api/dlp/get-logs",
+ "AUDIT_ENDPOINT": "/api/audit/get-audit-events",
+}
+
+MAX_PAGE_SIZE = 500
+TIME_FORMAT = "%Y-%m-%dT%H:%M:%S%z"
+TABLE_NAME = {"TTP_URL": "Ttp_Url", "SEG_DLP": "Seg_Dlp", "Audit": "Audit"}
+TTP_URL_FUNCTION_NAME = "TTP_URL"
+SEG_DLP_FUNCTION_NAME = "SEG_DLP"
+AUDIT_FUNCTION_NAME = "Audit"
+START_DATE = os.environ.get("StartDate")
+DAYS_BACK = 60
+FUNCTION_APP_TIMEOUT_SECONDS = 570
+VALID_PREVIOUS_DAY = 63
+
+# *Error Messages for Exception
+UNEXPECTED_ERROR_MSG = "Unexpected error : Error-{}"
+HTTP_ERROR_MSG = "HTTP error : Error-{}"
+REQUEST_ERROR_MSG = "Request error : Error-{}"
+CONNECTION_ERROR_MSG = "Connection error : Error-{}"
+KEY_ERROR_MSG = "Key error : Error-{}"
+TYPE_ERROR_MSG = "Type error : Error-{}"
+VALUE_ERROR_MSG = "Value error : Error-{}"
+JSON_DECODE_ERROR_MSG = "JSONDecode error : Error-{}"
+TIME_OUT_ERROR_MSG = "Timeout error : Error-{}"
+MAX_RETRY_ERROR_MSG = "Max retries exceeded : {} Last exception: {}"
+
+
+# *checkpoint related constants
+CONN_STRING = os.environ.get("AzureWebJobsStorage")
+FILE_PATH = "Audit"
+FILE_SHARE_NAME = 
os.environ.get("FileShareName", "mimecast-checkpoints")
+
+
+# *Extra constants
+DATE_TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
+MAX_FILE_SIZE = 20 * 1024 * 1024
+MAX_CHUNK_SIZE = 1024 * 1024
+MAX_RETRIES = 5
+SENTINEL_RETRY_COUNT = 3
+MAX_TIMEOUT_SENTINEL = 120
+INGESTION_ERROR_SLEEP_TIME = 30
+EXCEPTION_STATUS_CODE = [400, 403, 409]
+RETRY_STATUS_CODE = [429, 500, 503, 502, 509]
+MAX_SLEEP_TIME = 30
+MIN_SLEEP_TIME = 5
+BACKOFF_MULTIPLIER = 2
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/logger.py b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/logger.py
new file mode 100644
index 00000000000..e97c12ceca2
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/logger.py
@@ -0,0 +1,23 @@
+"""Handle the logger."""
+
+import logging
+import sys
+from SharedCode import consts
+
+log_level = consts.LOG_LEVEL
+
+LOG_LEVELS = {
+ "DEBUG": logging.DEBUG,
+ "INFO": logging.INFO,
+ "WARNING": logging.WARNING,
+ "ERROR": logging.ERROR,
+}
+
+try:
+ applogger = logging.getLogger("azure")
+ applogger.setLevel(LOG_LEVELS.get(log_level.upper(), logging.INFO))
+except Exception:
+ applogger.setLevel(logging.INFO)
+finally:
+ handler = logging.StreamHandler(stream=sys.stdout)
+ applogger.addHandler(handler)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/mimecast_exception.py b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/mimecast_exception.py
new file mode 100644
index 00000000000..53c1f7257f8
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/mimecast_exception.py
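Review bot: The numeric limits in this hunk (`DAYS_BACK = 60`, `VALID_PREVIOUS_DAY = 63`, `FUNCTION_APP_TIMEOUT_SECONDS = 570`, `MAX_PAGE_SIZE = 500`) carry no comment, so a maintainer cannot tell how they relate to each other or whether each is a Mimecast API limit, a function-app host limit or a connector policy. A one-line comment on each would do, e.g. `DAYS_BACK = 60  # default lookback when StartDate is unset (matches the deployment template text)`; the meaning of the 63-day value should be stated by whoever chose it rather than guessed. `MAX_TIMEOUT_SENTINEL` is also passed as the timeout for Mimecast API requests in utils.py, so either introduce a separately named constant for that or add `# also used as the Mimecast API request timeout` here so the name does not mislead.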
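Review bot: `applogger` is first bound inside the `try`, so if `logging.getLogger` or the level lookup raised, the `except` and `finally` branches would fail on an unbound name instead of falling back to INFO. Bind the logger before the block and keep only the level lookup inside it: `applogger = logging.getLogger("azure")` above `try:`, then `try: applogger.setLevel(LOG_LEVELS.get(log_level.upper(), logging.INFO))`. Note also that `"azure"` is the logger name the Azure SDK packages themselves log under, so the level chosen here presumably also governs the SDK's own output on stdout; a comment saying that this is intended (or a connector-specific logger name) would help the next reader.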
@@ -0,0 +1,25 @@
+"""This File contains custom Exception class for Mimecast."""
+
+
+class MimecastException(Exception):
+ """Exception class to handle Mimecast exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Mimecast exception with custom message."""
+ super().__init__(message)
+
+
+class MimecastTimeoutException(Exception):
+ """Exception class to handle Mimecast exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Mimecast exception with custom message."""
+ super().__init__(message)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/sentinel.py
new file mode 100644
index 00000000000..9822fa0e0fb
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/sentinel.py
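Review bot: `MimecastTimeoutException`'s docstring is a verbatim copy of `MimecastException`'s, so nothing tells a reader when the timeout variant is raised or that it does not subclass `MimecastException` and therefore is not caught by handlers for it. A distinct one-liner such as `"""Raised when a Mimecast operation times out; not a subclass of MimecastException."""` fixes that. In both classes the `Args:` entry describes the base class rather than the constructor's parameter; `message (str, optional): human-readable detail passed to Exception` is what the signature actually supports.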
@@ -0,0 +1,280 @@ +"""This file contains methods for creating microsoft custom log table.""" + +import base64 +import requests +import hashlib +import hmac +import time +import inspect +import datetime +from .logger import applogger +from .state_manager import StateManager +from . import consts +from .mimecast_exception import MimecastException +from urllib3.exceptions import NameResolutionError + + +def build_signature( + date, + content_length, + method, + content_type, + resource, +): + """To build signature which is required in header.""" + x_headers = "x-ms-date:" + date + string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource + bytes_to_hash = bytes(string_to_hash, encoding="utf-8") + decoded_key = base64.b64decode(consts.WORKSPACE_KEY) + encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode() + authorization = "SharedKey {}:{}".format(consts.WORKSPACE_ID, encoded_hash) + + return authorization + + +def post_data(body, log_type): + """Build and send a request to the POST API. + + Args: + body (str): Data to post into Sentinel log analytics workspace + log_type (str): Custom log table name in which data wil be added. + + Returns: + status_code: Returns the response status code got while posting data to sentinel. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") + content_length = len(body) + try: + signature = build_signature( + rfc1123date, + content_length, + method, + content_type, + resource, + ) + except Exception as err: + applogger.error( + "{}(method={}) : Error in build signature-{}".format( + consts.LOGS_STARTS_WITH, + __method_name, + err, + ) + ) + raise MimecastException() + uri = "https://" + consts.WORKSPACE_ID + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01" + + headers = { + "content-type": content_type, + "Authorization": signature, + "Log-Type": log_type, + "x-ms-date": rfc1123date, + } + retry_count = 0 + while retry_count < consts.SENTINEL_RETRY_COUNT: + try: + + response = requests.post(uri, data=body, headers=headers, timeout=consts.MAX_TIMEOUT_SENTINEL) + + result = handle_response(response, body) + if result is not False: + return result + retry_count += 1 + continue + + except requests.exceptions.ConnectionError as error: + try: + if isinstance(error.args[0].reason, NameResolutionError): + applogger.error( + "{}(method={}) : {} : Workspace ID is wrong: {}, Sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except Exception as unknown_connect_error: + applogger.error( + "{}(method={}) : {} : Unknown Error in ConnectionError: {}, Sleeping for {} seconds." 
+ " and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + unknown_connect_error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + applogger.error( + "{}(method={}) : {} : Unknown Connection Error, sleeping - {} seconds and retrying.. Error - {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + consts.INGESTION_ERROR_SLEEP_TIME, + error, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.exceptions.Timeout as error: + applogger.error( + "{}(method={}) : {} : sleeping - {} seconds and retrying.. Timeout Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + consts.INGESTION_ERROR_SLEEP_TIME, + error, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.RequestException as error: + applogger.error( + "{}(method={}) : {} : Request Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + error, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + error, + ) + ) + raise MimecastException() + applogger.error( + "{}(method={}) : {} : Maximum Retry count of {} exceeded, hence stopping execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + consts.SENTINEL_RETRY_COUNT, + ) + ) + raise MimecastException() + + +def handle_response(response, body): + """Handle the response from Azure Sentinel.""" + try: + __method_name = inspect.currentframe().f_code.co_name + if response.status_code >= 200 and response.status_code <= 299: + applogger.debug( + "{}(method={}) : Status_code: {} Accepted: Data 
Posted Successfully to azure sentinel.".format( + consts.LOGS_STARTS_WITH, + __method_name, + response.status_code, + ) + ) + return response.status_code + elif response.status_code == 400: + applogger.error( + "{}(method={}) : {} : Response code: {} from posting data to log analytics. Response: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + response.status_code, + response.text, + ) + ) + curent_corrupt_data_obj = StateManager( + consts.CONN_STRING, + "Audit-Ingest-To-Sentinel-Corrupt_{}".format(str(int(time.time()))), + consts.FILE_SHARE_NAME, + ) + curent_corrupt_data_obj.post(body) + raise MimecastException() + elif response.status_code == 403: + applogger.error( + "{}(method={}) : {} : Response code :{} Too Error occurred for build signature: Response: {} ." + "Issue with WorkspaceKey ,Kindly verify your WorkspaceKey".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + response.status_code, + response.text, + ) + ) + raise MimecastException() + elif response.status_code == 429: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Too many request: Response: {} . " + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + response.status_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + elif response.status_code == 500: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Internal Server Error: Response: {} . 
" + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + response.status_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + elif response.status_code == 503: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Service Unavailable: Response: {} . " + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + response.status_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + applogger.error( + "{}(method={}) : {} : Response code: {} from posting data to log analytics. Response: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + response.status_code, + response.text, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + error, + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/state_manager.py b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/state_manager.py new file mode 100644 index 00000000000..0bfe9819ce1 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/state_manager.py 
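Review bot: In `post_data`, `content_length = len(body)` counts characters when `body` is a `str`, while the bytes actually sent are the UTF-8 encoding, so the length signed in `build_signature` differs from the Content-Length of the request whenever an audit record contains a non-ASCII character; the resulting signature mismatch would surface through `handle_response` as a 403 that the log blames on the workspace key. Use the byte length, `content_length = len(body.encode("utf-8")) if isinstance(body, str) else len(body)`, or encode once and send the bytes. Separately, the `except MimecastException: raise MimecastException()` clauses in both functions replace the caught exception with an empty one; a bare `raise` keeps the original message and traceback. `datetime.datetime.utcnow()` is deprecated since Python 3.12; `datetime.datetime.now(datetime.timezone.utc)` yields the same RFC 1123 string with the existing `strftime` format.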
@@ -0,0 +1,69 @@
+"""This module will help to save file to state manager."""
+
+from azure.storage.fileshare import ShareClient
+from azure.storage.fileshare import ShareFileClient
+from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError
+
+
+class StateManager:
+ """State manager class for specific operation.
+
+ This class will help to manage the state of the operation
+ by saving and getting data from Azure Storage.
+
+ Args:
+ connection_string (str): Azure Storage connection string.
+ file_path (str): File path on the share.
+ share_name (str): Name of the share.
+ """
+
+ def __init__(self, connection_string, file_path, share_name):
+ """Initialize the share_cli and file_cli."""
+ self.share_cli = ShareClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name
+ )
+ self.file_cli = ShareFileClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name, file_path=file_path
+ )
+
+ def post(self, marker_text: str):
+ """Post method for posting the data to Azure Storage.
+
+ This method will upload the given text to the
+ Azure Storage as a file.
+
+ Args:
+ marker_text (str): String to be saved in the file.
+ """
+ try:
+ self.file_cli.upload_file(marker_text)
+ except ResourceNotFoundError:
+ try:
+ self.share_cli.create_share()
+ self.file_cli.upload_file(marker_text)
+ except ResourceExistsError:
+ self.file_cli.upload_file(marker_text)
+
+ def get(self):
+ """Get method for getting the data from Azure Storage.
+
+ This method will download the file from Azure Storage
+ and return the contents as a string.
+
+ Returns:
+ str: The contents of the file.
+ """
+ try:
+ return self.file_cli.download_file().readall().decode()
+ except ResourceNotFoundError:
+ return None
+
+ def delete(self):
+ """Delete method for deleting the data from Azure Storage.
+
+ This method will delete the file from Azure Storage.
+ """
+ try:
+ self.file_cli.delete_file()
+ except ResourceNotFoundError:
+ raise ResourceNotFoundError("File not found to be deleted.")
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/utils.py b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/utils.py
new file mode 100644
index 00000000000..8ca64964ae3
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/SharedCode/utils.py
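Review bot: `get()` documents `Returns: str` but returns `None` when the file does not exist, which is exactly the first-run case every caller must handle; the docstring should read `str | None: the file contents, or None if the checkpoint file does not exist yet`. In `delete()`, raising a fresh `ResourceNotFoundError` inside the `except` discards the SDK's original error (status code, request id) from the chain; `except ResourceNotFoundError as err: raise ResourceNotFoundError("File not found to be deleted.") from err` keeps it, or simply let the original propagate.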
@@ -0,0 +1,653 @@ +"""Utils File.""" + +import inspect +import requests +import json +from json.decoder import JSONDecodeError +from SharedCode.state_manager import StateManager +from SharedCode.mimecast_exception import MimecastException +from SharedCode.logger import applogger +from SharedCode import consts +from tenacity import ( + retry, + stop_after_attempt, + wait_exponential, + retry_if_exception_type, + retry_if_result, + retry_any, + RetryError, +) +from requests.exceptions import ConnectionError + + +def retry_on_status_code(response): + """Check and retry based on a list of status codes. + + Args: + response (): API response is passed + + Returns: + Bool: if given status code is in list then true else false + """ + __method_name = inspect.currentframe().f_code.co_name + if isinstance(response, dict): + return False + if response.status_code in consts.RETRY_STATUS_CODE: + applogger.info( + "{}(method={}) : {} : Retrying due to status code : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.AUDIT_FUNCTION_NAME, + response.status_code, + ) + ) + return True + return False + + +class Utils: + """Utils Class.""" + + def __init__(self, azure_function_name) -> None: + """Init Function.""" + self.azure_function_name = azure_function_name + self.log_format = consts.LOG_FORMAT + self.headers = {} + + def check_environment_var_exist(self, environment_var): + """Check the existence of required environment variables. + + Logs the validation process and completion. Raises MimecastException if any required field is missing. 
+ + Args: + environment_var(list) : variables to check for existence + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validating Environment Variables", + ) + ) + missing_required_field = False + for var in environment_var: + key, val = next(iter(var.items())) + if not val: + missing_required_field = True + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Environment variable {} is not set".format(key), + ) + ) + if missing_required_field: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation failed", + ) + ) + raise MimecastException() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation Complete", + ) + ) + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_checkpoint_data(self, checkpoint_obj: StateManager, load_flag=True): + """Get checkpoint data from a StateManager object. + + It retrieve the checkpoint data and logs it if the load flag is set to True. + + Args: + checkpoint_obj (StateManager): The StateManager object to retrieve checkpoint data from. + load_flag (bool): A flag indicating whether to load the data as JSON (default is True). + + Returns: + The retrieved checkpoint data. 
+ + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Fetching checkpoint data", + ) + ) + checkpoint_data = checkpoint_obj.get() + if load_flag and checkpoint_data: + checkpoint_data = json.loads(checkpoint_data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint data = {}".format(checkpoint_data), + ) + ) + return checkpoint_data + except json.decoder.JSONDecodeError as json_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format(json_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def post_checkpoint_data(self, checkpoint_obj: StateManager, data, dump_flag=True): + """Post checkpoint data. + + It post the data to a checkpoint object based on the dump_flag parameter. + + Args: + checkpoint_obj (StateManager): The StateManager object to post data to. + data: The data to be posted. + dump_flag (bool): A flag indicating whether to dump the data as JSON before posting (default is True). 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting checkpoint data = {}".format(data), + ) + ) + if dump_flag: + checkpoint_obj.post(json.dumps(data)) + else: + checkpoint_obj.post(data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data posted to azure storage", + ) + ) + except TypeError as type_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(type_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + @retry( + stop=stop_after_attempt(consts.MAX_RETRIES), + wait=wait_exponential( + multiplier=consts.BACKOFF_MULTIPLIER, + min=consts.MIN_SLEEP_TIME, + max=consts.MAX_SLEEP_TIME, + ), + retry=retry_any( + retry_if_result(retry_on_status_code), + retry_if_exception_type(ConnectionError), + ), + before_sleep=lambda retry_state: applogger.error( + "{}(method = {}) : Retring after {} secends, attempt number: {} ".format( + consts.LOGS_STARTS_WITH, + " Retry Decorator", + retry_state.upcoming_sleep, + retry_state.attempt_number, + ) + ), + ) + def make_rest_call( + self, method, url, params=None, data=None, json=None, check_retry=True + ): + """Make a rest call. + + Args: + url (str): The URL to make the call to. + method (str): The HTTP method to use for the call. + params (dict, optional): The parameters to pass in the call (default is None). + data (dict, optional): The body(in x-www-form-urlencoded formate) of the request (default is None). + json (dict, optional): The body(in row formate) of the request (default is None). 
+ check_retry (bool, optional): A flag indicating whether to check for retry (default is True). + + Returns: + dict: The JSON response if the call is successful. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Rest Call, Method :{}, url: {}".format(method, url), + ) + ) + + response = requests.request( + method, + url, + headers=self.headers, + params=params, + data=data, + json=json, + timeout=consts.MAX_TIMEOUT_SENTINEL, + ) + if response.status_code >= 200 and response.status_code <= 299: + response_json = response.json() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Success, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_success(response_json) + return response_json + elif response.status_code == 400: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Bad Request = {}, Status code : {}".format( + response.text, response.status_code + ), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 401: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unauthorized, Status code : {}".format(response.status_code), + ) + ) + response_json = response.json() + fail_json = response_json.get("fail", []) + error_code = None + error_message = None + if fail_json: + error_code = fail_json[0].get("code") + error_message = fail_json[0].get("message") + if check_retry: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating new token, Error message = {}, Error code = {}".format( + error_message, error_code + ), + ) + ) + check_retry = False + 
self.authenticate_mimecast_api(check_retry) + return self.make_rest_call( + method, url=url, json=json, check_retry=check_retry + ) + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retry reached for generating access token," + "Error message = {}, Error code = {}".format( + error_message, error_code + ), + ) + ) + raise MimecastException() + elif response.status_code == 403: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Forbidden, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 404: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Not Found, URL : {}, Status code : {}".format( + url, response.status_code + ), + ) + ) + raise MimecastException() + elif response.status_code == 409: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Conflict, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 429: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Too Many Requests, Status code : {} ".format( + response.status_code + ), + ) + ) + return response + elif response.status_code == 500: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Internal Server Error, Status code : {}".format( + response.status_code + ), + ) + ) + return self.handle_failed_response_for_failure(response) + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unexpected Error = {}, Status code : {}".format( + response.text, 
response.status_code + ), + ) + ) + raise MimecastException() + + except MimecastException: + raise MimecastException() + except requests.exceptions.Timeout as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TIME_OUT_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except JSONDecodeError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format( + "{}, API Response = {}".format(error, response.text) + ), + ) + ) + raise MimecastException() + except requests.ConnectionError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.CONNECTION_ERROR_MSG.format(error), + ) + ) + raise requests.ConnectionError() + except requests.RequestException as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.REQUEST_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def handle_failed_response_for_failure(self, response): + """Handle the failed response for failure status codes. + + If request get authentication error it will regenerate the access token. + + Args: + response_json (dict): The JSON response from the API. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + response_json = response.json() + error_message = response_json + fail_json = response_json.get("fail", []) + error_json = response_json.get("error") + if fail_json: + error_message = fail_json[0].get("message") + elif error_json: + error_message = error_json.get("message") + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error_message, + ) + ) + if response.status_code in consts.EXCEPTION_STATUS_CODE: + raise MimecastException() + + return response + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def handle_failed_response_for_success(self, response_json): + """Handle the failed response for a successful request. + + Check if there is failure in success response or not. + + Args: + response_json (dict): The JSON response from the request. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + fail_json = response_json.get("fail", []) + if fail_json: + try: + error_message = fail_json[0].get("errors")[0].get("message") + except (KeyError, IndexError, ValueError, TypeError): + error_message = fail_json + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Failed response message = {}".format(error_message), + ) + ) + raise MimecastException() + else: + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No failed response found", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def authenticate_mimecast_api(self, check_retry=True): + """Authenticate mimecast endpoint generate access token and update header. + + Args: + check_retry (bool): Flag for retry of generating access token. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + body = { + "client_id": consts.MIMECAST_CLIENT_ID, + "client_secret": consts.MIMECAST_CLIENT_SECRET, + "grant_type": "client_credentials", + } + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating access token", + ) + ) + self.headers = {} + url = "{}{}".format(consts.BASE_URL, consts.ENDPOINTS["OAUTH2"]) + response = self.make_rest_call( + method="POST", url=url, data=body, check_retry=check_retry + ) + + if "access_token" in response: + access_token = response.get("access_token") + self.headers.update( + { + "Content-Type": "application/json", + "Authorization": "Bearer {}".format(access_token), + } + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Successfully generated access token and header updated", + ) + ) + return + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error occurred while fetching the access token from the response = {}".format( + response + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() 
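Review bot: The 401 re-authentication path in `make_rest_call` retries with `self.make_rest_call(method, url=url, json=json, check_retry=check_retry)`, dropping the `params` and `data` arguments of the original call, so a request whose query parameters carried pagination or date bounds is silently re-issued without them after a token refresh. Pass everything through: `return self.make_rest_call(method, url=url, params=params, data=data, json=json, check_retry=check_retry)`. The docstring also states `Returns: dict`, but the 429 branch returns the raw `requests.Response` (so `retry_on_status_code` can inspect it) and the 500 branch returns whatever `handle_failed_response_for_failure` returns; a `Returns:` line naming `dict | requests.Response`, with a sentence on why the Response is returned, would stop callers from treating the result as JSON. `Retring` and `secends` in the `before_sleep` log message are typos in a runtime string and can be corrected in a follow-up.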
diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/azuredeploy_Connector_MimecastAudit_AzureFunction.json b/Solutions/Mimecast/Data Connectors/MimecastAudit/azuredeploy_Connector_MimecastAudit_AzureFunction.json new file mode 100644 index 00000000000..5f985f8c3b6 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/azuredeploy_Connector_MimecastAudit_AzureFunction.json 
@@ -0,0 +1,259 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "FunctionName": { + "defaultValue": "MimecastADT", + "minLength": 1, + "maxLength": 11, + "type": "string" + }, + "WorkspaceID": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Workspace ID of Log Analytics workspace" + } + }, + "WorkspaceKey": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Workspace Key of Log Analytics workspace" + } + }, + "MimecastBaseURL": { + "defaultValue": "https://api.services.mimecast.com", + "type": "string", + "metadata": { + "description": "Enter Base URL of Mimecast API 2.0 (e.g. https://api.services.mimecast.com)" + } + }, + "MimecastClientId": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Mimecast Client ID for authentication" + } + }, + "MimecastClientSecret": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Mimecast Client Secret for authentication" + } + }, + "StartDate": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Enter the start date in the 'yyyy-mm-dd' format. If you do not provide a date, data from the last 60 days will be fetched automatically. Ensure that the date is in the past and properly formatted" + } + }, + "Schedule": { + "type": "string", + "minLength": 11, + "metadata": { + "description": "Please enter a valid Quartz cron-expression. (Example: 0 0 0 * * *)\n\nDo not keep the value empty, minimum value is 10 minutes" + }, + "defaultValue": "0 0 */1 * * *" + }, + "LogLevel": { + "type": "string", + "metadata": { + "description": "Please add log level or log severity value. 
By default it is set to INFO" + }, + "allowedValues": [ + "Debug", + "Info", + "Error", + "Warning" + ], + "defaultValue": "Info" + }, + "AppInsightsWorkspaceResourceID": { + "type": "string", + "metadata": { + "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'" + } + } + }, + "variables": { + "FunctionName": "[concat(toLower(trim(parameters('FunctionName'))), uniqueString(resourceGroup().id))]", + "StorageSuffix": "[environment().suffixes.storage]", + "LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(trim(parameters('WorkspaceID'))), '.ods.opinsights'))]" + }, + "resources": [ + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "kind": "web", + "properties": { + "Application_Type": "web", + "ApplicationId": "[variables('FunctionName')]", + "WorkspaceResourceId": "[trim(parameters('AppInsightsWorkspaceResourceID'))]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[tolower(variables('FunctionName'))]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Allow" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + } + } + }, + { + "type": 
"Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": false + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + } + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]", + "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]" + ], + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "name": "[variables('FunctionName')]", + "httpsOnly": true, + "clientAffinityEnabled": true, + "alwaysOn": true, + "reserved": true, + "siteConfig": { + "linuxFxVersion": "python|3.11" + } + }, + "resources": [ + { + "apiVersion": "2018-11-01", + "type": "config", + "name": "appsettings", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', variables('FunctionName'))]" + ], + "properties": { + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "python", + "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]", + "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', 
variables('FunctionName')), '2015-05-01').ConnectionString]", + "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "logAnalyticsUri": "[variables('LogAnaltyicsUri')]", + "Function_App_Name": "[variables('FunctionName')]", + "WorkspaceID": "[trim(parameters('WorkspaceID'))]", + "WorkspaceKey": "[trim(parameters('WorkspaceKey'))]", + "BaseURL": "[trim(parameters('MimecastBaseURL'))]", + "StartDate": "[trim(parameters('StartDate'))]", + "MimecastClientID": "[trim(parameters('MimecastClientId'))]", + "MimecastClientSecret": "[trim(parameters('MimecastClientSecret'))]", + "File_Share_Name": "mimecast-checkpoints", + "Schedule": "[trim(parameters('Schedule'))]", + "LogLevel": "[trim(parameters('LogLevel'))]", + "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-Mimecast_Audit-functionapp" + } + } + ] + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": 
"Microsoft.Storage/storageAccounts/fileServices/shares", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "shareQuota": 5120 + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/host.json b/Solutions/Mimecast/Data Connectors/MimecastAudit/host.json new file mode 100644 index 00000000000..cbe70153083 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/host.json @@ -0,0 +1,22 @@ +{ + "version": "2.0", + "logging": { + "logLevel": { + "default": "Trace", + "Host.Results": "Trace", + "Function": "Trace", + "Host.Aggregator": "Trace" + }, + "applicationInsights": { + "samplingSettings": { + "isEnabled": true, + "excludedTypes": "Request" + } + } + }, + "functionTimeout": "00:10:00", + "extensionBundle": { + "id": "Microsoft.Azure.Functions.ExtensionBundle", + "version": "[4.*, 5.0.0)" + } +} \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastAudit/requirements.txt b/Solutions/Mimecast/Data Connectors/MimecastAudit/requirements.txt new file mode 100644 index 00000000000..d5eb866352a --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastAudit/requirements.txt @@ -0,0 +1,11 @@ +# DO NOT include azure-functions-worker in this file +# The Python Worker is managed by Azure Functions platform +# Manually managing azure-functions-worker may cause unexpected issues + + +azure-functions +requests +azure-storage-file-share==12.15.0 +aiohttp +tenacity +asyncio \ No newline at end of file 
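Review bot: The `Microsoft.Storage/storageAccounts` resource sets `networkAcls.defaultAction` to `Allow` and only `supportsHttpsTrafficOnly`, leaving the TLS floor and anonymous blob access at the API-version defaults even though this account holds the `azure-webjobs-secrets` container and the `mimecast-checkpoints` share; the `2019-06-01` API the template already uses accepts `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` next to `"supportsHttpsTrafficOnly": true`. The `appsettings` block also writes `WorkspaceKey`, `MimecastClientSecret` and the `AzureWebJobsStorage` account key as plain site settings; Key Vault references would keep those out of the site configuration, which the connector instructions elsewhere on this page describe only as an optional step. Minor: the `AppInsightsWorkspaceResourceID` description misspells "February", and the `LogLevel` description says the default is `INFO` while `allowedValues` uses `Info`.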
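Review bot: `asyncio` in requirements.txt names the standard-library module, not a package the function needs; the PyPI distribution of that name is a stale backport that has no place on the `python|3.11` worker the template pins, so the line should be dropped. `requests`, `aiohttp` and `tenacity` are unpinned while `azure-storage-file-share==12.15.0` is pinned; pinning all of them (or shipping a hash-locked requirements file) makes the packaged function reproducible and lets a reviewer see when a dependency changes.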
diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI.zip b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI.zip
new file mode 100644
index 00000000000..92c38cfe74b
Binary files /dev/null and b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI.zip differ
diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI/__init__.py
new file mode 100644
index 00000000000..348f80e6746
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI/__init__.py
@@ -0,0 +1,44 @@
+"""Init file for Mimecast Cloud Integrated function."""
+
+import datetime
+import logging
+import azure.functions as func
+from .mimecast_ci_to_sentinel import MimecastCIToSentinel
+from ..SharedCode.logger import applogger
+from ..SharedCode import consts
+import time
+
+
+async def main(mytimer: func.TimerRequest) -> None:
+ """Run the main logic of the Function App triggered by a timer."""
+ utc_timestamp = (
+ datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+ )
+ start = time.time()
+ applogger.info(
+ "{} : {}, Function started at {}".format(
+ consts.LOGS_STARTS_WITH,
+ consts.CLOUD_INTEGRATED_FUNCTION_NAME,
+ datetime.datetime.fromtimestamp(start),
+ )
+ )
+ mimecast_to_sentinel_obj = MimecastCIToSentinel(int(start))
+ await mimecast_to_sentinel_obj.get_mimecast_ci_data_in_sentinel()
+ end = time.time()
+
+ applogger.info(
+ "{} : {}, Function ended at {}".format(
+ consts.LOGS_STARTS_WITH,
+ consts.CLOUD_INTEGRATED_FUNCTION_NAME,
+ datetime.datetime.fromtimestamp(end),
+ )
+ )
+ applogger.info(
+ "{} : {}, Total time taken = {}".format(
+ consts.LOGS_STARTS_WITH, consts.CLOUD_INTEGRATED_FUNCTION_NAME, end - start
+ )
+ )
+ if mytimer.past_due:
+ logging.info("The timer is past due!")
+
+ logging.info("Python timer trigger function ran at %s", utc_timestamp)
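Review bot: `datetime.datetime.utcnow()` in `main` is deprecated from Python 3.12 and yields a naive value that then has `tzinfo` patched on; `utc_timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat()` produces the same string directly. The "Function started/ended" lines format `datetime.datetime.fromtimestamp(start)`, which is local time, while `utc_timestamp` is UTC, so the timestamps of one run can disagree by the worker's offset; `datetime.datetime.fromtimestamp(start, datetime.timezone.utc)` aligns them. The function also mixes `applogger` with the root `logging` module for its last two messages; using `applogger` throughout keeps the `LOGS_STARTS_WITH` prefix on every line of this function's output.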
diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI/function.json b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI/function.json
new file mode 100644
index 00000000000..44f02c1702c
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI/function.json
@@ -0,0 +1,12 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "%Schedule%",
+ "useMonitor": true
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI/mimecast_ci_to_sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI/mimecast_ci_to_sentinel.py
new file mode 100644
index 00000000000..fcc3048d94b
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/MimecastCI/mimecast_ci_to_sentinel.py
@@ -0,0 +1,623 @@ +"""Get mimecast ci data and ingest to custom table in sentinel.""" + +import inspect +import json +import time +from random import randrange +import gzip +import aiohttp +import asyncio +from aiohttp.client_exceptions import ( + ClientError, + ServerTimeoutError, + ClientResponseError, +) +from ..SharedCode import consts +from ..SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from ..SharedCode.logger import applogger +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils +from ..SharedCode.sentinel import post_data_async +from tenacity import RetryError + + +class MimecastCIToSentinel(Utils): + """Class for ingest the data from mimecast to sentinel.""" + + def __init__(self, start_time) -> None: + """Initialize MimecastCIToSentinel object.""" + super().__init__(consts.CLOUD_INTEGRATED_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"Base_Url": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"Mimecast_Client_ID": consts.MIMECAST_CLIENT_ID}, + {"Mimecast_Client_Secret": consts.MIMECAST_CLIENT_SECRET}, + ] + ) + consts.FILE_SHARE_NAME + self.authenticate_mimecast_api() + self.start = start_time + self.checkpoint_obj = StateManager( + consts.CONN_STRING, "Checkpoint-Cloud-Integrated", consts.FILE_SHARE_NAME + ) + + async def get_mimecast_ci_data_in_sentinel(self): + """Get mimecast ci data and ingest data to sentinel, initialization method.""" + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Start fetching ci endpoint data using batch and async", + ) + ) + await self.get_batch_data_urls_from_api() + except MimecastTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Mimecast: 9:00 mins executed hence 
breaking.", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + async def get_batch_data_urls_from_api(self): + """Retrieve a list of URLs from the Mimecast CI API and processes them. + + This function retrieve a list of URLs from the Mimecast CI API by making a GET request to the + CI endpoint. It iterate through the response pages and retrieves the URLs from each page. + The function then process the URLs and ingest data in sentinel by calling the `process_s3_bucket_urls` method. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + checkpoint_data = self.get_checkpoint_data(self.checkpoint_obj) + next_page = None + if checkpoint_data: + next_page = checkpoint_data.get("nextPage") + else: + checkpoint_data = {} + url = "{}{}".format(consts.BASE_URL, consts.ENDPOINTS["CI"]) + + params = {"type": consts.CI_TYPES, "pageSize": consts.ASYNC_PAGE_SIZE} + page = 1 + while True: + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise MimecastTimeoutException() + if next_page: + params["nextPage"] = next_page + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Params = {}, url = {}, page {}".format(params, url, page), + ) + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Iterating page {}".format(page), + ) + ) + response = self.make_rest_call(method="GET", url=url, params=params) + next_page = response.get("@nextPage") + values = response.get("value") + if not values: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No more data to fetch", + ) + ) + break + + url_list = 
[val.get("url") for val in values] + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Found {} urls in response in page {}".format( + len(url_list), page + ), + ) + ) + result = await self.process_s3_bucket_urls(url_list, page) + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Next token = {}".format(next_page), + ) + ) + if result: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Complete processing s3 bucket urls for page {}".format( + page + ), + ) + ) + checkpoint_data.update({"nextPage": next_page}) + self.post_checkpoint_data(self.checkpoint_obj, checkpoint_data) + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "An error occurred while fetching data," + "Please ensure that the Sentinel credentials are correct", + ) + ) + raise MimecastException() + page += 1 + except MimecastTimeoutException: + raise MimecastTimeoutException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + async def process_s3_bucket_urls(self, url_list, page): + """Process a list of S3 bucket URLs. + + Args: + url_list (List[str]): A list of S3 bucket URLs. + page (int): page number + + Returns: + bool: True if all tasks are completed. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + async with aiohttp.ClientSession() as session: + tasks = [] + for index, url in enumerate(url_list): + task = asyncio.create_task( + self.fetch_unzip_and_ingest_s3_url_data(index + 1, session, url) + ) + tasks.append(task) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "{} tasks created for page {}".format(len(tasks), page), + ) + ) + results = await asyncio.gather(*tasks, return_exceptions=True) + success_count = 0 + for result in results: + if result is True: + success_count += 1 + if success_count == 0 and len(url_list) > 0: + return False + if success_count == len(url_list): + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "All tasks are completed successfully for page {}".format(page), + ) + ) + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "{} tasks failed for page {}".format( + (len(url_list) - success_count), page + ), + ) + ) + return True + except MimecastException: + raise MimecastException() + except aiohttp.ClientError as session_err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.CLIENT_ERROR_MSG.format( + "Error creating aiohttp.ClientSession: {} for page {}".format( + session_err, page + ) + ), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format( + "{} for page {}".format(err, page) + ), + ) + ) + raise MimecastException() + + async def decompress_and_make_json(self, index, response): + """Decompress and convert the content of a response to a list of JSON objects. + + Args: + index (int): The task index. 
+ response (aiohttp.ClientResponse): The response object. + + Returns: + list: A list of JSON objects. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Read zip, Decompress zip and make json from events for task {}".format( + index + ), + ) + ) + gzipped_content = await response.read() + decompressed_data = gzip.decompress(gzipped_content) + decompressed_content = decompressed_data.decode("utf-8", errors="replace") + json_objects = [] + corrupt_data = [] + for obj in decompressed_content.splitlines(): + try: + obj = obj.strip() + if obj: + json_objects.append(json.loads(obj)) + except json.JSONDecodeError: + self.handle_corrupt_data(index, obj, corrupt_data) + continue + if corrupt_data: + curent_corrupt_data_obj = StateManager( + consts.CONN_STRING, + "Corrupt-Data-Cloud-Integrated_{}".format(str(int(time.time()))), + consts.FILE_SHARE_NAME, + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting corrupted data into checkpoint file for task: {}".format( + index + ), + ) + ) + self.post_checkpoint_data(curent_corrupt_data_obj, corrupt_data) + return json_objects + except MimecastException: + raise MimecastException() + except aiohttp.ClientError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.CLIENT_ERROR_MSG.format( + "Error reading response: {}, for task = {}".format(err, index) + ), + ) + ) + raise MimecastException() + except gzip.BadGzipFile as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "gzip file is corrupted or Invalid: {}, for task = {}".format( + err, index + ), + ) + ) + raise MimecastException() + except UnicodeDecodeError as err: + applogger.error( + self.log_format.format( + 
consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error decoding decompressed data: {}, for task = {}".format( + err, index + ), + ) + ) + raise MimecastException() + except (OSError, IOError) as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error decompressing data: {}, for task = {}".format(err, index), + ) + ) + raise MimecastException() + except json.JSONDecodeError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format( + "Error parsing JSON: {}, for task = {}".format(err, index) + ), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_TASK_MSG.format(err, index), + ) + ) + raise MimecastException() + + def handle_corrupt_data(self, index, obj, corrupt_data): + """Handle corrupt data by appending it to the corrupt_data list. + + Args: + index (int): The index of the task. + obj: The object to be handled. + corrupt_data (list): A list to store corrupt data. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + corrupt_data.append(str(obj)) + except TypeError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format( + "{}, for task = {}".format(err, index) + ), + ) + ) + + async def fetch_unzip_and_ingest_s3_url_data( + self, index, session: aiohttp.ClientSession, url + ): + """Fetch, unzip, and ingest data from a given S3 URL. + + Args: + index (int): The index of the task. + session (aiohttp.ClientSession): The session to use for making the HTTP request. + url (str): The URL of the S3 file. + + Returns: + bool: True if the data was successfully ingested, False otherwise. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + for _ in range(consts.MAX_RETRIES_ASYNC): + try: + response = await self.make_async_call(session, url, index) + response_json = await self.decompress_and_make_json(index, response) + if len(response_json) > 0: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data len = {}, Ingesting data to sentinel for task = {}".format( + len(response_json), index + ), + ) + ) + await post_data_async( + index, + json.dumps(response_json), + session, + consts.TABLE_NAME["CI"], + ) + return True + return False + except MimecastException: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Retry.. , for task = {}".format(index), + ) + ) + time.sleep(randrange(2, 10)) + continue + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retries exceeded, for task = {}".format(index), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_TASK_MSG.format(err, index), + ) + ) + raise MimecastException() + + async def make_async_call(self, session, url, index): + """Make an asynchronous call to the given URL using the provided session. + + Args: + session (aiohttp.ClientSession): The session to use for making the HTTP request. + url (str): The URL to make the call to. + index (int): The index of the task. + + Returns: + aiohttp.ClientResponse: The response object if the call is successful. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Get Call, for task = {}".format(index), + ) + ) + response = await session.get(url) + + if response.status >= 200 and response.status <= 299: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Success, Status code : {} for task = {}".format( + response.status, index + ), + ) + ) + return response + elif response.status == 429: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Too Many Requests, Status code : {} for task = {}".format( + response.status, index + ), + ) + ) + raise MimecastException() + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unexpected Error = {}, Status code : {} for task = {}".format( + response.text, response.status, index + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except ClientResponseError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Client response error: {} - {}, for task = {}".format( + err.status, err.message, index + ), + ) + ) + raise MimecastException() + except ServerTimeoutError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Server timeout error: {}, for task = {}".format(err, index), + ) + ) + raise MimecastException() + except ClientError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Client error: {}, for task = {}".format(err, index), + ) + ) + raise MimecastException() + except asyncio.TimeoutError as err: + applogger.error( + 
self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request timeout error: {}, for task = {}".format(err, index), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_TASK_MSG.format(err, index), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/Mimecast_Cloud_Integrated_FunctionApp.json b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/Mimecast_Cloud_Integrated_FunctionApp.json new file mode 100644 index 00000000000..a8ace5c1fe9 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/Mimecast_Cloud_Integrated_FunctionApp.json 
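Review bot: `time.sleep(randrange(2, 10))` in the retry loop of `fetch_unzip_and_ingest_s3_url_data` blocks the event loop, so every task gathered by `process_s3_bucket_urls` stalls for the same 2–10 s whenever one URL is retried; it should be `await asyncio.sleep(randrange(2, 10))`. In `make_async_call`, the unexpected-status log formats `response.text`, which on an `aiohttp.ClientResponse` is a coroutine method rather than the body, so the message prints a bound-method repr; use `await response.text()` there or leave the body out. `process_s3_bucket_urls` returns True whenever at least one URL on the page succeeded, and `get_batch_data_urls_from_api` then writes `nextPage` to the checkpoint, so URLs that exhausted `MAX_RETRIES_ASYNC` are logged but never re-fetched — worth confirming that silently dropping those Mimecast events is the intended durability contract. The bare `consts.FILE_SHARE_NAME` statement in `__init__` is a no-op and should be removed.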
@@ -0,0 +1,125 @@ +{ + "id": "MimecastCIAPI", + "title": "Mimecast Cloud Integrated", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Cloud Integrated](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Cloud Integrated inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities.", + "graphQueries": [ + { + "metricName": "Total Cloud Integrated data received", + "legend": "Cloud_Integrated_CL", + "baseQuery": "Cloud_Integrated_CL" + } + ], + "sampleQueries": [ + { + "description": "Cloud_Integrated_CL", + "query": "Cloud_Integrated_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Cloud_Integrated_CL", + "lastDataReceivedQuery": "Cloud_Integrated_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Cloud_Integrated_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "title": "Resource group", + "description": "You need to have a resource group created with a subscription you are going to use." + }, + { + "title": "Functions app", + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret" + }, + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "Configuration:", + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)" + }, + { + "title": "", + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Mimecast Cloud Integrated Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastCI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 */30 * * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] +} \ No newline at end of file 
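Review bot: The `Functions app` step lists `Application Id` and `Client Id` as two separate prerequisites although in an Entra ID app registration they are the same value, and the `Configuration:` step titled `STEP 1 - Configuration steps for the Mimecast API` describes creating an Azure app-registration client secret rather than anything on the Mimecast side, so a reader cannot tell which credential goes where; the ARM step later asks for `Mimecast Client ID` and `Mimecast Client Secret`, so presumably STEP 1 should point at the Mimecast API application settings and the duplicate Azure item should be dropped. The workspace `requiredPermissions` block declares `"delete": true` although the connector only ingests data and none of its instructions delete anything; if the framework honours this field, least privilege would drop it — verify against how other function-app connectors in the repo declare it. The `Azure Subscription` custom permission says an owner role is required to register an application and grant contributor on a resource group; owner is broader than those two actions need, so state the minimum role the deployment actually requires or phrase it as a recommendation.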
diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/__init__.py
new file mode 100644
index 00000000000..91361ed4c8b
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/__init__.py
@@ -0,0 +1 @@
+"""This is init file to consider SharedCode as package."""
diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/consts.py b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/consts.py
new file mode 100644
index 00000000000..fb6b04b1d22
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/consts.py
@@ -0,0 +1,81 @@
+"""Module with constants and configurations for the Mimecast integration."""
+
+import os
+
+LOG_LEVEL = os.environ.get("LogLevel", "INFO")
+LOGS_STARTS_WITH = "Mimecast"
+LOG_FORMAT = "{}(method = {}) : {} : {}"
+
+
+# *Sentinel related constants
+AZURE_CLIENT_ID = os.environ.get("Azure_Client_Id", "")
+AZURE_CLIENT_SECRET = os.environ.get("Azure_Client_Secret", "")
+AZURE_TENANT_ID = os.environ.get("Azure_Tenant_Id", "")
+WORKSPACE_KEY = os.environ.get("Workspace_Key", "")
+WORKSPACE_ID = os.environ.get("Workspace_Id", "")
+
+# *Mimecast related constants
+MIMECAST_CLIENT_ID = os.environ.get("Mimecast_client_id")
+MIMECAST_CLIENT_SECRET = os.environ.get("Mimecast_client_secret")
+
+BASE_URL = os.environ.get("BaseUrl", "https://api.services.mimecast.com")
+ENDPOINTS = {
+ "OAUTH2": "/oauth/token",
+ "TTP_URL": "/api/ttp/url/get-logs",
+ "SEG_DLP": "/api/dlp/get-logs",
+ "SEG_CG": "/siem/v1/batch/events/cg",
+ "CI": "/siem/v1/batch/events/ci",
+}
+
+TABLE_NAME = {
+ "TTP_URL": "Ttp_Url",
+ "SEG_DLP": "Seg_Dlp",
+ "SEG_CG": "Seg_Cg_3",
+ "CI": "Cloud_Integrated",
+}
+TTP_URL_FUNCTION_NAME = "TTP_URL"
+SEG_DLP_FUNCTION_NAME = "SEG_DLP"
+SEG_CG_FUNCTION_NAME = "SEG_CG"
+CLOUD_INTEGRATED_FUNCTION_NAME = "CLOUD_INTEGRATED"
+
+CI_TYPES = "entities,mailflow,urlclick"
+
+# *Error Messages for Exception
+UNEXPECTED_ERROR_MSG = "Unexpected error : Error-{}"
+UNEXPECTED_ERROR_TASK_MSG = "Unexpected error : Error-{}, task = {}"
+HTTP_ERROR_MSG = "HTTP error : Error-{}"
+REQUEST_ERROR_MSG = "Request error : Error-{}"
+CONNECTION_ERROR_MSG = "Connection error : Error-{}"
+KEY_ERROR_MSG = "Key error : Error-{}"
+TYPE_ERROR_MSG = "Type error : Error-{}"
+VALUE_ERROR_MSG = "Value error : Error-{}"
+JSON_DECODE_ERROR_MSG = "JSONDecode error : Error-{}"
+CLIENT_ERROR_MSG = "Client error : Error-{}"
+TIME_OUT_ERROR_MSG = "Timeout error : Error-{}"
+MAX_RETRY_ERROR_MSG = "Max retries exceeded : {} Last exception: {}"
+
+
+# *checkpoint related constants
+CONN_STRING = os.environ.get("Connection_String")
+FILE_SHARE_NAME = os.environ.get("File_Share_Name", "mimecast-checkpoints")
+START_DATE = os.environ.get("Start_Date")
+
+# *Extra constants
+DATE_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
+MAX_FILE_SIZE = 20 * 1024 * 1024
+MAX_CHUNK_SIZE = 1024 * 1024
+MAX_RETRIES = 5
+MAX_RETRIES_ASYNC = 2
+PAGE_SIZE = 500
+DEFAULT_LOOKUP_DAY = 60
+FUNCTION_APP_TIMEOUT_SECONDS = 540
+TIME_DIFFERENCE = 900
+ASYNC_PAGE_SIZE = 10
+SENTINEL_RETRY_COUNT = 3
+MAX_TIMEOUT_SENTINEL = 120
+INGESTION_ERROR_SLEEP_TIME = 30
+EXCEPTION_STATUS_CODE = [400, 403, 409]
+RETRY_STATUS_CODE = [429, 500, 503, 502, 509]
+MAX_SLEEP_TIME = 30
+MIN_SLEEP_TIME = 5
+BACKOFF_MULTIPLIER = 2
diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/logger.py b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/logger.py
new file mode 100644
index 00000000000..3bcac77b9e4
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/logger.py
@@ -0,0 +1,23 @@
+"""Handle the logger."""
+
+import logging
+import sys
+from . import consts
+
+log_level = consts.LOG_LEVEL
+
+LOG_LEVELS = {
+ "DEBUG": logging.DEBUG,
+ "INFO": logging.INFO,
+ "WARNING": logging.WARNING,
+ "ERROR": logging.ERROR,
+}
+
+try:
+ applogger = logging.getLogger("azure")
+ applogger.setLevel(LOG_LEVELS.get(log_level.upper(), logging.INFO))
+except Exception:
+ applogger.setLevel(logging.INFO)
+finally:
+ handler = logging.StreamHandler(stream=sys.stdout)
+ applogger.addHandler(handler)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/mimecast_exception.py b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/mimecast_exception.py
new file mode 100644
index 00000000000..53c1f7257f8
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/mimecast_exception.py
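Review bot: `BASE_URL` is taken verbatim from the `BaseUrl` app setting and, given the `"OAUTH2": "/oauth/token"` entry in `ENDPOINTS`, is presumably where `MIMECAST_CLIENT_SECRET` is posted to obtain a token, yet nothing in consts.py checks that it is an https URL, so a mistyped `http://` setting would transmit the client credentials without TLS. A one-line guard where the environment is validated would close that, `if not consts.BASE_URL.lower().startswith("https://"): raise MimecastException()`, with a comment on the constant: `# BASE_URL must be https: the OAuth2 client secret is posted to it`. Separately, `MAX_TIMEOUT_SENTINEL` is also passed as the timeout of the Mimecast `requests.request` call in utils.py later in this diff, so a neutral name such as `REQUEST_TIMEOUT_SECONDS` (or a second constant) would stop a Sentinel-specific tuning from silently changing the Mimecast call. `RETRY_STATUS_CODE` lists 509, which is not a standard HTTP status, while 504 (gateway timeout) is absent — verify against the codes the Mimecast API actually returns.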
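Review bot: The `except Exception` branch at the end of logger.py calls `applogger.setLevel(logging.INFO)`, but if `logging.getLogger("azure")` is what raised then `applogger` is unbound and the `finally` block would fail with NameError; the only other thing that can raise is `log_level.upper()`, and `consts.LOG_LEVEL` defaults to "INFO", so the try/except is effectively dead. Move the lookup out of the try, `applogger = logging.getLogger("azure")` before `try:`, and keep only the `setLevel` call inside. Worth a comment that the logger is named `azure`, so `LogLevel=DEBUG` also raises the verbosity of the Azure SDK loggers that share this name and their debug output includes request and response details: `# "azure" is also the Azure SDK's root logger; DEBUG here enables SDK HTTP tracing too`. The `finally` adds a StreamHandler unconditionally, which is fine for a package imported once but would duplicate every line if the module were ever re-imported.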
@@ -0,0 +1,25 @@
+"""This File contains custom Exception class for Mimecast."""
+
+
+class MimecastException(Exception):
+ """Exception class to handle Mimecast exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Mimecast exception with custom message."""
+ super().__init__(message)
+
+
+class MimecastTimeoutException(Exception):
+ """Exception class to handle Mimecast exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Mimecast exception with custom message."""
+ super().__init__(message)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/sentinel.py
new file mode 100644
index 00000000000..2f6ed7a561a
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/sentinel.py
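Review bot: `MimecastTimeoutException` reuses MimecastException's docstring word for word ("Exception class to handle Mimecast exception"), so nothing in the file says when a caller should expect the timeout variant rather than the general one; its raise sites are not in this hunk, so I would phrase it as a contract to be confirmed, e.g. `"""Raised when a Mimecast request or collection run exceeds its time budget; see the raise sites for the exact condition."""`. Both `__init__` overrides only forward `message` to `Exception.__init__`, which the base class already does, so they can be dropped and the class docstrings kept.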
@@ -0,0 +1,353 @@ +"""This file contains methods for creating microsoft custom log table.""" + +import base64 +import requests +import hashlib +import hmac +import inspect +import datetime +import time +import aiohttp +from .logger import applogger +from .mimecast_exception import MimecastException +from . import consts +from .state_manager import StateManager +from urllib3.exceptions import NameResolutionError + + +def build_signature( + date, + content_length, + method, + content_type, + resource, +): + """To build signature which is required in header.""" + x_headers = "x-ms-date:" + date + string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource + bytes_to_hash = bytes(string_to_hash, encoding="utf-8") + decoded_key = base64.b64decode(consts.WORKSPACE_KEY) + encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode() + authorization = "SharedKey {}:{}".format(consts.WORKSPACE_ID, encoded_hash) + + return authorization + + +def post_data(body, log_type): + """Build and send a request to the POST API. + + Args: + body (str): Data to post into Sentinel log analytics workspace + log_type (str): Custom log table name in which data wil be added. + + Returns: + status_code: Returns the response status code got while posting data to sentinel. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") + content_length = len(body) + try: + signature = build_signature( + rfc1123date, + content_length, + method, + content_type, + resource, + ) + except Exception as err: + applogger.error( + "{}(method={}) : Error in build signature-{}".format( + consts.LOGS_STARTS_WITH, + __method_name, + err, + ) + ) + raise MimecastException() + uri = "https://" + consts.WORKSPACE_ID + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01" + + headers = { + "content-type": content_type, + "Authorization": signature, + "Log-Type": log_type, + "x-ms-date": rfc1123date, + } + try: + response = requests.post(uri, data=body, headers=headers) + if response.status_code >= 200 and response.status_code <= 299: + applogger.debug( + "{}(method={}) : Status_code: {} Accepted: Data Posted Successfully to azure sentinel.".format( + consts.LOGS_STARTS_WITH, + __method_name, + response.status_code, + ) + ) + return response.status_code + else: + raise MimecastException() + except requests.RequestException as error: + applogger.error( + "{}(method={}) : Request error : Error-{}".format( + consts.LOGS_STARTS_WITH, + __method_name, + error, + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : Error-{}".format( + consts.LOGS_STARTS_WITH, + __method_name, + error, + ) + ) + raise MimecastException() + + +async def post_data_async(index, body, session: aiohttp.ClientSession, log_type): + """Build and send a request to the POST API. + + Args: + body (str): Data to post into Sentinel log analytics workspace + log_type (str): Custom log table name in which data wil be added. + + Returns: + status_code: Returns the response status code got while posting data to sentinel. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") + content_length = len(body) + try: + signature = build_signature( + rfc1123date, + content_length, + method, + content_type, + resource, + ) + except Exception as err: + applogger.error( + "{}(method={}) : Error in build signature-{} for task = {}".format( + consts.LOGS_STARTS_WITH, __method_name, err, index + ) + ) + raise MimecastException() + uri = "https://" + consts.WORKSPACE_ID + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01" + + headers = { + "content-type": content_type, + "Authorization": signature, + "Log-Type": log_type, + "x-ms-date": rfc1123date, + } + retry_count = 0 + while retry_count < consts.SENTINEL_RETRY_COUNT: + try: + + response = await session.post(uri, data=body, headers=headers, timeout=consts.MAX_TIMEOUT_SENTINEL) + result = handle_response(response, body, log_type) + + if result is not False: + return result + retry_count += 1 + continue + except requests.exceptions.ConnectionError as error: + try: + if isinstance(error.args[0].reason, NameResolutionError): + applogger.error( + "{}(method={}) : {} : Workspace ID is wrong: {}, Sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except Exception as unknown_connect_error: + applogger.error( + "{}(method={}) : {} : Unknown Error in ConnectionError: {}, Sleeping for {} seconds." 
+ " and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + unknown_connect_error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + applogger.error( + "{}(method={}) : {} : Unknown Connection Error, sleeping for {} seconds and retrying.." + "Error - {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + consts.INGESTION_ERROR_SLEEP_TIME, + error, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.exceptions.Timeout as error: + applogger.error( + "{}(method={}) : {} : sleeping - {} seconds and retrying.. Timeout Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + consts.INGESTION_ERROR_SLEEP_TIME, + error, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.RequestException as error: + applogger.error( + "{}(method={}) : {} : Request Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + error, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + error, + ) + ) + raise MimecastException() + applogger.error( + "{}(method={}) : {} : Maximum Retry count of {} exceeded, hence stopping execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + consts.SENTINEL_RETRY_COUNT, + ) + ) + raise MimecastException() + + +def handle_response(response, body, log_type): + """Handle the response from Azure Sentinel.""" + try: + __method_name = inspect.currentframe().f_code.co_name + if response.status >= 200 and response.status <= 299: + 
applogger.debug( + "{}(method={}) : Status_code: {} Accepted: Data Posted Successfully to azure sentinel.".format( + consts.LOGS_STARTS_WITH, + __method_name, + response.status, + ) + ) + return response.status + elif response.status == 400: + applogger.error( + "{}(method={}) : {} : Response code: {} from posting data to log analytics. Response: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + response.status, + response.text, + ) + ) + curent_corrupt_data_obj = StateManager( + consts.CONN_STRING, + "{}-Ingest-To-Sentinel-Corrupt_{}".format(consts.CLOUD_INTEGRATED_FUNCTION_NAME, str(int(time.time()))), + consts.FILE_SHARE_NAME, + ) + curent_corrupt_data_obj.post(body) + raise MimecastException() + elif response.status == 403: + applogger.error( + "{}(method={}) : {} : Response code :{} Error occurred for build signature: Response: {}." + "Issue with WorkspaceKey ,Kindly verify your WorkspaceKey".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + response.status, + response.text, + ) + ) + raise MimecastException() + elif response.status == 429: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Too many request: Response: {} . " + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + response.status, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + elif response.status == 500: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Internal Server Error: Response: {} . 
" + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + response.status, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + elif response.status == 503: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Service Unavailable: Response: {} . " + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + response.status, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + applogger.error( + "{}(method={}) : {} : Response code: {} from posting data to log analytics. Response: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + response.status, + response.text, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + error, + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/state_manager.py b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/state_manager.py new file mode 100644 index 00000000000..0bfe9819ce1 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/state_manager.py 
@@ -0,0 +1,69 @@
+"""This module will help to save file to state manager."""
+
+from azure.storage.fileshare import ShareClient
+from azure.storage.fileshare import ShareFileClient
+from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError
+
+
+class StateManager:
+ """State manager class for specific operation.
+
+ This class will help to manage the state of the operation
+ by saving and getting data from Azure Storage.
+
+ Args:
+ connection_string (str): Azure Storage connection string.
+ file_path (str): File path on the share.
+ share_name (str): Name of the share.
+ """
+
+ def __init__(self, connection_string, file_path, share_name):
+ """Initialize the share_cli and file_cli."""
+ self.share_cli = ShareClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name
+ )
+ self.file_cli = ShareFileClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name, file_path=file_path
+ )
+
+ def post(self, marker_text: str):
+ """Post method for posting the data to Azure Storage.
+
+ This method will upload the given text to the
+ Azure Storage as a file.
+
+ Args:
+ marker_text (str): String to be saved in the file.
+ """
+ try:
+ self.file_cli.upload_file(marker_text)
+ except ResourceNotFoundError:
+ try:
+ self.share_cli.create_share()
+ self.file_cli.upload_file(marker_text)
+ except ResourceExistsError:
+ self.file_cli.upload_file(marker_text)
+
+ def get(self):
+ """Get method for getting the data from Azure Storage.
+
+ This method will download the file from Azure Storage
+ and return the contents as a string.
+
+ Returns:
+ str: The contents of the file.
+ """
+ try:
+ return self.file_cli.download_file().readall().decode()
+ except ResourceNotFoundError:
+ return None
+
+ def delete(self):
+ """Delete method for deleting the data from Azure Storage.
+
+ This method will delete the file from Azure Storage.
+ """
+ try:
+ self.file_cli.delete_file()
+ except ResourceNotFoundError:
+ raise ResourceNotFoundError("File not found to be deleted.")
diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/utils.py b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/utils.py
new file mode 100644
index 00000000000..062ea32d5e4
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/SharedCode/utils.py
@@ -0,0 +1,723 @@ +"""Utils File.""" + +import inspect +import requests +import json +from json.decoder import JSONDecodeError +import datetime +from .state_manager import StateManager +from .mimecast_exception import MimecastException +from .logger import applogger +from . import consts +from tenacity import ( + retry, + stop_after_attempt, + wait_exponential, + retry_if_exception_type, + retry_if_result, + retry_any, + RetryError, +) +from requests.exceptions import ConnectionError + + +def retry_on_status_code(response): + """Check and retry based on a list of status codes. + + Args: + response (): API response is passed + + Returns: + Bool: if given status code is in list then true else false + """ + __method_name = inspect.currentframe().f_code.co_name + if isinstance(response, dict): + return False + if response.status_code in consts.RETRY_STATUS_CODE: + applogger.info( + "{}(method={}) : {} : Retrying due to status code : {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + consts.CLOUD_INTEGRATED_FUNCTION_NAME, + response.status_code, + ) + ) + return True + return False + + +class Utils: + """Utils Class.""" + + def __init__(self, azure_function_name) -> None: + """Init Function.""" + self.azure_function_name = azure_function_name + self.log_format = consts.LOG_FORMAT + self.headers = {} + + def check_environment_var_exist(self, environment_var): + """Check the existence of required environment variables. + + Logs the validation process and completion. Raises MimecastException if any required field is missing. 
+ + Args: + environment_var(list) : variables to check for existence + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validating Environment Variables", + ) + ) + missing_required_field = False + for var in environment_var: + key, val = next(iter(var.items())) + if not val: + missing_required_field = True + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Environment variable {} is not set".format(key), + ) + ) + if missing_required_field: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation failed", + ) + ) + raise MimecastException() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation Complete", + ) + ) + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_checkpoint_data(self, checkpoint_obj: StateManager, load_flag=True): + """Get checkpoint data from a StateManager object. + + Args: + checkpoint_obj (StateManager): The StateManager object to retrieve checkpoint data from. + load_flag (bool): A flag indicating whether to load the data as JSON (default is True). + + Returns: + The retrieved checkpoint data. 
+ + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Fetching checkpoint data", + ) + ) + checkpoint_data = checkpoint_obj.get() + if load_flag and checkpoint_data: + checkpoint_data = json.loads(checkpoint_data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint data = {}".format(checkpoint_data), + ) + ) + return checkpoint_data + except json.decoder.JSONDecodeError as json_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format(json_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def post_checkpoint_data(self, checkpoint_obj: StateManager, data, dump_flag=True): + """Post checkpoint data. + + It post the data to a checkpoint object based on the dump_flag parameter. + + Args: + checkpoint_obj (StateManager): The StateManager object to post data to. + data: The data to be posted. + dump_flag (bool): A flag indicating whether to dump the data as JSON before posting (default is True). 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting checkpoint data = {}".format(data), + ) + ) + if dump_flag: + checkpoint_obj.post(json.dumps(data)) + else: + checkpoint_obj.post(data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data posted to azure storage", + ) + ) + except TypeError as type_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(type_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + @retry( + stop=stop_after_attempt(consts.MAX_RETRIES), + wait=wait_exponential( + multiplier=consts.BACKOFF_MULTIPLIER, + min=consts.MIN_SLEEP_TIME, + max=consts.MAX_SLEEP_TIME, + ), + retry=retry_any( + retry_if_result(retry_on_status_code), + retry_if_exception_type(ConnectionError), + ), + before_sleep=lambda retry_state: applogger.error( + "{}(method = {}) : Retring after {} secends, attempt number: {} ".format( + consts.LOGS_STARTS_WITH, + " Retry Decorator", + retry_state.upcoming_sleep, + retry_state.attempt_number, + ) + ), + ) + def make_rest_call( + self, method, url, params=None, data=None, json=None, check_retry=True + ): + """Make a rest call. + + Args: + url (str): The URL to make the call to. + method (str): The HTTP method to use for the call. + params (dict, optional): The parameters to pass in the call (default is None). + data (dict, optional): The body(in x-www-form-urlencoded formate) of the request (default is None). + json (dict, optional): The body(in row formate) of the request (default is None). 
+ check_retry (bool, optional): A flag indicating whether to check for retry (default is True). + + Returns: + dict: The JSON response if the call is successful. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Rest Call, Method :{}, url: {}".format(method, url), + ) + ) + + response = requests.request( + method, + url, + headers=self.headers, + params=params, + data=data, + json=json, + timeout=consts.MAX_TIMEOUT_SENTINEL, + ) + + if response.status_code >= 200 and response.status_code <= 299: + response_json = response.json() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Success, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_success(response_json) + return response_json + elif response.status_code == 400: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Bad Request = {}, Status code : {}".format( + response.text, response.status_code + ), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 401: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unauthorized, Status code : {}".format(response.status_code), + ) + ) + response_json = response.json() + fail_json = response_json.get("fail", []) + error_code = None + error_message = None + if fail_json: + error_code = fail_json[0].get("code") + error_message = fail_json[0].get("message") + if check_retry: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating new token, Error message = {}, Error code = {}".format( + error_message, error_code + ), + ) + ) + check_retry = False + 
self.authenticate_mimecast_api(check_retry) + return self.make_rest_call( + method, url, params, data, json, check_retry + ) + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retry reached for generating access token," + "Error message = {}, Error code = {}".format( + error_message, error_code + ), + ) + ) + raise MimecastException() + elif response.status_code == 403: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Forbidden, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 404: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Not Found, URL : {}, Status code : {}".format( + url, response.status_code + ), + ) + ) + raise MimecastException() + elif response.status_code == 409: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Conflict, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 429: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Too Many Requests, Status code : {} ".format( + response.status_code + ), + ) + ) + return response + elif response.status_code == 500: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Internal Server Error, Status code : {}".format( + response.status_code + ), + ) + ) + return self.handle_failed_response_for_failure(response) + elif response.status_code == 502: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Issue with a downstream service , Status code : 
{}".format( + response.status_code + ), + ) + ) + return self.handle_failed_response_for_failure(response) + elif response.status_code == 504: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Timeout from a downstream service, Status code : {}".format( + response.status_code + ), + ) + ) + return self.handle_failed_response_for_failure(response) + + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unexpected Error = {}, Status code : {}".format( + response.text, response.status_code + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except requests.exceptions.Timeout as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TIME_OUT_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except JSONDecodeError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format( + "{}, API Response = {}".format(error, response.text) + ), + ) + ) + raise MimecastException() + except requests.ConnectionError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.CONNECTION_ERROR_MSG.format(error), + ) + ) + raise ConnectionError() + except requests.RequestException as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.REQUEST_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def 
handle_failed_response_for_failure(self, response): + """Handle the failed response for failure status codes. + + If request get authentication error it will regenerate the access token. + + Args: + response_json (dict): The JSON response from the API. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + response_json = response.json() + error_message = response_json + fail_json = response_json.get("fail", []) + error_json = response_json.get("error") + if fail_json: + error_message = fail_json[0].get("message") + elif error_json: + error_message = error_json.get("message") + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error_message, + ) + ) + if response.status_code in consts.EXCEPTION_STATUS_CODE: + raise MimecastException() + + return response + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def handle_failed_response_for_success(self, response_json): + """Handle the failed response for a successful request. + + Check if there is failure in success response or not. + + Args: + response_json (dict): The JSON response from the request. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + fail_json = response_json.get("fail", []) + if fail_json: + try: + error_message = fail_json[0].get("errors")[0].get("message") + except (KeyError, IndexError, ValueError, TypeError): + error_message = fail_json + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Failed response message = {}".format(error_message), + ) + ) + raise MimecastException() + else: + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No failed response found", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def authenticate_mimecast_api(self, check_retry=True): + """Authenticate mimecast endpoint generate access token and update header. + + Args: + check_retry (bool): Flag for retry of generating access token. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + body = { + "client_id": consts.MIMECAST_CLIENT_ID, + "client_secret": consts.MIMECAST_CLIENT_SECRET, + "grant_type": "client_credentials", + } + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating access token", + ) + ) + self.headers = {} + url = "{}{}".format(consts.BASE_URL, consts.ENDPOINTS["OAUTH2"]) + response = self.make_rest_call( + method="POST", url=url, data=body, check_retry=check_retry + ) + if "access_token" in response: + access_token = response.get("access_token") + self.headers.update( + { + "Content-Type": "application/json", + "Authorization": "Bearer {}".format(access_token), + } + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Successfully generated access token and header updated", + ) + ) + return + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error occurred while fetching the access token from the response = {}".format( + response + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def 
iso_to_epoch_int(self, date_time): + """Convert an ISO formatted date and time string to epoch time. + + Args: + date_time (str): The input date and time string in the format "%Y-%m-%dT%H:%M:%SZ" + + Returns: + int: The epoch time as a integer. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + date_time_obj = datetime.datetime.strptime( + date_time, consts.DATE_TIME_FORMAT + ) + epoch_time = date_time_obj.timestamp() + return epoch_time + except TypeError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except ValueError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.VALUE_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/azuredeploy_Connector_MimecastCI_AzureFunction.json b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/azuredeploy_Connector_MimecastCI_AzureFunction.json new file mode 100644 index 00000000000..2f3f0f08ee3 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/azuredeploy_Connector_MimecastCI_AzureFunction.json 
@@ -0,0 +1,251 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "FunctionName": { + "defaultValue": "MimecastCI", + "minLength": 1, + "maxLength": 11, + "type": "string" + }, + "WorkspaceID": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Workspace ID of Log Analytics workspace" + } + }, + "WorkspaceKey": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Workspace Key of Log Analytics workspace" + } + }, + "MimecastBaseURL": { + "defaultValue": "https://api.services.mimecast.com", + "type": "string", + "metadata": { + "description": "Enter Base URL of Mimecast API 2.0 (e.g. https://api.services.mimecast.com)" + } + }, + "MimecastClientID": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Mimecast Client ID for authentication" + } + }, + "MimecastClientSecret": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Mimecast Client Secret for authentication" + } + }, + "Schedule": { + "type": "string", + "minLength": 11, + "defaultValue": "0 */30 * * * *", + "metadata": { + "description": "Please enter a valid Quartz cron-expression. (Example: 0 0 0 * * *)\n\nDo not keep the value empty, minimum value is 10 minutes" + } + }, + "LogLevel": { + "type": "string", + "metadata": { + "description": "Please add log level or log severity value. By default it is set to INFO" + }, + "allowedValues": [ + "Debug", + "Info", + "Error", + "Warning" + ], + "defaultValue": "Info" + }, + "AppInsightsWorkspaceResourceID": { + "type": "string", + "metadata": { + "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. 
This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'" + } + } + }, + "variables": { + "FunctionName": "[concat(toLower(trim(parameters('FunctionName'))), uniqueString(resourceGroup().id))]", + "StorageSuffix": "[environment().suffixes.storage]", + "LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(trim(parameters('WorkspaceID'))), '.ods.opinsights'))]" + }, + "resources": [ + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "kind": "web", + "properties": { + "Application_Type": "web", + "ApplicationId": "[variables('FunctionName')]", + "WorkspaceResourceId": "[trim(parameters('AppInsightsWorkspaceResourceID'))]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[tolower(variables('FunctionName'))]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Allow" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": 
false + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + } + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]", + "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]" + ], + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "name": "[variables('FunctionName')]", + "httpsOnly": true, + "clientAffinityEnabled": true, + "alwaysOn": true, + "reserved": true, + "siteConfig": { + "linuxFxVersion": "python|3.11" + } + }, + "resources": [ + { + "apiVersion": "2018-11-01", + "type": "config", + "name": "appsettings", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', variables('FunctionName'))]" + ], + "properties": { + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "python", + "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]", + "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]", + "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "logAnalyticsUri": 
"[variables('LogAnaltyicsUri')]", + "Workspace_Id": "[trim(parameters('WorkspaceID'))]", + "Workspace_Key": "[trim(parameters('WorkspaceKey'))]", + "BaseUrl": "[trim(parameters('MimecastBaseURL'))]", + "Mimecast_client_id": "[trim(parameters('MimecastClientID'))]", + "Mimecast_client_secret": "[trim(parameters('MimecastClientSecret'))]", + "File_Share_Name": "mimecast-checkpoints", + "Schedule": "[trim(parameters('Schedule'))]", + "LogLevel": "[trim(parameters('LogLevel'))]", + "Connection_String": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-MimecastCI-functionapp" + } + } + ] + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices/shares", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]", + "dependsOn": [ 
+ "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "shareQuota": 5120 + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/host.json b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/host.json new file mode 100644 index 00000000000..23ec200f96f --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/host.json @@ -0,0 +1,22 @@ +{ + "version": "2.0", + "functionTimeout": "00:10:00", + "logging": { + "applicationInsights": { + "samplingSettings": { + "isEnabled": true, + "excludedTypes": "Request" + } + }, + "logLevel": { + "default": "Trace", + "Host.Results": "Trace", + "Function": "Trace", + "Host.Aggregator": "Trace" + } + }, + "extensionBundle": { + "id": "Microsoft.Azure.Functions.ExtensionBundle", + "version": "[4.*, 5.0.0)" + } +} \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/requirements.txt b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/requirements.txt new file mode 100644 index 00000000000..c1afa26574b --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastCloudIntegrated/requirements.txt @@ -0,0 +1,10 @@ +# DO NOT include azure-functions-worker in this file +# The Python Worker is managed by Azure Functions platform +# Manually managing azure-functions-worker may cause unexpected issues + +azure-functions +requests +azure-storage-file-share==12.15.0 +aiohttp +tenacity +asyncio \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastCG/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastCG/__init__.py new file mode 100644 index 00000000000..4ea42c82020 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastCG/__init__.py 
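Review bot: The Mimecast client secret, the workspace key and the storage account key are all written into plaintext Function App settings (`Mimecast_client_secret`, `Workspace_Key`, and the two `listKeys(...)` connection strings in `AzureWebJobsStorage`/`Connection_String`), so anyone with read access to app settings on the site can recover them, even though the template already provisions a system-assigned identity that would let them live in Key Vault behind `@Microsoft.KeyVault(SecretUri=...)` references. The storage account is also created with `networkAcls.defaultAction: "Allow"` and no TLS floor or public-access setting; adding `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` under its `properties` costs nothing here. `WEBSITE_RUN_FROM_PACKAGE` resolves through the `aka.ms/sentinel-MimecastCI-functionapp` redirect rather than a versioned, hash-pinned artifact, so the code that runs is whatever that link serves when the app (re)starts — presumably intended, but worth stating in the parameter metadata or replacing with a pinned URL.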
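Review bot: `logging.logLevel` pins `default`, `Function`, `Host.Results` and `Host.Aggregator` to `Trace`, which forwards every host and function log line to Application Insights; the `LogLevel` app setting the ARM template exposes presumably governs only the connector's own `applogger`, so host-side verbosity is fixed here, and the connector's debug entries (request params, checkpoint payloads) will be among what is shipped. For a production ingestion function `"default": "Information"` and `"Function": "Information"` are the usual floor, with Trace reserved for troubleshooting. Note also that `samplingSettings.isEnabled: true` means those Trace entries are sampled, so the verbose level buys volume without guaranteeing completeness.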
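Review bot: `asyncio` should not be in this file: the standard-library module ships with the `python|3.11` runtime the template selects, and the PyPI project of that name is an old, unmaintained backport, so the entry only pulls an unneeded third-party package into every deployment. The remaining entries except `azure-storage-file-share==12.15.0` are unpinned (`azure-functions`, `requests`, `aiohttp`, `tenacity`), meaning each build resolves to whatever is current on PyPI at the time; pin them to the versions the connector was tested with (ideally with `--hash` entries) so the deployed package is reproducible.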
@@ -0,0 +1,44 @@ +"""Init file for Mimecast SEG CG function.""" + +import datetime +import logging +import azure.functions as func +import time +from .mimecast_cg_to_sentinel import MimecastCGToSentinel +from ..SharedCode.logger import applogger +from ..SharedCode import consts + + +async def main(mytimer: func.TimerRequest) -> None: + """Run the main logic of the Function App triggered by a timer.""" + utc_timestamp = ( + datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + ) + start = time.time() + applogger.info( + "{} : {}, Function started at {}".format( + consts.LOGS_STARTS_WITH, + consts.SEG_DLP_FUNCTION_NAME, + datetime.datetime.fromtimestamp(start), + ) + ) + mimecast_to_sentinel_obj = MimecastCGToSentinel(int(start)) + await mimecast_to_sentinel_obj.get_mimecast_cg_data_in_sentinel() + end = time.time() + + applogger.info( + "{} : {}, Function ended at {}".format( + consts.LOGS_STARTS_WITH, + consts.SEG_DLP_FUNCTION_NAME, + datetime.datetime.fromtimestamp(end), + ) + ) + applogger.info( + "{} : {}, Total time taken = {}".format( + consts.LOGS_STARTS_WITH, consts.SEG_DLP_FUNCTION_NAME, end - start + ) + ) + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastCG/function.json b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastCG/function.json new file mode 100644 index 00000000000..44f02c1702c --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastCG/function.json @@ -0,0 +1,12 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "%Schedule%", + "useMonitor": true + } + ] +} \ No newline at end of file 
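Review bot: The three `applogger.info` calls in `main` label this run with `consts.SEG_DLP_FUNCTION_NAME`, although this is the CG function (module docstring, and `MimecastCGToSentinel` itself initialises with `consts.SEG_CG_FUNCTION_NAME` in the next file), so the start/end/duration entries will be attributed to the DLP function in telemetry; replace them with `consts.SEG_CG_FUNCTION_NAME`. Separately, `datetime.datetime.utcnow()` is deprecated from Python 3.12 — `datetime.datetime.now(datetime.timezone.utc).isoformat()` gives the same timestamp without the later `replace(tzinfo=...)`. Any `MimecastException` from `get_mimecast_cg_data_in_sentinel` propagates out of `main` uncaught, which is presumably intended so the invocation is recorded as failed.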
diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastCG/mimecast_cg_to_sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastCG/mimecast_cg_to_sentinel.py new file mode 100644 index 00000000000..c8b3fb44e3d --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastCG/mimecast_cg_to_sentinel.py 
@@ -0,0 +1,627 @@ +"""Get mimecast cg data and ingest to custom table in sentinel.""" + +import inspect +import json +import time +from random import randrange +import gzip +import aiohttp +import asyncio +from aiohttp.client_exceptions import ( + ClientError, + ServerTimeoutError, + ClientResponseError, +) +from ..SharedCode import consts +from ..SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from ..SharedCode.logger import applogger +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils +from ..SharedCode.sentinel import post_data_async +from tenacity import RetryError + + +class MimecastCGToSentinel(Utils): + """Class for ingest cg the data from mimecast to sentinel.""" + + def __init__(self, start_time) -> None: + """Initialize MimecastDLPToSentinel object.""" + super().__init__(consts.SEG_CG_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"Base_Url": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"Mimecast_Client_ID": consts.MIMECAST_CLIENT_ID}, + {"Mimecast_Client_Secret": consts.MIMECAST_CLIENT_SECRET}, + ] + ) + self.authenticate_mimecast_api() + self.start = start_time + self.checkpoint_obj = StateManager( + consts.CONN_STRING, "Checkpoint-SEG-CG", consts.FILE_SHARE_NAME + ) + + async def get_mimecast_cg_data_in_sentinel(self): + """Get mimecast cg data and ingest data to sentinel, initialization method.""" + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Start fetching cg endpoint data using batch and async", + ) + ) + await self.get_batch_data_urls_from_api() + except MimecastTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Mimecast: 9:00 mins executed hence breaking.", + ) + ) + return + except 
MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + async def get_batch_data_urls_from_api(self): + """Retrieve a list of URLs from the Mimecast CG API and processes them. + + This function retrieve a list of URLs from the Mimecast CG API by making a GET request to the + SEG_CG endpoint. It iterate through the response pages and retrieves the URLs from each page. + The function then process the URLs and ingest data in sentinel by calling the `process_s3_bucket_urls` method. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + checkpoint_data = self.get_checkpoint_data(self.checkpoint_obj) + next_page = None + if checkpoint_data: + next_page = checkpoint_data.get("nextPage") + else: + checkpoint_data = {} + url = "{}{}".format(consts.BASE_URL, consts.ENDPOINTS["SEG_CG"]) + + params = {"type": consts.SEG_CG_TYPES, "pageSize": consts.ASYNC_PAGE_SIZE} + page = 1 + while True: + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise MimecastTimeoutException() + if next_page: + params["nextPage"] = next_page + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Params = {}, url = {}, page {}".format(params, url, page), + ) + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Iterating page {}".format(page), + ) + ) + response = self.make_rest_call(method="GET", url=url, params=params) + next_page = response.get("@nextPage") + values = response.get("value") + if not values: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No more data to fetch", + ) + ) + break + + url_list = [val.get("url") for val in 
values] + + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Found {} urls in response in page {}".format( + len(url_list), page + ), + ) + ) + result = await self.process_s3_bucket_urls(url_list, page) + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Next token = {}".format(next_page), + ) + ) + if result: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Complete processing s3 bucket urls for page {}".format( + page + ), + ) + ) + checkpoint_data.update({"nextPage": next_page}) + self.post_checkpoint_data(self.checkpoint_obj, checkpoint_data) + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "An error occurred while fetching data," + "Please ensure that the Sentinel credentials are correct", + ) + ) + raise MimecastException() + page += 1 + + except MimecastTimeoutException: + raise MimecastTimeoutException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + async def process_s3_bucket_urls(self, url_list, page): + """Process a list of S3 bucket URLs. + + Args: + url_list (List[str]): A list of S3 bucket URLs. + page (int): page number + + Returns: + bool: True if all tasks are completed. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + async with aiohttp.ClientSession() as session: + tasks = [] + for index, url in enumerate(url_list): + task = asyncio.create_task( + self.fetch_unzip_and_ingest_s3_url_data(index + 1, session, url) + ) + tasks.append(task) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "{} tasks created for page {}".format(len(tasks), page), + ) + ) + results = await asyncio.gather(*tasks, return_exceptions=True) + success_count = 0 + for result in results: + if result is True: + success_count += 1 + if success_count == 0 and len(url_list) > 0: + return False + if success_count == len(url_list): + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "All tasks are completed successfully for page {}".format(page), + ) + ) + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "{} tasks failed for page {}".format( + (len(url_list) - success_count), page + ), + ) + ) + return True + except MimecastException: + raise MimecastException() + except aiohttp.ClientError as session_err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.CLIENT_ERROR_MSG.format( + "Error creating aiohttp.ClientSession: {} for page {}".format( + session_err, page + ) + ), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format( + "{} for page {}".format(err, page) + ), + ) + ) + raise MimecastException() + + def handle_corrupt_data(self, index, obj, corrupt_data): + """Handle corrupt data by appending it to the corrupt_data list. + + Args: + index (int): The index of the task. 
+ obj: The object to be handled. + corrupt_data (list): A list to store corrupt data. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + corrupt_data.append(str(obj)) + except TypeError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format( + "{}, for task = {}".format(err, index) + ), + ) + ) + + async def decompress_and_make_json(self, index, response): + """Decompress and convert the content of a response to a list of JSON objects. + + Args: + index (int): The task index. + response (aiohttp.ClientResponse): The response object. + + Returns: + list: A list of JSON objects. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Read zip, Decompress zip and make json from events for task {}".format( + index + ), + ) + ) + gzipped_content = await response.read() + decompressed_data = gzip.decompress(gzipped_content) + decompressed_content = decompressed_data.decode("utf-8", errors="replace") + json_objects = [] + corrupt_data = [] + for obj in decompressed_content.splitlines(): + try: + obj = obj.strip() + if obj: + json_objects.append(json.loads(obj)) + except json.JSONDecodeError: + self.handle_corrupt_data(index, obj, corrupt_data) + continue + if corrupt_data: + curent_corrupt_data_obj = StateManager( + consts.CONN_STRING, + "Corrupt-Data-Cloud-Gateway_{}".format(str(int(time.time()))), + consts.FILE_SHARE_NAME, + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting corrupted data into checkpoint file for task: {}".format( + index + ), + ) + ) + self.post_checkpoint_data(curent_corrupt_data_obj, corrupt_data) + return json_objects + except MimecastException: + raise MimecastException() + except aiohttp.ClientError as err: + 
applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.CLIENT_ERROR_MSG.format( + "Error reading response: {}, for task = {}".format(err, index) + ), + ) + ) + raise MimecastException() + except gzip.BadGzipFile as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "gzip file is corrupted or Invalid: {}, for task = {}".format( + err, index + ), + ) + ) + raise MimecastException() + except UnicodeDecodeError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error decoding decompressed data: {}, for task = {}".format( + err, index + ), + ) + ) + raise MimecastException() + except (OSError, IOError) as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error decompressing data: {}, for task = {}".format(err, index), + ) + ) + raise MimecastException() + except json.JSONDecodeError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format( + "Error parsing JSON: {}, for task = {}".format(err, index) + ), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_TASK_MSG.format(err, index), + ) + ) + raise MimecastException() + + async def fetch_unzip_and_ingest_s3_url_data( + self, index, session: aiohttp.ClientSession, url + ): + """Fetch, unzip, and ingest data from a given S3 URL. + + Args: + index (int): The index of the task. + session (aiohttp.ClientSession): The session to use for making the HTTP request. + url (str): The URL of the S3 file. + + Returns: + bool: True if the data was successfully ingested, False otherwise. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + for _ in range(consts.MAX_RETRIES_ASYNC): + try: + response = await self.make_async_call(session, url, index) + response_json = await self.decompress_and_make_json(index, response) + if len(response_json) > 0: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data len = {}, Ingesting data to sentinel for task = {}".format( + len(response_json), index + ), + ) + ) + mapping_dict = consts.FILE_PREFIX_MC_TYPE + for data in response_json: + data["type"] = mapping_dict.get(data.get("type")) + + await post_data_async( + index, + json.dumps(response_json), + session, + consts.TABLE_NAME["SEG_CG"], + ) + return True + return False + except MimecastException: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Retry.. , for task = {}".format(index), + ) + ) + time.sleep(randrange(2, 10)) + continue + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retries exceeded, for task = {}".format(index), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_TASK_MSG.format(err, index), + ) + ) + raise MimecastException() + + async def make_async_call(self, session, url, index): + """Make an asynchronous call to the given URL using the provided session. + + Args: + session (aiohttp.ClientSession): The session to use for making the HTTP request. + url (str): The URL to make the call to. + index (int): The index of the task. + + Returns: + aiohttp.ClientResponse: The response object if the call is successful. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Get Call, for task = {}".format(index), + ) + ) + response = await session.get(url) + + if response.status >= 200 and response.status <= 299: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Success, Status code : {} for task = {}".format( + response.status, index + ), + ) + ) + return response + elif response.status == 429: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Too Many Requests, Status code : {} for task = {}".format( + response.status, index + ), + ) + ) + raise MimecastException() + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unexpected Error = {}, Status code : {} for task = {}".format( + response.text, response.status, index + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except ClientResponseError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Client response error: {} - {}, for task = {}".format( + err.status, err.message, index + ), + ) + ) + raise MimecastException() + except ServerTimeoutError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Server timeout error: {}, for task = {}".format(err, index), + ) + ) + raise MimecastException() + except ClientError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Client error: {}, for task = {}".format(err, index), + ) + ) + raise MimecastException() + except asyncio.TimeoutError as err: + applogger.error( + 
self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request timeout error: {}, for task = {}".format(err, index), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_TASK_MSG.format(err, index), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastDLP/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastDLP/__init__.py new file mode 100644 index 00000000000..f497cc5b4a5 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastDLP/__init__.py 
@@ -0,0 +1,44 @@
+"""Init file for Mimecast SEG DLP function."""
+
+import datetime
+import logging
+import time
+import azure.functions as func
+from .mimecast_dlp_to_sentinel import MimecastDLPToSentinel
+from ..SharedCode.logger import applogger
+from ..SharedCode import consts
+
+
+def main(mytimer: func.TimerRequest) -> None:
+ """Run the main logic of the Function App triggered by a timer."""
+ utc_timestamp = (
+ datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat()
+ )
+ start = time.time()
+ applogger.info(
+ "{} : {}, Function started at {}".format(
+ consts.LOGS_STARTS_WITH,
+ consts.SEG_DLP_FUNCTION_NAME,
+ datetime.datetime.fromtimestamp(start),
+ )
+ )
+ mimecast_to_sentinel_obj = MimecastDLPToSentinel(int(start))
+ mimecast_to_sentinel_obj.get_mimecast_dlp_data_in_sentinel()
+ end = time.time()
+
+ applogger.info(
+ "{} : {}, Function ended at {}".format(
+ consts.LOGS_STARTS_WITH,
+ consts.SEG_DLP_FUNCTION_NAME,
+ datetime.datetime.fromtimestamp(end),
+ )
+ )
+ applogger.info(
+ "{} : {}, Total time taken = {}".format(
+ consts.LOGS_STARTS_WITH, consts.SEG_DLP_FUNCTION_NAME, end - start
+ )
+ )
+ if mytimer.past_due:
+ logging.info("The timer is past due!")
+
+ logging.info("Python timer trigger function ran at %s", utc_timestamp)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastDLP/function.json b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastDLP/function.json
new file mode 100644
index 00000000000..44f02c1702c
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastDLP/function.json
@@ -0,0 +1,12 @@
+{
+ "scriptFile": "__init__.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "%Schedule%",
+ "useMonitor": true
+ }
+ ]
+}
\ No newline at end of file
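Review bot: `datetime.datetime.utcnow()` in `main` is deprecated as of Python 3.12 and returns a naive value that the following `.replace(tzinfo=datetime.timezone.utc)` only patches up; `datetime.datetime.now(datetime.timezone.utc).isoformat()` gives the same string directly and matches the form used in mimecast_dlp_to_sentinel.py in this PR. The function also mixes two loggers: the start/end lines go through `applogger`, while the past-due and "ran at" lines go through the root `logging` and so bypass the level configured in SharedCode/logger.py; route all of them through `applogger`. The `if mytimer.past_due:` check runs only after the whole ingest has completed, so the message arrives minutes late — move it to the top of `main`, where it tells the operator something about this run before the work starts.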
diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastDLP/mimecast_dlp_to_sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastDLP/mimecast_dlp_to_sentinel.py new file mode 100644 index 00000000000..670047eb269 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/MimecastDLP/mimecast_dlp_to_sentinel.py 
@@ -0,0 +1,388 @@ +"""Get mimecast data and ingest to custom table in sentinel.""" + +import inspect +import datetime +import json +import time +from ..SharedCode import consts +from ..SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from ..SharedCode.logger import applogger +from ..SharedCode.state_manager import StateManager +from ..SharedCode.utils import Utils +from ..SharedCode.sentinel import post_data +from tenacity import RetryError + + +class MimecastDLPToSentinel(Utils): + """Class for ingest dlp the data from mimecast to sentinel.""" + + def __init__(self, start_time) -> None: + """Initialize MimecastDLPToSentinel object.""" + super().__init__(consts.SEG_DLP_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"Base_Url": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"Mimecast_Client_ID": consts.MIMECAST_CLIENT_ID}, + {"Mimecast_Client_Secret": consts.MIMECAST_CLIENT_SECRET}, + ] + ) + self.authenticate_mimecast_api() + self.start = start_time + self.checkpoint_obj = StateManager( + consts.CONN_STRING, "Checkpoint-SEG-DLP", consts.FILE_SHARE_NAME + ) + + def get_mimecast_dlp_data_in_sentinel(self): + """Get mimecast data and ingest data to sentinel, initialization method.""" + __method_name = inspect.currentframe().f_code.co_name + try: + # Get from date, to date and page token from checkpoint files at start of execution + from_date, to_date, page_token = self.get_from_date_to_date_page_token() + while ( + self.iso_to_epoch_int(to_date) - self.iso_to_epoch_int(from_date) + >= consts.TIME_DIFFERENCE + ): + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise MimecastTimeoutException() + # Entry point of starting to get and ingest data to sentinel + from_date, to_date, page_token = self.get_and_ingest_data_to_sentinel( + from_date, to_date, page_token + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + 
__method_name, + self.azure_function_name, + "From and To time difference is less than 15 min, Stop execution.", + ) + ) + except MimecastTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Mimecast: 9:00 mins executed hence breaking.", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_from_date_to_date_page_token(self): + """Get the from date, to date, and page token from the checkpoint data. + + If data is not available in checkpoint file, then get the start date from user input. + If user input is not available or invalid then set from date's default value. + + Returns: + Tuple[str, str, str]: A tuple containing the from date, to date, and page token. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + checkpoint_data = self.get_checkpoint_data(self.checkpoint_obj) + + if not checkpoint_data: + from_date = self.get_start_date_of_data_fetching() + page_token = "" + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint data is not available, Start fetching data from = {}".format( + from_date + ), + ) + ) + to_date = datetime.datetime.now(datetime.timezone.utc).strftime( + consts.DATE_TIME_FORMAT + ) + else: + from_date = checkpoint_data.get("from_date") + page_token = checkpoint_data.get("page_token") + to_date = checkpoint_data.get("to_date") + + if (not page_token and from_date) or (not to_date): + to_date = datetime.datetime.now(datetime.timezone.utc).strftime( + consts.DATE_TIME_FORMAT + ) + + if not from_date: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "From date is not available in checkpoint, User has manually changed checkpoint", + ) + ) + raise MimecastException() + return from_date, to_date, page_token + except MimecastException: + raise MimecastException() + except ValueError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.VALUE_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_start_date_of_data_fetching(self): + """Retrieve the start date for data fetching. + + If no start date is provided, it calculates the start date based on a default lookup day. + If the provided start date is invalid, it will fail and raise an exception. 
+ + Returns: + str: The start date for data fetching in the format specified by consts.DATE_TIME_FORMAT. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + if not consts.START_DATE: + start_date = ( + datetime.datetime.utcnow() + - datetime.timedelta(days=consts.DEFAULT_LOOKUP_DAY) + ).strftime(consts.DATE_TIME_FORMAT) + return start_date + try: + start_date = datetime.datetime.strptime( + consts.START_DATE, "%Y-%m-%d" + ).strftime(consts.DATE_TIME_FORMAT) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Start date given by user is {}".format(start_date), + ) + ) + # * if start date is future date, raise exception + if start_date > datetime.datetime.utcnow().strftime( + consts.DATE_TIME_FORMAT + ): + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Start date given by user is future date", + ) + ) + raise MimecastException() + return start_date + except ValueError: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Start date given by user is not valid", + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_and_ingest_data_to_sentinel(self, from_date, to_date, page_token): + """Iterate through from and to dates and get mimecast data and ingest data to sentinel. + + Args: + from_date (str): The start date for data retrieval. + to_date (str): The end date for data retrieval. + page_token (str): The token for paginating through the data. + + Returns: + Tuple[str, str, str]: A tuple containing the updated start, end dates and token after data ingestion. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + temp_from = from_date + temp_to = to_date + checkpoint_data_to_post = { + "from_date": from_date, + "to_date": to_date, + "page_token": page_token, + } + page = 1 + total_ingested_data_count = 0 + while True: + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise MimecastTimeoutException() + payload = { + "meta": { + "pagination": { + "pageSize": consts.PAGE_SIZE, + "pageToken": "" if not page_token else page_token, + } + }, + "data": [{"from": from_date, "oldestFirst": True, "to": to_date}], + } + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request body = {}".format(payload), + ) + ) + url = "{}{}".format(consts.BASE_URL, consts.ENDPOINTS["SEG_DLP"]) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Fetching data for 'From datetime' = {}, 'To datetime' = {}".format( + from_date, to_date + ), + ) + ) + response = self.make_rest_call("POST", url, json=payload) + + pagination_details = response.get("meta").get("pagination") + page_token = pagination_details.get("next", "") + total_count = pagination_details.get("totalCount") + data_to_ingest = response.get("data")[0].get("dlpLogs") + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data count to ingest = {}".format(len(data_to_ingest)), + ) + ) + total_ingested_data_count += len(data_to_ingest) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Next Page token = {}, Total count = {}, Total ingested data count = {}, Page = {}".format( + page_token, + total_count, + total_ingested_data_count, + page, + ), + ) + ) + if len(data_to_ingest) > 0: + post_data(json.dumps(data_to_ingest), consts.TABLE_NAME["SEG_DLP"]) + + 
checkpoint_data_to_post.update({"page_token": page_token}) + if not page_token: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No next page token found, Breaking the loop", + ) + ) + from_date = to_date + to_date = datetime.datetime.now(datetime.timezone.utc).strftime( + consts.DATE_TIME_FORMAT + ) + checkpoint_data_to_post = { + "from_date": from_date, + "to_date": to_date, + "page_token": page_token, + } + self.post_checkpoint_data( + self.checkpoint_obj, checkpoint_data_to_post + ) + break + self.post_checkpoint_data(self.checkpoint_obj, checkpoint_data_to_post) + page += 1 + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data ingested from = {}, to = {}, Total ingested count = {}".format( + temp_from, temp_to, total_ingested_data_count + ), + ) + ) + return from_date, to_date, page_token + except MimecastTimeoutException: + raise MimecastTimeoutException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except ValueError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.VALUE_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + except TypeError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() 
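Review bot: `except MimecastException: raise MimecastException()` in `get_mimecast_dlp_data_in_sentinel`, `get_from_date_to_date_page_token`, `get_start_date_of_data_fetching` and `get_and_ingest_data_to_sentinel` replaces the caught exception with an empty new one, so its message and the traceback of the original failure are lost; a bare `raise` keeps both, and the `except Exception as err:` branches should end with `raise MimecastException() from err` so the cause stays attached after it is logged. The same pattern appears in the preceding mimecast_cg_to_sentinel.py hunk. In `get_start_date_of_data_fetching` the future-date guard uses the deprecated naive `datetime.datetime.utcnow()` while the rest of this file uses `datetime.datetime.now(datetime.timezone.utc)`; switch to the latter and put `# lexicographic comparison is valid only because both sides use the fixed DATE_TIME_FORMAT` above the `if`, since the comparison is between strings. In `get_and_ingest_data_to_sentinel`, `response.get("data")[0].get("dlpLogs")` assumes a non-empty `data` list and a present `dlpLogs` key; when either is missing the failure surfaces only as a generic IndexError/TypeError in the log, so validating the response shape once and logging the returned `meta` on a mismatch would make an API change diagnosable.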
diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/Mimecast_SEG.zip b/Solutions/Mimecast/Data Connectors/MimecastSEG/Mimecast_SEG.zip new file mode 100644 index 00000000000..51e38af47c1 Binary files /dev/null and b/Solutions/Mimecast/Data Connectors/MimecastSEG/Mimecast_SEG.zip differ diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/Mimecast_SEG_FunctionApp.json b/Solutions/Mimecast/Data Connectors/MimecastSEG/Mimecast_SEG_FunctionApp.json new file mode 100644 index 00000000000..13574873129 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/Mimecast_SEG_FunctionApp.json 
@@ -0,0 +1,131 @@ +{ + "id": "MimecastSEGAPI", + "title": "Mimecast Secure Email Gateway", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Secure Email Gateway](https://community.mimecast.com/s/article/Azure-Sentinel) allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. Mimecast products and features required: \n- Mimecast Cloud Gateway \n- Mimecast Data Leak Prevention\n ", + "graphQueries": [ + { + "metricName": "Total Cloud Gateway data received", + "legend": "Seg_Cg_CL", + "baseQuery": "Seg_Cg_CL" + }, + { + "metricName": "Total Data Leak Prevention data received", + "legend": "Seg_Dlp_CL", + "baseQuery": "Seg_Dlp_CL" + } + ], + "sampleQueries": [ + { + "description": "Seg_Cg_CL", + "query": "Seg_Cg_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Seg_Dlp_CL", + "query": "Seg_Dlp_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Seg_Cg_CL", + "lastDataReceivedQuery": "Seg_Cg_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Seg_Dlp_CL", + "lastDataReceivedQuery": "Seg_Dlp_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Seg_Cg_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Seg_Dlp_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": 
"read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "title": "Configuration:", + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)" + }, + { + "title": "", + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Deploy the Mimecast Secure Email Gateway Data Connector:", + "description": "Use this method for automated deployment of the Mimecast Secure Email Gateway Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastSEGAzureDeploy-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tSchedule (0 */30 * * * *) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tLog Level (Default: INFO) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] +} \ No newline at end of file 
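Review bot: `requiredPermissions` for `Microsoft.OperationalInsights/workspaces` sets `"delete": true` while the accompanying `permissionsDisplayText` promises only "read and write permissions on the workspace"; ingestion through the Data Collector API in sentinel.py needs no delete right, so drop `"delete": true` (or state it in the text) so the declared permissions stay at least privilege and match what is shown to the user. STEP 1 is titled "Configuration steps for the Mimecast API" but describes creating a client secret on an Azure App registration, whereas the deploy parameters in the last step and consts.py expect a Mimecast Client ID/Secret issued from the Mimecast side; the step should describe where that credential comes from. The `customs` entry requiring an owner role to register an Entra application lines up with the `Azure_Client_*` constants in consts.py, but no code in this PR that I can see consumes them — if the connector authenticates only with the workspace shared key, that requirement can be removed along with the constants.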
diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/__init__.py
new file mode 100644
index 00000000000..91361ed4c8b
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/__init__.py
@@ -0,0 +1 @@
+"""This is init file to consider SharedCode as package."""
diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/consts.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/consts.py
new file mode 100644
index 00000000000..2223b80b32a
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/consts.py
@@ -0,0 +1,86 @@ +"""Module with constants and configurations for the Mimecast integration.""" + +import os + +LOG_LEVEL = os.environ.get("LogLevel", "INFO") +LOGS_STARTS_WITH = "Mimecast" +LOG_FORMAT = "{}(method = {}) : {} : {}" + + +# *Sentinel related constants +AZURE_CLIENT_ID = os.environ.get("Azure_Client_Id", "") +AZURE_CLIENT_SECRET = os.environ.get("Azure_Client_Secret", "") +AZURE_TENANT_ID = os.environ.get("Azure_Tenant_Id", "") +WORKSPACE_KEY = os.environ.get("Workspace_Key", "") +WORKSPACE_ID = os.environ.get("Workspace_Id", "") + +# *Mimecast related constants +MIMECAST_CLIENT_ID = os.environ.get("Mimecast_Client_Id") +MIMECAST_CLIENT_SECRET = os.environ.get("Mimecast_Client_Secret") + +BASE_URL = os.environ.get("BaseURL", "https://api.services.mimecast.com") +ENDPOINTS = { + "OAUTH2": "/oauth/token", + "SEG_DLP": "/api/dlp/get-logs", + "SEG_CG": "/siem/v1/batch/events/cg", +} + +TABLE_NAME = {"SEG_DLP": "Seg_Dlp", "SEG_CG": "Seg_Cg"} +SEG_DLP_FUNCTION_NAME = "SEG_DLP" +SEG_CG_FUNCTION_NAME = "SEG_CG" + +SEG_CG_TYPES = ( + "av,delivery,internal email protect,impersonation protect,journal,process,receipt,attachment protect," + "spam,url protect" +) +FILE_PREFIX_MC_TYPE = { + "av": "email_antivirus", + "delivery": "email_delivery", + "internal email protect": "email_iep", + "impersonation protect": "email_ttp_impersonation", + "journal": "email_journal", + "process": "email_process", + "receipt": "email_receipt", + "attachment protect": "email_ttp_ap", + "spam": "email_spam", + "url protect": "email_ttp_url", +} +# *Error Messages for Exception +UNEXPECTED_ERROR_MSG = "Unexpected error : Error-{}" +UNEXPECTED_ERROR_TASK_MSG = "Unexpected error : Error-{}, task = {}" +HTTP_ERROR_MSG = "HTTP error : Error-{}" +REQUEST_ERROR_MSG = "Request error : Error-{}" +CONNECTION_ERROR_MSG = "Connection error : Error-{}" +KEY_ERROR_MSG = "Key error : Error-{}" +TYPE_ERROR_MSG = "Type error : Error-{}" +VALUE_ERROR_MSG = "Value error : Error-{}" 
+JSON_DECODE_ERROR_MSG = "JSONDecode error : Error-{}"
+CLIENT_ERROR_MSG = "Client error : Error-{}"
+TIME_OUT_ERROR_MSG = "Timeout error : Error-{}"
+MAX_RETRY_ERROR_MSG = "Max retries exceeded : {} Last exception: {}"
+
+
+# *checkpoint related constants
+CONN_STRING = os.environ.get("Connection_String")
+FILE_SHARE_NAME = os.environ.get("File_Share_Name", "mimecast-checkpoints")
+START_DATE = os.environ.get("Start_Date")
+
+# *Extra constants
+DATE_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
+MAX_FILE_SIZE = 20 * 1024 * 1024
+MAX_CHUNK_SIZE = 1024 * 1024
+MAX_RETRIES = 5
+MAX_RETRIES_ASYNC = 2
+PAGE_SIZE = 500
+DEFAULT_LOOKUP_DAY = 60
+FUNCTION_APP_TIMEOUT_SECONDS = 540
+TIME_DIFFERENCE = 900
+ASYNC_PAGE_SIZE = 10
+SENTINEL_RETRY_COUNT = 5
+MAX_TIMEOUT_SENTINEL = 120
+INGESTION_ERROR_SLEEP_TIME = 30
+EXCEPTION_STATUS_CODE = [400, 403, 409]
+RETRY_STATUS_CODE = [429, 500, 503, 502, 509]
+MAX_SLEEP_TIME = 30
+MIN_SLEEP_TIME = 5
+BACKOFF_MULTIPLIER = 2
diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/logger.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/logger.py
new file mode 100644
index 00000000000..3bcac77b9e4
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/logger.py
@@ -0,0 +1,23 @@
+"""Handle the logger."""
+
+import logging
+import sys
+from . import consts
+
+log_level = consts.LOG_LEVEL
+
+LOG_LEVELS = {
+ "DEBUG": logging.DEBUG,
+ "INFO": logging.INFO,
+ "WARNING": logging.WARNING,
+ "ERROR": logging.ERROR,
+}
+
+try:
+ applogger = logging.getLogger("azure")
+ applogger.setLevel(LOG_LEVELS.get(log_level.upper(), logging.INFO))
+except Exception:
+ applogger.setLevel(logging.INFO)
+finally:
+ handler = logging.StreamHandler(stream=sys.stdout)
+ applogger.addHandler(handler)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/mimecast_exception.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/mimecast_exception.py
new file mode 100644
index 00000000000..53c1f7257f8
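Review bot: `WORKSPACE_KEY` and `WORKSPACE_ID` default to `""` while `MIMECAST_CLIENT_ID`, `MIMECAST_CLIENT_SECRET` and `CONN_STRING` default to `None`; both are falsy, so the `check_environment_var_exist` call in the DLP hunk presumably treats them alike, but `build_signature` in sentinel.py base64-decodes `WORKSPACE_KEY` without its own guard, and one consistent default (`None`, surfacing a clear error) documents the intent better than two. The environment name `BaseURL` breaks the `Snake_Case` convention of every other variable here (`Workspace_Id`, `Mimecast_Client_Id`) and the DLP connector labels it `Base_Url` in its environment check; if the deployment template really sets `BaseURL`, add `# name must match the app setting written by the ARM template` so nobody "fixes" it later. `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` and `AZURE_TENANT_ID` are read but consumed by nothing visible in this PR — remove them or add a comment naming the consumer.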
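Review bot: The `except Exception:` branch calls `applogger.setLevel(logging.INFO)` on a name that is bound only inside the `try`, so if `logging.getLogger` ever raised the handler would itself fail with `NameError`; since `getLogger` does not raise in practice, the `try/except/finally` can be reduced to three straight-line statements. Configuring the level and a stdout handler on the logger named `"azure"` also applies to the Azure SDK's own loggers, which live under `azure.*` and inherit from it, so `LogLevel=DEBUG` may turn on SDK-internal request/response logging and duplicate output the Functions host already captures. Scoping the connector's logging to a dedicated name such as `logging.getLogger("mimecast")` avoids that coupling; if the `"azure"` name is intentional, say so with `# "azure" is the logger the Functions host forwards to App Insights`.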
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/mimecast_exception.py
@@ -0,0 +1,25 @@
+"""This File contains custom Exception class for Mimecast."""
+
+
+class MimecastException(Exception):
+ """Exception class to handle Mimecast exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Mimecast exception with custom message."""
+ super().__init__(message)
+
+
+class MimecastTimeoutException(Exception):
+ """Exception class to handle Mimecast exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Mimecast exception with custom message."""
+ super().__init__(message)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/sentinel.py
new file mode 100644
index 00000000000..face441d3e0
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/sentinel.py
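Review bot: The `MimecastTimeoutException` docstring is a verbatim copy of `MimecastException`'s ("Exception class to handle Mimecast exception"), and neither `Args:` block is accurate — `Exception (string)` is the base class, not a parameter. Document the actual contract: for `MimecastTimeoutException`, `"""Raised when the run reaches FUNCTION_APP_TIMEOUT_SECONDS; callers catch it and return normally so the next timer run resumes from the checkpoint."""`, which is how `get_mimecast_dlp_data_in_sentinel` in this PR treats it, and for both classes an `Args: message (str, optional): detail for the log line.` entry. Both `__init__` overrides only forward to `super().__init__(message)`, which `Exception` already does, so they can be dropped together with their docstrings.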
@@ -0,0 +1,427 @@ +"""This file contains methods for creating microsoft custom log table.""" + +import base64 +import requests +import hashlib +import hmac +import inspect +import datetime +import time +import aiohttp +from .logger import applogger +from .mimecast_exception import MimecastException +from . import consts +from .state_manager import StateManager +from urllib3.exceptions import NameResolutionError + + +def build_signature( + date, + content_length, + method, + content_type, + resource, +): + """To build signature which is required in header.""" + x_headers = "x-ms-date:" + date + string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource + bytes_to_hash = bytes(string_to_hash, encoding="utf-8") + decoded_key = base64.b64decode(consts.WORKSPACE_KEY) + encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode() + authorization = "SharedKey {}:{}".format(consts.WORKSPACE_ID, encoded_hash) + + return authorization + + +def post_data(body, log_type): + """Build and send a request to the POST API. + + Args: + body (str): Data to post into Sentinel log analytics workspace + log_type (str): Custom log table name in which data wil be added. + + Returns: + status_code: Returns the response status code got while posting data to sentinel. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") + content_length = len(body) + try: + signature = build_signature( + rfc1123date, + content_length, + method, + content_type, + resource, + ) + except Exception as err: + applogger.error( + "{}(method={}) : Error in build signature-{}".format( + consts.LOGS_STARTS_WITH, + __method_name, + err, + ) + ) + raise MimecastException() + uri = "https://" + consts.WORKSPACE_ID + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01" + + headers = { + "content-type": content_type, + "Authorization": signature, + "Log-Type": log_type, + "x-ms-date": rfc1123date, + } + retry_count = 0 + while retry_count < consts.SENTINEL_RETRY_COUNT: + try: + + response = requests.post(uri, data=body, headers=headers, timeout=consts.MAX_TIMEOUT_SENTINEL) + + result = handle_response(response, body, log_type, async_call=False) + + if result is not False: + return result + retry_count += 1 + continue + except requests.exceptions.ConnectionError as error: + try: + if isinstance(error.args[0].reason, NameResolutionError): + applogger.error( + "{}(method={}) : {} : Workspace ID is wrong: {}, Sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except Exception as unknown_connect_error: + applogger.error( + "{}(method={}) : {} : Unknown Error in ConnectionError: {}, Sleeping for {} seconds." 
+ " and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + unknown_connect_error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + applogger.error( + "{}(method={}) : {} : Unknown Connection Error, sleeping for {} seconds and retrying.." + "Error - {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + consts.INGESTION_ERROR_SLEEP_TIME, + error, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.exceptions.Timeout as error: + applogger.error( + "{}(method={}) : {} : sleeping - {} seconds and retrying.. Timeout Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + consts.INGESTION_ERROR_SLEEP_TIME, + error, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.RequestException as error: + applogger.error( + "{}(method={}) : {} : Request Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + ) + ) + raise MimecastException() + applogger.error( + "{}(method={}) : {} : Maximum Retry count of {} exceeded, hence stopping execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + consts.SENTINEL_RETRY_COUNT, + ) + ) + raise MimecastException() + + +async def post_data_async(index, body, session: aiohttp.ClientSession, log_type): + """Build and send a request to the POST API. + + Args: + body (str): Data to post into Sentinel log analytics workspace + log_type (str): Custom log table name in which data wil be added. + + Returns: + status_code: Returns the response status code got while posting data to sentinel. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") + content_length = len(body) + try: + signature = build_signature( + rfc1123date, + content_length, + method, + content_type, + resource, + ) + except Exception as err: + applogger.error( + "{}(method={}) : Error in build signature-{} for task = {}".format( + consts.LOGS_STARTS_WITH, __method_name, err, index + ) + ) + raise MimecastException() + uri = "https://" + consts.WORKSPACE_ID + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01" + + headers = { + "content-type": content_type, + "Authorization": signature, + "Log-Type": log_type, + "x-ms-date": rfc1123date, + } + retry_count = 0 + while retry_count < consts.SENTINEL_RETRY_COUNT: + try: + + response = await session.post(uri, data=body, headers=headers, timeout=consts.MAX_TIMEOUT_SENTINEL) + + result = handle_response(response, body, log_type, async_call=True) + + if result is not False: + return result + retry_count += 1 + continue + except requests.exceptions.ConnectionError as error: + try: + if isinstance(error.args[0].reason, NameResolutionError): + applogger.error( + "{}(method={}) : {} : Workspace ID is wrong: {}, Sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except Exception as unknown_connect_error: + applogger.error( + "{}(method={}) : {} : Unknown Error in ConnectionError: {}, Sleeping for {} seconds." 
+ " and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + unknown_connect_error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + applogger.error( + "{}(method={}) : {} : Unknown Connection Error, sleeping for {} seconds and retrying.." + "Error - {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + consts.INGESTION_ERROR_SLEEP_TIME, + error, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.exceptions.Timeout as error: + applogger.error( + "{}(method={}) : {} : sleeping - {} seconds and retrying.. Timeout Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + consts.INGESTION_ERROR_SLEEP_TIME, + error, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.RequestException as error: + applogger.error( + "{}(method={}) : {} : Request Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + ) + ) + raise MimecastException() + applogger.error( + "{}(method={}) : {} : Maximum Retry count of {} exceeded, hence stopping execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + consts.SENTINEL_RETRY_COUNT, + ) + ) + raise MimecastException() + + +def handle_response(response, body, log_type, async_call=True): + """Handle the response from Azure Sentinel.""" + try: + __method_name = inspect.currentframe().f_code.co_name + + if async_call is False: + response_code = response.status_code + else: + response_code = response.status + + if response_code >= 200 and response_code <= 299: + applogger.debug( + "{}(method={}) : Status_code: 
{} Accepted: Data Posted Successfully to azure sentinel.".format( + consts.LOGS_STARTS_WITH, + __method_name, + response_code, + ) + ) + return response_code + elif response_code == 400: + applogger.error( + "{}(method={}) : {} : Response code: {} from posting data to log analytics. Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response_code, + response.text, + ) + ) + curent_corrupt_data_obj = StateManager( + consts.CONN_STRING, + "{}-Ingest-To-Sentinel-Corrupt_{}".format(log_type, str(int(time.time()))), + consts.FILE_SHARE_NAME, + ) + curent_corrupt_data_obj.post(body) + raise MimecastException() + elif response_code == 403: + applogger.error( + "{}(method={}) : {} : Response code :{} Error occurred for build signature: Response: {} ." + " Issue with WorkspaceKey ,Kindly verify your WorkspaceKey".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response_code, + response.text, + ) + ) + raise MimecastException() + elif response_code == 429: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Too many request: Response: {} . " + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + elif response_code == 500: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Internal Server Error: Response: {} . " + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + elif response_code == 503: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Service Unavailable: Response: {} . 
" + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + applogger.error( + "{}(method={}) : {} : Response code: {} from posting data to log analytics. Response: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response_code, + response.text, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/state_manager.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/state_manager.py new file mode 100644 index 00000000000..0bfe9819ce1 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/state_manager.py 
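Review bot: The retry loop in `post_data_async` never retries on network failures, because it awaits aiohttp's `session.post` but catches `requests.exceptions.ConnectionError` and `requests.exceptions.Timeout`, which aiohttp does not raise; an `aiohttp.ClientConnectionError` or `asyncio.TimeoutError` falls straight through to the generic `except Exception` and raises `MimecastException` on the first attempt, so the clauses should be `except aiohttp.ClientConnectionError` and `except asyncio.TimeoutError` (asyncio is not imported in this file). The same loop, and the 429/500/503 branches of `handle_response` it calls, use `time.sleep(...)`, which blocks the event loop for every concurrent task on the async path and should be `await asyncio.sleep(...)` there. `handle_response` also formats `response.text` when `async_call` is True, but on an aiohttp response `.text` is an async method, so the logged value is the bound method rather than the body. Separately, `build_signature` is given `content_length = len(body)`, a character count; if `body` contains non-ASCII characters the Content-Length actually transmitted is most likely the UTF-8 byte length, the HMAC then covers a different string than the request, and the workspace rejects it with 403, which this code misreports as a bad WorkspaceKey, so `len(body.encode("utf-8"))` is the safer value in both `post_data` and `post_data_async`.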
@@ -0,0 +1,69 @@
+"""This module will help to save file to state manager."""
+
+from azure.storage.fileshare import ShareClient
+from azure.storage.fileshare import ShareFileClient
+from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError
+
+
+class StateManager:
+ """State manager class for specific operation.
+
+ This class will help to manage the state of the operation
+ by saving and getting data from Azure Storage.
+
+ Args:
+ connection_string (str): Azure Storage connection string.
+ file_path (str): File path on the share.
+ share_name (str): Name of the share.
+ """
+
+ def __init__(self, connection_string, file_path, share_name):
+ """Initialize the share_cli and file_cli."""
+ self.share_cli = ShareClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name
+ )
+ self.file_cli = ShareFileClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name, file_path=file_path
+ )
+
+ def post(self, marker_text: str):
+ """Post method for posting the data to Azure Storage.
+
+ This method will upload the given text to the
+ Azure Storage as a file.
+
+ Args:
+ marker_text (str): String to be saved in the file.
+ """
+ try:
+ self.file_cli.upload_file(marker_text)
+ except ResourceNotFoundError:
+ try:
+ self.share_cli.create_share()
+ self.file_cli.upload_file(marker_text)
+ except ResourceExistsError:
+ self.file_cli.upload_file(marker_text)
+
+ def get(self):
+ """Get method for getting the data from Azure Storage.
+
+ This method will download the file from Azure Storage
+ and return the contents as a string.
+
+ Returns:
+ str: The contents of the file.
+ """
+ try:
+ return self.file_cli.download_file().readall().decode()
+ except ResourceNotFoundError:
+ return None
+
+ def delete(self):
+ """Delete method for deleting the data from Azure Storage.
+
+ This method will delete the file from Azure Storage.
+ """
+ try:
+ self.file_cli.delete_file()
+ except ResourceNotFoundError:
+ raise ResourceNotFoundError("File not found to be deleted.")
diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/utils.py b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/utils.py
new file mode 100644
index 00000000000..0ccabaeed73
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/SharedCode/utils.py
@@ -0,0 +1,720 @@ +"""Utils File.""" + +import inspect +import requests +import json +from json.decoder import JSONDecodeError +import datetime +from .state_manager import StateManager +from .mimecast_exception import MimecastException +from .logger import applogger +from . import consts +from tenacity import ( + retry, + stop_after_attempt, + wait_exponential, + retry_if_exception_type, + retry_if_result, + retry_any, + RetryError, +) +from requests.exceptions import ConnectionError + + +def retry_on_status_code(response): + """Check and retry based on a list of status codes. + + Args: + response (): API response is passed + + Returns: + Bool: if given status code is in list then true else false + """ + __method_name = inspect.currentframe().f_code.co_name + if isinstance(response, dict): + return False + if response.status_code in consts.RETRY_STATUS_CODE: + applogger.info( + "{}(method={}) : Retrying due to status code : {}".format( + consts.LOGS_STARTS_WITH, __method_name, response.status_code + ) + ) + return True + return False + + +class Utils: + """Utils Class.""" + + def __init__(self, azure_function_name) -> None: + """Init Function.""" + self.azure_function_name = azure_function_name + self.log_format = consts.LOG_FORMAT + self.headers = {} + + def check_environment_var_exist(self, environment_var): + """Check the existence of required environment variables. + + Logs the validation process and completion. Raises MimecastException if any required field is missing. 
+ + Args: + environment_var(list) : variables to check for existence + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validating Environment Variables", + ) + ) + missing_required_field = False + for var in environment_var: + key, val = next(iter(var.items())) + if not val: + missing_required_field = True + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Environment variable {} is not set".format(key), + ) + ) + if missing_required_field: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation failed", + ) + ) + raise MimecastException() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation Complete", + ) + ) + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_checkpoint_data(self, checkpoint_obj: StateManager, load_flag=True): + """Get checkpoint data from a StateManager object. + + Args: + checkpoint_obj (StateManager): The StateManager object to retrieve checkpoint data from. + load_flag (bool): A flag indicating whether to load the data as JSON (default is True). + + Returns: + The retrieved checkpoint data. 
+ + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Fetching checkpoint data", + ) + ) + checkpoint_data = checkpoint_obj.get() + if load_flag and checkpoint_data: + checkpoint_data = json.loads(checkpoint_data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint data = {}".format(checkpoint_data), + ) + ) + return checkpoint_data + except json.decoder.JSONDecodeError as json_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format(json_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def post_checkpoint_data(self, checkpoint_obj: StateManager, data, dump_flag=True): + """Post checkpoint data. + + It post the data to a checkpoint object based on the dump_flag parameter. + + Args: + checkpoint_obj (StateManager): The StateManager object to post data to. + data: The data to be posted. + dump_flag (bool): A flag indicating whether to dump the data as JSON before posting (default is True). 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting checkpoint data = {}".format(data), + ) + ) + if dump_flag: + checkpoint_obj.post(json.dumps(data)) + else: + checkpoint_obj.post(data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data posted to azure storage", + ) + ) + except TypeError as type_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(type_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + @retry( + stop=stop_after_attempt(consts.MAX_RETRIES), + wait=wait_exponential( + multiplier=consts.BACKOFF_MULTIPLIER, + min=consts.MIN_SLEEP_TIME, + max=consts.MAX_SLEEP_TIME, + ), + retry=retry_any( + retry_if_result(retry_on_status_code), + retry_if_exception_type(ConnectionError), + ), + before_sleep=lambda retry_state: applogger.error( + "{}(method = {}) : Retring after {} secends, attempt number: {} ".format( + consts.LOGS_STARTS_WITH, + " Retry Decorator", + retry_state.upcoming_sleep, + retry_state.attempt_number, + ) + ), + ) + def make_rest_call( + self, method, url, params=None, data=None, json=None, check_retry=True + ): + """Make a rest call. + + Args: + url (str): The URL to make the call to. + method (str): The HTTP method to use for the call. + params (dict, optional): The parameters to pass in the call (default is None). + data (dict, optional): The body(in x-www-form-urlencoded formate) of the request (default is None). + json (dict, optional): The body(in row formate) of the request (default is None). 
+ check_retry (bool, optional): A flag indicating whether to check for retry (default is True). + + Returns: + dict: The JSON response if the call is successful. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Rest Call, Method :{}, url: {}".format(method, url), + ) + ) + + response = requests.request( + method, + url, + headers=self.headers, + params=params, + data=data, + json=json, + timeout=consts.MAX_TIMEOUT_SENTINEL, + ) + + if response.status_code >= 200 and response.status_code <= 299: + response_json = response.json() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Success, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_success(response_json) + return response_json + elif response.status_code == 400: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Bad Request = {}, Status code : {}".format( + response.text, response.status_code + ), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 401: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unauthorized, Status code : {}".format(response.status_code), + ) + ) + response_json = response.json() + fail_json = response_json.get("fail", []) + error_code = None + error_message = None + if fail_json: + error_code = fail_json[0].get("code") + error_message = fail_json[0].get("message") + if check_retry: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating new token, Error message = {}, Error code = {}".format( + error_message, error_code + ), + ) + ) + check_retry = False + 
self.authenticate_mimecast_api(check_retry) + return self.make_rest_call( + method, url, params, data, json, check_retry + ) + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retry reached for generating access token," + "Error message = {}, Error code = {}".format( + error_message, error_code + ), + ) + ) + raise MimecastException() + elif response.status_code == 403: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Forbidden, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 404: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Not Found, URL : {}, Status code : {}".format( + url, response.status_code + ), + ) + ) + raise MimecastException() + elif response.status_code == 409: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Conflict, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 429: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Too Many Requests, Status code : {} ".format( + response.status_code + ), + ) + ) + return response + elif response.status_code == 500: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Internal Server Error, Status code : {}".format( + response.status_code + ), + ) + ) + return self.handle_failed_response_for_failure(response) + elif response.status_code == 502: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Issue with a downstream service , Status code : 
{}".format( + response.status_code + ), + ) + ) + return self.handle_failed_response_for_failure(response) + elif response.status_code == 504: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Timeout from a downstream service, Status code : {}".format( + response.status_code + ), + ) + ) + return self.handle_failed_response_for_failure(response) + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unexpected Error = {}, Status code : {}".format( + response.text, response.status_code + ), + ) + ) + raise MimecastException() + + except MimecastException: + raise MimecastException() + except requests.exceptions.Timeout as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TIME_OUT_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except JSONDecodeError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format( + "{}, API Response = {}".format(error, response.text) + ), + ) + ) + raise MimecastException() + except requests.ConnectionError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.CONNECTION_ERROR_MSG.format(error), + ) + ) + raise ConnectionError() + except requests.RequestException as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.REQUEST_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def 
handle_failed_response_for_failure(self, response): + """Handle the failed response for failure status codes. + + If request get authentication error it will regenerate the access token. + + Args: + response_json (dict): The JSON response from the API. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + response_json = response.json() + error_message = response_json + fail_json = response_json.get("fail", []) + error_json = response_json.get("error") + if fail_json: + error_message = fail_json[0].get("message") + elif error_json: + error_message = error_json.get("message") + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error_message, + ) + ) + if response.status_code in consts.EXCEPTION_STATUS_CODE: + raise MimecastException() + + return response + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def handle_failed_response_for_success(self, response_json): + """Handle the failed response for a successful request. + + Check if there is failure in success response or not. + + Args: + response_json (dict): The JSON response from the request. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + fail_json = response_json.get("fail", []) + if fail_json: + try: + error_message = fail_json[0].get("errors")[0].get("message") + except (KeyError, IndexError, ValueError, TypeError): + error_message = fail_json + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Failed response message = {}".format(error_message), + ) + ) + raise MimecastException() + else: + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No failed response found", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def authenticate_mimecast_api(self, check_retry=True): + """Authenticate mimecast endpoint generate access token and update header. + + Args: + check_retry (bool): Flag for retry of generating access token. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + body = { + "client_id": consts.MIMECAST_CLIENT_ID, + "client_secret": consts.MIMECAST_CLIENT_SECRET, + "grant_type": "client_credentials", + } + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating access token", + ) + ) + self.headers = {} + url = "{}{}".format(consts.BASE_URL, consts.ENDPOINTS["OAUTH2"]) + response = self.make_rest_call( + method="POST", url=url, data=body, check_retry=check_retry + ) + if "access_token" in response: + access_token = response.get("access_token") + self.headers.update( + { + "Content-Type": "application/json", + "Authorization": "Bearer {}".format(access_token), + } + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Successfully generated access token and header updated", + ) + ) + return + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error occurred while fetching the access token from the response = {}".format( + response + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def 
iso_to_epoch_int(self, date_time): + """Convert an ISO formatted date and time string to epoch time. + + Args: + date_time (str): The input date and time string in the format "%Y-%m-%dT%H:%M:%SZ" + + Returns: + int: The epoch time as a integer. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + date_time_obj = datetime.datetime.strptime( + date_time, consts.DATE_TIME_FORMAT + ) + epoch_time = date_time_obj.timestamp() + return epoch_time + except TypeError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except ValueError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.VALUE_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/azuredeploy_Connector_MimecastSEG_AzureFunction.json b/Solutions/Mimecast/Data Connectors/MimecastSEG/azuredeploy_Connector_MimecastSEG_AzureFunction.json new file mode 100644 index 00000000000..595b149face --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/azuredeploy_Connector_MimecastSEG_AzureFunction.json 
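Review bot: `iso_to_epoch_int` parses a `...Z` (UTC) timestamp into a naive `datetime` and then calls `.timestamp()`, which treats a naive value as local time; on any host whose timezone is not UTC the epoch is shifted by the local offset, which would move the checkpoint/lookback window and either re-ingest or silently skip events. The fix is to pin the zone before converting, `datetime.datetime.strptime(date_time, consts.DATE_TIME_FORMAT).replace(tzinfo=datetime.timezone.utc).timestamp()`, and since the name promises an int while `.timestamp()` returns a float, wrap it in `int(...)` if callers rely on that. `get_checkpoint_data` and `post_checkpoint_data` also log the entire checkpoint payload at INFO (`"Checkpoint data = {}"`, `"Posting checkpoint data = {}"`); what the checkpoint contains is not visible here, but if it ever carries pagination tokens or similar state this ships them to Application Insights, so logging only the keys or the size would be safer. Finally, `make_rest_call` returns the raw response for 500/502/504 (through `handle_failed_response_for_failure`) so the tenacity decorator retries them, but 503 and 509, which `consts.RETRY_STATUS_CODE` lists as retryable, have no branch and fall through to the final "Unexpected Error" path that raises `MimecastException` on the first attempt.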
@@ -0,0 +1,259 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "FunctionName": { + "defaultValue": "MimecastSEG", + "minLength": 1, + "maxLength": 11, + "type": "string" + }, + "WorkspaceID": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Workspace ID of Log Analytics workspace" + } + }, + "WorkspaceKey": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Workspace Key of Log Analytics workspace" + } + }, + "MimecastBaseURL": { + "defaultValue": "https://api.services.mimecast.com", + "type": "string", + "metadata": { + "description": "Enter Base URL of Mimecast API 2.0 (e.g. https://api.services.mimecast.com)" + } + }, + "MimecastClientID": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Mimecast Client ID for authentication" + } + }, + "MimecastClientSecret": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Mimecast Client Secret for authentication" + } + }, + "StartDate": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Enter the start date in the 'yyyy-mm-dd' format. If you do not provide a date, data from the last 60 days will be fetched automatically. Ensure that the date is in the past and properly formatted" + } + }, + "Schedule": { + "type": "string", + "minLength": 11, + "defaultValue": "0 */30 * * * *", + "metadata": { + "description": "Please enter a valid Quartz cron-expression. (Example: 0 0 0 * * *)\n\nDo not keep the value empty, minimum value is 10 minutes" + } + }, + "LogLevel": { + "type": "string", + "metadata": { + "description": "Please add log level or log severity value. 
By default it is set to INFO" + }, + "allowedValues": [ + "Debug", + "Info", + "Error", + "Warning" + ], + "defaultValue": "Info" + }, + "AppInsightsWorkspaceResourceID": { + "type": "string", + "metadata": { + "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'" + } + } + }, + "variables": { + "FunctionName": "[concat(toLower(trim(parameters('FunctionName'))), uniqueString(resourceGroup().id))]", + "StorageSuffix": "[environment().suffixes.storage]", + "LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(trim(parameters('WorkspaceID'))), '.ods.opinsights'))]" + }, + "resources": [ + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "kind": "web", + "properties": { + "Application_Type": "web", + "ApplicationId": "[variables('FunctionName')]", + "WorkspaceResourceId": "[trim(parameters('AppInsightsWorkspaceResourceID'))]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[tolower(variables('FunctionName'))]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Allow" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + } + } + }, + { + "type": 
"Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": false + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + } + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]", + "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]" + ], + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "name": "[variables('FunctionName')]", + "httpsOnly": true, + "clientAffinityEnabled": true, + "alwaysOn": true, + "reserved": true, + "siteConfig": { + "linuxFxVersion": "python|3.11" + } + }, + "resources": [ + { + "apiVersion": "2018-11-01", + "type": "config", + "name": "appsettings", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', variables('FunctionName'))]" + ], + "properties": { + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "python", + "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]", + "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', 
variables('FunctionName')), '2015-05-01').ConnectionString]", + "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "logAnalyticsUri": "[variables('LogAnaltyicsUri')]", + "Workspace_Id": "[trim(parameters('WorkspaceID'))]", + "Workspace_Key": "[trim(parameters('WorkspaceKey'))]", + "BaseURL": "[trim(parameters('MimecastBaseURL'))]", + "Mimecast_Client_Id": "[trim(parameters('MimecastClientID'))]", + "Mimecast_Client_Secret": "[trim(parameters('MimecastClientSecret'))]", + "File_Share_Name": "mimecast-checkpoints", + "Schedule": "[trim(parameters('Schedule'))]", + "Start_Date": "[trim(parameters('StartDate'))]", + "LogLevel": "[trim(parameters('LogLevel'))]", + "Connection_String": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-Mimecast_SEG-functionapp" + } + } + ] + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-secrets')]", + "dependsOn": [ + 
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices/shares", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "shareQuota": 5120 + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/host.json b/Solutions/Mimecast/Data Connectors/MimecastSEG/host.json new file mode 100644 index 00000000000..a3057b371a1 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/host.json @@ -0,0 +1,23 @@ +{ + "version": "2.0", + "functionTimeout": "00:10:00", + "logging": { + "applicationInsights": { + "samplingSettings": { + "isEnabled": true, + "excludedTypes": "Request" + } + }, + "logLevel": { + "default": "Trace", + "Host.Results": "Trace", + "Function": "Trace", + "Host.Aggregator": "Trace" + }, + "fileLoggingMode": "always" + }, + "extensionBundle": { + "id": "Microsoft.Azure.Functions.ExtensionBundle", + "version": "[4.*, 5.0.0)" + } +} \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastSEG/requirements.txt b/Solutions/Mimecast/Data Connectors/MimecastSEG/requirements.txt new file mode 100644 index 00000000000..c1afa26574b --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastSEG/requirements.txt 
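Review bot: The `Microsoft.Storage/storageAccounts` resource sets `"defaultAction": "Allow"` with empty `ipRules`/`virtualNetworkRules` and sets neither `minimumTlsVersion` nor `allowBlobPublicAccess`, although this account hosts the `azure-webjobs-secrets` container and the checkpoint file share. Adding `"minimumTlsVersion": "TLS1_2"` and `"allowBlobPublicAccess": false` next to `"supportsHttpsTrafficOnly": true` closes the gap; both properties are available in the `2019-06-01` API version the resource already declares. Separately, `Workspace_Key` and `Mimecast_Client_Secret` arrive as `securestring` parameters but are written into plain app settings, readable to anyone with read access to the site configuration; a Key Vault reference is the usual mitigation for a shipped connector. The `AppInsightsWorkspaceResourceID` description also misspells "February".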
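Review bot: `host.json` sets every `logLevel` category (`default`, `Host.Results`, `Function`, `Host.Aggregator`) to `Trace` and `fileLoggingMode` to `always`, which is a diagnostic configuration rather than a shipping one and drives Application Insights volume and cost even with sampling enabled. The `LogLevel` app setting exposed by the template presumably only governs the connector's own `applogger`, so this host filter is what decides how much reaches Application Insights. `"default": "Information"` with `"fileLoggingMode": "debugOnly"` is the conventional baseline; keep `Trace` only for the category someone actually needs while diagnosing an issue.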
@@ -0,0 +1,10 @@ +# DO NOT include azure-functions-worker in this file +# The Python Worker is managed by Azure Functions platform +# Manually managing azure-functions-worker may cause unexpected issues + +azure-functions +requests +azure-storage-file-share==12.15.0 +aiohttp +tenacity +asyncio \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/__init__.py new file mode 100644 index 00000000000..3331b61210e --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/__init__.py 
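Review bot: The `asyncio` line installs the PyPI distribution of that name, a years-old backport unrelated to the standard-library module the code actually imports; it adds an unmaintained third-party package to the function image for no benefit and should be removed. Only `azure-storage-file-share` is pinned, so `requests`, `aiohttp`, `tenacity` and `azure-functions` float to whatever is current at deploy time; pinning them (ideally with hashes) gives reproducible builds and a reviewable upgrade path. The comment block about `azure-functions-worker` is the standard template text and is fine to keep.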
@@ -0,0 +1,47 @@ +"""This is init file for TTP Attachment.""" + +import datetime +import logging +import azure.functions as func +from SharedCode.logger import applogger +from SharedCode import consts +from MimecastTTPAttachment.mimecast_ttp_attachment import MimecastTTPAttachment +import time + + +log_format = consts.LOG_FORMAT + + +def main(mytimer: func.TimerRequest) -> None: + """Run the main logic of the Function App triggered by a timer.""" + utc_timestamp = ( + datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + ) + start = time.time() + applogger.info( + "{} : {}, Function App started at {}".format( + consts.LOGS_STARTS_WITH, + consts.TTP_ATTACHMENT_FUNCTION_NAME, + datetime.datetime.fromtimestamp(start), + ) + ) + mimecastttpattachment = MimecastTTPAttachment(int(start)) + mimecastttpattachment.get_mimecast_ttp_attachment_data_in_sentinel() + end = time.time() + + applogger.info( + "{} : {}, Function App ended at {}".format( + consts.LOGS_STARTS_WITH, + consts.TTP_ATTACHMENT_FUNCTION_NAME, + datetime.datetime.fromtimestamp(end), + ) + ) + applogger.info( + "{} : {}, Total time taken = {}".format( + consts.LOGS_STARTS_WITH, consts.TTP_ATTACHMENT_FUNCTION_NAME, end - start + ) + ) + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/function.json b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/function.json new file mode 100644 index 00000000000..36c1449c9e1 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/function.json @@ -0,0 +1,11 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "%Schedule%" + } + ] +} \ No newline at end of file 
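Review bot: `main` builds `utc_timestamp` with `datetime.datetime.utcnow()`, which is deprecated from Python 3.12 and inconsistent with the `datetime.datetime.now(datetime.timezone.utc)` form used elsewhere in this change; `utc_timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat()` is the direct replacement. The same `main` body appears verbatim, apart from the collector class and its function-name constant, in the TTP Impersonation and TTP URL `__init__.py` files added by this commit; a shared runner in `SharedCode` taking the class and the name constant would remove the triplication. The past-due check and the two `logging.info` calls also bypass `applogger`, so those lines land in a different logger than the rest of the run.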
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/mimecast_ttp_attachment.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/mimecast_ttp_attachment.py new file mode 100644 index 00000000000..4dee0df65e3 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/mimecast_ttp_attachment.py 
@@ -0,0 +1,252 @@ +"""Get Mimecast TTP Attachment Data and Ingest into Sentinel.""" + +from SharedCode.utils import Utils +from SharedCode.logger import applogger +from SharedCode import consts +from SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from SharedCode.state_manager import StateManager +from SharedCode.sentinel import post_data +import inspect +import json +import datetime +import time +from tenacity import RetryError + + +file_path = "mimecastttpattachment" + + +class MimecastTTPAttachment(Utils): + """Mimecast TTP Attachment Class.""" + + def __init__(self, start_time) -> None: + """Initialize the MimecastTTPAttachment class. + + Args: + start(int): The starting time for the timer trigger. + """ + super().__init__(consts.TTP_ATTACHMENT_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"File_Share_Name": consts.FILE_SHARE_NAME}, + {"Base_Url": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"Mimecast_Client_ID": consts.MIMECAST_CLIENT_ID}, + {"Mimecast_Client_Secret": consts.MIMECAST_CLIENT_SECRET}, + ] + ) + self.authenticate_mimecast_api() + self.start = start_time + self.checkpoint_obj = StateManager( + consts.CONN_STRING, file_path, consts.FILE_SHARE_NAME + ) + + def get_mimecast_ttp_attachment_data_in_sentinel(self): + """Get the TTP Attachment Data from Mimecast.""" + __method_name = inspect.currentframe().f_code.co_name + try: + # Get from date, to date and page token from checkpoint files at start of execution + from_date, to_date, page_token = self.get_from_date_to_date_page_token( + self.checkpoint_obj + ) + while ( + self.iso_to_epoch_int(to_date) - self.iso_to_epoch_int(from_date) + >= consts.TIME_DIFFERENCE + ): + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise MimecastTimeoutException() + # Entry point of starting to get and ingest data to sentinel + from_date, to_date = self.get_and_ingest_data_to_sentinel( + 
from_date, to_date, page_token + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "From and To time difference is less than 15 min, Stop execution.", + ) + ) + except MimecastTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Mimecast: 9:30 mins executed hence breaking.", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_and_ingest_data_to_sentinel(self, from_date, to_date, page_token): + """Iterate through from and to dates and get mimecast data and ingest data to sentinel. + + Args: + from_date (str): The start date for data retrieval. + to_date (str): The end date for data retrieval. + page_token (str): The token for paginating through the data. + + Returns: + Tuple[str, str]: A tuple containing the updated start and end dates after data ingestion. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + temp_from = from_date + temp_to = to_date + checkpoint_data_to_post = { + "from_date": from_date, + "to_date": to_date, + "page_token": page_token, + } + page = 1 + total_ingested_data_count = 0 + while True: + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise MimecastTimeoutException() + payload = { + "meta": { + "pagination": { + "pageSize": consts.PAGE_SIZE, + "pageToken": "" if not page_token else page_token, + } + }, + "data": [{"from": from_date, "oldestFirst": True, "to": to_date}], + } + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request body = {}".format(payload), + ) + ) + url = "{}{}".format(consts.BASE_URL, consts.ENDPOINTS["TTP_ATTACHMENT"]) + response = self.make_rest_call("POST", url, json=payload) + + pagination_details = response.get("meta").get("pagination") + page_token = pagination_details.get("next", "") + total_count = pagination_details.get("totalCount") + data_to_ingest = response.get("data")[0].get("attachmentLogs") + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data count to ingest = {}".format(len(data_to_ingest)), + ) + ) + total_ingested_data_count += len(data_to_ingest) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Next Page token = {}, Total count = {}, Total ingested data count = {}, Page = {}".format( + page_token, + total_count, + total_ingested_data_count, + page, + ), + ) + ) + if len(data_to_ingest) > 0: + post_data( + json.dumps(data_to_ingest), + consts.TABLE_NAME["TTP_ATTACHMENT"], + ) + + checkpoint_data_to_post.update({"page_token": page_token}) + if not page_token: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No next page token found, 
Breaking the loop", + ) + ) + from_date = to_date + to_date = datetime.datetime.now(datetime.timezone.utc).strftime( + consts.DATE_TIME_FORMAT + ) + checkpoint_data_to_post = { + "from_date": from_date, + "to_date": to_date, + "page_token": page_token, + } + self.post_checkpoint_data( + self.checkpoint_obj, checkpoint_data_to_post + ) + break + self.post_checkpoint_data(self.checkpoint_obj, checkpoint_data_to_post) + page += 1 + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data ingested from = {}, to = {}, Total ingested count = {}".format( + temp_from, temp_to, total_ingested_data_count + ), + ) + ) + return from_date, to_date + except MimecastTimeoutException: + raise MimecastTimeoutException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except ValueError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.VALUE_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + except TypeError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/sample.dat b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPAttachment/sample.dat new file mode 100644 index 00000000000..e69de29bb2d 
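Review bot: In `get_mimecast_ttp_attachment_data_in_sentinel`, `page_token` is read from the checkpoint once and passed unchanged on every iteration of the `while` loop, but `get_and_ingest_data_to_sentinel` returns only the new `from_date, to_date`; after a resumed run completes its first window, the next window is requested with a pagination token that belonged to the previous query. Resetting it after the call, `page_token = ""  # a pagination token is only valid for the window that issued it`, or returning it alongside the dates, fixes this. The same outer loop is in `mimecast_ttp_impersonation.py` and in the visible part of `mimecast_ttp_url.py`, so the fix applies there too. Also, `except MimecastException: raise MimecastException()` in both methods of this file replaces the caught exception with a fresh instance, discarding its message and traceback; a bare `raise` preserves them.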
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/__init__.py new file mode 100644 index 00000000000..67772c85f37 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/__init__.py @@ -0,0 +1,47 @@ +"""This is init file for TTP Impersonation.""" + +import datetime +import logging +import azure.functions as func +from SharedCode.logger import applogger +from SharedCode import consts +from MimecastTTPImpersonation.mimecast_ttp_impersonation import MimecastTTPImpersonation +import time + + +log_format = consts.LOG_FORMAT + + +def main(mytimer: func.TimerRequest) -> None: + """Run the main logic of the Function App triggered by a timer.""" + utc_timestamp = ( + datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + ) + start = time.time() + applogger.info( + "{} : {}, Function App started at {}".format( + consts.LOGS_STARTS_WITH, + consts.TTP_IMPERSONATION_FUNCTION_NAME, + datetime.datetime.fromtimestamp(start), + ) + ) + mimecastttpimpersonation = MimecastTTPImpersonation(int(start)) + mimecastttpimpersonation.get_mimecast_ttp_impersonation_data_in_sentinel() + end = time.time() + + applogger.info( + "{} : {}, Function App ended at {}".format( + consts.LOGS_STARTS_WITH, + consts.TTP_IMPERSONATION_FUNCTION_NAME, + datetime.datetime.fromtimestamp(end), + ) + ) + applogger.info( + "{} : {}, Total time taken = {}".format( + consts.LOGS_STARTS_WITH, consts.TTP_IMPERSONATION_FUNCTION_NAME, end - start + ) + ) + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/function.json b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/function.json new file mode 100644 index 00000000000..36c1449c9e1 --- /dev/null 
+++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/function.json @@ -0,0 +1,11 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "%Schedule%" + } + ] +} \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/mimecast_ttp_impersonation.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/mimecast_ttp_impersonation.py new file mode 100644 index 00000000000..e1dbf5d4b82 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/mimecast_ttp_impersonation.py 
@@ -0,0 +1,254 @@ +"""Get Mimecast TTP Impersonation Data and Ingest into Sentinel.""" + +from SharedCode.utils import Utils +from SharedCode.logger import applogger +from SharedCode import consts +from SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from SharedCode.state_manager import StateManager +from SharedCode.sentinel import post_data +import inspect +import json +import datetime +import time +from tenacity import RetryError + + +file_path = "mimecastttpimpersonation" + + +class MimecastTTPImpersonation(Utils): + """Mimecast TTP Impersonation Class.""" + + def __init__(self, start_time) -> None: + """Initialize the MimecastTTPImpersonation class. + + Args: + start(int): The starting time for the timer trigger. + """ + super().__init__(consts.TTP_IMPERSONATION_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"File_Share_Name": consts.FILE_SHARE_NAME}, + {"Base_Url": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"Mimecast_Client_ID": consts.MIMECAST_CLIENT_ID}, + {"Mimecast_Client_Secret": consts.MIMECAST_CLIENT_SECRET}, + ] + ) + self.authenticate_mimecast_api() + self.start = start_time + self.checkpoint_obj = StateManager( + consts.CONN_STRING, file_path, consts.FILE_SHARE_NAME + ) + + def get_mimecast_ttp_impersonation_data_in_sentinel(self): + """Get the TTP Impersonation Data from Mimecast.""" + __method_name = inspect.currentframe().f_code.co_name + try: + # Get from date, to date and page token from checkpoint files at start of execution + from_date, to_date, page_token = self.get_from_date_to_date_page_token( + self.checkpoint_obj + ) + while ( + self.iso_to_epoch_int(to_date) - self.iso_to_epoch_int(from_date) + >= consts.TIME_DIFFERENCE + ): + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise MimecastTimeoutException() + # Entry point of starting to get and ingest data to sentinel + from_date, to_date = 
self.get_and_ingest_data_to_sentinel( + from_date, to_date, page_token + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "From and To time difference is less than 15 min, Stop execution.", + ) + ) + except MimecastTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Mimecast: 9:30 mins executed hence breaking.", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_and_ingest_data_to_sentinel(self, from_date, to_date, page_token): + """Iterate through from and to dates and get mimecast data and ingest data to sentinel. + + Args: + from_date (str): The start date for data retrieval. + to_date (str): The end date for data retrieval. + page_token (str): The token for paginating through the data. + + Returns: + Tuple[str, str]: A tuple containing the updated start and end dates after data ingestion. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + temp_from = from_date + temp_to = to_date + checkpoint_data_to_post = { + "from_date": from_date, + "to_date": to_date, + "page_token": page_token, + } + page = 1 + total_ingested_data_count = 0 + while True: + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise MimecastTimeoutException() + payload = { + "meta": { + "pagination": { + "pageSize": consts.PAGE_SIZE, + "pageToken": "" if not page_token else page_token, + } + }, + "data": [{"from": from_date, "oldestFirst": True, "to": to_date}], + } + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request body = {}".format(payload), + ) + ) + url = "{}{}".format( + consts.BASE_URL, consts.ENDPOINTS["TTP_IMPERSONATION"] + ) + response = self.make_rest_call("POST", url, json=payload) + + pagination_details = response.get("meta").get("pagination") + page_token = pagination_details.get("next", "") + total_count = pagination_details.get("totalCount") + data_to_ingest = response.get("data")[0].get("impersonationLogs") + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data count to ingest = {}".format(len(data_to_ingest)), + ) + ) + total_ingested_data_count += len(data_to_ingest) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Next Page token = {}, Total count = {}, Total ingested data count = {}, Page = {}".format( + page_token, + total_count, + total_ingested_data_count, + page, + ), + ) + ) + if len(data_to_ingest) > 0: + post_data( + json.dumps(data_to_ingest), + consts.TABLE_NAME["TTP_IMPERSONATION"], + ) + + checkpoint_data_to_post.update({"page_token": page_token}) + if not page_token: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No next 
page token found, Breaking the loop", + ) + ) + from_date = to_date + to_date = datetime.datetime.now(datetime.timezone.utc).strftime( + consts.DATE_TIME_FORMAT + ) + checkpoint_data_to_post = { + "from_date": from_date, + "to_date": to_date, + "page_token": page_token, + } + self.post_checkpoint_data( + self.checkpoint_obj, checkpoint_data_to_post + ) + break + self.post_checkpoint_data(self.checkpoint_obj, checkpoint_data_to_post) + page += 1 + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data ingested from = {}, to = {}, Total ingested count = {}".format( + temp_from, temp_to, total_ingested_data_count + ), + ) + ) + return from_date, to_date + except MimecastTimeoutException: + raise MimecastTimeoutException() + except MimecastException: + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except ValueError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.VALUE_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + except TypeError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() 
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/sample.dat b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPImpersonation/sample.dat new file mode 100644 index 00000000000..e69de29bb2d diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPUrl/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPUrl/__init__.py new file mode 100644 index 00000000000..811b24870fc --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPUrl/__init__.py @@ -0,0 +1,47 @@ +"""This is init file for TTP URL.""" + +import datetime +import logging +import azure.functions as func +from SharedCode.logger import applogger +from SharedCode import consts +from MimecastTTPUrl.mimecast_ttp_url import MimecastTTPUrl +import time + + +log_format = consts.LOG_FORMAT + + +def main(mytimer: func.TimerRequest) -> None: + """Run the main logic of the Function App triggered by a timer.""" + utc_timestamp = ( + datetime.datetime.utcnow().replace(tzinfo=datetime.timezone.utc).isoformat() + ) + start = time.time() + applogger.info( + "{} : {}, Function App started at {}".format( + consts.LOGS_STARTS_WITH, + consts.TTP_URL_FUNCTION_NAME, + datetime.datetime.fromtimestamp(start), + ) + ) + mimecastttpurl = MimecastTTPUrl(int(start)) + mimecastttpurl.get_mimecast_ttp_url_data_in_sentinel() + end = time.time() + + applogger.info( + "{} : {}, Function App ended at {}".format( + consts.LOGS_STARTS_WITH, + consts.TTP_URL_FUNCTION_NAME, + datetime.datetime.fromtimestamp(end), + ) + ) + applogger.info( + "{} : {}, Total time taken = {}".format( + consts.LOGS_STARTS_WITH, consts.TTP_URL_FUNCTION_NAME, end - start + ) + ) + if mytimer.past_due: + logging.info("The timer is past due!") + + logging.info("Python timer trigger function ran at %s", utc_timestamp) 
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPUrl/function.json b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPUrl/function.json new file mode 100644 index 00000000000..36c1449c9e1 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPUrl/function.json @@ -0,0 +1,11 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "mytimer", + "type": "timerTrigger", + "direction": "in", + "schedule": "%Schedule%" + } + ] +} \ No newline at end of file diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPUrl/mimecast_ttp_url.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPUrl/mimecast_ttp_url.py new file mode 100644 index 00000000000..d71e260c75d --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/MimecastTTPUrl/mimecast_ttp_url.py 
@@ -0,0 +1,249 @@ +"""Get Mimecast TTP URL Data and Ingest into Sentinel.""" + +from SharedCode.utils import Utils +from SharedCode.logger import applogger +from SharedCode import consts +from SharedCode.mimecast_exception import MimecastException, MimecastTimeoutException +from SharedCode.state_manager import StateManager +from SharedCode.sentinel import post_data +import inspect +import json +import datetime +import time +from tenacity import RetryError + + +file_path = "mimecastttpurl" + + +class MimecastTTPUrl(Utils): + """Mimecast TTP Url Class.""" + + def __init__(self, start_time) -> None: + """Initialize the MimecastTTPUrl class. + + Args: + start(int): The starting time for the timer trigger. + """ + super().__init__(consts.TTP_URL_FUNCTION_NAME) + self.check_environment_var_exist( + [ + {"File_Share_Name": consts.FILE_SHARE_NAME}, + {"Base_Url": consts.BASE_URL}, + {"WorkspaceID": consts.WORKSPACE_ID}, + {"WorkspaceKey": consts.WORKSPACE_KEY}, + {"Mimecast_Client_ID": consts.MIMECAST_CLIENT_ID}, + {"Mimecast_Client_Secret": consts.MIMECAST_CLIENT_SECRET}, + ] + ) + self.authenticate_mimecast_api() + self.start = start_time + self.checkpoint_obj = StateManager( + consts.CONN_STRING, file_path, consts.FILE_SHARE_NAME + ) + + def get_mimecast_ttp_url_data_in_sentinel(self): + """Get the TTP Url Data from Mimecast.""" + __method_name = inspect.currentframe().f_code.co_name + try: + # Get from date, to date and page token from checkpoint files at start of execution + from_date, to_date, page_token = self.get_from_date_to_date_page_token( + self.checkpoint_obj + ) + while ( + self.iso_to_epoch_int(to_date) - self.iso_to_epoch_int(from_date) + >= consts.TIME_DIFFERENCE + ): + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise MimecastTimeoutException() + # Entry point of starting to get and ingest data to sentinel + from_date, to_date = self.get_and_ingest_data_to_sentinel( + from_date, to_date, page_token + ) + applogger.info( + 
self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "From and To time difference is less than 15 min, Stop execution.", + ) + ) + except MimecastTimeoutException: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Mimecast: 9:30 mins executed hence breaking.", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_and_ingest_data_to_sentinel(self, from_date, to_date, page_token): + """Iterate through from and to dates and get mimecast data and ingest data to sentinel. + + Args: + from_date (str): The start date for data retrieval. + to_date (str): The end date for data retrieval. + page_token (str): The token for paginating through the data. + + Returns: + Tuple[str, str]: A tuple containing the updated start and end dates after data ingestion. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + temp_from = from_date + temp_to = to_date + checkpoint_data_to_post = { + "from_date": from_date, + "to_date": to_date, + "page_token": page_token, + } + page = 1 + total_ingested_data_count = 0 + while True: + if int(time.time()) >= self.start + consts.FUNCTION_APP_TIMEOUT_SECONDS: + raise MimecastTimeoutException() + payload = { + "meta": { + "pagination": { + "pageSize": consts.PAGE_SIZE, + "pageToken": "" if not page_token else page_token, + } + }, + "data": [{"from": from_date, "oldestFirst": True, "to": to_date}], + } + applogger.debug( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Request body = {}".format(payload), + ) + ) + url = "{}{}".format(consts.BASE_URL, consts.ENDPOINTS["TTP_URL"]) + response = self.make_rest_call("POST", url, json=payload) + + pagination_details = response.get("meta").get("pagination") + page_token = pagination_details.get("next", "") + total_count = pagination_details.get("totalCount") + data_to_ingest = response.get("data")[0].get("clickLogs") + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data count to ingest = {}".format(len(data_to_ingest)), + ) + ) + total_ingested_data_count += len(data_to_ingest) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Next Page token = {}, Total count = {}, Total ingested data count = {}, Page = {}".format( + page_token, + total_count, + total_ingested_data_count, + page, + ), + ) + ) + if len(data_to_ingest) > 0: + post_data(json.dumps(data_to_ingest), consts.TABLE_NAME["TTP_URL"]) + + checkpoint_data_to_post.update({"page_token": page_token}) + if not page_token: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No next page token found, Breaking the loop", + ) + ) 
+ from_date = to_date + to_date = datetime.datetime.now(datetime.timezone.utc).strftime( + consts.DATE_TIME_FORMAT + ) + checkpoint_data_to_post = { + "from_date": from_date, + "to_date": to_date, + "page_token": page_token, + } + self.post_checkpoint_data( + self.checkpoint_obj, checkpoint_data_to_post + ) + break + self.post_checkpoint_data(self.checkpoint_obj, checkpoint_data_to_post) + page += 1 + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data ingested from = {}, to = {}, Total ingested count = {}".format( + temp_from, temp_to, total_ingested_data_count + ), + ) + ) + return from_date, to_date + except MimecastTimeoutException: + raise MimecastTimeoutException() + except MimecastException: + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except ValueError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.VALUE_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + except TypeError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() 
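Review bot: The names passed to `check_environment_var_exist` in `MimecastTTPUrl.__init__` do not match the environment variables consts.py actually reads: `Mimecast_Client_ID` and `Mimecast_Client_Secret` are read as `MimecastClientID` / `MimecastClientSecret`, and `Base_Url` as `BaseURL`, so the "Environment variable {} is not set" error names a setting the operator cannot find in the Function App configuration. Use the real setting names as the dict keys, e.g. `{"BaseURL": consts.BASE_URL}`, `{"MimecastClientID": consts.MIMECAST_CLIENT_ID}`, `{"MimecastClientSecret": consts.MIMECAST_CLIENT_SECRET}`. Separately, every `except MimecastException: raise MimecastException()` in this file (and the same pattern in sentinel.py's `post_data` and `handle_response`) replaces the caught instance with a message-less one, discarding the original traceback and any detail the lower layer attached; a bare `raise` keeps both and costs nothing. Finally, `response.get("meta").get("pagination")` and `response.get("data")[0]` assume the API's response shape; a missing `meta` or an empty `data` list lands in the generic `except Exception` as an "Unexpected error" rather than a message naming the malformed field, which is worth a short comment at those lines if the shape is guaranteed by the API contract.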
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/Mimecast_TTP.zip b/Solutions/Mimecast/Data Connectors/MimecastTTP/Mimecast_TTP.zip new file mode 100644 index 00000000000..d2716dccbdb Binary files /dev/null and b/Solutions/Mimecast/Data Connectors/MimecastTTP/Mimecast_TTP.zip differ diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/Mimecast_TTP_FunctionApp.json b/Solutions/Mimecast/Data Connectors/MimecastTTP/Mimecast_TTP_FunctionApp.json new file mode 100644 index 00000000000..8b4a24f951a --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/Mimecast_TTP_FunctionApp.json 
@@ -0,0 +1,153 @@ +{ + "id": "MimecastTTPAPI", + "title": "Mimecast Targeted Threat Protection", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Targeted Threat Protection](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. \nThe Mimecast products included within the connector are: \n- URL Protect \n- Impersonation Protect \n- Attachment Protect\n", + "graphQueries": [ + { + "metricName": "Total URL Protect data received", + "legend": "Ttp_Url_CL", + "baseQuery": "Ttp_Url_CL" + }, + { + "metricName": "Total Attachment Protect data received", + "legend": "Ttp_Attachment_CL", + "baseQuery": "Ttp_Attachment_CL" + }, + { + "metricName": "Total Impersonation Protect data received", + "legend": "Ttp_Impersonation_CL", + "baseQuery": "Ttp_Impersonation_CL" + } + ], + "sampleQueries": [ + { + "description": "Ttp_Url_CL", + "query": "Ttp_Url_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Ttp_Attachment_CL", + "query": "Ttp_Attachment_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Ttp_Impersonation_CL", + "query": "Ttp_Impersonation_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Ttp_Url_CL", + "lastDataReceivedQuery": "Ttp_Url_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Ttp_Attachment_CL", + "lastDataReceivedQuery": "Ttp_Attachment_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Ttp_Impersonation_CL", + "lastDataReceivedQuery": "Ttp_Impersonation_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + 
], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Ttp_Url_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Ttp_Attachment_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Ttp_Impersonation_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." 
+ }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "title": "Resource group", + "description": "You need to have a resource group created with a subscription you are going to use." + }, + { + "title": "Functions app", + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret" + }, + { + "title": "", + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "title": "", + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "title": "Configuration:", + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)" + }, + { + "title": "", + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "Azure Resource Manager (ARM) Template", + "description": "Use this method for automated deployment of the Mimecast Targeted Threat Protection Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastTTPAzureDeploy-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tStart Date \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 0 */1 * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + } + ] +} \ No newline at end of file 
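Review bot: The workspace entry under `permissions.resourceProvider` requests `"delete": true` together with read and write, but nothing in this connector's Function App deletes workspace resources — it only posts rows to the three custom tables — so the requested right exceeds what the connector uses; if it is inherited from a template rather than needed, reduce it to `"write": true, "read": true`. The "Functions app" instruction step also lists an Azure App registration (Application Id, Tenant Id, Client Id, Client Secret) as a prerequisite, while the ARM step's input list and the code visible in this diff consume only the Workspace ID/Key and the Mimecast client ID/secret, so operators may register an app whose credentials are never used; the two steps should agree on which credentials the deployment actually needs, and the "Azure Subscription with owner role" custom requirement should likewise be rechecked against the role the ARM template really requires.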
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/__init__.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/__init__.py
new file mode 100644
index 00000000000..91361ed4c8b
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/__init__.py
@@ -0,0 +1 @@
+"""This is init file to consider SharedCode as package."""
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/consts.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/consts.py
new file mode 100644
index 00000000000..9da1d5992a4
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/consts.py
@@ -0,0 +1,77 @@ +"""Module with constants and configurations for the Mimecast integration.""" + +import os + +LOG_LEVEL = os.environ.get("LogLevel", "INFO") +LOGS_STARTS_WITH = "Mimecast" +LOG_FORMAT = "{}(method = {}) : {} : {}" + + +# *Sentinel related constants +AZURE_CLIENT_ID = os.environ.get("Azure_Client_Id", "") +AZURE_CLIENT_SECRET = os.environ.get("Azure_Client_Secret", "") +AZURE_TENANT_ID = os.environ.get("Azure_Tenant_Id", "") +WORKSPACE_KEY = os.environ.get("WorkspaceKey", "") +WORKSPACE_ID = os.environ.get("WorkspaceID", "") + + +# *Mimecast related constants +MIMECAST_CLIENT_ID = os.environ.get("MimecastClientID") +MIMECAST_CLIENT_SECRET = os.environ.get("MimecastClientSecret") + +BASE_URL = os.environ.get("BaseURL", "https://api.services.mimecast.com") +ENDPOINTS = { + "OAUTH2": "/oauth/token", + "TTP_URL": "/api/ttp/url/get-logs", + "SEG_DLP": "/api/dlp/get-logs", + "TTP_ATTACHMENT": "/api/ttp/attachment/get-logs", + "TTP_IMPERSONATION": "/api/ttp/impersonation/get-logs", +} + +TABLE_NAME = { + "TTP_URL": "Ttp_Url", + "SEG_DLP": "Seg_Dlp", + "TTP_ATTACHMENT": "Ttp_Attachment", + "TTP_IMPERSONATION": "Ttp_Impersonation", +} +TTP_URL_FUNCTION_NAME = "TTP_URL" +TTP_ATTACHMENT_FUNCTION_NAME = "TTP_Attachment" +TTP_IMPERSONATION_FUNCTION_NAME = "TTP_Impersonation" +SEG_DLP_FUNCTION_NAME = "SEG_DLP" + + +# *Error Messages for Exception +UNEXPECTED_ERROR_MSG = "Unexpected error : Error-{}" +HTTP_ERROR_MSG = "HTTP error : Error-{}" +REQUEST_ERROR_MSG = "Request error : Error-{}" +CONNECTION_ERROR_MSG = "Connection error : Error-{}" +KEY_ERROR_MSG = "Key error : Error-{}" +TYPE_ERROR_MSG = "Type error : Error-{}" +VALUE_ERROR_MSG = "Value error : Error-{}" +JSON_DECODE_ERROR_MSG = "JSONDecode error : Error-{}" +TIME_OUT_ERROR_MSG = "Timeout error : Error-{}" +MAX_RETRY_ERROR_MSG = "Max retries exceeded : {} Last exception: {}" + + +# *checkpoint related constants +CONN_STRING = os.environ.get("Connection_String") +FILE_SHARE_NAME = 
os.environ.get("File_Share_Name", "mimecast-checkpoints") +START_DATE = os.environ.get("StartDate") + +# *Extra constants +DATE_TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ" +MAX_FILE_SIZE = 20 * 1024 * 1024 +MAX_CHUNK_SIZE = 1024 * 1024 +MAX_RETRIES = 5 +PAGE_SIZE = 500 +FUNCTION_APP_TIMEOUT_SECONDS = 570 +TIME_DIFFERENCE = 900 +DEFAULT_LOOKUP_DAY = 60 +SENTINEL_RETRY_COUNT = 3 +MAX_TIMEOUT_SENTINEL = 120 +INGESTION_ERROR_SLEEP_TIME = 30 +EXCEPTION_STATUS_CODE = [400, 403, 409] +RETRY_STATUS_CODE = [429, 500, 503, 502, 509] +MAX_SLEEP_TIME = 30 +MIN_SLEEP_TIME = 5 +BACKOFF_MULTIPLIER = 2 diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/logger.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/logger.py new file mode 100644 index 00000000000..e97c12ceca2 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/logger.py @@ -0,0 +1,23 @@ +"""Handle the logger.""" + +import logging +import sys +from SharedCode import consts + +log_level = consts.LOG_LEVEL + +LOG_LEVELS = { + "DEBUG": logging.DEBUG, + "INFO": logging.INFO, + "WARNING": logging.WARNING, + "ERROR": logging.ERROR, +} + +try: + applogger = logging.getLogger("azure") + applogger.setLevel(LOG_LEVELS.get(log_level.upper(), logging.INFO)) +except Exception: + applogger.setLevel(logging.INFO) +finally: + handler = logging.StreamHandler(stream=sys.stdout) + applogger.addHandler(handler) diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/mimecast_exception.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/mimecast_exception.py new file mode 100644 index 00000000000..53c1f7257f8 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/mimecast_exception.py 
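Review bot: In logger.py, the `except Exception` branch calls `applogger.setLevel(logging.INFO)` on a name that is only bound inside the `try`; if `logging.getLogger("azure")` ever raised, the handler would itself fail with NameError, and the `finally` block would do the same. Since `getLogger` does not raise for a string name and `LOG_LEVELS.get(log_level.upper(), logging.INFO)` already defaults an unknown level, the try/except/finally guards nothing — `applogger = logging.getLogger("azure")`, `applogger.setLevel(...)`, `applogger.addHandler(...)` as three plain statements is both shorter and correct. Binding the level and handler to the `"azure"` logger name also means the Azure SDK's own loggers (azure.storage, azure.core) inherit this level, so `LogLevel=DEBUG` presumably turns on the SDK's verbose HTTP logging as well; a comment next to `getLogger("azure")` noting that DEBUG affects SDK output too would help operators choosing the level.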
@@ -0,0 +1,25 @@
+"""This File contains custom Exception class for Mimecast."""
+
+
+class MimecastException(Exception):
+ """Exception class to handle Mimecast exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Mimecast exception with custom message."""
+ super().__init__(message)
+
+
+class MimecastTimeoutException(Exception):
+ """Exception class to handle Mimecast exception.
+
+ Args:
+ Exception (string): will print exception message.
+ """
+
+ def __init__(self, message=None) -> None:
+ """Initialize custom Mimecast exception with custom message."""
+ super().__init__(message)
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/sentinel.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/sentinel.py
new file mode 100644
index 00000000000..9a603058ff6
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/sentinel.py
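Review bot: `MimecastTimeoutException`'s docstring is a copy of `MimecastException`'s ("Exception class to handle Mimecast exception"), so the one property the class exists for — it is raised when the `FUNCTION_APP_TIMEOUT_SECONDS` budget is exhausted and is handled as a clean stop (the caller logs and returns) rather than as an error — is stated nowhere. Suggest `"""Raised when the function app's execution time budget is exhausted; callers stop cleanly and resume from the checkpoint on the next timer run."""`. The `Args:` sections on both classes describe the base class instead of the constructor's parameter; `message (str, optional): detail attached to the exception` is what `__init__` actually takes.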
@@ -0,0 +1,275 @@ +"""This file contains methods for creating microsoft custom log table.""" + +import base64 +import requests +import hashlib +import hmac +import time +import inspect +import datetime +from SharedCode.logger import applogger +from SharedCode.state_manager import StateManager +from SharedCode import consts +from SharedCode.mimecast_exception import MimecastException +from urllib3.exceptions import NameResolutionError + + +def build_signature( + date, + content_length, + method, + content_type, + resource, +): + """To build signature which is required in header.""" + x_headers = "x-ms-date:" + date + string_to_hash = method + "\n" + str(content_length) + "\n" + content_type + "\n" + x_headers + "\n" + resource + bytes_to_hash = bytes(string_to_hash, encoding="utf-8") + decoded_key = base64.b64decode(consts.WORKSPACE_KEY) + encoded_hash = base64.b64encode(hmac.new(decoded_key, bytes_to_hash, digestmod=hashlib.sha256).digest()).decode() + authorization = "SharedKey {}:{}".format(consts.WORKSPACE_ID, encoded_hash) + + return authorization + + +def post_data(body, log_type): + """Build and send a request to the POST API. + + Args: + body (str): Data to post into Sentinel log analytics workspace + log_type (str): Custom log table name in which data wil be added. + + Returns: + status_code: Returns the response status code got while posting data to sentinel. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") + content_length = len(body) + try: + signature = build_signature( + rfc1123date, + content_length, + method, + content_type, + resource, + ) + except Exception as err: + applogger.error( + "{}(method={}) : Error in build signature-{}".format( + consts.LOGS_STARTS_WITH, + __method_name, + err, + ) + ) + raise MimecastException() + uri = "https://" + consts.WORKSPACE_ID + ".ods.opinsights.azure.com" + resource + "?api-version=2016-04-01" + + headers = { + "content-type": content_type, + "Authorization": signature, + "Log-Type": log_type, + "x-ms-date": rfc1123date, + } + retry_count = 0 + while retry_count < consts.SENTINEL_RETRY_COUNT: + try: + + response = requests.post(uri, data=body, headers=headers, timeout=consts.MAX_TIMEOUT_SENTINEL) + + result = handle_response(response, body, log_type) + + if result is not False: + return result + retry_count += 1 + continue + + except requests.exceptions.ConnectionError as error: + try: + if isinstance(error.args[0].reason, NameResolutionError): + applogger.error( + "{}(method={}) : {} : Workspace ID is wrong: {}, Sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except Exception as unknown_connect_error: + applogger.error( + "{}(method={}) : {} : Unknown Error in ConnectionError: {}, Sleeping for {} seconds." 
+ " and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + unknown_connect_error, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + applogger.error( + "{}(method={}) : {} : Unknown Connection Error, sleeping - {} seconds and retrying.. Error - {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + consts.INGESTION_ERROR_SLEEP_TIME, + error, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.exceptions.Timeout as error: + applogger.error( + "{}(method={}) : {} : sleeping - {} seconds and retrying.. Timeout Error: {}".format( + consts.LOGS_STARTS_WITH, __method_name, log_type, consts.INGESTION_ERROR_SLEEP_TIME, error + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + retry_count += 1 + continue + except requests.RequestException as error: + applogger.error( + "{}(method={}) : {} : Request Error: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, __method_name, log_type, error + ) + ) + raise MimecastException() + applogger.error( + "{}(method={}) : {} : Maximum Retry count of {} exceeded, hence stopping execution.".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + consts.SENTINEL_RETRY_COUNT, + ) + ) + raise MimecastException() + + +def handle_response(response, body, log_type): + """Handle the response from Azure Sentinel.""" + try: + __method_name = inspect.currentframe().f_code.co_name + if response.status_code >= 200 and response.status_code <= 299: + applogger.debug( + "{}(method={}) : Status_code: {} Accepted: Data Posted Successfully to azure sentinel.".format( + consts.LOGS_STARTS_WITH, + __method_name, + response.status_code, + 
) + ) + return response.status_code + elif response.status_code == 400: + applogger.error( + "{}(method={}) : {} : Response code: {} from posting data to log analytics. Response: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + ) + ) + curent_corrupt_data_obj = StateManager( + consts.CONN_STRING, + "{}-Ingest-To-Sentinel-Corrupt_{}".format(log_type, str(int(time.time()))), + consts.FILE_SHARE_NAME, + ) + curent_corrupt_data_obj.post(body) + + raise MimecastException() + elif response.status_code == 403: + applogger.error( + "{}(method={}) : {} :Response code :{} Error occurred for build signature: Response: {} ." + " Issue with WorkspaceKey, Kindly verify your WorkspaceKey".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + ) + ) + raise MimecastException() + elif response.status_code == 429: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Too many request: Response: {} . " + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + elif response.status_code == 500: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Internal Server Error: Response: {} . " + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + elif response.status_code == 503: + applogger.error( + "{}(method={}) : {} : Error occurred: Response code : {} Service Unavailable: Response: {} . 
" + "sleeping for {} seconds and retrying..".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + consts.INGESTION_ERROR_SLEEP_TIME, + ) + ) + time.sleep(consts.INGESTION_ERROR_SLEEP_TIME) + return False + applogger.error( + "{}(method={}) : {} : Response code: {} from posting data to log analytics. Response: {}".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + response.status_code, + response.text, + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + "{}(method={}) : {} : Unknown Error: {}.".format( + consts.LOGS_STARTS_WITH, + __method_name, + log_type, + error, + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/state_manager.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/state_manager.py new file mode 100644 index 00000000000..0bfe9819ce1 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/state_manager.py 
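Review bot: `post_data` signs `content_length = len(body)` on a str, while `requests.post(uri, data=body, ...)` transmits an encoded body whose Content-Length is the byte count, so for any non-ASCII character in the payload the signed and transmitted lengths differ, the SharedKey signature no longer validates, and the service rejects the request — which `handle_response` then reports as a wrong WorkspaceKey under the 403 branch. The callers in this diff are safe only because `json.dumps` defaults to `ensure_ascii=True`; make `post_data` independent of that with `body_bytes = body.encode("utf-8")`, signing `len(body_bytes)` and sending `data=body_bytes` (the 400 branch can keep writing the original `body` str). `datetime.datetime.utcnow()` for `rfc1123date` is deprecated in Python 3.12 and `datetime.datetime.now(datetime.timezone.utc)` yields the same header text. On a 400, `handle_response` persists the rejected payload to the checkpoint file share under a `{log_type}-Ingest-To-Sentinel-Corrupt_{ts}` name; those rows are the same click-log records (user addresses, URLs) destined for the workspace, so the share should carry matching access and retention handling, and a one-line comment at that `StateManager(...)` call saying the file holds raw event data would make the data-location obvious to whoever operates the storage account.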
@@ -0,0 +1,69 @@
+"""This module will help to save file to state manager."""
+
+from azure.storage.fileshare import ShareClient
+from azure.storage.fileshare import ShareFileClient
+from azure.core.exceptions import ResourceNotFoundError, ResourceExistsError
+
+
+class StateManager:
+ """State manager class for specific operation.
+
+ This class will help to manage the state of the operation
+ by saving and getting data from Azure Storage.
+
+ Args:
+ connection_string (str): Azure Storage connection string.
+ file_path (str): File path on the share.
+ share_name (str): Name of the share.
+ """
+
+ def __init__(self, connection_string, file_path, share_name):
+ """Initialize the share_cli and file_cli."""
+ self.share_cli = ShareClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name
+ )
+ self.file_cli = ShareFileClient.from_connection_string(
+ conn_str=connection_string, share_name=share_name, file_path=file_path
+ )
+
+ def post(self, marker_text: str):
+ """Post method for posting the data to Azure Storage.
+
+ This method will upload the given text to the
+ Azure Storage as a file.
+
+ Args:
+ marker_text (str): String to be saved in the file.
+ """
+ try:
+ self.file_cli.upload_file(marker_text)
+ except ResourceNotFoundError:
+ try:
+ self.share_cli.create_share()
+ self.file_cli.upload_file(marker_text)
+ except ResourceExistsError:
+ self.file_cli.upload_file(marker_text)
+
+ def get(self):
+ """Get method for getting the data from Azure Storage.
+
+ This method will download the file from Azure Storage
+ and return the contents as a string.
+
+ Returns:
+ str: The contents of the file.
+ """
+ try:
+ return self.file_cli.download_file().readall().decode()
+ except ResourceNotFoundError:
+ return None
+
+ def delete(self):
+ """Delete method for deleting the data from Azure Storage.
+
+ This method will delete the file from Azure Storage.
+ """
+ try:
+ self.file_cli.delete_file()
+ except ResourceNotFoundError:
+ raise ResourceNotFoundError("File not found to be deleted.")
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/utils.py b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/utils.py
new file mode 100644
index 00000000000..86ae0b55ae1
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/SharedCode/utils.py
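Review bot: `StateManager.delete` swallows the SDK's `ResourceNotFoundError` and raises a fresh one with a fixed message, dropping the service's error detail and the traceback; `except ResourceNotFoundError as err:` followed by `raise ResourceNotFoundError("File not found to be deleted.") from err` keeps both. In `post`, the `except ResourceNotFoundError` fallback assumes the 404 means the share is missing and creates it, but as far as I can tell the SDK raises the same exception when the share exists and only a parent directory of `file_path` does, in which case the retried `upload_file` fails with the same error uncaught; the callers in this diff use root-level names (`mimecastttpurl`, the `*-Ingest-To-Sentinel-Corrupt_*` files), so a comment at that `except` recording `# file_path is assumed to live at the share root; only a missing share is recovered here` would keep that assumption from being silently broken by a future caller.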
@@ -0,0 +1,849 @@ +"""Utils File.""" + +import inspect +import requests +import datetime +import json +from json.decoder import JSONDecodeError +from SharedCode.state_manager import StateManager +from SharedCode.mimecast_exception import MimecastException +from SharedCode.logger import applogger +from SharedCode import consts +from tenacity import ( + retry, + stop_after_attempt, + wait_exponential, + retry_if_exception_type, + retry_if_result, + retry_any, + RetryError, +) +from requests.exceptions import ConnectionError + + +def retry_on_status_code(response): + """Check and retry based on a list of status codes. + + Args: + response (): API response is passed + + Returns: + Bool: if given status code is in list then true else false + """ + __method_name = inspect.currentframe().f_code.co_name + if isinstance(response, dict): + return False + if response.status_code in consts.RETRY_STATUS_CODE: + applogger.info( + "{}(method={}) : Retrying due to status code : {}".format( + consts.LOGS_STARTS_WITH, __method_name, response.status_code + ) + ) + return True + return False + + +class Utils: + """Utils Class.""" + + def __init__(self, azure_function_name) -> None: + """Init Function.""" + self.azure_function_name = azure_function_name + self.log_format = consts.LOG_FORMAT + self.headers = {} + + def check_environment_var_exist(self, environment_var): + """Check the existence of required environment variables. + + Logs the validation process and completion. Raises MimecastException if any required field is missing. 
+ + Args: + environment_var(list) : variables to check for existence + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validating Environment Variables", + ) + ) + missing_required_field = False + for var in environment_var: + key, val = next(iter(var.items())) + if not val: + missing_required_field = True + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Environment variable {} is not set".format(key), + ) + ) + if missing_required_field: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation failed", + ) + ) + raise MimecastException() + if not consts.BASE_URL.startswith("https://"): + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + '"BaseURL" must start with ”https://”', + ) + ) + raise MimecastException() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Validation Complete", + ) + ) + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_checkpoint_data(self, checkpoint_obj: StateManager, load_flag=True): + """Get checkpoint data from a StateManager object. + + Args: + checkpoint_obj (StateManager): The StateManager object to retrieve checkpoint data from. + load_flag (bool): A flag indicating whether to load the data as JSON (default is True). + + Returns: + The retrieved checkpoint data. 
+ + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Fetching checkpoint data", + ) + ) + checkpoint_data = checkpoint_obj.get() + if load_flag and checkpoint_data: + checkpoint_data = json.loads(checkpoint_data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint data = {}".format(checkpoint_data), + ) + ) + return checkpoint_data + except json.decoder.JSONDecodeError as json_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format(json_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def post_checkpoint_data(self, checkpoint_obj: StateManager, data, dump_flag=True): + """Post checkpoint data. + + It post the data to a checkpoint object based on the dump_flag parameter. + + Args: + checkpoint_obj (StateManager): The StateManager object to post data to. + data: The data to be posted. + dump_flag (bool): A flag indicating whether to dump the data as JSON before posting (default is True). 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Posting checkpoint data = {}".format(data), + ) + ) + if dump_flag: + checkpoint_obj.post(json.dumps(data)) + else: + checkpoint_obj.post(data) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Data posted to azure storage", + ) + ) + except TypeError as type_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(type_error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + @retry( + stop=stop_after_attempt(consts.MAX_RETRIES), + wait=wait_exponential( + multiplier=consts.BACKOFF_MULTIPLIER, + min=consts.MIN_SLEEP_TIME, + max=consts.MAX_SLEEP_TIME, + ), + retry=retry_any( + retry_if_result(retry_on_status_code), + retry_if_exception_type(ConnectionError), + ), + before_sleep=lambda retry_state: applogger.error( + "{}(method = {}) : Retring after {} secends, attempt number: {} ".format( + consts.LOGS_STARTS_WITH, + " Retry Decorator", + retry_state.upcoming_sleep, + retry_state.attempt_number, + ) + ), + ) + def make_rest_call( + self, method, url, params=None, data=None, json=None, check_retry=True + ): + """Make a rest call. + + Args: + url (str): The URL to make the call to. + method (str): The HTTP method to use for the call. + params (dict, optional): The parameters to pass in the call (default is None). + data (dict, optional): The body(in x-www-form-urlencoded formate) of the request (default is None). + json (dict, optional): The body(in row formate) of the request (default is None). 
+ check_retry (bool, optional): A flag indicating whether to check for retry (default is True). + + Returns: + dict: The JSON response if the call is successful. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Rest Call, Method :{}, url: {}".format(method, url), + ) + ) + + response = requests.request( + method, + url, + headers=self.headers, + params=params, + data=data, + json=json, + timeout=consts.MAX_TIMEOUT_SENTINEL, + ) + + if response.status_code >= 200 and response.status_code <= 299: + response_json = response.json() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Success, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_success(response_json) + return response_json + elif response.status_code == 400: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Bad Request = {}, Status code : {}".format( + response.text, response.status_code + ), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 401: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unauthorized, Status code : {}".format(response.status_code), + ) + ) + response_json = response.json() + fail_json = response_json.get("fail", []) + error_code = None + error_message = None + if fail_json: + error_code = fail_json[0].get("code") + error_message = fail_json[0].get("message") + if check_retry: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating new token, Error message = {}, Error code = {}".format( + error_message, error_code + ), + ) + ) + check_retry = False + 
self.authenticate_mimecast_api(check_retry) + return self.make_rest_call( + method, url, params, data, json, check_retry + ) + else: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Max retry reached for generating access token," + "Error message = {}, Error code = {}".format( + error_message, error_code + ), + ) + ) + raise MimecastException() + elif response.status_code == 403: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Forbidden, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 404: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Not Found, URL : {}, Status code : {}".format( + url, response.status_code + ), + ) + ) + raise MimecastException() + elif response.status_code == 409: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Conflict, Status code : {}".format(response.status_code), + ) + ) + self.handle_failed_response_for_failure(response) + elif response.status_code == 429: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Too Many Requests, Status code : {} ".format( + response.status_code + ), + ) + ) + return response + elif response.status_code == 500: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Internal Server Error, Status code : {}".format( + response.status_code + ), + ) + ) + return self.handle_failed_response_for_failure(response) + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Unexpected Error = {}, Status code : {}".format( + response.text, 
response.status_code + ), + ) + ) + raise MimecastException() + + except MimecastException: + raise MimecastException() + except requests.exceptions.Timeout as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TIME_OUT_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except JSONDecodeError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.JSON_DECODE_ERROR_MSG.format( + "{}, API Response = {}".format(error, response.text) + ), + ) + ) + raise MimecastException() + except requests.ConnectionError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.CONNECTION_ERROR_MSG.format(error), + ) + ) + raise ConnectionError() + except requests.RequestException as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.REQUEST_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def handle_failed_response_for_failure(self, response): + """Handle the failed response for failure status codes. + + If request get authentication error it will regenerate the access token. + + Args: + response_json (dict): The JSON response from the API. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + response_json = response.json() + error_message = response_json + fail_json = response_json.get("fail", []) + error_json = response_json.get("error") + if fail_json: + error_message = fail_json[0].get("message") + elif error_json: + error_message = error_json.get("message") + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + error_message, + ) + ) + if response.status_code in consts.EXCEPTION_STATUS_CODE: + raise MimecastException() + + return response + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def handle_failed_response_for_success(self, response_json): + """Handle the failed response for a successful request. + + Check if there is failure in success response or not. + + Args: + response_json (dict): The JSON response from the request. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + fail_json = response_json.get("fail", []) + if fail_json: + try: + error_message = fail_json[0].get("errors")[0].get("message") + except (KeyError, IndexError, ValueError, TypeError): + error_message = fail_json + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Failed response message = {}".format(error_message), + ) + ) + raise MimecastException() + else: + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "No failed response found", + ) + ) + return + except MimecastException: + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def authenticate_mimecast_api(self, check_retry=True): + """Authenticate mimecast endpoint generate access token and update header. + + Args: + check_retry (bool): Flag for retry of generating access token. 
+ """ + __method_name = inspect.currentframe().f_code.co_name + try: + body = { + "client_id": consts.MIMECAST_CLIENT_ID, + "client_secret": consts.MIMECAST_CLIENT_SECRET, + "grant_type": "client_credentials", + } + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Generating access token", + ) + ) + self.headers = {} + url = "{}{}".format(consts.BASE_URL, consts.ENDPOINTS["OAUTH2"]) + response = self.make_rest_call( + method="POST", url=url, data=body, check_retry=check_retry + ) + if "access_token" in response: + access_token = response.get("access_token") + self.headers.update( + { + "Content-Type": "application/json", + "Authorization": "Bearer {}".format(access_token), + } + ) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Successfully generated access token and header updated", + ) + ) + return + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Error occurred while fetching the access token from the response = {}".format( + response + ), + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except RetryError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.MAX_RETRY_ERROR_MSG.format( + error, error.last_attempt.exception() + ), + ) + ) + raise MimecastException() + except KeyError as key_error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.KEY_ERROR_MSG.format(key_error), + ) + ) + raise MimecastException() + except Exception as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + + def 
get_from_date_to_date_page_token(self, checkpoint_obj): + """Get the from date, to date, and page token from the checkpoint data. + + If data is not available in checkpoint file, then get the start date from user input. + If user input is not available or invalid then set from date's default value. + + Returns: + Tuple[str, str, str]: A tuple containing the from date, to date, and page token. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + checkpoint_data = self.get_checkpoint_data(checkpoint_obj) + from_date = None + page_token = "" + to_date = None + + if not checkpoint_data: + start_date = self.get_start_date_of_data_fetching() + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Checkpoint data is not available, Start fetching data from = {}".format( + start_date + ), + ) + ) + from_date = start_date + to_date = datetime.datetime.now(datetime.timezone.utc).strftime( + consts.DATE_TIME_FORMAT + ) + else: + from_date = checkpoint_data.get("from_date") + page_token = checkpoint_data.get("page_token") + to_date = checkpoint_data.get("to_date") + + if (not page_token and from_date) or (not to_date): + to_date = datetime.datetime.now(datetime.timezone.utc).strftime( + consts.DATE_TIME_FORMAT + ) + if not from_date: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "From date is not available in checkpoint, User has manually changed checkpoint", + ) + ) + raise MimecastException() + return from_date, to_date, page_token + except MimecastException: + raise MimecastException() + except ValueError as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.VALUE_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + 
self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def get_start_date_of_data_fetching(self): + """Retrieve the start date for data fetching. + + If no start date is provided, it calculates the start date based on a default lookup day. + If the provided start date is invalid, it will fail and raise an exception. + + Returns: + str: The start date for data fetching in the format specified by consts.DATE_TIME_FORMAT. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + if not consts.START_DATE: + start_date = ( + datetime.datetime.utcnow() + - datetime.timedelta(days=consts.DEFAULT_LOOKUP_DAY) + ).strftime(consts.DATE_TIME_FORMAT) + return start_date + try: + start_date = datetime.datetime.strptime( + consts.START_DATE, "%Y-%m-%d" + ).strftime(consts.DATE_TIME_FORMAT) + applogger.info( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Start date given by user is {}".format(start_date), + ) + ) + # * if start date is future date, raise exception + if start_date > datetime.datetime.utcnow().strftime( + consts.DATE_TIME_FORMAT + ): + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Start date given by user is future date", + ) + ) + raise MimecastException() + return start_date + except ValueError: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + "Start date given by user is not valid", + ) + ) + raise MimecastException() + except MimecastException: + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() + + def iso_to_epoch_int(self, date_time): + """Convert an ISO formatted date and time string to epoch time. 
+ + Args: + date_time (str): The input date and time string in the format "%Y-%m-%dT%H:%M:%SZ" + + Returns: + int: The epoch time as a integer. + """ + __method_name = inspect.currentframe().f_code.co_name + try: + date_time_obj = datetime.datetime.strptime( + date_time, consts.DATE_TIME_FORMAT + ) + epoch_time = date_time_obj.timestamp() + return epoch_time + except TypeError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.TYPE_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except ValueError as error: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.VALUE_ERROR_MSG.format(error), + ) + ) + raise MimecastException() + except Exception as err: + applogger.error( + self.log_format.format( + consts.LOGS_STARTS_WITH, + __method_name, + self.azure_function_name, + consts.UNEXPECTED_ERROR_MSG.format(err), + ) + ) + raise MimecastException() diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/azuredeploy_Connector_MimecastTTP_AzureFunction.json b/Solutions/Mimecast/Data Connectors/MimecastTTP/azuredeploy_Connector_MimecastTTP_AzureFunction.json new file mode 100644 index 00000000000..ec212f24344 --- /dev/null +++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/azuredeploy_Connector_MimecastTTP_AzureFunction.json 
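Review bot: In `make_rest_call` the 400, 403 and 409 branches call `self.handle_failed_response_for_failure(response)` without `return`, so whenever that helper does not raise (status not in `consts.EXCEPTION_STATUS_CODE`) control falls through to the final `"Unexpected Error = {} ..."` log and `raise MimecastException()`, while the 500 branch uses `return self.handle_failed_response_for_failure(response)`; make the three branches `return self.handle_failed_response_for_failure(response)` as well, or put the trailing log/raise in an explicit `else:` if the fall-through is intended. `iso_to_epoch_int` parses a `Z`-suffixed string into a naive datetime and calls `.timestamp()`, which applies the process-local timezone rather than UTC, and returns a float although the docstring promises `int`; `return int(date_time_obj.replace(tzinfo=datetime.timezone.utc).timestamp())` fixes both. `get_start_date_of_data_fetching` uses `datetime.datetime.utcnow()` while `get_from_date_to_date_page_token` uses `datetime.datetime.now(datetime.timezone.utc)`; the two should agree, and the aware form is the one that stays correct if the runtime's timezone ever differs from UTC.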
@@ -0,0 +1,259 @@ +{ + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "FunctionName": { + "defaultValue": "MimecastTtp", + "minLength": 1, + "maxLength": 11, + "type": "string" + }, + "WorkspaceID": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Workspace ID of Log Analytics workspace" + } + }, + "WorkspaceKey": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Workspace Key of Log Analytics workspace" + } + }, + "MimecastBaseURL": { + "defaultValue": "https://api.services.mimecast.com", + "type": "string", + "metadata": { + "description": "Enter Base URL of Mimecast API 2.0 (e.g. https://api.services.mimecast.com)" + } + }, + "MimecastClientID": { + "type": "string", + "minLength": 1, + "metadata": { + "description": "Enter Mimecast Client ID for authentication" + } + }, + "MimecastClientSecret": { + "type": "securestring", + "minLength": 1, + "metadata": { + "description": "Enter Mimecast Client Secret for authentication" + } + }, + "StartDate": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Enter the start date in the 'yyyy-mm-dd' format. If you do not provide a date, data from the last 60 days will be fetched automatically. Ensure that the date is in the past and properly formatted" + } + }, + "Schedule": { + "type": "string", + "metadata": { + "description": "Please enter a valid Quartz cron-expression. (Example: 0 0 */1 * * *)\n\nDo not keep the value empty, minimum value is 10 minutes" + }, + "defaultValue": "0 0 */1 * * *" + }, + "LogLevel": { + "type": "string", + "metadata": { + "description": "Please add log level or log severity value. 
By default it is set to INFO" + }, + "allowedValues": [ + "Debug", + "Info", + "Error", + "Warning" + ], + "defaultValue": "Info" + }, + "AppInsightsWorkspaceResourceID": { + "type": "string", + "metadata": { + "description": "Migrate Classic Application Insights to Log Analytic Workspace which is retiring by 29 Febraury 2024. Use 'Log Analytic Workspace-->Properties' blade having 'Resource ID' property value. This is a fully qualified resourceId which is in format '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}'" + } + } + }, + "variables": { + "FunctionName": "[concat(toLower(trim(parameters('FunctionName'))), uniqueString(resourceGroup().id))]", + "StorageSuffix": "[environment().suffixes.storage]", + "LogAnaltyicsUri": "[replace(environment().portal, 'https://portal', concat('https://', toLower(trim(parameters('WorkspaceID'))), '.ods.opinsights'))]" + }, + "resources": [ + { + "type": "Microsoft.Insights/components", + "apiVersion": "2020-02-02", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "kind": "web", + "properties": { + "Application_Type": "web", + "ApplicationId": "[variables('FunctionName')]", + "WorkspaceResourceId": "[trim(parameters('AppInsightsWorkspaceResourceID'))]" + } + }, + { + "type": "Microsoft.Storage/storageAccounts", + "apiVersion": "2019-06-01", + "name": "[tolower(variables('FunctionName'))]", + "location": "[resourceGroup().location]", + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "kind": "StorageV2", + "properties": { + "networkAcls": { + "bypass": "AzureServices", + "virtualNetworkRules": [], + "ipRules": [], + "defaultAction": "Allow" + }, + "supportsHttpsTrafficOnly": true, + "encryption": { + "services": { + "file": { + "keyType": "Account", + "enabled": true + }, + "blob": { + "keyType": "Account", + "enabled": true + } + }, + "keySource": "Microsoft.Storage" + } + } + }, + { + "type": 
"Microsoft.Storage/storageAccounts/blobServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + }, + "deleteRetentionPolicy": { + "enabled": false + } + } + }, + { + "type": "Microsoft.Storage/storageAccounts/fileServices", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]" + ], + "sku": { + "name": "Standard_LRS", + "tier": "Standard" + }, + "properties": { + "cors": { + "corsRules": [] + } + } + }, + { + "type": "Microsoft.Web/sites", + "apiVersion": "2018-11-01", + "name": "[variables('FunctionName')]", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts', tolower(variables('FunctionName')))]", + "[resourceId('Microsoft.Insights/components', variables('FunctionName'))]" + ], + "kind": "functionapp,linux", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "name": "[variables('FunctionName')]", + "httpsOnly": true, + "clientAffinityEnabled": true, + "alwaysOn": true, + "reserved": true, + "siteConfig": { + "linuxFxVersion": "python|3.11" + } + }, + "resources": [ + { + "apiVersion": "2018-11-01", + "type": "config", + "name": "appsettings", + "dependsOn": [ + "[concat('Microsoft.Web/sites/', variables('FunctionName'))]" + ], + "properties": { + "FUNCTIONS_EXTENSION_VERSION": "~4", + "FUNCTIONS_WORKER_RUNTIME": "python", + "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]", + "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', 
variables('FunctionName')), '2015-05-01').ConnectionString]", + "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", + "logAnalyticsUri": "[variables('LogAnaltyicsUri')]", + "Function_App_Name": "[variables('FunctionName')]", + "WorkspaceID": "[trim(parameters('WorkspaceID'))]", + "WorkspaceKey": "[trim(parameters('WorkspaceKey'))]", + "BaseURL": "[trim(parameters('MimecastBaseURL'))]", + "StartDate": "[trim(parameters('StartDate'))]", + "MimecastClientID": "[trim(parameters('MimecastClientID'))]", + "MimecastClientSecret": "[trim(parameters('MimecastClientSecret'))]", + "File_Share_Name": "mimecast-checkpoints", + "Schedule": "[trim(parameters('Schedule'))]", + "LogLevel": "[trim(parameters('LogLevel'))]", + "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-Mimecast_TTP-functionapp", + "Connection_String": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('FunctionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]" + } + } + ] + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), '/default/azure-webjobs-hosts')]", + "dependsOn": [ + "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]", + "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]" + ], + "properties": { + "publicAccess": "None" + } + }, + { + "type": "Microsoft.Storage/storageAccounts/blobServices/containers", + "apiVersion": "2019-06-01", + "name": "[concat(variables('FunctionName'), 
'/default/azure-webjobs-secrets')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/blobServices', variables('FunctionName'), 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "publicAccess": "None"
+ }
+ },
+ {
+ "type": "Microsoft.Storage/storageAccounts/fileServices/shares",
+ "apiVersion": "2019-06-01",
+ "name": "[concat(variables('FunctionName'), '/default/', tolower(variables('FunctionName')))]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Storage/storageAccounts/fileServices', variables('FunctionName'), 'default')]",
+ "[resourceId('Microsoft.Storage/storageAccounts', variables('FunctionName'))]"
+ ],
+ "properties": {
+ "shareQuota": 5120
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/host.json b/Solutions/Mimecast/Data Connectors/MimecastTTP/host.json
new file mode 100644
index 00000000000..d5a11a88326
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/host.json
@@ -0,0 +1,22 @@
+{
+ "version": "2.0",
+ "logging": {
+ "logLevel": {
+ "default": "Trace",
+ "Host.Results": "Trace",
+ "Function": "Trace",
+ "Host.Aggregator": "Trace"
+ },
+ "applicationInsights": {
+ "samplingSettings": {
+ "isEnabled": true,
+ "excludedTypes": "Request"
+ }
+ }
+ },
+ "functionTimeout": "00:10:00",
+ "extensionBundle": {
+ "id": "Microsoft.Azure.Functions.ExtensionBundle",
+ "version": "[4.*, 5.0.0)"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Mimecast/Data Connectors/MimecastTTP/requirements.txt b/Solutions/Mimecast/Data Connectors/MimecastTTP/requirements.txt
new file mode 100644
index 00000000000..d5eb866352a
--- /dev/null
+++ b/Solutions/Mimecast/Data Connectors/MimecastTTP/requirements.txt
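Review bot: The storage account resource sets `networkAcls.defaultAction` to `Allow` and leaves `minimumTlsVersion` and `allowBlobPublicAccess` unset, so the account may still negotiate TLS 1.0/1.1 and its containers can later be switched to anonymous access; both properties exist in the `2019-06-01` API version used here, e.g. `"minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": false` beside `supportsHttpsTrafficOnly`. The function app receives a system-assigned identity, yet the checkpoint share is reached through `Connection_String` (and `AzureWebJobsStorage`), which embeds the account key via `listKeys`, and `WorkspaceKey` and `MimecastClientSecret` are written as plain app settings; Key Vault references, or identity-based storage access, would keep those values out of the app's configuration surface. The `AppInsightsWorkspaceResourceID` description misspells "February".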
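Review bot: `logging.logLevel` sets `default`, `Host.Results`, `Function` and `Host.Aggregator` all to `Trace`, so the connector's own logger output — which in this commit's `utils.py` includes checkpoint contents and raw API error bodies — is shipped to Application Insights at full volume. If that verbosity is intended for the initial rollout, a comment-equivalent in the accompanying README should say so; otherwise `Information` for `Function` is the usual production default and keeps retention cost and log-borne data exposure bounded.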
@@ -0,0 +1,11 @@
+# DO NOT include azure-functions-worker in this file
+# The Python Worker is managed by Azure Functions platform
+# Manually managing azure-functions-worker may cause unexpected issues
+
+
+azure-functions
+requests
+azure-storage-file-share==12.15.0
+aiohttp
+tenacity
+asyncio
\ No newline at end of file
diff --git a/Solutions/Mimecast/Data/Solution_Mimecast.json b/Solutions/Mimecast/Data/Solution_Mimecast.json
new file mode 100644
index 00000000000..129d52b1a25
--- /dev/null
+++ b/Solutions/Mimecast/Data/Solution_Mimecast.json
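Review bot: `asyncio` is part of the standard library on the `python|3.11` runtime the ARM template pins, so the `asyncio` line installs the obsolete PyPI backport of that name into the function's site-packages for no benefit; it should be dropped. Only `azure-storage-file-share` is pinned while `requests`, `aiohttp` and `tenacity` float, which makes deployments non-reproducible and lets a future release change retry or TLS behaviour silently; pin them in the existing `==` style (or ship a hash-checked lock). `aiohttp` is not imported by the `utils.py` or `state_manager.py` hunks in this commit — worth confirming another module uses it before keeping the dependency.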
@@ -0,0 +1,56 @@
+{
+ "Name": "Mimecast",
+ "Author": "Mimecast - dlapi@mimecast.com",
+ "Logo": "",
+ "Description": "An Azure app to enable Mimecast data to be viewed using analytical tables and charts which are brought into Azure.",
+ "Analytic Rules": [
+ "Analytic Rules/MimecastTTP/Mimecast_TTP_Attachment.yaml",
+ "Analytic Rules/MimecastTTP/Mimecast_TTP_Impersonation.yaml",
+ "Analytic Rules/MimecastTTP/Mimecast_TTP_Url.yaml",
+ "Analytic Rules/MimecastAudit/Mimecast_Audit.yaml",
+ "Analytic Rules/MimecastSEG/MimecastCG_Attachment.yaml",
+ "Analytic Rules/MimecastSEG/MimecastCG_AV.yaml",
+ "Analytic Rules/MimecastSEG/MimecastCG_Impersonation.yaml",
+ "Analytic Rules/MimecastSEG/MimecastCG_Internal_Mail_Protect.yaml",
+ "Analytic Rules/MimecastSEG/MimecastCG_Spam_Event.yaml",
+ "Analytic Rules/MimecastSEG/MimecastCG_Url_Protect.yaml",
+ "Analytic Rules/MimecastSEG/MimecastCG_Virus.yaml",
+ "Analytic Rules/MimecastSEG/MimecastDLP_hold.yaml",
+ "Analytic Rules/MimecastSEG/MimecastDLP_Notifications.yaml"
+ ],
+ "Workbooks": [
+ "Workbooks/Mimecast_Audit_Workbook.json",
+ "Workbooks/Mimecast_Awareness_Training_Workbook.json",
+ "Workbooks/Mimecast_Cloud_Integrated_Workbook.json",
+ "Workbooks/Mimecast_SEG_Workbook.json",
+ "Workbooks/Mimecast_TTP_Workbook.json"
+ ],
+ "Playbooks": [
+ "Playbooks/Mimecast Data Connector Trigger Sync/azuredeploy.json"
+ ],
+ "Parsers": [
+ "Parsers/MimecastAT/Mimecast_AT_Performane_Detail.yaml",
+ "Parsers/MimecastAT/Mimecast_AT_Safe_Score.yaml",
+ "Parsers/MimecastAT/Mimecast_AT_User_Data.yaml",
+ "Parsers/MimecastAT/Mimecast_AT_Watchlist.yaml",
+ "Parsers/MimecastAudit/Mimecast_Audit.yaml",
+ "Parsers/MimecastCI/Mimecast_Cloud_Integrated.yaml",
+ "Parsers/MimecastSEG/Mimecast_SEG_CG.yaml",
+ "Parsers/MimecastSEG/Mimecast_SEG_DLP.yaml",
+ "Parsers/MimecastTTP/Mimecast_TTP_Attachment.yaml",
+ "Parsers/MimecastTTP/Mimecast_TTP_Impersonation.yaml",
+ "Parsers/MimecastTTP/Mimecast_TTP_Url.yaml"
+ ],
+ "Data Connectors": [
+ "Data Connectors/MimecastAT/Mimecast_AT_FunctionApp.json",
+ "Data Connectors/MimecastAudit/Mimecast_Audit_FunctionApp.json",
+ "Data Connectors/MimecastCloudIntegrated/Mimecast_Cloud_Integrated_FunctionApp.json",
+ "Data Connectors/MimecastSEG/Mimecast_SEG_FunctionApp.json",
+ "Data Connectors/MimecastTTP/Mimecast_TTP_FunctionApp.json"
+ ],
+ "BasePath": "C:\\Azure-Sentinel\\Solutions\\Mimecast",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+}
\ No newline at end of file
diff --git a/Solutions/Mimecast/Package/3.0.0.zip b/Solutions/Mimecast/Package/3.0.0.zip
new file mode 100644
index 00000000000..6d317cdf3bc
Binary files /dev/null and b/Solutions/Mimecast/Package/3.0.0.zip differ
diff --git a/Solutions/Mimecast/Package/createUiDefinition.json b/Solutions/Mimecast/Package/createUiDefinition.json
new file mode 100644
index 00000000000..3e80a88cea9
--- /dev/null
+++ b/Solutions/Mimecast/Package/createUiDefinition.json
@@ -0,0 +1,456 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Mimecast/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nAn Azure app to enable Mimecast data to be viewed using analytical tables and charts which are brought into Azure.\n\n**Data Connectors:** 5, **Parsers:** 11, **Workbooks:** 5, **Analytic Rules:** 13, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list 
only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Mimecast. You can get Mimecast custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Mimecast. You can get Mimecast custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Mimecast. You can get Mimecast custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Mimecast. You can get Mimecast custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." 
+ } + }, + { + "name": "dataconnectors5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for Mimecast. You can get Mimecast custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-parser-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." 
+ } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "Mimecast Audit Workbook", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "A workbook providing insights into Mimecast Audit." + } + } + ] + }, + { + "name": "workbook2", + "type": "Microsoft.Common.Section", + "label": "Mimecast Awareness Training Workbook", + "elements": [ + { + "name": "workbook2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "A workbook providing insights into Mimecast Awareness Training." + } + } + ] + }, + { + "name": "workbook3", + "type": "Microsoft.Common.Section", + "label": "Mimecast Cloud Integrated Workbook", + "elements": [ + { + "name": "workbook3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "A workbook providing insights into Mimecast Cloud Integrated." + } + } + ] + }, + { + "name": "workbook4", + "type": "Microsoft.Common.Section", + "label": "Mimecast Secure Email Gateway Workbook", + "elements": [ + { + "name": "workbook4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "A workbook providing insights into Mimecast Secure Email Gateway." + } + } + ] + }, + { + "name": "workbook5", + "type": "Microsoft.Common.Section", + "label": "Mimecast Targeted Threat Protection Workbook", + "elements": [ + { + "name": "workbook5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "A workbook providing insights into Mimecast Targeted Threat Protection." 
+ } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Mimecast Targeted Threat Protection - Attachment Protect", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects a threat for an unsafe attachment in an email." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Mimecast Targeted Threat Protection - Impersonation Protect", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects a maliciously tagged impersonation." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Mimecast Targeted Threat Protection - URL Protect", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects malicious scan results and actions which are not allowed." 
+ } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "Mimecast Audit - Logon Authentication Failed", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects threat when logon authentication failure found in audit" + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "Mimecast Secure Email Gateway - Attachment Protect", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detect threat for mail attachment under the targeted threat protection." + } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "Mimecast Secure Email Gateway - AV", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects threats from email anti virus scan." + } + } + ] + }, + { + "name": "analytic7", + "type": "Microsoft.Common.Section", + "label": "Mimecast Secure Email Gateway - Impersonation Protect", + "elements": [ + { + "name": "analytic7-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects threats from impersonation mail under targeted threat protection." + } + } + ] + }, + { + "name": "analytic8", + "type": "Microsoft.Common.Section", + "label": "Mimecast Secure Email Gateway - Internal Email Protect", + "elements": [ + { + "name": "analytic8-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects threats from internal email threat protection." + } + } + ] + }, + { + "name": "analytic9", + "type": "Microsoft.Common.Section", + "label": "Mimecast Secure Email Gateway - Spam Event Thread", + "elements": [ + { + "name": "analytic9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects threat from spam event thread protection logs." 
+ } + } + ] + }, + { + "name": "analytic10", + "type": "Microsoft.Common.Section", + "label": "Mimecast Secure Email Gateway - URL Protect", + "elements": [ + { + "name": "analytic10-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detect threat when potentially malicious url found." + } + } + ] + }, + { + "name": "analytic11", + "type": "Microsoft.Common.Section", + "label": "Mimecast Secure Email Gateway - Virus", + "elements": [ + { + "name": "analytic11-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detect threat for virus from mail receipt virus event." + } + } + ] + }, + { + "name": "analytic12", + "type": "Microsoft.Common.Section", + "label": "Mimecast Data Leak Prevention - Hold", + "elements": [ + { + "name": "analytic12-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects threat for data leak when action is hold" + } + } + ] + }, + { + "name": "analytic13", + "type": "Microsoft.Common.Section", + "label": "Mimecast Data Leak Prevention - Notifications", + "elements": [ + { + "name": "analytic13-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Detects threat for data leak when action is notification" + } + } + ] + } + ] + }, + { + "name": "playbooks", + "label": "Playbooks", + "subLabel": { + "preValidation": "Configure the playbooks", + "postValidation": "Done" + }, + "bladeTitle": "Playbooks", + "elements": [ + { + "name": "playbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub." 
+ } + }, + { + "name": "playbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/Mimecast/Package/mainTemplate.json b/Solutions/Mimecast/Package/mainTemplate.json new file mode 100644 index 00000000000..e551f01a1e3 --- /dev/null +++ b/Solutions/Mimecast/Package/mainTemplate.json 
@@ -0,0 +1,6760 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Mimecast - dlapi@mimecast.com", + "comments": "Solution template for Mimecast" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": "Mimecast Audit Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook2-name": { + "type": "string", + "defaultValue": "Mimecast Awareness Training Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook3-name": { + "type": "string", + "defaultValue": "Mimecast Cloud Integrated Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook4-name": { + "type": "string", + "defaultValue": "Mimecast Secure Email Gateway Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook5-name": { + "type": "string", + "defaultValue": "Mimecast Targeted Threat Protection Workbook", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "dlapi@mimecast.com", + "_email": "[variables('email')]", + "_solutionName": 
"Mimecast", + "_solutionVersion": "3.0.0", + "solutionId": "mimecastnorthamerica1584469118674.azure-sentinel-solution-mimecast", + "_solutionId": "[variables('solutionId')]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "617a55be-a8d8-49c1-8687-d19a0231056f", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '617a55be-a8d8-49c1-8687-d19a0231056f')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('617a55be-a8d8-49c1-8687-d19a0231056f')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','617a55be-a8d8-49c1-8687-d19a0231056f','-', '1.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.0", + "_analyticRulecontentId2": "c048fa06-0d50-4626-ae82-a6cea812d9c4", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c048fa06-0d50-4626-ae82-a6cea812d9c4')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c048fa06-0d50-4626-ae82-a6cea812d9c4')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c048fa06-0d50-4626-ae82-a6cea812d9c4','-', '1.0.0')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.0", + "_analyticRulecontentId3": "952faed4-c6a6-4873-aeb9-b348e9ce5aba", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '952faed4-c6a6-4873-aeb9-b348e9ce5aba')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('952faed4-c6a6-4873-aeb9-b348e9ce5aba')))]", + 
"_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','952faed4-c6a6-4873-aeb9-b348e9ce5aba','-', '1.0.0')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.0", + "_analyticRulecontentId4": "f00197ab-491f-41e7-9e22-a7003a4c1e54", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f00197ab-491f-41e7-9e22-a7003a4c1e54')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f00197ab-491f-41e7-9e22-a7003a4c1e54')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f00197ab-491f-41e7-9e22-a7003a4c1e54','-', '1.0.0')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.0", + "_analyticRulecontentId5": "72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','72bd7b0c-493c-4fa5-8a95-7f6376b6cfb2','-', '1.0.0')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.0", + "_analyticRulecontentId6": "33bf0cc9-e568-42bf-9571-c22adf7be66d", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '33bf0cc9-e568-42bf-9571-c22adf7be66d')]", + "analyticRuleTemplateSpecName6": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('33bf0cc9-e568-42bf-9571-c22adf7be66d')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','33bf0cc9-e568-42bf-9571-c22adf7be66d','-', '1.0.0')))]" + }, + "analyticRuleObject7": { + "analyticRuleVersion7": "1.0.0", + "_analyticRulecontentId7": "2ef77cef-439f-4d94-848f-3eca67510d2f", + "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2ef77cef-439f-4d94-848f-3eca67510d2f')]", + "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2ef77cef-439f-4d94-848f-3eca67510d2f')))]", + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2ef77cef-439f-4d94-848f-3eca67510d2f','-', '1.0.0')))]" + }, + "analyticRuleObject8": { + "analyticRuleVersion8": "1.0.0", + "_analyticRulecontentId8": "d3bd7640-3600-49f9-8d10-6fe312e68b4f", + "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd3bd7640-3600-49f9-8d10-6fe312e68b4f')]", + "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d3bd7640-3600-49f9-8d10-6fe312e68b4f')))]", + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d3bd7640-3600-49f9-8d10-6fe312e68b4f','-', '1.0.0')))]" + }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.0", + "_analyticRulecontentId9": "0cda82c8-e8f0-4117-896e-a10f1b43e64a", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '0cda82c8-e8f0-4117-896e-a10f1b43e64a')]", + 
"analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('0cda82c8-e8f0-4117-896e-a10f1b43e64a')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','0cda82c8-e8f0-4117-896e-a10f1b43e64a','-', '1.0.0')))]" + }, + "analyticRuleObject10": { + "analyticRuleVersion10": "1.0.0", + "_analyticRulecontentId10": "80f244cd-b0d6-404e-9aed-37f7a66eda9f", + "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '80f244cd-b0d6-404e-9aed-37f7a66eda9f')]", + "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('80f244cd-b0d6-404e-9aed-37f7a66eda9f')))]", + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','80f244cd-b0d6-404e-9aed-37f7a66eda9f','-', '1.0.0')))]" + }, + "analyticRuleObject11": { + "analyticRuleVersion11": "1.0.0", + "_analyticRulecontentId11": "d78d7352-fa5a-47d4-b48f-cb2c3252c0eb", + "analyticRuleId11": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'd78d7352-fa5a-47d4-b48f-cb2c3252c0eb')]", + "analyticRuleTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('d78d7352-fa5a-47d4-b48f-cb2c3252c0eb')))]", + "_analyticRulecontentProductId11": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d78d7352-fa5a-47d4-b48f-cb2c3252c0eb','-', '1.0.0')))]" + }, + "analyticRuleObject12": { + "analyticRuleVersion12": "1.0.0", + "_analyticRulecontentId12": "8e52bcf1-4f50-4c39-8678-d9efad64e379", + "analyticRuleId12": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 
'8e52bcf1-4f50-4c39-8678-d9efad64e379')]", + "analyticRuleTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('8e52bcf1-4f50-4c39-8678-d9efad64e379')))]", + "_analyticRulecontentProductId12": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','8e52bcf1-4f50-4c39-8678-d9efad64e379','-', '1.0.0')))]" + }, + "analyticRuleObject13": { + "analyticRuleVersion13": "1.0.0", + "_analyticRulecontentId13": "cfd67598-ad0d-430a-a793-027eb4dbe967", + "analyticRuleId13": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cfd67598-ad0d-430a-a793-027eb4dbe967')]", + "analyticRuleTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cfd67598-ad0d-430a-a793-027eb4dbe967')))]", + "_analyticRulecontentProductId13": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cfd67598-ad0d-430a-a793-027eb4dbe967','-', '1.0.0')))]" + }, + "workbookVersion1": "1.0.0", + "workbookContentId1": "Mimecast_Audit_Workbook", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "workbookVersion2": "1.0.0", + "workbookContentId2": 
"Mimecast_Awareness_Training_Workbook", + "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", + "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", + "_workbookContentId2": "[variables('workbookContentId2')]", + "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", + "workbookVersion3": "1.0.0", + "workbookContentId3": "Mimecast_Cloud_Integrated_Workbook", + "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]", + "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", + "_workbookContentId3": "[variables('workbookContentId3')]", + "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]", + "workbookVersion4": "1.0.0", + "workbookContentId4": "Mimecast_SEG_Workbook", + "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]", + "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]", + "_workbookContentId4": "[variables('workbookContentId4')]", + "_workbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId4'),'-', variables('workbookVersion4'))))]", + "workbookVersion5": "1.0.0", + "workbookContentId5": 
"Mimecast_TTP_Workbook", + "workbookId5": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId5'))]", + "workbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId5'))))]", + "_workbookContentId5": "[variables('workbookContentId5')]", + "_workbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId5'),'-', variables('workbookVersion5'))))]", + "Mimecast Data Connector Trigger Sync": "Mimecast Data Connector Trigger Sync", + "_Mimecast Data Connector Trigger Sync": "[variables('Mimecast Data Connector Trigger Sync')]", + "TemplateEmptyArray": "[json('[]')]", + "playbookVersion1": "1.0", + "playbookContentId1": "Mimecast Data Connector Trigger Sync", + "_playbookContentId1": "[variables('playbookContentId1')]", + "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "blanks": "[replace('b', 'b', '')]", + "parserObject1": { + "_parserName1": "[concat(parameters('workspace'),'/','AwarenessPerformanceDetails')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessPerformanceDetails')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('AwarenessPerformanceDetails-Parser')))]", + "parserVersion1": "1.0.0", + 
"parserContentId1": "AwarenessPerformanceDetails-Parser" + }, + "parserObject2": { + "_parserName2": "[concat(parameters('workspace'),'/','AwarenessSafeScore')]", + "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessSafeScore')]", + "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('AwarenessSafeScore-Parser')))]", + "parserVersion2": "1.0.0", + "parserContentId2": "AwarenessSafeScore-Parser" + }, + "parserObject3": { + "_parserName3": "[concat(parameters('workspace'),'/','AwarenessUserData')]", + "_parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessUserData')]", + "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('AwarenessUserData-Parser')))]", + "parserVersion3": "1.0.0", + "parserContentId3": "AwarenessUserData-Parser" + }, + "parserObject4": { + "_parserName4": "[concat(parameters('workspace'),'/','AwarenessWatchlist')]", + "_parserId4": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessWatchlist')]", + "parserTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('AwarenessWatchlist-Parser')))]", + "parserVersion4": "1.0.0", + "parserContentId4": "AwarenessWatchlist-Parser" + }, + "parserObject5": { + "_parserName5": "[concat(parameters('workspace'),'/','MimecastAudit')]", + "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastAudit')]", + "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MimecastAudit-Parser')))]", + "parserVersion5": "1.0.0", + 
"parserContentId5": "MimecastAudit-Parser" + }, + "parserObject6": { + "_parserName6": "[concat(parameters('workspace'),'/','MimecastCloudIntegrated')]", + "_parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastCloudIntegrated')]", + "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MimecastCloudIntegrated-Parser')))]", + "parserVersion6": "1.0.0", + "parserContentId6": "MimecastCloudIntegrated-Parser" + }, + "parserObject7": { + "_parserName7": "[concat(parameters('workspace'),'/','MimecastCG')]", + "_parserId7": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastCG')]", + "parserTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MimecastCG-Parser')))]", + "parserVersion7": "1.0.0", + "parserContentId7": "MimecastCG-Parser" + }, + "parserObject8": { + "_parserName8": "[concat(parameters('workspace'),'/','MimecastDLP')]", + "_parserId8": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastDLP')]", + "parserTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MimecastDLP-Parser')))]", + "parserVersion8": "1.0.0", + "parserContentId8": "MimecastDLP-Parser" + }, + "parserObject9": { + "_parserName9": "[concat(parameters('workspace'),'/','MimecastTTPAttachment')]", + "_parserId9": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastTTPAttachment')]", + "parserTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MimecastTTPAttachment-Parser')))]", + "parserVersion9": "1.0.0", + "parserContentId9": 
"MimecastTTPAttachment-Parser" + }, + "parserObject10": { + "_parserName10": "[concat(parameters('workspace'),'/','MimecastTTPImpersonation')]", + "_parserId10": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastTTPImpersonation')]", + "parserTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MimecastTTPImpersonation-Parser')))]", + "parserVersion10": "1.0.0", + "parserContentId10": "MimecastTTPImpersonation-Parser" + }, + "parserObject11": { + "_parserName11": "[concat(parameters('workspace'),'/','MimecastTTPUrl')]", + "_parserId11": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastTTPUrl')]", + "parserTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('MimecastTTPUrl-Parser')))]", + "parserVersion11": "1.0.0", + "parserContentId11": "MimecastTTPUrl-Parser" + }, + "uiConfigId1": "MimecastATAPI", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": "MimecastATAPI", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', 
variables('dataConnectorVersion1'))))]", + "uiConfigId2": "MimecastAuditAPI", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "MimecastAuditAPI", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", + "uiConfigId3": "MimecastCIAPI", + "_uiConfigId3": "[variables('uiConfigId3')]", + "dataConnectorContentId3": "MimecastCIAPI", + "_dataConnectorContentId3": "[variables('dataConnectorContentId3')]", + "dataConnectorId3": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "_dataConnectorId3": "[variables('dataConnectorId3')]", + "dataConnectorTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId3'))))]", + "dataConnectorVersion3": "1.0.0", + "_dataConnectorcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId3'),'-', variables('dataConnectorVersion3'))))]", + "uiConfigId4": "MimecastSEGAPI", + "_uiConfigId4": 
"[variables('uiConfigId4')]", + "dataConnectorContentId4": "MimecastSEGAPI", + "_dataConnectorContentId4": "[variables('dataConnectorContentId4')]", + "dataConnectorId4": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "_dataConnectorId4": "[variables('dataConnectorId4')]", + "dataConnectorTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId4'))))]", + "dataConnectorVersion4": "1.0.0", + "_dataConnectorcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId4'),'-', variables('dataConnectorVersion4'))))]", + "uiConfigId5": "MimecastTTPAPI", + "_uiConfigId5": "[variables('uiConfigId5')]", + "dataConnectorContentId5": "MimecastTTPAPI", + "_dataConnectorContentId5": "[variables('dataConnectorContentId5')]", + "dataConnectorId5": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "_dataConnectorId5": "[variables('dataConnectorId5')]", + "dataConnectorTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId5'))))]", + "dataConnectorVersion5": "1.0.0", + "_dataConnectorcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId5'),'-', variables('dataConnectorVersion5'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', 
uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_TTP_Attachment_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects a threat for an unsafe attachment in an email.", + "displayName": "Mimecast Targeted Threat Protection - Attachment Protect", + "enabled": false, + "query": "MimecastTTPAttachment\n| where Result != \"safe\"\n| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastTTPAPI", + "dataTypes": [ + "MimecastTTPAttachment" + ] + } + ], + "tactics": [ + "InitialAccess", + "Discovery" + ], + "techniques": [ + 
"T0865" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderAddress" + }, + { + "identifier": "Recipient", + "columnName": "RecipientAddress" + }, + { + "identifier": "Subject", + "columnName": "Subject" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Mimecast Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Targeted Threat Protection - Attachment Protect", + "contentProductId": 
"[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_TTP_Impersonation_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects a maliciously tagged impersonation.", + "displayName": "Mimecast Targeted Threat Protection - Impersonation Protect", + "enabled": false, + "query": "MimecastTTPImpersonation\n| where ['Tagged Malicious'] == true\n| extend SenderAddress = ['Sender Address'],\n SenderIPAddress = ['Sender IP Address'],\n RecipientAddress = ['Recipient Address']\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastTTPAPI", + 
"dataTypes": [ + "MimecastTTPImpersonation" + ] + } + ], + "tactics": [ + "Exfiltration", + "Collection", + "Discovery" + ], + "techniques": [ + "T1114" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderAddress" + }, + { + "identifier": "SenderIP", + "columnName": "SenderIPAddress" + }, + { + "identifier": "Recipient", + "columnName": "RecipientAddress" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Mimecast Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + 
"contentKind": "AnalyticsRule", + "displayName": "Mimecast Targeted Threat Protection - Impersonation Protect", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_TTP_Url_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects malicious scan results and actions which are not allowed.", + "displayName": "Mimecast Targeted Threat Protection - URL Protect", + "enabled": false, + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and Action != \"allow\"\n| extend From_User_EmailAddress = ['From User Email Address'],MessageID = ['Message ID'] , User_EmailAddress = ['User Email Address']\n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + 
"triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastTTPAPI", + "dataTypes": [ + "MimecastTTPUrl" + ] + } + ], + "tactics": [ + "InitialAccess", + "Discovery" + ], + "techniques": [ + "T0865" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SendingIP" + } + ] + }, + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "From_User_EmailAddress" + }, + { + "identifier": "InternetMessageId", + "columnName": "MessageID" + }, + { + "identifier": "Recipient", + "columnName": "User_EmailAddress" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "identifier": "Url", + "columnName": "Url" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Mimecast Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": 
"https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Targeted Threat Protection - URL Protect", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_Audit_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects threat when logon authentication failure found in audit", + "displayName": "Mimecast Audit - Logon Authentication Failed", + "enabled": false, + "query": "MimecastAudit \n| 
where ['Source IP'] !=\"\" and ['Audit Type'] == \"Logon Authentication Failed\"\n| extend SourceIp = ['Source IP'] \n", + "queryFrequency": "PT30M", + "queryPeriod": "PT30M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 3, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastAuditAPI", + "dataTypes": [ + "MimecastAudit_CL" + ] + } + ], + "tactics": [ + "Discovery", + "InitialAccess", + "CredentialAccess" + ], + "techniques": [ + "T1110" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SourceIp" + } + ] + }, + { + "entityType": "Mailbox", + "fieldMappings": [ + { + "identifier": "MailboxPrimaryAddress", + "columnName": "User" + } + ] + }, + { + "entityType": "CloudApplication", + "fieldMappings": [ + { + "identifier": "AppId", + "columnName": "Application" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]", + "properties": { + "description": "Mimecast Analytics Rule 4", + "parentId": "[variables('analyticRuleObject4').analyticRuleId4]", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": 
"Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Audit - Logon Authentication Failed", + "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastCG_Attachment_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detect threat for mail 
attachment under the targeted threat protection.", + "displayName": "Mimecast Secure Email Gateway - Attachment Protect", + "enabled": false, + "query": "MimecastCG\n| where Type == \"email_ttp_ap\"\n| extend SenderEnvelope = ['Sender Envelope'] , SenderIp = ['Sender IP']\n", + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastSEGAPI", + "dataTypes": [ + "MimecastCG" + ] + } + ], + "tactics": [ + "Collection", + "Exfiltration", + "Discovery", + "InitialAccess", + "Execution" + ], + "techniques": [ + "T1114", + "T1566", + "T0865" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderEnvelope" + }, + { + "identifier": "Recipient", + "columnName": "Recipients" + }, + { + "identifier": "Subject", + "columnName": "Subject" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SenderIp" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]", + "properties": { + "description": "Mimecast Analytics Rule 5", + "parentId": "[variables('analyticRuleObject5').analyticRuleId5]", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "kind": "AnalyticsRule", + 
"version": "[variables('analyticRuleObject5').analyticRuleVersion5]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Secure Email Gateway - Attachment Protect", + "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastCG_AV_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRuleObject6')._analyticRulecontentId6]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects threats from email anti virus scan.", + "displayName": "Mimecast Secure Email Gateway - AV", + "enabled": false, + "query": "MimecastCG\n| where Type == \"email_antivirus\"\n| extend SenderEnvelope = ['Sender Envelope'] \n", + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "severity": "Informational", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastSEGAPI", + "dataTypes": [ + "MimecastCG" + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": [ + "T1053" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderEnvelope" + }, + { + "identifier": "Recipient", + "columnName": "Recipients" + }, + { + "identifier": "Subject", + "columnName": "Subject" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]", + "properties": { + "description": "Mimecast Analytics Rule 6", + "parentId": "[variables('analyticRuleObject6').analyticRuleId6]", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "kind": "AnalyticsRule", + "version": 
"[variables('analyticRuleObject6').analyticRuleVersion6]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Secure Email Gateway - AV", + "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject7').analyticRuleTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastCG_Impersonation_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": 
"[variables('analyticRuleObject7')._analyticRulecontentId7]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects threats from impersonation mail under targeted threat protection.", + "displayName": "Mimecast Secure Email Gateway - Impersonation Protect", + "enabled": false, + "query": "MimecastCG\n| where Type == \"email_ttp_impersonation\"\n| extend SenderEnvelope = ['Sender Envelope'] , SenderIp = ['Sender IP']\n", + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastSEGAPI", + "dataTypes": [ + "MimecastCG" + ] + } + ], + "tactics": [ + "Discovery", + "LateralMovement", + "Collection" + ], + "techniques": [ + "T1114" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderEnvelope" + }, + { + "identifier": "SenderIP", + "columnName": "SenderIp" + }, + { + "identifier": "Recipient", + "columnName": "Recipients" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject7').analyticRuleId7,'/'))))]", + "properties": { + "description": "Mimecast Analytics Rule 7", + "parentId": "[variables('analyticRuleObject7').analyticRuleId7]", + "contentId": 
"[variables('analyticRuleObject7')._analyticRulecontentId7]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Secure Email Gateway - Impersonation Protect", + "contentProductId": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "id": "[variables('analyticRuleObject7')._analyticRulecontentProductId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject8').analyticRuleTemplateSpecName8]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastCG_Internal_Mail_Protect_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "parameters": {}, + "variables": {}, + "resources": [ + 
{ + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects threats from internal email threat protection.", + "displayName": "Mimecast Secure Email Gateway - Internal Email Protect", + "enabled": false, + "query": "MimecastCG\n| where Type == \"email_iep\"\n| extend SenderEnvelope = ['Sender Envelope'] , MessageId = ['Message ID']\n", + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastSEGAPI", + "dataTypes": [ + "MimecastCG" + ] + } + ], + "tactics": [ + "LateralMovement", + "Persistence", + "Exfiltration" + ], + "techniques": [ + "T1534", + "T1546" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderEnvelope" + }, + { + "identifier": "Recipient", + "columnName": "Recipients" + }, + { + "identifier": "InternetMessageId", + "columnName": "MessageId" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject8').analyticRuleId8,'/'))))]", + "properties": { + "description": "Mimecast Analytics Rule 8", + "parentId": 
"[variables('analyticRuleObject8').analyticRuleId8]", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Secure Email Gateway - Internal Email Protect", + "contentProductId": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "id": "[variables('analyticRuleObject8')._analyticRulecontentProductId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastCG_Spam_Event_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('analyticRuleObject9').analyticRuleVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects threat from spam event thread protection logs.", + "displayName": "Mimecast Secure Email Gateway - Spam Event Thread", + "enabled": false, + "query": "MimecastCG\n| where Type == \"email_spam\"\n| extend SenderEnvelope = ['Sender Envelope'] \n", + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "severity": "Low", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastSEGAPI", + "dataTypes": [ + "MimecastCG" + ] + } + ], + "tactics": [ + "Discovery" + ], + "techniques": [ + "T1083" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderEnvelope" + }, + { + "identifier": "Recipient", + "columnName": "Recipients" + }, + { + "identifier": "Subject", + "columnName": "Subject" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", + "properties": { + "description": "Mimecast Analytics Rule 9", + "parentId": 
"[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Secure Email Gateway - Spam Event Thread", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject10').analyticRuleTemplateSpecName10]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastCG_Url_Protect_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('analyticRuleObject10').analyticRuleVersion10]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detect threat when potentially malicious url found.", + "displayName": "Mimecast Secure Email Gateway - URL Protect", + "enabled": false, + "query": "MimecastCG\n| where Type == \"email_ttp_url\"\n| extend SenderEnvelope = ['Sender Envelope']\n", + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastSEGAPI", + "dataTypes": [ + "MimecastCG" + ] + } + ], + "tactics": [ + "InitialAccess", + "Discovery", + "Execution" + ], + "techniques": [ + "T1566" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderEnvelope" + }, + { + "identifier": "Recipient", + "columnName": "Recipients" + }, + { + "identifier": "Subject", + "columnName": "Subject" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject10').analyticRuleId10,'/'))))]", + "properties": { + "description": "Mimecast 
Analytics Rule 10", + "parentId": "[variables('analyticRuleObject10').analyticRuleId10]", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Secure Email Gateway - URL Protect", + "contentProductId": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "id": "[variables('analyticRuleObject10')._analyticRulecontentProductId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject11').analyticRuleTemplateSpecName11]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastCG_Virus_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('analyticRuleObject11').analyticRuleVersion11]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detect threat for virus from mail receipt virus event.", + "displayName": "Mimecast Secure Email Gateway - Virus", + "enabled": false, + "query": "MimecastCG\n| where Type == \"email_receipt\" and isnotempty(['Virus Found'])\n| extend SenderEnvelope = ['Sender Envelope']\n", + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "severity": "Informational", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastSEGAPI", + "dataTypes": [ + "MimecastCG" + ] + } + ], + "tactics": [ + "Execution" + ], + "techniques": [ + "T1053" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderEnvelope" + }, + { + "identifier": "Recipient", + "columnName": "Recipients" + }, + { + "identifier": "Subject", + "columnName": "Subject" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject11').analyticRuleId11,'/'))))]", + "properties": { + "description": 
"Mimecast Analytics Rule 11", + "parentId": "[variables('analyticRuleObject11').analyticRuleId11]", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Secure Email Gateway - Virus", + "contentProductId": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "id": "[variables('analyticRuleObject11')._analyticRulecontentProductId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject12').analyticRuleTemplateSpecName12]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastDLP_hold_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('analyticRuleObject12').analyticRuleVersion12]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects threat for data leak when action is hold", + "displayName": "Mimecast Data Leak Prevention - Hold", + "enabled": false, + "query": "MimecastDLP \n| where Action == \"hold\"\n| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']\n", + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "severity": "Informational", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastSEGAPI", + "dataTypes": [ + "MimecastDLP" + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1030" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderAddress" + }, + { + "identifier": "Recipient", + "columnName": "RecipientAddress" + }, + { + "identifier": "DeliveryAction", + "columnName": "Action" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject12').analyticRuleId12,'/'))))]", + "properties": { + 
"description": "Mimecast Analytics Rule 12", + "parentId": "[variables('analyticRuleObject12').analyticRuleId12]", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Data Leak Prevention - Hold", + "contentProductId": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "id": "[variables('analyticRuleObject12')._analyticRulecontentProductId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject13').analyticRuleTemplateSpecName13]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MimecastDLP_Notifications_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + 
"contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detects threat for data leak when action is notification", + "displayName": "Mimecast Data Leak Prevention - Notifications", + "enabled": false, + "query": "MimecastDLP \n| where Action == \"notification\"\n| extend SenderAddress = ['Sender Address'] ,RecipientAddress = ['Recipient Address']\n", + "queryFrequency": "PT15M", + "queryPeriod": "PT15M", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "MimecastSEGAPI", + "dataTypes": [ + "MimecastDLP" + ] + } + ], + "tactics": [ + "Exfiltration" + ], + "techniques": [ + "T1030" + ], + "entityMappings": [ + { + "entityType": "MailMessage", + "fieldMappings": [ + { + "identifier": "Sender", + "columnName": "SenderAddress" + }, + { + "identifier": "Recipient", + "columnName": "RecipientAddress" + }, + { + "identifier": "DeliveryAction", + "columnName": "Action" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "matchingMethod": "AllEntities", + "reopenClosedIncident": false, + "lookbackDuration": "P7D", + "enabled": true + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject13').analyticRuleId13,'/'))))]", 
+ "properties": { + "description": "Mimecast Analytics Rule 13", + "parentId": "[variables('analyticRuleObject13').analyticRuleId13]", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "contentKind": "AnalyticsRule", + "displayName": "Mimecast Data Leak Prevention - Notifications", + "contentProductId": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "id": "[variables('analyticRuleObject13')._analyticRulecontentProductId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_Audit_Workbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": 
"[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "A workbook providing insights into Mimecast Audit." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82fedb33-961a-4199-a5ab-16340948ed10\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Category\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Audit & Authentication Events by 
Category\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"auditType_s\",\"formatter\":1},\"subtitleContent\":{\"columnMatch\":\"count_\"},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"sortCriteriaField\":\"auditType_s\",\"size\":\"auto\"},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"auditType_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"group\":\"Category\",\"createOtherGroup\":10,\"seriesLabelSettings\":[{\"seriesName\":\"reporting_logs\",\"label\":\"Reporting \"},{\"seriesName\":\"authentication_logs\",\"label\":\"Authentication\"},{\"seriesName\":\"case_review_logs\",\"label\":\"Case Review\"},{\"seriesName\":\"account_logs\",\"label\":\"Account\"},{\"seriesName\":\"profile_group_logs\",\"label\":\"Profile Group\"},{\"seriesName\":\"user_account_and_role_logs\",\"label\":\"User Account and Roles\"},{\"seriesName\":\"mimecast_access_logs\",\"label\":\"Mimecast Acess\"},{\"seriesName\":\"archive_service_logs\",\"label\":\"Archive Service\"},{\"seriesName\":\"policy_logs\",\"label\":\"Policy \"},{\"seriesName\":\"awareness_training_logs\",\"label\":\"Awareness Training\"},{\"seriesName\":\"secure_messaging_logs\",\"label\":\"Secure Messaging\"},{\"seriesName\":\"integrations_and_apis\",\"label\":\"Integrations and API's\"}]}},\"name\":\"query - 
18\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| summarize count() by ['Audit Type'] \",\"size\":3,\"showAnalytics\":true,\"title\":\"Audit Events by Type\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Audit Type\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 15\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| where Category == \\\"account_logs\\\"\\n| summarize count() by ['Audit Type']\",\"size\":3,\"showAnalytics\":true,\"title\":\"Account Events\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Audit Type\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| where Category == \\\"authentication_logs\\\"\\n| summarize count() by ['Audit Type']\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Authentication Events\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Audit 
Type\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 6\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| where Category == \\\"mimecast_access_logs\\\"\\n| summarize count() by ['Audit Type']\",\"size\":3,\"showAnalytics\":true,\"title\":\"Mimecast Support Access Events\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Audit Type\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 8\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| where Category == \\\"archive_service_logs\\\"\\n| summarize count() by ['Audit Type']\",\"size\":3,\"showAnalytics\":true,\"title\":\"Archive Service Events\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Audit Type\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 10\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| where Category == \\\"user_account_and_role_logs\\\"\\n| summarize count() by ['Audit Type']\",\"size\":3,\"showAnalytics\":true,\"title\":\"User Account and Role 
Events\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Audit Type\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 12\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| where Category == \\\"policy_logs\\\"\\n| summarize count() by ['Audit Type']\",\"size\":3,\"showAnalytics\":true,\"title\":\"Policy Events\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Audit Type\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 14\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| where ['Audit Type'] == \\\"User Logged On\\\" and Application !=\\\"\\\"\\n| summarize count() by Application\",\"size\":3,\"showAnalytics\":true,\"title\":\"Successful Logins by Application\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Application\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 8\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| where ['Source IP'] 
!=\\\"unknown\\\" and ['Audit Type'] == \\\"User Logged On\\\"\\n| summarize count() by User, Application, ['Source IP'] , [\\\"Event Time\\\"] \",\"size\":0,\"showAnalytics\":true,\"title\":\"Successful Logins by User, App and Source IP\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Successful Logins\"}]},\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"user_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"user_s\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"count_\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"createOtherGroup\":0},\"mapSettings\":{\"locInfo\":\"AzureResource\",\"locInfoColumn\":\"src_s\",\"sizeAggregation\":\"Count\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"thresholds\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"blue\"}]}}},\"name\":\"query - 12\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastAudit\\n| where ['Source IP'] !=\\\"unknown\\\" and ['Audit Type'] == \\\"Logon Authentication Failed\\\"\\n| summarize [\\\"Failed Login\\\"] = count() by User, Application, ['Source IP'], ['Event Time']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Failed Logins by User, App and Source 
IP\",\"timeContextFromParameter\":\"time_range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true,\"sortBy\":[{\"itemKey\":\"User\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"User\",\"sortOrder\":1}]},\"name\":\"query - 14\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}}]},\"name\":\"group - 5\"},{\"type\":1,\"content\":{\"json\":\"#### 📝***Refresh the web page to fetch details of recently collected events***\\r\\n\"},\"name\":\"text - 4\"}]},\"name\":\"group - 9\"}],\"fromTemplateId\":\"Sentinel-Mimecast-Audit-Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=Mimecast_Audit_Workbook; logoFileName=Mimecast.svg; description=A workbook providing insights into Mimecast Audit.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Mimecast Audit Workbook; templateRelativePath=Mimecast_Audit_Workbook.json; subtitle=; provider=Mimecast}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": 
"support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Audit_CL", + "kind": "DataType" + }, + { + "contentId": "MimecastAuditAPI", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_Awareness_Training_Workbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId2')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "A workbook providing insights into Mimecast Awareness Training." 
+ }, + "properties": { + "displayName": "[parameters('workbook2-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"6c07c649-3f3c-4383-ac47-32494f912d63\",\"cellValue\":\"setTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Human Risk Overview\",\"subTarget\":\"HumanRisk\",\"style\":\"link\"},{\"id\":\"5884fe55-37eb-4fb0-8835-61de095259ed\",\"cellValue\":\"setTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Awareness Training\",\"subTarget\":\"AwarenessTraining\",\"style\":\"link\"},{\"id\":\"d69c5034-e10a-4d89-b776-dede3e65da34\",\"cellValue\":\"setTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Phishing Training\",\"subTarget\":\"PhishingTraining\",\"style\":\"link\"}]},\"name\":\"links - 5\"},{\"type\":1,\"content\":{\"json\":\"\\r\\n\\r\\n---\"},\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"568f52ad-774c-4bf2-84e2-b0b7d5610797\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"0f645fbe-75ca-4eff-a2ed-c25bacdedfc7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Email\",\"type\":1,\"query\":\"print 
tostring('*')\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":1,\"content\":{\"json\":\"### Watchlist Panels\\r\\n\\r\\n----\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessWatchlist\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') and isnotempty(Email)\\r\\n| summarize Count = count() by ['Watchlist Count']\\r\\n| project tostring(toint(['Watchlist Count'])) , Count\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Watchlist Count\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Watchlist Count\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"35\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"35%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessWatchlist\\r\\n| project Email , Name , [\\\"Watchlist Count\\\"] , ['User State'] \",\"size\":0,\"showAnalytics\":true,\"title\":\"Watchlist Overview\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"65\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"65%\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Performance Panels\\r\\n\\r\\n\\r\\n----\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessPerformanceDetails\\r\\n| project Email , ['Num 
of Correct'] , ['Num of Incorrect'] , ['Num of Not Watched'] , Name , ['User Details'] , ['User State'] , Department \",\"size\":0,\"showAnalytics\":true,\"title\":\"Performance Overview\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessPerformanceDetails\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') and isnotempty(Email)\\r\\n| summarize Count = count() by tostring( toint(['Num of Correct'])) \",\"size\":0,\"showAnalytics\":true,\"title\":\"Correct Number by Count\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\",\"chartSettings\":{\"group\":\"Num of Correct\"}},\"customWidth\":\"33\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessPerformanceDetails\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') and isnotempty(Email)\\r\\n| summarize Count = count() by tostring( toint(['Num of Incorrect'])) \\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Incorrect Number by Count\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"33\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessPerformanceDetails\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') and isnotempty(Email)\\r\\n| sort by ['Num of Not Watched'] \\r\\n| summarize 
Count = count() by tostring( toint(['Num of Not Watched'])) \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Not Watched by Count\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"33\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"33%\"}}]},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### User Stats Panels\\r\\n\\r\\n----\"},\"name\":\"text - 9\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"994dee73-1b2c-43cd-b3e5-e91e6c3495ab\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Template_Name\",\"label\":\"Template Name\",\"type\":2,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"AwarenessUserData\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') \\r\\n and isnotempty(Email)\\r\\n| where isnotempty(['Template Name'])\\r\\n| distinct ['Template Name']\\r\\n| sort by ['Template Name'] asc\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"selectAllValue\":\"*\",\"showDefault\":false},\"timeContext\":{\"durationMs\":2419200000},\"timeContextFromParameter\":\"Time_Range\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessUserData\\r\\n| project Name , Email , Status, ['Template Name'] , ['Num of Campaigns Clicked'] , ['Num of Campaigns Sent'] , ['Num of Correct Answers'] , ['Num of Incorrect Answers'] , ['Num of Training Modules Assigned'] , ['User State'] , ['Clicked IP'] , ['Reaction Time'] , ['Time Clicked'] , ['Time Opened'] , ['Time Reported'] , ['Time 
Scheduled']\",\"size\":0,\"showAnalytics\":true,\"title\":\"User Stats Overview\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessUserData\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') \\r\\n and isnotempty(Email)\\r\\n and isnotempty(['Template Name'])\\r\\n| where ( ('{Template_Name}') == \\\"*\\\" or ['Template Name'] == ('{Template_Name}'))\\r\\n| summarize Count = count() by ['Num of Campaigns Sent']\\r\\n| project tostring(toint(['Num of Campaigns Sent'])) , Count\\r\\n\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Number of Campaigns Sent\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"graphSettings\":{\"type\":0},\"chartSettings\":{\"group\":\"Num of Campaigns Sent\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessUserData\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') \\r\\n and isnotempty(Email)\\r\\n and isnotempty(['Template Name'])\\r\\n| where ( ('{Template_Name}') == \\\"*\\\" or ['Template Name'] == ('{Template_Name}'))\\r\\n| summarize Count = count() by ['Num of Campaigns Clicked']\\r\\n| project tostring(toint(['Num of Campaigns Clicked'])) , Count\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Number of Campaigns 
Clicked\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Num of Campaigns Clicked\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessUserData\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') \\r\\n and isnotempty(Email)\\r\\n and isnotempty(['Template Name'])\\r\\n| where ( ('{Template_Name}') == \\\"*\\\" or ['Template Name'] == ('{Template_Name}'))\\r\\n| summarize Count = count() by ['Num of Training Modules Assigned']\\r\\n| project tostring(toint(['Num of Training Modules Assigned'])) , Count\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Number of Training Modules Assigned\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Num of Training Modules Assigned\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessUserData\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') \\r\\n and isnotempty(Email)\\r\\n and isnotempty(['Template Name'])\\r\\n| where ( ('{Template_Name}') == \\\"*\\\" or ['Template Name'] == ('{Template_Name}'))\\r\\n| summarize Count = count() by ['Num of Correct Answers']\\r\\n| project tostring(toint(['Num of Correct Answers'])) , Count\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Number of Correct 
Answers\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Num of Correct Answers\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessUserData\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') \\r\\n and isnotempty(Email)\\r\\n and isnotempty(['Template Name'])\\r\\n| where ( ('{Template_Name}') == \\\"*\\\" or ['Template Name'] == ('{Template_Name}'))\\r\\n| summarize Count = count() by ['Num of Incorrect Answers']\\r\\n| project tostring(toint(['Num of Incorrect Answers'])) , Count\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Number of Incorrect Answers\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Num of Incorrect Answers\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessUserData\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') \\r\\n and isnotempty(Email)\\r\\n and isnotempty(['Template Name'])\\r\\n| where ( ('{Template_Name}') == \\\"*\\\" or ['Template Name'] == ('{Template_Name}'))\\r\\n| where isnotempty(['Clicked IP'] )\\r\\n| summarize Count = count() by ['Clicked IP']\\r\\n| project tostring(['Clicked IP']) , Count\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Clicked 
Ip\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Clicked IP\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":1,\"content\":{\"json\":\"#### 📝***Refresh the web page to fetch details of recently collected events***\\r\\n\"},\"name\":\"text - 5 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"setTab\",\"comparison\":\"isEqualTo\",\"value\":\"AwarenessTraining\"},\"name\":\"group - 3\",\"styleSettings\":{\"padding\":\"10px\"}}]},\"conditionalVisibility\":{\"parameterName\":\"setTab\",\"comparison\":\"isEqualTo\",\"value\":\"AwarenessTraining\"},\"name\":\"group - 1\",\"styleSettings\":{\"padding\":\"10px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"f9053e40-ba9b-40ed-afe4-8ab6731de894\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"2025c297-a05f-43e6-8af9-f24122e95e81\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Email\",\"type\":1,\"query\":\"print 
tostring('*')\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"dafsaf\",\"comparison\":\"isNotEqualTo\"},\"name\":\"parameters - 0 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"setTab\",\"comparison\":\"isEqualTo\",\"value\":\"AwarenessTraining\"},\"name\":\"group - 4\",\"styleSettings\":{\"padding\":\"10px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"6a8902e3-d3e9-4465-9976-aaf29c1db37d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"316968d2-96df-4bb9-acf7-b04a018c203f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Email\",\"type\":1,\"query\":\"print tostring('*')\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessSafeScore\\r\\n| where ('{Email}' == \\\"*\\\" or ['Email Address'] == '{Email}') and isnotempty(['Email 
Address'])\\r\\n| summarize Count = count() by Risk\\r\\n| order by Risk desc\\r\\n| take 1\",\"size\":3,\"title\":\"Highest Risk\",\"timeContextFromParameter\":\"Time_Range\",\"exportFieldName\":\"Risk\",\"exportParameterName\":\"HighestRisk\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Risk\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"rightContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"min\":0,\"palette\":\"turquoise\"}},\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"💡 To view Risk details, please click on above tile\"},\"conditionalVisibility\":{\"parameterName\":\"HighestRisk\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessSafeScore\\r\\n| where ('{Email}' == \\\"*\\\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\\r\\n|project [\\\"Email Address\\\"] , Name , Risk , [\\\"Human Error\\\"], Sentiment, Engagement , Knowledge , ['User State']\\r\\n| order by Risk desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Highest Risk Details\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Risk\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false},\"textSettings\":{\"style\":\"bignumber\"}},\"conditionalVisibility\":{\"parameterName\":\"HighestRisk\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5 - 
Copy\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}}]},\"name\":\"group - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessSafeScore\\r\\n| where ('{Email}' == \\\"*\\\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\\r\\n| summarize Count = count() by Risk\\r\\n| project Risk, Count\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Risk\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Risk\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessSafeScore\\r\\n| where ('{Email}' == \\\"*\\\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\\r\\n| summarize Count = count() by ['Human Error']\\r\\n| project ['Human Error'], Count\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Human Error\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Human Error\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 1\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessSafeScore\\r\\n| where ('{Email}' == \\\"*\\\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\\r\\n| summarize Count = count() by Sentiment\\r\\n\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by 
Sentiment\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Sentiment\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessSafeScore\\r\\n| where ('{Email}' == \\\"*\\\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\\r\\n| summarize Count = count() by Engagement\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Engagement\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Engagement\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessSafeScore\\r\\n| where ('{Email}' == \\\"*\\\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\\r\\n| summarize Count = count() by Knowledge\\r\\n\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by Knowledge\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Knowledge\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 4\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessSafeScore\\r\\n| where ('{Email}' == \\\"*\\\" or ['Email Address'] == '{Email}') and isnotempty(['Email 
Address'])\\r\\n| summarize Count = count() by ['User State'] \\r\\n\\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Breakdown by User State\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"User State\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 5\",\"styleSettings\":{\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessSafeScore\\r\\n| project [\\\"Email Address\\\"] , Name , Risk , [\\\"Human Error\\\"] , Sentiment, Engagement , Knowledge , ['User State'] \",\"size\":0,\"showAnalytics\":true,\"title\":\"Safe Scores Overview\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 8\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"#### 📝***Refresh the web page to fetch details of recently collected events***\\r\\n\"},\"name\":\"text - 5 - Copy - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"setTab\",\"comparison\":\"isEqualTo\",\"value\":\"HumanRisk\"},\"name\":\"group - 3\",\"styleSettings\":{\"padding\":\"10px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"03fcf595-8dee-44c7-9d71-c09a88138a32\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time 
Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"41460584-1c2c-4af8-9aab-086bb8aff8eb\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Email\",\"type\":1,\"query\":\"print tostring('*')\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0 - Copy - Copy\"},{\"type\":1,\"content\":{\"json\":\"### To see an phishing training details , go to the Awareness Training tab and check the User Stats Overview panel.\\r\\n\",\"style\":\"info\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessUserData\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') \\r\\n and isnotempty(Email)\\r\\n| summarize by Email, ['Template Name']\\r\\n| summarize Count = count() by ['Template Name']\\r\\n| order by Count desc\\r\\n| take 10\\r\\n| project ['Template Name'], Count\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Breakdown of Top 10 Template Names \",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AwarenessUserData\\r\\n| where ('{Email}' == \\\"*\\\" or Email == '{Email}') and isnotempty(Email)\\r\\n| where Status == \\\"CLICKED\\\"\\r\\n| summarize 
arg_max(['Reaction Time'], *) by Email, ['Template Name']\\r\\n| project Email, ['Reaction Time'], ['Time Clicked'] , ['Time Opened'], ['Template Name']\\r\\n| order by ['Reaction Time'] asc \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Users Clicked on Phishing data\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"#### 📝***Refresh the web page to fetch details of recently collected events***\\r\\n\"},\"name\":\"text - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"setTab\",\"comparison\":\"isEqualTo\",\"value\":\"PhishingTraining\"},\"name\":\"group - 11\"}],\"fromTemplateId\":\"Sentinel-Mimecast-Awareness-Training-Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", + "properties": { + "description": "@{workbookKey=Mimecast_Awareness_Training_Workbook; logoFileName=Mimecast.svg; description=A workbook providing insights into Mimecast Awareness Training.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Mimecast Awareness Training Workbook; templateRelativePath=Mimecast_Awareness_Training_Workbook.json; subtitle=; provider=Mimecast}.description", + "parentId": "[variables('workbookId2')]", + "contentId": 
"[variables('_workbookContentId2')]", + "kind": "Workbook", + "version": "[variables('workbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Awareness_Performance_Details_CL", + "kind": "DataType" + }, + { + "contentId": "Awareness_User_Data_CL", + "kind": "DataType" + }, + { + "contentId": "Awareness_Watchlist_Details_CL", + "kind": "DataType" + }, + { + "contentId": "Awareness_SafeScore_Details_CL", + "kind": "DataType" + }, + { + "contentId": "MimecastATAPI", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId2')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook2-name')]", + "contentProductId": "[variables('_workbookcontentProductId2')]", + "id": "[variables('_workbookcontentProductId2')]", + "version": "[variables('workbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_Cloud_Integrated_Workbook Workbook with template version 3.0.0", + "mainTemplate": { + 
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId3')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "A workbook providing insights into Mimecast Cloud Integrated." + }, + "properties": { + "displayName": "[parameters('workbook3-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c1d5c69f-05f2-459b-a6ce-f09fe2c4c1c6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Tags contains \\\"MALWARE\\\"\\r\\n| count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Malware Tags 
Count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportParameterName\":\"Malware\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 1\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Tags contains \\\"PHISHING\\\"\\r\\n| count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Phishing Tags Count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportParameterName\":\"Phishing\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 2\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Tags contains \\\"UNTRUSTWORTHY\\\"\\r\\n| count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Untrustworthy Tags Count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportParameterName\":\"Untrustworthy\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 
3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Tags contains \\\"SPAM\\\"\\r\\n| count\",\"size\":3,\"showAnalytics\":true,\"title\":\"Spam Tags Count\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportParameterName\":\"Spam\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on the tiles above to view threat details\"},\"conditionalVisibilities\":[{\"parameterName\":\"Malware\",\"comparison\":\"isEqualTo\"},{\"parameterName\":\"Phishing\",\"comparison\":\"isEqualTo\"},{\"parameterName\":\"Untrustworthy\",\"comparison\":\"isEqualTo\"},{\"parameterName\":\"Spam\",\"comparison\":\"isEqualTo\"}],\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Tags contains \\\"MALWARE\\\"\\r\\n| project-rename Sender = ['Sender Envelope']\\r\\n| extend Recipients = replace_string(Recipients,'\\\"','') \\r\\n| extend Recipients = replace_string(Recipients,',',', ') \\r\\n| extend Recipients = trim(@\\\"[\\\\[\\\\]]\\\",Recipients)\\r\\n| extend Tags = replace_string(Tags,'\\\"','') \\r\\n| extend Tags = replace_string(Tags,',',', ') \\r\\n| extend Tags = trim(@\\\"[\\\\[\\\\]]\\\",Tags)\\r\\n| extend Attachments = replace_string(Attachments,'\\\"','') \\r\\n| extend Attachments = replace_string(Attachments,',',', ') \\r\\n|extend Attachments = trim(@\\\"[\\\\[\\\\]]\\\",Attachments)\\r\\n| extend ['Message ID'] = trim(@\\\"[\\\\<\\\\>]\\\", ['Message ID'] )\\r\\n| project Sender,\\r\\n ['Sender IP'],\\r\\n Recipients,\\r\\n 
Tags,\\r\\n ['Policies Applied'],\\r\\n ['Account ID'],\\r\\n ['Aggregate ID'],\\r\\n ['Processing ID'],\\r\\n ['Message ID'],\\r\\n ['Threat State'],\\r\\n ['Threat Type'],\\r\\n ['Event Time'],\\r\\n Attachments,\\r\\n Subject,\\r\\n Source,\\r\\n Direction,\\r\\n ['Sender Header'],\\r\\n ['Historical Mail'],\\r\\n Type,\\r\\n Subtype\\r\\n \",\"size\":0,\"showAnalytics\":true,\"title\":\"Malware Tags Details\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Malware\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 4\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Tags contains \\\"PHISHING\\\"\\r\\n| project-rename Sender = ['Sender Envelope']\\r\\n| extend Recipients = replace_string(Recipients,'\\\"','') \\r\\n| extend Recipients = replace_string(Recipients,',',', ') \\r\\n| extend Recipients = trim(@\\\"[\\\\[\\\\]]\\\",Recipients)\\r\\n| extend Tags = replace_string(Tags,'\\\"','') \\r\\n| extend Tags = replace_string(Tags,',',', ') \\r\\n| extend Tags = trim(@\\\"[\\\\[\\\\]]\\\",Tags)\\r\\n| extend Attachments = replace_string(Attachments,'\\\"','') \\r\\n| extend Attachments = replace_string(Attachments,',',', ') \\r\\n|extend Attachments = trim(@\\\"[\\\\[\\\\]]\\\",Attachments)\\r\\n| extend ['Message ID'] = trim(@\\\"[\\\\<\\\\>]\\\", ['Message ID'] )\\r\\n| project Sender,\\r\\n ['Sender IP'],\\r\\n Recipients,\\r\\n Tags,\\r\\n ['Policies Applied'],\\r\\n ['Account ID'],\\r\\n ['Aggregate ID'],\\r\\n ['Processing ID'],\\r\\n ['Message ID'],\\r\\n ['Threat State'],\\r\\n ['Threat Type'],\\r\\n ['Event Time'],\\r\\n Attachments,\\r\\n Subject,\\r\\n Source,\\r\\n Direction,\\r\\n ['Sender Header'],\\r\\n ['Historical 
Mail'],\\r\\n Type,\\r\\n Subtype\",\"size\":0,\"showAnalytics\":true,\"title\":\"Phishing Tags Details\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Phishing\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Tags contains \\\"UNTRUSTWORTHY\\\"\\r\\n| project-rename Sender = ['Sender Envelope']\\r\\n| extend Recipients = replace_string(Recipients,'\\\"','') \\r\\n| extend Recipients = replace_string(Recipients,',',', ') \\r\\n| extend Recipients = trim(@\\\"[\\\\[\\\\]]\\\",Recipients)\\r\\n| extend Tags = replace_string(Tags,'\\\"','') \\r\\n| extend Tags = replace_string(Tags,',',', ') \\r\\n| extend Tags = trim(@\\\"[\\\\[\\\\]]\\\",Tags)\\r\\n| extend Attachments = replace_string(Attachments,'\\\"','') \\r\\n| extend Attachments = replace_string(Attachments,',',', ') \\r\\n|extend Attachments = trim(@\\\"[\\\\[\\\\]]\\\",Attachments)\\r\\n| extend ['Message ID'] = trim(@\\\"[\\\\<\\\\>]\\\", ['Message ID'] )\\r\\n| project Sender,\\r\\n ['Sender IP'],\\r\\n Recipients,\\r\\n Tags,\\r\\n ['Policies Applied'],\\r\\n ['Account ID'],\\r\\n ['Aggregate ID'],\\r\\n ['Processing ID'],\\r\\n ['Message ID'],\\r\\n ['Threat State'],\\r\\n ['Threat Type'],\\r\\n ['Event Time'],\\r\\n Attachments,\\r\\n Subject,\\r\\n Source,\\r\\n Direction,\\r\\n ['Sender Header'],\\r\\n ['Historical Mail'],\\r\\n Type,\\r\\n Subtype\",\"size\":0,\"showAnalytics\":true,\"title\":\"Untrustworthy Tags 
Details\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Untrustworthy\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Tags contains \\\"SPAM\\\"\\r\\n| project-rename Sender = ['Sender Envelope']\\r\\n| extend Recipients = replace_string(Recipients,'\\\"','') \\r\\n| extend Recipients = replace_string(Recipients,',',', ') \\r\\n| extend Recipients = trim(@\\\"[\\\\[\\\\]]\\\",Recipients)\\r\\n| extend Tags = replace_string(Tags,'\\\"','') \\r\\n| extend Tags = replace_string(Tags,',',', ') \\r\\n| extend Tags = trim(@\\\"[\\\\[\\\\]]\\\",Tags)\\r\\n| extend Attachments = replace_string(Attachments,'\\\"','') \\r\\n| extend Attachments = replace_string(Attachments,',',', ') \\r\\n|extend Attachments = trim(@\\\"[\\\\[\\\\]]\\\",Attachments)\\r\\n| extend ['Message ID'] = trim(@\\\"[\\\\<\\\\>]\\\", ['Message ID'] )\\r\\n| project Sender,\\r\\n ['Sender IP'],\\r\\n Recipients,\\r\\n Tags,\\r\\n ['Policies Applied'],\\r\\n ['Account ID'],\\r\\n ['Aggregate ID'],\\r\\n ['Processing ID'],\\r\\n ['Message ID'],\\r\\n ['Threat State'],\\r\\n ['Threat Type'],\\r\\n ['Event Time'],\\r\\n Attachments,\\r\\n Subject,\\r\\n Source,\\r\\n Direction,\\r\\n ['Sender Header'],\\r\\n ['Historical Mail'],\\r\\n Type,\\r\\n Subtype\",\"size\":0,\"showAnalytics\":true,\"title\":\"Spam Tags 
Details\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Spam\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}}]},\"name\":\"group - 22\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where isnotempty(Direction)\\r\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Direction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Traffic by Route\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 5\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| parse-kv ['Policies Applied'] as (action: string) with ( kv_delimiter=\\\":\\\", pair_delimiter=\\\",\\\", quote='\\\"')\\r\\n| extend Action = replace_string(trim(@\\\"\\\\s\\\", action),\\\"_\\\",\\\" \\\")\\r\\n| where isnotempty(Action)\\r\\n| summarize count() by Action\",\"size\":0,\"showAnalytics\":true,\"title\":\"Types of Policy Action\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Action\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Action\",\"yAxis\":[\"count_\"]}},\"name\":\"query - 6\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Types of Policy Action' bar chart to 
see 'Policy Mode for Action'\"},\"conditionalVisibility\":{\"parameterName\":\"Action\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"name\":\"group - 17\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| parse-kv ['Policies Applied'] as (action: string, mode: string) with ( kv_delimiter=\\\":\\\", pair_delimiter=\\\",\\\", quote='\\\"')\\r\\n| extend Action = replace_string(trim(@\\\"\\\\s\\\", action),\\\"_\\\",\\\" \\\"), Mode = replace_string(trim(@\\\"\\\\s\\\", mode),\\\"_\\\",\\\" \\\")\\r\\n| where Action == '{Action}' and isnotempty(Mode)\\r\\n| summarize count() by Mode\",\"size\":3,\"showAnalytics\":true,\"title\":\"Policy Mode for Action : {Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Mode\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Mode\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"Action\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"padding\":\"69px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Policy Mode for Action: {Action}' pie chart to see 'Details of Emails for Policy Mode and Policy Action'\"},\"conditionalVisibilities\":[{\"parameterName\":\"Mode\",\"comparison\":\"isEqualTo\"},{\"parameterName\":\"Action\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| parse-kv ['Policies Applied'] as (action: string, mode: string) with ( kv_delimiter=\\\":\\\", pair_delimiter=\\\",\\\", quote='\\\"')\\r\\n| 
extend Action = replace_string(trim(@\\\"\\\\s\\\", action),\\\"_\\\",\\\" \\\"), Mode = replace_string(trim(@\\\"\\\\s\\\", mode),\\\"_\\\",\\\" \\\")\\r\\n| where Action == '{Action}' and Mode == '{Mode}'\\r\\n| extend ['Threat Type'] = replace_string(['Threat Type'],\\\"_\\\",\\\" \\\"), ['Threat State'] = replace_string(['Threat State'],\\\"_\\\",\\\" \\\")\\r\\n| project-rename Sender = ['Sender Envelope']\\r\\n| extend Recipients = replace_string(Recipients,'\\\"','') \\r\\n| extend Recipients = replace_string(Recipients,',',', ') \\r\\n| extend Recipients = trim(@\\\"[\\\\[\\\\]]\\\",Recipients)\\r\\n| project Sender, Recipients, Subject, ['Threat State'], ['Threat Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of Emails for Policy Mode: {Mode} and Policy Action: {Action}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"Action\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"Mode\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 19\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 21\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| extend ['Threat Type'] = replace_string(trim(@\\\"\\\\s\\\", ['Threat Type']),\\\"_\\\",\\\" \\\")\\r\\n| where isnotempty(['Threat Type'])\\r\\n| summarize count() by ['Threat Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat 
Detection\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"ThreatType\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"query - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Threat Detection' bar chart to see 'Threat State for Type'\"},\"conditionalVisibility\":{\"parameterName\":\"ThreatType\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"name\":\"group - 18\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| extend ['Threat Type'] = replace_string(trim(@\\\"\\\\s\\\", ['Threat Type']),\\\"_\\\",\\\" \\\"),\\r\\n ['Threat State'] = replace_string(trim(@\\\"\\\\s\\\", ['Threat State']),\\\"_\\\",\\\" \\\")\\r\\n| where ['Threat Type'] == '{ThreatType}' and isnotempty(['Threat State'])\\r\\n| summarize count() by ['Threat State']\",\"size\":3,\"showAnalytics\":true,\"title\":\"Threat State for Type: {ThreatType}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"ThreatState\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"conditionalVisibility\":{\"parameterName\":\"ThreatType\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"padding\":\"69px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Threat State for Type: {ThreatType}' pie chart to see 'Details of Emails for Threat State and Threat 
Type'\"},\"conditionalVisibilities\":[{\"parameterName\":\"ThreatState\",\"comparison\":\"isEqualTo\"},{\"parameterName\":\"ThreatType\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| extend ['Threat Type'] = replace_string(trim(@\\\"\\\\s\\\", ['Threat Type']),\\\"_\\\",\\\" \\\"),\\r\\n ['Threat State'] = replace_string(trim(@\\\"\\\\s\\\", ['Threat State']),\\\"_\\\",\\\" \\\")\\r\\n| where ['Threat Type'] == '{ThreatType}' and ['Threat State'] == '{ThreatState}'\\r\\n| project-rename Sender = ['Sender Envelope']\\r\\n| extend Recipients = replace_string(Recipients,'\\\"','') \\r\\n| extend Recipients = replace_string(Recipients,',',', ') \\r\\n| extend Recipients = trim(@\\\"[\\\\[\\\\]]\\\",Recipients)\\r\\n| project Sender, Recipients, Subject, ['Threat State'], ['Threat Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of Emails for Threat State: {ThreatState} and Threat Type: {ThreatType}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"customWidth\":\"50\",\"conditionalVisibilities\":[{\"parameterName\":\"ThreatType\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"ThreatState\",\"comparison\":\"isNotEqualTo\"}],\"name\":\"query - 18\",\"styleSettings\":{\"showBorder\":true}}],\"exportParameters\":true},\"name\":\"group - 20\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| extend senderGeoDetails = geo_info_from_ip_address(['Sender IP'])\\r\\n| extend latitude = senderGeoDetails.latitude, longitude = senderGeoDetails.longitude, country = senderGeoDetails.country, state = senderGeoDetails.state, city = senderGeoDetails.city\\r\\n| where isnotempty(latitude) and isnotempty(longitude)\\r\\n| extend label = 
strcat(\\r\\n iif(strlen(city) > 0, strcat(city, \\\", \\\"), \\\"\\\"),\\r\\n iif(strlen(state) > 0, strcat(state, \\\", \\\"), \\\"\\\"),\\r\\n country\\r\\n)\\r\\n| extend label = trim(\\\", \\\", label)\\r\\n| extend label = iif(strlen(label) > 0, label, \\\"N/A\\\")\\r\\n| summarize count() by tostring(latitude), tostring(longitude), label\",\"size\":3,\"showAnalytics\":true,\"title\":\"Messages Sent by Country\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"latitude\":\"latitude\",\"longitude\":\"longitude\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"labelSettings\":\"label\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 15\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Direction == \\\"INBOUND\\\"\\r\\n| extend details = geo_info_from_ip_address(['Sender IP'])\\r\\n| extend Country = trim(@\\\"\\\\s\\\", tostring(details.country))\\r\\n| where isnotempty(Country)\\r\\n| summarize count() by Country\\r\\n| top 10 by count_ \",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Inbound Email Detections by Origin\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Country\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 
10\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| extend Domain = tostring(split(['Sender Envelope'],\\\"@\\\")[1])\\r\\n| where isnotempty(Domain)\\r\\n| summarize count() by Domain\\r\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Sender Domains\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Domain\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 11\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| extend Subtype = replace_string(trim(@\\\"\\\\s\\\", Subtype),\\\"_\\\",\\\" \\\")\\r\\n| where isnotempty(Subtype)\\r\\n| summarize count() by Subtype\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Threat Sub Types\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"exportFieldName\":\"series\",\"exportParameterName\":\"Subtype\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"100\",\"name\":\"query - 12\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 Click on 'Threat Sub Types' pie chart to see 'Details of Emails for Sub Type'\"},\"conditionalVisibility\":{\"parameterName\":\"Subtype\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 1\"}],\"exportParameters\":true},\"customWidth\":\"50\",\"name\":\"group - 
19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where ['Sender Envelope'] contains \\\"@\\\"\\r\\n| summarize count() by ['Sender Envelope']\\r\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Senders\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Sender Envelope\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 13\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| extend ['Threat Type'] = replace_string(['Threat Type'],\\\"_\\\",\\\" \\\"),\\r\\n ['Threat State'] = replace_string(['Threat State'],\\\"_\\\",\\\" \\\"),\\r\\n Subtype = replace_string(trim(@\\\"\\\\s\\\", Subtype),\\\"_\\\",\\\" \\\")\\r\\n| where Subtype == '{Subtype}'\\r\\n| project-rename Sender = ['Sender Envelope']\\r\\n| extend Recipients = replace_string(Recipients,'\\\"','') \\r\\n| extend Recipients = replace_string(Recipients,',',', ') \\r\\n| extend Recipients = trim(@\\\"[\\\\[\\\\]]\\\",Recipients)\\r\\n| project Sender, Recipients, Subject, ['Threat State'], ['Threat Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Details of Emails for Sub Type: {Subtype}\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Subtype\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 17\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| extend 
recipients = todynamic(Recipients)\\r\\n| mv-expand recipients\\r\\n| where recipients contains \\\"@\\\"\\r\\n| summarize count() by tostring(recipients)\\r\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Receivers\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"recipients\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 14\",\"styleSettings\":{\"padding\":\"49px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Type == \\\"urlclick\\\"\\r\\n| project-rename Sender = ['Sender Envelope']\\r\\n| extend Recipients = replace_string(Recipients,'\\\"','') \\r\\n| extend Recipients = replace_string(Recipients,',',', ') \\r\\n| extend Recipients = trim(@\\\"[\\\\[\\\\]]\\\",Recipients)\\r\\n| extend Tags = replace_string(Tags,'\\\"','') \\r\\n| extend Tags = replace_string(Tags,',',', ') \\r\\n| extend Tags = trim(@\\\"[\\\\[\\\\]]\\\",Tags)\\r\\n| extend Attachments = replace_string(Attachments,'\\\"','') \\r\\n| extend Attachments = replace_string(Attachments,',',', ') \\r\\n|extend Attachments = trim(@\\\"[\\\\[\\\\]]\\\",Attachments)\\r\\n| extend ['Message ID'] = trim(@\\\"[\\\\<\\\\>]\\\", ['Message ID'] )\\r\\n| project Sender,\\r\\n ['Sender IP'],\\r\\n Recipients,\\r\\n ['Threat State'],\\r\\n ['Threat Type'],\\r\\n ['Policies Applied'],\\r\\n ['Account ID'],\\r\\n ['Aggregate ID'],\\r\\n ['Processing ID'],\\r\\n ['Message ID'],\\r\\n [\\\"Event Time\\\"],\\r\\n Attachments,\\r\\n Tags,\\r\\n Subject,\\r\\n Source,\\r\\n Direction,\\r\\n ['Sender Header'],\\r\\n ['Historical Mail'],\\r\\n Type,\\r\\n Subtype\",\"size\":0,\"showAnalytics\":true,\"title\":\"Url Protect 
Overview\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 20\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCloudIntegrated\\r\\n| where Type == \\\"entities\\\"\\r\\n| project-rename Sender = ['Sender Envelope']\\r\\n| extend Recipients = replace_string(Recipients,'\\\"','') \\r\\n| extend Recipients = replace_string(Recipients,',',', ') \\r\\n| extend Recipients = trim(@\\\"[\\\\[\\\\]]\\\",Recipients)\\r\\n| extend Tags = replace_string(Tags,'\\\"','') \\r\\n| extend Tags = replace_string(Tags,',',', ') \\r\\n| extend Tags = trim(@\\\"[\\\\[\\\\]]\\\",Tags)\\r\\n| extend Attachments = replace_string(Attachments,'\\\"','') \\r\\n| extend Attachments = replace_string(Attachments,',',', ') \\r\\n|extend Attachments = trim(@\\\"[\\\\[\\\\]]\\\",Attachments)\\r\\n| extend ['Message ID'] = trim(@\\\"[\\\\<\\\\>]\\\", ['Message ID'] )\\r\\n| project Type, Sender,\\r\\n ['Sender IP'],\\r\\n Recipients,\\r\\n ['Threat State'],\\r\\n ['Threat Type'],\\r\\n ['Policies Applied'],\\r\\n ['Account ID'],\\r\\n ['Aggregate ID'],\\r\\n ['Processing ID'],\\r\\n ['Message ID'],\\r\\n [\\\"Event Time\\\"],\\r\\n Attachments,\\r\\n Tags,\\r\\n Subject,\\r\\n Source,\\r\\n Direction,\\r\\n ['Sender Header'],\\r\\n ['Historical Mail'],\\r\\n Subtype\",\"size\":0,\"showAnalytics\":true,\"title\":\"Entities Overview\",\"timeContextFromParameter\":\"TimeRange\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 20 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected 
events***\"},\"name\":\"text - 16\"}]},\"name\":\"group - 0\"}],\"fromTemplateId\":\"Sentinel-Mimecast-Cloud-Integrated-Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]", + "properties": { + "description": "@{workbookKey=Mimecast_Cloud_Integrated_Workbook; logoFileName=Mimecast.svg; description=A workbook providing insights into Mimecast Cloud Integrated.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Mimecast Cloud Integrated Workbook; templateRelativePath=Mimecast_Cloud_Integrated_Workbook.json; subtitle=; provider=Mimecast}.description", + "parentId": "[variables('workbookId3')]", + "contentId": "[variables('_workbookContentId3')]", + "kind": "Workbook", + "version": "[variables('workbookVersion3')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Cloud_Integrated_CL", + "kind": "DataType" + }, + { + "contentId": "MimecastCIAPI", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + 
"contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId3')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook3-name')]", + "contentProductId": "[variables('_workbookcontentProductId3')]", + "id": "[variables('_workbookcontentProductId3')]", + "version": "[variables('workbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_SEG_Workbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId4')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "A workbook providing insights into Mimecast Secure Email Gateway." 
+ }, + "properties": { + "displayName": "[parameters('workbook4-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"f951ba63-69db-4e29-b73e-700430a58329\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Email Activity Summary\",\"subTarget\":\"2\",\"style\":\"link\"},{\"id\":\"6cb5e992-de3d-43c4-8b2c-32b56cf33cc1\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Email Receipt\",\"subTarget\":\"1\",\"preText\":\"Email Receipt\",\"style\":\"link\"},{\"id\":\"43335114-8770-48e6-b02f-c9b7ee185cc1\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Email Delivery\",\"subTarget\":\"3\",\"style\":\"link\"},{\"id\":\"ffbb9e0f-8551-4797-b28a-fdda3671f1f5\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"AV / AS\",\"subTarget\":\"7\",\"style\":\"link\"},{\"id\":\"7438a20b-c11b-45b9-8c90-1e69e47fa220\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"TLS\",\"subTarget\":\"4\",\"style\":\"link\"},{\"id\":\"312e014c-a77d-4b0f-8d76-e25c13ed3716\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Email Spam\",\"subTarget\":\"8\",\"style\":\"link\",\"linkIsContextBlade\":true},{\"id\":\"6d11cffc-b20e-42be-95d1-8812a2d876e5\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Internal Email Protect\",\"subTarget\":\"6\",\"style\":\"link\"},{\"id\":\"b2026a8b-8136-4d89-b26c-cffda38fcdee\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Email Journal\",\"subTarget\":\"9\",\"style\":\"link\"},{\"id\":\"8605b3c8-3b53-42ac-9e6c-cbf235909733\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Data Leak Prevention\",\"subTarget\":\"5\",\"style\":\"link\"}]},\"name\":\"links - 1\"},{\"type\":1,\"content\":{\"json\":\"--- \"},\"name\":\"text - 
2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b627c016-a002-4b73-a1b6-9c2e30f91d86\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type ==\\\"email_delivery\\\"\\r\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Direction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Email Traffic\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 1\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let min_t = toscalar(\\r\\n MimecastCG \\r\\n | where Type == \\\"email_receipt\\\" and isnotempty(['Rejection Type'])\\r\\n | summarize min_time = min(['Event Time'])\\r\\n | extend min_t = iff(isempty(min_time),now(),min_time)\\r\\n | project min_t);\\r\\nMimecastCG \\r\\n| where Type == \\\"email_receipt\\\" and isnotempty(['Rejection Type']) \\r\\n| make-series 
Trend = count() default = 0 on ['Event Time'] from min_t to now() step 1d by tostring(['Rejection Type']) \\r\\n| project-away ['Event Time'] \\r\\n| extend Count = array_sum(Trend) \\r\\n| project ['Rejection Type'] , Count, ['Spark Line'] = Trend \\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Rejections\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"lightBlue\"}},{\"columnMatch\":\"Spark Line\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"33\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nlet min_t = toscalar(\\r\\n MimecastCG \\r\\n | where Type == \\\"email_delivery\\\" and isnotempty(['Rejection Type'])\\r\\n | summarize min_time = min(['Event Time'])\\r\\n | extend min_t = iff(isempty(min_time),now(),min_time)\\r\\n | project min_t);\\r\\nMimecastCG \\r\\n| where Type == \\\"email_delivery\\\" and isnotempty(['Rejection Type'])\\r\\n| make-series Trend = count() default = 0 on ['Event Time'] from min_t to now() step 1d by tostring(['Rejection Type']) \\r\\n| project-away ['Event Time'] \\r\\n| extend Count = array_sum(Trend) \\r\\n| project ['Rejection Type'], Count, ['Spark Line'] = Trend \\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Delivery Failures\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"lightBlue\"}},{\"columnMatch\":\"Spark 
Line\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let min_t = toscalar(\\r\\n MimecastCG\\r\\n | where Type == \\\"email_process\\\" and isnotempty(['Hold Reason'])\\r\\n | summarize min_time = min(['Event Time'])\\r\\n | extend min_t = iff(isempty(min_time),now(),min_time)\\r\\n | project min_t);\\r\\nMimecastCG\\r\\n| where Type == \\\"email_process\\\" and isnotempty(['Hold Reason'])\\r\\n| make-series Trend = count() default = 0 on ['Event Time'] from min_t to now() step 1d by tostring(['Hold Reason'])\\r\\n| project-away ['Event Time']\\r\\n| extend Count=array_sum(Trend)\\r\\n| project ['Hold Reason'], Count,['Spark Line'] = Trend\\r\\n| order by Count desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Held\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Count\",\"formatter\":4,\"formatOptions\":{\"min\":0,\"palette\":\"lightBlue\"}},{\"columnMatch\":\"Spark Line\",\"formatter\":9,\"formatOptions\":{\"palette\":\"blue\"}}]}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3eec960e-69f2-487a-986f-e3b495ce6818\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time 
Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type== \\\"email_receipt\\\"\\r\\n| summarize count() by Direction, Action, ['Sender IP']\\r\\n| summarize sum(count_)\\r\\n| project TotalCount = sum_count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Messages Received\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"TotalCount\",\"parameterName\":\"MessagesReceived\"},{\"fieldName\":\"TotalCount\",\"parameterName\":\"TileAction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type== \\\"email_receipt\\\"\\r\\n| where Action in~ (\\\"Acc\\\", \\\"RTY\\\")\\r\\n| summarize count() by Direction, Action, ['Sender 
IP']\\r\\n| summarize sum(count_)\\r\\n| project TotalCount = sum_count_\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Messages Accepted\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"TotalCount\",\"parameterName\":\"MessagesAccepted\"},{\"fieldName\":\"TotalCount\",\"parameterName\":\"TileAction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type== \\\"email_receipt\\\"\\r\\n| where Action in~ (\\\"REJ\\\", \\\"BNC\\\")\\r\\n| summarize count() by Direction, Action, ['Sender IP']\\r\\n| summarize sum(count_)\\r\\n| project TotalCount = sum_count_\\r\\n\\r\\n// Rej and Bnc are considered as blocked\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Messages Rejected\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"TotalCount\",\"parameterName\":\"MessagesRejected\"},{\"fieldName\":\"TotalCount\",\"parameterName\":\"TileAction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"amethyst\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 0 - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type== \\\"email_receipt\\\" and Action in~ (\\\"Acc\\\", 
\\\"RTY\\\")\\r\\n| where isempty( ['TLS Version'])\\r\\n| summarize count() by Direction, Action, ['Sender IP']\\r\\n| summarize sum(count_)\\r\\n| project TotalCount = sum_count_\\r\\n\\r\\n//Acc and Rty are considered as delivered\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Messages Accepted without TLS\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"TotalCount\",\"parameterName\":\"MessagesAcceptedwithoutTLS\"},{\"fieldName\":\"TotalCount\",\"parameterName\":\"TileAction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"orangeDark\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 0 - Copy - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 To view message details, please click on any of the tiles above\"},\"conditionalVisibility\":{\"parameterName\":\"TileAction\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type== \\\"email_receipt\\\"\\r\\n| project ['Aggregate ID'] ,\\r\\n['Processing ID'],\\r\\n['Account ID'] ,\\r\\n['Action'],\\r\\n['Type'],\\r\\n['Sender Envelope'] ,\\r\\n['Message ID'] ,\\r\\n['Subject'],\\r\\n['Recipients'] ,\\r\\n['Sender IP'] ,\\r\\n['Rejection Type'] ,\\r\\n['Rejection Code'] ,\\r\\n['Direction'] ,\\r\\n['Number of Attachments'] ,\\r\\n['Sender Header'] ,\\r\\n['Rejection Info'] ,\\r\\n[\\\"TLS Version\\\"],\\r\\n[\\\"TLS Cipher\\\"],\\r\\n['Spam Info'] ,\\r\\n['Spam Processing Detail'] ,\\r\\n['Virus Found'] ,\\r\\n['Event Time'] ,\\r\\n['Sub Type'] \",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages 
Received\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"MessagesReceived\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type== \\\"email_receipt\\\"\\r\\n| where Action in~ (\\\"Acc\\\", \\\"RTY\\\")\\r\\n| project ['Aggregate ID'] ,\\r\\n['Processing ID'],\\r\\n['Account ID'] ,\\r\\n['Action'],\\r\\n['Type'],\\r\\n['Sender Envelope'] ,\\r\\n['Message ID'] ,\\r\\n['Subject'],\\r\\n['Recipients'] ,\\r\\n['Sender IP'] ,\\r\\n['Rejection Type'] ,\\r\\n['Rejection Code'] ,\\r\\n['Direction'] ,\\r\\n['Number of Attachments'] ,\\r\\n['Sender Header'] ,\\r\\n['Rejection Info'] ,\\r\\n[\\\"TLS Version\\\"],\\r\\n[\\\"TLS Cipher\\\"],\\r\\n['Spam Info'] ,\\r\\n['Spam Processing Detail'] ,\\r\\n['Virus Found'] ,\\r\\n['Event Time'] ,\\r\\n['Sub Type'] \",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Accepted\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"MessagesAccepted\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type== \\\"email_receipt\\\"\\r\\n| where Action in~ (\\\"REJ\\\", \\\"BNC\\\")\\r\\n| project ['Aggregate ID'] ,\\r\\n['Processing ID'],\\r\\n['Account ID'] ,\\r\\n['Action'],\\r\\n['Type'],\\r\\n['Sender Envelope'] ,\\r\\n['Message ID'] 
,\\r\\n['Subject'],\\r\\n['Recipients'] ,\\r\\n['Sender IP'] ,\\r\\n['Rejection Type'] ,\\r\\n['Rejection Code'] ,\\r\\n['Direction'] ,\\r\\n['Number of Attachments'] ,\\r\\n['Sender Header'] ,\\r\\n['Rejection Info'] ,\\r\\n[\\\"TLS Version\\\"],\\r\\n[\\\"TLS Cipher\\\"],\\r\\n['Spam Info'] ,\\r\\n['Spam Processing Detail'] ,\\r\\n['Virus Found'] ,\\r\\n['Event Time'] ,\\r\\n['Sub Type'] \",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Rejected\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"MessagesRejected\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2 - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_receipt\\\" and Action in~ (\\\"Acc\\\", \\\"RTY\\\")\\r\\n| where isempty([\\\"TLS Version\\\"])\\r\\n| project \\r\\n['Aggregate ID'] ,\\r\\n['Processing ID'] ,\\r\\n['Account ID'],\\r\\n['Action'],\\r\\n['Type'],\\r\\n['Sender Envelope'],\\r\\n['Message ID'] ,\\r\\n['Subject'] ,\\r\\n['Recipients'] ,\\r\\n['Sender IP'] ,\\r\\n['Rejection Type'] ,\\r\\n['Rejection Code'] ,\\r\\n['Direction'] ,\\r\\n['Number of Attachments'] ,\\r\\n['Sender Header'] ,\\r\\n['Rejection Info'],\\r\\n[\\\"TLS Version\\\"],\\r\\n[\\\"TLS Cipher\\\"],\\r\\n['Spam Info'] ,\\r\\n['Spam Processing Detail'] ,\\r\\n['Virus Found'] ,\\r\\n['Event Time'],\\r\\n['Sub Type']\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Accepted without 
TLS\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"MessagesAcceptedwithoutTLS\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 2 - Copy - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}}]},\"name\":\"group - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type== \\\"email_receipt\\\" and Action in~ (\\\"Acc\\\", \\\"RTY\\\")\\r\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Direction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Accepted by Route\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type== \\\"email_receipt\\\" and Action in~ (\\\"Acc\\\", \\\"RTY\\\") and isnotempty( ['Sender IP'])\\r\\n| extend senderGeoDetails = geo_info_from_ip_address(['Sender IP'])\\r\\n| extend latitude = senderGeoDetails.latitude, longitude = senderGeoDetails.longitude, country = senderGeoDetails.country, state = senderGeoDetails.state, city = senderGeoDetails.city\\r\\n| where isnotempty(latitude) and isnotempty(longitude)\\r\\n| extend label = strcat(\\r\\n iif(strlen(city) > 0, strcat(city, \\\", \\\"), \\\"\\\"),\\r\\n iif(strlen(state) > 0, strcat(state, \\\", \\\"), \\\"\\\"),\\r\\n country\\r\\n)\\r\\n| extend label = trim(\\\", \\\", label)\\r\\n| extend label = iif(strlen(label) > 0, label, \\\"N/A\\\")\\r\\n| summarize count() by tostring(latitude), tostring(longitude), label\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages 
Accepted by Source Country\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"latitude\":\"latitude\",\"longitude\":\"longitude\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"minData\":-1,\"labelSettings\":\"label\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type== \\\"email_receipt\\\" and Action in~ (\\\"REJ\\\", \\\"BNC\\\") and isnotempty( ['Sender IP'])\\r\\n| extend senderGeoDetails = geo_info_from_ip_address(['Sender IP'])\\r\\n| extend latitude = senderGeoDetails.latitude, longitude = senderGeoDetails.longitude, country = senderGeoDetails.country, state = senderGeoDetails.state, city = senderGeoDetails.city\\r\\n| where isnotempty(latitude) and isnotempty(longitude)\\r\\n| extend label = strcat(\\r\\n iif(strlen(city) > 0, strcat(city, \\\", \\\"), \\\"\\\"),\\r\\n iif(strlen(state) > 0, strcat(state, \\\", \\\"), \\\"\\\"),\\r\\n country\\r\\n)\\r\\n| extend label = trim(\\\", \\\", label)\\r\\n| extend label = iif(strlen(label) > 0, label, \\\"N/A\\\")\\r\\n| summarize count() by tostring(latitude), tostring(longitude), label\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Rejected by Source 
Country\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"latitude\":\"latitude\",\"longitude\":\"longitude\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"minData\":-1,\"labelSettings\":\"label\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"group - 0\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3eec960e-69f2-487a-986f-e3b495ce6818\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered 
== \\\"true\\\"\\r\\n| summarize count() by Direction , Delivered , ['Destination IP'] , ['TLS Used'] \\r\\n| summarize sum(count_)\\r\\n| project TotalCount = sum_count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Messages Delivered\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"TotalCount\",\"parameterName\":\"MessageDelivered\"},{\"fieldName\":\"TotalCount\",\"parameterName\":\"TileAction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"25%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered == \\\"false\\\" and Direction == \\\"Outbound\\\"\\r\\n| summarize count() by Direction , Delivered , ['TLS Used'] \\r\\n| summarize sum(count_)\\r\\n| project TotalCount = sum_count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Outbound Delivery Failures\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"TotalCount\",\"parameterName\":\"Outbounddeliveryfailures\"},{\"fieldName\":\"TotalCount\",\"parameterName\":\"TileAction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 0 - 
Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"25%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered == \\\"false\\\" and Direction == \\\"Inbound\\\"\\r\\n| summarize count() by Direction , Delivered , ['Destination IP'] , ['TLS Used'] \\r\\n| summarize sum(count_)\\r\\n| project TotalCount = sum_count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Inbound Delivery Failures\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"TotalCount\",\"parameterName\":\"InboundDeliveryFailures\"},{\"fieldName\":\"TotalCount\",\"parameterName\":\"TileAction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"greenDark\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 0 - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"25%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered == \\\"true\\\" and ['TLS Used'] == \\\"No\\\"\\r\\n| summarize count() by Direction , Delivered , ['Destination IP'] , ['TLS Used'] \\r\\n| summarize sum(count_)\\r\\n| project TotalCount = sum_count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Messages Delivered without 
TLS\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"TotalCount\",\"parameterName\":\"MessagesDeliveredwithoutTLS\"},{\"fieldName\":\"TotalCount\",\"parameterName\":\"TileAction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"TotalCount\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"orangeDark\"}},\"showBorder\":false}},\"customWidth\":\"25\",\"name\":\"query - 0 - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"25%\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 To view message details, please click on any of the tiles above\"},\"conditionalVisibility\":{\"parameterName\":\"TileAction\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered == \\\"true\\\"\\r\\n| project \\r\\n [\\\"Aggregate ID\\\"] ,\\r\\n [\\\"Processing ID\\\"],\\r\\n [\\\"Delivered\\\"] ,\\r\\n [\\\"Destination IP\\\"] ,\\r\\n [\\\"Host Name\\\"],\\r\\n [\\\"Delivery Attempts\\\"] ,\\r\\n [\\\"TLS Used\\\"] ,\\r\\n [\\\"Route\\\"] ,\\r\\n [\\\"Account ID\\\"] ,\\r\\n [\\\"Event Time\\\"] ,\\r\\n [\\\"Sender Envelope\\\"] ,\\r\\n [\\\"Message ID\\\"] ,\\r\\n [\\\"Subject\\\"] ,\\r\\n [\\\"Total of Size Attachments\\\"] ,\\r\\n [\\\"Number of Attachments\\\"] ,\\r\\n [\\\"Email Size\\\"] ,\\r\\n [\\\"Type\\\"] ,\\r\\n [\\\"Sub Type\\\"] ,\\r\\n [\\\"Recipients\\\"] ,\\r\\n [\\\"Direction\\\"] ,\\r\\n [\\\"TLS Version\\\"] ,\\r\\n [\\\"TLS Cipher\\\"] ,\\r\\n [\\\"Delivery Errors\\\"] ,\\r\\n [\\\"Rejection Type\\\"] ,\\r\\n [\\\"Rejection Code\\\"] ,\\r\\n [\\\"Rejection Info\\\"] \\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages 
Delivered\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"MessageDelivered\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered == \\\"false\\\" and Direction == \\\"Outbound\\\"\\r\\n| project \\r\\n [\\\"Aggregate ID\\\"] ,\\r\\n [\\\"Processing ID\\\"],\\r\\n [\\\"Delivered\\\"] ,\\r\\n [\\\"Destination IP\\\"] ,\\r\\n [\\\"Host Name\\\"] ,\\r\\n [\\\"Delivery Attempts\\\"] ,\\r\\n [\\\"TLS Used\\\"] ,\\r\\n [\\\"Route\\\"] ,\\r\\n [\\\"Account ID\\\"] ,\\r\\n [\\\"Event Time\\\"] ,\\r\\n [\\\"Sender Envelope\\\"] ,\\r\\n [\\\"Message ID\\\"] ,\\r\\n [\\\"Subject\\\"] ,\\r\\n [\\\"Total of Size Attachments\\\"] ,\\r\\n [\\\"Number of Attachments\\\"] ,\\r\\n [\\\"Email Size\\\"] ,\\r\\n [\\\"Type\\\"] ,\\r\\n [\\\"Sub Type\\\"] ,\\r\\n [\\\"Recipients\\\"] ,\\r\\n [\\\"Direction\\\"] ,\\r\\n [\\\"TLS Version\\\"] ,\\r\\n [\\\"TLS Cipher\\\"] ,\\r\\n [\\\"Delivery Errors\\\"] ,\\r\\n [\\\"Rejection Type\\\"] ,\\r\\n [\\\"Rejection Code\\\"] ,\\r\\n [\\\"Rejection Info\\\"] \\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Outbound Delivery Failures\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"Outbounddeliveryfailures\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 
8\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered == \\\"false\\\" and Direction == \\\"Inbound\\\"\\r\\n| project \\r\\n [\\\"Aggregate ID\\\"] ,\\r\\n [\\\"Processing ID\\\"],\\r\\n [\\\"Delivered\\\"] ,\\r\\n [\\\"Destination IP\\\"] ,\\r\\n [\\\"Host Name\\\"] ,\\r\\n [\\\"Delivery Attempts\\\"] ,\\r\\n [\\\"TLS Used\\\"] ,\\r\\n [\\\"Route\\\"] ,\\r\\n [\\\"Account ID\\\"] ,\\r\\n [\\\"Event Time\\\"] ,\\r\\n [\\\"Sender Envelope\\\"] ,\\r\\n [\\\"Message ID\\\"] ,\\r\\n [\\\"Subject\\\"] ,\\r\\n [\\\"Total of Size Attachments\\\"] ,\\r\\n [\\\"Number of Attachments\\\"] ,\\r\\n [\\\"Email Size\\\"] ,\\r\\n [\\\"Type\\\"] ,\\r\\n [\\\"Sub Type\\\"] ,\\r\\n [\\\"Recipients\\\"] ,\\r\\n [\\\"Direction\\\"] ,\\r\\n [\\\"TLS Version\\\"] ,\\r\\n [\\\"TLS Cipher\\\"] ,\\r\\n [\\\"Delivery Errors\\\"] ,\\r\\n [\\\"Rejection Type\\\"] ,\\r\\n [\\\"Rejection Code\\\"] ,\\r\\n [\\\"Rejection Info\\\"] \\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Inbound Delivery Failures\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"InboundDeliveryFailures\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered == \\\"true\\\" and [\\\"TLS Used\\\"] == \\\"No\\\"\\r\\n| project \\r\\n [\\\"Aggregate ID\\\"] ,\\r\\n [\\\"Processing ID\\\"],\\r\\n [\\\"Delivered\\\"] ,\\r\\n [\\\"Destination IP\\\"] ,\\r\\n [\\\"Host Name\\\"] ,\\r\\n [\\\"Delivery Attempts\\\"] ,\\r\\n [\\\"TLS Used\\\"] ,\\r\\n 
[\\\"Route\\\"] ,\\r\\n [\\\"Account ID\\\"] ,\\r\\n [\\\"Event Time\\\"] ,\\r\\n [\\\"Sender Envelope\\\"] ,\\r\\n [\\\"Message ID\\\"] ,\\r\\n [\\\"Subject\\\"] ,\\r\\n [\\\"Total of Size Attachments\\\"] ,\\r\\n [\\\"Number of Attachments\\\"] ,\\r\\n [\\\"Email Size\\\"] ,\\r\\n [\\\"Type\\\"] ,\\r\\n [\\\"Sub Type\\\"] ,\\r\\n [\\\"Recipients\\\"] ,\\r\\n [\\\"Direction\\\"] ,\\r\\n [\\\"TLS Version\\\"] ,\\r\\n [\\\"TLS Cipher\\\"] ,\\r\\n [\\\"Delivery Errors\\\"] ,\\r\\n [\\\"Rejection Type\\\"] ,\\r\\n [\\\"Rejection Code\\\"] ,\\r\\n [\\\"Rejection Info\\\"] \\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Delivered without TLS\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"MessagesDeliveredwithoutTLS\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 8 - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered == \\\"true\\\" \\r\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Direction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Delivered by Route\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\"\\r\\n| project \\r\\n [\\\"Aggregate ID\\\"] ,\\r\\n [\\\"Processing ID\\\"],\\r\\n [\\\"Delivered\\\"] ,\\r\\n [\\\"Destination IP\\\"] ,\\r\\n [\\\"Host Name\\\"] ,\\r\\n [\\\"Delivery 
Attempts\\\"] ,\\r\\n [\\\"TLS Used\\\"] ,\\r\\n [\\\"Route\\\"] ,\\r\\n [\\\"Account ID\\\"] ,\\r\\n [\\\"Event Time\\\"] ,\\r\\n [\\\"Sender Envelope\\\"] ,\\r\\n [\\\"Message ID\\\"] ,\\r\\n [\\\"Subject\\\"] ,\\r\\n [\\\"Total of Size Attachments\\\"] ,\\r\\n [\\\"Number of Attachments\\\"] ,\\r\\n [\\\"Email Size\\\"] ,\\r\\n [\\\"Type\\\"] ,\\r\\n [\\\"Sub Type\\\"] ,\\r\\n [\\\"Recipients\\\"] ,\\r\\n [\\\"Direction\\\"] ,\\r\\n [\\\"TLS Version\\\"] ,\\r\\n [\\\"TLS Cipher\\\"] ,\\r\\n [\\\"Delivery Errors\\\"] ,\\r\\n [\\\"Rejection Type\\\"] ,\\r\\n [\\\"Rejection Code\\\"] ,\\r\\n [\\\"Rejection Info\\\"] \\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Message Delivery Events\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 7\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered == \\\"true\\\" and Direction == \\\"Outbound\\\"\\r\\n| summarize Count = count() by Direction , Delivered , ['Destination IP'] , ['TLS Used'] \\r\\n| extend geo_info = geo_info_from_ip_address(['Destination IP'])\\r\\n| extend latitude = geo_info.latitude, longitude = geo_info.longitude, country = geo_info.country , state = geo_info.state , city = geo_info.state\\r\\n| where isnotempty(latitude) and isnotempty(longitude)\\r\\n| extend label = strcat(\\r\\n iif(strlen(city) > 0, strcat(city, \\\", \\\"), \\\"\\\"),\\r\\n iif(strlen(state) > 0, strcat(state, \\\", \\\"), \\\"\\\"),\\r\\n country\\r\\n)\\r\\n| extend label = trim(\\\", \\\", label)\\r\\n| extend label = iif(strlen(label) > 0, label, \\\"N/A\\\")\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Delivered Outbound by Destination 
Country\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"locInfoColumn\":\"DestinationIp\",\"latitude\":\"latitude\",\"longitude\":\"longitude\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"labelSettings\":\"label\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"Count\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"578d7b4c-c261-429f-b39e-a7d3c5ef2d66\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type ==\\\"email_antivirus\\\"\\r\\n| make-series Count=count() default=0 on ['Event Time'] 
step 1d by Route\",\"size\":0,\"showAnalytics\":true,\"title\":\"Anti-Virus Traffic\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 1\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_receipt\\\" and Action in~ (\\\"Acc\\\", \\\"Rty\\\") and ['Rejection Type'] ==\\\"Virus Signature Detection\\\"\\r\\n| summarize count() \\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Viruses Rejected\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"count_\",\"parameterName\":\"CountTVR\",\"parameterType\":1},{\"fieldName\":\"count_\",\"parameterName\":\"Tileaction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"query - 0\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_receipt\\\" and isnotempty( ['Spam Info']) and ['Spam Info'] != \\\"[]\\\"\\r\\n| summarize count() \\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Messages Rejected as 
Spam\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"count_\",\"parameterName\":\"CountRS\",\"parameterType\":1},{\"fieldName\":\"count_\",\"parameterName\":\"Tileaction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"green\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_process\\\" and ['Hold Reason'] == \\\"Spm\\\"\\r\\n| summarize count() \\r\\n\\r\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Total Messages Held as Spam\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"exportedParameters\":[{\"fieldName\":\"count_\",\"parameterName\":\"CountHS\",\"parameterType\":1},{\"fieldName\":\"count_\",\"parameterName\":\"Tileaction\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"amethyst\"}},\"showBorder\":false}},\"customWidth\":\"33\",\"name\":\"query - 0 - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\",\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"💡 To view message details, please click on any of the tiles above\"},\"conditionalVisibility\":{\"parameterName\":\"Tileaction\",\"comparison\":\"isEqualTo\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_receipt\\\" and Action in~ (\\\"Acc\\\", \\\"Rty\\\") and [\\\"Rejection Type\\\"] 
==\\\"Virus Signature Detection\\\"\\r\\n| project [\\\"Aggregate ID\\\"], [\\\"Recipients\\\"] , [\\\"Action\\\"] , [\\\"Event Time\\\"] ,[\\\"Sender Envelope\\\"] , [\\\"Message ID\\\"] , [\\\"Subject\\\"] , [\\\"Number of Attachments\\\"] , [\\\"Type\\\"] = Type, [\\\"Sub Type\\\"] , [\\\"Sender IP\\\"] , [\\\"Direction\\\"], [\\\"Sender Header\\\"] , [\\\"TLS Version\\\"] , [\\\"TLS Cipher\\\"] , [\\\"Spam Info\\\"] ,[\\\"Virus Found\\\"] , [\\\"Spam Processing Detail\\\"],[\\\"Rejection Type\\\"] ,[\\\"Rejection Code\\\"], [\\\"Rejection Info\\\"] , [\\\"Processing ID\\\"] , [\\\"Account ID\\\"] \\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Viruses Rejected\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"CountTVR\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 7\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_receipt\\\" and isnotempty(['Spam Info']) and ['Spam Info'] != \\\"[]\\\"\\r\\n| project [\\\"Aggregate ID\\\"], [\\\"Recipients\\\"] , [\\\"Action\\\"] , [\\\"Event Time\\\"] ,[\\\"Sender Envelope\\\"] , [\\\"Message ID\\\"] , [\\\"Subject\\\"] , [\\\"Number of Attachments\\\"] , [\\\"Type\\\"] = Type, [\\\"Sub Type\\\"] , [\\\"Sender IP\\\"] , [\\\"Direction\\\"], [\\\"Sender Header\\\"] , [\\\"TLS Version\\\"] , [\\\"TLS Cipher\\\"] , [\\\"Spam Info\\\"] ,[\\\"Virus Found\\\"] , [\\\"Spam Processing Detail\\\"],[\\\"Rejection Type\\\"] ,[\\\"Rejection Code\\\"], [\\\"Rejection Info\\\"] , [\\\"Processing ID\\\"] , [\\\"Account ID\\\"] \\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Rejected as 
Spam\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true},\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"blue\"}},\"showBorder\":false}},\"conditionalVisibility\":{\"parameterName\":\"CountRS\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 0 - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_process\\\" and ['Hold Reason'] == \\\"Spm\\\"\\r\\n| project [\\\"Aggregate ID\\\"], [\\\"Recipients\\\"] , [\\\"Action\\\"] , [\\\"Event Time\\\"], ['Hold Reason'] ,[\\\"Sender Envelope\\\"] , [\\\"Message ID\\\"] , [\\\"Subject\\\"] , [\\\"Number of Attachments\\\"] , [\\\"Type\\\"] = Type, [\\\"Sub Type\\\"] , [\\\"Sender IP\\\"] , [\\\"Direction\\\"], [\\\"Sender Header\\\"] , [\\\"TLS Version\\\"] , [\\\"TLS Cipher\\\"] , [\\\"Spam Info\\\"] ,[\\\"Virus Found\\\"] , [\\\"Spam Processing Detail\\\"],[\\\"Rejection Type\\\"] ,[\\\"Rejection Code\\\"], [\\\"Rejection Info\\\"] , [\\\"Processing ID\\\"] , [\\\"Account ID\\\"] \\r\\n\\r\\n\\r\\n\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Held as Spam\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"conditionalVisibility\":{\"parameterName\":\"CountHS\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_receipt\\\" and isnotempty(['Virus 
Found'])\\r\\n| summarize Count = count() by ['Sender Envelope'] , Recipients , ['Sender IP'],['Virus Found'] , ['Event Time']\\r\\n| sort by Count desc\\r\\n| extend Sender = ['Sender Envelope'] , Recipient = Recipients , [\\\"Source IP\\\"] = ['Sender IP'], [\\\"Virus Name\\\"] = ['Virus Found']\\r\\n| project Sender, Recipient, [\\\"Source IP\\\"], [\\\"Virus Name\\\"], Count , ['Event Time']\\r\\n| extend Count = iff(isnull(Count), 0, Count)\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Rejected Due to Virus\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true},\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_receipt\\\" and isnotempty(['Spam Info'] ) and ['Spam Info'] != \\\"[]\\\"\\r\\n| summarize Count = count() by ['Sender Envelope'] , Recipients , ['Sender IP'],['Spam Info'] , ['Event Time']\\r\\n| sort by Count desc\\r\\n| extend Sender = ['Sender Envelope'] , Recipient = Recipients , [\\\"Source IP\\\"] = ['Sender IP'], [\\\"Spam Information\\\"] = ['Spam Info'] \\r\\n| project Sender, Recipient, [\\\"Source IP\\\"], [\\\"Spam Information\\\"], Count ,['Event Time']\\r\\n| extend Count = iff(isnull(Count), 0, Count)\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Messages Rejected as 
Spam\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true},\"tileSettings\":{\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"min\":-1,\"palette\":\"blue\"}},\"showBorder\":false}},\"customWidth\":\"50\",\"name\":\"query - 0 - Copy - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"02075565-ceae-47c2-ba15-44b2f74313c4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered == \\\"true\\\" and isnotnull(['TLS Used'])\\r\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by ['TLS Used']\",\"size\":0,\"showAnalytics\":true,\"title\":\"TLS 
Delivery\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 1\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and Delivered== \\\"true\\\" and isnotempty(['TLS Version'])\\r\\n| summarize Count = count(Recipients) by bin(['Event Time'] , 1d), ['TLS Version']\",\"size\":0,\"showAnalytics\":true,\"title\":\"TLS Versions (Delivery)\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"TLS Version\"}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_receipt\\\" and isnotempty(['TLS Version'])\\r\\n| summarize Count = count(Recipients) by bin(['Event Time'] , 1d), ['TLS Version']\",\"size\":0,\"showAnalytics\":true,\"title\":\"TLS Versions (Receipt)\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"TLS Version\"}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and isnotempty(['TLS Cipher'])\\r\\n| summarize count() by Cipher = ['TLS Cipher'] \\r\\n| sort by count_ desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Delivery 
Ciphers\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true},\"chartSettings\":{\"group\":\"Cipher\"}},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy - Copy\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_receipt\\\" and isnotempty(['TLS Cipher'])\\r\\n| summarize count() by Cipher = ['TLS Cipher'] \\r\\n| sort by count_ desc\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Receipt Ciphers\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true},\"chartSettings\":{\"group\":\"Cipher\"}},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_delivery\\\" and ['TLS Used'] == \\\"No\\\" and Delivered == \\\"true\\\"\\r\\n| extend temp = split(Recipients, \\\"@\\\")\\r\\n| extend [\\\"Recipient Domain\\\"] = tostring(temp[1])\\r\\n| summarize Count = count() by [\\\"Recipient Domain\\\"] \\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Recipient Domains not Using TLS\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"*\"}},\"customWidth\":\"50\",\"name\":\"query - 
6\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_receipt\\\" and Action in~ (\\\"Acc\\\", \\\"Rty\\\") and isempty(['TLS Version'])\\r\\n| extend temp = split(['Sender Envelope'], \\\"@\\\")\\r\\n| extend [\\\"Sending Domain\\\"] = tostring(temp[1])\\r\\n| summarize Count = count() by [\\\"Sending Domain\\\"] \\r\\n| top 10 by Count\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top 10 Sending Domains not Using TLS\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\",\"chartSettings\":{\"group\":\"Sending Domain\"}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"group - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cbe43313-4782-4061-b7c0-d48e146bfeb1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time 
Range\",\"type\":4,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastDLP\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Action\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Data Leak Prevention Events\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"chartSettings\":{\"group\":\"*\",\"createOtherGroup\":25,\"seriesLabelSettings\":[{\"seriesName\":\"data_leak_prevention_notification\",\"label\":\"Notification\"},{\"seriesName\":\"data_leak_prevention_hold\",\"label\":\"Hold\"},{\"seriesName\":\"data_leak_prevention_smart_folder\",\"label\":\"Smart Folder\"},{\"seriesName\":\"data_leak_prevention_secure_messaging\",\"label\":\"Secure Messaging\"},{\"seriesName\":\"data_leak_prevention_secure_delivery\",\"label\":\"Secure Delivery\"},{\"seriesName\":\"data_leak_prevention_bounce\",\"label\":\"Bounce\"},{\"seriesName\":\"data_leak_prevention_stationery\",\"label\":\"Stationary\"},{\"seriesName\":\"data_leak_prevention_delete\",\"label\":\"Delete\"},{\"seriesName\":\"data_leak_prevention_meta_expire\",\"label\":\"Meta Expire\"},{\"seriesName\":\"data_leak_prevention_content_expire\",\"label\":\"Content 
Expire\"}]}},\"name\":\"query - 23\",\"styleSettings\":{\"margin\":\"5px\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastDLP\\n| summarize count() by Route\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"DLP Events by Route\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Route\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 30\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastDLP\\n| summarize count() by Action\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"DLP Events by Actions Triggered\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Action\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 29\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastDLP\\n| summarize count() by Policy\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"DLP Events by Policies Triggered\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Policy\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 27\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"33%\"}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"group - 
36\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ba10bbf5-0743-4e41-8555-11302a815979\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_iep\\\"\\r\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Route\",\"size\":0,\"showAnalytics\":true,\"title\":\"Internal Email Protection by Route\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_iep\\\"\\r\\n| project\\r\\n ['Aggregate ID'],\\r\\n ['Processing ID'] ,\\r\\n ['Account ID'] ,\\r\\n Type,\\r\\n ['Event Time'],\\r\\n ['Sender Envelope'] ,\\r\\n Subject,\\r\\n Recipients,\\r\\n ['Url Category'],\\r\\n ['Scan Results'] ,\\r\\n Route,\\r\\n ['Message ID'] ,\\r\\n ['Monitored Domain Source'] ,\\r\\n ['Similar Domain'] ,\\r\\n ['Sub 
Type'] \",\"size\":0,\"showAnalytics\":true,\"title\":\"Internal Event Protection Events\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ba10bbf5-0743-4e41-8555-11302a815979\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_journal\\\"\\r\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Direction\",\"size\":0,\"showAnalytics\":true,\"title\":\"Journal Messages by 
Direction\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_journal\\\"\\r\\n| project\\r\\n ['Aggregate ID'] ,\\r\\n ['Processing ID'],\\r\\n ['Account ID'],\\r\\n Type,\\r\\n ['Event Time'],\\r\\n ['Sender Envelope'] ,\\r\\n Recipients,\\r\\n Direction,\\r\\n ['Sub Type'] \",\"size\":0,\"showAnalytics\":true,\"title\":\"Journal Message Events\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 2\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"9\"},\"name\":\"group - 8 - Copy\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"3301a4a8-8498-43bd-8a9b-fd331320f2a6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time 
Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type ==\\\"email_spam\\\" and isnotempty(Route)\\r\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Route\",\"size\":0,\"showAnalytics\":true,\"title\":\"Spam Messages by Route\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\"},\"name\":\"query - 1\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_spam\\\"\\r\\n| project\\r\\n ['Aggregate ID'] ,\\r\\n ['Processing ID'],\\r\\n ['Account ID'] ,\\r\\n Type,\\r\\n ['Event Time'],\\r\\n ['Sender Envelope'] ,\\r\\n Subject,\\r\\n Recipients,\\r\\n ['Sender IP'] ,\\r\\n ['Sender Domain'] ,\\r\\n ['Sender Header'],\\r\\n Route,\\r\\n ['Sub Type'] \",\"size\":0,\"showAnalytics\":true,\"title\":\"Spam Message Events\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":10000,\"filter\":true}},\"name\":\"query - 
2\",\"styleSettings\":{\"margin\":\"5px\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastCG\\r\\n| where Type == \\\"email_spam\\\" and isnotempty(['Sender IP'])\\r\\n| extend senderGeoDetails = geo_info_from_ip_address(['Sender IP'])\\r\\n| extend latitude = senderGeoDetails.latitude, longitude = senderGeoDetails.longitude, country = senderGeoDetails.country, state = senderGeoDetails.state, city = senderGeoDetails.city\\r\\n| where isnotempty(latitude) and isnotempty(longitude)\\r\\n| extend label = strcat(\\r\\n iif(strlen(city) > 0, strcat(city, \\\", \\\"), \\\"\\\"),\\r\\n iif(strlen(state) > 0, strcat(state, \\\", \\\"), \\\"\\\"),\\r\\n country\\r\\n)\\r\\n| extend label = trim(\\\", \\\", label)\\r\\n| extend label = iif(strlen(label) > 0, label, \\\"N/A\\\")\\r\\n| summarize count() by tostring(latitude), tostring(longitude), label\",\"size\":0,\"showAnalytics\":true,\"title\":\"Spam Messages by Source Country\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"map\",\"mapSettings\":{\"locInfo\":\"LatLong\",\"latitude\":\"latitude\",\"longitude\":\"longitude\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"minData\":-1,\"labelSettings\":\"label\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"nodeColorField\":\"count_\",\"colorAggregation\":\"Sum\",\"type\":\"heatmap\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"5px\",\"maxWidth\":\"50%\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"group - 10\"},{\"type\":1,\"content\":{\"json\":\"#### 📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 
7\"}],\"fromTemplateId\":\"Sentinel-Mimecast-Secure-Email-Gateway-Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]", + "properties": { + "description": "@{workbookKey=Mimecast_SEG_Workbook; logoFileName=Mimecast.svg; description=A workbook providing insights into Mimecast Secure Email Gateway.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Mimecast Secure Email Gateway Workbook; templateRelativePath=Mimecast_SEG_Workbook.json; subtitle=; provider=Mimecast}.description", + "parentId": "[variables('workbookId4')]", + "contentId": "[variables('_workbookContentId4')]", + "kind": "Workbook", + "version": "[variables('workbookVersion4')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "SEG_CG_CL", + "kind": "DataType" + }, + { + "contentId": "Seg_Dlp_CL", + "kind": "DataType" + }, + { + "contentId": "MimecastSEGAPI", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + 
"contentId": "[variables('_workbookContentId4')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook4-name')]", + "contentProductId": "[variables('_workbookcontentProductId4')]", + "id": "[variables('_workbookcontentProductId4')]", + "version": "[variables('workbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_TTP_Workbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId5')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "A workbook providing insights into Mimecast Targeted Threat Protection." 
+ }, + "properties": { + "displayName": "[parameters('workbook5-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"82fedb33-961a-4199-a5ab-16340948ed10\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"value\":{\"durationMs\":1209600000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"# Advanced Threat Detections\"},\"name\":\"text - 17\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let TableMapping = dynamic(\\n {\\n \\\"Ttp_Url_CL\\\" : \\\"URL Protect\\\",\\n \\\"Ttp_Attachment_CL\\\" : \\\"Attachment Protect\\\",\\n \\\"Ttp_Impersonation_CL\\\" : \\\"Impersonation Protect\\\"\\n });\\nunion MimecastTTPUrl, MimecastTTPAttachment, MimecastTTPImpersonation\\n| extend Type = tostring(TableMapping[Type])\\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Type\",\"size\":3,\"showAnalytics\":true,\"title\":\"Detection counts for Attachment Protect, URL Protect and Impersonation 
Protect\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Type\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"Type\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"nodeIdField\":\"Type\",\"sourceIdField\":\"Count\",\"targetIdField\":\"Type\",\"graphOrientation\":3,\"showOrientationToggles\":false,\"staticNodeSize\":100,\"hivesMargin\":5},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"MimecastTTPUrl\",\"label\":\"URL Protect\"},{\"seriesName\":\"MimecastTTPAttachment\",\"label\":\"Attachment Protect\"},{\"seriesName\":\"MimecastTTPImpersonation\",\"label\":\"Impersonation Protect\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Count\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Count\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Count\",\"heatmapPalette\":\"greenRed\"}}},\"name\":\"query - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"0a398a65-91c9-4af5-8a10-c2fd5bdf205a\",\"cellValue\":\"setTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"URL Protect\",\"subTarget\":\"url\",\"preText\":\"\",\"style\":\"link\"},{\"id\":\"f3d459a1-2475-4589-95dd-e614960b82f9\",\"cellValue\":\"setTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Attachment 
Protect\",\"subTarget\":\"attachment\",\"style\":\"link\"},{\"id\":\"323ca7b8-5d5b-41e1-8d0d-a6cdb385f2e3\",\"cellValue\":\"setTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Impersonation Protect\",\"subTarget\":\"impersonation\",\"style\":\"link\"}]},\"name\":\"links - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\"\\n| make-series Count=count() default=0 on ['Event Time'] step 1d\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Malicious URL Detections\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"graphSettings\":{\"type\":0},\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"MimecastTTPUrl\",\"label\":\"URL Protect\"}]},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"name\":\"query - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\"\\n and ['From User Email Address'] contains \\\"@\\\"\\n| summarize count() by ['From User Email Address']\\n| top 10 by count_\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Senders of Malicious URLs\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"From User Email Address\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == 
\\\"malicious\\\" and isnotempty(Url)\\n| summarize count() by Url\\n| top 10 by count_\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Malicious URLs\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Url\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\"\\n and ['User Email Address'] contains \\\"@\\\"\\n| summarize count() by ['User Email Address']\\n| top 10 by count_\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Targeted Recipients\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"User Email Address\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true,\"ySettings\":{\"numberFormatSettings\":{\"unit\":0,\"options\":{\"style\":\"decimal\",\"useGrouping\":true}}}}},\"customWidth\":\"33\",\"name\":\"query - 4\"}]},\"name\":\"dounts group 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(['Advanced Phishing Result Credential Theft Brands'])\\n| summarize count() by ['Advanced Phishing Result Credential Theft Brands']\\n| top 10 by count_\\n\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Advanced Phishing Results - Credential Theft 
Brands\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"advancedPhishingResult_CredentialTheftTags_s\",\"sortOrder\":1}]},\"sortBy\":[{\"itemKey\":\"advancedPhishingResult_CredentialTheftTags_s\",\"sortOrder\":1}],\"chartSettings\":{\"group\":\"Advanced Phishing Result Credential Theft Brands\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty( ['Advanced Phishing Result Credential Theft Evidence'])\\n| summarize count() by ['Advanced Phishing Result Credential Theft Evidence']\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Advanced Phishing Results - Credential Theft Evidence\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false},\"chartSettings\":{\"group\":\"Advanced Phishing Result Credential Theft Evidence\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(['Advanced Phishing Result Credential Theft Tags'])\\n| summarize count() by ['Advanced Phishing Result Credential Theft Tags']\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Advanced Phishing Result - Credential Theft 
Tags\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"hierarchySettings\":{\"treeType\":1,\"groupBy\":[\"advancedPhishingResult_CredentialTheftTags_s\"]},\"labelSettings\":[{\"columnId\":\"advancedPhishingResult_CredentialTheftTags_s\",\"label\":\"Credential Theft Tags\"},{\"columnId\":\"url_s\",\"label\":\"URLs\"},{\"columnId\":\"count_\",\"label\":\"Occurences\"}]},\"chartSettings\":{\"group\":\"Advanced Phishing Result Credential Theft Tags\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 14\"}]},\"name\":\"dounts group 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(['Ttp Definition'])\\n| summarize count() by ['Ttp Definition']\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 URL Protect Definitions\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Ttp Definition\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(['Admin Override'])\\n| summarize count() by ['Admin Override']\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Admin 
Over-rides\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Admin Override\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 19\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(Action)\\n| summarize count() by Action\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 URL Protect Actions\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Action\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 18\"}]},\"name\":\"dounts group 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(['User Override'])\\n| summarize count() by ['User Override']\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User Over-rides\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"User Override\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 22\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(['Sending IP'])\\n| summarize 
count() by ['Sending IP']\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Sending IP Addresses\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Sending IP\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 26\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(Category)\\n| summarize count() by Category\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Categories\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Category\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 24\"}]},\"name\":\"dounts group 4\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(['User Awareness Action'])\\n| summarize count() by ['User Awareness Action']\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 User Awareness Action\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"User Awareness Action\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 
27\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(Subject)\\n| summarize count() by Subject\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Email Subjects Related To Malicious URLs\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Subject\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 31\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPUrl\\n| where ['Scan Result'] == \\\"malicious\\\" and isnotempty(Actions)\\n| summarize count() by Actions\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Internal Email Protect Mitigations by Actions\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Actions\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 30\"}]},\"name\":\"dounts group 5\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 6\"}]},\"conditionalVisibility\":{\"parameterName\":\"setTab\",\"comparison\":\"isEqualTo\",\"value\":\"url\"},\"name\":\"group - 8\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment \\n| where Result != \\\"safe\\\"\\n| make-series Count=count() default=0 on ['Event Time'] step 1d\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Malicious Attachment 
Detections\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"MimecastTTPAttachment\",\"label\":\"Attachment Protect\"}]}},\"name\":\"query - 13\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment\\n| where Result != \\\"safe\\\"\\n and ['Recipient Address'] contains \\\"@\\\"\\n| summarize count() by ['Recipient Address']\\n| top 10 by count_\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Recipients of Malicious Attachments\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Recipient Address\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment\\n| where Result != \\\"safe\\\" and isnotempty(['Action Triggered'])\\n| summarize count() by ['Action Triggered']\\n| top 10 by count_\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Protection Actions Triggered\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Action Triggered\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment\\n| where Result != \\\"safe\\\"\\n and ['Sender 
Address'] contains \\\"@\\\"\\n| summarize count() by ['Sender Address']\\n| top 10 by count_\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Senders of Malicious Attachments\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Sender Address\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 6\"}]},\"name\":\"dounts group 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment\\n| where Result != \\\"safe\\\" and isnotempty(['File Type'])\\n| summarize count() by ['File Type']\\n| top 10 by count_\\n\\n\\n\\n\\n\\n\\n\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Malicious Attachment File Types\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"File Type\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment\\n| where Result != \\\"safe\\\" and isnotempty(Details)\\n| summarize count() by Details\\n| top 10 by count_\\n\\n\\n\\n\\n\\n\\n\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Attachment Protect Event 
Details\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Details\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 13\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment\\n| where isnotempty(Result)\\n| summarize count() by Result\\n\\n\\n\\n\\n\\n\\n\\n\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Attachment Event Results\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Result\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"33\",\"name\":\"query - 12\"}]},\"name\":\"dounts group 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment\\n| where Result != \\\"safe\\\" and isnotempty(Subject)\\n| summarize count() by Subject\\n| top 10 by count_\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Subjects for Emails Containing Malicious Attachments\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Subject\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 16\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPAttachment\\n| where Result != \\\"safe\\\" and isnotempty(['File Hash'])\\n| summarize count() by ['File Hash']\\n| top 10 by 
count_\\n\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Malicious Sha256 File Hashes\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"File Hash\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 18\"}]},\"name\":\"dounts group 3\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"setTab\",\"comparison\":\"isEqualTo\",\"value\":\"attachment\"},\"name\":\"group - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPImpersonation\\n| where ['Tagged Malicious'] == true\\n| make-series Count=count() default=0 on ['Event Time'] step 1d\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Malicious Impersonation Detections\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"count_\",\"label\":\"Impersonation Protect\"}]}},\"name\":\"query - 12\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPImpersonation\\n| where ['Tagged Malicious'] == true\\n and ['Recipient Address'] contains \\\"@\\\"\\n| summarize count() by ['Recipient Address']\\n| top 10 by count_\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Recipients of Impersonation 
Emails\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Recipient Address\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 7\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPImpersonation\\n| where ['Tagged Malicious'] == true\\n and ['Sender Address'] contains \\\"@\\\"\\n| summarize count() by ['Sender Address']\\n| top 10 by count_\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Top 10 Senders of Impersonation Emails\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Sender Address\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"name\":\"donuts group 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Top 10 Impersonation Events\\n\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPImpersonation\\n| where ['Tagged Malicious'] == true and isnotempty(['Impersonation Results'])\\n| summarize count() by ['Impersonation Results']\\n|extend ['Impersonation Results'] = trim(@\\\"[\\\\[\\\\]]\\\",['Impersonation Results'])\\n|extend ['Impersonation Results'] = trim(@\\\"[\\\\{\\\\}]\\\",['Impersonation Results'])\\n| extend ['Impersonation Results'] = replace_string(['Impersonation Results'],',',', ') \\n| extend ['Impersonation Results'] = replace_string(['Impersonation Results'],'\\\"','') \\n| top 10 by 
count_\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Grouped by Impersonation Result\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"recipientAddress_s\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"graphSettings\":{\"type\":0,\"topContent\":{\"columnMatch\":\"TenantId\",\"formatter\":1},\"centerContent\":{\"columnMatch\":\"hits_d\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}},\"chartSettings\":{\"yAxis\":[\"count_\"],\"group\":\"Impersonation Results\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"count_\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"count_\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"count_\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"MimecastTTPImpersonation\\n| where ['Tagged Malicious'] == true and isnotempty(Identifiers)\\n| summarize count() by Identifiers\\n|extend Identifiers = trim(@\\\"[\\\\[\\\\]]\\\",Identifiers)\\n| extend Identifiers = replace_string(Identifiers,'\\\"','') \\n| top 10 by count_\\n\",\"size\":3,\"showAnalytics\":true,\"title\":\"Grouped by Impersonation 
Identifiers\",\"timeContextFromParameter\":\"Time_Range\",\"showRefreshButton\":true,\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"Identifiers\",\"createOtherGroup\":10,\"showMetrics\":false,\"showLegend\":true}},\"customWidth\":\"50\",\"name\":\"query - 10\"}]},\"name\":\"dounts group 2\"},{\"type\":1,\"content\":{\"json\":\"📝 ***Refresh the web page to fetch details of recently collected events***\"},\"name\":\"text - 3\"}]},\"conditionalVisibility\":{\"parameterName\":\"setTab\",\"comparison\":\"isEqualTo\",\"value\":\"impersonation\"},\"name\":\"group - 6\"}],\"fromTemplateId\":\"Sentinel-Mimecast-Targeted-Threat-Protection-Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId5'),'/'))))]", + "properties": { + "description": "@{workbookKey=Mimecast_TTP_Workbook; logoFileName=Mimecast.svg; description=A workbook providing insights into Mimecast Targeted Threat Protection.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Mimecast Targeted Threat Protection Workbook; templateRelativePath=Mimecast_TTP_Workbook.json; subtitle=; provider=Mimecast}.description", + "parentId": "[variables('workbookId5')]", + "contentId": "[variables('_workbookContentId5')]", + "kind": "Workbook", + "version": "[variables('workbookVersion5')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": 
{ + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "Ttp_Attachment_CL", + "kind": "DataType" + }, + { + "contentId": "Ttp_Impersonation_CL", + "kind": "DataType" + }, + { + "contentId": "Ttp_Url_CL", + "kind": "DataType" + }, + { + "contentId": "MimecastTTPAPI", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId5')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook5-name')]", + "contentProductId": "[variables('_workbookcontentProductId5')]", + "id": "[variables('_workbookcontentProductId5')]", + "version": "[variables('workbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast-Data-Connector-Trigger-Sync Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Mimecast-Data-Connector-Trigger-Sync", + "type": "string" + }, + "Client ID": { + "type": "String", + "metadata": { + "description": "Enter 
the Azure Client ID" + } + }, + "Client Secret": { + "type": "SecureString", + "metadata": { + "description": "Enter the Azure Client Secret" + } + }, + "Resource Group": { + "type": "String", + "metadata": { + "description": "Enter the Azure Resource Group Name in which your Mimecast data connectors are available" + } + }, + "Subscription ID": { + "type": "SecureString", + "metadata": { + "description": "Enter the Azure Subscription ID in which your Mimecast data connectors are available, make sure that the subscription id is as per the Azure portal at all places" + } + }, + "Tenant ID": { + "type": "SecureString", + "metadata": { + "description": "Enter the Azure Tenant ID" + } + } + }, + "variables": { + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Client ID": { + "defaultValue": "[[trim(parameters('Client ID'))]", + "type": "String" + }, + "Client Secret": { + "defaultValue": "[[trim(parameters('Client Secret'))]", + "type": "SecureString" + }, + "Resource Group": { + "defaultValue": "[[trim(parameters('Resource Group'))]", + "type": "String" + }, + "Subscription ID": { + "defaultValue": "[[trim(parameters('Subscription ID'))]", + "type": "SecureString" + }, + "Tenant ID": { + "defaultValue": "[[trim(parameters('Tenant ID'))]", + "type": "SecureString" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http" + } + }, + "actions": { + "For_each_app": { + "foreach": "@body('Get_all_Mimecast_Function_apps')", + "actions": { + "Sync_timer_trigger_request": { + "type": 
"Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{body('Parse_Auth_token')?['access_token']} " + }, + "method": "POST", + "uri": "https://@{variables('Manage')}.azure.com/subscriptions/@{variables('Subscription Id')}/resourceGroups/@{variables('Resource Group Name')}/providers/Microsoft.Web/sites/@{items('For_each_app')?['name']}/syncfunctiontriggers?api-version=2022-03-01" + } + } + }, + "runAfter": { + "Get_all_Mimecast_Function_apps": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Auth_token": { + "runAfter": { + "Initialize_Management_variable": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": "client_id=@{variables('Client Id')}&\nclient_secret=@{variables('Client Secret')}&\ngrant_type=client_credentials&\nscope=https://@{variables('Manage')}.azure.com/.default", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "https://login.@{variables('MicrosoftOnline')}.com/@{variables('Tenant Id')}/oauth2/v2.0/token" + } + }, + "Get_all_Mimecast_Function_apps": { + "runAfter": { + "Get_all_running_function_app": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Get_all_running_function_app')", + "where": "@or(startsWith(item()?['name'], 'Mimecast'))" + } + }, + "Get_all_running_function_app": { + "runAfter": { + "Parse_function_app_list": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_function_app_list')?['value']", + "where": "@equals(item()?['properties']?['state'], 'Running')" + } + }, + "Get_function_app_list": { + "runAfter": { + "Parse_Auth_token": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{body('Parse_Auth_token')?['access_token']} " + }, + "method": "GET", + "uri": "https://@{variables('Manage')}.azure.com/subscriptions/@{variables('Subscription Id')}/resourceGroups/@{variables('Resource Group 
Name')}/providers/Microsoft.Web/sites?api-version=2022-03-01" + } + }, + "Initialize_Client_Id": { + "runAfter": { + "Initialize_Tenant_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Client Id", + "type": "string", + "value": "@parameters('Client ID')" + } + ] + } + }, + "Initialize_Client_Secret": { + "runAfter": { + "Initialize_Client_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Client Secret", + "type": "string", + "value": "@parameters('Client Secret')" + } + ] + } + }, + "Initialize_Management_variable": { + "runAfter": { + "Initialize_Microsoftonline_variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Manage", + "type": "string", + "value": "management" + } + ] + } + }, + "Initialize_Microsoftonline_variable": { + "runAfter": { + "Subscription_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "MicrosoftOnline", + "type": "string", + "value": "microsoftonline" + } + ] + } + }, + "Initialize_Resource_Group": { + "runAfter": { + "Initialize_Client_Secret": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Resource Group Name", + "type": "string", + "value": "@parameters('Resource Group')" + } + ] + } + }, + "Initialize_Tenant_Id": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Tenant Id", + "type": "string", + "value": "@parameters('Tenant ID')" + } + ] + } + }, + "Parse_Auth_token": { + "runAfter": { + "Get_Auth_token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Auth_token')", + "schema": { + "properties": { + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + }, + "ext_expires_in": { + "type": "integer" + }, + "token_type": { + "type": "string" + } + }, + "type": 
"object" + } + } + }, + "Parse_function_app_list": { + "runAfter": { + "Get_function_app_list": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_function_app_list')", + "schema": { + "properties": { + "value": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "identity": { + "properties": { + "principalId": { + "type": "string" + }, + "tenantId": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "kind": { + "type": "string" + }, + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "properties": { + "properties": { + "adminEnabled": { + "type": "boolean" + }, + "afdEnabled": { + "type": "boolean" + }, + "availabilityState": { + "type": "string" + }, + "clientAffinityEnabled": { + "type": "boolean" + }, + "clientCertEnabled": { + "type": "boolean" + }, + "clientCertMode": { + "type": "string" + }, + "containerSize": { + "type": "integer" + }, + "contentAvailabilityState": { + "type": "string" + }, + "csrs": { + "type": "array" + }, + "customDomainVerificationId": { + "type": "string" + }, + "dailyMemoryTimeQuota": { + "type": "integer" + }, + "defaultHostName": { + "type": "string" + }, + "defaultHostNameScope": { + "type": "string" + }, + "deploymentId": { + "type": "string" + }, + "dnsConfiguration": { + "type": "object" + }, + "eligibleLogCategories": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "enabledHostNames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "endToEndEncryptionEnabled": { + "type": "boolean" + }, + "ftpUsername": { + "type": "string" + }, + "ftpsHostName": { + "type": "string" + }, + "functionsRuntimeAdminIsolationEnabled": { + "type": "boolean" + }, + "homeStamp": { + "type": "string" + }, + "hostNameSslStates": { + "items": { + "properties": { + "hostType": { + "type": "string" + }, + "ipBasedSslState": { + "type": "string" + }, + "name": { + "type": "string" + }, + "sslState": { + 
"type": "string" + } + }, + "required": [ + "name", + "sslState", + "ipBasedSslResult", + "virtualIP", + "virtualIPv6", + "thumbprint", + "certificateResourceId", + "toUpdate", + "toUpdateIpBasedSsl", + "ipBasedSslState", + "hostType" + ], + "type": "object" + }, + "type": "array" + }, + "hostNames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hostNamesDisabled": { + "type": "boolean" + }, + "httpsOnly": { + "type": "boolean" + }, + "hyperV": { + "type": "boolean" + }, + "inboundIpAddress": { + "type": "string" + }, + "ipMode": { + "type": "string" + }, + "isXenon": { + "type": "boolean" + }, + "keyVaultReferenceIdentity": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "lastModifiedTimeUtc": { + "type": "string" + }, + "name": { + "type": "string" + }, + "outboundIpAddresses": { + "type": "string" + }, + "possibleInboundIpAddresses": { + "type": "string" + }, + "possibleOutboundIpAddresses": { + "type": "string" + }, + "redundancyMode": { + "type": "string" + }, + "repositorySiteName": { + "type": "string" + }, + "reserved": { + "type": "boolean" + }, + "resourceGroup": { + "type": "string" + }, + "runtimeAvailabilityState": { + "type": "string" + }, + "scmSiteAlsoStopped": { + "type": "boolean" + }, + "secretsCollection": { + "type": "array" + }, + "selfLink": { + "type": "string" + }, + "serverFarmId": { + "type": "string" + }, + "siteConfig": { + "properties": { + "acrUseManagedIdentityCreds": { + "type": "boolean" + }, + "alwaysOn": { + "type": "boolean" + }, + "functionAppScaleLimit": { + "type": "integer" + }, + "http20Enabled": { + "type": "boolean" + }, + "linuxFxVersion": { + "type": "string" + }, + "minimumElasticInstanceCount": { + "type": "integer" + }, + "numberOfWorkers": { + "type": "integer" + } + }, + "type": "object" + }, + "siteDisabledReason": { + "type": "integer" + }, + "siteProperties": { + "properties": { + "properties": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + 
"type": [ + "string", + "null" + ] + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "sku": { + "type": "string" + }, + "state": { + "type": "string" + }, + "storageAccountRequired": { + "type": "boolean" + }, + "storageRecoveryDefaultState": { + "type": "string" + }, + "usageState": { + "type": "string" + }, + "vnetBackupRestoreEnabled": { + "type": "boolean" + }, + "vnetContentShareEnabled": { + "type": "boolean" + }, + "vnetImagePullEnabled": { + "type": "boolean" + }, + "vnetRouteAllEnabled": { + "type": "boolean" + }, + "webSpace": { + "type": "string" + } + }, + "type": "object" + }, + "tags": { + "properties": { + "Jira": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type", + "kind", + "location", + "properties" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Subscription_Id": { + "runAfter": { + "Initialize_Resource_Group": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Subscription Id", + "type": "string", + "value": "@parameters('Subscription ID')" + } + ] + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Mimecast-Data-Connector-Trigger-Sync", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": "[variables('TemplateEmptyArray')]" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + 
"properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ], + "metadata": { + "title": "Mimecast-Data-Connector-Trigger-Sync", + "description": "Playbook to sync timer trigger of all Mimecast data connectors.", + "prerequisites": [ + "Users must have a below Microsoft credentials:", + "1.Tenant ID", + "2.Client ID", + "3.Client Secret", + "4.Resource Group Name", + "5.Subscription ID" + ], + "postDeployment": [ + "Run the playbook to sync timer trigger of all Mimecast data connectors." + ], + "tags": [ + "Mimecast", + "Sync", + "Timer", + "Trigger" + ], + "lastUpdateTime": "2024-09-24T14:43:22.217Z", + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "Mimecast-Data-Connector-Trigger-Sync", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_AT_Performane_Detail Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast Awareness Training Performance Details", + "category": "Microsoft Sentinel Parser", + "functionAlias": "AwarenessPerformanceDetails", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet Awareness_Performance_Details_view = view() {\nunion isfuzzy=true dummy_table,\nAwareness_Performance_Details_CL\n| extend [\"Email\"] = column_ifexists('email_s', ''),\n [\"Name\"] = column_ifexists('name_s', ''),\n [\"Num of Correct\"] = column_ifexists('numCorrect_d', ''),\n [\"Num of Incorrect\"] = column_ifexists('numIncorrect_d', ''),\n [\"Num of Not Watched\"] = column_ifexists('numNotWatched_d', ''),\n [\"User Details\"] = column_ifexists('userDetails_s',''),\n [\"User State\"] = column_ifexists('userState_s',''),\n [\"Department\"] = column_ifexists('department_s',''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated','')\n | summarize arg_max([\"Time Generated\"] , *) by [\"Email\"] ,[\"Num of Correct\"] , [\"Num of Incorrect\"], [\"Num of Not Watched\"],[\"Name\"] , [\"User Details\"] , [\"User State\"] , [\"Department\"]\n| project [\"Email\"] ,[\"Num of Correct\"] , [\"Num of Incorrect\"], [\"Num of Not Watched\"],[\"Name\"] , [\"User Details\"] , 
[\"User State\"] , [\"Department\"]\n};\nAwareness_Performance_Details_view\n \n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessPerformanceDetails')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "name": "Mimecast", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject1').parserContentId1]", + "contentKind": "Parser", + "displayName": "Parser for Mimecast Awareness Training Performance Details", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", + "version": 
"[variables('parserObject1').parserVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject1')._parserName1]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast Awareness Training Performance Details", + "category": "Microsoft Sentinel Parser", + "functionAlias": "AwarenessPerformanceDetails", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet Awareness_Performance_Details_view = view() {\nunion isfuzzy=true dummy_table,\nAwareness_Performance_Details_CL\n| extend [\"Email\"] = column_ifexists('email_s', ''),\n [\"Name\"] = column_ifexists('name_s', ''),\n [\"Num of Correct\"] = column_ifexists('numCorrect_d', ''),\n [\"Num of Incorrect\"] = column_ifexists('numIncorrect_d', ''),\n [\"Num of Not Watched\"] = column_ifexists('numNotWatched_d', ''),\n [\"User Details\"] = column_ifexists('userDetails_s',''),\n [\"User State\"] = column_ifexists('userState_s',''),\n [\"Department\"] = column_ifexists('department_s',''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated','')\n | summarize arg_max([\"Time Generated\"] , *) by [\"Email\"] ,[\"Num of Correct\"] , [\"Num of Incorrect\"], [\"Num of Not Watched\"],[\"Name\"] , [\"User Details\"] , [\"User State\"] , [\"Department\"]\n| project [\"Email\"] ,[\"Num of Correct\"] , [\"Num of Incorrect\"], [\"Num of Not Watched\"],[\"Name\"] , [\"User Details\"] , [\"User State\"] , [\"Department\"]\n};\nAwareness_Performance_Details_view\n \n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', 
last(split(variables('parserObject1')._parserId1,'/'))))]", + "dependsOn": [ + "[variables('parserObject1')._parserId1]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessPerformanceDetails')]", + "contentId": "[variables('parserObject1').parserContentId1]", + "kind": "Parser", + "version": "[variables('parserObject1').parserVersion1]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject2').parserTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_AT_Safe_Score Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject2').parserVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject2')._parserName2]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast Awareness Training Safe Score", + "category": "Microsoft Sentinel Parser", + "functionAlias": "AwarenessSafeScore", + "query": "let dummy_table = 
datatable(TimeGenerated: datetime) [];\nlet Awareness_Safe_Score_view = view() {\nunion isfuzzy=true dummy_table,\nAwareness_SafeScore_Details_CL\n| extend [\"Email Address\"] = column_ifexists('emailAddress_s', ''),\n [\"Name\"] = column_ifexists('name_s', ''),\n [\"Risk\"] = column_ifexists('risk_s', ''),\n [\"Human Error\"]= column_ifexists('humanError_s', ''),\n [\"Sentiment\"] = column_ifexists('sentiment_s', ''),\n [\"Engagement\"] = column_ifexists('engagement_s', ''),\n [\"Knowledge\"] = column_ifexists('knowledge_s', ''),\n [\"User State\"] = column_ifexists('userState_s', ''),\n [\"Department\"] = column_ifexists('department_s', ''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated', '')\n| summarize arg_max([\"Time Generated\"] , *) by [\"Email Address\"] , [\"Name\"] , [\"Risk\"] , [\"Human Error\"] , [\"Sentiment\"] , [\"Engagement\"] , [\"Knowledge\"], [\"User State\"] , [\"Department\"] \n| project [\"Email Address\"] , [\"Name\"] , [\"Risk\"] , [\"Human Error\"] , [\"Sentiment\"] , [\"Engagement\"] , [\"Knowledge\"], [\"User State\"] , [\"Department\"] \n};\nAwareness_Safe_Score_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessSafeScore')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "name": "Mimecast", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + 
"name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject2').parserContentId2]", + "contentKind": "Parser", + "displayName": "Parser for Mimecast Awareness Training Safe Score", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", + "version": "[variables('parserObject2').parserVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject2')._parserName2]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast Awareness Training Safe Score", + "category": "Microsoft Sentinel Parser", + "functionAlias": "AwarenessSafeScore", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet Awareness_Safe_Score_view = view() {\nunion isfuzzy=true dummy_table,\nAwareness_SafeScore_Details_CL\n| extend [\"Email Address\"] = column_ifexists('emailAddress_s', ''),\n [\"Name\"] = column_ifexists('name_s', ''),\n [\"Risk\"] = column_ifexists('risk_s', ''),\n [\"Human Error\"]= column_ifexists('humanError_s', ''),\n [\"Sentiment\"] = column_ifexists('sentiment_s', ''),\n [\"Engagement\"] = column_ifexists('engagement_s', ''),\n [\"Knowledge\"] = 
column_ifexists('knowledge_s', ''),\n [\"User State\"] = column_ifexists('userState_s', ''),\n [\"Department\"] = column_ifexists('department_s', ''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated', '')\n| summarize arg_max([\"Time Generated\"] , *) by [\"Email Address\"] , [\"Name\"] , [\"Risk\"] , [\"Human Error\"] , [\"Sentiment\"] , [\"Engagement\"] , [\"Knowledge\"], [\"User State\"] , [\"Department\"] \n| project [\"Email Address\"] , [\"Name\"] , [\"Risk\"] , [\"Human Error\"] , [\"Sentiment\"] , [\"Engagement\"] , [\"Knowledge\"], [\"User State\"] , [\"Department\"] \n};\nAwareness_Safe_Score_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessSafeScore')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject3').parserTemplateSpecName3]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_AT_User_Data Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject3').parserVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject3')._parserName3]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast Awareness Training User Data", + "category": "Microsoft Sentinel Parser", + "functionAlias": "AwarenessUserData", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet Awareness_User_Data_view = view() {\nunion isfuzzy=true dummy_table,\nAwareness_User_Data_CL\n| extend [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n[\"Time Reported\"] = column_ifexists('timeReported_t', ''),\n[\"Name\"] = column_ifexists('name_s', ''),\n[\"Email\"] = column_ifexists('email_s', ''),\n[\"Template Name\"] = column_ifexists('templateName_s', ''),\n[\"Status\"] = column_ifexists('status_s', ''),\n[\"Num of Campaigns Clicked\"] = column_ifexists('numCampaignsClicked_d', ''),\n[\"Num of Campaigns Sent\"] = column_ifexists('numCampaignsSent_d', ''),\n[\"Num of Correct Answers\"] = column_ifexists('numCorrectAnswers_d', ''),\n[\"Num of Training Modules Assigned\"] = column_ifexists('numTrainingModulesAssigned_d', ''),\n[\"Num of Incorrect Answers\"] = column_ifexists('numIncorrectAnswers_d', ''),\n[\"User State\"] = column_ifexists('userState_s', ''),\n[\"Clicked IP\"] = column_ifexists('clickedIp_s', 
''),\n[\"Reaction Time\"] = column_ifexists('reactionTime_d', ''),\n[\"Time Opened\"] = column_ifexists('timeOpened_t', ''),\n[\"Department\"] = column_ifexists('department_s', ''),\n[\"Time Scheduled\"] = column_ifexists('timeScheduled_t',''),\n[\"Time Clicked\"] = column_ifexists('timeClicked_t', '')\n| summarize arg_max([\"Time Generated\"] , *) by [\"Time Reported\"] , [\"Name\"], [\"Email\"] , [\"Template Name\"], [\"Status\"] , [\"Num of Campaigns Clicked\"], [\"Num of Campaigns Sent\"], [\"Num of Correct Answers\"] , [\"Num of Training Modules Assigned\"] , [\"Num of Incorrect Answers\"] , [\"User State\"], [\"Clicked IP\"], [\"Reaction Time\"], [\"Time Opened\"], [\"Time Clicked\"] , [\"Time Scheduled\"] , [\"Department\"]\n| project [\"Time Reported\"] , [\"Name\"], [\"Email\"] , [\"Template Name\"], [\"Status\"] , [\"Num of Campaigns Clicked\"], [\"Num of Campaigns Sent\"], [\"Num of Correct Answers\"] , [\"Num of Training Modules Assigned\"] , [\"Num of Incorrect Answers\"] , [\"User State\"], [\"Clicked IP\"], [\"Reaction Time\"], [\"Time Opened\"], [\"Time Clicked\"] , [\"Time Scheduled\"] , [\"Department\"]\n};\nAwareness_User_Data_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", + "dependsOn": [ + "[variables('parserObject3')._parserId3]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessUserData')]", + "contentId": "[variables('parserObject3').parserContentId3]", + "kind": "Parser", + "version": "[variables('parserObject3').parserVersion3]", + "source": { + "name": "Mimecast", + "kind": "Solution", + "sourceId": 
"[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject3').parserContentId3]", + "contentKind": "Parser", + "displayName": "Parser for Mimecast Awareness Training User Data", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject3').parserContentId3,'-', '1.0.0')))]", + "version": "[variables('parserObject3').parserVersion3]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject3')._parserName3]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast Awareness Training User Data", + "category": "Microsoft Sentinel Parser", + "functionAlias": "AwarenessUserData", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet Awareness_User_Data_view = view() {\nunion isfuzzy=true dummy_table,\nAwareness_User_Data_CL\n| extend [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n[\"Time Reported\"] = column_ifexists('timeReported_t', ''),\n[\"Name\"] = column_ifexists('name_s', ''),\n[\"Email\"] = column_ifexists('email_s', ''),\n[\"Template Name\"] = column_ifexists('templateName_s', ''),\n[\"Status\"] = 
column_ifexists('status_s', ''),\n[\"Num of Campaigns Clicked\"] = column_ifexists('numCampaignsClicked_d', ''),\n[\"Num of Campaigns Sent\"] = column_ifexists('numCampaignsSent_d', ''),\n[\"Num of Correct Answers\"] = column_ifexists('numCorrectAnswers_d', ''),\n[\"Num of Training Modules Assigned\"] = column_ifexists('numTrainingModulesAssigned_d', ''),\n[\"Num of Incorrect Answers\"] = column_ifexists('numIncorrectAnswers_d', ''),\n[\"User State\"] = column_ifexists('userState_s', ''),\n[\"Clicked IP\"] = column_ifexists('clickedIp_s', ''),\n[\"Reaction Time\"] = column_ifexists('reactionTime_d', ''),\n[\"Time Opened\"] = column_ifexists('timeOpened_t', ''),\n[\"Department\"] = column_ifexists('department_s', ''),\n[\"Time Scheduled\"] = column_ifexists('timeScheduled_t',''),\n[\"Time Clicked\"] = column_ifexists('timeClicked_t', '')\n| summarize arg_max([\"Time Generated\"] , *) by [\"Time Reported\"] , [\"Name\"], [\"Email\"] , [\"Template Name\"], [\"Status\"] , [\"Num of Campaigns Clicked\"], [\"Num of Campaigns Sent\"], [\"Num of Correct Answers\"] , [\"Num of Training Modules Assigned\"] , [\"Num of Incorrect Answers\"] , [\"User State\"], [\"Clicked IP\"], [\"Reaction Time\"], [\"Time Opened\"], [\"Time Clicked\"] , [\"Time Scheduled\"] , [\"Department\"]\n| project [\"Time Reported\"] , [\"Name\"], [\"Email\"] , [\"Template Name\"], [\"Status\"] , [\"Num of Campaigns Clicked\"], [\"Num of Campaigns Sent\"], [\"Num of Correct Answers\"] , [\"Num of Training Modules Assigned\"] , [\"Num of Incorrect Answers\"] , [\"User State\"], [\"Clicked IP\"], [\"Reaction Time\"], [\"Time Opened\"], [\"Time Clicked\"] , [\"Time Scheduled\"] , [\"Department\"]\n};\nAwareness_User_Data_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": 
"[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject3')._parserId3,'/'))))]", + "dependsOn": [ + "[variables('parserObject3')._parserId3]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessUserData')]", + "contentId": "[variables('parserObject3').parserContentId3]", + "kind": "Parser", + "version": "[variables('parserObject3').parserVersion3]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject4').parserTemplateSpecName4]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_AT_Watchlist Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject4').parserVersion4]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject4')._parserName4]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast Awareness Training Watchlist", + 
"category": "Microsoft Sentinel Parser", + "functionAlias": "AwarenessWatchlist", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet Awareness_Watchlist_view = view() {\nunion isfuzzy=true dummy_table,\nAwareness_Watchlist_Details_CL\n| extend [\"Email\" ]= column_ifexists('email_s', ''),\n [\"Name\"] = column_ifexists('name_s', ''),\n [\"Watchlist Count\"] = column_ifexists('watchlistCount_d', 0),\n [\"User State\"] = column_ifexists('userState_s', ''),\n [\"Department\"] = column_ifexists('department_s', ''),\n [\"Time Generated\"] = column_ifexists('Time Generated', '')\n| summarize arg_max([\"Time Generated\"], *) by [\"Email\" ], [\"Name\"] , [\"Watchlist Count\"] , [\"User State\"], [\"Department\"]\n| project [\"Time Generated\"], [\"Email\" ], [\"Name\"] , [\"Watchlist Count\"] , [\"User State\"], [\"Department\"]\n};\nAwareness_Watchlist_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", + "dependsOn": [ + "[variables('parserObject4')._parserId4]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessWatchlist')]", + "contentId": "[variables('parserObject4').parserContentId4]", + "kind": "Parser", + "version": "[variables('parserObject4').parserVersion4]", + "source": { + "name": "Mimecast", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + 
"packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject4').parserContentId4]", + "contentKind": "Parser", + "displayName": "Parser for Mimecast Awareness Training Watchlist", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject4').parserContentId4,'-', '1.0.0')))]", + "version": "[variables('parserObject4').parserVersion4]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject4')._parserName4]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast Awareness Training Watchlist", + "category": "Microsoft Sentinel Parser", + "functionAlias": "AwarenessWatchlist", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet Awareness_Watchlist_view = view() {\nunion isfuzzy=true dummy_table,\nAwareness_Watchlist_Details_CL\n| extend [\"Email\" ]= column_ifexists('email_s', ''),\n [\"Name\"] = column_ifexists('name_s', ''),\n [\"Watchlist Count\"] = column_ifexists('watchlistCount_d', 0),\n [\"User State\"] = column_ifexists('userState_s', ''),\n [\"Department\"] = column_ifexists('department_s', ''),\n [\"Time Generated\"] = column_ifexists('Time Generated', '')\n| summarize arg_max([\"Time Generated\"], *) by [\"Email\" ], [\"Name\"] , [\"Watchlist Count\"] , [\"User State\"], [\"Department\"]\n| project [\"Time Generated\"], [\"Email\" ], [\"Name\"] , [\"Watchlist Count\"] , [\"User State\"], 
[\"Department\"]\n};\nAwareness_Watchlist_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject4')._parserId4,'/'))))]", + "dependsOn": [ + "[variables('parserObject4')._parserId4]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'AwarenessWatchlist')]", + "contentId": "[variables('parserObject4').parserContentId4]", + "kind": "Parser", + "version": "[variables('parserObject4').parserVersion4]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject5').parserTemplateSpecName5]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_Audit Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject5').parserVersion5]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": 
"[variables('parserObject5')._parserName5]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for MimecastAudit", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastAudit", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet MimecastAudit_view = view() {\nunion isfuzzy=true dummy_table,\nAudit_CL\n| extend [\"Id\"] = column_ifexists('id_s', ''),\n [\"Audit Type\"] = column_ifexists('auditType_s', ''),\n [\"User\"] = column_ifexists('user_s', ''),\n [\"Event Time\"] = column_ifexists('eventTime_t', ''),\n [\"Event Info\"] = column_ifexists('eventInfo_s', ''),\n [\"Category\"] = column_ifexists('Category',''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated','')\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime( [\"Event Time\"] )) \n| parse-kv [\"Event Info\"] as (IP: string, Application:string ) with (pair_delimiter=',', kv_delimiter=':') \n| summarize arg_max(TimeGenerated, *) by [\"Category\"] , [\"Audit Type\"] , [\"User\"] , [\"Event Info\"] , [\"Event Time\"] , [\"Id\"]\n| project [\"Time Generated\"] ,[\"Source IP\"] = IP ,Application , [\"Category\"] , [\"Audit Type\"] , [\"User\"] , [\"Event Info\"] , [\"Event Time\"] , [\"Id\"]\n};\nMimecastAudit_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 
'MimecastAudit')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", + "source": { + "name": "Mimecast", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject5').parserContentId5]", + "contentKind": "Parser", + "displayName": "Parser for MimecastAudit", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject5').parserContentId5,'-', '1.0.0')))]", + "version": "[variables('parserObject5').parserVersion5]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject5')._parserName5]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for MimecastAudit", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastAudit", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet MimecastAudit_view = view() {\nunion isfuzzy=true dummy_table,\nAudit_CL\n| extend [\"Id\"] = column_ifexists('id_s', ''),\n [\"Audit Type\"] = column_ifexists('auditType_s', ''),\n [\"User\"] = column_ifexists('user_s', ''),\n 
[\"Event Time\"] = column_ifexists('eventTime_t', ''),\n [\"Event Info\"] = column_ifexists('eventInfo_s', ''),\n [\"Category\"] = column_ifexists('Category',''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated','')\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime( [\"Event Time\"] )) \n| parse-kv [\"Event Info\"] as (IP: string, Application:string ) with (pair_delimiter=',', kv_delimiter=':') \n| summarize arg_max(TimeGenerated, *) by [\"Category\"] , [\"Audit Type\"] , [\"User\"] , [\"Event Info\"] , [\"Event Time\"] , [\"Id\"]\n| project [\"Time Generated\"] ,[\"Source IP\"] = IP ,Application , [\"Category\"] , [\"Audit Type\"] , [\"User\"] , [\"Event Info\"] , [\"Event Time\"] , [\"Id\"]\n};\nMimecastAudit_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject5')._parserId5,'/'))))]", + "dependsOn": [ + "[variables('parserObject5')._parserId5]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastAudit')]", + "contentId": "[variables('parserObject5').parserContentId5]", + "kind": "Parser", + "version": "[variables('parserObject5').parserVersion5]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + 
"apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject6').parserTemplateSpecName6]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_Cloud_Integrated Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject6').parserVersion6]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject6')._parserName6]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast Cloud Integrated", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastCloudIntegrated", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet MimecastCloudIntegrated = view() {\nunion isfuzzy=true dummy_table,\nCloud_Integrated_CL\n| extend Category = column_ifexists('Category', ''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n [\"Event Time\"] = column_ifexists('timestamp_d', ''),\n ['Account ID'] = column_ifexists('accountId_s', ''),\n ['Aggregate ID'] = column_ifexists('aggregateId_s', ''),\n ['Processing ID'] = column_ifexists('processingId_s', ''),\n ['Message ID'] = column_ifexists('messageId_s', ''),\n [\"Attachments\"] = column_ifexists('attachments_s', ''),\n [\"Recipients\"] = column_ifexists('recipients_s', ''),\n [\"Tags\"] = column_ifexists('tags_s', ''),\n ['Policies Applied'] = column_ifexists('policiesApplied_s', ''),\n ['Historical Mail'] = column_ifexists('historicalMail_b', ''),\n ['Sender IP'] = column_ifexists('senderIp_s', 
''),\n ['Sender Envelope'] = column_ifexists('senderEnvelope_s', ''),\n [\"Subject\"]= column_ifexists('subject_s', ''),\n [\"Source\"] = column_ifexists('source_s', ''),\n ['Threat State'] = column_ifexists('threatState_s', ''),\n ['Threat Type'] = column_ifexists('threatType_s', ''),\n [\"Direction\"] = column_ifexists('direction_s', ''),\n ['Sender Header'] = column_ifexists('senderHeader_s', ''),\n [\"Type\"] = column_ifexists('type_s', ''),\n [\"Subtype\"] = column_ifexists('subtype_s', '')\n| summarize arg_max([\"Time Generated\"] , *) by [\"Event Time\"],\n [\"Type\"],\n ['Account ID'],\n ['Aggregate ID'],\n ['Processing ID'],\n ['Message ID'],\n [\"Attachments\"],\n [\"Recipients\"],\n [\"Tags\"],\n ['Policies Applied'],\n ['Historical Mail'],\n ['Sender IP'],\n ['Sender Envelope'],\n [\"Subject\"],\n [\"Source\"],\n ['Threat State'],\n ['Threat Type'],\n [\"Direction\"],\n ['Sender Header'],\n [\"Subtype\"]\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(unixtime_milliseconds_todatetime( tolong([\"Event Time\"])) ) )\n| project [\"Event Time\"] ,\n [\"Time Generated\"],\n ['Account ID'],\n ['Aggregate ID'],\n ['Processing ID'],\n ['Message ID'],\n [\"Attachments\"],\n [\"Recipients\"],\n [\"Tags\"],\n ['Policies Applied'],\n ['Historical Mail'],\n ['Sender IP'],\n ['Sender Envelope'],\n [\"Subject\"],\n [\"Source\"],\n ['Threat State'],\n ['Threat Type'],\n [\"Direction\"],\n ['Sender Header'],\n [\"Type\"],\n [\"Subtype\"]\n};\nMimecastCloudIntegrated\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", + "dependsOn": [ + "[variables('parserObject6')._parserId6]" + ], + "properties": { + "parentId": 
"[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastCloudIntegrated')]", + "contentId": "[variables('parserObject6').parserContentId6]", + "kind": "Parser", + "version": "[variables('parserObject6').parserVersion6]", + "source": { + "name": "Mimecast", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject6').parserContentId6]", + "contentKind": "Parser", + "displayName": "Parser for Mimecast Cloud Integrated", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject6').parserContentId6,'-', '1.0.0')))]", + "version": "[variables('parserObject6').parserVersion6]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject6')._parserName6]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast Cloud Integrated", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastCloudIntegrated", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet MimecastCloudIntegrated = view() {\nunion isfuzzy=true 
dummy_table,\nCloud_Integrated_CL\n| extend Category = column_ifexists('Category', ''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n [\"Event Time\"] = column_ifexists('timestamp_d', ''),\n ['Account ID'] = column_ifexists('accountId_s', ''),\n ['Aggregate ID'] = column_ifexists('aggregateId_s', ''),\n ['Processing ID'] = column_ifexists('processingId_s', ''),\n ['Message ID'] = column_ifexists('messageId_s', ''),\n [\"Attachments\"] = column_ifexists('attachments_s', ''),\n [\"Recipients\"] = column_ifexists('recipients_s', ''),\n [\"Tags\"] = column_ifexists('tags_s', ''),\n ['Policies Applied'] = column_ifexists('policiesApplied_s', ''),\n ['Historical Mail'] = column_ifexists('historicalMail_b', ''),\n ['Sender IP'] = column_ifexists('senderIp_s', ''),\n ['Sender Envelope'] = column_ifexists('senderEnvelope_s', ''),\n [\"Subject\"]= column_ifexists('subject_s', ''),\n [\"Source\"] = column_ifexists('source_s', ''),\n ['Threat State'] = column_ifexists('threatState_s', ''),\n ['Threat Type'] = column_ifexists('threatType_s', ''),\n [\"Direction\"] = column_ifexists('direction_s', ''),\n ['Sender Header'] = column_ifexists('senderHeader_s', ''),\n [\"Type\"] = column_ifexists('type_s', ''),\n [\"Subtype\"] = column_ifexists('subtype_s', '')\n| summarize arg_max([\"Time Generated\"] , *) by [\"Event Time\"],\n [\"Type\"],\n ['Account ID'],\n ['Aggregate ID'],\n ['Processing ID'],\n ['Message ID'],\n [\"Attachments\"],\n [\"Recipients\"],\n [\"Tags\"],\n ['Policies Applied'],\n ['Historical Mail'],\n ['Sender IP'],\n ['Sender Envelope'],\n [\"Subject\"],\n [\"Source\"],\n ['Threat State'],\n ['Threat Type'],\n [\"Direction\"],\n ['Sender Header'],\n [\"Subtype\"]\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(unixtime_milliseconds_todatetime( tolong([\"Event Time\"])) ) )\n| project [\"Event Time\"] ,\n [\"Time Generated\"],\n ['Account ID'],\n ['Aggregate ID'],\n ['Processing ID'],\n ['Message ID'],\n 
[\"Attachments\"],\n [\"Recipients\"],\n [\"Tags\"],\n ['Policies Applied'],\n ['Historical Mail'],\n ['Sender IP'],\n ['Sender Envelope'],\n [\"Subject\"],\n [\"Source\"],\n ['Threat State'],\n ['Threat Type'],\n [\"Direction\"],\n ['Sender Header'],\n [\"Type\"],\n [\"Subtype\"]\n};\nMimecastCloudIntegrated\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject6')._parserId6,'/'))))]", + "dependsOn": [ + "[variables('parserObject6')._parserId6]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastCloudIntegrated')]", + "contentId": "[variables('parserObject6').parserContentId6]", + "kind": "Parser", + "version": "[variables('parserObject6').parserVersion6]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject7').parserTemplateSpecName7]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_SEG_CG Data Parser with template version 
3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject7').parserVersion7]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject7')._parserName7]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast SEG Cloud Gateway", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastCG", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet MimecastCG_view = view() {\nunion isfuzzy=true dummy_table,\nSeg_Cg_CL\n| extend \n [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n [\"Url Category\"] = columnifexists(\"urlCategory_s\", \"\"),\n [\"Scan Results\"] = columnifexists(\"scanResults_s\", \"\"),\n [\"File Name\"] = columnifexists(\"fileName_s\", \"\"),\n [\"Sha256\"] = columnifexists(\"sha256_s\", \"\"),\n [\"File Extension\"] = columnifexists(\"fileExtension_s\", \"\"),\n [\"Virus Found\"] = columnifexists(\"virusFound_s\", \"\"),\n [\"Sha1\"] = columnifexists(\"sha1_s\", \"\"),\n [\"Sender Domain\"] = columnifexists(\"senderDomain_s\", \"\"),\n [\"Md5\"] = columnifexists(\"md5_g\", \"\"),\n [\"Custom Threat Dictionary\"] = columnifexists(\"customThreatDictionary_s\", \"\"),\n [\"Items Detected\"] = columnifexists(\"itemsDetected_s\", \"\"),\n [\"Similar Custom External Domain\"] = columnifexists(\"similarCustomExternalDomain_s\", \"\"),\n [\"Tagged External\"] = columnifexists(\"taggedExternal_s\", \"\"),\n [\"Similar Internal Domain\"] = columnifexists(\"similarInternalDomain_s\", \"\"),\n [\"New Domain\"] = columnifexists(\"newDomain_s\", \"\"),\n [\"Internal User Name\"] = columnifexists(\"internalUserName_s\", \"\"),\n [\"Mimecast Threat Dictionary\"] = columnifexists(\"mimecastThreatDictionary_s\", 
\"\"),\n [\"Similar Mimecast External Domain\"] = columnifexists(\"similarMimecastExternalDomain_s\", \"\"),\n [\"Custom Name Match\"] = columnifexists(\"customNameMatch_s\", \"\"),\n [\"Tagged Malicious\"] = columnifexists(\"taggedMalicious_s\", \"\"),\n [\"Reply Mismatch\"] = columnifexists(\"replyMismatch_s\", \"\"),\n [\"Aggregate ID S\"] = columnifexists(\"aggregateId_s\", \"\"),\n [\"Aggregate ID G\"] = columnifexists(\"aggregateId_g\", \"\"),\n [\"Rejection Type\"] = columnifexists(\"rejectionType_s\", \"\"),\n [\"Rejection Code\"] = columnifexists(\"rejectionCode_s\", \"\"),\n [\"Rejection Info\"] = columnifexists(\"rejectionInfo_s\", \"\"),\n [\"Delivered\"] = columnifexists(\"delivered_s\", \"\"),\n [\"Destination IP\"] = columnifexists(\"destinationIp_s\", \"\"),\n [\"Host Name\"] = columnifexists(\"Hostname_s\", \"\"),\n [\"Delivery Attempts\"] = columnifexists(\"deliveryAttempts_s\", \"\"),\n [\"TLS Used\"] = columnifexists(\"tlsUsed_s\", \"\"),\n [\"Delivery Errors\"] = columnifexists(\"deliveryErrors_s\", \"\"),\n [\"Attachments\"] = columnifexists(\"attachments_s\", \"\"),\n [\"Route\"] = columnifexists(\"route_s\", \"\"),\n [\"Processing ID\"] = columnifexists(\"processingId_s\", \"\"),\n [\"Account ID\"] = columnifexists(\"accountId_s\", \"\"),\n [\"Action\"] = columnifexists(\"action_s\", \"\"),\n [\"Event Time\"] = columnifexists(\"timestamp_d\", \"\"),\n [\"Sender Envelope\"] = columnifexists(\"senderEnvelope_s\", \"\"),\n [\"Message ID\"] = columnifexists(\"messageId_s\", \"\"),\n [\"Subject\"] = columnifexists(\"subject_s\", \"\"),\n [\"Total of Size Attachments\"] = columnifexists(\"totalSizeAttachments_s\", \"\"),\n [\"Number of Attachments\"] = columnifexists(\"numberAttachments_s\", \"\"),\n [\"Email Size\"] = columnifexists(\"emailSize_s\", \"\"),\n [\"Type\"] = columnifexists(\"type_s\", \"\"),\n [\"Sub Type\"] = columnifexists(\"subtype_s\", \"\"),\n [\"Monitored Domain Source\"] = columnifexists(\"monitoredDomainSource_s\", \"\"),\n 
[\"Similar Domain\"] = columnifexists(\"similarDomain_s\", \"\"),\n [\"Offset\"] = columnifexists(\"_offset_d\", \"\"),\n [\"Partition\"] = columnifexists(\"_partition_d\", \"\"),\n [\"Hold Reason\"] = columnifexists(\"holdReason_s\", \"\"),\n [\"Recipients\"] = columnifexists(\"recipients_s\", \"\"),\n [\"Sender IP\"] = columnifexists(\"senderIp_s\", \"\"),\n [\"Direction\"] = columnifexists(\"direction_s\", \"\"),\n [\"Sender Header\"] = columnifexists(\"senderHeader_s\", \"\"),\n [\"TLS Version\"] = columnifexists(\"tlsVersion_s\", \"\"),\n [\"TLS Cipher\"] = columnifexists(\"tlsCipher_s\", \"\"),\n [\"Spam Info\"] = columnifexists(\"spamInfo_s\", \"\"),\n [\"Spam Processing Detail\"] = columnifexists(\"spamProcessingDetail_s\", \"\")\n| summarize arg_max([\"Time Generated\"], *) by \n [\"Url Category\"],\n [\"Scan Results\"],\n [\"File Name\"],\n [\"Sha256\"],\n [\"File Extension\"],\n [\"Virus Found\"],\n [\"Sha1\"],\n [\"Sender Domain\"],\n [\"Md5\"],\n [\"Custom Threat Dictionary\"],\n [\"Items Detected\"],\n [\"Similar Custom External Domain\"],\n [\"Tagged External\"],\n [\"Similar Internal Domain\"],\n [\"New Domain\"],\n [\"Internal User Name\"],\n [\"Mimecast Threat Dictionary\"],\n [\"Similar Mimecast External Domain\"],\n [\"Custom Name Match\"],\n [\"Tagged Malicious\"],\n [\"Reply Mismatch\"],\n [\"Aggregate ID\"] = coalesce([\"Aggregate ID S\"], [\"Aggregate ID G\"]),\n [\"Rejection Type\"],\n [\"Rejection Code\"],\n [\"Rejection Info\"],\n [\"Delivered\"],\n [\"Destination IP\"],\n [\"Host Name\"],\n [\"Delivery Attempts\"],\n [\"TLS Used\"],\n [\"Delivery Errors\"],\n [\"Attachments\"],\n [\"Route\"],\n [\"Processing ID\"],\n [\"Account ID\"],\n [\"Action\"],\n [\"Event Time\"],\n [\"Sender Envelope\"],\n [\"Message ID\"],\n [\"Subject\"],\n [\"Total of Size Attachments\"],\n [\"Number of Attachments\"],\n [\"Email Size\"],\n [\"Type\"],\n [\"Sub Type\"],\n [\"Monitored Domain Source\"],\n [\"Similar Domain\"],\n [\"Hold Reason\"],\n 
[\"Recipients\"],\n [\"Sender IP\"],\n [\"Direction\"],\n [\"Sender Header\"],\n [\"TLS Version\"],\n [\"TLS Cipher\"],\n [\"Spam Info\"],\n [\"Spam Processing Detail\"]\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(unixtime_milliseconds_todatetime( tolong([\"Event Time\"]) )) )\n| extend ['Message ID'] = trim(@\"[\\<\\>]\", ['Message ID'] )\n| project \n [\"Time Generated\"],\n [\"Url Category\"],\n [\"Scan Results\"],\n [\"File Name\"],\n [\"Sha256\"],\n [\"File Extension\"],\n [\"Virus Found\"],\n [\"Sha1\"],\n [\"Sender Domain\"],\n [\"Md5\"],\n [\"Custom Threat Dictionary\"],\n [\"Items Detected\"],\n [\"Similar Custom External Domain\"],\n [\"Tagged External\"],\n [\"Similar Internal Domain\"],\n [\"New Domain\"],\n [\"Internal User Name\"],\n [\"Mimecast Threat Dictionary\"],\n [\"Similar Mimecast External Domain\"],\n [\"Custom Name Match\"],\n [\"Tagged Malicious\"],\n [\"Reply Mismatch\"],\n [\"Aggregate ID\"] = coalesce([\"Aggregate ID S\"], [\"Aggregate ID G\"]),\n [\"Rejection Type\"],\n [\"Rejection Code\"],\n [\"Rejection Info\"],\n [\"Delivered\"],\n [\"Destination IP\"],\n [\"Host Name\"],\n [\"Delivery Attempts\"],\n [\"TLS Used\"],\n [\"Delivery Errors\"],\n [\"Attachments\"],\n [\"Route\"],\n [\"Processing ID\"],\n [\"Account ID\"],\n [\"Action\"],\n [\"Event Time\"] ,\n [\"Sender Envelope\"],\n [\"Message ID\"],\n [\"Subject\"],\n [\"Total of Size Attachments\"],\n [\"Number of Attachments\"],\n [\"Email Size\"],\n [\"Type\"],\n [\"Sub Type\"],\n [\"Monitored Domain Source\"],\n [\"Similar Domain\"],\n [\"Offset\"],\n [\"Partition\"],\n [\"Hold Reason\"],\n [\"Recipients\"],\n [\"Sender IP\"],\n [\"Direction\"],\n [\"Sender Header\"],\n [\"TLS Version\"],\n [\"TLS Cipher\"],\n [\"Spam Info\"],\n [\"Spam Processing Detail\"]\n};\nMimecastCG_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject7')._parserId7,'/'))))]", + "dependsOn": [ + "[variables('parserObject7')._parserId7]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastCG')]", + "contentId": "[variables('parserObject7').parserContentId7]", + "kind": "Parser", + "version": "[variables('parserObject7').parserVersion7]", + "source": { + "name": "Mimecast", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject7').parserContentId7]", + "contentKind": "Parser", + "displayName": "Parser for Mimecast SEG Cloud Gateway", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject7').parserContentId7,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject7').parserContentId7,'-', '1.0.0')))]", + "version": "[variables('parserObject7').parserVersion7]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject7')._parserName7]", + "location": "[parameters('workspace-location')]", + 
"properties": { + "eTag": "*", + "displayName": "Parser for Mimecast SEG Cloud Gateway", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastCG", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet MimecastCG_view = view() {\nunion isfuzzy=true dummy_table,\nSeg_Cg_CL\n| extend \n [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n [\"Url Category\"] = columnifexists(\"urlCategory_s\", \"\"),\n [\"Scan Results\"] = columnifexists(\"scanResults_s\", \"\"),\n [\"File Name\"] = columnifexists(\"fileName_s\", \"\"),\n [\"Sha256\"] = columnifexists(\"sha256_s\", \"\"),\n [\"File Extension\"] = columnifexists(\"fileExtension_s\", \"\"),\n [\"Virus Found\"] = columnifexists(\"virusFound_s\", \"\"),\n [\"Sha1\"] = columnifexists(\"sha1_s\", \"\"),\n [\"Sender Domain\"] = columnifexists(\"senderDomain_s\", \"\"),\n [\"Md5\"] = columnifexists(\"md5_g\", \"\"),\n [\"Custom Threat Dictionary\"] = columnifexists(\"customThreatDictionary_s\", \"\"),\n [\"Items Detected\"] = columnifexists(\"itemsDetected_s\", \"\"),\n [\"Similar Custom External Domain\"] = columnifexists(\"similarCustomExternalDomain_s\", \"\"),\n [\"Tagged External\"] = columnifexists(\"taggedExternal_s\", \"\"),\n [\"Similar Internal Domain\"] = columnifexists(\"similarInternalDomain_s\", \"\"),\n [\"New Domain\"] = columnifexists(\"newDomain_s\", \"\"),\n [\"Internal User Name\"] = columnifexists(\"internalUserName_s\", \"\"),\n [\"Mimecast Threat Dictionary\"] = columnifexists(\"mimecastThreatDictionary_s\", \"\"),\n [\"Similar Mimecast External Domain\"] = columnifexists(\"similarMimecastExternalDomain_s\", \"\"),\n [\"Custom Name Match\"] = columnifexists(\"customNameMatch_s\", \"\"),\n [\"Tagged Malicious\"] = columnifexists(\"taggedMalicious_s\", \"\"),\n [\"Reply Mismatch\"] = columnifexists(\"replyMismatch_s\", \"\"),\n [\"Aggregate ID S\"] = columnifexists(\"aggregateId_s\", \"\"),\n [\"Aggregate ID G\"] = columnifexists(\"aggregateId_g\", \"\"),\n 
[\"Rejection Type\"] = columnifexists(\"rejectionType_s\", \"\"),\n [\"Rejection Code\"] = columnifexists(\"rejectionCode_s\", \"\"),\n [\"Rejection Info\"] = columnifexists(\"rejectionInfo_s\", \"\"),\n [\"Delivered\"] = columnifexists(\"delivered_s\", \"\"),\n [\"Destination IP\"] = columnifexists(\"destinationIp_s\", \"\"),\n [\"Host Name\"] = columnifexists(\"Hostname_s\", \"\"),\n [\"Delivery Attempts\"] = columnifexists(\"deliveryAttempts_s\", \"\"),\n [\"TLS Used\"] = columnifexists(\"tlsUsed_s\", \"\"),\n [\"Delivery Errors\"] = columnifexists(\"deliveryErrors_s\", \"\"),\n [\"Attachments\"] = columnifexists(\"attachments_s\", \"\"),\n [\"Route\"] = columnifexists(\"route_s\", \"\"),\n [\"Processing ID\"] = columnifexists(\"processingId_s\", \"\"),\n [\"Account ID\"] = columnifexists(\"accountId_s\", \"\"),\n [\"Action\"] = columnifexists(\"action_s\", \"\"),\n [\"Event Time\"] = columnifexists(\"timestamp_d\", \"\"),\n [\"Sender Envelope\"] = columnifexists(\"senderEnvelope_s\", \"\"),\n [\"Message ID\"] = columnifexists(\"messageId_s\", \"\"),\n [\"Subject\"] = columnifexists(\"subject_s\", \"\"),\n [\"Total of Size Attachments\"] = columnifexists(\"totalSizeAttachments_s\", \"\"),\n [\"Number of Attachments\"] = columnifexists(\"numberAttachments_s\", \"\"),\n [\"Email Size\"] = columnifexists(\"emailSize_s\", \"\"),\n [\"Type\"] = columnifexists(\"type_s\", \"\"),\n [\"Sub Type\"] = columnifexists(\"subtype_s\", \"\"),\n [\"Monitored Domain Source\"] = columnifexists(\"monitoredDomainSource_s\", \"\"),\n [\"Similar Domain\"] = columnifexists(\"similarDomain_s\", \"\"),\n [\"Offset\"] = columnifexists(\"_offset_d\", \"\"),\n [\"Partition\"] = columnifexists(\"_partition_d\", \"\"),\n [\"Hold Reason\"] = columnifexists(\"holdReason_s\", \"\"),\n [\"Recipients\"] = columnifexists(\"recipients_s\", \"\"),\n [\"Sender IP\"] = columnifexists(\"senderIp_s\", \"\"),\n [\"Direction\"] = columnifexists(\"direction_s\", \"\"),\n [\"Sender Header\"] = 
columnifexists(\"senderHeader_s\", \"\"),\n [\"TLS Version\"] = columnifexists(\"tlsVersion_s\", \"\"),\n [\"TLS Cipher\"] = columnifexists(\"tlsCipher_s\", \"\"),\n [\"Spam Info\"] = columnifexists(\"spamInfo_s\", \"\"),\n [\"Spam Processing Detail\"] = columnifexists(\"spamProcessingDetail_s\", \"\")\n| summarize arg_max([\"Time Generated\"], *) by \n [\"Url Category\"],\n [\"Scan Results\"],\n [\"File Name\"],\n [\"Sha256\"],\n [\"File Extension\"],\n [\"Virus Found\"],\n [\"Sha1\"],\n [\"Sender Domain\"],\n [\"Md5\"],\n [\"Custom Threat Dictionary\"],\n [\"Items Detected\"],\n [\"Similar Custom External Domain\"],\n [\"Tagged External\"],\n [\"Similar Internal Domain\"],\n [\"New Domain\"],\n [\"Internal User Name\"],\n [\"Mimecast Threat Dictionary\"],\n [\"Similar Mimecast External Domain\"],\n [\"Custom Name Match\"],\n [\"Tagged Malicious\"],\n [\"Reply Mismatch\"],\n [\"Aggregate ID\"] = coalesce([\"Aggregate ID S\"], [\"Aggregate ID G\"]),\n [\"Rejection Type\"],\n [\"Rejection Code\"],\n [\"Rejection Info\"],\n [\"Delivered\"],\n [\"Destination IP\"],\n [\"Host Name\"],\n [\"Delivery Attempts\"],\n [\"TLS Used\"],\n [\"Delivery Errors\"],\n [\"Attachments\"],\n [\"Route\"],\n [\"Processing ID\"],\n [\"Account ID\"],\n [\"Action\"],\n [\"Event Time\"],\n [\"Sender Envelope\"],\n [\"Message ID\"],\n [\"Subject\"],\n [\"Total of Size Attachments\"],\n [\"Number of Attachments\"],\n [\"Email Size\"],\n [\"Type\"],\n [\"Sub Type\"],\n [\"Monitored Domain Source\"],\n [\"Similar Domain\"],\n [\"Hold Reason\"],\n [\"Recipients\"],\n [\"Sender IP\"],\n [\"Direction\"],\n [\"Sender Header\"],\n [\"TLS Version\"],\n [\"TLS Cipher\"],\n [\"Spam Info\"],\n [\"Spam Processing Detail\"]\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(unixtime_milliseconds_todatetime( tolong([\"Event Time\"]) )) )\n| extend ['Message ID'] = trim(@\"[\\<\\>]\", ['Message ID'] )\n| project \n [\"Time Generated\"],\n [\"Url Category\"],\n [\"Scan Results\"],\n 
[\"File Name\"],\n [\"Sha256\"],\n [\"File Extension\"],\n [\"Virus Found\"],\n [\"Sha1\"],\n [\"Sender Domain\"],\n [\"Md5\"],\n [\"Custom Threat Dictionary\"],\n [\"Items Detected\"],\n [\"Similar Custom External Domain\"],\n [\"Tagged External\"],\n [\"Similar Internal Domain\"],\n [\"New Domain\"],\n [\"Internal User Name\"],\n [\"Mimecast Threat Dictionary\"],\n [\"Similar Mimecast External Domain\"],\n [\"Custom Name Match\"],\n [\"Tagged Malicious\"],\n [\"Reply Mismatch\"],\n [\"Aggregate ID\"] = coalesce([\"Aggregate ID S\"], [\"Aggregate ID G\"]),\n [\"Rejection Type\"],\n [\"Rejection Code\"],\n [\"Rejection Info\"],\n [\"Delivered\"],\n [\"Destination IP\"],\n [\"Host Name\"],\n [\"Delivery Attempts\"],\n [\"TLS Used\"],\n [\"Delivery Errors\"],\n [\"Attachments\"],\n [\"Route\"],\n [\"Processing ID\"],\n [\"Account ID\"],\n [\"Action\"],\n [\"Event Time\"] ,\n [\"Sender Envelope\"],\n [\"Message ID\"],\n [\"Subject\"],\n [\"Total of Size Attachments\"],\n [\"Number of Attachments\"],\n [\"Email Size\"],\n [\"Type\"],\n [\"Sub Type\"],\n [\"Monitored Domain Source\"],\n [\"Similar Domain\"],\n [\"Offset\"],\n [\"Partition\"],\n [\"Hold Reason\"],\n [\"Recipients\"],\n [\"Sender IP\"],\n [\"Direction\"],\n [\"Sender Header\"],\n [\"TLS Version\"],\n [\"TLS Cipher\"],\n [\"Spam Info\"],\n [\"Spam Processing Detail\"]\n};\nMimecastCG_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject7')._parserId7,'/'))))]", + "dependsOn": [ + "[variables('parserObject7')._parserId7]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', 
parameters('workspace'), 'MimecastCG')]", + "contentId": "[variables('parserObject7').parserContentId7]", + "kind": "Parser", + "version": "[variables('parserObject7').parserVersion7]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject8').parserTemplateSpecName8]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_SEG_DLP Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject8').parserVersion8]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject8')._parserName8]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast SEG Data Leak Prevention", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastDLP", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet MimecastSEG_view = view() {\nunion isfuzzy=true dummy_table,\nSeg_Dlp_CL\n| extend [\"Sender Address\"] = column_ifexists('senderAddress_s', ''),\n [\"Recipient Address\"] = column_ifexists('recipientAddress_s', ''),\n 
[\"Subject\"] = column_ifexists('subject_s', ''),\n [\"Event Time\"] = column_ifexists('eventTime_t', ''),\n [\"Route\"] = column_ifexists('route_s', ''),\n [\"Policy\"] = column_ifexists('policy_s', ''),\n [\"Action\"] = column_ifexists('action_s', ''),\n [\"Message ID\"] = column_ifexists('messageId_s', ''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated', '')\n| summarize arg_max(TimeGenerated, *) by [\"Sender Address\"], [\"Recipient Address\"], [\"Subject\"], [\"Route\"], [\"Policy\"], [\"Action\"], [\"Event Time\"], [\"Message ID\"]\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime( tolong([\"Event Time\"]) ) )\n| project [\"Time Generated\"], [\"Sender Address\"], [\"Recipient Address\"], [\"Subject\"], [\"Route\"], [\"Policy\"], [\"Action\"], [\"Event Time\"], [\"Message ID\"]\n};\nMimecastSEG_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject8')._parserId8,'/'))))]", + "dependsOn": [ + "[variables('parserObject8')._parserId8]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastDLP')]", + "contentId": "[variables('parserObject8').parserContentId8]", + "kind": "Parser", + "version": "[variables('parserObject8').parserVersion8]", + "source": { + "name": "Mimecast", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + 
"packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject8').parserContentId8]", + "contentKind": "Parser", + "displayName": "Parser for Mimecast SEG Data Leak Prevention", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject8').parserContentId8,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject8').parserContentId8,'-', '1.0.0')))]", + "version": "[variables('parserObject8').parserVersion8]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject8')._parserName8]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast SEG Data Leak Prevention", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastDLP", + "query": "let dummy_table = datatable(TimeGenerated: datetime) [];\nlet MimecastSEG_view = view() {\nunion isfuzzy=true dummy_table,\nSeg_Dlp_CL\n| extend [\"Sender Address\"] = column_ifexists('senderAddress_s', ''),\n [\"Recipient Address\"] = column_ifexists('recipientAddress_s', ''),\n [\"Subject\"] = column_ifexists('subject_s', ''),\n [\"Event Time\"] = column_ifexists('eventTime_t', ''),\n [\"Route\"] = column_ifexists('route_s', ''),\n [\"Policy\"] = column_ifexists('policy_s', ''),\n [\"Action\"] = column_ifexists('action_s', ''),\n [\"Message ID\"] = column_ifexists('messageId_s', ''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated', '')\n| summarize arg_max(TimeGenerated, *) by [\"Sender Address\"], [\"Recipient Address\"], [\"Subject\"], [\"Route\"], [\"Policy\"], [\"Action\"], 
[\"Event Time\"], [\"Message ID\"]\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime( tolong([\"Event Time\"]) ) )\n| project [\"Time Generated\"], [\"Sender Address\"], [\"Recipient Address\"], [\"Subject\"], [\"Route\"], [\"Policy\"], [\"Action\"], [\"Event Time\"], [\"Message ID\"]\n};\nMimecastSEG_view\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject8')._parserId8,'/'))))]", + "dependsOn": [ + "[variables('parserObject8')._parserId8]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastDLP')]", + "contentId": "[variables('parserObject8').parserContentId8]", + "kind": "Parser", + "version": "[variables('parserObject8').parserVersion8]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject9').parserTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_TTP_Attachment Data Parser with 
template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject9').parserVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject9')._parserName9]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast TTP ATTACHMENT", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastTTPAttachment", + "query": "let dummy_table = datatable(TimeGenerated: datetime, senderAddress_s: string, recipientAddress_s: string, messageId_s: string) [];\nlet MimecastTTPAttachment = view() {\nunion isfuzzy=true dummy_table,\nTtp_Attachment_CL\n| summarize arg_max(TimeGenerated, *) by senderAddress_s, recipientAddress_s, messageId_s\n| extend [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n [\"Type\"] = column_ifexists('Type', ''),\n [\"Mimecast Event ID\"] = 'ttp_attachment',\n [\"Mimecast Event Category\"] = 'ttp_attachment',\n [\"Action Triggered\"] = column_ifexists('actionTriggered_s', ''),\n [\"Event Time\"] = column_ifexists('date_t', ''),\n [\"Definition\"] = column_ifexists('definition_s', ''),\n [\"Details\"] = column_ifexists('details_s', ''),\n [\"File Hash\"] = column_ifexists('fileHash_s', ''),\n [\"File Name\"] = column_ifexists('fileName_s', ''),\n [\"File Type\"] = column_ifexists('fileType_s', ''),\n [\"Message ID\"] = column_ifexists('messageId_s', ''),\n [\"Recipient Address\"] = column_ifexists('recipientAddress_s', ''),\n [\"Result\"] = column_ifexists('result_s', ''),\n [\"Route\"] = column_ifexists('route_s', ''),\n [\"Sender Address\"] = column_ifexists('senderAddress_s', ''),\n [\"Subject\"] = column_ifexists('subject_s', '')\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , 
todatetime(( [\"Event Time\"]) ) )\n| project [\"Time Generated\"] , [\"Type\"], [\"Mimecast Event ID\"], [\"Mimecast Event Category\"], [\"Action Triggered\"],[\"Event Time\"] , [\"Definition\"], [\"Details\"], [\"File Hash\"], [\"File Name\"], [\"File Type\"], [\"Message ID\"], [\"Recipient Address\"], [\"Result\"], [\"Route\"], [\"Sender Address\"], [\"Subject\"] \n};\nMimecastTTPAttachment\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject9')._parserId9,'/'))))]", + "dependsOn": [ + "[variables('parserObject9')._parserId9]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastTTPAttachment')]", + "contentId": "[variables('parserObject9').parserContentId9]", + "kind": "Parser", + "version": "[variables('parserObject9').parserVersion9]", + "source": { + "name": "Mimecast", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject9').parserContentId9]", + "contentKind": "Parser", + "displayName": "Parser for Mimecast TTP ATTACHMENT", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', 
uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject9').parserContentId9,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject9').parserContentId9,'-', '1.0.0')))]", + "version": "[variables('parserObject9').parserVersion9]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject9')._parserName9]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast TTP ATTACHMENT", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastTTPAttachment", + "query": "let dummy_table = datatable(TimeGenerated: datetime, senderAddress_s: string, recipientAddress_s: string, messageId_s: string) [];\nlet MimecastTTPAttachment = view() {\nunion isfuzzy=true dummy_table,\nTtp_Attachment_CL\n| summarize arg_max(TimeGenerated, *) by senderAddress_s, recipientAddress_s, messageId_s\n| extend [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n [\"Type\"] = column_ifexists('Type', ''),\n [\"Mimecast Event ID\"] = 'ttp_attachment',\n [\"Mimecast Event Category\"] = 'ttp_attachment',\n [\"Action Triggered\"] = column_ifexists('actionTriggered_s', ''),\n [\"Event Time\"] = column_ifexists('date_t', ''),\n [\"Definition\"] = column_ifexists('definition_s', ''),\n [\"Details\"] = column_ifexists('details_s', ''),\n [\"File Hash\"] = column_ifexists('fileHash_s', ''),\n [\"File Name\"] = column_ifexists('fileName_s', ''),\n [\"File Type\"] = column_ifexists('fileType_s', ''),\n [\"Message ID\"] = column_ifexists('messageId_s', ''),\n [\"Recipient Address\"] = column_ifexists('recipientAddress_s', ''),\n [\"Result\"] = column_ifexists('result_s', ''),\n [\"Route\"] = column_ifexists('route_s', ''),\n [\"Sender Address\"] = column_ifexists('senderAddress_s', ''),\n 
[\"Subject\"] = column_ifexists('subject_s', '')\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(( [\"Event Time\"]) ) )\n| project [\"Time Generated\"] , [\"Type\"], [\"Mimecast Event ID\"], [\"Mimecast Event Category\"], [\"Action Triggered\"],[\"Event Time\"] , [\"Definition\"], [\"Details\"], [\"File Hash\"], [\"File Name\"], [\"File Type\"], [\"Message ID\"], [\"Recipient Address\"], [\"Result\"], [\"Route\"], [\"Sender Address\"], [\"Subject\"] \n};\nMimecastTTPAttachment\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject9')._parserId9,'/'))))]", + "dependsOn": [ + "[variables('parserObject9')._parserId9]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastTTPAttachment')]", + "contentId": "[variables('parserObject9').parserContentId9]", + "kind": "Parser", + "version": "[variables('parserObject9').parserVersion9]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject10').parserTemplateSpecName10]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_TTP_Impersonation Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject10').parserVersion10]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject10')._parserName10]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast TTP Impersonation", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastTTPImpersonation", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string) [];\nlet MimecastTTPImpersonation = view() {\nunion isfuzzy=true dummy_table,\nTtp_Impersonation_CL\n| summarize arg_max(TimeGenerated, *) by id_s\n| extend \n [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n [\"Type\"] = column_ifexists('Type', ''),\n [\"Mimecast Event ID\"] = 'ttp_impersonation',\n [\"Mimecast Event Category\"] = 'ttp_impersonation',\n [\"Action\"] = column_ifexists('action_s',''),\n [\"Definition\"] = column_ifexists('definition_s',''),\n [\"Event Time\"] = column_ifexists('eventTime_t',''),\n [\"Hits\"] = column_ifexists('hits_d',''),\n [\"ID\"] = column_ifexists('id_s',''),\n [\"Identifiers\"] = column_ifexists('identifiers_s',''),\n [\"Impersonation Results\"] = column_ifexists('impersonationResults_s',''),\n [\"Message ID\"] = column_ifexists('messageId_s',''),\n [\"Recipient Address\"] = column_ifexists('recipientAddress_s',''),\n [\"Sender Address\"] = column_ifexists('senderAddress_s',''),\n [\"Sender IP Address\"] = 
column_ifexists('senderIpAddress_s',''),\n [\"Subject\"] = column_ifexists('subject_s',''),\n [\"Tagged External\"] = column_ifexists('taggedExternal_b',''),\n [\"Tagged Malicious\"] = column_ifexists('taggedMalicious_b','')\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(( [\"Event Time\"]) ) )\n| project [\"Time Generated\"], [\"ID\"], [\"Mimecast Event ID\"], [\"Mimecast Event Category\"], [\"Action\"], [\"Definition\"], [\"Event Time\"], [\"Hits\"], [\"Identifiers\"], [\"Impersonation Results\"], [\"Message ID\"], [\"Recipient Address\"], [\"Sender Address\"], [\"Sender IP Address\"], [\"Subject\"], [\"Tagged External\"], [\"Tagged Malicious\"], [\"Type\"] \n};\nMimecastTTPImpersonation\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject10')._parserId10,'/'))))]", + "dependsOn": [ + "[variables('parserObject10')._parserId10]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastTTPImpersonation')]", + "contentId": "[variables('parserObject10').parserContentId10]", + "kind": "Parser", + "version": "[variables('parserObject10').parserVersion10]", + "source": { + "name": "Mimecast", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": 
"[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject10').parserContentId10]", + "contentKind": "Parser", + "displayName": "Parser for Mimecast TTP Impersonation", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject10').parserContentId10,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject10').parserContentId10,'-', '1.0.0')))]", + "version": "[variables('parserObject10').parserVersion10]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject10')._parserName10]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast TTP Impersonation", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastTTPImpersonation", + "query": "let dummy_table = datatable(TimeGenerated: datetime, id_s: string) [];\nlet MimecastTTPImpersonation = view() {\nunion isfuzzy=true dummy_table,\nTtp_Impersonation_CL\n| summarize arg_max(TimeGenerated, *) by id_s\n| extend \n [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n [\"Type\"] = column_ifexists('Type', ''),\n [\"Mimecast Event ID\"] = 'ttp_impersonation',\n [\"Mimecast Event Category\"] = 'ttp_impersonation',\n [\"Action\"] = column_ifexists('action_s',''),\n [\"Definition\"] = column_ifexists('definition_s',''),\n [\"Event Time\"] = column_ifexists('eventTime_t',''),\n [\"Hits\"] = column_ifexists('hits_d',''),\n [\"ID\"] = column_ifexists('id_s',''),\n [\"Identifiers\"] = column_ifexists('identifiers_s',''),\n [\"Impersonation Results\"] = column_ifexists('impersonationResults_s',''),\n [\"Message ID\"] = column_ifexists('messageId_s',''),\n [\"Recipient Address\"] = 
column_ifexists('recipientAddress_s',''),\n [\"Sender Address\"] = column_ifexists('senderAddress_s',''),\n [\"Sender IP Address\"] = column_ifexists('senderIpAddress_s',''),\n [\"Subject\"] = column_ifexists('subject_s',''),\n [\"Tagged External\"] = column_ifexists('taggedExternal_b',''),\n [\"Tagged Malicious\"] = column_ifexists('taggedMalicious_b','')\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(( [\"Event Time\"]) ) )\n| project [\"Time Generated\"], [\"ID\"], [\"Mimecast Event ID\"], [\"Mimecast Event Category\"], [\"Action\"], [\"Definition\"], [\"Event Time\"], [\"Hits\"], [\"Identifiers\"], [\"Impersonation Results\"], [\"Message ID\"], [\"Recipient Address\"], [\"Sender Address\"], [\"Sender IP Address\"], [\"Subject\"], [\"Tagged External\"], [\"Tagged Malicious\"], [\"Type\"] \n};\nMimecastTTPImpersonation\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject10')._parserId10,'/'))))]", + "dependsOn": [ + "[variables('parserObject10')._parserId10]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastTTPImpersonation')]", + "contentId": "[variables('parserObject10').parserContentId10]", + "kind": "Parser", + "version": "[variables('parserObject10').parserVersion10]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": 
"https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject11').parserTemplateSpecName11]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast_TTP_Url Data Parser with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject11').parserVersion11]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject11')._parserName11]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast TTP URL", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastTTPUrl", + "query": "let dummy_table = datatable(TimeGenerated: datetime, userEmailAddress_s: string, fromUserEmailAddress_s: string, messageId_s: string, sendingIp_s: string, url_s: string) [];\nlet MimecastTTPUrl = view() {\nunion isfuzzy=true dummy_table,\nTtp_Url_CL\n| summarize arg_max(TimeGenerated, *) by userEmailAddress_s,fromUserEmailAddress_s, sendingIp_s, messageId_s, url_s\n| extend \n [\"Category\"] = column_ifexists('Category', ''),\n [\"Time Generated\"] = column_ifexists('TimeGenerated', ''),\n [\"Type\"] = column_ifexists('Type', ''),\n [\"Tag Map Dangerous File Ext Content Check Dangerous Mimetypes Url File Download\"] = column_ifexists('tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s', ''),\n [\"Tag Map Dangerous File Ext Content Check 
Dangerous Exts Url File Download\"] = column_ifexists('tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s', ''),\n [\"Tag Map Advanced Phishing Credential Theft Evidence\"] = column_ifexists('tagMap_AdvancedPhishing_CredentialTheftEvidence_s', ''),\n [\"Tag Map Advanced Phishing Credential Theft Tags\"] = column_ifexists('tagMap_AdvancedPhishing_CredentialTheftTags_s', ''),\n [\"Mimecast Event ID\"] = 'ttp_url',\n [\"Mimecast Event Category\"] = 'ttp_url',\n [\"Advanced Phishing Result Credential Theft Brands\"] = column_ifexists('advancedPhishingResult_CredentialTheftBrands_s', ''),\n [\"Advanced Phishing Result Credential Theft Evidence\"] = column_ifexists('advancedPhishingResult_CredentialTheftEvidence_s', ''),\n [\"Advanced Phishing Result Credential Theft Tags\"] = column_ifexists('advancedPhishingResult_CredentialTheftTags_s', ''),\n [\"Tag Map Url Reputation Scan Type\"] = column_ifexists('tagMap_UrlReputationScan_Type_s', ''),\n [\"Tag Map Url Reputation Scan Url\"] = column_ifexists('tagMap_UrlReputationScan_Url_s', ''),\n [\"Tag Map Dangerous File Ext Inspect File Exts\"] = column_ifexists('tagMap_DangerousFileExt_Inspect_FileExts_s', ''),\n [\"Tag Map Dangerous File Ext Inspect Mime Types\"] = column_ifexists('tagMap_DangerousFileExt_Inspect_MimeTypes_s', ''),\n [\"Tag Map Dangerous File Ext Content Check Content Scanners Blocked\"] = column_ifexists('tagMap_DangerousFileExt_ContentCheck_ContentScannersBlocked_s', ''),\n [\"User Email Address\"] = column_ifexists('userEmailAddress_s', ''),\n [\"From User Email Address\"] = column_ifexists('fromUserEmailAddress_s', ''),\n [\"Url\"] = column_ifexists('url_s', ''),\n [\"Ttp Definition\"] = column_ifexists('ttpDefinition_s', ''),\n [\"Subject\"] = column_ifexists('subject_s', ''),\n [\"Action\"] = column_ifexists('action_s', ''),\n [\"Admin Override\"] = column_ifexists('adminOverride_s', ''),\n [\"User Override\"] = column_ifexists('userOverride_s', ''),\n [\"Scan Result\"] = 
column_ifexists('scanResult_s', ''),\n [\"Sending IP\"] = column_ifexists('sendingIp_s', ''),\n [\"User Awareness Action\"] = column_ifexists('userAwarenessAction_s', ''),\n ['Event Time'] = column_ifexists('date_t', ''),\n [\"Actions\"] = column_ifexists('actions_s', ''),\n [\"Route\"] = column_ifexists('route_s', ''),\n [\"Creation Method\"] = column_ifexists('creationMethod_s', ''),\n [\"Email Parts Description\"] = column_ifexists('emailPartsDescription_s', ''),\n [\"Message ID\"] = column_ifexists('messageId_s', ''),\n [\"Tag Map Url Reputation Scan Url Block\"] = column_ifexists('tagMap_UrlReputationScan_UrlBlock_s', ''),\n [\"Tag Map Customer Managed Urls Managed Url Entry\"] = column_ifexists('tagMap_CustomerManagedUrls_ManagedUrlEntry_s', ''),\n [\"Tag Map Customer Managed Urls Blocklisted\"] = column_ifexists('tagMap_CustomerManagedUrls_Blocklisted_s', ''),\n [\"Tag Map Av Scanning Content Check Av Signature Name\"] = column_ifexists('tagMap_AvScanning_ContentCheck_AvSignatureName_s', ''),\n [\"Tag Map Av Scanning Scanner Info Category Trigger\"] = column_ifexists('tagMap_AvScanning_ScannerInfo_CategoryTrigger_s', ''),\n [\"Tag Map Av Scanning Content Check Av Signature File Exts\"] = column_ifexists('tagMap_AvScanning_ContentCheck_AvSignatureFileExts_s', ''),\n [\"Tag Map Av Scanning Content Check Url File Download Filename\"] = column_ifexists('tagMap_AvScanning_ContentCheck_UrlFileDownloadFilename_s', '')\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(( [\"Event Time\"]) ) )\n| project [\"Category\"] ,[\"Time Generated\"] ,\n [\"Mimecast Event ID\"],\n [\"Mimecast Event Category\"],\n [\"User Email Address\"],\n [\"From User Email Address\"],\n [\"Url\"],\n [\"Ttp Definition\"],\n [\"Subject\"],\n [\"Action\"],\n [\"Admin Override\"],\n [\"User Override\"],\n [\"Scan Result\"],\n [\"Sending IP\"],\n [\"User Awareness Action\"],\n ['Event Time'],\n [\"Actions\"],\n [\"Route\"],\n [\"Creation Method\"],\n [\"Email Parts 
Description\"],\n [\"Message ID\"],\n [\"Tag Map Dangerous File Ext Content Check Dangerous Mimetypes Url File Download\"],\n [\"Tag Map Dangerous File Ext Content Check Dangerous Exts Url File Download\"],\n [\"Tag Map Advanced Phishing Credential Theft Evidence\"],\n [\"Tag Map Advanced Phishing Credential Theft Tags\"],\n [\"Advanced Phishing Result Credential Theft Brands\"],\n [\"Advanced Phishing Result Credential Theft Evidence\"],\n [\"Advanced Phishing Result Credential Theft Tags\"],\n [\"Tag Map Url Reputation Scan Type\"],\n [\"Tag Map Url Reputation Scan Url\"],\n [\"Tag Map Dangerous File Ext Inspect File Exts\"],\n [\"Tag Map Dangerous File Ext Inspect Mime Types\"],\n [\"Tag Map Dangerous File Ext Content Check Content Scanners Blocked\"],\n [\"Tag Map Url Reputation Scan Url Block\"],\n [\"Tag Map Customer Managed Urls Managed Url Entry\"],\n [\"Tag Map Customer Managed Urls Blocklisted\"],\n [\"Tag Map Av Scanning Content Check Av Signature Name\"],\n [\"Tag Map Av Scanning Scanner Info Category Trigger\"],\n [\"Tag Map Av Scanning Content Check Av Signature File Exts\"],\n [\"Tag Map Av Scanning Content Check Url File Download Filename\"],\n [\"Type\"]\n};\nMimecastTTPUrl\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject11')._parserId11,'/'))))]", + "dependsOn": [ + "[variables('parserObject11')._parserId11]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastTTPUrl')]", + "contentId": "[variables('parserObject11').parserContentId11]", + "kind": "Parser", + "version": "[variables('parserObject11').parserVersion11]", + "source": { + "name": "Mimecast", 
+ "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject11').parserContentId11]", + "contentKind": "Parser", + "displayName": "Parser for Mimecast TTP URL", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject11').parserContentId11,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject11').parserContentId11,'-', '1.0.0')))]", + "version": "[variables('parserObject11').parserVersion11]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject11')._parserName11]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Mimecast TTP URL", + "category": "Microsoft Sentinel Parser", + "functionAlias": "MimecastTTPUrl", + "query": "let dummy_table = datatable(TimeGenerated: datetime, userEmailAddress_s: string, fromUserEmailAddress_s: string, messageId_s: string, sendingIp_s: string, url_s: string) [];\nlet MimecastTTPUrl = view() {\nunion isfuzzy=true dummy_table,\nTtp_Url_CL\n| summarize arg_max(TimeGenerated, *) by userEmailAddress_s,fromUserEmailAddress_s, sendingIp_s, messageId_s, url_s\n| extend \n [\"Category\"] = column_ifexists('Category', ''),\n [\"Time Generated\"] = 
column_ifexists('TimeGenerated', ''),\n [\"Type\"] = column_ifexists('Type', ''),\n [\"Tag Map Dangerous File Ext Content Check Dangerous Mimetypes Url File Download\"] = column_ifexists('tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s', ''),\n [\"Tag Map Dangerous File Ext Content Check Dangerous Exts Url File Download\"] = column_ifexists('tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s', ''),\n [\"Tag Map Advanced Phishing Credential Theft Evidence\"] = column_ifexists('tagMap_AdvancedPhishing_CredentialTheftEvidence_s', ''),\n [\"Tag Map Advanced Phishing Credential Theft Tags\"] = column_ifexists('tagMap_AdvancedPhishing_CredentialTheftTags_s', ''),\n [\"Mimecast Event ID\"] = 'ttp_url',\n [\"Mimecast Event Category\"] = 'ttp_url',\n [\"Advanced Phishing Result Credential Theft Brands\"] = column_ifexists('advancedPhishingResult_CredentialTheftBrands_s', ''),\n [\"Advanced Phishing Result Credential Theft Evidence\"] = column_ifexists('advancedPhishingResult_CredentialTheftEvidence_s', ''),\n [\"Advanced Phishing Result Credential Theft Tags\"] = column_ifexists('advancedPhishingResult_CredentialTheftTags_s', ''),\n [\"Tag Map Url Reputation Scan Type\"] = column_ifexists('tagMap_UrlReputationScan_Type_s', ''),\n [\"Tag Map Url Reputation Scan Url\"] = column_ifexists('tagMap_UrlReputationScan_Url_s', ''),\n [\"Tag Map Dangerous File Ext Inspect File Exts\"] = column_ifexists('tagMap_DangerousFileExt_Inspect_FileExts_s', ''),\n [\"Tag Map Dangerous File Ext Inspect Mime Types\"] = column_ifexists('tagMap_DangerousFileExt_Inspect_MimeTypes_s', ''),\n [\"Tag Map Dangerous File Ext Content Check Content Scanners Blocked\"] = column_ifexists('tagMap_DangerousFileExt_ContentCheck_ContentScannersBlocked_s', ''),\n [\"User Email Address\"] = column_ifexists('userEmailAddress_s', ''),\n [\"From User Email Address\"] = column_ifexists('fromUserEmailAddress_s', ''),\n [\"Url\"] = column_ifexists('url_s', ''),\n [\"Ttp 
Definition\"] = column_ifexists('ttpDefinition_s', ''),\n [\"Subject\"] = column_ifexists('subject_s', ''),\n [\"Action\"] = column_ifexists('action_s', ''),\n [\"Admin Override\"] = column_ifexists('adminOverride_s', ''),\n [\"User Override\"] = column_ifexists('userOverride_s', ''),\n [\"Scan Result\"] = column_ifexists('scanResult_s', ''),\n [\"Sending IP\"] = column_ifexists('sendingIp_s', ''),\n [\"User Awareness Action\"] = column_ifexists('userAwarenessAction_s', ''),\n ['Event Time'] = column_ifexists('date_t', ''),\n [\"Actions\"] = column_ifexists('actions_s', ''),\n [\"Route\"] = column_ifexists('route_s', ''),\n [\"Creation Method\"] = column_ifexists('creationMethod_s', ''),\n [\"Email Parts Description\"] = column_ifexists('emailPartsDescription_s', ''),\n [\"Message ID\"] = column_ifexists('messageId_s', ''),\n [\"Tag Map Url Reputation Scan Url Block\"] = column_ifexists('tagMap_UrlReputationScan_UrlBlock_s', ''),\n [\"Tag Map Customer Managed Urls Managed Url Entry\"] = column_ifexists('tagMap_CustomerManagedUrls_ManagedUrlEntry_s', ''),\n [\"Tag Map Customer Managed Urls Blocklisted\"] = column_ifexists('tagMap_CustomerManagedUrls_Blocklisted_s', ''),\n [\"Tag Map Av Scanning Content Check Av Signature Name\"] = column_ifexists('tagMap_AvScanning_ContentCheck_AvSignatureName_s', ''),\n [\"Tag Map Av Scanning Scanner Info Category Trigger\"] = column_ifexists('tagMap_AvScanning_ScannerInfo_CategoryTrigger_s', ''),\n [\"Tag Map Av Scanning Content Check Av Signature File Exts\"] = column_ifexists('tagMap_AvScanning_ContentCheck_AvSignatureFileExts_s', ''),\n [\"Tag Map Av Scanning Content Check Url File Download Filename\"] = column_ifexists('tagMap_AvScanning_ContentCheck_UrlFileDownloadFilename_s', '')\n| extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(( [\"Event Time\"]) ) )\n| project [\"Category\"] ,[\"Time Generated\"] ,\n [\"Mimecast Event ID\"],\n [\"Mimecast Event Category\"],\n [\"User Email Address\"],\n [\"From 
User Email Address\"],\n [\"Url\"],\n [\"Ttp Definition\"],\n [\"Subject\"],\n [\"Action\"],\n [\"Admin Override\"],\n [\"User Override\"],\n [\"Scan Result\"],\n [\"Sending IP\"],\n [\"User Awareness Action\"],\n ['Event Time'],\n [\"Actions\"],\n [\"Route\"],\n [\"Creation Method\"],\n [\"Email Parts Description\"],\n [\"Message ID\"],\n [\"Tag Map Dangerous File Ext Content Check Dangerous Mimetypes Url File Download\"],\n [\"Tag Map Dangerous File Ext Content Check Dangerous Exts Url File Download\"],\n [\"Tag Map Advanced Phishing Credential Theft Evidence\"],\n [\"Tag Map Advanced Phishing Credential Theft Tags\"],\n [\"Advanced Phishing Result Credential Theft Brands\"],\n [\"Advanced Phishing Result Credential Theft Evidence\"],\n [\"Advanced Phishing Result Credential Theft Tags\"],\n [\"Tag Map Url Reputation Scan Type\"],\n [\"Tag Map Url Reputation Scan Url\"],\n [\"Tag Map Dangerous File Ext Inspect File Exts\"],\n [\"Tag Map Dangerous File Ext Inspect Mime Types\"],\n [\"Tag Map Dangerous File Ext Content Check Content Scanners Blocked\"],\n [\"Tag Map Url Reputation Scan Url Block\"],\n [\"Tag Map Customer Managed Urls Managed Url Entry\"],\n [\"Tag Map Customer Managed Urls Blocklisted\"],\n [\"Tag Map Av Scanning Content Check Av Signature Name\"],\n [\"Tag Map Av Scanning Scanner Info Category Trigger\"],\n [\"Tag Map Av Scanning Content Check Av Signature File Exts\"],\n [\"Tag Map Av Scanning Content Check Url File Download Filename\"],\n [\"Type\"]\n};\nMimecastTTPUrl\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject11')._parserId11,'/'))))]", + "dependsOn": [ + 
"[variables('parserObject11')._parserId11]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'MimecastTTPUrl')]", + "contentId": "[variables('parserObject11').parserContentId11]", + "kind": "Parser", + "version": "[variables('parserObject11').parserVersion11]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "Mimecast Awareness Training (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast 
Awareness Training](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. \nThe Mimecast products included within the connector are: \n- Performance Details \n- Safe Score Details \n- User Data\n- Watchlist Details\n", + "graphQueries": [ + { + "metricName": "Total Performance Details data received", + "legend": "Awareness_Performance_Details_CL", + "baseQuery": "Awareness_Performance_Details_CL" + }, + { + "metricName": "Total Safe Score Details data received", + "legend": "Awareness_SafeScore_Details_CL", + "baseQuery": "Awareness_SafeScore_Details_CL" + }, + { + "metricName": "Total User Data received", + "legend": "Awareness_User_Data_CL", + "baseQuery": "Awareness_User_Data_CL" + }, + { + "metricName": "Total Watchlist Details data received", + "legend": "Awareness_Watchlist_Details_CL", + "baseQuery": "Awareness_Watchlist_Details_CL" + } + ], + "sampleQueries": [ + { + "description": "Awareness_Performance_Details_CL", + "query": "Awareness_Performance_Details_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Awareness_SafeScore_Details_CL", + "query": "Awareness_SafeScore_Details_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Awareness_User_Data_CL", + "query": "Awareness_User_Data_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Awareness_Watchlist_Details_CL", + "query": "Awareness_User_Data_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Awareness_Performance_Details_CL", + "lastDataReceivedQuery": "Awareness_Performance_Details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": 
"Awareness_SafeScore_Details_CL", + "lastDataReceivedQuery": "Awareness_SafeScore_Details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Awareness_User_Data_CL", + "lastDataReceivedQuery": "Awareness_User_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Awareness_Watchlist_Details_CL", + "lastDataReceivedQuery": "Awareness_Watchlist_Details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Awareness_Performance_Details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Awareness_SafeScore_Details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Awareness_User_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Awareness_Watchlist_Details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "description": "You need to have a resource group created with a subscription you are going to use.", + "title": "Resource group" + }, + { + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret", + "title": "Functions app" + }, + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. 
[Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Mimecast Awareness Training Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastAT-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 0 */1 * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Azure Resource Manager (ARM) Template" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "Mimecast Awareness Training (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": 
"[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Mimecast Awareness Training (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Awareness Training](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. 
\nThe Mimecast products included within the connector are: \n- Performance Details \n- Safe Score Details \n- User Data\n- Watchlist Details\n", + "graphQueries": [ + { + "metricName": "Total Performance Details data received", + "legend": "Awareness_Performance_Details_CL", + "baseQuery": "Awareness_Performance_Details_CL" + }, + { + "metricName": "Total Safe Score Details data received", + "legend": "Awareness_SafeScore_Details_CL", + "baseQuery": "Awareness_SafeScore_Details_CL" + }, + { + "metricName": "Total User Data received", + "legend": "Awareness_User_Data_CL", + "baseQuery": "Awareness_User_Data_CL" + }, + { + "metricName": "Total Watchlist Details data received", + "legend": "Awareness_Watchlist_Details_CL", + "baseQuery": "Awareness_Watchlist_Details_CL" + } + ], + "dataTypes": [ + { + "name": "Awareness_Performance_Details_CL", + "lastDataReceivedQuery": "Awareness_Performance_Details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Awareness_SafeScore_Details_CL", + "lastDataReceivedQuery": "Awareness_SafeScore_Details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Awareness_User_Data_CL", + "lastDataReceivedQuery": "Awareness_User_Data_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Awareness_Watchlist_Details_CL", + "lastDataReceivedQuery": "Awareness_Watchlist_Details_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Awareness_Performance_Details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Awareness_SafeScore_Details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Awareness_User_Data_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > 
ago(30d)", + "Awareness_Watchlist_Details_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Awareness_Performance_Details_CL", + "query": "Awareness_Performance_Details_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Awareness_SafeScore_Details_CL", + "query": "Awareness_SafeScore_Details_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Awareness_User_Data_CL", + "query": "Awareness_User_Data_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Awareness_Watchlist_Details_CL", + "query": "Awareness_User_Data_CL\n| sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "description": "You need to have a resource group created with a subscription you are going to use.", + "title": "Resource group" + }, + { + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret", + "title": "Functions app" + }, + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Mimecast Awareness Training Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastAT-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 0 */1 * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Azure Resource Manager (ARM) Template" + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "Mimecast Audit (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Audit](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to audit and authentication events within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into user activity, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. 
\nThe Mimecast products included within the connector are: \nAudit\n ", + "graphQueries": [ + { + "metricName": "Total Audit data received", + "legend": "MimecastAudit_CL", + "baseQuery": "MimecastAudit_CL" + } + ], + "sampleQueries": [ + { + "description": "MimecastAudit_CL", + "query": "MimecastAudit_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "MimecastAudit_CL", + "lastDataReceivedQuery": "MimecastAudit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MimecastAudit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Mimecast Audit Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastAuditAzureDeploy-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tStart Date \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 0 */1 * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Deploy the Mimecast Audit Data Connector:" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "Mimecast Audit (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId2')]" + ], + "location": 
"[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Mimecast Audit (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Audit](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to audit and authentication events within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into user activity, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. 
\nThe Mimecast products included within the connector are: \nAudit\n ", + "graphQueries": [ + { + "metricName": "Total Audit data received", + "legend": "MimecastAudit_CL", + "baseQuery": "MimecastAudit_CL" + } + ], + "dataTypes": [ + { + "name": "MimecastAudit_CL", + "lastDataReceivedQuery": "MimecastAudit_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "MimecastAudit_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "MimecastAudit_CL", + "query": "MimecastAudit_CL\n| sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Mimecast Audit Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastAuditAzureDeploy-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tStart Date \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 0 */1 * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Deploy the Mimecast Audit Data Connector:" + } + ], + "id": "[variables('_uiConfigId2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId3')]", + "title": "Mimecast Cloud Integrated (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Cloud Integrated](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Cloud Integrated inspection technologies within Microsoft Sentinel. 
The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities.", + "graphQueries": [ + { + "metricName": "Total Cloud Integrated data received", + "legend": "Cloud_Integrated_CL", + "baseQuery": "Cloud_Integrated_CL" + } + ], + "sampleQueries": [ + { + "description": "Cloud_Integrated_CL", + "query": "Cloud_Integrated_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Cloud_Integrated_CL", + "lastDataReceivedQuery": "Cloud_Integrated_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Cloud_Integrated_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." 
+ }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "description": "You need to have a resource group created with a subscription you are going to use.", + "title": "Resource group" + }, + { + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret", + "title": "Functions app" + }, + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Mimecast Cloud Integrated Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastCI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 */30 * * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Azure Resource Manager (ARM) Template" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion3')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId3')]", + "contentKind": "DataConnector", + "displayName": "Mimecast Cloud Integrated (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId3')]", + "id": "[variables('_dataConnectorcontentProductId3')]", + "version": "[variables('dataConnectorVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId3'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId3')]" + ], + "location": 
"[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId3'))]", + "contentId": "[variables('_dataConnectorContentId3')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion3')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId3'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Mimecast Cloud Integrated (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Cloud Integrated](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Cloud Integrated inspection technologies within Microsoft Sentinel. 
The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities.", + "graphQueries": [ + { + "metricName": "Total Cloud Integrated data received", + "legend": "Cloud_Integrated_CL", + "baseQuery": "Cloud_Integrated_CL" + } + ], + "dataTypes": [ + { + "name": "Cloud_Integrated_CL", + "lastDataReceivedQuery": "Cloud_Integrated_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Cloud_Integrated_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Cloud_Integrated_CL", + "query": "Cloud_Integrated_CL\n| sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." 
+ }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "description": "You need to have a resource group created with a subscription you are going to use.", + "title": "Resource group" + }, + { + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret", + "title": "Functions app" + }, + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Mimecast Cloud Integrated Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastCI-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 */30 * * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Azure Resource Manager (ARM) Template" + } + ], + "id": "[variables('_uiConfigId3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId4')]", + "title": "Mimecast Secure Email Gateway (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Secure Email Gateway](https://community.mimecast.com/s/article/Azure-Sentinel) allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. 
Mimecast products and features required: \n- Mimecast Cloud Gateway \n- Mimecast Data Leak Prevention\n ", + "graphQueries": [ + { + "metricName": "Total Cloud Gateway data received", + "legend": "Seg_Cg_CL", + "baseQuery": "Seg_Cg_CL" + }, + { + "metricName": "Total Data Leak Prevention data received", + "legend": "Seg_Dlp_CL", + "baseQuery": "Seg_Dlp_CL" + } + ], + "sampleQueries": [ + { + "description": "Seg_Cg_CL", + "query": "Seg_Cg_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Seg_Dlp_CL", + "query": "Seg_Dlp_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Seg_Cg_CL", + "lastDataReceivedQuery": "Seg_Cg_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Seg_Dlp_CL", + "lastDataReceivedQuery": "Seg_Dlp_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Seg_Cg_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Seg_Dlp_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Mimecast Secure Email Gateway Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastSEGAzureDeploy-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tSchedule (0 */30 * * * *) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tLog Level (Default: INFO) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Deploy the Mimecast Secure Email Gateway Data Connector:" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "contentId": "[variables('_dataConnectorContentId4')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion4')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId4')]", + "contentKind": "DataConnector", + "displayName": "Mimecast Secure Email Gateway (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId4')]", + "id": "[variables('_dataConnectorcontentProductId4')]", + "version": "[variables('dataConnectorVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId4'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId4')]" + 
], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId4'))]", + "contentId": "[variables('_dataConnectorContentId4')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion4')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId4'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Mimecast Secure Email Gateway (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Secure Email Gateway](https://community.mimecast.com/s/article/Azure-Sentinel) allows easy log collection from the Secure Email Gateway to surface email insight and user activity within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. 
Mimecast products and features required: \n- Mimecast Cloud Gateway \n- Mimecast Data Leak Prevention\n ", + "graphQueries": [ + { + "metricName": "Total Cloud Gateway data received", + "legend": "Seg_Cg_CL", + "baseQuery": "Seg_Cg_CL" + }, + { + "metricName": "Total Data Leak Prevention data received", + "legend": "Seg_Dlp_CL", + "baseQuery": "Seg_Dlp_CL" + } + ], + "dataTypes": [ + { + "name": "Seg_Cg_CL", + "lastDataReceivedQuery": "Seg_Cg_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Seg_Dlp_CL", + "lastDataReceivedQuery": "Seg_Dlp_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Seg_Cg_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Seg_Dlp_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Seg_Cg_CL", + "query": "Seg_Cg_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Seg_Dlp_CL", + "query": "Seg_Dlp_CL\n| sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
+ }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Mimecast Secure Email Gateway Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastSEGAzureDeploy-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tSchedule (0 */30 * * * *) \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tLog Level (Default: INFO) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. 
Click **Purchase** to deploy.", + "title": "Deploy the Mimecast Secure Email Gateway Data Connector:" + } + ], + "id": "[variables('_uiConfigId4')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Mimecast data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId5')]", + "title": "Mimecast Targeted Threat Protection (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Targeted Threat Protection](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. 
\nThe Mimecast products included within the connector are: \n- URL Protect \n- Impersonation Protect \n- Attachment Protect\n", + "graphQueries": [ + { + "metricName": "Total URL Protect data received", + "legend": "Ttp_Url_CL", + "baseQuery": "Ttp_Url_CL" + }, + { + "metricName": "Total Attachment Protect data received", + "legend": "Ttp_Attachment_CL", + "baseQuery": "Ttp_Attachment_CL" + }, + { + "metricName": "Total Impersonation Protect data received", + "legend": "Ttp_Impersonation_CL", + "baseQuery": "Ttp_Impersonation_CL" + } + ], + "sampleQueries": [ + { + "description": "Ttp_Url_CL", + "query": "Ttp_Url_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Ttp_Attachment_CL", + "query": "Ttp_Attachment_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Ttp_Impersonation_CL", + "query": "Ttp_Impersonation_CL\n| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "Ttp_Url_CL", + "lastDataReceivedQuery": "Ttp_Url_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Ttp_Attachment_CL", + "lastDataReceivedQuery": "Ttp_Attachment_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Ttp_Impersonation_CL", + "lastDataReceivedQuery": "Ttp_Impersonation_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Ttp_Url_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Ttp_Attachment_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Ttp_Impersonation_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + 
"permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "description": "You need to have a resource group created with a subscription you are going to use.", + "title": "Resource group" + }, + { + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. Client Secret", + "title": "Functions app" + }, + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. 
Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Mimecast Targeted Threat Protection Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastTTPAzureDeploy-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. 
Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tStart Date \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 0 */1 * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "title": "Azure Resource Manager (ARM) Template" + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "contentId": "[variables('_dataConnectorContentId5')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion5')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId5')]", + "contentKind": "DataConnector", + "displayName": "Mimecast Targeted Threat Protection (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId5')]", + "id": "[variables('_dataConnectorcontentProductId5')]", + 
"version": "[variables('dataConnectorVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId5'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId5')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId5'))]", + "contentId": "[variables('_dataConnectorContentId5')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion5')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId5'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "Mimecast Targeted Threat Protection (using Azure Functions)", + "publisher": "Mimecast", + "descriptionMarkdown": "The data connector for [Mimecast Targeted Threat Protection](https://community.mimecast.com/s/article/Azure-Sentinel) provides customers with the visibility into security events related to the Targeted Threat Protection inspection technologies within Microsoft Sentinel. 
The data connector provides pre-created dashboards to allow analysts to view insight into email based threats, aid in incident correlation and reduce investigation response times coupled with custom alert capabilities. \nThe Mimecast products included within the connector are: \n- URL Protect \n- Impersonation Protect \n- Attachment Protect\n", + "graphQueries": [ + { + "metricName": "Total URL Protect data received", + "legend": "Ttp_Url_CL", + "baseQuery": "Ttp_Url_CL" + }, + { + "metricName": "Total Attachment Protect data received", + "legend": "Ttp_Attachment_CL", + "baseQuery": "Ttp_Attachment_CL" + }, + { + "metricName": "Total Impersonation Protect data received", + "legend": "Ttp_Impersonation_CL", + "baseQuery": "Ttp_Impersonation_CL" + } + ], + "dataTypes": [ + { + "name": "Ttp_Url_CL", + "lastDataReceivedQuery": "Ttp_Url_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Ttp_Attachment_CL", + "lastDataReceivedQuery": "Ttp_Attachment_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Ttp_Impersonation_CL", + "lastDataReceivedQuery": "Ttp_Impersonation_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "Ttp_Url_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Ttp_Attachment_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)", + "Ttp_Impersonation_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "Ttp_Url_CL", + "query": "Ttp_Url_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Ttp_Attachment_CL", + "query": "Ttp_Attachment_CL\n| sort by TimeGenerated desc" + }, + { + "description": "Ttp_Impersonation_CL", + "query": 
"Ttp_Impersonation_CL\n| sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Azure Subscription", + "description": "Azure Subscription with owner role is required to register an application in Microsoft Entra ID and assign role of contributor to app in resource group." + }, + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "REST API Credentials/permissions", + "description": "See the documentation to learn more about API on the [Rest API reference](https://integrations.mimecast.com/documentation/)" + } + ] + }, + "instructionSteps": [ + { + "description": "You need to have a resource group created with a subscription you are going to use.", + "title": "Resource group" + }, + { + "description": "You need to have an Azure App registered for this connector to use\n1. Application Id\n2. Tenant Id\n3. Client Id\n4. 
Client Secret", + "title": "Functions app" + }, + { + "description": ">**NOTE:** This connector uses Azure Functions to connect to a Mimecast API to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + }, + { + "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." + }, + { + "description": "**STEP 1 - Configuration steps for the Mimecast API**\n\nGo to ***Azure portal ---> App registrations ---> [your_app] ---> Certificates & secrets ---> New client secret*** and create a new secret (save the Value somewhere safe right away because you will not be able to preview it later)", + "title": "Configuration:" + }, + { + "description": "**STEP 2 - Deploy Mimecast API Connector**\n\n>**IMPORTANT:** Before deploying the Mimecast API connector, have the Workspace ID and Workspace Primary Key (can be copied from the following), as well as the Mimecast API authorization key(s) or Token, readily available.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + }, + { + "parameters": { + "fillWith": [ + "PrimaryKey" + ], + "label": "Primary Key" + }, + "type": "CopyableLabel" + } + ] + }, + { + "description": "Use this method for automated deployment of the Mimecast Targeted Threat Protection Data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-MimecastTTPAzureDeploy-azuredeploy)\n2. 
Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the below information : \n\t\tWorkspace ID \n\t\tWorkspace Key \n\t\tBase URL (Default: https://api.services.mimecast.com) \n\t\tStart Date \n\t\tMimecast Client ID \n\t\tMimecast Client Secret \n\t\tLog Level (Default: INFO) \n\t\tSchedule (0 0 */1 * * *) \n\t\tApp Insights Workspace Resource ID \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "title": "Azure Resource Manager (ARM) Template" + } + ], + "id": "[variables('_uiConfigId5')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Mimecast", + "publisherDisplayName": "Mimecast", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

An Azure app to enable Mimecast data to be viewed using analytical tables and charts which are brought into Azure.

\n

Data Connectors: 5, Parsers: 11, Workbooks: 5, Analytic Rules: 13, Playbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Mimecast", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Mimecast", + "email": "[variables('_email')]" + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject7')._analyticRulecontentId7]", + "version": "[variables('analyticRuleObject7').analyticRuleVersion7]" + }, + { + "kind": "AnalyticsRule", + "contentId": 
"[variables('analyticRuleObject8')._analyticRulecontentId8]", + "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject10')._analyticRulecontentId10]", + "version": "[variables('analyticRuleObject10').analyticRuleVersion10]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject11')._analyticRulecontentId11]", + "version": "[variables('analyticRuleObject11').analyticRuleVersion11]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject12')._analyticRulecontentId12]", + "version": "[variables('analyticRuleObject12').analyticRuleVersion12]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject13')._analyticRulecontentId13]", + "version": "[variables('analyticRuleObject13').analyticRuleVersion13]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId2')]", + "version": "[variables('workbookVersion2')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId3')]", + "version": "[variables('workbookVersion3')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId4')]", + "version": "[variables('workbookVersion4')]" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId5')]", + "version": "[variables('workbookVersion5')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Mimecast Data Connector Trigger Sync')]", + "version": "[variables('playbookVersion1')]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject1').parserContentId1]", + "version": 
"[variables('parserObject1').parserVersion1]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject2').parserContentId2]", + "version": "[variables('parserObject2').parserVersion2]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject3').parserContentId3]", + "version": "[variables('parserObject3').parserVersion3]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject4').parserContentId4]", + "version": "[variables('parserObject4').parserVersion4]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject5').parserContentId5]", + "version": "[variables('parserObject5').parserVersion5]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject6').parserContentId6]", + "version": "[variables('parserObject6').parserVersion6]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject7').parserContentId7]", + "version": "[variables('parserObject7').parserVersion7]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject8').parserContentId8]", + "version": "[variables('parserObject8').parserVersion8]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject9').parserContentId9]", + "version": "[variables('parserObject9').parserVersion9]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject10').parserContentId10]", + "version": "[variables('parserObject10').parserVersion10]" + }, + { + "kind": "Parser", + "contentId": "[variables('parserObject11').parserContentId11]", + "version": "[variables('parserObject11').parserVersion11]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId3')]", + "version": 
"[variables('dataConnectorVersion3')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId4')]", + "version": "[variables('dataConnectorVersion4')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId5')]", + "version": "[variables('dataConnectorVersion5')]" + } + ] + }, + "firstPublishDate": "2024-09-10", + "lastPublishDate": "2024-09-10", + "providers": [ + "Mimecast" + ], + "categories": { + "domains": [ + "Security - Network" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Mimecast/Package/testParameters.json b/Solutions/Mimecast/Package/testParameters.json new file mode 100644 index 00000000000..a6004ba15f1 --- /dev/null +++ b/Solutions/Mimecast/Package/testParameters.json 
@@ -0,0 +1,64 @@
+{
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "Mimecast Audit Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "workbook2-name": {
+ "type": "string",
+ "defaultValue": "Mimecast Awareness Training Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "workbook3-name": {
+ "type": "string",
+ "defaultValue": "Mimecast Cloud Integrated Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "workbook4-name": {
+ "type": "string",
+ "defaultValue": "Mimecast Secure Email Gateway Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ },
+ "workbook5-name": {
+ "type": "string",
+ "defaultValue": "Mimecast Targeted Threat Protection Workbook",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+}
diff --git a/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Performane_Detail.yaml b/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Performane_Detail.yaml
new file mode 100644
index 00000000000..afca18f3525
--- /dev/null
+++ b/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Performane_Detail.yaml
@@ -0,0 +1,27 @@
+id: c6376b96-24ca-4113-932f-a069f1c62479
+Function:
+ Title: Parser for Mimecast Awareness Training Performance Details
+ Version: '1.0.0'
+ LastUpdated: '2024-07-27'
+Category: Microsoft Sentinel Parser
+FunctionName: AwarenessPerformanceDetails
+FunctionAlias: AwarenessPerformanceDetails
+FunctionQuery: |
+ let dummy_table = datatable(TimeGenerated: datetime) [];
+ let Awareness_Performance_Details_view = view() {
+ union isfuzzy=true dummy_table,
+ Awareness_Performance_Details_CL
+ | extend ["Email"] = column_ifexists('email_s', ''),
+ ["Name"] = column_ifexists('name_s', ''),
+ ["Num of Correct"] = column_ifexists('numCorrect_d', ''),
+ ["Num of Incorrect"] = column_ifexists('numIncorrect_d', ''),
+ ["Num of Not Watched"] = column_ifexists('numNotWatched_d', ''),
+ ["User Details"] = column_ifexists('userDetails_s',''),
+ ["User State"] = column_ifexists('userState_s',''),
+ ["Department"] = column_ifexists('department_s',''),
+ ["Time Generated"] = column_ifexists('TimeGenerated','')
+ | summarize arg_max(["Time Generated"] , *) by ["Email"] ,["Num of Correct"] , ["Num of Incorrect"], ["Num of Not Watched"],["Name"] , ["User Details"] , ["User State"] , ["Department"]
+ | project ["Email"] ,["Num of Correct"] , ["Num of Incorrect"], ["Num of Not Watched"],["Name"] , ["User Details"] , ["User State"] , ["Department"]
+ };
+ Awareness_Performance_Details_view
+
\ No newline at end of file
diff --git a/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Safe_Score.yaml b/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Safe_Score.yaml
new file mode 100644
index 00000000000..4f6d6f79f2c
--- /dev/null
+++ b/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Safe_Score.yaml
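Review bot: The numeric source columns in the `extend` (`numCorrect_d`, `numIncorrect_d`, `numNotWatched_d`) are defaulted to `''`, so the projected `Num of …` columns come out as real when the source column exists and as string when it does not, and a workbook or analytic rule that compares or sums them behaves differently on an empty workspace than on a populated one. The sibling `Mimecast_AT_Watchlist.yaml` in this commit already uses a typed default (`column_ifexists('watchlistCount_d', 0)`); do the same here, e.g. `["Num of Correct"] = column_ifexists('numCorrect_d', real(null)),` and likewise for the other two. The same string-default-on-typed-column pattern appears in `Mimecast_AT_User_Data.yaml` (the `_d` and `_t` columns) and in `Mimecast_Cloud_Integrated.yaml` (`timestamp_d`, `historicalMail_b`). Separately, the file name spells `Performane` while `Title` reads Performance; renaming before merge keeps the two consistent.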
@@ -0,0 +1,27 @@
+id: 06c97d41-652a-4ff0-9bf5-dca775126fff
+Function:
+ Title: Parser for Mimecast Awareness Training Safe Score
+ Version: '1.0.0'
+ LastUpdated: '2024-07-27'
+Category: Microsoft Sentinel Parser
+FunctionName: AwarenessSafeScore
+FunctionAlias: AwarenessSafeScore
+FunctionQuery: |
+ let dummy_table = datatable(TimeGenerated: datetime) [];
+ let Awareness_Safe_Score_view = view() {
+ union isfuzzy=true dummy_table,
+ Awareness_SafeScore_Details_CL
+ | extend ["Email Address"] = column_ifexists('emailAddress_s', ''),
+ ["Name"] = column_ifexists('name_s', ''),
+ ["Risk"] = column_ifexists('risk_s', ''),
+ ["Human Error"]= column_ifexists('humanError_s', ''),
+ ["Sentiment"] = column_ifexists('sentiment_s', ''),
+ ["Engagement"] = column_ifexists('engagement_s', ''),
+ ["Knowledge"] = column_ifexists('knowledge_s', ''),
+ ["User State"] = column_ifexists('userState_s', ''),
+ ["Department"] = column_ifexists('department_s', ''),
+ ["Time Generated"] = column_ifexists('TimeGenerated', '')
+ | summarize arg_max(["Time Generated"] , *) by ["Email Address"] , ["Name"] , ["Risk"] , ["Human Error"] , ["Sentiment"] , ["Engagement"] , ["Knowledge"], ["User State"] , ["Department"]
+ | project ["Email Address"] , ["Name"] , ["Risk"] , ["Human Error"] , ["Sentiment"] , ["Engagement"] , ["Knowledge"], ["User State"] , ["Department"]
+ };
+ Awareness_Safe_Score_view
diff --git a/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_User_Data.yaml b/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_User_Data.yaml
new file mode 100644
index 00000000000..87971cfbcfb
--- /dev/null
+++ b/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_User_Data.yaml
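Review bot: The `summarize arg_max(["Time Generated"], *) by …` clause groups on every projected column, so it collapses only rows that are identical in Risk, Human Error, Sentiment, Engagement and Knowledge; a user whose score changed between two polls appears twice in the output and the `arg_max` does not select anything. If the intent is the latest safe score per user — the title suggests it, but the file does not say — group on the identity column only: `| summarize arg_max(["Time Generated"] , *) by ["Email Address"]`, with the remaining columns carried by `*`. Either way, a one-line comment at the top of `FunctionQuery` stating which record the view returns (every distinct snapshot, or the latest per user) would spare the next reader the guess. The same whole-row grouping is used in `Mimecast_AT_Performane_Detail.yaml` and `Mimecast_AT_User_Data.yaml`.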
@@ -0,0 +1,35 @@
+id: bf754aad-692b-46cd-b5b4-6f044bd105a4
+Function:
+ Title: Parser for Mimecast Awareness Training User Data
+ Version: '1.0.0'
+ LastUpdated: '2024-07-27'
+Category: Microsoft Sentinel Parser
+FunctionName: AwarenessUserData
+FunctionAlias: AwarenessUserData
+FunctionQuery: |
+ let dummy_table = datatable(TimeGenerated: datetime) [];
+ let Awareness_User_Data_view = view() {
+ union isfuzzy=true dummy_table,
+ Awareness_User_Data_CL
+ | extend ["Time Generated"] = column_ifexists('TimeGenerated', ''),
+ ["Time Reported"] = column_ifexists('timeReported_t', ''),
+ ["Name"] = column_ifexists('name_s', ''),
+ ["Email"] = column_ifexists('email_s', ''),
+ ["Template Name"] = column_ifexists('templateName_s', ''),
+ ["Status"] = column_ifexists('status_s', ''),
+ ["Num of Campaigns Clicked"] = column_ifexists('numCampaignsClicked_d', ''),
+ ["Num of Campaigns Sent"] = column_ifexists('numCampaignsSent_d', ''),
+ ["Num of Correct Answers"] = column_ifexists('numCorrectAnswers_d', ''),
+ ["Num of Training Modules Assigned"] = column_ifexists('numTrainingModulesAssigned_d', ''),
+ ["Num of Incorrect Answers"] = column_ifexists('numIncorrectAnswers_d', ''),
+ ["User State"] = column_ifexists('userState_s', ''),
+ ["Clicked IP"] = column_ifexists('clickedIp_s', ''),
+ ["Reaction Time"] = column_ifexists('reactionTime_d', ''),
+ ["Time Opened"] = column_ifexists('timeOpened_t', ''),
+ ["Department"] = column_ifexists('department_s', ''),
+ ["Time Scheduled"] = column_ifexists('timeScheduled_t',''),
+ ["Time Clicked"] = column_ifexists('timeClicked_t', '')
+ | summarize arg_max(["Time Generated"] , *) by ["Time Reported"] , ["Name"], ["Email"] , ["Template Name"], ["Status"] , ["Num of Campaigns Clicked"], ["Num of Campaigns Sent"], ["Num of Correct Answers"] , ["Num of Training Modules Assigned"] , ["Num of Incorrect Answers"] , ["User State"], ["Clicked IP"], ["Reaction Time"], ["Time Opened"], ["Time Clicked"] , ["Time Scheduled"] , ["Department"]
+ | project ["Time Reported"] , ["Name"], ["Email"] , ["Template Name"], ["Status"] , ["Num of Campaigns Clicked"], ["Num of Campaigns Sent"], ["Num of Correct Answers"] , ["Num of Training Modules Assigned"] , ["Num of Incorrect Answers"] , ["User State"], ["Clicked IP"], ["Reaction Time"], ["Time Opened"], ["Time Clicked"] , ["Time Scheduled"] , ["Department"]
+ };
+ Awareness_User_Data_view
\ No newline at end of file
diff --git a/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Watchlist.yaml b/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Watchlist.yaml
new file mode 100644
index 00000000000..2e9b99cc818
--- /dev/null
+++ b/Solutions/Mimecast/Parsers/MimecastAT/Mimecast_AT_Watchlist.yaml
@@ -0,0 +1,24 @@
+id: 7afbe4ec-9fa1-429d-9a25-6c3f0519330e
+Function:
+ Title: Parser for Mimecast Awareness Training Watchlist
+ Version: '1.0.0'
+ LastUpdated: '2024-07-27'
+Category: Microsoft Sentinel Parser
+FunctionName: AwarenessWatchlist
+FunctionAlias: AwarenessWatchlist
+FunctionQuery: |
+ let dummy_table = datatable(TimeGenerated: datetime) [];
+ let Awareness_Watchlist_view = view() {
+ union isfuzzy=true dummy_table,
+ Awareness_Watchlist_Details_CL
+ | extend ["Email" ]= column_ifexists('email_s', ''),
+ ["Name"] = column_ifexists('name_s', ''),
+ ["Watchlist Count"] = column_ifexists('watchlistCount_d', 0),
+ ["User State"] = column_ifexists('userState_s', ''),
+ ["Department"] = column_ifexists('department_s', ''),
+ ["Time Generated"] = column_ifexists('Time Generated', '')
+ | summarize arg_max(["Time Generated"], *) by ["Email" ], ["Name"] , ["Watchlist Count"] , ["User State"], ["Department"]
+ | project ["Time Generated"], ["Email" ], ["Name"] , ["Watchlist Count"] , ["User State"], ["Department"]
+ };
+ Awareness_Watchlist_view
+
diff --git a/Solutions/Mimecast/Parsers/MimecastAudit/Mimecast_Audit.yaml b/Solutions/Mimecast/Parsers/MimecastAudit/Mimecast_Audit.yaml
new file mode 100644
index 00000000000..1284f18cc9d
--- /dev/null
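Review bot: In `Mimecast_AT_Watchlist.yaml` the extend reads `column_ifexists('Time Generated', '')`, but the ingested column is `TimeGenerated` — the name the other Awareness parsers use and the one `dummy_table` declares — so the lookup never matches, `Time Generated` is always `''`, the `arg_max` picks an arbitrary row within each group, and the projected timestamp is empty for every record the view returns. Change it to `["Time Generated"] = column_ifexists('TimeGenerated', '')`; since the union with `dummy_table` guarantees the column exists, `["Time Generated"] = TimeGenerated` would do as well.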
+++ b/Solutions/Mimecast/Parsers/MimecastAudit/Mimecast_Audit.yaml
@@ -0,0 +1,26 @@
+id: 679b2b50-2611-4358-9686-5948587cbb47
+Function:
+ Title: Parser for MimecastAudit
+ Version: '1.0.0'
+ LastUpdated: '2024-07-08'
+Category: Microsoft Sentinel Parser
+FunctionName: MimecastAudit
+FunctionAlias: MimecastAudit
+FunctionQuery: |
+ let dummy_table = datatable(TimeGenerated: datetime) [];
+ let MimecastAudit_view = view() {
+ union isfuzzy=true dummy_table,
+ Audit_CL
+ | extend ["Id"] = column_ifexists('id_s', ''),
+ ["Audit Type"] = column_ifexists('auditType_s', ''),
+ ["User"] = column_ifexists('user_s', ''),
+ ["Event Time"] = column_ifexists('eventTime_t', ''),
+ ["Event Info"] = column_ifexists('eventInfo_s', ''),
+ ["Category"] = column_ifexists('Category',''),
+ ["Time Generated"] = column_ifexists('TimeGenerated','')
+ | extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime( ["Event Time"] ))
+ | parse-kv ["Event Info"] as (IP: string, Application:string ) with (pair_delimiter=',', kv_delimiter=':')
+ | summarize arg_max(TimeGenerated, *) by ["Category"] , ["Audit Type"] , ["User"] , ["Event Info"] , ["Event Time"] , ["Id"]
+ | project ["Time Generated"] ,["Source IP"] = IP ,Application , ["Category"] , ["Audit Type"] , ["User"] , ["Event Info"] , ["Event Time"] , ["Id"]
+ };
+ MimecastAudit_view
\ No newline at end of file
diff --git a/Solutions/Mimecast/Parsers/MimecastCI/Mimecast_Cloud_Integrated.yaml b/Solutions/Mimecast/Parsers/MimecastCI/Mimecast_Cloud_Integrated.yaml
new file mode 100644
index 00000000000..6390479268c
--- /dev/null
+++ b/Solutions/Mimecast/Parsers/MimecastCI/Mimecast_Cloud_Integrated.yaml
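Review bot: The extend `iff( isempty( ['Event Time']) ,now() , todatetime( ["Event Time"] ))` stamps a record that has no event time with the moment the query runs, so the same audit record carries a different `Event Time` on every execution, and a scheduled rule that filters on that column can pull an old record into the current window or drop it unpredictably. Fall back to a value fixed at ingestion instead, `| extend ['Event Time'] = iff( isempty( ['Event Time']) , TimeGenerated , todatetime( ["Event Time"] ))`, or leave it null with `datetime(null)` so the missing timestamp stays visible to the consumer. `Mimecast_Cloud_Integrated.yaml` in this commit uses the same `now()` fallback. A smaller point of style: this parser groups with `arg_max(TimeGenerated, *)` while the sibling parsers use `arg_max(["Time Generated"], *)`; they resolve to the same column here, but one spelling across the set is easier to maintain.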
@@ -0,0 +1,79 @@
+id: c78aaea4-8a16-4e8b-9722-073e7181efd1
+Function:
+ Title: Parser for Mimecast Cloud Integrated
+ Version: "1.0.0"
+ LastUpdated: "2024-07-25"
+Category: Microsoft Sentinel Parser
+FunctionName: MimecastCloudIntegrated
+FunctionAlias: MimecastCloudIntegrated
+FunctionQuery: |
+ let dummy_table = datatable(TimeGenerated: datetime) [];
+ let MimecastCloudIntegrated = view() {
+ union isfuzzy=true dummy_table,
+ Cloud_Integrated_CL
+ | extend Category = column_ifexists('Category', ''),
+ ["Time Generated"] = column_ifexists('TimeGenerated', ''),
+ ["Event Time"] = column_ifexists('timestamp_d', ''),
+ ['Account ID'] = column_ifexists('accountId_s', ''),
+ ['Aggregate ID'] = column_ifexists('aggregateId_s', ''),
+ ['Processing ID'] = column_ifexists('processingId_s', ''),
+ ['Message ID'] = column_ifexists('messageId_s', ''),
+ ["Attachments"] = column_ifexists('attachments_s', ''),
+ ["Recipients"] = column_ifexists('recipients_s', ''),
+ ["Tags"] = column_ifexists('tags_s', ''),
+ ['Policies Applied'] = column_ifexists('policiesApplied_s', ''),
+ ['Historical Mail'] = column_ifexists('historicalMail_b', ''),
+ ['Sender IP'] = column_ifexists('senderIp_s', ''),
+ ['Sender Envelope'] = column_ifexists('senderEnvelope_s', ''),
+ ["Subject"]= column_ifexists('subject_s', ''),
+ ["Source"] = column_ifexists('source_s', ''),
+ ['Threat State'] = column_ifexists('threatState_s', ''),
+ ['Threat Type'] = column_ifexists('threatType_s', ''),
+ ["Direction"] = column_ifexists('direction_s', ''),
+ ['Sender Header'] = column_ifexists('senderHeader_s', ''),
+ ["Type"] = column_ifexists('type_s', ''),
+ ["Subtype"] = column_ifexists('subtype_s', '')
+ | summarize arg_max(["Time Generated"] , *) by ["Event Time"],
+ ["Type"],
+ ['Account ID'],
+ ['Aggregate ID'],
+ ['Processing ID'],
+ ['Message ID'],
+ ["Attachments"],
+ ["Recipients"],
+ ["Tags"],
+ ['Policies Applied'],
+ ['Historical Mail'],
+ ['Sender IP'],
+ ['Sender Envelope'],
+ ["Subject"],
+ ["Source"],
+ ['Threat State'],
+ ['Threat Type'],
+ ["Direction"],
+ ['Sender Header'],
+ ["Subtype"]
+ | extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(unixtime_milliseconds_todatetime( tolong(["Event Time"])) ) )
+ | project ["Event Time"] ,
+ ["Time Generated"],
+ ['Account ID'],
+ ['Aggregate ID'],
+ ['Processing ID'],
+ ['Message ID'],
+ ["Attachments"],
+ ["Recipients"],
+ ["Tags"],
+ ['Policies Applied'],
+ ['Historical Mail'],
+ ['Sender IP'],
+ ['Sender Envelope'],
+ ["Subject"],
+ ["Source"],
+ ['Threat State'],
+ ['Threat Type'],
+ ["Direction"],
+ ['Sender Header'],
+ ["Type"],
+ ["Subtype"]
+ };
+ MimecastCloudIntegrated
\ No newline at end of file
diff --git a/Solutions/Mimecast/Parsers/MimecastSEG/Mimecast_SEG_CG.yaml b/Solutions/Mimecast/Parsers/MimecastSEG/Mimecast_SEG_CG.yaml
new file mode 100644
index 00000000000..1eaf28f86db
--- /dev/null
+++ b/Solutions/Mimecast/Parsers/MimecastSEG/Mimecast_SEG_CG.yaml
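Review bot: `['Historical Mail'] = column_ifexists('historicalMail_b', '')` and `["Event Time"] = column_ifexists('timestamp_d', '')` give a boolean and a numeric column a string default, so the output type of these fields depends on whether the source column exists in a given workspace; a rule written as `where ['Historical Mail'] == true` parses on one workspace and fails on another. Use typed null defaults, `column_ifexists('historicalMail_b', bool(null))` and `column_ifexists('timestamp_d', real(null))`, so the parser's schema is the same everywhere. The same pattern is in Mimecast_SEG_CG (`timestamp_d`, `_offset_d`, `_partition_d`) and Mimecast_TTP_Impersonation (`hits_d`, `taggedExternal_b`, `taggedMalicious_b`).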
@@ -0,0 +1,195 @@ +id: 91267889-770d-451b-9ed8-d3ed260c48e3 +Function: + Title: Parser for Mimecast SEG Cloud Gateway + Version: "1.0.0" + LastUpdated: "2024-07-25" +Category: Microsoft Sentinel Parser +FunctionName: MimecastCG +FunctionAlias: MimecastCG +FunctionQuery: | + let dummy_table = datatable(TimeGenerated: datetime) []; + let MimecastCG_view = view() { + union isfuzzy=true dummy_table, + Seg_Cg_CL + | extend + ["Time Generated"] = column_ifexists('TimeGenerated', ''), + ["Url Category"] = columnifexists("urlCategory_s", ""), + ["Scan Results"] = columnifexists("scanResults_s", ""), + ["File Name"] = columnifexists("fileName_s", ""), + ["Sha256"] = columnifexists("sha256_s", ""), + ["File Extension"] = columnifexists("fileExtension_s", ""), + ["Virus Found"] = columnifexists("virusFound_s", ""), + ["Sha1"] = columnifexists("sha1_s", ""), + ["Sender Domain"] = columnifexists("senderDomain_s", ""), + ["Md5"] = columnifexists("md5_g", ""), + ["Custom Threat Dictionary"] = columnifexists("customThreatDictionary_s", ""), + ["Items Detected"] = columnifexists("itemsDetected_s", ""), + ["Similar Custom External Domain"] = columnifexists("similarCustomExternalDomain_s", ""), + ["Tagged External"] = columnifexists("taggedExternal_s", ""), + ["Similar Internal Domain"] = columnifexists("similarInternalDomain_s", ""), + ["New Domain"] = columnifexists("newDomain_s", ""), + ["Internal User Name"] = columnifexists("internalUserName_s", ""), + ["Mimecast Threat Dictionary"] = columnifexists("mimecastThreatDictionary_s", ""), + ["Similar Mimecast External Domain"] = columnifexists("similarMimecastExternalDomain_s", ""), + ["Custom Name Match"] = columnifexists("customNameMatch_s", ""), + ["Tagged Malicious"] = columnifexists("taggedMalicious_s", ""), + ["Reply Mismatch"] = columnifexists("replyMismatch_s", ""), + ["Aggregate ID S"] = columnifexists("aggregateId_s", ""), + ["Aggregate ID G"] = columnifexists("aggregateId_g", ""), + ["Rejection Type"] = 
columnifexists("rejectionType_s", ""), + ["Rejection Code"] = columnifexists("rejectionCode_s", ""), + ["Rejection Info"] = columnifexists("rejectionInfo_s", ""), + ["Delivered"] = columnifexists("delivered_s", ""), + ["Destination IP"] = columnifexists("destinationIp_s", ""), + ["Host Name"] = columnifexists("Hostname_s", ""), + ["Delivery Attempts"] = columnifexists("deliveryAttempts_s", ""), + ["TLS Used"] = columnifexists("tlsUsed_s", ""), + ["Delivery Errors"] = columnifexists("deliveryErrors_s", ""), + ["Attachments"] = columnifexists("attachments_s", ""), + ["Route"] = columnifexists("route_s", ""), + ["Processing ID"] = columnifexists("processingId_s", ""), + ["Account ID"] = columnifexists("accountId_s", ""), + ["Action"] = columnifexists("action_s", ""), + ["Event Time"] = columnifexists("timestamp_d", ""), + ["Sender Envelope"] = columnifexists("senderEnvelope_s", ""), + ["Message ID"] = columnifexists("messageId_s", ""), + ["Subject"] = columnifexists("subject_s", ""), + ["Total of Size Attachments"] = columnifexists("totalSizeAttachments_s", ""), + ["Number of Attachments"] = columnifexists("numberAttachments_s", ""), + ["Email Size"] = columnifexists("emailSize_s", ""), + ["Type"] = columnifexists("type_s", ""), + ["Sub Type"] = columnifexists("subtype_s", ""), + ["Monitored Domain Source"] = columnifexists("monitoredDomainSource_s", ""), + ["Similar Domain"] = columnifexists("similarDomain_s", ""), + ["Offset"] = columnifexists("_offset_d", ""), + ["Partition"] = columnifexists("_partition_d", ""), + ["Hold Reason"] = columnifexists("holdReason_s", ""), + ["Recipients"] = columnifexists("recipients_s", ""), + ["Sender IP"] = columnifexists("senderIp_s", ""), + ["Direction"] = columnifexists("direction_s", ""), + ["Sender Header"] = columnifexists("senderHeader_s", ""), + ["TLS Version"] = columnifexists("tlsVersion_s", ""), + ["TLS Cipher"] = columnifexists("tlsCipher_s", ""), + ["Spam Info"] = columnifexists("spamInfo_s", ""), + ["Spam Processing 
Detail"] = columnifexists("spamProcessingDetail_s", "") + | summarize arg_max(["Time Generated"], *) by + ["Url Category"], + ["Scan Results"], + ["File Name"], + ["Sha256"], + ["File Extension"], + ["Virus Found"], + ["Sha1"], + ["Sender Domain"], + ["Md5"], + ["Custom Threat Dictionary"], + ["Items Detected"], + ["Similar Custom External Domain"], + ["Tagged External"], + ["Similar Internal Domain"], + ["New Domain"], + ["Internal User Name"], + ["Mimecast Threat Dictionary"], + ["Similar Mimecast External Domain"], + ["Custom Name Match"], + ["Tagged Malicious"], + ["Reply Mismatch"], + ["Aggregate ID"] = coalesce(["Aggregate ID S"], ["Aggregate ID G"]), + ["Rejection Type"], + ["Rejection Code"], + ["Rejection Info"], + ["Delivered"], + ["Destination IP"], + ["Host Name"], + ["Delivery Attempts"], + ["TLS Used"], + ["Delivery Errors"], + ["Attachments"], + ["Route"], + ["Processing ID"], + ["Account ID"], + ["Action"], + ["Event Time"], + ["Sender Envelope"], + ["Message ID"], + ["Subject"], + ["Total of Size Attachments"], + ["Number of Attachments"], + ["Email Size"], + ["Type"], + ["Sub Type"], + ["Monitored Domain Source"], + ["Similar Domain"], + ["Hold Reason"], + ["Recipients"], + ["Sender IP"], + ["Direction"], + ["Sender Header"], + ["TLS Version"], + ["TLS Cipher"], + ["Spam Info"], + ["Spam Processing Detail"] + | extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(unixtime_milliseconds_todatetime( tolong(["Event Time"]) )) ) + | extend ['Message ID'] = trim(@"[\<\>]", ['Message ID'] ) + | project + ["Time Generated"], + ["Url Category"], + ["Scan Results"], + ["File Name"], + ["Sha256"], + ["File Extension"], + ["Virus Found"], + ["Sha1"], + ["Sender Domain"], + ["Md5"], + ["Custom Threat Dictionary"], + ["Items Detected"], + ["Similar Custom External Domain"], + ["Tagged External"], + ["Similar Internal Domain"], + ["New Domain"], + ["Internal User Name"], + ["Mimecast Threat Dictionary"], + ["Similar Mimecast External 
Domain"], + ["Custom Name Match"], + ["Tagged Malicious"], + ["Reply Mismatch"], + ["Aggregate ID"] = coalesce(["Aggregate ID S"], ["Aggregate ID G"]), + ["Rejection Type"], + ["Rejection Code"], + ["Rejection Info"], + ["Delivered"], + ["Destination IP"], + ["Host Name"], + ["Delivery Attempts"], + ["TLS Used"], + ["Delivery Errors"], + ["Attachments"], + ["Route"], + ["Processing ID"], + ["Account ID"], + ["Action"], + ["Event Time"] , + ["Sender Envelope"], + ["Message ID"], + ["Subject"], + ["Total of Size Attachments"], + ["Number of Attachments"], + ["Email Size"], + ["Type"], + ["Sub Type"], + ["Monitored Domain Source"], + ["Similar Domain"], + ["Offset"], + ["Partition"], + ["Hold Reason"], + ["Recipients"], + ["Sender IP"], + ["Direction"], + ["Sender Header"], + ["TLS Version"], + ["TLS Cipher"], + ["Spam Info"], + ["Spam Processing Detail"] + }; + MimecastCG_view diff --git a/Solutions/Mimecast/Parsers/MimecastSEG/Mimecast_SEG_DLP.yaml b/Solutions/Mimecast/Parsers/MimecastSEG/Mimecast_SEG_DLP.yaml new file mode 100644 index 00000000000..a2f1dcf6b11 --- /dev/null +++ b/Solutions/Mimecast/Parsers/MimecastSEG/Mimecast_SEG_DLP.yaml 
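Review bot: Every line of the `extend` after `["Time Generated"] = column_ifexists('TimeGenerated', '')` calls `columnifexists(...)` (for example `["Url Category"] = columnifexists("urlCategory_s", "")`), which is not a KQL function; the function is `column_ifexists`, as the first line of the same extend and every other parser in this change use, so this function will fail to resolve when it is run. Replace the call name throughout the extend. `columnifexists("Hostname_s", "")` also uses a capitalised column name while every other source column is camelCase; if the ingested column is `hostname_s` the `["Host Name"]` field will always be empty — worth checking against the connector's table schema.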
@@ -0,0 +1,27 @@
+id: 1cdd670a-dec9-4d15-97a1-75043a1e631a
+Function:
+ Title: Parser for Mimecast SEG Data Leak Prevention
+ Version: "1.0.0"
+ LastUpdated: "2024-07-25"
+Category: Microsoft Sentinel Parser
+FunctionName: MimecastDLP
+FunctionAlias: MimecastDLP
+FunctionQuery: |
+ let dummy_table = datatable(TimeGenerated: datetime) [];
+ let MimecastSEG_view = view() {
+ union isfuzzy=true dummy_table,
+ Seg_Dlp_CL
+ | extend ["Sender Address"] = column_ifexists('senderAddress_s', ''),
+ ["Recipient Address"] = column_ifexists('recipientAddress_s', ''),
+ ["Subject"] = column_ifexists('subject_s', ''),
+ ["Event Time"] = column_ifexists('eventTime_t', ''),
+ ["Route"] = column_ifexists('route_s', ''),
+ ["Policy"] = column_ifexists('policy_s', ''),
+ ["Action"] = column_ifexists('action_s', ''),
+ ["Message ID"] = column_ifexists('messageId_s', ''),
+ ["Time Generated"] = column_ifexists('TimeGenerated', '')
+ | summarize arg_max(TimeGenerated, *) by ["Sender Address"], ["Recipient Address"], ["Subject"], ["Route"], ["Policy"], ["Action"], ["Event Time"], ["Message ID"]
+ | extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime( tolong(["Event Time"]) ) )
+ | project ["Time Generated"], ["Sender Address"], ["Recipient Address"], ["Subject"], ["Route"], ["Policy"], ["Action"], ["Event Time"], ["Message ID"]
+ };
+ MimecastSEG_view
\ No newline at end of file
diff --git a/Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Attachment.yaml b/Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Attachment.yaml
new file mode 100644
index 00000000000..61871aed3e6
--- /dev/null
+++ b/Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Attachment.yaml
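Review bot: `todatetime( tolong(["Event Time"]) )` converts the `eventTime_t` value to a long and back, whereas Mimecast_Audit, Mimecast_TTP_Attachment and Mimecast_TTP_Impersonation apply `todatetime()` directly to the same kind of `_t` column; the round-trip through `tolong` is at best redundant and, if the column already arrives as a datetime, is unlikely to reproduce the original timestamp. Use `todatetime(["Event Time"])` as the Audit parser does. The view is also named `MimecastSEG_view` while the function is `MimecastDLP`; `MimecastDLP_view` would match the `MimecastCG_view` naming in the sibling SEG parser.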
@@ -0,0 +1,35 @@
+id: aea16729-fdd1-43aa-84bd-9127c0c53d03
+Function:
+ Title: Parser for Mimecast TTP ATTACHMENT
+ Version: "1.0.0"
+ LastUpdated: "2024-07-15"
+Category: Microsoft Sentinel Parser
+FunctionName: MimecastTTPAttachment
+FunctionAlias: MimecastTTPAttachment
+FunctionQuery: |
+ let dummy_table = datatable(TimeGenerated: datetime, senderAddress_s: string, recipientAddress_s: string, messageId_s: string) [];
+ let MimecastTTPAttachment = view() {
+ union isfuzzy=true dummy_table,
+ Ttp_Attachment_CL
+ | summarize arg_max(TimeGenerated, *) by senderAddress_s, recipientAddress_s, messageId_s
+ | extend ["Time Generated"] = column_ifexists('TimeGenerated', ''),
+ ["Type"] = column_ifexists('Type', ''),
+ ["Mimecast Event ID"] = 'ttp_attachment',
+ ["Mimecast Event Category"] = 'ttp_attachment',
+ ["Action Triggered"] = column_ifexists('actionTriggered_s', ''),
+ ["Event Time"] = column_ifexists('date_t', ''),
+ ["Definition"] = column_ifexists('definition_s', ''),
+ ["Details"] = column_ifexists('details_s', ''),
+ ["File Hash"] = column_ifexists('fileHash_s', ''),
+ ["File Name"] = column_ifexists('fileName_s', ''),
+ ["File Type"] = column_ifexists('fileType_s', ''),
+ ["Message ID"] = column_ifexists('messageId_s', ''),
+ ["Recipient Address"] = column_ifexists('recipientAddress_s', ''),
+ ["Result"] = column_ifexists('result_s', ''),
+ ["Route"] = column_ifexists('route_s', ''),
+ ["Sender Address"] = column_ifexists('senderAddress_s', ''),
+ ["Subject"] = column_ifexists('subject_s', '')
+ | extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(( ["Event Time"]) ) )
+ | project ["Time Generated"] , ["Type"], ["Mimecast Event ID"], ["Mimecast Event Category"], ["Action Triggered"],["Event Time"] , ["Definition"], ["Details"], ["File Hash"], ["File Name"], ["File Type"], ["Message ID"], ["Recipient Address"], ["Result"], ["Route"], ["Sender Address"], ["Subject"]
+ };
+ MimecastTTPAttachment
\ No newline at end of file
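Review bot: `| summarize arg_max(TimeGenerated, *) by senderAddress_s, recipientAddress_s, messageId_s` keys the deduplication on the message rather than the attachment, so a message carrying several attachments with distinct `fileHash_s`/`fileName_s` values collapses to the single most recently ingested row and the other attachments' `["Result"]` and `["File Hash"]` values never reach the parser output or any rule built on it. Add the attachment identity to the key, e.g. `by senderAddress_s, recipientAddress_s, messageId_s, fileHash_s, fileName_s`, and declare those two columns in `dummy_table` so the key resolves on an empty table. Mimecast_TTP_Url has a related reduction: its key includes `url_s` but not `date_t`, so repeated clicks on the same URL by the same user are reduced to the latest one — if that is intended, it deserves a comment in the query.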
diff --git a/Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Impersonation.yaml b/Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Impersonation.yaml
new file mode 100644
index 00000000000..74fd392914d
--- /dev/null
+++ b/Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Impersonation.yaml
@@ -0,0 +1,37 @@
+id: 50371940-df79-4db6-8bd9-267379ae0e31
+Function:
+ Title: Parser for Mimecast TTP Impersonation
+ Version: "1.0.0"
+ LastUpdated: "2024-07-15"
+Category: Microsoft Sentinel Parser
+FunctionName: MimecastTTPImpersonation
+FunctionAlias: MimecastTTPImpersonation
+FunctionQuery: |
+ let dummy_table = datatable(TimeGenerated: datetime, id_s: string) [];
+ let MimecastTTPImpersonation = view() {
+ union isfuzzy=true dummy_table,
+ Ttp_Impersonation_CL
+ | summarize arg_max(TimeGenerated, *) by id_s
+ | extend
+ ["Time Generated"] = column_ifexists('TimeGenerated', ''),
+ ["Type"] = column_ifexists('Type', ''),
+ ["Mimecast Event ID"] = 'ttp_impersonation',
+ ["Mimecast Event Category"] = 'ttp_impersonation',
+ ["Action"] = column_ifexists('action_s',''),
+ ["Definition"] = column_ifexists('definition_s',''),
+ ["Event Time"] = column_ifexists('eventTime_t',''),
+ ["Hits"] = column_ifexists('hits_d',''),
+ ["ID"] = column_ifexists('id_s',''),
+ ["Identifiers"] = column_ifexists('identifiers_s',''),
+ ["Impersonation Results"] = column_ifexists('impersonationResults_s',''),
+ ["Message ID"] = column_ifexists('messageId_s',''),
+ ["Recipient Address"] = column_ifexists('recipientAddress_s',''),
+ ["Sender Address"] = column_ifexists('senderAddress_s',''),
+ ["Sender IP Address"] = column_ifexists('senderIpAddress_s',''),
+ ["Subject"] = column_ifexists('subject_s',''),
+ ["Tagged External"] = column_ifexists('taggedExternal_b',''),
+ ["Tagged Malicious"] = column_ifexists('taggedMalicious_b','')
+ | extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(( ["Event Time"]) ) )
+ | project ["Time Generated"], ["ID"], ["Mimecast Event ID"], ["Mimecast Event Category"], ["Action"], ["Definition"], ["Event Time"], ["Hits"], ["Identifiers"], ["Impersonation Results"], ["Message ID"], ["Recipient Address"], ["Sender Address"], ["Sender IP Address"], ["Subject"], ["Tagged External"], ["Tagged Malicious"], ["Type"]
+ };
+ MimecastTTPImpersonation
\ No newline at end of file
diff --git a/Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Url.yaml b/Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Url.yaml
new file mode 100644
index 00000000000..1b67774e54c
--- /dev/null
+++ b/Solutions/Mimecast/Parsers/MimecastTTP/Mimecast_TTP_Url.yaml
@@ -0,0 +1,99 @@ +id: 275bacf7-edef-4436-9e5c-beee419aeb1a +Function: + Title: Parser for Mimecast TTP URL + Version: "1.0.0" + LastUpdated: "2024-07-15" +Category: Microsoft Sentinel Parser +FunctionName: MimecastTTPUrl +FunctionAlias: MimecastTTPUrl +FunctionQuery: | + let dummy_table = datatable(TimeGenerated: datetime, userEmailAddress_s: string, fromUserEmailAddress_s: string, messageId_s: string, sendingIp_s: string, url_s: string) []; + let MimecastTTPUrl = view() { + union isfuzzy=true dummy_table, + Ttp_Url_CL + | summarize arg_max(TimeGenerated, *) by userEmailAddress_s,fromUserEmailAddress_s, sendingIp_s, messageId_s, url_s + | extend + ["Category"] = column_ifexists('Category', ''), + ["Time Generated"] = column_ifexists('TimeGenerated', ''), + ["Type"] = column_ifexists('Type', ''), + ["Tag Map Dangerous File Ext Content Check Dangerous Mimetypes Url File Download"] = column_ifexists('tagMap_DangerousFileExt_ContentCheck_DangerousMimetypesUrlFileDownload_s', ''), + ["Tag Map Dangerous File Ext Content Check Dangerous Exts Url File Download"] = column_ifexists('tagMap_DangerousFileExt_ContentCheck_DangerousExtsUrlFileDownload_s', ''), + ["Tag Map Advanced Phishing Credential Theft Evidence"] = column_ifexists('tagMap_AdvancedPhishing_CredentialTheftEvidence_s', ''), + ["Tag Map Advanced Phishing Credential Theft Tags"] = column_ifexists('tagMap_AdvancedPhishing_CredentialTheftTags_s', ''), + ["Mimecast Event ID"] = 'ttp_url', + ["Mimecast Event Category"] = 'ttp_url', + ["Advanced Phishing Result Credential Theft Brands"] = column_ifexists('advancedPhishingResult_CredentialTheftBrands_s', ''), + ["Advanced Phishing Result Credential Theft Evidence"] = column_ifexists('advancedPhishingResult_CredentialTheftEvidence_s', ''), + ["Advanced Phishing Result Credential Theft Tags"] = column_ifexists('advancedPhishingResult_CredentialTheftTags_s', ''), + ["Tag Map Url Reputation Scan Type"] = column_ifexists('tagMap_UrlReputationScan_Type_s', ''), + ["Tag Map 
Url Reputation Scan Url"] = column_ifexists('tagMap_UrlReputationScan_Url_s', ''), + ["Tag Map Dangerous File Ext Inspect File Exts"] = column_ifexists('tagMap_DangerousFileExt_Inspect_FileExts_s', ''), + ["Tag Map Dangerous File Ext Inspect Mime Types"] = column_ifexists('tagMap_DangerousFileExt_Inspect_MimeTypes_s', ''), + ["Tag Map Dangerous File Ext Content Check Content Scanners Blocked"] = column_ifexists('tagMap_DangerousFileExt_ContentCheck_ContentScannersBlocked_s', ''), + ["User Email Address"] = column_ifexists('userEmailAddress_s', ''), + ["From User Email Address"] = column_ifexists('fromUserEmailAddress_s', ''), + ["Url"] = column_ifexists('url_s', ''), + ["Ttp Definition"] = column_ifexists('ttpDefinition_s', ''), + ["Subject"] = column_ifexists('subject_s', ''), + ["Action"] = column_ifexists('action_s', ''), + ["Admin Override"] = column_ifexists('adminOverride_s', ''), + ["User Override"] = column_ifexists('userOverride_s', ''), + ["Scan Result"] = column_ifexists('scanResult_s', ''), + ["Sending IP"] = column_ifexists('sendingIp_s', ''), + ["User Awareness Action"] = column_ifexists('userAwarenessAction_s', ''), + ['Event Time'] = column_ifexists('date_t', ''), + ["Actions"] = column_ifexists('actions_s', ''), + ["Route"] = column_ifexists('route_s', ''), + ["Creation Method"] = column_ifexists('creationMethod_s', ''), + ["Email Parts Description"] = column_ifexists('emailPartsDescription_s', ''), + ["Message ID"] = column_ifexists('messageId_s', ''), + ["Tag Map Url Reputation Scan Url Block"] = column_ifexists('tagMap_UrlReputationScan_UrlBlock_s', ''), + ["Tag Map Customer Managed Urls Managed Url Entry"] = column_ifexists('tagMap_CustomerManagedUrls_ManagedUrlEntry_s', ''), + ["Tag Map Customer Managed Urls Blocklisted"] = column_ifexists('tagMap_CustomerManagedUrls_Blocklisted_s', ''), + ["Tag Map Av Scanning Content Check Av Signature Name"] = column_ifexists('tagMap_AvScanning_ContentCheck_AvSignatureName_s', ''), + ["Tag Map Av Scanning 
Scanner Info Category Trigger"] = column_ifexists('tagMap_AvScanning_ScannerInfo_CategoryTrigger_s', ''), + ["Tag Map Av Scanning Content Check Av Signature File Exts"] = column_ifexists('tagMap_AvScanning_ContentCheck_AvSignatureFileExts_s', ''), + ["Tag Map Av Scanning Content Check Url File Download Filename"] = column_ifexists('tagMap_AvScanning_ContentCheck_UrlFileDownloadFilename_s', '') + | extend ['Event Time'] = iff( isempty( ['Event Time']) ,now() , todatetime(( ["Event Time"]) ) ) + | project ["Category"] ,["Time Generated"] , + ["Mimecast Event ID"], + ["Mimecast Event Category"], + ["User Email Address"], + ["From User Email Address"], + ["Url"], + ["Ttp Definition"], + ["Subject"], + ["Action"], + ["Admin Override"], + ["User Override"], + ["Scan Result"], + ["Sending IP"], + ["User Awareness Action"], + ['Event Time'], + ["Actions"], + ["Route"], + ["Creation Method"], + ["Email Parts Description"], + ["Message ID"], + ["Tag Map Dangerous File Ext Content Check Dangerous Mimetypes Url File Download"], + ["Tag Map Dangerous File Ext Content Check Dangerous Exts Url File Download"], + ["Tag Map Advanced Phishing Credential Theft Evidence"], + ["Tag Map Advanced Phishing Credential Theft Tags"], + ["Advanced Phishing Result Credential Theft Brands"], + ["Advanced Phishing Result Credential Theft Evidence"], + ["Advanced Phishing Result Credential Theft Tags"], + ["Tag Map Url Reputation Scan Type"], + ["Tag Map Url Reputation Scan Url"], + ["Tag Map Dangerous File Ext Inspect File Exts"], + ["Tag Map Dangerous File Ext Inspect Mime Types"], + ["Tag Map Dangerous File Ext Content Check Content Scanners Blocked"], + ["Tag Map Url Reputation Scan Url Block"], + ["Tag Map Customer Managed Urls Managed Url Entry"], + ["Tag Map Customer Managed Urls Blocklisted"], + ["Tag Map Av Scanning Content Check Av Signature Name"], + ["Tag Map Av Scanning Scanner Info Category Trigger"], + ["Tag Map Av Scanning Content Check Av Signature File Exts"], + ["Tag Map Av 
Scanning Content Check Url File Download Filename"],
+ ["Type"]
+ };
+ MimecastTTPUrl
\ No newline at end of file
diff --git a/Solutions/Mimecast/Playbooks/Mimecast Data Connector Trigger Sync/Images/Mimecast Data Connector Trigger Sync.png b/Solutions/Mimecast/Playbooks/Mimecast Data Connector Trigger Sync/Images/Mimecast Data Connector Trigger Sync.png
new file mode 100644
index 00000000000..980bba475a6
Binary files /dev/null and b/Solutions/Mimecast/Playbooks/Mimecast Data Connector Trigger Sync/Images/Mimecast Data Connector Trigger Sync.png differ
diff --git a/Solutions/Mimecast/Playbooks/Mimecast Data Connector Trigger Sync/README.md b/Solutions/Mimecast/Playbooks/Mimecast Data Connector Trigger Sync/README.md
new file mode 100644
index 00000000000..8d8bd3b6e4d
--- /dev/null
+++ b/Solutions/Mimecast/Playbooks/Mimecast Data Connector Trigger Sync/README.md
@@ -0,0 +1,39 @@
+# Mimecast Data Connectors Trigger Sync
+
+* [Summary](#Summary)
+* [Prerequisites](#Prerequisites)
+* [Deployment instructions](#Deployment-instructions)
+* [Post-Deployment instructions](#Post-Deployment-instructions)
+
+
+## Summary
+
+Playbook to sync timer trigger of all Mimecast data connectors.
+
+### Prerequisites
+
+* Users must have a below Microsoft Azure credentials:
+ * Tenant ID
+ * Client ID
+ * Client Secret
+ * Resource Group Name
+ * Subscription ID
+
+### Deployment instructions
+
+1. To deploy the Playbook, click the Deploy to Azure button. This will launch the ARM Template deployment wizard.
+2. Fill in the required parameters:
+ * Subscription : Select Subscription in which you want to deploy the Logic App.
+ * Resource Group: Select Resource Group name in which you want to deploy the Logic App.
+ * Playbook Name: Enter the playbook name
+ * Tenant ID : Enter the Azure Tenant ID.
+ * Client ID : Enter the Azure Client ID.
+ * Client Secret : Enter the Azure Client Secret.
+ * Resource Group Name : Enter the Azure Resource Group Name in which your Mimecast data connectors are available.
+ * Subscription ID : Enter the Azure Subscription ID in which your Mimecast data connectors are available.
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FMehul-web%2FMimecast_Maintemplate%2Fmain%2FPlaybooks%2FMimecast%2520Data%2520Connector%2520Trigger%2520Sync%2Fazuredeploy.json) [![Deploy to Azure](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FMehul-web%2FMimecast_Maintemplate%2Fmain%2FPlaybooks%2FMimecast%2520Data%2520Connector%2520Trigger%2520Sync%2Fazuredeploy.json)
+
+### Post-Deployment instructions
+
+a. Run the playbook to sync timer trigger of all Mimecast Data connectors
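Review bot: Both Deploy to Azure buttons load the ARM template from `raw.githubusercontent.com/Mehul-web/Mimecast_Maintemplate/main/...`, a personal repository's `main` branch, rather than from the `azuredeploy.json` added next to this README; whoever clicks the button deploys whatever that repository serves at that moment, supplying a Tenant ID, Client ID and Client Secret to it, and nothing reviewed in this pull request constrains that content. Point both links at the copy of `azuredeploy.json` in this repository so the deployed template is the reviewed one. The second button is labelled `Deploy to Azure` but uses the `deploytoazuregovbutton` image; `Deploy to Azure Gov` would match the image.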
diff --git a/Solutions/Mimecast/Playbooks/Mimecast Data Connector Trigger Sync/azuredeploy.json b/Solutions/Mimecast/Playbooks/Mimecast Data Connector Trigger Sync/azuredeploy.json
new file mode 100644
index 00000000000..c80fc4d022c
--- /dev/null
+++ b/Solutions/Mimecast/Playbooks/Mimecast Data Connector Trigger Sync/azuredeploy.json
@@ -0,0 +1,688 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Mimecast-Data-Connector-Trigger-Sync", + "description": "Playbook to sync timer trigger of all Mimecast data connectors.", + "prerequisites": [ + "Users must have a below Microsoft credentials:", + "1.Tenant ID", + "2.Client ID", + "3.Client Secret", + "4.Resource Group Name", + "5.Subscription ID" + ], + "postDeployment": [ "Run the playbook to sync timer trigger of all Mimecast data connectors." ], + "entities": [], + "tags": [ + "Mimecast", + "Sync", + "Timer", + "Trigger" + ], + "support": { + "tier": "community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Mimecast" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Mimecast-Data-Connector-Trigger-Sync", + "type": "string" + }, + "Client ID": { + "type": "String", + "metadata": { + "description": "Enter the Azure Client ID" + } + }, + "Client Secret": { + "type": "SecureString", + "metadata": { + "description": "Enter the Azure Client Secret" + } + }, + "Resource Group": { + "type": "String", + "metadata": { + "description": "Enter the Azure Resource Group Name in which your Mimecast data connectors are available" + } + }, + "Subscription ID": { + "type": "SecureString", + "metadata": { + "description": "Enter the Azure Subscription ID in which your Mimecast data connectors are available, make sure that the subscription id is as per the Azure portal at all places" + } + }, + "Tenant ID": { + "type": "SecureString", + "metadata": { + "description": "Enter the Azure Tenant ID" + } + } + }, + "variables": { + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Client ID": { + "defaultValue": "[trim(parameters('Client ID'))]", + "type": "String" + }, + "Client Secret": { + "defaultValue": "[trim(parameters('Client Secret'))]", + "type": "SecureString" + }, + "Resource Group": { + "defaultValue": "[trim(parameters('Resource Group'))]", + "type": "String" + }, + "Subscription ID": { + "defaultValue": "[trim(parameters('Subscription ID'))]", + "type": "SecureString" + }, + "Tenant ID": { + "defaultValue": "[trim(parameters('Tenant ID'))]", + "type": "SecureString" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": { + } + } + }, + "actions": { + "For_each_app": { + "foreach": "@body('Get_all_Mimecast_Function_apps')", + "actions": { + "Sync_timer_trigger_request": { + "runAfter": { + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{body('Parse_Auth_token')?['access_token']} " + }, + "method": "POST", + "uri": "https://@{variables('Manage')}.azure.com/subscriptions/@{variables('Subscription Id')}/resourceGroups/@{variables('Resource Group Name')}/providers/Microsoft.Web/sites/@{items('For_each_app')?['name']}/syncfunctiontriggers?api-version=2022-03-01" + } + } + }, + "runAfter": { + "Get_all_Mimecast_Function_apps": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Auth_token": { + "runAfter": { + "Initialize_Management_variable": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": "client_id=@{variables('Client Id')}\u0026\nclient_secret=@{variables('Client Secret')}\u0026\ngrant_type=client_credentials\u0026\nscope=https://@{variables('Manage')}.azure.com/.default", + "headers": { + "Content-Type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "uri": "https://login.@{variables('MicrosoftOnline')}.com/@{variables('Tenant Id')}/oauth2/v2.0/token" + } + }, + 
"Get_all_Mimecast_Function_apps": { + "runAfter": { + "Get_all_running_function_app": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Get_all_running_function_app')", + "where": "@or(startsWith(item()?['name'], 'Mimecast'))" + } + }, + "Get_all_running_function_app": { + "runAfter": { + "Parse_function_app_list": [ + "Succeeded" + ] + }, + "type": "Query", + "inputs": { + "from": "@body('Parse_function_app_list')?['value']", + "where": "@equals(item()?['properties']?['state'], 'Running')" + } + }, + "Get_function_app_list": { + "runAfter": { + "Parse_Auth_token": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "headers": { + "Authorization": "Bearer @{body('Parse_Auth_token')?['access_token']} " + }, + "method": "GET", + "uri": "https://@{variables('Manage')}.azure.com/subscriptions/@{variables('Subscription Id')}/resourceGroups/@{variables('Resource Group Name')}/providers/Microsoft.Web/sites?api-version=2022-03-01" + } + }, + "Initialize_Client_Id": { + "runAfter": { + "Initialize_Tenant_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Client Id", + "type": "string", + "value": "@parameters('Client ID')" + } + ] + } + }, + "Initialize_Client_Secret": { + "runAfter": { + "Initialize_Client_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Client Secret", + "type": "string", + "value": "@parameters('Client Secret')" + } + ] + } + }, + "Initialize_Management_variable": { + "runAfter": { + "Initialize_Microsoftonline_variable": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Manage", + "type": "string", + "value": "management" + } + ] + } + }, + "Initialize_Microsoftonline_variable": { + "runAfter": { + "Subscription_Id": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "MicrosoftOnline", + "type": "string", 
+ "value": "microsoftonline" + } + ] + } + }, + "Initialize_Resource_Group": { + "runAfter": { + "Initialize_Client_Secret": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Resource Group Name", + "type": "string", + "value": "@parameters('Resource Group')" + } + ] + } + }, + "Initialize_Tenant_Id": { + "runAfter": { + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Tenant Id", + "type": "string", + "value": "@parameters('Tenant ID')" + } + ] + } + }, + "Parse_Auth_token": { + "runAfter": { + "Get_Auth_token": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_Auth_token')", + "schema": { + "properties": { + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + }, + "ext_expires_in": { + "type": "integer" + }, + "token_type": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "Parse_function_app_list": { + "runAfter": { + "Get_function_app_list": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('Get_function_app_list')", + "schema": { + "properties": { + "value": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "identity": { + "properties": { + "principalId": { + "type": "string" + }, + "tenantId": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "kind": { + "type": "string" + }, + "location": { + "type": "string" + }, + "name": { + "type": "string" + }, + "properties": { + "properties": { + "adminEnabled": { + "type": "boolean" + }, + "afdEnabled": { + "type": "boolean" + }, + "availabilityState": { + "type": "string" + }, + "clientAffinityEnabled": { + "type": "boolean" + }, + "clientCertEnabled": { + "type": "boolean" + }, + "clientCertMode": { + "type": "string" + }, + "containerSize": { + "type": "integer" + }, + "contentAvailabilityState": { + "type": "string" + }, + "csrs": { + "type": "array" + }, + 
"customDomainVerificationId": { + "type": "string" + }, + "dailyMemoryTimeQuota": { + "type": "integer" + }, + "defaultHostName": { + "type": "string" + }, + "defaultHostNameScope": { + "type": "string" + }, + "deploymentId": { + "type": "string" + }, + "dnsConfiguration": { + "type": "object" + }, + "eligibleLogCategories": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "enabledHostNames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "endToEndEncryptionEnabled": { + "type": "boolean" + }, + "ftpUsername": { + "type": "string" + }, + "ftpsHostName": { + "type": "string" + }, + "functionsRuntimeAdminIsolationEnabled": { + "type": "boolean" + }, + "homeStamp": { + "type": "string" + }, + "hostNameSslStates": { + "items": { + "properties": { + "hostType": { + "type": "string" + }, + "ipBasedSslState": { + "type": "string" + }, + "name": { + "type": "string" + }, + "sslState": { + "type": "string" + } + }, + "required": [ + "name", + "sslState", + "ipBasedSslResult", + "virtualIP", + "virtualIPv6", + "thumbprint", + "certificateResourceId", + "toUpdate", + "toUpdateIpBasedSsl", + "ipBasedSslState", + "hostType" + ], + "type": "object" + }, + "type": "array" + }, + "hostNames": { + "items": { + "type": "string" + }, + "type": "array" + }, + "hostNamesDisabled": { + "type": "boolean" + }, + "httpsOnly": { + "type": "boolean" + }, + "hyperV": { + "type": "boolean" + }, + "inboundIpAddress": { + "type": "string" + }, + "ipMode": { + "type": "string" + }, + "isXenon": { + "type": "boolean" + }, + "keyVaultReferenceIdentity": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "lastModifiedTimeUtc": { + "type": "string" + }, + "name": { + "type": "string" + }, + "outboundIpAddresses": { + "type": "string" + }, + "possibleInboundIpAddresses": { + "type": "string" + }, + "possibleOutboundIpAddresses": { + "type": "string" + }, + "redundancyMode": { + "type": "string" + }, + "repositorySiteName": { + "type": "string" + }, + 
"reserved": { + "type": "boolean" + }, + "resourceGroup": { + "type": "string" + }, + "runtimeAvailabilityState": { + "type": "string" + }, + "scmSiteAlsoStopped": { + "type": "boolean" + }, + "secretsCollection": { + "type": "array" + }, + "selfLink": { + "type": "string" + }, + "serverFarmId": { + "type": "string" + }, + "siteConfig": { + "properties": { + "acrUseManagedIdentityCreds": { + "type": "boolean" + }, + "alwaysOn": { + "type": "boolean" + }, + "functionAppScaleLimit": { + "type": "integer" + }, + "http20Enabled": { + "type": "boolean" + }, + "linuxFxVersion": { + "type": "string" + }, + "minimumElasticInstanceCount": { + "type": "integer" + }, + "numberOfWorkers": { + "type": "integer" + } + }, + "type": "object" + }, + "siteDisabledReason": { + "type": "integer" + }, + "siteProperties": { + "properties": { + "properties": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": [ + "string", + "null" + ] + } + }, + "required": [ + "name", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "sku": { + "type": "string" + }, + "state": { + "type": "string" + }, + "storageAccountRequired": { + "type": "boolean" + }, + "storageRecoveryDefaultState": { + "type": "string" + }, + "usageState": { + "type": "string" + }, + "vnetBackupRestoreEnabled": { + "type": "boolean" + }, + "vnetContentShareEnabled": { + "type": "boolean" + }, + "vnetImagePullEnabled": { + "type": "boolean" + }, + "vnetRouteAllEnabled": { + "type": "boolean" + }, + "webSpace": { + "type": "string" + } + }, + "type": "object" + }, + "tags": { + "properties": { + "Jira": { + "type": "string" + } + }, + "type": "object" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type", + "kind", + "location", + "properties" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + } + }, + "Subscription_Id": { + "runAfter": { + "Initialize_Resource_Group": [ + "Succeeded" + 
] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "Subscription Id", + "type": "string", + "value": "@parameters('Subscription ID')" + } + ] + } + } + }, + "outputs": { + } + }, + "parameters": { + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Mimecast-Data-Connector-Trigger-Sync", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + ] + } + ] +} diff --git a/Solutions/Mimecast/ReleaseNotes.md b/Solutions/Mimecast/ReleaseNotes.md new file mode 100644 index 00000000000..d5b5f748d35 --- /dev/null +++ b/Solutions/Mimecast/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified** | **Change History** | +|---------------|--------------------------------|------------------------------------------------------------------------| +| 3.0.0 | 09-09-2024 | Initial Solution Release | diff --git a/Solutions/Mimecast/SolutionMetadata.json b/Solutions/Mimecast/SolutionMetadata.json new file mode 100644 index 00000000000..e66cb668115 --- /dev/null +++ b/Solutions/Mimecast/SolutionMetadata.json @@ -0,0 +1,20 @@ +{ + "publisherId": "mimecastnorthamerica1584469118674", + "offerId": "azure-sentinel-solution-mimecast", + "firstPublishDate": "2024-09-10", + "lastPublishDate": "2024-09-10", + "providers": [ + "Mimecast" + ], + "categories": { + "domains": [ + "Security - Network" + ] + }, + "support": { + "name": "Mimecast", + "email": "support@mimecast.com", + "tier": "Partner", + "link": "https://community.mimecast.com/s/contactsupport" + } +} \ No newline at end of file 
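Review bot: `Get_Auth_token` posts the client secret in a plain form body and `Initialize_Client_Secret` copies it into a plain `string` variable, and no action in this definition sets `runtimeConfiguration.secureData`, so the secret and the bearer token returned by `Parse_Auth_token` are written verbatim into the run history of every execution, readable by anyone who can view the workflow's runs. The template already provisions `"identity": { "type": "SystemAssigned" }` but never uses it, so the cleaner fix is to drop the secret-based flow: in `Get_function_app_list` and `Sync_timer_trigger_request` replace the `Authorization` header with `"authentication": { "type": "ManagedServiceIdentity", "audience": "https://management.azure.com/" }`, remove `Get_Auth_token`, `Parse_Auth_token` and the `Client ID`/`Client Secret`/`Tenant ID` parameters, and document in the post-deployment steps that the identity needs a role on the target resource group that allows listing sites and calling `syncfunctiontriggers` (Website Contributor should suffice; confirm). If the secret flow has to stay for now, at minimum add `"runtimeConfiguration": { "secureData": { "properties": [ "inputs", "outputs" ] } }` to `Get_Auth_token`, `Parse_Auth_token`, `Initialize_Client_Secret` and both ARM HTTP actions. Separately, the `manual` Request trigger has no schema and the workflow sets no `accessControl`, so anyone holding the callback URL can run it against the subscription; a `Recurrence` trigger or `accessControl.triggers.allowedCallerIpAddresses` would close that. Note also that the README added in this PR points the Deploy-to-Azure buttons at a personal fork (`Mehul-web/Mimecast_Maintemplate` at `main`) rather than this repository, so whoever controls that fork controls what is deployed; it should reference the Azure-Sentinel master path of this file.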
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Audit/MimecastAuditBlack.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Audit/MimecastAuditBlack.png
new file mode 100644
index 00000000000..fe717922414
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Audit/MimecastAuditBlack.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Audit/MimecastAuditWhite.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Audit/MimecastAuditWhite.png
new file mode 100644
index 00000000000..2ac81e15b34
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Audit/MimecastAuditWhite.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingBlack1.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingBlack1.png
new file mode 100644
index 00000000000..991b4b0b48f
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingBlack1.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingBlack2.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingBlack2.png
new file mode 100644
index 00000000000..a9d73534263
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingBlack2.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingBlack3.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingBlack3.png
new file mode 100644
index 00000000000..6226cd6225f
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingBlack3.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingWhite1.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingWhite1.png
new file mode 100644
index 00000000000..3959d1371b5
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingWhite1.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingWhite2.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingWhite2.png
new file mode 100644
index 00000000000..6c930402ef3
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingWhite2.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingWhite3.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingWhite3.png
new file mode 100644
index 00000000000..423c5b9803d
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Awareness Training/MimecastAwarenessTrainingWhite3.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Cloud Integrated/MimecastCIBlack.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Cloud Integrated/MimecastCIBlack.png
new file mode 100644
index 00000000000..9ab15cf8ca7
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Cloud Integrated/MimecastCIBlack.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Cloud Integrated/MimecastCIWhite.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Cloud Integrated/MimecastCIWhite.png
new file mode 100644
index 00000000000..5902bc28a5e
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Cloud Integrated/MimecastCIWhite.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastDLPBlack.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastDLPBlack.png
new file mode 100644
index 00000000000..33b64e2bb60
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastDLPBlack.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastDLPWhite.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastDLPWhite.png
new file mode 100644
index 00000000000..1e663d3a202
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastDLPWhite.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack1.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack1.png
new file mode 100644
index 00000000000..f871843278c
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack1.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack2.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack2.png
new file mode 100644
index 00000000000..f00c01b5748
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack2.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack3.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack3.png
new file mode 100644
index 00000000000..bf305b4b827
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack3.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack4.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack4.png
new file mode 100644
index 00000000000..2ba78c995fd
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack4.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack5.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack5.png
new file mode 100644
index 00000000000..cf34b291dc4
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack5.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack6.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack6.png
new file mode 100644
index 00000000000..5550cc6b0a5
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack6.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack7.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack7.png
new file mode 100644
index 00000000000..c5357120cce
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack7.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack8.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack8.png
new file mode 100644
index 00000000000..2656cd47933
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGBlack8.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite1.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite1.png
new file mode 100644
index 00000000000..f824bcce67f
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite1.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite2.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite2.png
new file mode 100644
index 00000000000..eb480b25baa
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite2.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite3.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite3.png
new file mode 100644
index 00000000000..49c121949ca
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite3.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite4.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite4.png
new file mode 100644
index 00000000000..1e52508f9e6
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite4.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite5.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite5.png
new file mode 100644
index 00000000000..d5c24b438cd
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite5.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite6.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite6.png
new file mode 100644
index 00000000000..ce78941098a
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite6.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite7.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite7.png
new file mode 100644
index 00000000000..ad4158c2544
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite7.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite8.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite8.png
new file mode 100644
index 00000000000..c3e0a356b4e
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Secure Email Gateway/MimecastSEGWhite8.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPBlack1.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPBlack1.png
new file mode 100644
index 00000000000..57a919e0284
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPBlack1.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPBlack2.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPBlack2.png
new file mode 100644
index 00000000000..ec81ea65bd9
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPBlack2.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPBlack3.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPBlack3.png
new file mode 100644
index 00000000000..66d1ac6b40f
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPBlack3.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPWhite1.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPWhite1.png
new file mode 100644
index 00000000000..c1608ef8157
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPWhite1.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPWhite2.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPWhite2.png
new file mode 100644
index 00000000000..ec2673fb528
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPWhite2.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPWhite3.png b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPWhite3.png
new file mode 100644
index 00000000000..24093f9975e
Binary files /dev/null and b/Solutions/Mimecast/Workbooks/Images/Preview/Mimecast Targeted Threat Protection/MimecastTTPWhite3.png differ
diff --git a/Solutions/Mimecast/Workbooks/Images/Preview/README.md b/Solutions/Mimecast/Workbooks/Images/Preview/README.md
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/Solutions/Mimecast/Workbooks/Mimecast_Audit_Workbook.json b/Solutions/Mimecast/Workbooks/Mimecast_Audit_Workbook.json
new file mode 100644
index 00000000000..9479df4da51
--- /dev/null
+++ b/Solutions/Mimecast/Workbooks/Mimecast_Audit_Workbook.json
@@ -0,0 +1,578 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "82fedb33-961a-4199-a5ab-16340948ed10", + "version": "KqlParameterItem/1.0", + "name": "time_range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 1209600000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Category\n", + "size": 0, + "showAnalytics": true, + "title": "Audit & Authentication Events by Category", + "timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "tileSettings": { + "titleContent": { + "columnMatch": "auditType_s", + "formatter": 1 + }, + "subtitleContent": { + "columnMatch": "count_" + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": 
true, + "sortCriteriaField": "auditType_s", + "size": "auto" + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "auditType_s", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "chartSettings": { + "group": "Category", + "createOtherGroup": 10, + "seriesLabelSettings": [ + { + "seriesName": "reporting_logs", + "label": "Reporting " + }, + { + "seriesName": "authentication_logs", + "label": "Authentication" + }, + { + "seriesName": "case_review_logs", + "label": "Case Review" + }, + { + "seriesName": "account_logs", + "label": "Account" + }, + { + "seriesName": "profile_group_logs", + "label": "Profile Group" + }, + { + "seriesName": "user_account_and_role_logs", + "label": "User Account and Roles" + }, + { + "seriesName": "mimecast_access_logs", + "label": "Mimecast Acess" + }, + { + "seriesName": "archive_service_logs", + "label": "Archive Service" + }, + { + "seriesName": "policy_logs", + "label": "Policy " + }, + { + "seriesName": "awareness_training_logs", + "label": "Awareness Training" + }, + { + "seriesName": "secure_messaging_logs", + "label": "Secure Messaging" + }, + { + "seriesName": "integrations_and_apis", + "label": "Integrations and API's" + } + ] + } + }, + "name": "query - 18", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| summarize count() by ['Audit Type'] ", + "size": 3, + "showAnalytics": true, + "title": "Audit Events by Type", + "timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + 
"chartSettings": { + "group": "Audit Type", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 15", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| where Category == \"account_logs\"\n| summarize count() by ['Audit Type']", + "size": 3, + "showAnalytics": true, + "title": "Account Events", + "timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Audit Type", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 4", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| where Category == \"authentication_logs\"\n| summarize count() by ['Audit Type']\n", + "size": 3, + "showAnalytics": true, + "title": "Authentication Events", + "timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Audit Type", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 6", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| where Category == \"mimecast_access_logs\"\n| summarize count() by ['Audit Type']", + "size": 3, + "showAnalytics": true, + "title": "Mimecast Support Access Events", + "timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Audit Type", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 8", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| where Category == \"archive_service_logs\"\n| summarize count() by ['Audit Type']", + "size": 3, + "showAnalytics": true, + "title": "Archive Service Events", + "timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Audit Type", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 10", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| where Category == \"user_account_and_role_logs\"\n| summarize count() by ['Audit Type']", + "size": 3, + "showAnalytics": true, + "title": "User Account and Role Events", + "timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Audit Type", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 12", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| where Category == \"policy_logs\"\n| summarize count() by ['Audit Type']", + "size": 3, + "showAnalytics": true, + "title": "Policy Events", + 
"timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Audit Type", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 14", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| where ['Audit Type'] == \"User Logged On\" and Application !=\"\"\n| summarize count() by Application", + "size": 3, + "showAnalytics": true, + "title": "Successful Logins by Application", + "timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Application", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 8", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| where ['Source IP'] !=\"unknown\" and ['Audit Type'] == \"User Logged On\"\n| summarize count() by User, Application, ['Source IP'] , [\"Event Time\"] ", + "size": 0, + "showAnalytics": true, + "title": "Successful Logins by User, App and Source IP", + "timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "labelSettings": [ + { + "columnId": "count_", + "label": "Successful Logins" + } + ] + }, + 
"tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "user_s", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "user_s", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "count_", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "chartSettings": { + "createOtherGroup": 0 + }, + "mapSettings": { + "locInfo": "AzureResource", + "locInfoColumn": "src_s", + "sizeAggregation": "Count", + "legendMetric": "count_", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "count_", + "colorAggregation": "Sum", + "type": "thresholds", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "blue" + } + ] + } + } + }, + "name": "query - 12", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastAudit\n| where ['Source IP'] !=\"unknown\" and ['Audit Type'] == \"Logon Authentication Failed\"\n| summarize [\"Failed Login\"] = count() by User, Application, ['Source IP'], ['Event Time']", + "size": 0, + "showAnalytics": true, + "title": "Failed Logins by User, App and Source IP", + "timeContextFromParameter": "time_range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true, + "sortBy": [ + { + "itemKey": "User", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "User", + "sortOrder": 1 + } + ] + }, + "name": "query - 14", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + } + 
] + }, + "name": "group - 5" + }, + { + "type": 1, + "content": { + "json": "#### 📝***Refresh the web page to fetch details of recently collected events***\r\n" + }, + "name": "text - 4" + } + ] + }, + "name": "group - 9" + } + ], + "fromTemplateId": "Sentinel-Mimecast-Audit-Workbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/Mimecast/Workbooks/Mimecast_Awareness_Training_Workbook.json b/Solutions/Mimecast/Workbooks/Mimecast_Awareness_Training_Workbook.json new file mode 100644 index 00000000000..3e6eed05ae1 --- /dev/null +++ b/Solutions/Mimecast/Workbooks/Mimecast_Awareness_Training_Workbook.json 
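Review bot: Both login tables in this hunk summarize by the raw `['Event Time']` column (`summarize count() by User, Application, ['Source IP'], ["Event Time"]` and the `["Failed Login"] = count()` variant), and since that column is a per-event datetime (the first panel uses it as a `make-series` time axis) each row carries a count of 1 unless several events share an identical timestamp, so the "Successful Logins"/"Failed Login" columns never actually aggregate; group on `bin(['Event Time'], 1h)` or drop the column to get per-user/IP counts. The same two queries also filter `['Source IP'] != "unknown"`, which silently removes failed-logon events that lack a source address from the "Failed Logins" view — for an authentication-audit panel those events should remain visible (let the column show "unknown") so the failure count is not understated. Within the same group two items are both named `query - 8`, which the workbook editor normally flags as a duplicate step name, so one should be renamed. Minor: the series label `"Mimecast Acess"` is a typo for "Mimecast Access", and the `tileSettings`/`graphSettings` column matches (`auditType_s`, `user_s`, `src_s`) reference columns that none of the queries project, so they are dead configuration.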
@@ -0,0 +1,1216 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "6c07c649-3f3c-4383-ac47-32494f912d63", + "cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "Human Risk Overview", + "subTarget": "HumanRisk", + "style": "link" + }, + { + "id": "5884fe55-37eb-4fb0-8835-61de095259ed", + "cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "Awareness Training", + "subTarget": "AwarenessTraining", + "style": "link" + }, + { + "id": "d69c5034-e10a-4d89-b776-dede3e65da34", + "cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "Phishing Training", + "subTarget": "PhishingTraining", + "style": "link" + } + ] + }, + "name": "links - 5" + }, + { + "type": 1, + "content": { + "json": "\r\n\r\n---" + }, + "name": "text - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "568f52ad-774c-4bf2-84e2-b0b7d5610797", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + }, + { + "id": "0f645fbe-75ca-4eff-a2ed-c25bacdedfc7", + "version": "KqlParameterItem/1.0", + "name": "Email", + 
"type": 1, + "query": "print tostring('*')", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0 - Copy" + }, + { + "type": 1, + "content": { + "json": "### Watchlist Panels\r\n\r\n----" + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessWatchlist\r\n| where ('{Email}' == \"*\" or Email == '{Email}') and isnotempty(Email)\r\n| summarize Count = count() by ['Watchlist Count']\r\n| project tostring(toint(['Watchlist Count'])) , Count\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Watchlist Count", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Watchlist Count", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "35", + "name": "query - 0", + "styleSettings": { + "maxWidth": "35%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessWatchlist\r\n| project Email , Name , [\"Watchlist Count\"] , ['User State'] ", + "size": 0, + "showAnalytics": true, + "title": "Watchlist Overview", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "65", + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "maxWidth": "65%", + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### Performance Panels\r\n\r\n\r\n----" + }, + "name": "text - 4" 
+ }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessPerformanceDetails\r\n| project Email , ['Num of Correct'] , ['Num of Incorrect'] , ['Num of Not Watched'] , Name , ['User Details'] , ['User State'] , Department ", + "size": 0, + "showAnalytics": true, + "title": "Performance Overview", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 4", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessPerformanceDetails\r\n| where ('{Email}' == \"*\" or Email == '{Email}') and isnotempty(Email)\r\n| summarize Count = count() by tostring( toint(['Num of Correct'])) ", + "size": 0, + "showAnalytics": true, + "title": "Correct Number by Count", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "unstackedbar", + "chartSettings": { + "group": "Num of Correct", + "createOtherGroup": null + } + }, + "customWidth": "33", + "name": "query - 1", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessPerformanceDetails\r\n| where ('{Email}' == \"*\" or Email == '{Email}') and isnotempty(Email)\r\n| summarize Count = count() by tostring( toint(['Num of Incorrect'])) \r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Incorrect Number by Count", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "33", + "name": "query - 4", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + 
"type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessPerformanceDetails\r\n| where ('{Email}' == \"*\" or Email == '{Email}') and isnotempty(Email)\r\n| sort by ['Num of Not Watched'] \r\n| summarize Count = count() by tostring( toint(['Num of Not Watched'])) \r\n", + "size": 0, + "showAnalytics": true, + "title": "Not Watched by Count", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "33", + "name": "query - 0", + "styleSettings": { + "maxWidth": "33%" + } + } + ] + }, + "name": "group - 8" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### User Stats Panels\r\n\r\n----" + }, + "name": "text - 9" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "994dee73-1b2c-43cd-b3e5-e91e6c3495ab", + "version": "KqlParameterItem/1.0", + "name": "Template_Name", + "label": "Template Name", + "type": 2, + "quote": "'", + "delimiter": ",", + "query": "AwarenessUserData\r\n| where ('{Email}' == \"*\" or Email == '{Email}') \r\n and isnotempty(Email)\r\n| where isnotempty(['Template Name'])\r\n| distinct ['Template Name']\r\n| sort by ['Template Name'] asc", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "selectAllValue": "*", + "showDefault": false + }, + "timeContext": { + "durationMs": 2419200000 + }, + "timeContextFromParameter": "Time_Range", + "defaultValue": "value::all", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessUserData\r\n| project Name , Email , 
Status, ['Template Name'] , ['Num of Campaigns Clicked'] , ['Num of Campaigns Sent'] , ['Num of Correct Answers'] , ['Num of Incorrect Answers'] , ['Num of Training Modules Assigned'] , ['User State'] , ['Clicked IP'] , ['Reaction Time'] , ['Time Clicked'] , ['Time Opened'] , ['Time Reported'] , ['Time Scheduled']", + "size": 0, + "showAnalytics": true, + "title": "User Stats Overview", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 9", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessUserData\r\n| where ('{Email}' == \"*\" or Email == '{Email}') \r\n and isnotempty(Email)\r\n and isnotempty(['Template Name'])\r\n| where ( ('{Template_Name}') == \"*\" or ['Template Name'] == ('{Template_Name}'))\r\n| summarize Count = count() by ['Num of Campaigns Sent']\r\n| project tostring(toint(['Num of Campaigns Sent'])) , Count\r\n\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Number of Campaigns Sent", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "graphSettings": { + "type": 0 + }, + "chartSettings": { + "group": "Num of Campaigns Sent", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 0", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessUserData\r\n| where ('{Email}' == \"*\" or Email == '{Email}') \r\n and isnotempty(Email)\r\n and isnotempty(['Template Name'])\r\n| where ( ('{Template_Name}') == \"*\" or ['Template Name'] == 
('{Template_Name}'))\r\n| summarize Count = count() by ['Num of Campaigns Clicked']\r\n| project tostring(toint(['Num of Campaigns Clicked'])) , Count\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Number of Campaigns Clicked", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Num of Campaigns Clicked", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 1", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessUserData\r\n| where ('{Email}' == \"*\" or Email == '{Email}') \r\n and isnotempty(Email)\r\n and isnotempty(['Template Name'])\r\n| where ( ('{Template_Name}') == \"*\" or ['Template Name'] == ('{Template_Name}'))\r\n| summarize Count = count() by ['Num of Training Modules Assigned']\r\n| project tostring(toint(['Num of Training Modules Assigned'])) , Count\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Number of Training Modules Assigned", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Num of Training Modules Assigned", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 1", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessUserData\r\n| where ('{Email}' == \"*\" or Email == '{Email}') \r\n and isnotempty(Email)\r\n and isnotempty(['Template Name'])\r\n| where ( ('{Template_Name}') == \"*\" or ['Template Name'] == ('{Template_Name}'))\r\n| summarize Count = count() by ['Num of 
Correct Answers']\r\n| project tostring(toint(['Num of Correct Answers'])) , Count\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Number of Correct Answers", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Num of Correct Answers", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 1", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessUserData\r\n| where ('{Email}' == \"*\" or Email == '{Email}') \r\n and isnotempty(Email)\r\n and isnotempty(['Template Name'])\r\n| where ( ('{Template_Name}') == \"*\" or ['Template Name'] == ('{Template_Name}'))\r\n| summarize Count = count() by ['Num of Incorrect Answers']\r\n| project tostring(toint(['Num of Incorrect Answers'])) , Count\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Number of Incorrect Answers", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Num of Incorrect Answers", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 1", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessUserData\r\n| where ('{Email}' == \"*\" or Email == '{Email}') \r\n and isnotempty(Email)\r\n and isnotempty(['Template Name'])\r\n| where ( ('{Template_Name}') == \"*\" or ['Template Name'] == ('{Template_Name}'))\r\n| where isnotempty(['Clicked IP'] )\r\n| summarize Count = count() by ['Clicked IP']\r\n| project tostring(['Clicked IP']) , Count\r\n\r\n", + 
"size": 3, + "showAnalytics": true, + "title": "Breakdown by Clicked Ip", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Clicked IP", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 1", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 1, + "content": { + "json": "#### 📝***Refresh the web page to fetch details of recently collected events***\r\n" + }, + "name": "text - 5 - Copy" + } + ] + }, + "conditionalVisibility": { + "parameterName": "setTab", + "comparison": "isEqualTo", + "value": "AwarenessTraining" + }, + "name": "group - 3", + "styleSettings": { + "padding": "10px" + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "setTab", + "comparison": "isEqualTo", + "value": "AwarenessTraining" + }, + "name": "group - 1", + "styleSettings": { + "padding": "10px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "f9053e40-ba9b-40ed-afe4-8ab6731de894", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + 
"durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + }, + { + "id": "2025c297-a05f-43e6-8af9-f24122e95e81", + "version": "KqlParameterItem/1.0", + "name": "Email", + "type": 1, + "query": "print tostring('*')", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "dafsaf", + "comparison": "isNotEqualTo" + }, + "name": "parameters - 0 - Copy" + } + ] + }, + "conditionalVisibility": { + "parameterName": "setTab", + "comparison": "isEqualTo", + "value": "AwarenessTraining" + }, + "name": "group - 4", + "styleSettings": { + "padding": "10px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "6a8902e3-d3e9-4465-9976-aaf29c1db37d", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + }, + { + "id": "316968d2-96df-4bb9-acf7-b04a018c203f", + "version": "KqlParameterItem/1.0", + "name": "Email", + "type": 1, + "query": "print tostring('*')", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0 - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessSafeScore\r\n| where ('{Email}' == \"*\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\r\n| summarize Count = count() by Risk\r\n| order by Risk desc\r\n| take 1", + "size": 3, + "title": "Highest Risk", + "timeContextFromParameter": "Time_Range", + "exportFieldName": "Risk", + "exportParameterName": "HighestRisk", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Risk", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "rightContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "min": 0, + "palette": "turquoise" + } + }, + "showBorder": false + }, + "textSettings": { + "style": "bignumber" + } + }, + "name": "query - 5" + }, + { + "type": 1, + "content": { + "json": "💡 To view Risk details, please click on above tile" + }, + "conditionalVisibility": { + "parameterName": "HighestRisk", + "comparison": "isEqualTo" + }, + "name": "text - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessSafeScore\r\n| where ('{Email}' == \"*\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\r\n|project [\"Email Address\"] , Name , Risk , [\"Human Error\"], Sentiment, Engagement , Knowledge , ['User State']\r\n| order by Risk desc\r\n", + "size": 0, + "showAnalytics": true, + "title": "Highest Risk Details", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, 
+ "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "filter": true + }, + "tileSettings": { + "titleContent": { + "columnMatch": "Risk", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "showBorder": false + }, + "textSettings": { + "style": "bignumber" + } + }, + "conditionalVisibility": { + "parameterName": "HighestRisk", + "comparison": "isNotEqualTo" + }, + "name": "query - 5 - Copy", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + } + ] + }, + "name": "group - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessSafeScore\r\n| where ('{Email}' == \"*\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\r\n| summarize Count = count() by Risk\r\n| project Risk, Count\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Risk", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Risk", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 1", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessSafeScore\r\n| where ('{Email}' == \"*\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\r\n| summarize Count = count() by ['Human Error']\r\n| project ['Human Error'], Count\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Human Error", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Human Error", + "createOtherGroup": 10, 
+ "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 1", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessSafeScore\r\n| where ('{Email}' == \"*\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\r\n| summarize Count = count() by Sentiment\r\n\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Sentiment", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Sentiment", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 2", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessSafeScore\r\n| where ('{Email}' == \"*\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\r\n| summarize Count = count() by Engagement\r\n\r\n\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Engagement", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Engagement", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 3", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessSafeScore\r\n| where ('{Email}' == \"*\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\r\n| summarize Count = count() by Knowledge\r\n\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by Knowledge", + "timeContextFromParameter": "Time_Range", + 
"showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Knowledge", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 4", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessSafeScore\r\n| where ('{Email}' == \"*\" or ['Email Address'] == '{Email}') and isnotempty(['Email Address'])\r\n| summarize Count = count() by ['User State'] \r\n\r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Breakdown by User State", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "User State", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 5", + "styleSettings": { + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessSafeScore\r\n| project [\"Email Address\"] , Name , Risk , [\"Human Error\"] , Sentiment, Engagement , Knowledge , ['User State'] ", + "size": 0, + "showAnalytics": true, + "title": "Safe Scores Overview", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 8", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "#### 📝***Refresh the web page to fetch details of recently collected events***\r\n" + }, + "name": "text - 5 - Copy - Copy" + } + ] + }, + "conditionalVisibility": { + "parameterName": "setTab", + "comparison": "isEqualTo", + 
"value": "HumanRisk" + }, + "name": "group - 3", + "styleSettings": { + "padding": "10px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "03fcf595-8dee-44c7-9d71-c09a88138a32", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + }, + { + "id": "41460584-1c2c-4af8-9aab-086bb8aff8eb", + "version": "KqlParameterItem/1.0", + "name": "Email", + "type": 1, + "query": "print tostring('*')", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0 - Copy - Copy" + }, + { + "type": 1, + "content": { + "json": "### To see an phishing training details , go to the Awareness Training tab and check the User Stats Overview panel.\r\n", + "style": "info" + }, + "name": "text - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessUserData\r\n| where ('{Email}' == \"*\" or Email == '{Email}') \r\n and isnotempty(Email)\r\n| summarize by Email, ['Template Name']\r\n| summarize Count = count() by ['Template Name']\r\n| order by 
Count desc\r\n| take 10\r\n| project ['Template Name'], Count\r\n", + "size": 0, + "showAnalytics": true, + "title": "Breakdown of Top 10 Template Names ", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "name": "query - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "AwarenessUserData\r\n| where ('{Email}' == \"*\" or Email == '{Email}') and isnotempty(Email)\r\n| where Status == \"CLICKED\"\r\n| summarize arg_max(['Reaction Time'], *) by Email, ['Template Name']\r\n| project Email, ['Reaction Time'], ['Time Clicked'] , ['Time Opened'], ['Template Name']\r\n| order by ['Reaction Time'] asc \r\n", + "size": 0, + "showAnalytics": true, + "title": "Users Clicked on Phishing data", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 7", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "#### 📝***Refresh the web page to fetch details of recently collected events***\r\n" + }, + "name": "text - 4" + } + ] + }, + "conditionalVisibility": { + "parameterName": "setTab", + "comparison": "isEqualTo", + "value": "PhishingTraining" + }, + "name": "group - 11" + } + ], + "fromTemplateId": "Sentinel-Mimecast-Awareness-Training-Workbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/Mimecast/Workbooks/Mimecast_Cloud_Integrated_Workbook.json b/Solutions/Mimecast/Workbooks/Mimecast_Cloud_Integrated_Workbook.json new file mode 100644 index 00000000000..2e4001ae3eb --- /dev/null 
+++ b/Solutions/Mimecast/Workbooks/Mimecast_Cloud_Integrated_Workbook.json 
@@ -0,0 +1,957 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "c1d5c69f-05f2-459b-a6ce-f09fe2c4c1c6", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Tags contains \"MALWARE\"\r\n| count", + "size": 3, + "showAnalytics": true, + "title": "Malware Tags Count", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportParameterName": "Malware", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + 
"name": "query - 1", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Tags contains \"PHISHING\"\r\n| count", + "size": 3, + "showAnalytics": true, + "title": "Phishing Tags Count", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportParameterName": "Phishing", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 2", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Tags contains \"UNTRUSTWORTHY\"\r\n| count", + "size": 3, + "showAnalytics": true, + "title": "Untrustworthy Tags Count", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportParameterName": "Untrustworthy", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 3", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Tags contains \"SPAM\"\r\n| count", + "size": 3, + "showAnalytics": true, + "title": "Spam Tags Count", + "timeContextFromParameter": "TimeRange", + 
"showRefreshButton": true, + "exportParameterName": "Spam", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on the tiles above to view threat details" + }, + "conditionalVisibilities": [ + { + "parameterName": "Malware", + "comparison": "isEqualTo" + }, + { + "parameterName": "Phishing", + "comparison": "isEqualTo" + }, + { + "parameterName": "Untrustworthy", + "comparison": "isEqualTo" + }, + { + "parameterName": "Spam", + "comparison": "isEqualTo" + } + ], + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Tags contains \"MALWARE\"\r\n| project-rename Sender = ['Sender Envelope']\r\n| extend Recipients = replace_string(Recipients,'\"','') \r\n| extend Recipients = replace_string(Recipients,',',', ') \r\n| extend Recipients = trim(@\"[\\[\\]]\",Recipients)\r\n| extend Tags = replace_string(Tags,'\"','') \r\n| extend Tags = replace_string(Tags,',',', ') \r\n| extend Tags = trim(@\"[\\[\\]]\",Tags)\r\n| extend Attachments = replace_string(Attachments,'\"','') \r\n| extend Attachments = replace_string(Attachments,',',', ') \r\n|extend Attachments = trim(@\"[\\[\\]]\",Attachments)\r\n| extend ['Message ID'] = trim(@\"[\\<\\>]\", ['Message ID'] )\r\n| project Sender,\r\n ['Sender IP'],\r\n Recipients,\r\n Tags,\r\n ['Policies Applied'],\r\n ['Account ID'],\r\n ['Aggregate ID'],\r\n ['Processing ID'],\r\n ['Message ID'],\r\n ['Threat State'],\r\n ['Threat Type'],\r\n ['Event Time'],\r\n Attachments,\r\n Subject,\r\n Source,\r\n Direction,\r\n ['Sender Header'],\r\n ['Historical Mail'],\r\n 
Type,\r\n Subtype\r\n ", + "size": 0, + "showAnalytics": true, + "title": "Malware Tags Details", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Malware", + "comparison": "isNotEqualTo" + }, + "name": "query - 4", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Tags contains \"PHISHING\"\r\n| project-rename Sender = ['Sender Envelope']\r\n| extend Recipients = replace_string(Recipients,'\"','') \r\n| extend Recipients = replace_string(Recipients,',',', ') \r\n| extend Recipients = trim(@\"[\\[\\]]\",Recipients)\r\n| extend Tags = replace_string(Tags,'\"','') \r\n| extend Tags = replace_string(Tags,',',', ') \r\n| extend Tags = trim(@\"[\\[\\]]\",Tags)\r\n| extend Attachments = replace_string(Attachments,'\"','') \r\n| extend Attachments = replace_string(Attachments,',',', ') \r\n|extend Attachments = trim(@\"[\\[\\]]\",Attachments)\r\n| extend ['Message ID'] = trim(@\"[\\<\\>]\", ['Message ID'] )\r\n| project Sender,\r\n ['Sender IP'],\r\n Recipients,\r\n Tags,\r\n ['Policies Applied'],\r\n ['Account ID'],\r\n ['Aggregate ID'],\r\n ['Processing ID'],\r\n ['Message ID'],\r\n ['Threat State'],\r\n ['Threat Type'],\r\n ['Event Time'],\r\n Attachments,\r\n Subject,\r\n Source,\r\n Direction,\r\n ['Sender Header'],\r\n ['Historical Mail'],\r\n Type,\r\n Subtype", + "size": 0, + "showAnalytics": true, + "title": "Phishing Tags Details", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + 
"parameterName": "Phishing", + "comparison": "isNotEqualTo" + }, + "name": "query - 6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Tags contains \"UNTRUSTWORTHY\"\r\n| project-rename Sender = ['Sender Envelope']\r\n| extend Recipients = replace_string(Recipients,'\"','') \r\n| extend Recipients = replace_string(Recipients,',',', ') \r\n| extend Recipients = trim(@\"[\\[\\]]\",Recipients)\r\n| extend Tags = replace_string(Tags,'\"','') \r\n| extend Tags = replace_string(Tags,',',', ') \r\n| extend Tags = trim(@\"[\\[\\]]\",Tags)\r\n| extend Attachments = replace_string(Attachments,'\"','') \r\n| extend Attachments = replace_string(Attachments,',',', ') \r\n|extend Attachments = trim(@\"[\\[\\]]\",Attachments)\r\n| extend ['Message ID'] = trim(@\"[\\<\\>]\", ['Message ID'] )\r\n| project Sender,\r\n ['Sender IP'],\r\n Recipients,\r\n Tags,\r\n ['Policies Applied'],\r\n ['Account ID'],\r\n ['Aggregate ID'],\r\n ['Processing ID'],\r\n ['Message ID'],\r\n ['Threat State'],\r\n ['Threat Type'],\r\n ['Event Time'],\r\n Attachments,\r\n Subject,\r\n Source,\r\n Direction,\r\n ['Sender Header'],\r\n ['Historical Mail'],\r\n Type,\r\n Subtype", + "size": 0, + "showAnalytics": true, + "title": "Untrustworthy Tags Details", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Untrustworthy", + "comparison": "isNotEqualTo" + }, + "name": "query - 7", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Tags contains \"SPAM\"\r\n| project-rename Sender = ['Sender Envelope']\r\n| extend Recipients = 
replace_string(Recipients,'\"','') \r\n| extend Recipients = replace_string(Recipients,',',', ') \r\n| extend Recipients = trim(@\"[\\[\\]]\",Recipients)\r\n| extend Tags = replace_string(Tags,'\"','') \r\n| extend Tags = replace_string(Tags,',',', ') \r\n| extend Tags = trim(@\"[\\[\\]]\",Tags)\r\n| extend Attachments = replace_string(Attachments,'\"','') \r\n| extend Attachments = replace_string(Attachments,',',', ') \r\n|extend Attachments = trim(@\"[\\[\\]]\",Attachments)\r\n| extend ['Message ID'] = trim(@\"[\\<\\>]\", ['Message ID'] )\r\n| project Sender,\r\n ['Sender IP'],\r\n Recipients,\r\n Tags,\r\n ['Policies Applied'],\r\n ['Account ID'],\r\n ['Aggregate ID'],\r\n ['Processing ID'],\r\n ['Message ID'],\r\n ['Threat State'],\r\n ['Threat Type'],\r\n ['Event Time'],\r\n Attachments,\r\n Subject,\r\n Source,\r\n Direction,\r\n ['Sender Header'],\r\n ['Historical Mail'],\r\n Type,\r\n Subtype", + "size": 0, + "showAnalytics": true, + "title": "Spam Tags Details", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Spam", + "comparison": "isNotEqualTo" + }, + "name": "query - 8", + "styleSettings": { + "showBorder": true + } + } + ] + }, + "name": "group - 22" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where isnotempty(Direction)\r\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Direction", + "size": 0, + "showAnalytics": true, + "title": "Email Traffic by Route", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 5", + "styleSettings": { + "showBorder": 
true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| parse-kv ['Policies Applied'] as (action: string) with ( kv_delimiter=\":\", pair_delimiter=\",\", quote='\"')\r\n| extend Action = replace_string(trim(@\"\\s\", action),\"_\",\" \")\r\n| where isnotempty(Action)\r\n| summarize count() by Action", + "size": 0, + "showAnalytics": true, + "title": "Types of Policy Action", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "series", + "exportParameterName": "Action", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "chartSettings": { + "xAxis": "Action", + "yAxis": [ + "count_" + ] + } + }, + "name": "query - 6", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Types of Policy Action' bar chart to see 'Policy Mode for Action'" + }, + "conditionalVisibility": { + "parameterName": "Action", + "comparison": "isEqualTo" + }, + "name": "text - 1" + } + ], + "exportParameters": true + }, + "name": "group - 17" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| parse-kv ['Policies Applied'] as (action: string, mode: string) with ( kv_delimiter=\":\", pair_delimiter=\",\", quote='\"')\r\n| extend Action = replace_string(trim(@\"\\s\", action),\"_\",\" \"), Mode = replace_string(trim(@\"\\s\", mode),\"_\",\" \")\r\n| where Action == '{Action}' and isnotempty(Mode)\r\n| summarize count() by Mode", + "size": 3, + "showAnalytics": true, + "title": "Policy Mode for Action : {Action}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + 
"exportFieldName": "series", + "exportParameterName": "Mode", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Mode", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "Action", + "comparison": "isNotEqualTo" + }, + "name": "query - 7", + "styleSettings": { + "padding": "69px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Policy Mode for Action: {Action}' pie chart to see 'Details of Emails for Policy Mode and Policy Action'" + }, + "conditionalVisibilities": [ + { + "parameterName": "Mode", + "comparison": "isEqualTo" + }, + { + "parameterName": "Action", + "comparison": "isNotEqualTo" + } + ], + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| parse-kv ['Policies Applied'] as (action: string, mode: string) with ( kv_delimiter=\":\", pair_delimiter=\",\", quote='\"')\r\n| extend Action = replace_string(trim(@\"\\s\", action),\"_\",\" \"), Mode = replace_string(trim(@\"\\s\", mode),\"_\",\" \")\r\n| where Action == '{Action}' and Mode == '{Mode}'\r\n| extend ['Threat Type'] = replace_string(['Threat Type'],\"_\",\" \"), ['Threat State'] = replace_string(['Threat State'],\"_\",\" \")\r\n| project-rename Sender = ['Sender Envelope']\r\n| extend Recipients = replace_string(Recipients,'\"','') \r\n| extend Recipients = replace_string(Recipients,',',', ') \r\n| extend Recipients = trim(@\"[\\[\\]]\",Recipients)\r\n| project Sender, Recipients, Subject, ['Threat State'], ['Threat Type']", + "size": 0, + "showAnalytics": true, + "title": "Details of Emails for Policy Mode: {Mode} and Policy Action: {Action}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + 
"resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "50", + "conditionalVisibilities": [ + { + "parameterName": "Action", + "comparison": "isNotEqualTo" + }, + { + "parameterName": "Mode", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 19", + "styleSettings": { + "showBorder": true + } + } + ], + "exportParameters": true + }, + "name": "group - 21" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| extend ['Threat Type'] = replace_string(trim(@\"\\s\", ['Threat Type']),\"_\",\" \")\r\n| where isnotempty(['Threat Type'])\r\n| summarize count() by ['Threat Type']", + "size": 0, + "showAnalytics": true, + "title": "Threat Detection", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "series", + "exportParameterName": "ThreatType", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "name": "query - 8", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Threat Detection' bar chart to see 'Threat State for Type'" + }, + "conditionalVisibility": { + "parameterName": "ThreatType", + "comparison": "isEqualTo" + }, + "name": "text - 1" + } + ], + "exportParameters": true + }, + "name": "group - 18" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| extend ['Threat Type'] = replace_string(trim(@\"\\s\", ['Threat Type']),\"_\",\" \"),\r\n ['Threat State'] = replace_string(trim(@\"\\s\", ['Threat State']),\"_\",\" \")\r\n| where ['Threat Type'] == '{ThreatType}' and 
isnotempty(['Threat State'])\r\n| summarize count() by ['Threat State']", + "size": 3, + "showAnalytics": true, + "title": "Threat State for Type: {ThreatType}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "series", + "exportParameterName": "ThreatState", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "conditionalVisibility": { + "parameterName": "ThreatType", + "comparison": "isNotEqualTo" + }, + "name": "query - 9", + "styleSettings": { + "padding": "69px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Threat State for Type: {ThreatType}' pie chart to see 'Details of Emails for Threat State and Threat Type'" + }, + "conditionalVisibilities": [ + { + "parameterName": "ThreatState", + "comparison": "isEqualTo" + }, + { + "parameterName": "ThreatType", + "comparison": "isNotEqualTo" + } + ], + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| extend ['Threat Type'] = replace_string(trim(@\"\\s\", ['Threat Type']),\"_\",\" \"),\r\n ['Threat State'] = replace_string(trim(@\"\\s\", ['Threat State']),\"_\",\" \")\r\n| where ['Threat Type'] == '{ThreatType}' and ['Threat State'] == '{ThreatState}'\r\n| project-rename Sender = ['Sender Envelope']\r\n| extend Recipients = replace_string(Recipients,'\"','') \r\n| extend Recipients = replace_string(Recipients,',',', ') \r\n| extend Recipients = trim(@\"[\\[\\]]\",Recipients)\r\n| project Sender, Recipients, Subject, ['Threat State'], ['Threat Type']", + "size": 0, + "showAnalytics": true, + "title": "Details of Emails for Threat State: {ThreatState} and Threat Type: {ThreatType}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": 
true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "50", + "conditionalVisibilities": [ + { + "parameterName": "ThreatType", + "comparison": "isNotEqualTo" + }, + { + "parameterName": "ThreatState", + "comparison": "isNotEqualTo" + } + ], + "name": "query - 18", + "styleSettings": { + "showBorder": true + } + } + ], + "exportParameters": true + }, + "name": "group - 20" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| extend senderGeoDetails = geo_info_from_ip_address(['Sender IP'])\r\n| extend latitude = senderGeoDetails.latitude, longitude = senderGeoDetails.longitude, country = senderGeoDetails.country, state = senderGeoDetails.state, city = senderGeoDetails.city\r\n| where isnotempty(latitude) and isnotempty(longitude)\r\n| extend label = strcat(\r\n iif(strlen(city) > 0, strcat(city, \", \"), \"\"),\r\n iif(strlen(state) > 0, strcat(state, \", \"), \"\"),\r\n country\r\n)\r\n| extend label = trim(\", \", label)\r\n| extend label = iif(strlen(label) > 0, label, \"N/A\")\r\n| summarize count() by tostring(latitude), tostring(longitude), label", + "size": 3, + "showAnalytics": true, + "title": "Messages Sent by Country", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "latitude": "latitude", + "longitude": "longitude", + "sizeSettings": "count_", + "sizeAggregation": "Sum", + "labelSettings": "label", + "legendMetric": "count_", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "count_", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "name": "query - 15", + "styleSettings": { + "showBorder": true + } + }, + { + 
"type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Direction == \"INBOUND\"\r\n| extend details = geo_info_from_ip_address(['Sender IP'])\r\n| extend Country = trim(@\"\\s\", tostring(details.country))\r\n| where isnotempty(Country)\r\n| summarize count() by Country\r\n| top 10 by count_ ", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Inbound Email Detections by Origin", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Country", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 10", + "styleSettings": { + "padding": "49px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| extend Domain = tostring(split(['Sender Envelope'],\"@\")[1])\r\n| where isnotempty(Domain)\r\n| summarize count() by Domain\r\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Sender Domains", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Domain", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 11", + "styleSettings": { + "padding": "49px", + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| extend Subtype = replace_string(trim(@\"\\s\", Subtype),\"_\",\" \")\r\n| where isnotempty(Subtype)\r\n| summarize count() 
by Subtype\r\n", + "size": 3, + "showAnalytics": true, + "title": "Threat Sub Types", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "exportFieldName": "series", + "exportParameterName": "Subtype", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "100", + "name": "query - 12", + "styleSettings": { + "padding": "49px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 Click on 'Threat Sub Types' pie chart to see 'Details of Emails for Sub Type'" + }, + "conditionalVisibility": { + "parameterName": "Subtype", + "comparison": "isEqualTo" + }, + "name": "text - 1" + } + ], + "exportParameters": true + }, + "customWidth": "50", + "name": "group - 19" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where ['Sender Envelope'] contains \"@\"\r\n| summarize count() by ['Sender Envelope']\r\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Senders", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Sender Envelope", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 13", + "styleSettings": { + "padding": "49px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| extend ['Threat Type'] = replace_string(['Threat Type'],\"_\",\" \"),\r\n ['Threat State'] = replace_string(['Threat State'],\"_\",\" \"),\r\n Subtype = replace_string(trim(@\"\\s\", Subtype),\"_\",\" \")\r\n| where Subtype == '{Subtype}'\r\n| project-rename 
Sender = ['Sender Envelope']\r\n| extend Recipients = replace_string(Recipients,'\"','') \r\n| extend Recipients = replace_string(Recipients,',',', ') \r\n| extend Recipients = trim(@\"[\\[\\]]\",Recipients)\r\n| project Sender, Recipients, Subject, ['Threat State'], ['Threat Type']", + "size": 0, + "showAnalytics": true, + "title": "Details of Emails for Sub Type: {Subtype}", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Subtype", + "comparison": "isNotEqualTo" + }, + "name": "query - 17", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| extend recipients = todynamic(Recipients)\r\n| mv-expand recipients\r\n| where recipients contains \"@\"\r\n| summarize count() by tostring(recipients)\r\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Receivers", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "recipients", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 14", + "styleSettings": { + "padding": "49px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Type == \"urlclick\"\r\n| project-rename Sender = ['Sender Envelope']\r\n| extend Recipients = replace_string(Recipients,'\"','') \r\n| extend Recipients = replace_string(Recipients,',',', ') \r\n| extend Recipients = trim(@\"[\\[\\]]\",Recipients)\r\n| extend Tags = 
replace_string(Tags,'\"','') \r\n| extend Tags = replace_string(Tags,',',', ') \r\n| extend Tags = trim(@\"[\\[\\]]\",Tags)\r\n| extend Attachments = replace_string(Attachments,'\"','') \r\n| extend Attachments = replace_string(Attachments,',',', ') \r\n|extend Attachments = trim(@\"[\\[\\]]\",Attachments)\r\n| extend ['Message ID'] = trim(@\"[\\<\\>]\", ['Message ID'] )\r\n| project Sender,\r\n ['Sender IP'],\r\n Recipients,\r\n ['Threat State'],\r\n ['Threat Type'],\r\n ['Policies Applied'],\r\n ['Account ID'],\r\n ['Aggregate ID'],\r\n ['Processing ID'],\r\n ['Message ID'],\r\n [\"Event Time\"],\r\n Attachments,\r\n Tags,\r\n Subject,\r\n Source,\r\n Direction,\r\n ['Sender Header'],\r\n ['Historical Mail'],\r\n Type,\r\n Subtype", + "size": 0, + "showAnalytics": true, + "title": "Url Protect Overview", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 20", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCloudIntegrated\r\n| where Type == \"entities\"\r\n| project-rename Sender = ['Sender Envelope']\r\n| extend Recipients = replace_string(Recipients,'\"','') \r\n| extend Recipients = replace_string(Recipients,',',', ') \r\n| extend Recipients = trim(@\"[\\[\\]]\",Recipients)\r\n| extend Tags = replace_string(Tags,'\"','') \r\n| extend Tags = replace_string(Tags,',',', ') \r\n| extend Tags = trim(@\"[\\[\\]]\",Tags)\r\n| extend Attachments = replace_string(Attachments,'\"','') \r\n| extend Attachments = replace_string(Attachments,',',', ') \r\n|extend Attachments = trim(@\"[\\[\\]]\",Attachments)\r\n| extend ['Message ID'] = trim(@\"[\\<\\>]\", ['Message ID'] )\r\n| project Type, Sender,\r\n ['Sender IP'],\r\n Recipients,\r\n ['Threat State'],\r\n ['Threat Type'],\r\n 
['Policies Applied'],\r\n ['Account ID'],\r\n ['Aggregate ID'],\r\n ['Processing ID'],\r\n ['Message ID'],\r\n [\"Event Time\"],\r\n Attachments,\r\n Tags,\r\n Subject,\r\n Source,\r\n Direction,\r\n ['Sender Header'],\r\n ['Historical Mail'],\r\n Subtype", + "size": 0, + "showAnalytics": true, + "title": "Entities Overview", + "timeContextFromParameter": "TimeRange", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 20 - Copy", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 16" + } + ] + }, + "name": "group - 0" + } + ], + "fromTemplateId": "Sentinel-Mimecast-Cloud-Integrated-Workbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/Mimecast/Workbooks/Mimecast_SEG_Workbook.json b/Solutions/Mimecast/Workbooks/Mimecast_SEG_Workbook.json new file mode 100644 index 00000000000..e2b2ed35f56 --- /dev/null +++ b/Solutions/Mimecast/Workbooks/Mimecast_SEG_Workbook.json 
@@ -0,0 +1,2688 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "f951ba63-69db-4e29-b73e-700430a58329", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Email Activity Summary", + "subTarget": "2", + "style": "link" + }, + { + "id": "6cb5e992-de3d-43c4-8b2c-32b56cf33cc1", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Email Receipt", + "subTarget": "1", + "preText": "Email Receipt", + "style": "link" + }, + { + "id": "43335114-8770-48e6-b02f-c9b7ee185cc1", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Email Delivery", + "subTarget": "3", + "style": "link" + }, + { + "id": "ffbb9e0f-8551-4797-b28a-fdda3671f1f5", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "AV / AS", + "subTarget": "7", + "style": "link" + }, + { + "id": "7438a20b-c11b-45b9-8c90-1e69e47fa220", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "TLS", + "subTarget": "4", + "style": "link" + }, + { + "id": "312e014c-a77d-4b0f-8d76-e25c13ed3716", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Email Spam", + "subTarget": "8", + "style": "link", + "linkIsContextBlade": true + }, + { + "id": "6d11cffc-b20e-42be-95d1-8812a2d876e5", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Internal Email Protect", + "subTarget": "6", + "style": "link" + }, + { + "id": "b2026a8b-8136-4d89-b26c-cffda38fcdee", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Email Journal", + "subTarget": "9", + "style": "link" + }, + { + "id": "8605b3c8-3b53-42ac-9e6c-cbf235909733", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Data Leak Prevention", + "subTarget": "5", + "style": "link" + } + ] + }, + "name": "links - 1" + }, + { + "type": 1, + "content": { + "json": "--- " + }, + "name": "text - 2" + }, + { + "type": 12, + "content": { + "version": 
"NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "b627c016-a002-4b73-a1b6-9c2e30f91d86", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type ==\"email_delivery\"\r\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Direction", + "size": 0, + "showAnalytics": true, + "title": "Email Traffic", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 1", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let min_t = toscalar(\r\n MimecastCG \r\n | where Type == \"email_receipt\" and isnotempty(['Rejection Type'])\r\n | summarize min_time = min(['Event Time'])\r\n | extend min_t = 
iff(isempty(min_time),now(),min_time)\r\n | project min_t);\r\nMimecastCG \r\n| where Type == \"email_receipt\" and isnotempty(['Rejection Type']) \r\n| make-series Trend = count() default = 0 on ['Event Time'] from min_t to now() step 1d by tostring(['Rejection Type']) \r\n| project-away ['Event Time'] \r\n| extend Count = array_sum(Trend) \r\n| project ['Rejection Type'] , Count, ['Spark Line'] = Trend \r\n| order by Count desc", + "size": 0, + "showAnalytics": true, + "title": "Rejections", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "min": 0, + "palette": "lightBlue" + } + }, + { + "columnMatch": "Spark Line", + "formatter": 9, + "formatOptions": { + "palette": "blue" + } + } + ] + } + }, + "customWidth": "33", + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "\r\nlet min_t = toscalar(\r\n MimecastCG \r\n | where Type == \"email_delivery\" and isnotempty(['Rejection Type'])\r\n | summarize min_time = min(['Event Time'])\r\n | extend min_t = iff(isempty(min_time),now(),min_time)\r\n | project min_t);\r\nMimecastCG \r\n| where Type == \"email_delivery\" and isnotempty(['Rejection Type'])\r\n| make-series Trend = count() default = 0 on ['Event Time'] from min_t to now() step 1d by tostring(['Rejection Type']) \r\n| project-away ['Event Time'] \r\n| extend Count = array_sum(Trend) \r\n| project ['Rejection Type'], Count, ['Spark Line'] = Trend \r\n| order by Count desc", + "size": 0, + "showAnalytics": true, + "title": "Delivery Failures", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + 
"formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "min": 0, + "palette": "lightBlue" + } + }, + { + "columnMatch": "Spark Line", + "formatter": 9, + "formatOptions": { + "palette": "blue" + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 2 - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let min_t = toscalar(\r\n MimecastCG\r\n | where Type == \"email_process\" and isnotempty(['Hold Reason'])\r\n | summarize min_time = min(['Event Time'])\r\n | extend min_t = iff(isempty(min_time),now(),min_time)\r\n | project min_t);\r\nMimecastCG\r\n| where Type == \"email_process\" and isnotempty(['Hold Reason'])\r\n| make-series Trend = count() default = 0 on ['Event Time'] from min_t to now() step 1d by tostring(['Hold Reason'])\r\n| project-away ['Event Time']\r\n| extend Count=array_sum(Trend)\r\n| project ['Hold Reason'], Count,['Spark Line'] = Trend\r\n| order by Count desc", + "size": 0, + "showAnalytics": true, + "title": "Held", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 4, + "formatOptions": { + "min": 0, + "palette": "lightBlue" + } + }, + { + "columnMatch": "Spark Line", + "formatter": 9, + "formatOptions": { + "palette": "blue" + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 2 - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "2" + }, + "name": "group - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + 
"parameters": [ + { + "id": "3eec960e-69f2-487a-986f-e3b495ce6818", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type== \"email_receipt\"\r\n| summarize count() by Direction, Action, ['Sender IP']\r\n| summarize sum(count_)\r\n| project TotalCount = sum_count_", + "size": 3, + "showAnalytics": true, + "title": "Total Messages Received", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "TotalCount", + "parameterName": "MessagesReceived" + }, + { + "fieldName": "TotalCount", + "parameterName": "TileAction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "blue" + } + }, + 
"showBorder": false + } + }, + "customWidth": "25", + "name": "query - 0", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type== \"email_receipt\"\r\n| where Action in~ (\"Acc\", \"RTY\")\r\n| summarize count() by Direction, Action, ['Sender IP']\r\n| summarize sum(count_)\r\n| project TotalCount = sum_count_\r\n", + "size": 3, + "showAnalytics": true, + "title": "Total Messages Accepted", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "TotalCount", + "parameterName": "MessagesAccepted" + }, + { + "fieldName": "TotalCount", + "parameterName": "TileAction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "green" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 0 - Copy", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type== \"email_receipt\"\r\n| where Action in~ (\"REJ\", \"BNC\")\r\n| summarize count() by Direction, Action, ['Sender IP']\r\n| summarize sum(count_)\r\n| project TotalCount = sum_count_\r\n\r\n// Rej and Bnc are considered as blocked", + "size": 3, + "showAnalytics": true, + "title": "Total Messages Rejected", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "TotalCount", + "parameterName": "MessagesRejected" + }, + { + "fieldName": "TotalCount", + "parameterName": "TileAction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + 
"tileSettings": { + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "amethyst" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 0 - Copy - Copy", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type== \"email_receipt\" and Action in~ (\"Acc\", \"RTY\")\r\n| where isempty( ['TLS Version'])\r\n| summarize count() by Direction, Action, ['Sender IP']\r\n| summarize sum(count_)\r\n| project TotalCount = sum_count_\r\n\r\n//Acc and Rty are considered as delivered", + "size": 3, + "showAnalytics": true, + "title": "Total Messages Accepted without TLS", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "TotalCount", + "parameterName": "MessagesAcceptedwithoutTLS" + }, + { + "fieldName": "TotalCount", + "parameterName": "TileAction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "orangeDark" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 0 - Copy - Copy - Copy", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 To view message details, please click on any of the tiles above" + }, + "conditionalVisibility": { + "parameterName": "TileAction", + "comparison": "isEqualTo" + }, + "name": "text - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type== \"email_receipt\"\r\n| project ['Aggregate ID'] ,\r\n['Processing ID'],\r\n['Account ID'] ,\r\n['Action'],\r\n['Type'],\r\n['Sender Envelope'] ,\r\n['Message ID'] 
,\r\n['Subject'],\r\n['Recipients'] ,\r\n['Sender IP'] ,\r\n['Rejection Type'] ,\r\n['Rejection Code'] ,\r\n['Direction'] ,\r\n['Number of Attachments'] ,\r\n['Sender Header'] ,\r\n['Rejection Info'] ,\r\n[\"TLS Version\"],\r\n[\"TLS Cipher\"],\r\n['Spam Info'] ,\r\n['Spam Processing Detail'] ,\r\n['Virus Found'] ,\r\n['Event Time'] ,\r\n['Sub Type'] ", + "size": 0, + "showAnalytics": true, + "title": "Messages Received", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "MessagesReceived", + "comparison": "isNotEqualTo" + }, + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type== \"email_receipt\"\r\n| where Action in~ (\"Acc\", \"RTY\")\r\n| project ['Aggregate ID'] ,\r\n['Processing ID'],\r\n['Account ID'] ,\r\n['Action'],\r\n['Type'],\r\n['Sender Envelope'] ,\r\n['Message ID'] ,\r\n['Subject'],\r\n['Recipients'] ,\r\n['Sender IP'] ,\r\n['Rejection Type'] ,\r\n['Rejection Code'] ,\r\n['Direction'] ,\r\n['Number of Attachments'] ,\r\n['Sender Header'] ,\r\n['Rejection Info'] ,\r\n[\"TLS Version\"],\r\n[\"TLS Cipher\"],\r\n['Spam Info'] ,\r\n['Spam Processing Detail'] ,\r\n['Virus Found'] ,\r\n['Event Time'] ,\r\n['Sub Type'] ", + "size": 0, + "showAnalytics": true, + "title": "Messages Accepted", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "MessagesAccepted", + "comparison": "isNotEqualTo" + }, + "name": "query - 2 - Copy", + 
"styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type== \"email_receipt\"\r\n| where Action in~ (\"REJ\", \"BNC\")\r\n| project ['Aggregate ID'] ,\r\n['Processing ID'],\r\n['Account ID'] ,\r\n['Action'],\r\n['Type'],\r\n['Sender Envelope'] ,\r\n['Message ID'] ,\r\n['Subject'],\r\n['Recipients'] ,\r\n['Sender IP'] ,\r\n['Rejection Type'] ,\r\n['Rejection Code'] ,\r\n['Direction'] ,\r\n['Number of Attachments'] ,\r\n['Sender Header'] ,\r\n['Rejection Info'] ,\r\n[\"TLS Version\"],\r\n[\"TLS Cipher\"],\r\n['Spam Info'] ,\r\n['Spam Processing Detail'] ,\r\n['Virus Found'] ,\r\n['Event Time'] ,\r\n['Sub Type'] ", + "size": 0, + "showAnalytics": true, + "title": "Messages Rejected", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "MessagesRejected", + "comparison": "isNotEqualTo" + }, + "name": "query - 2 - Copy - Copy", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_receipt\" and Action in~ (\"Acc\", \"RTY\")\r\n| where isempty([\"TLS Version\"])\r\n| project \r\n['Aggregate ID'] ,\r\n['Processing ID'] ,\r\n['Account ID'],\r\n['Action'],\r\n['Type'],\r\n['Sender Envelope'],\r\n['Message ID'] ,\r\n['Subject'] ,\r\n['Recipients'] ,\r\n['Sender IP'] ,\r\n['Rejection Type'] ,\r\n['Rejection Code'] ,\r\n['Direction'] ,\r\n['Number of Attachments'] ,\r\n['Sender Header'] ,\r\n['Rejection Info'],\r\n[\"TLS Version\"],\r\n[\"TLS Cipher\"],\r\n['Spam Info'] ,\r\n['Spam Processing Detail'] ,\r\n['Virus Found'] ,\r\n['Event Time'],\r\n['Sub Type']", + "size": 0, + "showAnalytics": true, + 
"title": "Messages Accepted without TLS", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "MessagesAcceptedwithoutTLS", + "comparison": "isNotEqualTo" + }, + "name": "query - 2 - Copy - Copy - Copy", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + } + ] + }, + "name": "group - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type== \"email_receipt\" and Action in~ (\"Acc\", \"RTY\")\r\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Direction", + "size": 0, + "showAnalytics": true, + "title": "Messages Accepted by Route", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type== \"email_receipt\" and Action in~ (\"Acc\", \"RTY\") and isnotempty( ['Sender IP'])\r\n| extend senderGeoDetails = geo_info_from_ip_address(['Sender IP'])\r\n| extend latitude = senderGeoDetails.latitude, longitude = senderGeoDetails.longitude, country = senderGeoDetails.country, state = senderGeoDetails.state, city = senderGeoDetails.city\r\n| where isnotempty(latitude) and isnotempty(longitude)\r\n| extend label = strcat(\r\n iif(strlen(city) > 0, strcat(city, \", \"), \"\"),\r\n iif(strlen(state) > 0, strcat(state, \", \"), \"\"),\r\n country\r\n)\r\n| extend label = trim(\", \", label)\r\n| extend label = iif(strlen(label) > 0, label, \"N/A\")\r\n| summarize count() by tostring(latitude), tostring(longitude), label", + "size": 0, + 
"showAnalytics": true, + "title": "Messages Accepted by Source Country", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "latitude": "latitude", + "longitude": "longitude", + "sizeSettings": "count_", + "sizeAggregation": "Sum", + "minData": -1, + "labelSettings": "label", + "legendMetric": "count_", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "count_", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "name": "query - 3", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type== \"email_receipt\" and Action in~ (\"REJ\", \"BNC\") and isnotempty( ['Sender IP'])\r\n| extend senderGeoDetails = geo_info_from_ip_address(['Sender IP'])\r\n| extend latitude = senderGeoDetails.latitude, longitude = senderGeoDetails.longitude, country = senderGeoDetails.country, state = senderGeoDetails.state, city = senderGeoDetails.city\r\n| where isnotempty(latitude) and isnotempty(longitude)\r\n| extend label = strcat(\r\n iif(strlen(city) > 0, strcat(city, \", \"), \"\"),\r\n iif(strlen(state) > 0, strcat(state, \", \"), \"\"),\r\n country\r\n)\r\n| extend label = trim(\", \", label)\r\n| extend label = iif(strlen(label) > 0, label, \"N/A\")\r\n| summarize count() by tostring(latitude), tostring(longitude), label", + "size": 0, + "showAnalytics": true, + "title": "Messages Rejected by Source Country", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "latitude": "latitude", + "longitude": "longitude", + 
"sizeSettings": "count_", + "sizeAggregation": "Sum", + "minData": -1, + "labelSettings": "label", + "legendMetric": "count_", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "count_", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "name": "query - 3 - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "1" + }, + "name": "group - 0" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "3eec960e-69f2-487a-986f-e3b495ce6818", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"true\"\r\n| summarize count() by Direction , 
Delivered , ['Destination IP'] , ['TLS Used'] \r\n| summarize sum(count_)\r\n| project TotalCount = sum_count_", + "size": 3, + "showAnalytics": true, + "title": "Total Messages Delivered", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "TotalCount", + "parameterName": "MessageDelivered" + }, + { + "fieldName": "TotalCount", + "parameterName": "TileAction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "palette": "auto" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 0", + "styleSettings": { + "margin": "5px", + "maxWidth": "25%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"false\" and Direction == \"Outbound\"\r\n| summarize count() by Direction , Delivered , ['TLS Used'] \r\n| summarize sum(count_)\r\n| project TotalCount = sum_count_", + "size": 3, + "showAnalytics": true, + "title": "Total Outbound Delivery Failures", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "TotalCount", + "parameterName": "Outbounddeliveryfailures" + }, + { + "fieldName": "TotalCount", + "parameterName": "TileAction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "purple" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 0 - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "25%", + "showBorder": true + } + }, + { + "type": 
3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"false\" and Direction == \"Inbound\"\r\n| summarize count() by Direction , Delivered , ['Destination IP'] , ['TLS Used'] \r\n| summarize sum(count_)\r\n| project TotalCount = sum_count_", + "size": 3, + "showAnalytics": true, + "title": "Total Inbound Delivery Failures", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "TotalCount", + "parameterName": "InboundDeliveryFailures" + }, + { + "fieldName": "TotalCount", + "parameterName": "TileAction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "TotalCount", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "greenDark" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 0 - Copy - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "25%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"true\" and ['TLS Used'] == \"No\"\r\n| summarize count() by Direction , Delivered , ['Destination IP'] , ['TLS Used'] \r\n| summarize sum(count_)\r\n| project TotalCount = sum_count_", + "size": 3, + "showAnalytics": true, + "title": "Total Messages Delivered without TLS", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "TotalCount", + "parameterName": "MessagesDeliveredwithoutTLS" + }, + { + "fieldName": "TotalCount", + "parameterName": "TileAction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "TotalCount", + 
"formatter": 12, + "formatOptions": { + "min": -1, + "palette": "orangeDark" + } + }, + "showBorder": false + } + }, + "customWidth": "25", + "name": "query - 0 - Copy - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "25%", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 To view message details, please click on any of the tiles above" + }, + "conditionalVisibility": { + "parameterName": "TileAction", + "comparison": "isEqualTo" + }, + "name": "text - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"true\"\r\n| project \r\n [\"Aggregate ID\"] ,\r\n [\"Processing ID\"],\r\n [\"Delivered\"] ,\r\n [\"Destination IP\"] ,\r\n [\"Host Name\"],\r\n [\"Delivery Attempts\"] ,\r\n [\"TLS Used\"] ,\r\n [\"Route\"] ,\r\n [\"Account ID\"] ,\r\n [\"Event Time\"] ,\r\n [\"Sender Envelope\"] ,\r\n [\"Message ID\"] ,\r\n [\"Subject\"] ,\r\n [\"Total of Size Attachments\"] ,\r\n [\"Number of Attachments\"] ,\r\n [\"Email Size\"] ,\r\n [\"Type\"] ,\r\n [\"Sub Type\"] ,\r\n [\"Recipients\"] ,\r\n [\"Direction\"] ,\r\n [\"TLS Version\"] ,\r\n [\"TLS Cipher\"] ,\r\n [\"Delivery Errors\"] ,\r\n [\"Rejection Type\"] ,\r\n [\"Rejection Code\"] ,\r\n [\"Rejection Info\"] \r\n", + "size": 0, + "showAnalytics": true, + "title": "Messages Delivered", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "MessageDelivered", + "comparison": "isNotEqualTo" + }, + "name": "query - 7", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"false\" and Direction == 
\"Outbound\"\r\n| project \r\n [\"Aggregate ID\"] ,\r\n [\"Processing ID\"],\r\n [\"Delivered\"] ,\r\n [\"Destination IP\"] ,\r\n [\"Host Name\"] ,\r\n [\"Delivery Attempts\"] ,\r\n [\"TLS Used\"] ,\r\n [\"Route\"] ,\r\n [\"Account ID\"] ,\r\n [\"Event Time\"] ,\r\n [\"Sender Envelope\"] ,\r\n [\"Message ID\"] ,\r\n [\"Subject\"] ,\r\n [\"Total of Size Attachments\"] ,\r\n [\"Number of Attachments\"] ,\r\n [\"Email Size\"] ,\r\n [\"Type\"] ,\r\n [\"Sub Type\"] ,\r\n [\"Recipients\"] ,\r\n [\"Direction\"] ,\r\n [\"TLS Version\"] ,\r\n [\"TLS Cipher\"] ,\r\n [\"Delivery Errors\"] ,\r\n [\"Rejection Type\"] ,\r\n [\"Rejection Code\"] ,\r\n [\"Rejection Info\"] \r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Outbound Delivery Failures", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "Outbounddeliveryfailures", + "comparison": "isNotEqualTo" + }, + "name": "query - 8", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"false\" and Direction == \"Inbound\"\r\n| project \r\n [\"Aggregate ID\"] ,\r\n [\"Processing ID\"],\r\n [\"Delivered\"] ,\r\n [\"Destination IP\"] ,\r\n [\"Host Name\"] ,\r\n [\"Delivery Attempts\"] ,\r\n [\"TLS Used\"] ,\r\n [\"Route\"] ,\r\n [\"Account ID\"] ,\r\n [\"Event Time\"] ,\r\n [\"Sender Envelope\"] ,\r\n [\"Message ID\"] ,\r\n [\"Subject\"] ,\r\n [\"Total of Size Attachments\"] ,\r\n [\"Number of Attachments\"] ,\r\n [\"Email Size\"] ,\r\n [\"Type\"] ,\r\n [\"Sub Type\"] ,\r\n [\"Recipients\"] ,\r\n [\"Direction\"] ,\r\n [\"TLS Version\"] ,\r\n [\"TLS Cipher\"] ,\r\n [\"Delivery Errors\"] ,\r\n [\"Rejection Type\"] ,\r\n 
[\"Rejection Code\"] ,\r\n [\"Rejection Info\"] \r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Inbound Delivery Failures", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "InboundDeliveryFailures", + "comparison": "isNotEqualTo" + }, + "name": "query - 8 - Copy", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"true\" and [\"TLS Used\"] == \"No\"\r\n| project \r\n [\"Aggregate ID\"] ,\r\n [\"Processing ID\"],\r\n [\"Delivered\"] ,\r\n [\"Destination IP\"] ,\r\n [\"Host Name\"] ,\r\n [\"Delivery Attempts\"] ,\r\n [\"TLS Used\"] ,\r\n [\"Route\"] ,\r\n [\"Account ID\"] ,\r\n [\"Event Time\"] ,\r\n [\"Sender Envelope\"] ,\r\n [\"Message ID\"] ,\r\n [\"Subject\"] ,\r\n [\"Total of Size Attachments\"] ,\r\n [\"Number of Attachments\"] ,\r\n [\"Email Size\"] ,\r\n [\"Type\"] ,\r\n [\"Sub Type\"] ,\r\n [\"Recipients\"] ,\r\n [\"Direction\"] ,\r\n [\"TLS Version\"] ,\r\n [\"TLS Cipher\"] ,\r\n [\"Delivery Errors\"] ,\r\n [\"Rejection Type\"] ,\r\n [\"Rejection Code\"] ,\r\n [\"Rejection Info\"] \r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Messages Delivered without TLS", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "MessagesDeliveredwithoutTLS", + "comparison": "isNotEqualTo" + }, + "name": "query - 8 - Copy - Copy", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + 
"type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"true\" \r\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Direction", + "size": 0, + "showAnalytics": true, + "title": "Messages Delivered by Route", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 4", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\"\r\n| project \r\n [\"Aggregate ID\"] ,\r\n [\"Processing ID\"],\r\n [\"Delivered\"] ,\r\n [\"Destination IP\"] ,\r\n [\"Host Name\"] ,\r\n [\"Delivery Attempts\"] ,\r\n [\"TLS Used\"] ,\r\n [\"Route\"] ,\r\n [\"Account ID\"] ,\r\n [\"Event Time\"] ,\r\n [\"Sender Envelope\"] ,\r\n [\"Message ID\"] ,\r\n [\"Subject\"] ,\r\n [\"Total of Size Attachments\"] ,\r\n [\"Number of Attachments\"] ,\r\n [\"Email Size\"] ,\r\n [\"Type\"] ,\r\n [\"Sub Type\"] ,\r\n [\"Recipients\"] ,\r\n [\"Direction\"] ,\r\n [\"TLS Version\"] ,\r\n [\"TLS Cipher\"] ,\r\n [\"Delivery Errors\"] ,\r\n [\"Rejection Type\"] ,\r\n [\"Rejection Code\"] ,\r\n [\"Rejection Info\"] \r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Message Delivery Events", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 7", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"true\" and Direction == \"Outbound\"\r\n| summarize Count = count() by 
Direction , Delivered , ['Destination IP'] , ['TLS Used'] \r\n| extend geo_info = geo_info_from_ip_address(['Destination IP'])\r\n| extend latitude = geo_info.latitude, longitude = geo_info.longitude, country = geo_info.country , state = geo_info.state , city = geo_info.state\r\n| where isnotempty(latitude) and isnotempty(longitude)\r\n| extend label = strcat(\r\n iif(strlen(city) > 0, strcat(city, \", \"), \"\"),\r\n iif(strlen(state) > 0, strcat(state, \", \"), \"\"),\r\n country\r\n)\r\n| extend label = trim(\", \", label)\r\n| extend label = iif(strlen(label) > 0, label, \"N/A\")\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Messages Delivered Outbound by Destination Country", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "locInfoColumn": "DestinationIp", + "latitude": "latitude", + "longitude": "longitude", + "sizeSettings": "Count", + "sizeAggregation": "Sum", + "labelSettings": "label", + "legendMetric": "Count", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "Count", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "name": "query - 6", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "3" + }, + "name": "group - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "578d7b4c-c261-429f-b39e-a7d3c5ef2d66", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + 
}, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type ==\"email_antivirus\"\r\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Route", + "size": 0, + "showAnalytics": true, + "title": "Anti-Virus Traffic", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 1", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_receipt\" and Action in~ (\"Acc\", \"Rty\") and ['Rejection Type'] ==\"Virus Signature Detection\"\r\n| summarize count() \r\n", + "size": 3, + "showAnalytics": true, + "title": "Total Viruses Rejected", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "count_", + "parameterName": "CountTVR", + "parameterType": 1 + }, + { + "fieldName": "count_", + "parameterName": "Tileaction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + 
"tileSettings": { + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "blue" + } + }, + "showBorder": false + } + }, + "customWidth": "33", + "name": "query - 0", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_receipt\" and isnotempty( ['Spam Info']) and ['Spam Info'] != \"[]\"\r\n| summarize count() \r\n", + "size": 3, + "showAnalytics": true, + "title": "Total Messages Rejected as Spam", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "count_", + "parameterName": "CountRS", + "parameterType": 1 + }, + { + "fieldName": "count_", + "parameterName": "Tileaction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "green" + } + }, + "showBorder": false + } + }, + "customWidth": "33", + "name": "query - 0 - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_process\" and ['Hold Reason'] == \"Spm\"\r\n| summarize count() \r\n\r\n", + "size": 3, + "showAnalytics": true, + "title": "Total Messages Held as Spam", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "exportedParameters": [ + { + "fieldName": "count_", + "parameterName": "CountHS", + "parameterType": 1 + }, + { + "fieldName": "count_", + "parameterName": "Tileaction", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + 
"leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "amethyst" + } + }, + "showBorder": false + } + }, + "customWidth": "33", + "name": "query - 0 - Copy - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%", + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "💡 To view message details, please click on any of the tiles above" + }, + "conditionalVisibility": { + "parameterName": "Tileaction", + "comparison": "isEqualTo" + }, + "name": "text - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_receipt\" and Action in~ (\"Acc\", \"Rty\") and [\"Rejection Type\"] ==\"Virus Signature Detection\"\r\n| project [\"Aggregate ID\"], [\"Recipients\"] , [\"Action\"] , [\"Event Time\"] ,[\"Sender Envelope\"] , [\"Message ID\"] , [\"Subject\"] , [\"Number of Attachments\"] , [\"Type\"] = Type, [\"Sub Type\"] , [\"Sender IP\"] , [\"Direction\"], [\"Sender Header\"] , [\"TLS Version\"] , [\"TLS Cipher\"] , [\"Spam Info\"] ,[\"Virus Found\"] , [\"Spam Processing Detail\"],[\"Rejection Type\"] ,[\"Rejection Code\"], [\"Rejection Info\"] , [\"Processing ID\"] , [\"Account ID\"] \r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Viruses Rejected", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "CountTVR", + "comparison": "isNotEqualTo" + }, + "name": "query - 7", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_receipt\" and isnotempty(['Spam Info']) and ['Spam Info'] != \"[]\"\r\n| project [\"Aggregate ID\"], [\"Recipients\"] , [\"Action\"] , 
[\"Event Time\"] ,[\"Sender Envelope\"] , [\"Message ID\"] , [\"Subject\"] , [\"Number of Attachments\"] , [\"Type\"] = Type, [\"Sub Type\"] , [\"Sender IP\"] , [\"Direction\"], [\"Sender Header\"] , [\"TLS Version\"] , [\"TLS Cipher\"] , [\"Spam Info\"] ,[\"Virus Found\"] , [\"Spam Processing Detail\"],[\"Rejection Type\"] ,[\"Rejection Code\"], [\"Rejection Info\"] , [\"Processing ID\"] , [\"Account ID\"] \r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Messages Rejected as Spam", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + }, + "tileSettings": { + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "blue" + } + }, + "showBorder": false + } + }, + "conditionalVisibility": { + "parameterName": "CountRS", + "comparison": "isNotEqualTo" + }, + "name": "query - 0 - Copy - Copy", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_process\" and ['Hold Reason'] == \"Spm\"\r\n| project [\"Aggregate ID\"], [\"Recipients\"] , [\"Action\"] , [\"Event Time\"], ['Hold Reason'] ,[\"Sender Envelope\"] , [\"Message ID\"] , [\"Subject\"] , [\"Number of Attachments\"] , [\"Type\"] = Type, [\"Sub Type\"] , [\"Sender IP\"] , [\"Direction\"], [\"Sender Header\"] , [\"TLS Version\"] , [\"TLS Cipher\"] , [\"Spam Info\"] ,[\"Virus Found\"] , [\"Spam Processing Detail\"],[\"Rejection Type\"] ,[\"Rejection Code\"], [\"Rejection Info\"] , [\"Processing ID\"] , [\"Account ID\"] \r\n\r\n\r\n\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Messages Held as Spam", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + 
"showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "conditionalVisibility": { + "parameterName": "CountHS", + "comparison": "isNotEqualTo" + }, + "name": "query - 9", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_receipt\" and isnotempty(['Virus Found'])\r\n| summarize Count = count() by ['Sender Envelope'] , Recipients , ['Sender IP'],['Virus Found'] , ['Event Time']\r\n| sort by Count desc\r\n| extend Sender = ['Sender Envelope'] , Recipient = Recipients , [\"Source IP\"] = ['Sender IP'], [\"Virus Name\"] = ['Virus Found']\r\n| project Sender, Recipient, [\"Source IP\"], [\"Virus Name\"], Count , ['Event Time']\r\n| extend Count = iff(isnull(Count), 0, Count)\r\n", + "size": 0, + "showAnalytics": true, + "title": "Messages Rejected Due to Virus", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + }, + "tileSettings": { + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "blue" + } + }, + "showBorder": false + } + }, + "customWidth": "50", + "name": "query - 0 - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_receipt\" and isnotempty(['Spam Info'] ) and ['Spam Info'] != \"[]\"\r\n| summarize Count = count() by ['Sender Envelope'] , Recipients , ['Sender IP'],['Spam Info'] , ['Event Time']\r\n| sort by Count desc\r\n| extend Sender = ['Sender Envelope'] , Recipient = Recipients , 
[\"Source IP\"] = ['Sender IP'], [\"Spam Information\"] = ['Spam Info'] \r\n| project Sender, Recipient, [\"Source IP\"], [\"Spam Information\"], Count ,['Event Time']\r\n| extend Count = iff(isnull(Count), 0, Count)\r\n", + "size": 0, + "showAnalytics": true, + "title": "Messages Rejected as Spam", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "rowLimit": 10000, + "filter": true + }, + "tileSettings": { + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "min": -1, + "palette": "blue" + } + }, + "showBorder": false + } + }, + "customWidth": "50", + "name": "query - 0 - Copy - Copy - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "7" + }, + "name": "group - 7" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "02075565-ceae-47c2-ba15-44b2f74313c4", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + 
"timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered == \"true\" and isnotnull(['TLS Used'])\r\n| make-series Count=count() default=0 on ['Event Time'] step 1d by ['TLS Used']", + "size": 0, + "showAnalytics": true, + "title": "TLS Delivery", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 1", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and Delivered== \"true\" and isnotempty(['TLS Version'])\r\n| summarize Count = count(Recipients) by bin(['Event Time'] , 1d), ['TLS Version']", + "size": 0, + "showAnalytics": true, + "title": "TLS Versions (Delivery)", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar", + "chartSettings": { + "group": "TLS Version", + "createOtherGroup": null + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_receipt\" and isnotempty(['TLS Version'])\r\n| summarize Count = count(Recipients) by bin(['Event Time'] , 1d), ['TLS Version']", + "size": 0, + "showAnalytics": true, + "title": "TLS Versions (Receipt)", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 
0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar", + "chartSettings": { + "group": "TLS Version", + "createOtherGroup": null + } + }, + "customWidth": "50", + "name": "query - 2 - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" and isnotempty(['TLS Cipher'])\r\n| summarize count() by Cipher = ['TLS Cipher'] \r\n| sort by count_ desc", + "size": 0, + "showAnalytics": true, + "title": "Delivery Ciphers", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar", + "gridSettings": { + "rowLimit": 10000, + "filter": true + }, + "chartSettings": { + "group": "Cipher", + "createOtherGroup": null + } + }, + "customWidth": "50", + "name": "query - 2 - Copy - Copy", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_receipt\" and isnotempty(['TLS Cipher'])\r\n| summarize count() by Cipher = ['TLS Cipher'] \r\n| sort by count_ desc\r\n", + "size": 0, + "showAnalytics": true, + "title": "Receipt Ciphers", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar", + "gridSettings": { + "rowLimit": 10000, + "filter": true + }, + "chartSettings": { + "group": "Cipher", + "createOtherGroup": null + } + }, + "customWidth": "50", + "name": "query - 6", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_delivery\" 
and ['TLS Used'] == \"No\" and Delivered == \"true\"\r\n| extend temp = split(Recipients, \"@\")\r\n| extend [\"Recipient Domain\"] = tostring(temp[1])\r\n| summarize Count = count() by [\"Recipient Domain\"] \r\n| top 10 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top 10 Recipient Domains not Using TLS", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar", + "chartSettings": { + "group": "*", + "createOtherGroup": null + } + }, + "customWidth": "50", + "name": "query - 6", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_receipt\" and Action in~ (\"Acc\", \"Rty\") and isempty(['TLS Version'])\r\n| extend temp = split(['Sender Envelope'], \"@\")\r\n| extend [\"Sending Domain\"] = tostring(temp[1])\r\n| summarize Count = count() by [\"Sending Domain\"] \r\n| top 10 by Count", + "size": 0, + "showAnalytics": true, + "title": "Top 10 Sending Domains not Using TLS", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar", + "chartSettings": { + "group": "Sending Domain", + "createOtherGroup": null + } + }, + "customWidth": "50", + "name": "query - 4", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "4" + }, + "name": "group - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "cbe43313-4782-4061-b7c0-d48e146bfeb1", + "version": 
"KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 4", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastDLP\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Action\n", + "size": 0, + "showAnalytics": true, + "title": "Data Leak Prevention Events", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart", + "chartSettings": { + "group": "*", + "createOtherGroup": 25, + "seriesLabelSettings": [ + { + "seriesName": "data_leak_prevention_notification", + "label": "Notification" + }, + { + "seriesName": "data_leak_prevention_hold", + "label": "Hold" + }, + { + "seriesName": "data_leak_prevention_smart_folder", + "label": "Smart Folder" + }, + { + "seriesName": "data_leak_prevention_secure_messaging", + "label": "Secure Messaging" + }, + { + "seriesName": "data_leak_prevention_secure_delivery", + "label": "Secure Delivery" + }, + { + "seriesName": "data_leak_prevention_bounce", + "label": "Bounce" + }, + { + "seriesName": 
"data_leak_prevention_stationery", + "label": "Stationary" + }, + { + "seriesName": "data_leak_prevention_delete", + "label": "Delete" + }, + { + "seriesName": "data_leak_prevention_meta_expire", + "label": "Meta Expire" + }, + { + "seriesName": "data_leak_prevention_content_expire", + "label": "Content Expire" + } + ] + } + }, + "name": "query - 23", + "styleSettings": { + "margin": "5px" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastDLP\n| summarize count() by Route\n", + "size": 3, + "showAnalytics": true, + "title": "DLP Events by Route", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Route", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 30", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastDLP\n| summarize count() by Action\n", + "size": 3, + "showAnalytics": true, + "title": "DLP Events by Actions Triggered", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Action", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 29", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastDLP\n| summarize count() by Policy\n", + "size": 3, + "showAnalytics": true, + "title": "DLP Events by Policies Triggered", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + 
"visualization": "piechart", + "chartSettings": { + "group": "Policy", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 27", + "styleSettings": { + "margin": "5px", + "maxWidth": "33%" + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "5" + }, + "name": "group - 36" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "ba10bbf5-0743-4e41-8555-11302a815979", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_iep\"\r\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Route", + "size": 0, + "showAnalytics": true, + "title": "Internal Email Protection by Route", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_iep\"\r\n| project\r\n ['Aggregate ID'],\r\n ['Processing ID'] ,\r\n ['Account ID'] ,\r\n Type,\r\n ['Event Time'],\r\n ['Sender Envelope'] ,\r\n Subject,\r\n Recipients,\r\n ['Url Category'],\r\n ['Scan Results'] ,\r\n Route,\r\n ['Message ID'] ,\r\n ['Monitored Domain Source'] ,\r\n ['Similar Domain'] ,\r\n ['Sub Type'] ", + "size": 0, + "showAnalytics": true, + "title": "Internal Event Protection Events", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "6" + }, + "name": "group - 8" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "ba10bbf5-0743-4e41-8555-11302a815979", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { 
+ "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_journal\"\r\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Direction", + "size": 0, + "showAnalytics": true, + "title": "Journal Messages by Direction", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_journal\"\r\n| project\r\n ['Aggregate ID'] ,\r\n ['Processing ID'],\r\n ['Account ID'],\r\n Type,\r\n ['Event Time'],\r\n ['Sender Envelope'] ,\r\n Recipients,\r\n Direction,\r\n ['Sub Type'] ", + "size": 0, + "showAnalytics": true, + "title": "Journal Message Events", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "9" + }, + "name": "group - 8 - Copy" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": 
"3301a4a8-8498-43bd-8a9b-fd331320f2a6", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type ==\"email_spam\" and isnotempty(Route)\r\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Route", + "size": 0, + "showAnalytics": true, + "title": "Spam Messages by Route", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "timechart" + }, + "name": "query - 1", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_spam\"\r\n| project\r\n ['Aggregate ID'] ,\r\n ['Processing ID'],\r\n ['Account ID'] ,\r\n Type,\r\n ['Event Time'],\r\n ['Sender Envelope'] ,\r\n Subject,\r\n Recipients,\r\n ['Sender IP'] ,\r\n ['Sender Domain'] ,\r\n ['Sender Header'],\r\n Route,\r\n ['Sub Type'] ", + "size": 0, + "showAnalytics": true, + "title": "Spam Message Events", + 
"timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "filter": true + } + }, + "name": "query - 2", + "styleSettings": { + "margin": "5px", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastCG\r\n| where Type == \"email_spam\" and isnotempty(['Sender IP'])\r\n| extend senderGeoDetails = geo_info_from_ip_address(['Sender IP'])\r\n| extend latitude = senderGeoDetails.latitude, longitude = senderGeoDetails.longitude, country = senderGeoDetails.country, state = senderGeoDetails.state, city = senderGeoDetails.city\r\n| where isnotempty(latitude) and isnotempty(longitude)\r\n| extend label = strcat(\r\n iif(strlen(city) > 0, strcat(city, \", \"), \"\"),\r\n iif(strlen(state) > 0, strcat(state, \", \"), \"\"),\r\n country\r\n)\r\n| extend label = trim(\", \", label)\r\n| extend label = iif(strlen(label) > 0, label, \"N/A\")\r\n| summarize count() by tostring(latitude), tostring(longitude), label", + "size": 0, + "showAnalytics": true, + "title": "Spam Messages by Source Country", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "map", + "mapSettings": { + "locInfo": "LatLong", + "latitude": "latitude", + "longitude": "longitude", + "sizeSettings": "count_", + "sizeAggregation": "Sum", + "minData": -1, + "labelSettings": "label", + "legendMetric": "count_", + "legendAggregation": "Sum", + "itemColorSettings": { + "nodeColorField": "count_", + "colorAggregation": "Sum", + "type": "heatmap", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "name": "query - 3", + "styleSettings": { + "margin": "5px", + "maxWidth": "50%", + "showBorder": true + } + } + ] + }, + "conditionalVisibility": { + "parameterName": 
"tab", + "comparison": "isEqualTo", + "value": "8" + }, + "name": "group - 10" + }, + { + "type": 1, + "content": { + "json": "#### 📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 7" + } + ], + "fromTemplateId": "Sentinel-Mimecast-Secure-Email-Gateway-Workbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/Mimecast/Workbooks/Mimecast_TTP_Workbook.json b/Solutions/Mimecast/Workbooks/Mimecast_TTP_Workbook.json new file mode 100644 index 00000000000..1691a4dc4e9 --- /dev/null +++ b/Solutions/Mimecast/Workbooks/Mimecast_TTP_Workbook.json 
@@ -0,0 +1,1225 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "82fedb33-961a-4199-a5ab-16340948ed10", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "label": "Time Range", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "value": { + "durationMs": 1209600000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 2" + }, + { + "type": 1, + "content": { + "json": "# Advanced Threat Detections" + }, + "name": "text - 17" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let TableMapping = dynamic(\n {\n \"Ttp_Url_CL\" : \"URL Protect\",\n \"Ttp_Attachment_CL\" : \"Attachment Protect\",\n \"Ttp_Impersonation_CL\" : \"Impersonation Protect\"\n });\nunion MimecastTTPUrl, MimecastTTPAttachment, MimecastTTPImpersonation\n| extend Type = tostring(TableMapping[Type])\n| make-series Count=count() default=0 on ['Event Time'] step 1d by Type", + "size": 3, + "showAnalytics": true, + "title": "Detection counts for Attachment Protect, URL Protect and Impersonation Protect", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + 
"tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "Type", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "Type", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "Count", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + }, + "nodeIdField": "Type", + "sourceIdField": "Count", + "targetIdField": "Type", + "graphOrientation": 3, + "showOrientationToggles": false, + "staticNodeSize": 100, + "hivesMargin": 5 + }, + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "MimecastTTPUrl", + "label": "URL Protect" + }, + { + "seriesName": "MimecastTTPAttachment", + "label": "Attachment Protect" + }, + { + "seriesName": "MimecastTTPImpersonation", + "label": "Impersonation Protect" + } + ] + }, + "mapSettings": { + "locInfo": "LatLong", + "sizeSettings": "Count", + "sizeAggregation": "Sum", + "legendMetric": "Count", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "Count", + "heatmapPalette": "greenRed" + } + } + }, + "name": "query - 8" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "0a398a65-91c9-4af5-8a10-c2fd5bdf205a", + "cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "URL Protect", + "subTarget": "url", + "preText": "", + "style": "link" + }, + { + "id": "f3d459a1-2475-4589-95dd-e614960b82f9", + "cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "Attachment Protect", + "subTarget": "attachment", + "style": "link" + }, + { + "id": "323ca7b8-5d5b-41e1-8d0d-a6cdb385f2e3", + 
"cellValue": "setTab", + "linkTarget": "parameter", + "linkLabel": "Impersonation Protect", + "subTarget": "impersonation", + "style": "link" + } + ] + }, + "name": "links - 7" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\"\n| make-series Count=count() default=0 on ['Event Time'] step 1d\n", + "size": 3, + "showAnalytics": true, + "title": "Malicious URL Detections", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "graphSettings": { + "type": 0 + }, + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "MimecastTTPUrl", + "label": "URL Protect" + } + ] + }, + "mapSettings": { + "locInfo": "LatLong" + } + }, + "name": "query - 11" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\"\n and ['From User Email Address'] contains \"@\"\n| summarize count() by ['From User Email Address']\n| top 10 by count_\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Senders of Malicious URLs", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "From User Email Address", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and 
isnotempty(Url)\n| summarize count() by Url\n| top 10 by count_\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Malicious URLs", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Url", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\"\n and ['User Email Address'] contains \"@\"\n| summarize count() by ['User Email Address']\n| top 10 by count_\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Targeted Recipients", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "User Email Address", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true, + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true + } + } + } + } + }, + "customWidth": "33", + "name": "query - 4" + } + ] + }, + "name": "dounts group 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(['Advanced Phishing Result Credential Theft Brands'])\n| summarize count() by ['Advanced Phishing Result Credential Theft Brands']\n| top 10 by count_\n\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Advanced Phishing Results - Credential Theft Brands", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": 
true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "sortBy": [ + { + "itemKey": "advancedPhishingResult_CredentialTheftTags_s", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "advancedPhishingResult_CredentialTheftTags_s", + "sortOrder": 1 + } + ], + "chartSettings": { + "group": "Advanced Phishing Result Credential Theft Brands", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty( ['Advanced Phishing Result Credential Theft Evidence'])\n| summarize count() by ['Advanced Phishing Result Credential Theft Evidence']\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Advanced Phishing Results - Credential Theft Evidence", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "tileSettings": { + "showBorder": false + }, + "chartSettings": { + "group": "Advanced Phishing Result Credential Theft Evidence", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(['Advanced Phishing Result Credential Theft Tags'])\n| summarize count() by ['Advanced Phishing Result Credential Theft Tags']\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Advanced Phishing Result - Credential Theft Tags", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "gridSettings": { + "hierarchySettings": { + "treeType": 1, + "groupBy": [ + "advancedPhishingResult_CredentialTheftTags_s" + ] + }, + "labelSettings": [ + { + "columnId": "advancedPhishingResult_CredentialTheftTags_s", + "label": "Credential Theft Tags" + }, + { + "columnId": "url_s", + "label": "URLs" + }, + { + "columnId": "count_", + "label": "Occurences" + } + ] + }, + "chartSettings": { + "group": "Advanced Phishing Result Credential Theft Tags", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 14" + } + ] + }, + "name": "dounts group 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(['Ttp Definition'])\n| summarize count() by ['Ttp Definition']\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 URL Protect Definitions", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Ttp Definition", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 16" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(['Admin Override'])\n| summarize count() by ['Admin Override']\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Admin Over-rides", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Admin Override", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 19" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(Action)\n| summarize count() by Action\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 URL Protect Actions", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Action", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 18" + } + ] + }, + "name": "dounts group 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(['User Override'])\n| summarize count() by ['User Override']\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 User Over-rides", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "User Override", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 22" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(['Sending IP'])\n| summarize count() by ['Sending IP']\n| top 10 by count_", + "size": 
3, + "showAnalytics": true, + "title": "Top 10 Sending IP Addresses", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Sending IP", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 26" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(Category)\n| summarize count() by Category\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Categories", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Category", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 24" + } + ] + }, + "name": "dounts group 4" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(['User Awareness Action'])\n| summarize count() by ['User Awareness Action']\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 User Awareness Action", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "User Awareness Action", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 27" + }, 
+ { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(Subject)\n| summarize count() by Subject\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Email Subjects Related To Malicious URLs", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Subject", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 31" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPUrl\n| where ['Scan Result'] == \"malicious\" and isnotempty(Actions)\n| summarize count() by Actions\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Internal Email Protect Mitigations by Actions", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Actions", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 30" + } + ] + }, + "name": "dounts group 5" + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 6" + } + ] + }, + "conditionalVisibility": { + "parameterName": "setTab", + "comparison": "isEqualTo", + "value": "url" + }, + "name": "group - 8" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPAttachment \n| where Result != \"safe\"\n| make-series Count=count() default=0 on 
['Event Time'] step 1d\n", + "size": 3, + "showAnalytics": true, + "title": "Malicious Attachment Detections", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "MimecastTTPAttachment", + "label": "Attachment Protect" + } + ] + } + }, + "name": "query - 13" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPAttachment\n| where Result != \"safe\"\n and ['Recipient Address'] contains \"@\"\n| summarize count() by ['Recipient Address']\n| top 10 by count_\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Recipients of Malicious Attachments", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Recipient Address", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPAttachment\n| where Result != \"safe\" and isnotempty(['Action Triggered'])\n| summarize count() by ['Action Triggered']\n| top 10 by count_\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Protection Actions Triggered", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Action Triggered", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + 
"customWidth": "33", + "name": "query - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPAttachment\n| where Result != \"safe\"\n and ['Sender Address'] contains \"@\"\n| summarize count() by ['Sender Address']\n| top 10 by count_\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Senders of Malicious Attachments", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Sender Address", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 6" + } + ] + }, + "name": "dounts group 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPAttachment\n| where Result != \"safe\" and isnotempty(['File Type'])\n| summarize count() by ['File Type']\n| top 10 by count_\n\n\n\n\n\n\n\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Malicious Attachment File Types", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "File Type", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPAttachment\n| where Result != \"safe\" and isnotempty(Details)\n| summarize count() by Details\n| top 10 by count_\n\n\n\n\n\n\n\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Attachment Protect Event Details", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + 
"showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Details", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 13" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPAttachment\n| where isnotempty(Result)\n| summarize count() by Result\n\n\n\n\n\n\n\n\n", + "size": 3, + "showAnalytics": true, + "title": "Attachment Event Results", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Result", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "33", + "name": "query - 12" + } + ] + }, + "name": "dounts group 2" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPAttachment\n| where Result != \"safe\" and isnotempty(Subject)\n| summarize count() by Subject\n| top 10 by count_\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Subjects for Emails Containing Malicious Attachments", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Subject", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 16" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPAttachment\n| where Result != \"safe\" and isnotempty(['File Hash'])\n| summarize count() by ['File Hash']\n| top 10 by 
count_\n\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Malicious Sha256 File Hashes", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "File Hash", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 18" + } + ] + }, + "name": "dounts group 3" + }, + { + "type": 1, + "content": { + "json": "📝 ***Refresh the web page to fetch details of recently collected events***" + }, + "name": "text - 4" + } + ] + }, + "conditionalVisibility": { + "parameterName": "setTab", + "comparison": "isEqualTo", + "value": "attachment" + }, + "name": "group - 7" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPImpersonation\n| where ['Tagged Malicious'] == true\n| make-series Count=count() default=0 on ['Event Time'] step 1d\n", + "size": 3, + "showAnalytics": true, + "title": "Malicious Impersonation Detections", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "count_", + "label": "Impersonation Protect" + } + ] + } + }, + "name": "query - 12" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPImpersonation\n| where ['Tagged Malicious'] == true\n and ['Recipient Address'] contains \"@\"\n| summarize count() by ['Recipient Address']\n| top 10 by count_", + "size": 3, + "showAnalytics": true, + 
"title": "Top 10 Recipients of Impersonation Emails", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Recipient Address", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 7", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPImpersonation\n| where ['Tagged Malicious'] == true\n and ['Sender Address'] contains \"@\"\n| summarize count() by ['Sender Address']\n| top 10 by count_\n", + "size": 3, + "showAnalytics": true, + "title": "Top 10 Senders of Impersonation Emails", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "group": "Sender Address", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + } + }, + "customWidth": "50", + "name": "query - 6", + "styleSettings": { + "maxWidth": "50" + } + } + ] + }, + "name": "donuts group 1" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "## Top 10 Impersonation Events\n" + }, + "name": "text - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPImpersonation\n| where ['Tagged Malicious'] == true and isnotempty(['Impersonation Results'])\n| summarize count() by ['Impersonation Results']\n|extend ['Impersonation Results'] = trim(@\"[\\[\\]]\",['Impersonation Results'])\n|extend ['Impersonation Results'] = trim(@\"[\\{\\}]\",['Impersonation Results'])\n| extend ['Impersonation Results'] = replace_string(['Impersonation Results'],',',', 
') \n| extend ['Impersonation Results'] = replace_string(['Impersonation Results'],'\"','') \n| top 10 by count_\n", + "size": 3, + "showAnalytics": true, + "title": "Grouped by Impersonation Result", + "timeContextFromParameter": "Time_Range", + "showRefreshButton": true, + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "recipientAddress_s", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "count_", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "TenantId", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "hits_d", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "chartSettings": { + "yAxis": [ + "count_" + ], + "group": "Impersonation Results", + "createOtherGroup": 10, + "showMetrics": false, + "showLegend": true + }, + "mapSettings": { + "locInfo": "LatLong", + "sizeSettings": "count_", + "sizeAggregation": "Sum", + "legendMetric": "count_", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "count_", + "heatmapPalette": "greenRed" + } + } + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "MimecastTTPImpersonation\n| where ['Tagged Malicious'] == true and isnotempty(Identifiers)\n| summarize count() by Identifiers\n|extend Identifiers = trim(@\"[\\[\\]]\",Identifiers)\n| extend Identifiers = replace_string(Identifiers,'\"','') \n| top 10 by count_\n", + "size": 3, + "showAnalytics": true, + "title": "Grouped by 
Impersonation Identifiers",
+ "timeContextFromParameter": "Time_Range",
+ "showRefreshButton": true,
+ "showExportToExcel": true,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart",
+ "chartSettings": {
+ "group": "Identifiers",
+ "createOtherGroup": 10,
+ "showMetrics": false,
+ "showLegend": true
+ }
+ },
+ "customWidth": "50",
+ "name": "query - 10"
+ }
+ ]
+ },
+ "name": "dounts group 2"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "📝 ***Refresh the web page to fetch details of recently collected events***"
+ },
+ "name": "text - 3"
+ }
+ ]
+ },
+ "conditionalVisibility": {
+ "parameterName": "setTab",
+ "comparison": "isEqualTo",
+ "value": "impersonation"
+ },
+ "name": "group - 6"
+ }
+ ],
+ "fromTemplateId": "Sentinel-Mimecast-Targeted-Threat-Protection-Workbook",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
diff --git a/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json b/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json
index b940ab9ba21..ffbcdb9b25f 100644
--- a/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json
+++ b/Solutions/MimecastSEG/Data Connectors/azuredeploy_MimecastSEG_AzureFunctionApp.json
@@ -8,6 +8,12 @@
 "description": "The name of the function app that you wish to create."
 }
 },
+ "hostingPlan": {
+ "type": "string",
+ "metadata": {
+ "description": "The name of the Azure App Services Plan where this function app will run."
+ }
+ },
 "objectId": {
 "type": "string",
 "metadata": {
@@ -114,7 +120,7 @@
 },
 "variables": {
 "functionAppName": "[parameters('appName')]",
- "hostingPlanName": "[parameters('appName')]",
+ "hostingPlanName": "[parameters('hostingPlan')]",
 "applicationInsightsName": "[parameters('appName')]",
 "storageAccountName": "[parameters('appName')]"
 },
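Review bot: The new `hostingPlan` parameter in the @@ -8 hunk of azuredeploy_MimecastSEG_AzureFunctionApp.json has no `defaultValue`, so every existing deployment that supplies only `appName` — which until now also named the plan, per the removed `"hostingPlanName": "[parameters('appName')]"` line in the @@ -114 hunk — will be rejected at validation for a missing parameter. If the intent is to let operators reuse an existing plan while keeping the old behaviour by default, `"defaultValue": "[parameters('appName')]"` on the new parameter preserves compatibility; otherwise whatever drives this template (a createUiDefinition or the connector instructions, neither visible here) presumably needs the new input added. The metadata description should also say whether the plan named here must already exist or is created by this template, since the resources section that decides that is outside the hunk.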
diff --git a/Solutions/Okta Single Sign-On/Package/3.0.10.zip b/Solutions/Okta Single Sign-On/Package/3.0.10.zip new file mode 100644 index 00000000000..a0d6f14bcfe Binary files /dev/null and b/Solutions/Okta Single Sign-On/Package/3.0.10.zip differ diff --git a/Solutions/Okta Single Sign-On/Package/mainTemplate.json b/Solutions/Okta Single Sign-On/Package/mainTemplate.json index 171b320b485..eae49f17781 100644 --- a/Solutions/Okta Single Sign-On/Package/mainTemplate.json +++ b/Solutions/Okta Single Sign-On/Package/mainTemplate.json @@ -55,7 +55,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Okta Single Sign-On", - "_solutionVersion": "3.0.9", + "_solutionVersion": "3.0.10", "solutionId": "azuresentinel.azure-sentinel-solution-okta", "_solutionId": "[variables('solutionId')]", "analyticRuleObject1": { @@ -231,10 +231,9 @@ "_parserName1": "[concat(parameters('workspace'),'/','OktaSSO')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'OktaSSO')]", "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('OktaSSO-Parser')))]", - "parserVersion1": "1.0.1", + "parserVersion1": "1.0.2", "parserContentId1": "OktaSSO-Parser" }, - "SessionId": "authenticationContext_externalSessionId_s", "_SessionId": "[variables('SessionId')]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" 
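Review bot: In the @@ -231 hunk of the Okta mainTemplate.json the variable `"SessionId": "authenticationContext_externalSessionId_s"` is removed while `"_SessionId": "[variables('SessionId')]"` is kept, so unless `SessionId` is declared again somewhere outside this hunk the reference is dangling and the whole deployment fails at template validation. That indirection is consumed by the `customDetails` blocks in the @@ -788 and @@ -1033 hunks, the latter switching from the literal column name to `[variables('_SessionId')]`, so both analytics rules depend on it. This file looks generated by the solution packager, so the fix most likely belongs in the packaging input; either restore the removed line or collapse the indirection to `"_SessionId": "authenticationContext_externalSessionId_s"`.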
@@ -249,7 +248,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "FailedLoginsFromUnknownOrInvalidUser_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -368,7 +367,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LoginfromUsersfromDifferentCountrieswithin3hours_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -478,7 +477,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PasswordSpray_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -588,7 +587,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PhishingDetection_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -659,8 +658,8 @@ } ], "customDetails": { - "UserAgent": "client_userAgent_rawUserAgent_s", - "Location": "Location" + "Location": "Location", + "UserAgent": "client_userAgent_rawUserAgent_s" } } }, @@ -715,7 +714,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "NewDeviceLocationCriticalOperation_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -788,12 +787,12 @@ } ], "customDetails": { - "SessionId": "[variables('_SessionId')]", - "Location": "Location" + "Location": "Location", + "SessionId": "[variables('_SessionId')]" }, "alertDetailsOverride": { - "alertDisplayNameFormat": "New Device/Location {{Location}} sign-in along with critical operation", - "alertDescriptionFormat": "This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations\n" + "alertDescriptionFormat": "This query identifies users seen login from new geo location/country {{Location}} as well as a new device and performing critical operations\n", + "alertDisplayNameFormat": "New Device/Location {{Location}} sign-in along with critical operation" } } }, @@ -848,7 +847,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "MFAFatigue_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -962,7 +961,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "HighRiskAdminActivity_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -1033,7 +1032,7 @@ } ], "customDetails": { - "SessionId": "authenticationContext_externalSessionId_s" + "SessionId": "[variables('_SessionId')]" } } }, @@ -1088,7 +1087,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "DeviceRegistrationMaliciousIP_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1211,7 +1210,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "UserSessionImpersonation_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1329,7 +1328,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta Single Sign-On data connector with template version 3.0.9", + "description": "Okta Single Sign-On data connector with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -2685,7 +2684,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.9", + "description": "AdminPrivilegeGrant_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -2770,7 +2769,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.9", + "description": "CreateAPIToken_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2855,7 +2854,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ImpersonationSession_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -2940,7 +2939,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "RareMFAOperation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -3025,7 +3024,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.9", + "description": "UserPasswordReset_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -3110,7 +3109,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.9", + "description": "NewDeviceRegistration_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -3195,7 +3194,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LoginsVPSProvider_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -3280,7 +3279,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LoginNordVPN_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -3365,7 +3364,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LoginFromMultipleLocations_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -3450,7 +3449,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.9", + "description": "LegacyAuthentication_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -3535,7 +3534,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaCustomConnector Playbook with template version 3.0.9", + "description": "OktaCustomConnector Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -4798,7 +4797,7 @@ ], "metadata": { "comments": "This OKTA connector uses okta API to perform different actions on the user accounts.", - "lastUpdateTime": "2024-10-14T18:36:21.775Z", + "lastUpdateTime": "2024-11-07T18:58:15.778Z", "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", 
@@ -4830,7 +4829,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.9", + "description": "Okta-EnrichIncidentWithUserDetails Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -5189,7 +5188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-PromptUser Playbook with template version 3.0.9", + "description": "Okta-PromptUser Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -5640,7 +5639,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Okta-ResponseFromTeams Playbook with template version 3.0.9", + "description": "Okta-ResponseFromTeams Playbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", 
@@ -6147,7 +6146,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSingleSignOn Workbook with template version 3.0.9", + "description": "OktaSingleSignOn Workbook with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -6243,7 +6242,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "OktaSSO Data Parser with template version 3.0.9", + "description": "OktaSSO Data Parser with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -6260,7 +6259,7 @@ "displayName": "Backward Compatibility Parser for Okta SSO", "category": "Microsoft Sentinel Parser", "functionAlias": "OktaSSO", - "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:string,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n 
AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: real,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: string,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: string,\n SecurityContextAsNumber: real,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: string,\n TransactionDetail: string,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n 
authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", + "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n 
authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:dynamic,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n 
SrcZone: string,\n DebugData: dynamic,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n DomainName: string ,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n domain_s=DomainName,\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n 
client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", "functionParameters": "", "version": 2, "tags": [ @@ -6310,8 +6309,8 @@ "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", "displayName": "Backward Compatibility Parser for Okta SSO", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.1')))]", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.2')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.2')))]", "version": "[variables('parserObject1').parserVersion1]" } }, 
@@ -6325,7 +6324,7 @@ "displayName": "Backward Compatibility Parser for Okta SSO", "category": "Microsoft Sentinel Parser", "functionAlias": "OktaSSO", - "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:string,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n 
AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: real,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n SrcZone: string,\n DebugData: string,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: string,\n SecurityContextAsNumber: real,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: string,\n TransactionDetail: string,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n 
authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", + "query": "let Okta_SSO = view () {\nlet Oktav1_empty = datatable(\n actor_alternateId_s:string,\n actor_detailEntry_s:string,\n actor_displayName_s:string,\n actor_id_s:string,\n actor_type_s:string,\n authenticationContext_authenticationProvider_s:string,\n authenticationContext_authenticationStep_d:double,\n authenticationContext_credentialProvider_s:string,\n authenticationContext_credentialType_s:string,\n authenticationContext_externalSessionId_s:string,\n 
authenticationContext_interface_s:string,\n authenticationContext_issuerId_s:string,\n authenticationContext_issuerType_s:string,\n client_device_s:string,\n client_geographicalContext_city_s:string,\n client_geographicalContext_country_s:string,\n client_geographicalContext_geolocation_lat_d:double,\n client_geographicalContext_geolocation_lon_d:double,\n client_geographicalContext_postalCode_s:string,\n client_geographicalContext_state_s:string,\n client_id_s:string,\n client_ipAddress_s:string,\n client_userAgent_browser_s:string,\n client_userAgent_os_s:string,\n client_userAgent_rawUserAgent_s:string,\n client_zone_s:string,\n debugContext_debugData_s:string,\n displayMessage_s:string,\n eventType_s:string,\n legacyEventType_s:string,\n uuid_g:string,\n outcome_reason_s:string,\n outcome_result_s:string,\n request_ipChain_s:string,\n securityContext_asNumber_d:double,\n securityContext_asOrg_s:string,\n securityContext_domain_s:string,\n securityContext_isp_s:string,\n securityContext_isProxy_b:bool,\n severity_s:string,\n target_s:string,\n transaction_details_s:string,\n transaction_id_s:string,\n transaction_type_s:string,\n version_s:string\n )[];\n let Oktav2_empty = datatable(\n TimeGenerated:datetime,\n OriginalActorAlternateId:string,\n ActorDetailEntry:dynamic,\n ActorDisplayName:string,\n OriginalUserId:string,\n OriginalUserType:string,\n AuthenticationContextAuthenticationProvider:string,\n AuthenticationContextAuthenticationStep: int,\n AuthenticationContextCredentialProvider: string,\n LogonMethod: string,\n ActorSessionId: string,\n AuthenticationContextInterface:string,\n AuthenticationContextIssuerId:string,\n AuthenticationContextIssuerType:string,\n OriginalClientDevice:string,\n SrcGeoCity:string,\n SrcGeoCountry:string,\n SrcGeoLatitude: double,\n SrcGeoLongtitude: double,\n SrcGeoPostalCode: string,\n SrcGeoRegion: string,\n SrcDvcId: string,\n SrcIpAddr: string,\n ActingAppName: string,\n SrcDvcOs: string,\n HttpUserAgent: string,\n 
SrcZone: string,\n DebugData: dynamic,\n EventMessage: string,\n EventOriginalType: string,\n LegacyEventType: string,\n EventOriginalUid: string,\n EventOriginalResultDetails: string,\n OriginalOutcomeResult: string,\n Request: dynamic,\n SecurityContextAsNumber: int,\n SecurityContextAsOrg: string,\n SecurityContextDomain: string,\n SrcIsp: string,\n DomainName: string ,\n SecurityContextIsProxy: bool,\n OriginalSeverity: string,\n OriginalTarget: dynamic,\n TransactionDetail: dynamic,\n TransactionId: string,\n TransactionType: string,\n Version: string\n)[];\nlet Oktav2 = union isfuzzy=true Oktav2_empty, OktaV2_CL |\n project TimeGenerated,\n actor_alternateId_s=OriginalActorAlternateId,\n actor_detailEntry_s=tostring(ActorDetailEntry),\n domain_s=DomainName,\n actor_displayName_s=ActorDisplayName,\n actor_id_s=OriginalUserId,\n actor_type_s=OriginalUserType,\n authenticationContext_authenticationProvider_s=AuthenticationContextAuthenticationProvider,\n authenticationContext_authenticationStep_d=toreal(AuthenticationContextAuthenticationStep),\n authenticationContext_credentialProvider_s=AuthenticationContextCredentialProvider,\n authenticationContext_credentialType_s=LogonMethod,\n authenticationContext_externalSessionId_s=ActorSessionId,\n authenticationContext_interface_s=AuthenticationContextInterface,\n authenticationContext_issuerId_s=AuthenticationContextIssuerId,\n authenticationContext_issuerType_s=AuthenticationContextIssuerType,\n client_device_s=OriginalClientDevice,\n client_geographicalContext_city_s=SrcGeoCity,\n client_geographicalContext_country_s=SrcGeoCountry,\n client_geographicalContext_geolocation_lat_d=SrcGeoLatitude,\n client_geographicalContext_geolocation_lon_d=SrcGeoLongtitude,\n client_geographicalContext_postalCode_s=SrcGeoPostalCode,\n client_geographicalContext_state_s=SrcGeoRegion,\n client_id_s=SrcDvcId,\n client_ipAddress_s=SrcIpAddr,\n client_userAgent_browser_s=ActingAppName,\n client_userAgent_os_s=SrcDvcOs,\n 
client_userAgent_rawUserAgent_s=HttpUserAgent,\n client_zone_s=SrcZone,\n debugContext_debugData_s=tostring(DebugData),\n displayMessage_s=EventMessage,\n eventType_s=EventOriginalType,\n legacyEventType_s=LegacyEventType,\n uuid_g=EventOriginalUid,\n outcome_reason_s=EventOriginalResultDetails,\n outcome_result_s=OriginalOutcomeResult,\n request_ipChain_s=tostring(Request),\n securityContext_asNumber_d=toreal(SecurityContextAsNumber),\n securityContext_asOrg_s=SecurityContextAsOrg,\n securityContext_domain_s=SecurityContextDomain,\n securityContext_isp_s=SrcIsp,\n securityContext_isProxy_b=SecurityContextIsProxy,\n severity_s=OriginalSeverity,\n target_s=tostring(OriginalTarget),\n transaction_details_s=tostring(TransactionDetail),\n transaction_id_s=TransactionId,\n transaction_type_s=TransactionType,\n version_s = Version;\n union isfuzzy=true Oktav1_empty, Oktav2, Okta_CL\n};\nOkta_SSO()\n", "functionParameters": "", "version": 2, "tags": [ @@ -6371,7 +6370,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.9", + "version": "3.0.10", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Okta Single Sign-On", diff --git a/Solutions/Okta Single Sign-On/Parsers/OktaSSO.yaml b/Solutions/Okta Single Sign-On/Parsers/OktaSSO.yaml index e6e5b2ff38a..e7d97bfbb9e 100644 --- a/Solutions/Okta Single Sign-On/Parsers/OktaSSO.yaml +++ b/Solutions/Okta Single Sign-On/Parsers/OktaSSO.yaml @@ -1,7 +1,7 @@ id: ee884976-418c-472d-8a91-3533f4aa15d0 Function: Title: Backward Compatibility Parser for Okta SSO - Version: '1.0.1' + Version: '1.0.2' LastUpdated: '2023-09-07' Category: Microsoft Sentinel Parser FunctionName: OktaSSO 
@@ -58,12 +58,12 @@ FunctionQuery: |
 let Oktav2_empty = datatable(
 TimeGenerated:datetime,
 OriginalActorAlternateId:string,
- ActorDetailEntry:string,
+ ActorDetailEntry:dynamic,
 ActorDisplayName:string,
 OriginalUserId:string,
 OriginalUserType:string,
 AuthenticationContextAuthenticationProvider:string,
- AuthenticationContextAuthenticationStep: real,
+ AuthenticationContextAuthenticationStep: int,
 AuthenticationContextCredentialProvider: string,
 LogonMethod: string,
 ActorSessionId: string,
@@ -83,22 +83,23 @@ FunctionQuery: |
 SrcDvcOs: string,
 HttpUserAgent: string,
 SrcZone: string,
- DebugData: string,
+ DebugData: dynamic,
 EventMessage: string,
 EventOriginalType: string,
 LegacyEventType: string,
 EventOriginalUid: string,
 EventOriginalResultDetails: string,
 OriginalOutcomeResult: string,
- Request: string,
- SecurityContextAsNumber: real,
+ Request: dynamic,
+ SecurityContextAsNumber: int,
 SecurityContextAsOrg: string,
 SecurityContextDomain: string,
 SrcIsp: string,
+ DomainName: string ,
 SecurityContextIsProxy: bool,
 OriginalSeverity: string,
- OriginalTarget: string,
- TransactionDetail: string,
+ OriginalTarget: dynamic,
+ TransactionDetail: dynamic,
 TransactionId: string,
 TransactionType: string,
 Version: string
@@ -107,6 +108,7 @@ FunctionQuery: |
 project TimeGenerated,
 actor_alternateId_s=OriginalActorAlternateId,
 actor_detailEntry_s=tostring(ActorDetailEntry),
+ domain_s=DomainName,
 actor_displayName_s=ActorDisplayName,
 actor_id_s=OriginalUserId,
 actor_type_s=OriginalUserType,
diff --git a/Solutions/Okta Single Sign-On/ReleaseNotes.md b/Solutions/Okta Single Sign-On/ReleaseNotes.md
index 7a57ff182b8..7043f9018d1 100644
--- a/Solutions/Okta Single Sign-On/ReleaseNotes.md
+++ b/Solutions/Okta Single Sign-On/ReleaseNotes.md
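Review bot: The `domain_s=DomainName` projection added in the `@@ -107,6 +108,7 @@` hunk introduces an output column that the parser's v1 contract never declares: `Oktav1_empty`, defined earlier in FunctionQuery outside these hunks, has no `domain_s`, so either add `domain_s:string` there or confirm that the legacy `Okta_CL` table (presumably the origin of the `_s` name) carries it with type string, since a type mismatch in the closing `union isfuzzy=true` would split the column the same way the old `real`/`string` placeholders did. The retyped placeholders (`int` for `AuthenticationContextAuthenticationStep` and `SecurityContextAsNumber`, `dynamic` for the five object columns) only fix the schema if they match the live `OktaV2_CL` column types exactly, so they are worth checking against the table definition rather than sample data; the `toreal()` wrappers keep the projected output as double either way. `DomainName: string ,` carries a stray space before the comma. This file's first hunk bumps `Version` to 1.0.2 but leaves `LastUpdated: '2023-09-07'` unchanged while the release note dates the fix 08-11-2024, and the same query is embedded twice in Package/mainTemplate.json, so those copies must stay byte-identical to this source.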
@@ -1,5 +1,7 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------------------------|
+| 3.0.10 | 08-11-2024 | Updated **Parser** to fix the schema |
+| 3.0.9 | 17-10-2024 | Updated package to fix connectivity of CCP connector |
 | 3.0.8 | 14-08-2024 | Data Connector Globally Available |
 | 3.0.7 | 25-04-2024 | Repackaged for parser issue with old names |
 | 3.0.6 | 17-04-2024 | Repackaged solution for parser fix |
diff --git a/Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/main.py b/Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/main.py
index 698537110c0..94aef01a2a3 100644
--- a/Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/main.py
+++ b/Solutions/Oracle Cloud Infrastructure/Data Connectors/AzureFunctionOCILogs/main.py
@@ -102,7 +102,7 @@ def get_cursor_by_group(sc, sid, group_name, instance_name):
 return response.data.value
 
 def get_cursor_by_partition(client, stream_id, partition):
- print("Creating a cursor for partition {}".format(partition))
+ logging.info("Creating a cursor for partition {}".format(partition))
 cursor_details = oci.streaming.models.CreateCursorDetails(
 partition=partition,
 type=oci.streaming.models.CreateCursorDetails.TYPE_TRIM_HORIZON)
diff --git a/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCILogsConn.zip b/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCILogsConn.zip
index 7da825d6bf7..7958dd5c045 100644
Binary files a/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCILogsConn.zip and b/Solutions/Oracle Cloud Infrastructure/Data Connectors/OCILogsConn.zip differ
diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml
index 5aba013bee0..6c6bfcbe3d8 100644
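Review bot: The new `logging.info("Creating a cursor for partition {}".format(partition))` in the main.py hunk formats the message eagerly; the logging idiom is to hand the argument to the logger so interpolation happens only when INFO is enabled: `logging.info("Creating a cursor for partition %s", partition)`. The hunk does not show main.py's import block, so confirm `logging` is imported there; otherwise the `print` that used to work becomes a `NameError` on the first cursor creation. `get_cursor_by_partition` continues past the hunk, and any other `print` calls left in the file would be worth converting in the same change so the connector's diagnostics land in one log stream.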
--- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/FileHashEntity_Covid19_CommonSecurityLog.yaml
@@ -5,12 +5,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoNetworks
- dataTypes:
- - CommonSecurityLog
- - connectorId: PaloAltoNetworksAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -72,5 +66,5 @@ entityMappings:
 columnName: FileHashValue
 - identifier: Algorithm
 columnName: FileHashType
-version: 1.3.5
+version: 1.3.6
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml
index b34d5bfb4aa..110e00a0d2f 100644
--- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml
@@ -10,12 +10,6 @@ description: |
 severity: Low
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoNetworks
- dataTypes:
- - CommonSecurityLog
- - connectorId: PaloAltoNetworksAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -68,5 +62,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
index 9c1c9fa0848..af0bd93a483 100644
--- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml
@@ -7,12 +7,6 @@ description: |
 severity: Low
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoNetworks
- dataTypes:
- - CommonSecurityLog
- - connectorId: PaloAltoNetworksAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -68,5 +62,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.6
+version: 1.0.7
 kind: Scheduled
diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml
index db90df11763..28aa6900ad2 100644
--- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-UnusualThreatSignatures.yaml
@@ -7,12 +7,6 @@ description: |
 severity: Medium
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoNetworks
- dataTypes:
- - CommonSecurityLog
- - connectorId: PaloAltoNetworksAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -59,5 +53,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: SourceIP
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml b/Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml
index 396e79a855a..288f1461538 100644
--- a/Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml
+++ b/Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml
@@ -6,12 +6,6 @@ description: |
 severity: Low
 status: Available
 requiredDataConnectors:
- - connectorId: PaloAltoNetworks
- dataTypes:
- - CommonSecurityLog
- - connectorId: PaloAltoNetworksAma
- dataTypes:
- - CommonSecurityLog
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -64,4 +58,4 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.4 \ No newline at end of file +version: 1.0.5 \ No newline at end of file diff --git a/Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml b/Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml index 9364a983912..01614a828e3 100644 --- a/Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml +++ b/Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml @@ -4,12 +4,6 @@ description: | 'Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks. Consider updating the firewall policies to block the connections.' requiredDataConnectors: - - connectorId: PaloAltoNetworks - dataTypes: - - CommonSecurityLog - - connectorId: PaloAltoNetworksAma - dataTypes: - - CommonSecurityLog - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -116,4 +110,4 @@ entityMappings: fieldMappings: - identifier: Address columnName: DestinationIP -version: 1.0.1 +version: 1.0.2 diff --git a/Solutions/PaloAlto-PAN-OS/Package/3.0.7.zip b/Solutions/PaloAlto-PAN-OS/Package/3.0.7.zip index c13ebb456b9..06971f5bcb2 100644 Binary files a/Solutions/PaloAlto-PAN-OS/Package/3.0.7.zip and b/Solutions/PaloAlto-PAN-OS/Package/3.0.7.zip differ diff --git a/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json b/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json index 45288c8c705..4bf8c64ce83 100644 --- a/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json +++ b/Solutions/PaloAlto-PAN-OS/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 2, **Custom Azure Logic Apps Connectors:** 2, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connector:** 1,**Workbooks:** 2, **Analytic Rules:** 4, **Hunting Queries:** 2, **Custom Azure Logic Apps Connectors:** 2, **Playbooks:** 7\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
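Review bot: The new description drops the space after the comma in `**Data Connector:** 1,**Workbooks:** 2`, so the rendered markdown runs the two counts together where the old text had `, **Workbooks:**`. The sentence `**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.` is kept verbatim even though this commit removes those connectors from the solution, so the note now refers to connectors the package no longer ships; rewording it to state that the legacy connectors have been removed and CEF via AMA is required would match the change. `Data Connector: 1` is also worth confirming, since the dataconnectors step is removed from `steps` in the next hunk and both connector resources are removed from mainTemplate.json; presumably the count now refers to the CefAma dependency, but that is inferred.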
@@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for PaloAlto-PAN-OS. You can get PaloAlto-PAN-OS CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", @@ -246,7 +222,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.\nConsider updating the firewall policies to block the connections. This hunting query depends on PaloAltoNetworks PaloAltoNetworksAma CefAma data connector (CommonSecurityLog CommonSecurityLog CommonSecurityLog Parser or Table)" + "text": "Identifies network connections whose ports are frequent targets of attacks and should not cross network boundaries or reach untrusted public networks.\nConsider updating the firewall policies to block the connections. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] 
@@ -260,7 +236,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.\n Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 This hunting query depends on PaloAltoNetworks PaloAltoNetworksAma CefAma data connector (CommonSecurityLog CommonSecurityLog CommonSecurityLog Parser or Table)" + "text": "Identifies beaconing patterns from PAN traffic logs based on recurrent timedelta patterns.\n Reference Blog:https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detect-network-beaconing-via-intra-request-time-delta-patterns/ba-p/779586 This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] diff --git a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json index e7637667c3c..e680cbaff9d 100644 --- a/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json +++ b/Solutions/PaloAlto-PAN-OS/Package/mainTemplate.json 
@@ -52,31 +52,13 @@ "_solutionVersion": "3.0.7", "solutionId": "azuresentinel.azure-sentinel-solution-paloaltopanos", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "PaloAltoNetworks", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "PaloAltoNetworks", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "PaloAltoNetworksAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "PaloAltoNetworksAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', 
uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "huntingQueryObject1": { - "huntingQueryVersion1": "1.0.1", + "huntingQueryVersion1": "1.0.2", "_huntingQuerycontentId1": "0a57accf-3548-4e38-a861-99687c958f59", "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('0a57accf-3548-4e38-a861-99687c958f59')))]" }, "huntingQueryObject2": { - "huntingQueryVersion2": "1.0.4", + "huntingQueryVersion2": "1.0.5", "_huntingQuerycontentId2": "2f8522fc-7807-4f0a-b53d-458296edab8d", "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('2f8522fc-7807-4f0a-b53d-458296edab8d')))]" }, 
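Review bot: `_solutionVersion` stays at `3.0.7` (context line at the top of the hunk) while the package content changes materially — both data connector variable sets are removed here and every analytic rule and hunting query version is bumped — and `Package/3.0.7.zip` is overwritten in place rather than a new package file being added. If 3.0.7 has already been published to the content hub, workspaces that installed it will see no update for the connector removal or the bumped content versions; bumping to the next solution version (with a matching `_solutionVersion`, package file and release-notes entry) is the usual way to ship this. This is inferred from the visible context line and the binary-file line; the solution metadata block that would show the intended version is outside the hunk.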
@@ -94,32 +76,32 @@ "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.2", + "analyticRuleVersion1": "1.0.3", "_analyticRulecontentId1": "89a86f70-615f-4a79-9621-6f68c50f365f", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '89a86f70-615f-4a79-9621-6f68c50f365f')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('89a86f70-615f-4a79-9621-6f68c50f365f')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.2')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','89a86f70-615f-4a79-9621-6f68c50f365f','-', '1.0.3')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.3.5", + "analyticRuleVersion2": "1.3.6", "_analyticRulecontentId2": "2be4ef67-a93f-4d8a-981a-88158cb73abd", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '2be4ef67-a93f-4d8a-981a-88158cb73abd')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('2be4ef67-a93f-4d8a-981a-88158cb73abd')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.5')))]" + "_analyticRulecontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2be4ef67-a93f-4d8a-981a-88158cb73abd','-', '1.3.6')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.4", + "analyticRuleVersion3": "1.0.5", "_analyticRulecontentId3": "f0be259a-34ac-4946-aa15-ca2b115d5feb", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f0be259a-34ac-4946-aa15-ca2b115d5feb')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f0be259a-34ac-4946-aa15-ca2b115d5feb')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.4')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f0be259a-34ac-4946-aa15-ca2b115d5feb','-', '1.0.5')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.6", + "analyticRuleVersion4": "1.0.7", "_analyticRulecontentId4": "5b72f527-e3f6-4a00-9908-8e4fee14da9f", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '5b72f527-e3f6-4a00-9908-8e4fee14da9f')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('5b72f527-e3f6-4a00-9908-8e4fee14da9f')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.6')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','5b72f527-e3f6-4a00-9908-8e4fee14da9f','-', '1.0.7')))]" }, "PaloAlto_PAN-OS_Rest_API_CustomConnector": "PaloAlto_PAN-OS_Rest_API_CustomConnector", "_PaloAlto_PAN-OS_Rest_API_CustomConnector": "[variables('PaloAlto_PAN-OS_Rest_API_CustomConnector')]", 
@@ -197,708 +179,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PaloAlto-PAN-OS data connector with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Palo Alto Networks", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated" - }, - { - "description": "THREAT activity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAlto)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)", - "title": "2. Forward Palo Alto Networks logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "metadata": { - "id": "ef80260c-3aec-43bc-a1e5-c2f2372c9adc", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Palo Alto Networks" - }, - "support": { - "name": "Palo Alto Networks", - "link": "https://www.paloaltonetworks.com/company/contact-support", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "PaloAlto-PAN-OS", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent", - "contentProductId": 
"[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "PaloAlto-PAN-OS", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Palo Alto Networks (Firewall) via Legacy Agent", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Palo Alto Networks", - "baseQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAlto)", - "lastDataReceivedQuery": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated" - }, - { - "description": "THREAT activity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. 
Linux Syslog agent configuration" - }, - { - "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)", - "title": "2. Forward Palo Alto Networks logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PaloAlto-PAN-OS data connector with template version 3.0.7", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Palo Alto Networks (Firewall) via AMA", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. 
This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Palo Alto Networks", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated" - }, - { - "description": "THREAT activity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where Activity == \"THREAT\"\n | sort by TimeGenerated" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct =~ 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAlto)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - 
"delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Palo Alto Networks logs to Syslog agent", - "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)" - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "metadata": { - "id": "ef80260c-3aec-43bc-a1e5-c2f2372c9adc", - "version": "1.0.0", - "kind": "dataConnector", - "source": { - "kind": "community" - }, - "author": { - "name": "Palo Alto Networks" - }, - "support": { - "name": "Palo Alto Networks", - "link": "https://www.paloaltonetworks.com/company/contact-support", - "tier": "developer" - } - } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "PaloAlto-PAN-OS", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": 
"https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Palo Alto Networks (Firewall) via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "PaloAlto-PAN-OS", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": 
"[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Palo Alto Networks (Firewall) via AMA", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The Palo Alto Networks firewall connector allows you to easily connect your Palo Alto Networks logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Palo Alto Networks", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAlto)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct has 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks' \n |where DeviceProduct =~ 'PAN-OS'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | sort by TimeGenerated" - }, - { - "description": "THREAT activity", - "query": "\nCommonSecurityLog\n| where DeviceVendor == \"Palo Alto Networks\"\n| where DeviceProduct has \"PAN-OS\"\n\n | where 
Activity == \"THREAT\"\n | sort by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Forward Palo Alto Networks logs to Syslog agent", - "description": "Configure Palo Alto Networks to forward Syslog messages in CEF format to your Microsoft Sentinel workspace via the Syslog agent.\n\nGo to [configure Palo Alto Networks NGFW for sending CEF events.](https://aka.ms/sentinel-paloaltonetworks-readme)\n\nGo to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:\n\n1. Set the Syslog server format to **BSD**.\n\n2. The copy/paste operations from the PDF might change the text and insert random characters. To avoid this, copy the text to an editor and remove any characters that might break the log format before pasting it.\n\n[Learn more >](https://aka.ms/CEFPaloAlto)" - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -975,9 +255,9 @@ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", "contentKind": "HuntingQuery", "displayName": "Palo Alto - high-risk ports", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.1')))]", - "version": "1.0.1" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.2')))]", + "version": "1.0.2" } }, { 
@@ -1060,9 +340,9 @@ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", "contentKind": "HuntingQuery", "displayName": "Palo Alto - potential beaconing detected", - "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.4')))]", - "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.4')))]", - "version": "1.0.4" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.5')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.5')))]", + "version": "1.0.5" } }, { @@ -1285,18 +565,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworksAma", - "dataTypes": [ - "CommonSecurityLog" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -1408,18 +676,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworksAma", - "dataTypes": [ - "CommonSecurityLog" - ] - }, { "connectorId": "CefAma", "dataTypes": [ 
@@ -1574,18 +830,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworksAma", - "dataTypes": [ - "CommonSecurityLog" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -1709,18 +953,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoNetworks", - "dataTypes": [ - "CommonSecurityLog" - ] - }, - { - "connectorId": "PaloAltoNetworksAma", - "dataTypes": [ - "CommonSecurityLog" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -9933,7 +9165,7 @@ "contentSchemaVersion": "3.0.0", "displayName": "PaloAlto-PAN-OS", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Networks (Firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Workbooks: 2, Analytic Rules: 4, Hunting Queries: 2, Custom Azure Logic Apps Connectors: 2, Playbooks: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Networks (Firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connector: 1Workbooks: 2, Analytic Rules: 4, Hunting Queries: 2, Custom Azure Logic Apps Connectors: 2, Playbooks: 7

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -9957,16 +9189,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "HuntingQuery", "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", diff --git a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md index 0c0d5eef8f2..ddaabecabd5 100644 --- a/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md +++ b/Solutions/PaloAlto-PAN-OS/ReleaseNotes.md @@ -1,6 +1,7 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.7 | 08-01-2024 | Updated **Analytic Rule** for entity mappings | +| 3.0.7 | 11-11-2024 | Removed Deprecated **Data Connector** | +| | | Updated **Analytic Rule** for entity mappings | | 3.0.6 | 12-07-2024 | Deprecated **Data Connector** | | 3.0.5 | 30-04-2024 | Updated the **Data Connector** to fix conectivity criteria query | | 3.0.4 | 16-04-2024 | Fixed existing rule for sites with private IP addresses other than 10/8 | diff --git a/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json b/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json index 93a2778e1f6..fb561bd5ac9 100644 --- a/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json +++ b/Solutions/PaloAlto-PAN-OS/data/Solution_PaloAlto-PAN-OS.json 
@@ -3,10 +3,6 @@ "Author": "Microsoft - support@microsoft.com", "Logo": "", "Description": "The [Palo Alto Networks (Firewall)](https://www.paloaltonetworks.com/network-security/next-generation-firewall) Solution for Microsoft Sentinel allows you to easily connect your Palo Alto Networks Firewall logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation. This gives you more insight into your organization's network and improves your security operation capabilities. This solution also contains playbooks to help in automated remediation.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.", - "Data Connectors": [ - "Solutions/PaloAlto-PAN-OS/Data Connectors/PaloAltoNetworks.json", - "Solutions/PaloAlto-PAN-OS/Data Connectors/template_PaloAltoNetworksAMA.json" - ], "Hunting Queries": [ "Solutions/PaloAlto-PAN-OS/Hunting Queries/PaloAlto-HighRiskPorts.yaml", "Solutions/PaloAlto-PAN-OS/Hunting Queries/Palo Alto - potential beaconing detected.yaml" diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml index 81401f5c774..5896c8273f1 100644 --- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml +++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml @@ -5,12 +5,6 @@ description: | severity: Low status: Available requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog 
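Review bot: The retained "Description" in this hunk still says "The existing connectors are about to be deprecated by **Aug 31, 2024**" and recommends CEF via AMA as the alternative, but the connectors that sentence refers to are exactly the two entries this hunk deletes from "Data Connectors", so the note now points at nothing and its date is already past relative to the 11-11-2024 release-notes entry in this same commit. I would drop the `**NOTE:** ...` sentence or reword it to state that the legacy connectors have been removed and that the CEF via AMA connector from the Common Event Format solution is required. Nothing in this hunk bumps "Version", and the release-notes hunk in this commit rewrites the existing 3.0.7 row with a new date instead of adding a new version; if "Version" is not bumped elsewhere, workspaces that already have 3.0.7 installed will not be offered the changed package (the PaloAltoCDL solution in this same commit does bump 3.0.2 to 3.0.3). The regenerated mainTemplate descriptionHtml also reads "Data Connector: 1Workbooks: 2" while both DataConnector dependency criteria are removed, which looks like a stale count from the packaging run rather than a hand edit — presumably re-running the packaging tool after fixing the Description resolves it.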
@@ -41,5 +35,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLDroppingSessionWithSentTraffic.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLDroppingSessionWithSentTraffic.yaml index abf28003630..fa10805393f 100644 --- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLDroppingSessionWithSentTraffic.yaml +++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLDroppingSessionWithSentTraffic.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -42,5 +36,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLFileTypeWasChanged.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLFileTypeWasChanged.yaml index 9a6dab968bd..911bed836ce 100644 --- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLFileTypeWasChanged.yaml +++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLFileTypeWasChanged.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -38,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: FileCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml index 5baa1a91f52..5ef42bacff5 100644 
--- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml +++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLInboundRiskPorts.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleAttackWithoutResponse.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleAttackWithoutResponse.yaml index 62b781dce53..23f40b19968 100644 --- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleAttackWithoutResponse.yaml +++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleAttackWithoutResponse.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -41,5 +35,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: UrlCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleFlooding.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleFlooding.yaml index f2686a7c25d..cb2a057acf0 100644 --- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleFlooding.yaml +++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossibleFlooding.yaml 
@@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -38,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossiblePortScan.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossiblePortScan.yaml index 9bdf086a6a3..038b0fa17f0 100644 --- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossiblePortScan.yaml +++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPossiblePortScan.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPrivilegesWasChanged.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPrivilegesWasChanged.yaml index a6d86b1007e..4d322af5ea8 100644 --- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPrivilegesWasChanged.yaml +++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPrivilegesWasChanged.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog 
@@ -40,5 +34,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml index 02aebf9a6c0..4ab6e4eea8c 100644 --- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml +++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLPutMethodInHighRiskFileType.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -36,5 +30,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: FileCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled diff --git a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLUnexpectedCountries.yaml b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLUnexpectedCountries.yaml index 9ce90b596bb..069b83cab9d 100644 --- a/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLUnexpectedCountries.yaml +++ b/Solutions/PaloAltoCDL/Analytic Rules/PaloAltoCDLUnexpectedCountries.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -39,5 +33,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAltoCDL/Data/Solution_PaloAltoCDL.json b/Solutions/PaloAltoCDL/Data/Solution_PaloAltoCDL.json index ed4b296cc48..a286bb9d729 100644 
--- a/Solutions/PaloAltoCDL/Data/Solution_PaloAltoCDL.json +++ b/Solutions/PaloAltoCDL/Data/Solution_PaloAltoCDL.json @@ -21,10 +21,6 @@ "Hunting Queries/PaloAltoCDLRareFileRequests.yaml", "Hunting Queries/PaloAltoCDLRarePortsbyUser.yaml" ], - "Data Connectors": [ - "Data Connectors/Connector_PaloAlto_CDL_CEF.json", - "Data Connectors/template_PaloAlto_CDLAMA.json" - ], "Analytic Rules": [ "Analytic Rules/PaloAltoCDLConflictingMacAddress.yaml", "Analytic Rules/PaloAltoCDLDroppingSessionWithSentTraffic.yaml", @@ -43,7 +39,7 @@ "Metadata": "SolutionMetadata.json", "BasePath": "C:\\One\\Azure\\Azure-Sentinel\\Solutions\\PaloAltoCDL", - "Version": "3.0.2", + "Version": "3.0.3", "TemplateSpec": true, "Is1PConnector": false } \ No newline at end of file diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLCriticalEventResult.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLCriticalEventResult.yaml index c2108395bd9..cb6c5cc49da 100644 --- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLCriticalEventResult.yaml +++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLCriticalEventResult.yaml @@ -4,12 +4,6 @@ description: | 'Query shows critical event result' severity: Medium requiredDataConnectors: - - connectorId: PaloAltoCDL - dataTypes: - - PaloAltoCDLEvent - - connectorId: PaloAltoCDLAma - dataTypes: - - PaloAltoCDLEvent - connectorId: CefAma dataTypes: - CommonSecurityLog diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLFilePermissionWithPutRequest.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLFilePermissionWithPutRequest.yaml index 68a1bc837aa..6cfe481311c 100644 --- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLFilePermissionWithPutRequest.yaml +++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLFilePermissionWithPutRequest.yaml 
@@ -4,12 +4,6 @@ description: |
 'Query shows file permission with PUT or POST request'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIPsByPorts.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIPsByPorts.yaml
index 331208ffe6c..efc46cf2cf3 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIPsByPorts.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIPsByPorts.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows destination ports by IP address.'
 severity: Low
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIncompleteApplicationProtocol.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIncompleteApplicationProtocol.yaml
index 66496442fd6..b412b0a3908 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIncompleteApplicationProtocol.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLIncompleteApplicationProtocol.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows incomplete application protocol'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLMultiDenyResultbyUser.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLMultiDenyResultbyUser.yaml
index 6473eb5e7f3..4b6edc9a17b 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLMultiDenyResultbyUser.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLMultiDenyResultbyUser.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows multiple Deny results by user'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedAgentVersions.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedAgentVersions.yaml
index 0aa78622ebf..0274a20abeb 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedAgentVersions.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedAgentVersions.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows agents which are not updated to the latest version'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedConfigVersions.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedConfigVersions.yaml
index 8d2279994f2..439d8c41740 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedConfigVersions.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLOutdatedConfigVersions.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows outdated config vesions'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareApplicationLayerProtocol.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareApplicationLayerProtocol.yaml
index d70b005bff6..f19781610a2 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareApplicationLayerProtocol.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareApplicationLayerProtocol.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows Rare application layer protocols'
 severity: Low
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareFileRequests.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareFileRequests.yaml
index 8492ccf00ab..c737cd51626 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareFileRequests.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRareFileRequests.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows rare files observed'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRarePortsbyUser.yaml b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRarePortsbyUser.yaml
index e12311d296e..4b6588e22fe 100644
--- a/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRarePortsbyUser.yaml
+++ b/Solutions/PaloAltoCDL/Hunting Queries/PaloAltoCDLRarePortsbyUser.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows rare ports by user.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: PaloAltoCDL
- dataTypes:
- - PaloAltoCDLEvent
- - connectorId: PaloAltoCDLAma
- dataTypes:
- - PaloAltoCDLEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/PaloAltoCDL/Package/3.0.3.zip b/Solutions/PaloAltoCDL/Package/3.0.3.zip
new file mode 100644
index 00000000000..8f1142309f3
Binary files /dev/null and b/Solutions/PaloAltoCDL/Package/3.0.3.zip differ
diff --git a/Solutions/PaloAltoCDL/Package/createUiDefinition.json b/Solutions/PaloAltoCDL/Package/createUiDefinition.json
index 88db1a6526d..5a4f27d54d1 100644
--- a/Solutions/PaloAltoCDL/Package/createUiDefinition.json
+++ b/Solutions/PaloAltoCDL/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAltoCDL/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) solution provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.\n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/PaloAltoCDL/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) solution provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.\n\nThis solution is dependent on the Common 
Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connector:** 1,**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
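Review bot: The new description string drops the separator space in the content summary, `**Data Connector:** 1,**Parsers:** 1`, so the rendered Markdown runs the two counts together while every other count keeps `, `; it should read `**Data Connectors:** 1, **Parsers:** 1` to match the rest of the line. This commit also removes the solution's own connectors (the `Data Connectors` array in Solution_PaloAltoCDL.json and the `dataconnectors` step later in this file), so it is worth confirming that the count of 1 is meant to describe the CEF via AMA dependency rather than a connector this package still ships. The carried-over `**Aug 31, 2024**` deprecation notice now describes connectors that no longer exist in the package; consider rewording it in the same change.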
@@ -51,44 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for PaloAltoCDL. You can get PaloAltoCDL CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors2-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This Solution installs the data connector for PaloAltoCDL. You can get PaloAltoCDL CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-parser-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", 
@@ -330,7 +292,7 @@ "name": "huntingquery1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows critical event result This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)" + "text": "Query shows critical event result This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -344,7 +306,7 @@ "name": "huntingquery2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows file permission with PUT or POST request This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)" + "text": "Query shows file permission with PUT or POST request This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -358,7 +320,7 @@ "name": "huntingquery3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows destination ports by IP address. This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)" + "text": "Query shows destination ports by IP address. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -372,7 +334,7 @@ "name": "huntingquery4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows incomplete application protocol This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)" + "text": "Query shows incomplete application protocol This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] 
@@ -386,7 +348,7 @@ "name": "huntingquery5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows multiple Deny results by user This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)" + "text": "Query shows multiple Deny results by user This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -400,7 +362,7 @@ "name": "huntingquery6-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows agents which are not updated to the latest version This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)" + "text": "Query shows agents which are not updated to the latest version This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -414,7 +376,7 @@ "name": "huntingquery7-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows outdated config vesions This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)" + "text": "Query shows outdated config vesions This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -428,7 +390,7 @@ "name": "huntingquery8-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows Rare application layer protocols This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)" + "text": "Query shows Rare application layer protocols This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] 
@@ -442,7 +404,7 @@ "name": "huntingquery9-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows rare files observed This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)" + "text": "Query shows rare files observed This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] @@ -456,7 +418,7 @@ "name": "huntingquery10-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Query shows rare ports by user. This hunting query depends on PaloAltoCDL PaloAltoCDLAma CefAma data connector (PaloAltoCDLEvent PaloAltoCDLEvent CommonSecurityLog Parser or Table)" + "text": "Query shows rare ports by user. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)" } } ] diff --git a/Solutions/PaloAltoCDL/Package/mainTemplate.json b/Solutions/PaloAltoCDL/Package/mainTemplate.json index c6b5685ee62..6e694a165ae 100644 --- a/Solutions/PaloAltoCDL/Package/mainTemplate.json +++ b/Solutions/PaloAltoCDL/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "PaloAltoCDL", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "azuresentinel.azure-sentinel-solution-paloaltocdl", "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", 
@@ -108,93 +108,75 @@ "_huntingQuerycontentId10": "ce9d58ce-51cd-11ec-bf63-0242ac130002", "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('ce9d58ce-51cd-11ec-bf63-0242ac130002')))]" }, - "uiConfigId1": "PaloAltoCDL", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "PaloAltoCDL", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "PaloAltoCDLAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "PaloAltoCDLAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - "_dataConnectorcontentProductId2": 
"[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.2", + "analyticRuleVersion1": "1.0.3", "_analyticRulecontentId1": "976d2eee-51cb-11ec-bf63-0242ac130002", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '976d2eee-51cb-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('976d2eee-51cb-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','976d2eee-51cb-11ec-bf63-0242ac130002','-', '1.0.2')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','976d2eee-51cb-11ec-bf63-0242ac130002','-', '1.0.3')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.3", + "analyticRuleVersion2": "1.0.4", "_analyticRulecontentId2": "ba663b74-51f4-11ec-bf63-0242ac130002", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'ba663b74-51f4-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('ba663b74-51f4-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ba663b74-51f4-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','ba663b74-51f4-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.2", + "analyticRuleVersion3": "1.0.3", "_analyticRulecontentId3": "9150ad68-51c8-11ec-bf63-0242ac130002", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9150ad68-51c8-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9150ad68-51c8-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9150ad68-51c8-11ec-bf63-0242ac130002','-', '1.0.2')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9150ad68-51c8-11ec-bf63-0242ac130002','-', '1.0.3')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.2", + "analyticRuleVersion4": "1.0.3", "_analyticRulecontentId4": "b2dd2dac-51c9-11ec-bf63-0242ac130002", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b2dd2dac-51c9-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b2dd2dac-51c9-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2dd2dac-51c9-11ec-bf63-0242ac130002','-', '1.0.2')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b2dd2dac-51c9-11ec-bf63-0242ac130002','-', '1.0.3')))]" }, "analyticRuleObject5": { - 
"analyticRuleVersion5": "1.0.3", + "analyticRuleVersion5": "1.0.4", "_analyticRulecontentId5": "b6d54840-51d3-11ec-bf63-0242ac130002", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b6d54840-51d3-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b6d54840-51d3-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6d54840-51d3-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b6d54840-51d3-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.3", + "analyticRuleVersion6": "1.0.4", "_analyticRulecontentId6": "feb185cc-51f4-11ec-bf63-0242ac130002", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'feb185cc-51f4-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('feb185cc-51f4-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','feb185cc-51f4-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','feb185cc-51f4-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject7": { - "analyticRuleVersion7": "1.0.3", + "analyticRuleVersion7": "1.0.4", "_analyticRulecontentId7": "3575a9c0-51c9-11ec-bf63-0242ac130002", "analyticRuleId7": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '3575a9c0-51c9-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('3575a9c0-51c9-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3575a9c0-51c9-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','3575a9c0-51c9-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.3", + "analyticRuleVersion8": "1.0.4", "_analyticRulecontentId8": "38f9e010-51ca-11ec-bf63-0242ac130002", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '38f9e010-51ca-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('38f9e010-51ca-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','38f9e010-51ca-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','38f9e010-51ca-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.3", + "analyticRuleVersion9": "1.0.4", "_analyticRulecontentId9": "f12e9d10-51ca-11ec-bf63-0242ac130002", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f12e9d10-51ca-11ec-bf63-0242ac130002')]", "analyticRuleTemplateSpecName9": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f12e9d10-51ca-11ec-bf63-0242ac130002')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f12e9d10-51ca-11ec-bf63-0242ac130002','-', '1.0.3')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f12e9d10-51ca-11ec-bf63-0242ac130002','-', '1.0.4')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.3", + "analyticRuleVersion10": "1.0.4", "_analyticRulecontentId10": "9fcc7734-4d1b-11ec-81d3-0242ac130003", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9fcc7734-4d1b-11ec-81d3-0242ac130003')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9fcc7734-4d1b-11ec-81d3-0242ac130003')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9fcc7734-4d1b-11ec-81d3-0242ac130003','-', '1.0.3')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9fcc7734-4d1b-11ec-81d3-0242ac130003','-', '1.0.4')))]" }, "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, 
@@ -208,7 +190,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDL Workbook with template version 3.0.2", + "description": "PaloAltoCDL Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -271,6 +253,10 @@ { "contentId": "PaloAltoCDLAma", "kind": "DataConnector" + }, + { + "contentId": "CefAma", + "kind": "DataConnector" } ] } @@ -300,7 +286,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLEvent Data Parser with template version 3.0.2", + "description": "PaloAltoCDLEvent Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
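Review bot: The `@@ -271,6 +253,10 @@` hunk adds a `CefAma` DataConnector criterion but keeps the existing `"contentId": "PaloAltoCDLAma"` entry in the same list, so this dependency block still declares a connector that the rest of the commit removes from the package (the connector variables deleted in the `@@ -108` hunk and the `Data Connectors` array dropped from Solution_PaloAltoCDL.json). Its position between the workbook and parser descriptions suggests this is the workbook's dependency criteria, and since mainTemplate.json is generated the stale entry presumably originates in the workbook metadata source; the fix is to remove the `PaloAltoCDL`/`PaloAltoCDLAma` criteria there and regenerate so that only `"contentId": "CefAma", "kind": "DataConnector"` remains. The start of the criteria list lies outside the hunk, so any `PaloAltoCDL` entry preceding the visible one would need the same treatment.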
@@ -314,7 +300,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "PaloAltoCDLEvent", + "displayName": "Parser for PaloAltoCDLEvent", "category": "Microsoft Sentinel Parser", "functionAlias": "PaloAltoCDLEvent", "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Palo Alto Networks'\n| where DeviceProduct =~ 'LF'\n| extend EventVendor = 'Palo Alto Networks'\n| extend EventProduct = 'Cortex Data Lake'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\n| parse-kv AdditionalExtensions as (PanOSConfigVersion:string, start:datetime, PanOSBytes:int, PanOSSessionStartTime:datetime, PanOSSourceLocation:string, PanOSDestinationLocation:string, PanOSPacketsSent:int, PanOSPacketsReceived:int, PanOSDGHierarchyLevel1:string, PanOSDGHierarchyLevel2:string, PanOSDGHierarchyLevel3:string, PanOSDGHierarchyLevel4:string, PanOSVirtualSystemName:string, PanOSSourceUUID:string, PanOSDestinationUUID:string, PanOSIMSI:string, PanOSIMEI:string, PanOSParentSessionID:string, PanOSParentStarttime:datetime, PanOSTunnel:string, PanOSEndpointAssociationID:string, PanOSChunksTotal:int, PanOSChunksSent:int, PanOSChunksReceived:int, PanOSRuleUUID:string, PanOSHTTP2Connection:string, PanOSLinkChangeCount:int, PanOSSDWANPolicyName:string, PanOSLinkSwitches:string, PanOSSDWANCluster:string, PanOSSDWANDeviceType:string, PanOSSDWANClusterType:string, PanOSSDWANSite:string, PanOSDynamicUserGroupName:string, [\"PanOSX-Forwarded-ForIP\"]:string, PanOSSourceDeviceCategory:string, PanOSSourceDeviceProfile:string, PanOSSourceDeviceModel:string, PanOSSourceDeviceVendor:string, 
PanOSSourceDeviceOSFamily:string, PanOSSourceDeviceOSVersion:string, PanOSSourceDeviceHost:string, PanOSSourceDeviceMac:string, PanOSDestinationDeviceCategory:string, PanOSDestinationDeviceProfile:string, PanOSDestinationDeviceModel:string, PanOSDestinationDeviceVendor:string, PanOSDestinationDeviceOSFamily:string, PanOSDestinationDeviceOSVersion:string, PanOSDestinationDeviceHost:string, PanOSDestinationDeviceMac:string, PanOSContainerID:string, PanOSContainerNameSpace:string, PanOSContainerName:string, PanOSSourceEDL:string, PanOSDestinationEDL:string, PanOSGPHostID:string, PanOSEndpointSerialNumber:string, PanOSSourceDynamicAddressGroup:string, PanOSDestinationDynamicAddressGroup:string, PanOSHASessionOwner:string, PanOSTimeGeneratedHighResolution:string, PanOSNSSAINetworkSliceType:string, PanOSNSSAINetworkSliceDifferentiator:string, PanOSURLCounter:string, [\"PanOSX-Forwarded-For\"]:string, PanOSReferer:string, PanOSInlineMLVerdict:string, PanOSContentVersion:string, PanOSSigFlags:string, PanOSHTTPHeaders:string, PanOSURLCategoryList:string, PanOSHostID:string, PanOSThreatID:string, PanOSFileHash:string, PanOSApplianceOrCloud:string, PanOSFileType:string, PanOSSenderEmail:string, PanOSEmailSubject:string, PanOSRecipientEmail:string, PanOSReportID:string, PanOSThreatCategory:string, PanOSDomainEDL:string, PanOSPartialHash:string, PanOSTunnelEventType:string, PanOSMobileSubscriberISDN:string, PanOSAccessPointName:string, PanOSRadioAccessTechnology:string, PanOSTunnelMessageType:string, PanOSMobileIP:string, PanOSTunnelEndpointID1:string, PanOSTunnelEndpointID2:string, PanOSTunnelInterface:string, PanOSTunnelCauseCode:string, PanOSMobileCountryCode:string, PanOSMobileNetworkCode:string, PanOSMobileAreaCode:string, PanOSMobileBaseStationCode:string, PanOSTunnelEventCode:string, PanOSPacketsDroppedMax:string, PanOSPacketsDroppedTunnel:string, PanOSTunnelInspectionRule:string, PanOSTunnelRemoteUserIP:string, PanOSTunnelRemoteIMSIID:string, 
PanOSProtocolDataUnitsessionID:string, end:string, PanOSUGFlags:string, PanOSUserIdentifiedBySource:string, PanOSTag:string, PanOSEventTime:datetime, PanOSDeviceGroup:string, PanOSTemplate:string, PanOSSourceUser:string, PanOSHipMatchType:string, PanOSSource:string, PanOSTimestampDeviceIdentification:string, deviceExternalID:string, PanOSVirtualSystem:string, Name:string, PanOSStage:string, PanOSAuthMethod:string, PanOSTunnelType:string, PanOSSourceRegion:string, PanOSPrivateIPv4:string, PanOSPrivateIPv6:string, PanOSEndpointSN:string, PanOSGlobalProtectClientVersion:string, PanOSEndpointOSType:string, PanOSEndpointOSVersion:string, PanOSCountOfRepeats:string, PanOSQuarantineReason:string, PanOSConnectionError:string, PanOSDescription:string, PanOSGlobalProtectGatewayLocation:string, PanOSLoginDuration:string, PanOSConnectionMethod:string, PanOSConnectionErrorID:string, PanOSPortal:string, PanOSSequenceNo:string, PanOSGatewaySelectionType:string, PanOSSSLResponseTime:string, PanOSGatewayPriority:string, PanOSAttemptedGateways:string, PanOSGateway:string, PanOSVirtualSystemID:string, startTime:datetime, PanOSRecordType:string, PanOSCloudDNSClientIP:string, PanOSDNSResolverIP:string, PanOSDNSCategory:string, DestinationDNSDomain:string, suser0:string, duser0:string) with (pair_delimiter=';', kv_delimiter='=', quote=\"'\")\n| extend DvcIpAddr = iff(DeviceCustomIPv6Address1Label == \"Device IPv6 Address\", DeviceCustomIPv6Address1, \"\")\n , DstIpAddr = iff(DeviceCustomIPv6Address3Label == \"Destination IPv6 Address\", DeviceCustomIPv6Address3, \"\")\n , SrcIpAddr = iff(DeviceCustomIPv6Address2Label == \"Source IPv6 Address\", DeviceCustomIPv6Address2, \"\")\n , EventResultDetails = coalesce(column_ifexists(\"reason\",\"\"),column_ifexists(\"Reason\",\"\"))\n , SrcZone = iff(DeviceCustomString4Label == \"FromZone\", DeviceCustomString4, \"\") \n , DstZone = iff(DeviceCustomString5Label == \"Zone\", DeviceCustomString5, \"\") \n , NetworkPackets = 
iff(DeviceCustomNumber2Label == \"PacketsTotal\", DeviceCustomNumber2, int(null))\n , NetworkDuration = iff(DeviceCustomNumber3Label == \"SessionDuration\", DeviceCustomNumber3, int(null))\n , NetworkSessionId = iff(DeviceCustomNumber1Label == \"SessionID\", DeviceCustomNumber1, int(null))\n , EventStartTime = coalesce(column_ifexists(\"StartTime\",datetime(null))\n , todatetime(column_ifexists(\"start\",\"\")))\n , EventEndTime = coalesce(column_ifexists(\"EventEndTime\",datetime(null))\n , todatetime(column_ifexists(\"end\",\"\")))\n , EventType = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"), column_ifexists(\"cat\",\"\"))\n| project-rename EventProductVersion = DeviceVersion\n , DvcId = DeviceExternalID\n , DvcHostname = DeviceName\n , DstNatPortNumber = DestinationTranslatedPort\n , DstHostname = DestinationHostName\n , SrcNatPortNumber = SourceTranslatedPort\n , SrcFileName = FileName\n , SrcFilePath = FilePath\n , EventMessage = Message\n , EventSeverity = LogSeverity\n , EventResult = Activity\n , DstPortNumber = DestinationPort\n , DstUserId = DestinationUserID\n , EventResourceId = DeviceEventClassID\n , HttpRequestMethod = RequestMethod\n , Url = RequestURL\n , HttpContentFormat = RequestContext\n , SrcHostname = SourceHostName\n , DvcAction = DeviceAction\n , DstDomain = DestinationNTDomain\n , SrcPortNumber = SourcePort\n , DvcInboundInterface = DeviceInboundInterface\n , DvcOutboundInterface = DeviceOutboundInterface\n , NetworkProtocol = Protocol\n , NetworkApplicationProtocol = ApplicationProtocol\n , SrcDomain = SourceNTDomain\n , SrcUserId = SourceUserID\n , DstBytes = ReceivedBytes\n , SrcBytes = SentBytes\n| extend EventTimeIngested = todatetime(ReceiptTime)\n| extend SrcNatIpAddr = case(isempty(SourceIP), SourceTranslatedAddress, \n pack_array(SourceTranslatedAddress,SourceIP))\n| extend DstNatIpAddr = case(isempty(DestinationIP), DestinationTranslatedAddress,\n pack_array(DestinationTranslatedAddress, DestinationIP))\n | extend 
SrcUsername = case(isempty(suser0), SourceUserName, \n pack_array(SourceUserName,suser0))\n | extend DstUsername = case(isempty(duser0), DestinationUserName,\n pack_array(DestinationUserName,duser0))\n| project-away ReceiptTime, Type, StartTime, EndTime, DeviceVendor, DeviceProduct, duser0, DestinationUserName, suser0, SourceUserName, AdditionalExtensions, DestinationTranslatedAddress, DestinationIP,SourceTranslatedAddress, SourceIP, DeviceCustom*, FlexString*\n \n",
@@ -366,7 +352,7 @@
 "contentSchemaVersion": "3.0.0",
 "contentId": "[variables('parserObject1').parserContentId1]",
 "contentKind": "Parser",
- "displayName": "PaloAltoCDLEvent",
+ "displayName": "Parser for PaloAltoCDLEvent",
 "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.1.0')))]",
 "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.1.0')))]",
 "version": "[variables('parserObject1').parserVersion1]"
@@ -379,7 +365,7 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "PaloAltoCDLEvent", + "displayName": "Parser for PaloAltoCDLEvent", "category": "Microsoft Sentinel Parser", "functionAlias": "PaloAltoCDLEvent", "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Palo Alto Networks'\n| where DeviceProduct =~ 'LF'\n| extend EventVendor = 'Palo Alto Networks'\n| extend EventProduct = 'Cortex Data Lake'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3)\n| parse-kv AdditionalExtensions as (PanOSConfigVersion:string, start:datetime, PanOSBytes:int, PanOSSessionStartTime:datetime, PanOSSourceLocation:string, PanOSDestinationLocation:string, PanOSPacketsSent:int, PanOSPacketsReceived:int, PanOSDGHierarchyLevel1:string, PanOSDGHierarchyLevel2:string, PanOSDGHierarchyLevel3:string, PanOSDGHierarchyLevel4:string, PanOSVirtualSystemName:string, PanOSSourceUUID:string, PanOSDestinationUUID:string, PanOSIMSI:string, PanOSIMEI:string, PanOSParentSessionID:string, PanOSParentStarttime:datetime, PanOSTunnel:string, PanOSEndpointAssociationID:string, PanOSChunksTotal:int, PanOSChunksSent:int, PanOSChunksReceived:int, PanOSRuleUUID:string, PanOSHTTP2Connection:string, PanOSLinkChangeCount:int, PanOSSDWANPolicyName:string, PanOSLinkSwitches:string, PanOSSDWANCluster:string, PanOSSDWANDeviceType:string, PanOSSDWANClusterType:string, PanOSSDWANSite:string, PanOSDynamicUserGroupName:string, [\"PanOSX-Forwarded-ForIP\"]:string, PanOSSourceDeviceCategory:string, PanOSSourceDeviceProfile:string, PanOSSourceDeviceModel:string, PanOSSourceDeviceVendor:string, 
PanOSSourceDeviceOSFamily:string, PanOSSourceDeviceOSVersion:string, PanOSSourceDeviceHost:string, PanOSSourceDeviceMac:string, PanOSDestinationDeviceCategory:string, PanOSDestinationDeviceProfile:string, PanOSDestinationDeviceModel:string, PanOSDestinationDeviceVendor:string, PanOSDestinationDeviceOSFamily:string, PanOSDestinationDeviceOSVersion:string, PanOSDestinationDeviceHost:string, PanOSDestinationDeviceMac:string, PanOSContainerID:string, PanOSContainerNameSpace:string, PanOSContainerName:string, PanOSSourceEDL:string, PanOSDestinationEDL:string, PanOSGPHostID:string, PanOSEndpointSerialNumber:string, PanOSSourceDynamicAddressGroup:string, PanOSDestinationDynamicAddressGroup:string, PanOSHASessionOwner:string, PanOSTimeGeneratedHighResolution:string, PanOSNSSAINetworkSliceType:string, PanOSNSSAINetworkSliceDifferentiator:string, PanOSURLCounter:string, [\"PanOSX-Forwarded-For\"]:string, PanOSReferer:string, PanOSInlineMLVerdict:string, PanOSContentVersion:string, PanOSSigFlags:string, PanOSHTTPHeaders:string, PanOSURLCategoryList:string, PanOSHostID:string, PanOSThreatID:string, PanOSFileHash:string, PanOSApplianceOrCloud:string, PanOSFileType:string, PanOSSenderEmail:string, PanOSEmailSubject:string, PanOSRecipientEmail:string, PanOSReportID:string, PanOSThreatCategory:string, PanOSDomainEDL:string, PanOSPartialHash:string, PanOSTunnelEventType:string, PanOSMobileSubscriberISDN:string, PanOSAccessPointName:string, PanOSRadioAccessTechnology:string, PanOSTunnelMessageType:string, PanOSMobileIP:string, PanOSTunnelEndpointID1:string, PanOSTunnelEndpointID2:string, PanOSTunnelInterface:string, PanOSTunnelCauseCode:string, PanOSMobileCountryCode:string, PanOSMobileNetworkCode:string, PanOSMobileAreaCode:string, PanOSMobileBaseStationCode:string, PanOSTunnelEventCode:string, PanOSPacketsDroppedMax:string, PanOSPacketsDroppedTunnel:string, PanOSTunnelInspectionRule:string, PanOSTunnelRemoteUserIP:string, PanOSTunnelRemoteIMSIID:string, 
PanOSProtocolDataUnitsessionID:string, end:string, PanOSUGFlags:string, PanOSUserIdentifiedBySource:string, PanOSTag:string, PanOSEventTime:datetime, PanOSDeviceGroup:string, PanOSTemplate:string, PanOSSourceUser:string, PanOSHipMatchType:string, PanOSSource:string, PanOSTimestampDeviceIdentification:string, deviceExternalID:string, PanOSVirtualSystem:string, Name:string, PanOSStage:string, PanOSAuthMethod:string, PanOSTunnelType:string, PanOSSourceRegion:string, PanOSPrivateIPv4:string, PanOSPrivateIPv6:string, PanOSEndpointSN:string, PanOSGlobalProtectClientVersion:string, PanOSEndpointOSType:string, PanOSEndpointOSVersion:string, PanOSCountOfRepeats:string, PanOSQuarantineReason:string, PanOSConnectionError:string, PanOSDescription:string, PanOSGlobalProtectGatewayLocation:string, PanOSLoginDuration:string, PanOSConnectionMethod:string, PanOSConnectionErrorID:string, PanOSPortal:string, PanOSSequenceNo:string, PanOSGatewaySelectionType:string, PanOSSSLResponseTime:string, PanOSGatewayPriority:string, PanOSAttemptedGateways:string, PanOSGateway:string, PanOSVirtualSystemID:string, startTime:datetime, PanOSRecordType:string, PanOSCloudDNSClientIP:string, PanOSDNSResolverIP:string, PanOSDNSCategory:string, DestinationDNSDomain:string, suser0:string, duser0:string) with (pair_delimiter=';', kv_delimiter='=', quote=\"'\")\n| extend DvcIpAddr = iff(DeviceCustomIPv6Address1Label == \"Device IPv6 Address\", DeviceCustomIPv6Address1, \"\")\n , DstIpAddr = iff(DeviceCustomIPv6Address3Label == \"Destination IPv6 Address\", DeviceCustomIPv6Address3, \"\")\n , SrcIpAddr = iff(DeviceCustomIPv6Address2Label == \"Source IPv6 Address\", DeviceCustomIPv6Address2, \"\")\n , EventResultDetails = coalesce(column_ifexists(\"reason\",\"\"),column_ifexists(\"Reason\",\"\"))\n , SrcZone = iff(DeviceCustomString4Label == \"FromZone\", DeviceCustomString4, \"\") \n , DstZone = iff(DeviceCustomString5Label == \"Zone\", DeviceCustomString5, \"\") \n , NetworkPackets = 
iff(DeviceCustomNumber2Label == \"PacketsTotal\", DeviceCustomNumber2, int(null))\n , NetworkDuration = iff(DeviceCustomNumber3Label == \"SessionDuration\", DeviceCustomNumber3, int(null))\n , NetworkSessionId = iff(DeviceCustomNumber1Label == \"SessionID\", DeviceCustomNumber1, int(null))\n , EventStartTime = coalesce(column_ifexists(\"StartTime\",datetime(null))\n , todatetime(column_ifexists(\"start\",\"\")))\n , EventEndTime = coalesce(column_ifexists(\"EventEndTime\",datetime(null))\n , todatetime(column_ifexists(\"end\",\"\")))\n , EventType = coalesce(column_ifexists(\"DeviceEventCategory\",\"\"), column_ifexists(\"cat\",\"\"))\n| project-rename EventProductVersion = DeviceVersion\n , DvcId = DeviceExternalID\n , DvcHostname = DeviceName\n , DstNatPortNumber = DestinationTranslatedPort\n , DstHostname = DestinationHostName\n , SrcNatPortNumber = SourceTranslatedPort\n , SrcFileName = FileName\n , SrcFilePath = FilePath\n , EventMessage = Message\n , EventSeverity = LogSeverity\n , EventResult = Activity\n , DstPortNumber = DestinationPort\n , DstUserId = DestinationUserID\n , EventResourceId = DeviceEventClassID\n , HttpRequestMethod = RequestMethod\n , Url = RequestURL\n , HttpContentFormat = RequestContext\n , SrcHostname = SourceHostName\n , DvcAction = DeviceAction\n , DstDomain = DestinationNTDomain\n , SrcPortNumber = SourcePort\n , DvcInboundInterface = DeviceInboundInterface\n , DvcOutboundInterface = DeviceOutboundInterface\n , NetworkProtocol = Protocol\n , NetworkApplicationProtocol = ApplicationProtocol\n , SrcDomain = SourceNTDomain\n , SrcUserId = SourceUserID\n , DstBytes = ReceivedBytes\n , SrcBytes = SentBytes\n| extend EventTimeIngested = todatetime(ReceiptTime)\n| extend SrcNatIpAddr = case(isempty(SourceIP), SourceTranslatedAddress, \n pack_array(SourceTranslatedAddress,SourceIP))\n| extend DstNatIpAddr = case(isempty(DestinationIP), DestinationTranslatedAddress,\n pack_array(DestinationTranslatedAddress, DestinationIP))\n | extend 
SrcUsername = case(isempty(suser0), SourceUserName, \n pack_array(SourceUserName,suser0))\n | extend DstUsername = case(isempty(duser0), DestinationUserName,\n pack_array(DestinationUserName,duser0))\n| project-away ReceiptTime, Type, StartTime, EndTime, DeviceVendor, DeviceProduct, duser0, DestinationUserName, suser0, SourceUserName, AdditionalExtensions, DestinationTranslatedAddress, DestinationIP,SourceTranslatedAddress, SourceIP, DeviceCustom*, FlexString*\n \n",
@@ -432,7 +418,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLCriticalEventResult_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "PaloAltoCDLCriticalEventResult_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -517,7 +503,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLFilePermissionWithPutRequest_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "PaloAltoCDLFilePermissionWithPutRequest_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -602,7 +588,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLIPsByPorts_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "PaloAltoCDLIPsByPorts_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -687,7 +673,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLIncompleteApplicationProtocol_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "PaloAltoCDLIncompleteApplicationProtocol_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -772,7 +758,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLMultiDenyResultbyUser_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "PaloAltoCDLMultiDenyResultbyUser_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -857,7 +843,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLOutdatedAgentVersions_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "PaloAltoCDLOutdatedAgentVersions_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -942,7 +928,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLOutdatedConfigVersions_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "PaloAltoCDLOutdatedConfigVersions_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -1027,7 +1013,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLRareApplicationLayerProtocol_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "PaloAltoCDLRareApplicationLayerProtocol_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -1112,7 +1098,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLRareFileRequests_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "PaloAltoCDLRareFileRequests_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -1197,7 +1183,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PaloAltoCDLRarePortsbyUser_HuntingQueries Hunting Query with template version 3.0.2",
+ "description": "PaloAltoCDLRarePortsbyUser_HuntingQueries Hunting Query with template version 3.0.3",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -1273,672 +1259,6 @@
 "version": "1.0.0"
 }
 },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "PaloAltoCDL data connector with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
- "location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
- "properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent",
- "publisher": "Palo Alto Networks",
- "descriptionMarkdown": "The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) data connector provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "PaloAltoNetworksCDL",
- "baseQuery": 
"PaloAltoCDLEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Destinations",
- "query": "PaloAltoCDLEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (PaloAltoNetworksCDL)",
- "lastDataReceivedQuery": "PaloAltoCDLEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "PaloAltoCDLEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(1d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution." 
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a Syslog Server.",
- "title": "2. 
Configure Cortex Data Lake to forward logs to a Syslog Server using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. 
Secure your machine "
- }
- ]
- }
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "PaloAltoCDL",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
- "dependsOn": [
- "[variables('_dataConnectorId1')]"
- ],
- "location": "[parameters('workspace-location')]",
- 
"properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "PaloAltoCDL", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via Legacy Agent", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) data connector provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PaloAltoNetworksCDL", - "baseQuery": "PaloAltoCDLEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAltoNetworksCDL)", - "lastDataReceivedQuery": "PaloAltoCDLEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "PaloAltoCDLEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = 
LastLogReceived > ago(1d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "PaloAltoCDLEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." 
- }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a Syslog Server.", - "title": "2. Configure Cortex Data Lake to forward logs to a Syslog Server using CEF" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution." - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PaloAltoCDL data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": 
"[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) data connector provides the capability to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PaloAltoNetworksCDL", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "PaloAltoCDLEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAltoNetworksCDL)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = 
max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. 
Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Configure Cortex Data Lake to forward logs to a Syslog Server using CEF", - "description": "[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a Syslog Server." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "PaloAltoCDL", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": 
"DataConnector", - "displayName": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "PaloAltoCDL", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Palo Alto Networks Cortex Data Lake (CDL) via AMA", - "publisher": "Palo Alto Networks", - "descriptionMarkdown": "The [Palo Alto Networks CDL](https://www.paloaltonetworks.com/cortex/cortex-data-lake) data connector provides the capability 
to ingest [CDL logs](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/log-forwarding-schema-overview) into Microsoft Sentinel.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "PaloAltoNetworksCDL", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (PaloAltoNetworksCDL)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Palo Alto Networks'\n |where DeviceProduct =~ 'LF'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "Top 10 Destinations", - "query": "PaloAltoCDLEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" - }, - { - "title": "Step B. Configure Cortex Data Lake to forward logs to a Syslog Server using CEF", - "description": "[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a Syslog Server." - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**PaloAltoCDLEvent**](https://aka.ms/sentinel-paloaltocdl-parser) which is deployed with the Microsoft Sentinel Solution." 
- } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -1948,7 +1268,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLConflictingMacAddress_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLConflictingMacAddress_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1975,18 +1295,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2003,22 +1311,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } 
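Review bot: With the `PaloAltoCDL` and `PaloAltoCDLAma` entries removed, this rule's `requiredDataConnectors` lists only `CefAma`, yet nothing in the rule metadata records that the `PaloAltoCDLEvent` Kusto function is still a prerequisite; the connector definitions elsewhere in this template state that the rules read from that parser, and a generic `CefAma` dependency does not ship it, so a workspace with CEF via AMA but without the PaloAltoCDL solution parser would show the rule as installable and then fail on query. The `dataTypes` under the `CefAma` entry and the rest of the `requiredDataConnectors` array fall outside the visible hunk, so I cannot confirm they name the `CommonSecurityLog` table the parser reads; if they do, a sentence in the rule `description` such as `Requires the PaloAltoCDLEvent parser deployed with the PaloAltoCDL solution.` would close the gap. The same change is repeated for the other nine analytic rules (hunks `@@ -2101,18 +1409,6 @@` through `@@ -3081,18 +2293,6 @@`). Since mainTemplate.json appears to be generated by the solution packaging tool, the correction belongs in each rule's source YAML rather than in this file.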
@@ -2074,7 +1382,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLDroppingSessionWithSentTraffic_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLDroppingSessionWithSentTraffic_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -2101,18 +1409,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2129,22 +1425,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } @@ -2200,7 +1496,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLFileTypeWasChanged_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLFileTypeWasChanged_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", 
@@ -2227,18 +1523,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2255,22 +1539,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "File", "fieldMappings": [ { "identifier": "Name", "columnName": "FileCustomEntity" } - ] + ], + "entityType": "File" } ] } @@ -2326,7 +1610,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLInboundRiskPorts_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLInboundRiskPorts_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -2353,18 +1637,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2381,13 +1653,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } 
@@ -2443,7 +1715,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLPossibleAttackWithoutResponse_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLPossibleAttackWithoutResponse_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -2470,18 +1742,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2498,31 +1758,31 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "UrlCustomEntity" } - ] + ], + "entityType": "URL" } ] } 
@@ -2578,7 +1838,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLPossibleFlooding_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLPossibleFlooding_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -2605,18 +1865,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2633,22 +1881,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } @@ -2704,7 +1952,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLPossiblePortScan_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLPossiblePortScan_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -2731,18 +1979,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2758,13 +1994,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } @@ -2820,7 +2056,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLPrivilegesWasChanged_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLPrivilegesWasChanged_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -2847,18 +2083,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2875,13 +2099,13 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" } ] } 
@@ -2937,7 +2161,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLPutMethodInHighRiskFileType_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLPutMethodInHighRiskFileType_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2964,18 +2188,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -2992,13 +2204,13 @@ ], "entityMappings": [ { - "entityType": "File", "fieldMappings": [ { "identifier": "Name", "columnName": "FileCustomEntity" } - ] + ], + "entityType": "File" } ] } @@ -3054,7 +2266,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PaloAltoCDLUnexpectedCountries_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PaloAltoCDLUnexpectedCountries_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -3081,18 +2293,6 @@ "triggerThreshold": 0, "status": "Available", "requiredDataConnectors": [ - { - "connectorId": "PaloAltoCDL", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, - { - "connectorId": "PaloAltoCDLAma", - "dataTypes": [ - "PaloAltoCDLEvent" - ] - }, { "connectorId": "CefAma", "dataTypes": [ @@ -3109,22 +2309,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { "identifier": "Name", "columnName": "AccountCustomEntity" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ] + ], + "entityType": "IP" } ] } @@ -3176,12 +2376,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "PaloAltoCDL", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Networks CDL solution provides the capability to ingest CDL logs into Microsoft Sentinel.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Palo Alto Networks CDL solution provides the capability to ingest CDL logs into Microsoft Sentinel.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connector: 1,Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3265,16 +2465,6 @@ "contentId": "[variables('huntingQueryObject10')._huntingQuerycontentId10]", "version": "[variables('huntingQueryObject10').huntingQueryVersion10]" }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", diff --git a/Solutions/PaloAltoCDL/ReleaseNotes.md b/Solutions/PaloAltoCDL/ReleaseNotes.md index 117fa0ff7ed..d96f8218854 100644 --- a/Solutions/PaloAltoCDL/ReleaseNotes.md +++ b/Solutions/PaloAltoCDL/ReleaseNotes.md @@ -1,7 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| -| 3.0.2 | 12-07-2024 | Deprecated **Data Connector** | +| 3.0.3 | 12-11-2024 | Removed Deprecated **Data Connector** | +| 3.0.2 | 12-07-2024 | Deprecated **Data Connector** | | 3.0.1 | 12-06-2024 | Optimized parser | -| 3.0.0 | 25-09-2023 | Addition of new PaloAltoCDL AMA **Data Connector** | | - - +| 3.0.0 | 25-09-2023 | Addition of new PaloAltoCDL AMA **Data Connector** | diff --git a/Solutions/Pure Storage/Analytic Rules/FB-FabricModuleUnhealthy.yaml b/Solutions/Pure Storage/Analytic Rules/FB-FabricModuleUnhealthy.yaml new file mode 100644 index 00000000000..3815dbd9549 --- /dev/null +++ b/Solutions/Pure Storage/Analytic Rules/FB-FabricModuleUnhealthy.yaml 
@@ -0,0 +1,44 @@
+id: a8130dcc-3617-41c0-a7ac-5f352bcfffaf
+name: External Fabric Module XFM1 is unhealthy
+version: 1.0.0
+kind: NRT
+description: External Fabric Module XFM1 is unhealthy
+severity: High
+tactics:
+- Execution
+relevantTechniques:
+- T0871
+query: |2-
+ Syslog
+ | where SyslogMessage has "purity.alert"
+ | extend Message = replace_string(SyslogMessage, "#012", "\n")
+ | extend UTCTime = extract(@"UTC Time:\s*(\d{4}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\sUTC", 1, SyslogMessage)
+ | extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage)
+ | extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage)
+ | extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)
+ | extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage)
+ | extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)
+ | extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage)
+ | extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage)
+ | extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage)
+ | project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl
+ | where PureMessage matches regex @"(External Fabric Module XFM1 is unhealthy)"
+entityMappings:
+- entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: HostIP
+suppressionEnabled: false
+suppressionDuration: 5h
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: 5h
+ matchingMethod: AllEntities
+ groupByEntities: []
+ groupByAlertDetails: []
+ groupByCustomDetails: []
+eventGroupingSettings:
+ aggregationKind: SingleAlert
\ No newline at end of file
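Review bot: The final `where` ignores `PureAlertState`, which the query goes to the trouble of extracting, so if the array also logs the cleared state of this alert the rule fires a second High-severity incident on the clear; a `| where PureAlertState == ...` filter with the value Purity uses for an active alert (take it from a sample message, it is not visible in this hunk) would scope the rule to the open event. The query is also a verbatim copy of the new `PureStorageFlashBladeParserV1` parser rather than a call to it, so a fix to one copy will not reach the other, and both copies do dead work: `Message` and `UTCTime` are computed, every `extract` reads `SyslogMessage`, and the `project` drops both (the same applies to the FlashBlade parser body in the Pure Storage `Package/mainTemplate.json` hunk). The `description` merely repeats `name`; one sentence on what an unhealthy external fabric module means for the array and what the responder should check would make the incident actionable. The `Execution` / `T0871` mapping reads like a placeholder for a hardware-health condition; confirm it is intended.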
diff --git a/Solutions/Pure Storage/Data/Solution_PureStorage.json b/Solutions/Pure Storage/Data/Solution_PureStorage.json
index 97f19172c54..bd07303b5f0 100644
--- a/Solutions/Pure Storage/Data/Solution_PureStorage.json
+++ b/Solutions/Pure Storage/Data/Solution_PureStorage.json
@@ -3,15 +3,20 @@
 "Author": "Pure Storage - support@purestorage.com",
 "Logo": "",
 "Description": "Solution for Microsoft Sentinel to ingest logs from PureStorage arrays",
- "Parsers": ["Parsers/PureStorageParser.yaml"],
+ "Parsers": [
+ "Parsers/PureStorageFlashArrayParser.yaml",
+ "Parsers/PureStorageFlashBladeParser.yaml"
+ ],
 "Analytic Rules": [
 "Analytic Rules/PureFailedLogin.yaml",
- "Analytic Rules/PureControllerFailed.yaml"
+ "Analytic Rules/PureControllerFailed.yaml",
+ "Analytic Rules/FB-FabricModuleUnhealthy.yaml"
 ],
 "Playbooks": [
 "Playbooks/Pure-Storage-User-Delete/azuredeploy.json",
 "Playbooks/Pure-Storage-Volumes-Snapshot/azuredeploy.json",
- "Playbooks/Pure-Storage-Protection-Groups-Snapshot/azuredeploy.json"
+ "Playbooks/Pure-Storage-Protection-Groups-Snapshot/azuredeploy.json",
+ "Playbooks/Pure-Storage-FlashBlade-File-System-Snapshot/azuredeploy.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Pure Storage",
 "Version": "3.0.1",
diff --git a/Solutions/Pure Storage/Package/3.0.3.zip b/Solutions/Pure Storage/Package/3.0.3.zip
new file mode 100644
index 00000000000..487b8decaea
Binary files /dev/null and b/Solutions/Pure Storage/Package/3.0.3.zip differ
diff --git a/Solutions/Pure Storage/Package/createUiDefinition.json b/Solutions/Pure Storage/Package/createUiDefinition.json
index e841a042439..103eb8dfd91 100644
--- a/Solutions/Pure Storage/Package/createUiDefinition.json
+++ b/Solutions/Pure Storage/Package/createUiDefinition.json
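Review bot: `"Version": "3.0.1"` is left unchanged at the end of this hunk while the same commit moves `_solutionVersion` in `Package/mainTemplate.json` to `3.0.3` and adds `Package/3.0.3.zip`; if the packaging tool reads this field, the next regeneration will emit a template that is versioned below the one being shipped here. Bump it in step with the package: `"Version": "3.0.3",`. I cannot see whether a later key in the file carries a version too, since the hunk ends on that line.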
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Pure%20Storage/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nSolution for Microsoft Sentinel to ingest logs from PureStorage arrays\n\n**Parsers:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Pure%20Storage/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nSolution for Microsoft Sentinel to ingest logs from PureStorage arrays\n\n**Parsers:** 2, **Analytic Rules:** 3, **Playbooks:** 4\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -104,6 +104,20 @@ } } ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "External Fabric Module XFM1 is unhealthy", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "External Fabric Module XFM1 is unhealthy" + } + } + ] } ] }, diff --git a/Solutions/Pure Storage/Package/mainTemplate.json b/Solutions/Pure Storage/Package/mainTemplate.json index b1b23de1851..b55ed3578be 100644 --- a/Solutions/Pure Storage/Package/mainTemplate.json 
+++ b/Solutions/Pure Storage/Package/mainTemplate.json @@ -33,15 +33,22 @@ "email": "support@purestorage.com", "_email": "[variables('email')]", "_solutionName": "Pure Storage", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "purestoragemarketplaceadmin.microsoft-sentinel-solution-purestorage", "_solutionId": "[variables('solutionId')]", "parserObject1": { - "_parserName1": "[concat(parameters('workspace'),'/','Pure Storage Parser')]", - "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Pure Storage Parser')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('PureStorageParserV1-Parser')))]", + "_parserName1": "[concat(parameters('workspace'),'/','PureStorageFlashArrayParserV1')]", + "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashArrayParserV1')]", + "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('PureStorageFlashArrayParserV1-Parser')))]", "parserVersion1": "1.0.0", - "parserContentId1": "PureStorageParserV1-Parser" + "parserContentId1": "PureStorageFlashArrayParserV1-Parser" + }, + "parserObject2": { + "_parserName2": "[concat(parameters('workspace'),'/','PureStorageFlashBladeParserV1')]", + "_parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashBladeParserV1')]", + "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('PureStorageFlashBladeParserV1-Parser')))]", + "parserVersion2": "1.0.0", + "parserContentId2": "PureStorageFlashBladeParserV1-Parser" }, "analyticRuleObject1": { "analyticRuleVersion1": "1.0.0", 
@@ -57,32 +64,47 @@ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c317b007-84e7-4449-93f4-4444f6638fd0')))]", "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c317b007-84e7-4449-93f4-4444f6638fd0','-', '1.0.0')))]" }, - "Pure-Storage-User-Delete": "Pure-Storage-User-Delete", - "_Pure-Storage-User-Delete": "[variables('Pure-Storage-User-Delete')]", + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.0", + "_analyticRulecontentId3": "a8130dcc-3617-41c0-a7ac-5f352bcfffaf", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'a8130dcc-3617-41c0-a7ac-5f352bcfffaf')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('a8130dcc-3617-41c0-a7ac-5f352bcfffaf')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','a8130dcc-3617-41c0-a7ac-5f352bcfffaf','-', '1.0.0')))]" + }, + "Pure-Storage-FlashBlade-File-System-Snapshot": "Pure-Storage-FlashBlade-File-System-Snapshot", + "_Pure-Storage-FlashBlade-File-System-Snapshot": "[variables('Pure-Storage-FlashBlade-File-System-Snapshot')]", "playbookVersion1": "1.0", - "playbookContentId1": "Pure-Storage-User-Delete", + "playbookContentId1": "Pure-Storage-FlashBlade-File-System-Snapshot", "_playbookContentId1": "[variables('playbookContentId1')]", "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", "workspaceResourceId": 
"[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", "blanks": "[replace('b', 'b', '')]", - "Pure-Storage-Volumes-Snapshot": "Pure-Storage-Volumes-Snapshot", - "_Pure-Storage-Volumes-Snapshot": "[variables('Pure-Storage-Volumes-Snapshot')]", + "Pure-Storage-User-Delete": "Pure-Storage-User-Delete", + "_Pure-Storage-User-Delete": "[variables('Pure-Storage-User-Delete')]", "playbookVersion2": "1.0", - "playbookContentId2": "Pure-Storage-Volumes-Snapshot", + "playbookContentId2": "Pure-Storage-User-Delete", "_playbookContentId2": "[variables('playbookContentId2')]", "playbookId2": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId2'))]", "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", - "Pure-Storage-Protection-Groups-Snapshot": "Pure-Storage-Protection-Groups-Snapshot", - "_Pure-Storage-Protection-Groups-Snapshot": "[variables('Pure-Storage-Protection-Groups-Snapshot')]", + "Pure-Storage-Volumes-Snapshot": "Pure-Storage-Volumes-Snapshot", + "_Pure-Storage-Volumes-Snapshot": "[variables('Pure-Storage-Volumes-Snapshot')]", "playbookVersion3": "1.0", - "playbookContentId3": "Pure-Storage-Protection-Groups-Snapshot", + "playbookContentId3": "Pure-Storage-Volumes-Snapshot", "_playbookContentId3": "[variables('playbookContentId3')]", "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", 
"playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "Pure-Storage-Protection-Groups-Snapshot": "Pure-Storage-Protection-Groups-Snapshot", + "_Pure-Storage-Protection-Groups-Snapshot": "[variables('Pure-Storage-Protection-Groups-Snapshot')]", + "playbookVersion4": "1.0", + "playbookContentId4": "Pure-Storage-Protection-Groups-Snapshot", + "_playbookContentId4": "[variables('playbookContentId4')]", + "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", + "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ 
@@ -95,7 +117,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PureStorageParser Data Parser with template version 3.0.2", + "description": "PureStorageFlashArrayParser Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", 
@@ -109,16 +131,16 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Pure Storage Parser", - "category": "PureStorageParser", - "functionAlias": "PureStorageParserV1", + "displayName": "Pure Storage FlashArray Parser", + "category": "PureStorageFlashArrayParser", + "functionAlias": "PureStorageFlashArrayParserV1", "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_regex(SyslogMessage, \"#012\", \"\\n\")\n| extend ParsedLog = extract_all(@\"((?P.*?)\\[(?P.*?)\\]:\\s(?P.*)\\[(?P\\w+)\\][\\s\\S]*Severity:\\s*(?P\\S+)\\s*(Tag:\\s*(?P\\S+))?\\s*UTC([\\s\\S]*)Array Name:\\s*(?P\\S+)\\s*Domain:\\s*(?P\\S+)\\s*(?P[\\s\\S]*))\", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)\n| mv-expand ParsedLog\n| extend ResidueLog = tostring(ParsedLog[8])\n| extend Rlog = extract_all(@\"(((Suggested Action:\\s*(?P[\\s\\S]*)\\s*Knowledge Base Article:\\s*(?P.*))|(Knowledge Base Article:\\s*(?P.*)\\s*Suggested Action:\\s*(?P.*)\\s*)|(Suggested Action:\\s*(?P[\\s\\S]*)))(([\\s\\S]*)Purity Version:\\s*(?P.*))?\\s*([\\s\\S]*)Variables: \\(below\\)\\s*(?P[\\s\\S]*))\", dynamic(['action','url','pversion','subject']),ResidueLog)\n| mv-expand Rlog\n| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]\n| project-away ResidueLog, Rlog, ParsedLog\n", "functionParameters": "", "version": 2, "tags": [ { "name": "description", - "value": "Parser to extract Pure Storage related info from log" + "value": "Parser to extract Pure Storage FlashArray related info from log" } ] } 
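Review bot: `functionAlias` changes from `PureStorageParserV1` to `PureStorageFlashArrayParserV1` with no compatibility alias, so any customer workbook, analytic rule or saved query that calls `PureStorageParserV1` stops resolving once the upgraded solution is deployed. The savedSearch resource name changes as well (`_parserName1` moves from `Pure Storage Parser` to `PureStorageFlashArrayParserV1` in the variables hunk above), and since nothing in this template removes the old resource, an upgraded workspace probably keeps a stale copy of the old function next to the new one. This file is generated from the parser YAML, so the fix belongs there, but the rename deserves a release-note entry and ideally a deprecation period in which the old alias is kept as a thin wrapper that calls the new function.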
@@ -131,7 +153,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Pure Storage Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashArrayParserV1')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", @@ -161,7 +183,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('parserObject1').parserContentId1]", "contentKind": "Parser", - "displayName": "Pure Storage Parser", + "displayName": "Pure Storage FlashArray Parser", "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject1').parserContentId1,'-', '1.0.0')))]", "version": "[variables('parserObject1').parserVersion1]" 
@@ -174,16 +196,16 @@ "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", - "displayName": "Pure Storage Parser", - "category": "PureStorageParser", - "functionAlias": "PureStorageParserV1", + "displayName": "Pure Storage FlashArray Parser", + "category": "PureStorageFlashArrayParser", + "functionAlias": "PureStorageFlashArrayParserV1", "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_regex(SyslogMessage, \"#012\", \"\\n\")\n| extend ParsedLog = extract_all(@\"((?P.*?)\\[(?P.*?)\\]:\\s(?P.*)\\[(?P\\w+)\\][\\s\\S]*Severity:\\s*(?P\\S+)\\s*(Tag:\\s*(?P\\S+))?\\s*UTC([\\s\\S]*)Array Name:\\s*(?P\\S+)\\s*Domain:\\s*(?P\\S+)\\s*(?P[\\s\\S]*))\", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)\n| mv-expand ParsedLog\n| extend ResidueLog = tostring(ParsedLog[8])\n| extend Rlog = extract_all(@\"(((Suggested Action:\\s*(?P[\\s\\S]*)\\s*Knowledge Base Article:\\s*(?P.*))|(Knowledge Base Article:\\s*(?P.*)\\s*Suggested Action:\\s*(?P.*)\\s*)|(Suggested Action:\\s*(?P[\\s\\S]*)))(([\\s\\S]*)Purity Version:\\s*(?P.*))?\\s*([\\s\\S]*)Variables: \\(below\\)\\s*(?P[\\s\\S]*))\", dynamic(['action','url','pversion','subject']),ResidueLog)\n| mv-expand Rlog\n| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]\n| project-away ResidueLog, Rlog, ParsedLog\n", "functionParameters": "", "version": 2, "tags": [ { "name": "description", - "value": "Parser to extract Pure Storage related info from log" + "value": "Parser to extract Pure Storage FlashArray related info from log" } ] } 
@@ -197,7 +219,7 @@ "[variables('parserObject1')._parserId1]" ], "properties": { - "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Pure Storage Parser')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashArrayParserV1')]", "contentId": "[variables('parserObject1').parserContentId1]", "kind": "Parser", "version": "[variables('parserObject1').parserVersion1]", 
@@ -218,6 +240,138 @@ } } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject2').parserTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PureStorageFlashBladeParser Data Parser with template version 3.0.3", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject2').parserVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject2')._parserName2]", + "apiVersion": "2022-10-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Pure Storage FlashBlade Parser", + "category": "PureStorageFlashBladeParser", + "functionAlias": "PureStorageFlashBladeParserV1", + "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_string(SyslogMessage, \"#012\", \"\\n\")\n| extend UTCTime = extract(@\"UTC Time:\\s*(\\d{4}\\s\\w{3}\\s\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})\\sUTC\", 1, SyslogMessage)\n| extend PureAlertID = extract(@\"Alert ID: ([\\w-]+)\", 1, SyslogMessage)\n| extend PureMessage = extract(@\"\\(Alert ID: [\\w-]+\\)\\s(.*?)\\s\\[\\d+\\]\", 1, SyslogMessage)\n| extend PureSeverity = extract(@\"\\s(\\w+)\\s\", 1, SyslogMessage)\n| extend PureAlertState = extract(@\"purity\\.alert:\\s\\w+\\s(\\w+)\", 1, SyslogMessage)\n| extend PureObjectName = extract(@\"\\s(\\S+):\", 1, SyslogMessage)\n| extend PureProcessID = extract(@\"\\[(\\d+)\\]\", 1, SyslogMessage)\n| extend PureAction = extract(@\"Suggested 
Action:\\s*(.*?)(?:\\s*Knowledge Base Article:|$)\", 1, SyslogMessage)\n| extend PureUrl = extract(@\"Knowledge Base Article:\\s*(.*)\", 1, SyslogMessage)\n| project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Parser to extract Pure Storage FlashBlade related info from log" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashBladeParserV1')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "name": "Pure Storage", + "kind": "Solution", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Pure Storage", + "email": "[variables('_email')]" + }, + "support": { + "name": "purestoragemarketplaceadmin", + "email": "support@purestorage.com", + "tier": "Partner", + "link": "https://support.purestorage.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('parserObject2').parserContentId2]", + "contentKind": "Parser", + "displayName": "Pure Storage FlashBlade Parser", + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','pr','-', 
uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('parserObject2').parserContentId2,'-', '1.0.0')))]", + "version": "[variables('parserObject2').parserVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2022-10-01", + "name": "[variables('parserObject2')._parserName2]", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Pure Storage FlashBlade Parser", + "category": "PureStorageFlashBladeParser", + "functionAlias": "PureStorageFlashBladeParserV1", + "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_string(SyslogMessage, \"#012\", \"\\n\")\n| extend UTCTime = extract(@\"UTC Time:\\s*(\\d{4}\\s\\w{3}\\s\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})\\sUTC\", 1, SyslogMessage)\n| extend PureAlertID = extract(@\"Alert ID: ([\\w-]+)\", 1, SyslogMessage)\n| extend PureMessage = extract(@\"\\(Alert ID: [\\w-]+\\)\\s(.*?)\\s\\[\\d+\\]\", 1, SyslogMessage)\n| extend PureSeverity = extract(@\"\\s(\\w+)\\s\", 1, SyslogMessage)\n| extend PureAlertState = extract(@\"purity\\.alert:\\s\\w+\\s(\\w+)\", 1, SyslogMessage)\n| extend PureObjectName = extract(@\"\\s(\\S+):\", 1, SyslogMessage)\n| extend PureProcessID = extract(@\"\\[(\\d+)\\]\", 1, SyslogMessage)\n| extend PureAction = extract(@\"Suggested Action:\\s*(.*?)(?:\\s*Knowledge Base Article:|$)\", 1, SyslogMessage)\n| extend PureUrl = extract(@\"Knowledge Base Article:\\s*(.*)\", 1, SyslogMessage)\n| project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "Parser to extract Pure Storage FlashBlade 
related info from log" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "location": "[parameters('workspace-location')]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('parserObject2')._parserId2,'/'))))]", + "dependsOn": [ + "[variables('parserObject2')._parserId2]" + ], + "properties": { + "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'PureStorageFlashBladeParserV1')]", + "contentId": "[variables('parserObject2').parserContentId2]", + "kind": "Parser", + "version": "[variables('parserObject2').parserVersion2]", + "source": { + "kind": "Solution", + "name": "Pure Storage", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Pure Storage", + "email": "[variables('_email')]" + }, + "support": { + "name": "purestoragemarketplaceadmin", + "email": "support@purestorage.com", + "tier": "Partner", + "link": "https://support.purestorage.com" + } + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -227,7 +381,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PureFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "PureFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -249,7 +403,6 @@ "suppressionDuration": "PT1H", "suppressionEnabled": false, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CredentialAccess" ], 
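Review bot: In the FlashBlade parser query, `PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)` captures the first whitespace-bounded word anywhere in `SyslogMessage`, and `PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)` the first token that ends in a colon; neither is anchored to the `purity.alert:` marker the way `PureAlertState` is, so a message whose header is shaped differently (a relay prefix, a different process tag) silently yields something other than the severity and object in those fields. Anchoring both to the marker, for example `purity\.alert:\s(\w+)\s` for the severity if the severity really is the word right after it (the `\w+` placeholder in the `PureAlertState` pattern suggests that but does not prove it; confirm on a sample), would make the fields deterministic. The same two patterns are repeated in the duplicated savedSearch resource later in this hunk and in the inline copy inside `Analytic Rules/FB-FabricModuleUnhealthy.yaml`, so the change should be made once in the parser YAML and regenerated.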
@@ -258,168 +411,614 @@ ], "entityMappings": [ { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "HostIP", + "identifier": "Address" + } + ] + }, + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "PureLogin", + "identifier": "Name" + } + ] + }, + { + "entityType": "Host", + "fieldMappings": [ + { + "columnName": "PureArrayName", + "identifier": "HostName" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDynamicProperties": [] + }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "reopenClosedIncident": false + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "properties": { + "description": "Pure Storage Analytics Rule 1", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", + "source": { + "kind": "Solution", + "name": "Pure Storage", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Pure Storage", + "email": "[variables('_email')]" + }, + "support": { + "name": "purestoragemarketplaceadmin", + "email": "support@purestorage.com", + "tier": "Partner", + "link": "https://support.purestorage.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": 
"[variables('analyticRuleObject1')._analyticRulecontentId1]", + "contentKind": "AnalyticsRule", + "displayName": "Pure Failed Login", + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PureControllerFailed_AnalyticalRules Analytics Rule with template version 3.0.3", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "Detect controller failure and take appropriate response action.", + "displayName": "Pure Controller Failed", + "enabled": false, + "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_regex(SyslogMessage, \"#012\", \"\\n\")\n| extend ParsedLog = extract_all(@\"((?P.*?)\\[(?P.*?)\\]:\\s(?P.*)\\[(?P\\w+)\\][\\s\\S]*Severity:\\s*(?P\\S+)\\s*(Tag:\\s*(?P\\S+))?\\s*UTC([\\s\\S]*)Array Name:\\s*(?P\\S+)\\s*Domain:\\s*(?P\\S+)\\s*(?P[\\s\\S]*))\", 
dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)\n| mv-expand ParsedLog\n| extend ResidueLog = tostring(ParsedLog[8])\n| extend Rlog = extract_all(@\"(((Suggested Action:\\s*(?P[\\s\\S]*)\\s*Knowledge Base Article:\\s*(?P.*))|(Knowledge Base Article:\\s*(?P.*)\\s*Suggested Action:\\s*(?P.*)\\s*)|(Suggested Action:\\s*(?P[\\s\\S]*)))(([\\s\\S]*)Purity Version:\\s*(?P.*))?\\s*([\\s\\S]*)Variables: \\(below\\)\\s*(?P[\\s\\S]*))\", dynamic(['action','url','pversion','subject']),ResidueLog)\n| mv-expand Rlog\n| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]\n| project-away ResidueLog, Rlog, ParsedLog\n| where PureObject matches regex @\"(Controllers ct[0-9] have failed)\"", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "tactics": [ + "Execution" + ], + "techniques": [ + "T0871" + ], + "entityMappings": [ + { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDynamicProperties": [] + }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": false, + "lookbackDuration": "PT5H", + "matchingMethod": "AllEntities", + "reopenClosedIncident": false + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', 
last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "properties": { + "description": "Pure Storage Analytics Rule 2", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "source": { + "kind": "Solution", + "name": "Pure Storage", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Pure Storage", + "email": "[variables('_email')]" + }, + "support": { + "name": "purestoragemarketplaceadmin", + "email": "support@purestorage.com", + "tier": "Partner", + "link": "https://support.purestorage.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "contentKind": "AnalyticsRule", + "displayName": "Pure Controller Failed", + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "FB-FabricModuleUnhealthy_AnalyticalRules Analytics Rule with template version 3.0.3", + "mainTemplate": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "apiVersion": "2023-02-01-preview", + "kind": "NRT", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "External Fabric Module XFM1 is unhealthy", + "displayName": "External Fabric Module XFM1 is unhealthy", + "enabled": false, + "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_string(SyslogMessage, \"#012\", \"\\n\")\n| extend UTCTime = extract(@\"UTC Time:\\s*(\\d{4}\\s\\w{3}\\s\\d{1,2}\\s\\d{2}:\\d{2}:\\d{2})\\sUTC\", 1, SyslogMessage)\n| extend PureAlertID = extract(@\"Alert ID: ([\\w-]+)\", 1, SyslogMessage)\n| extend PureMessage = extract(@\"\\(Alert ID: [\\w-]+\\)\\s(.*?)\\s\\[\\d+\\]\", 1, SyslogMessage)\n| extend PureSeverity = extract(@\"\\s(\\w+)\\s\", 1, SyslogMessage)\n| extend PureAlertState = extract(@\"purity\\.alert:\\s\\w+\\s(\\w+)\", 1, SyslogMessage)\n| extend PureObjectName = extract(@\"\\s(\\S+):\", 1, SyslogMessage)\n| extend PureProcessID = extract(@\"\\[(\\d+)\\]\", 1, SyslogMessage)\n| extend PureAction = extract(@\"Suggested Action:\\s*(.*?)(?:\\s*Knowledge Base Article:|$)\", 1, SyslogMessage)\n| extend PureUrl = extract(@\"Knowledge Base Article:\\s*(.*)\", 1, SyslogMessage)\n| project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl\n| where PureMessage matches regex @\"(External Fabric Module XFM1 is unhealthy)\"", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "status": "Available", + "tactics": [ + "Execution" + ], + "techniques": [ + "T0871" + ], + "entityMappings": [ + { + 
"entityType": "IP", + "fieldMappings": [ + { + "columnName": "HostIP", + "identifier": "Address" + } + ] + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "incidentConfiguration": { + "groupingConfiguration": { + "enabled": false, + "lookbackDuration": "5h", + "matchingMethod": "AllEntities", + "reopenClosedIncident": false + }, + "createIncident": true + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", + "properties": { + "description": "Pure Storage Analytics Rule 3", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", + "source": { + "kind": "Solution", + "name": "Pure Storage", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Pure Storage", + "email": "[variables('_email')]" + }, + "support": { + "name": "purestoragemarketplaceadmin", + "email": "support@purestorage.com", + "tier": "Partner", + "link": "https://support.purestorage.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "contentKind": "AnalyticsRule", + "displayName": "External Fabric Module XFM1 is unhealthy", + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + } + }, 
+ { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Pure-Storage-File-System-Snapshot-WF Playbook with template version 3.0.3", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion1')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Pure-Storage-File-System-Snapshot-WF", + "type": "string" + } + }, + "variables": { + "AzuresentinelConnectionName": "[[concat('Azuresentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[[concat('Keyvault-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/account" + } + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/ip" + } + }, + "IP_Loop": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Get_secret": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(replace(items('IP_Loop')?['Address'], '.', '-'))}/value" + } + }, + "Fetching_API_version": { + "runAfter": { + "Get_secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/api_version", + "method": "GET" + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Retrieving_auth_token": { + "runAfter": { + "Fetching_API_version": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/login", + "method": "POST", + "headers": { + 
"api-token": "@{body('Get_secret')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Get_FileSystem_list": { + "runAfter": { + "Retrieving_auth_token": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(concat(replace(items('IP_Loop')?['Address'], '.', '-'),'-filesystem'))}/value" + } + }, + "FileSystem_snapshot": { + "runAfter": { + "Get_FileSystem_list": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/@{last(body('Fetching_API_version')?['versions'])}/file-system-snapshots", + "method": "POST", + "headers": { + "X-Auth-Token": "@{outputs('Retrieving_auth_token')?['headers']['x-auth-token']}" + }, + "queries": { + "source_names": "@{body('Get_FileSystem_list')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Logout_of_the_FlashBlade": { + "runAfter": { + "FileSystem_snapshot": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/logout", + "method": "POST", + "headers": { + "X-Auth-Token": "@{outputs('Retrieving_auth_token')?['headers']['x-auth-token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", + "connectionName": "[[variables('AzuresentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/Azuresentinel')]" + }, + "keyvault": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[[variables('KeyvaultConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + }, + "accessControl": { + "triggers": { + "allowedCallerIpAddresses": [ + { + "addressRange": "10.21.241.30-10.21.241.37" } - ], - "entityType": "IP" + ] }, - { - "fieldMappings": [ + "contents": { + "allowedCallerIpAddresses": [ { - "identifier": "Name", - "columnName": "PureLogin" + "addressRange": "10.21.241.30-10.21.241.37" } - ], - "entityType": "Account" + ] }, - { - "fieldMappings": [ + "actions": { + "allowedCallerIpAddresses": [ { - "identifier": "HostName", - "columnName": "PureArrayName" + "addressRange": "10.21.241.30-10.21.241.37" } - ], - "entityType": "Host" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDynamicProperties": [] - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "enabled": false, - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "lookbackDuration": "PT5H" + ] } } - } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "Pure-Storage-File-System-Snapshot", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", + 
"[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[[variables('AzuresentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Pure Storage Analytics Rule 1", - "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", - "source": { - "kind": "Solution", - "name": "Pure Storage", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Pure Storage", - "email": "[variables('_email')]" - }, - "support": { - "name": "purestoragemarketplaceadmin", - "email": "support@purestorage.com", - "tier": "Partner", - "link": "https://support.purestorage.com" + "displayName": "[[variables('AzuresentinelConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" } } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "contentKind": "AnalyticsRule", - "displayName": "Pure Failed Login", - "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", - "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "PureControllerFailed_AnalyticalRules Analytics Rule with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", - "parameters": {}, - "variables": {}, - "resources": [ + }, { - "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2023-02-01-preview", - "kind": "NRT", - "location": "[parameters('workspace-location')]", + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[[variables('KeyvaultConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", "properties": { - "description": "Detect controller failure and take appropriate response action.", - "displayName": "Pure Controller Failed", - "enabled": false, - "query": "Syslog\n| where SyslogMessage has \"purity.alert\"\n| extend Message = replace_regex(SyslogMessage, \"#012\", \"\\n\")\n| extend ParsedLog = extract_all(@\"((?P.*?)\\[(?P.*?)\\]:\\s(?P.*)\\[(?P\\w+)\\][\\s\\S]*Severity:\\s*(?P\\S+)\\s*(Tag:\\s*(?P\\S+))?\\s*UTC([\\s\\S]*)Array Name:\\s*(?P\\S+)\\s*Domain:\\s*(?P\\S+)\\s*(?P[\\s\\S]*))\", dynamic(['process','processid','object','objectname','responsecode','severity','reason','domainorigin','part2log']), Message)\n| mv-expand ParsedLog\n| extend ResidueLog = tostring(ParsedLog[8])\n| extend Rlog = 
extract_all(@\"(((Suggested Action:\\s*(?P[\\s\\S]*)\\s*Knowledge Base Article:\\s*(?P.*))|(Knowledge Base Article:\\s*(?P.*)\\s*Suggested Action:\\s*(?P.*)\\s*)|(Suggested Action:\\s*(?P[\\s\\S]*)))(([\\s\\S]*)Purity Version:\\s*(?P.*))?\\s*([\\s\\S]*)Variables: \\(below\\)\\s*(?P[\\s\\S]*))\", dynamic(['action','url','pversion','subject']),ResidueLog)\n| mv-expand Rlog\n| extend PureLogType = ParsedLog[0], PureProcessID = ParsedLog[1], PureObject = ParsedLog[2], PureCode = ParsedLog[4], PureSeverity = ParsedLog[5], PureReason = ParsedLog[6], PureObjectName = ParsedLog[3], PureDomainOrigin = ParsedLog[7], PureAction = Rlog[0], PureUrl = Rlog[1], PureVersion = Rlog[2], PureMessage = Rlog[3]\n| project-away ResidueLog, Rlog, ParsedLog\n| where PureObject matches regex @\"(Controllers ct[0-9] have failed)\"", - "severity": "High", - "suppressionDuration": "PT1H", - "suppressionEnabled": false, - "status": "Available", - "requiredDataConnectors": [], - "tactics": [ - "Execution" - ], - "techniques": [ - "T0871" - ], - "entityMappings": [ - { - "fieldMappings": [ - { - "identifier": "Address", - "columnName": "HostIP" - } - ], - "entityType": "IP" - } - ], - "eventGroupingSettings": { - "aggregationKind": "SingleAlert" - }, - "alertDetailsOverride": { - "alertDynamicProperties": [] - }, - "incidentConfiguration": { - "createIncident": true, - "groupingConfiguration": { - "enabled": false, - "reopenClosedIncident": false, - "matchingMethod": "AllEntities", - "lookbackDuration": "PT5H" - } + "displayName": "[[variables('KeyvaultConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", "properties": { - "description": "Pure Storage Analytics Rule 2", - "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "kind": "AnalyticsRule", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", "source": { "kind": "Solution", "name": "Pure Storage", 
@@ -437,34 +1036,64 @@ } } } - ] + ], + "metadata": { + "title": "Pure Storage FlashBlade File System Snapshot", + "description": "This playbook gets triggered when a Microsoft Sentinel Incident created for suspicious activity and it takes files system snapshot of specific file systems listed in key vault", + "prerequisites": [ + "1. Azure Key vault is required for storing the Pure Storage FlashBlade API token , create key vault if not exists", + "2. Store API token as a secret in vault, with your storage array IP in dash notation as key name. Eg: 8-8-8-8", + "3. Store file systems list as a secret in vault, with key name as follows. Eg: 8-8-8-8-filesystem", + "4. Store name of the file system to be snapshotted as comma separated values for the key created in previous step" + ], + "postDeployment": [ + "**a. Authorize playbook**", + "Once deployment is complete, we need to add the playbook in the access policy of the Keyvault [learn how](https://docs.microsoft.com/azure/key-vault/general/assign-access-policy-portal)" + ], + "lastUpdateTime": "2024-10-09T00:00:00Z", + "entities": [ + "IP", + "Host", + "Account" + ], + "tags": [ + "Remediation" + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "contentKind": "AnalyticsRule", - "displayName": "Pure Controller Failed", - "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", - "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": 
"Pure-Storage-File-System-Snapshot-WF", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName1')]", + "name": "[variables('playbookTemplateSpecName2')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Pure-Storage-User-Delete Playbook with template version 3.0.2", + "description": "Pure-Storage-User-Delete Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion1')]", + "contentVersion": "[variables('playbookVersion2')]", "parameters": { "PlaybookName": { "defaultValue": "Pure-Storage-User-Delete", @@ -744,12 +1373,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", "kind": "Playbook", - "version": "[variables('playbookVersion1')]", + "version": "[variables('playbookVersion2')]", "source": { "kind": "Solution", "name": "Pure Storage", 
@@ -802,27 +1431,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId1')]", + "contentId": "[variables('_playbookContentId2')]", "contentKind": "Playbook", "displayName": "Pure-Storage-User-Delete", - "contentProductId": "[variables('_playbookcontentProductId1')]", - "id": "[variables('_playbookcontentProductId1')]", - "version": "[variables('playbookVersion1')]" + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName2')]", + "name": "[variables('playbookTemplateSpecName3')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Pure-Storage-Volumes-Snapshot Playbook with template version 3.0.2", + "description": "Pure-Storage-Volumes-Snapshot Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", + "contentVersion": "[variables('playbookVersion3')]", "parameters": { "PlaybookName": { "defaultValue": "Pure-Storage-Volumes-Snapshot", 
@@ -1095,12 +1724,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", "kind": "Playbook", - "version": "[variables('playbookVersion2')]", + "version": "[variables('playbookVersion3')]", "source": { "kind": "Solution", "name": "Pure Storage", 
@@ -1153,27 +1782,27 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId2')]", + "contentId": "[variables('_playbookContentId3')]", "contentKind": "Playbook", "displayName": "Pure-Storage-Volumes-Snapshot", - "contentProductId": "[variables('_playbookcontentProductId2')]", - "id": "[variables('_playbookcontentProductId2')]", - "version": "[variables('playbookVersion2')]" + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName3')]", + "name": "[variables('playbookTemplateSpecName4')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Pure-Storage-Protection-Groups-Snapshot Playbook with template version 3.0.2", + "description": "Pure-Storage-Protection-Groups-Snapshot Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", + "contentVersion": "[variables('playbookVersion4')]", "parameters": { "PlaybookName": { "defaultValue": "Pure-Storage-Protection-Groups-Snapshot", 
@@ -1446,12 +2075,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", "kind": "Playbook", - "version": "[variables('playbookVersion3')]", + "version": "[variables('playbookVersion4')]", "source": { "kind": "Solution", "name": "Pure Storage", @@ -1506,12 +2135,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId3')]", + "contentId": "[variables('_playbookContentId4')]", "contentKind": "Playbook", "displayName": "Pure-Storage-Protection-Groups-Snapshot", - "contentProductId": "[variables('_playbookcontentProductId3')]", - "id": "[variables('_playbookcontentProductId3')]", - "version": "[variables('playbookVersion3')]" + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" } }, { @@ -1519,12 +2148,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Pure Storage", "publisherDisplayName": "purestoragemarketplaceadmin", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Solution for Microsoft Sentinel to ingest logs from PureStorage arrays

\n

Parsers: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Solution for Microsoft Sentinel to ingest logs from PureStorage arrays

\n

Parsers: 2, Analytic Rules: 3, Playbooks: 4

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -1554,6 +2183,11 @@ "contentId": "[variables('parserObject1').parserContentId1]", "version": "[variables('parserObject1').parserVersion1]" }, + { + "kind": "Parser", + "contentId": "[variables('parserObject2').parserContentId2]", + "version": "[variables('parserObject2').parserVersion2]" + }, { "kind": "AnalyticsRule", "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", @@ -1564,20 +2198,30 @@ "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" + }, { "kind": "Playbook", - "contentId": "[variables('_Pure-Storage-User-Delete')]", + "contentId": "[variables('_Pure-Storage-FlashBlade-File-System-Snapshot')]", "version": "[variables('playbookVersion1')]" }, { "kind": "Playbook", - "contentId": "[variables('_Pure-Storage-Volumes-Snapshot')]", + "contentId": "[variables('_Pure-Storage-User-Delete')]", "version": "[variables('playbookVersion2')]" }, { "kind": "Playbook", - "contentId": "[variables('_Pure-Storage-Protection-Groups-Snapshot')]", + "contentId": "[variables('_Pure-Storage-Volumes-Snapshot')]", "version": "[variables('playbookVersion3')]" + }, + { + "kind": "Playbook", + "contentId": "[variables('_Pure-Storage-Protection-Groups-Snapshot')]", + "version": "[variables('playbookVersion4')]" } ] }, diff --git a/Solutions/Pure Storage/Parsers/PureStorageParser.yaml b/Solutions/Pure Storage/Parsers/PureStorageFlashArrayParser.yaml similarity index 86% rename from Solutions/Pure Storage/Parsers/PureStorageParser.yaml rename to Solutions/Pure Storage/Parsers/PureStorageFlashArrayParser.yaml index 2eff657f811..8281c85bd60 100644 
--- a/Solutions/Pure Storage/Parsers/PureStorageParser.yaml +++ b/Solutions/Pure Storage/Parsers/PureStorageFlashArrayParser.yaml @@ -1,12 +1,12 @@ id: 008b25eb-aeec-4751-9a42-3a0102e9774b -Description: Parser to extract Pure Storage related info from log +Description: Parser to extract Pure Storage FlashArray related info from log Function: - Title: Pure Storage Parser + Title: Pure Storage FlashArray Parser Version: '1.0.0' LastUpdated: Jan 29th 2024 -Category: PureStorageParser -FunctionName: PureStorageParserV1 -FunctionAlias: PureStorageParserV1 +Category: PureStorageFlashArrayParser +FunctionName: PureStorageFlashArrayParserV1 +FunctionAlias: PureStorageFlashArrayParserV1 FunctionQuery: | Syslog | where SyslogMessage has "purity.alert" diff --git a/Solutions/Pure Storage/Parsers/PureStorageFlashBladeParser.yaml b/Solutions/Pure Storage/Parsers/PureStorageFlashBladeParser.yaml new file mode 100644 index 00000000000..fa7878444e2 --- /dev/null +++ b/Solutions/Pure Storage/Parsers/PureStorageFlashBladeParser.yaml 
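Review bot: Renaming `FunctionAlias` from `PureStorageParserV1` to `PureStorageFlashArrayParserV1` while keeping the same parser `id` (`008b25eb-…`) means the upgrade replaces the old function rather than adding a new one, so any analytic rule, workbook or saved query that still references `PureStorageParserV1` will stop resolving after 3.0.3 is installed. The solution's existing analytic rules are not in this chunk, so please confirm they were updated to the new alias, and record the alias rename as a breaking change in ReleaseNotes.md (the 3.0.3 entry only mentions additions). If backward compatibility is wanted, a thin `PureStorageParserV1` function that just calls `PureStorageFlashArrayParserV1` would keep old content working.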
@@ -0,0 +1,23 @@
+id: c76dff08-ca13-467d-a143-c33cc226585c
+Description: Parser to extract Pure Storage FlashBlade related info from log
+Function:
+ Title: Pure Storage FlashBlade Parser
+ Version: '1.0.0'
+ LastUpdated: Oct 10th 2024
+Category: PureStorageFlashBladeParser
+FunctionName: PureStorageFlashBladeParserV1
+FunctionAlias: PureStorageFlashBladeParserV1
+FunctionQuery: |
+ Syslog
+ | where SyslogMessage has "purity.alert"
+ | extend Message = replace_string(SyslogMessage, "#012", "\n")
+ | extend UTCTime = extract(@"UTC Time:\s*(\d{4}\s\w{3}\s\d{1,2}\s\d{2}:\d{2}:\d{2})\sUTC", 1, SyslogMessage)
+ | extend PureAlertID = extract(@"Alert ID: ([\w-]+)", 1, SyslogMessage)
+ | extend PureMessage = extract(@"\(Alert ID: [\w-]+\)\s(.*?)\s\[\d+\]", 1, SyslogMessage)
+ | extend PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)
+ | extend PureAlertState = extract(@"purity\.alert:\s\w+\s(\w+)", 1, SyslogMessage)
+ | extend PureObjectName = extract(@"\s(\S+):", 1, SyslogMessage)
+ | extend PureProcessID = extract(@"\[(\d+)\]", 1, SyslogMessage)
+ | extend PureAction = extract(@"Suggested Action:\s*(.*?)(?:\s*Knowledge Base Article:|$)", 1, SyslogMessage)
+ | extend PureUrl = extract(@"Knowledge Base Article:\s*(.*)", 1, SyslogMessage)
+ | project PureMessage, TimeGenerated, PureProcessID, HostIP, Computer, PureObjectName, PureSeverity, PureAlertID, PureAlertState, PureAction, PureUrl
\ No newline at end of file
diff --git a/Solutions/Pure Storage/Playbooks/Pure-Storage-FlashBlade-File-System-Snapshot/azuredeploy.json b/Solutions/Pure Storage/Playbooks/Pure-Storage-FlashBlade-File-System-Snapshot/azuredeploy.json
new file mode 100644
index 00000000000..48602eae961
--- /dev/null
+++ b/Solutions/Pure Storage/Playbooks/Pure-Storage-FlashBlade-File-System-Snapshot/azuredeploy.json
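Review bot: The new parser selects rows with the same predicate as the renamed FlashArray parser (its first visible query lines are likewise `Syslog | where SyslogMessage has "purity.alert"`) and adds no FlashBlade-specific discriminator, so `PureStorageFlashBladeParserV1` and `PureStorageFlashArrayParserV1` appear to return the same syslog rows and an analytic rule built on one will also fire on the other product's alerts. If FlashBlade syslog is distinguishable (a `ProcessName`, `Facility` or product tag in the message), filter on it here, e.g. `| where ProcessName == "<flashblade process name>"`; the right field needs confirming against real FlashBlade samples, which are not part of this change. `PureSeverity = extract(@"\s(\w+)\s", 1, SyslogMessage)` captures the first whitespace-delimited word anywhere in the message rather than the severity position; anchoring it the way `PureAlertState` does, `extract(@"purity\.alert:\s(\w+)\s", 1, SyslogMessage)`, is less likely to pick up a stray token. A header-field filter would also limit how much unrelated syslog that merely contains `purity.alert` lands in these columns, which matters because the parser feeds alerting and response playbooks.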
@@ -0,0 +1,322 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "Pure Storage FlashBlade File System Snapshot", + "description": "This playbook gets triggered when a Microsoft Sentinel Incident created for suspicious activity and it takes files system snapshot of specific file systems listed in key vault", + "prerequisites": [ + "1. Azure Key vault is required for storing the Pure Storage FlashBlade API token , create key vault if not exists", + "2. Store API token as a secret in vault, with your storage array IP in dash notation as key name. Eg: 8-8-8-8", + "3. Store file systems list as a secret in vault, with key name as follows. Eg: 8-8-8-8-filesystem", + "4. Store name of the file system to be snapshotted as comma separated values for the key created in previous step" + ], + "postDeployment": [ + "**a. Authorize playbook**", + "Once deployment is complete, we need to add the playbook in the access policy of the Keyvault [learn how](https://docs.microsoft.com/azure/key-vault/general/assign-access-policy-portal)" + ], + "prerequisitesDeployTemplateFile": "", + "lastUpdateTime": "2024-10-09T00:00:00.000Z", + "entities": [ + "IP", + "Host", + "Account" + ], + "tags": [ + "Remediation" + ], + "support": { + "tier": "community", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Pure Storage - security-solutions-support@purestorage.com" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "Pure-Storage-File-System-Snapshot-WF", + "type": "string" + } + }, + "variables": { + "AzuresentinelConnectionName": "[concat('Azuresentinel-', parameters('PlaybookName'))]", + "KeyvaultConnectionName": "[concat('Keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + 
"definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_Accounts": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/account" + } + }, + "Entities_-_Get_IPs": { + "runAfter": { + "Entities_-_Get_Accounts": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "path": "/entities/ip" + } + }, + "IP_Loop": { + "foreach": "@body('Entities_-_Get_IPs')?['IPs']", + "actions": { + "Get_secret": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(replace(items('IP_Loop')?['Address'], '.', '-'))}/value" + } + }, + "Fetching_API_version": { + "runAfter": { + "Get_secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/api_version", + "method": "GET" + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Retrieving_auth_token": { + 
"runAfter": { + "Fetching_API_version": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/login", + "method": "POST", + "headers": { + "api-token": "@{body('Get_secret')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Get_FileSystem_list": { + "runAfter": { + "Retrieving_auth_token": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "/secrets/@{encodeURIComponent(concat(replace(items('IP_Loop')?['Address'], '.', '-'),'-filesystem'))}/value" + } + }, + "FileSystem_snapshot": { + "runAfter": { + "Get_FileSystem_list": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/@{last(body('Fetching_API_version')?['versions'])}/file-system-snapshots", + "method": "POST", + "headers": { + "X-Auth-Token": "@{outputs('Retrieving_auth_token')?['headers']['x-auth-token']}" + }, + "queries": { + "source_names": "@{body('Get_FileSystem_list')?['value']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + }, + "Logout_of_the_FlashBlade": { + "runAfter": { + "FileSystem_snapshot": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "uri": "https://@{item()?['Address']}/api/logout", + "method": "POST", + "headers": { + "X-Auth-Token": "@{outputs('Retrieving_auth_token')?['headers']['x-auth-token']}" + } + }, + "runtimeConfiguration": { + "contentTransfer": { + "transferMode": "Chunked" + } + } + } + }, + "runAfter": { + "Entities_-_Get_IPs": [ + "Succeeded" + ] + }, + "type": "Foreach" + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", + "connectionName": 
"[variables('AzuresentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", + "connectionName": "[variables('KeyvaultConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + }, + "accessControl": { + "triggers": { + "allowedCallerIpAddresses": [ + { + "addressRange": "10.21.241.30-10.21.241.37" + } + ] + }, + "contents": { + "allowedCallerIpAddresses": [ + { + "addressRange": "10.21.241.30-10.21.241.37" + } + ] + }, + "actions": { + "allowedCallerIpAddresses": [ + { + "addressRange": "10.21.241.30-10.21.241.37" + } + ] + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "Pure-Storage-File-System-Snapshot", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2019-05-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzuresentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[variables('AzuresentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzuresentinelConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2018-07-01-preview", + "name": "[variables('KeyvaultConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('KeyvaultConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Keyvault')]" + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Pure Storage/ReleaseNotes.md b/Solutions/Pure Storage/ReleaseNotes.md index 2b103908cb2..d0950acf86e 100644 --- a/Solutions/Pure Storage/ReleaseNotes.md +++ b/Solutions/Pure Storage/ReleaseNotes.md @@ -1,4 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------| -| 3.0.1 | 03-05-2024 | Repackaged for parser issue fix on reinstall
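Review bot: The `accessControl` block near the end of the workflow resource hard-codes `allowedCallerIpAddresses` to `10.21.241.30-10.21.241.37` for triggers, contents and actions; that looks like a private range from a test environment that means nothing in a customer tenant, and restricting trigger callers to it will likely reject the callback from the Microsoft Sentinel automation service that fires the `Microsoft_Sentinel_incident` trigger. Remove the `accessControl` block (or expose it as a template parameter that defaults to an empty list) rather than ship an environment-specific allowlist. `Logout_of_the_FlashBlade` has `"runAfter": { "FileSystem_snapshot": ["Succeeded"] }`, so a failed or timed-out snapshot call leaves the FlashBlade session token alive until it expires; use `["Succeeded", "Failed", "TimedOut"]` so logout runs on every outcome. `Entities_-_Get_Accounts` is invoked but its output is never referenced inside `IP_Loop`, so it and the `Account` entry in `metadata.entities` can be dropped. The `postDeployment` step should also state that the playbook's managed identity needs only secret `Get` on the vault (or the Key Vault Secrets User role), since `Get_secret` and `Get_FileSystem_list` are the only vault operations.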
Added 2 new **Analytic Rules** and 3 new **Playbooks** | -| 3.0.0 | 05-02-2024 | Initial Solution Release - Parser Only | +| 3.0.3 | 05-11-2024 | Added new **Analytic Rule** a **Playbook** and a **Parser** | +| 3.0.2 | 09-05-2024 | Repackaged for **Parser** issue fix on reinstall | +| 3.0.1 | 03-05-2024 | Repackaged for **Parser** issue fix on reinstall
Added 2 new **Analytic Rules** and 3 new **Playbooks** | +| 3.0.0 | 05-02-2024 | Initial Solution Release - **Parser** Only | diff --git a/Solutions/README.md b/Solutions/README.md index 75f61267585..fd0d6cc1386 100644 --- a/Solutions/README.md +++ b/Solutions/README.md 
@@ -77,39 +77,10 @@ Since solutions use ARM templates, you can customize the solution text as well a ## Step 3 – Publish your solution -The Microsoft Sentinel solution publishing experience is powered by the [Microsoft Partner Center](https://docs.microsoft.com/partner-center/overview). +For a detailed walkthrough of how to publish your solutions, please refer to the following links - -### Registration (one-time) - -If you or your company is a first-time app publisher on Azure Marketplace, [follow the steps](https://docs.microsoft.com/azure/marketplace/partner-center-portal/create-account) to register and create a [Commercial Marketplace](https://docs.microsoft.com/azure/marketplace/overview) account in Partner Center. This process provides you with a unique **Publisher ID** and access to the Commercial Marketplace authoring and publishing experience, where you'll create, certify, and publish your solution. - -### Author and publish a solution offer - -The following steps reference the Partner Center's more detailed documentation. - -1. [Create an Azure application type offer](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer) and configure the offer setup details as per the relevant guidance. -> Ensure that the OfferID contains the keyword "sentinel". Consider using the format: `microsoft-sentinel-solution-` - -2. [Configure](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-properties) the Offer properties. - -3. Configure the [Offer listing details](https://docs.microsoft.com/azure/marketplace/azure-app-offer-listing), including the title, description, pictures, videos, support information, and so on. - * As one of your search keywords, add `f1de974b-f438-4719-b423-8bf704ba2aef` to have your solution appear in the Microsoft Sentinel content hub. - * Ensure to provide CSP (Cloud Solution Provider) Program contact and relevant CSP information as requested. 
This will enable you to offer the solution to CSP subscriptions and increased visibility and adoption of your solution. Refer to the [CSP FAQs](#csp-cloud-solution-provider) for further details on why this is recommended for Microsoft Sentinel solutions. - * If you want to start your solution in Preview (Public Preview), you can do so by appending "(Preview)" in the solution / offer title. This will ensure your offer gets tagged with Preview tag in Microsoft Sentinel Content hub. - -4. [Create a plan](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-plans) and select **Solution Template** as the plan type. - * If your offer needs to be available for customers from U.S. federal, state, local, or tribal entities, follow the steps to select the *Azure Government* check box and subsquent guidance. - -5. [Configure](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-solution) the **Solutions template** plan. This is where you’ll upload the zip file that you'd created in step two and set a version for your package. Make sure to follow the versioning guidance described in step 2, above. - -6. [Enable CSP for your offer](https://docs.microsoft.com/azure/marketplace/azure-app-marketing) by going to the *Resell through CSPs* tab in Partner Center and selecting *Any partner in the CSP program*. This will enable you to offer the solution to CSP subscriptions and increased visibility and adoption of your solution. Refer to the [CSP FAQs](#csp-cloud-solution-provider) for further details on why this is recommended for Microsoft Sentinel solutions. - -7. [Validate and test](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-test-publish) your solution offer. - -8. After the validation passes, [publish the offer live](https://docs.microsoft.com/azure/marketplace/create-new-azure-apps-offer-test-publish#publish-your-offer-live). This will trigger the certification process, which can take up to 3 business days. 
- - -**Note:** You must make the offer public in order for it to show up in the Microsoft Sentinel content hub so that customers can find it. +1. Publish solutions to Microsoft Sentinel - https://learn.microsoft.com/en-us/azure/sentinel/publish-sentinel-solutions +2. Solution tracking after publishing in the Microsoft Partner center - https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-post-publish-tracking ## Feedback diff --git a/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json b/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json index 58745037d18..dbc33554635 100644 --- a/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json +++ b/Solutions/RubrikSecurityCloud/Data/Solution_RubrikSecurityCloud.json @@ -22,7 +22,7 @@ "Data Connectors/RubrikWebhookEvents/RubrikWebhookEvents_FunctionApp.json" ], "BasePath": "C:\\Azure-Sentinel\\Solutions\\RubrikSecurityCloud", - "Version": "3.2.0", + "Version": "3.2.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/RubrikSecurityCloud/Package/3.2.1.zip b/Solutions/RubrikSecurityCloud/Package/3.2.1.zip new file mode 100644 index 00000000000..daeba8ac591 Binary files /dev/null and b/Solutions/RubrikSecurityCloud/Package/3.2.1.zip differ diff --git a/Solutions/RubrikSecurityCloud/Package/mainTemplate.json b/Solutions/RubrikSecurityCloud/Package/mainTemplate.json index 75944cc9801..43459c8a6e0 100644 --- a/Solutions/RubrikSecurityCloud/Package/mainTemplate.json +++ b/Solutions/RubrikSecurityCloud/Package/mainTemplate.json @@ -33,7 +33,7 @@ "email": "ben.meadowcroft@rubrik.com", "_email": "[variables('email')]", "_solutionName": "RubrikSecurityCloud", - "_solutionVersion": "3.2.0", + "_solutionVersion": "3.2.1", "solutionId": "rubrik_inc.rubrik_sentinel", "_solutionId": "[variables('solutionId')]", "RubrikCustomConnector": "RubrikCustomConnector", 
@@ -190,7 +190,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikCustomConnector Playbook with template version 3.2.0", + "description": "RubrikCustomConnector Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -356,7 +356,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikAnomalyAnalysis Playbook with template version 3.2.0", + "description": "RubrikAnomalyAnalysis Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", @@ -3413,7 +3413,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikAnomalyIncidentResponse Playbook with template version 3.2.0", + "description": "RubrikAnomalyIncidentResponse Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", 
@@ -4111,7 +4111,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikDataObjectDiscovery Playbook with template version 3.2.0", + "description": "RubrikDataObjectDiscovery Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -6722,7 +6722,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikFilesetRansomwareDiscovery Playbook with template version 3.2.0", + "description": "RubrikFilesetRansomwareDiscovery Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion5')]", @@ -7368,7 +7368,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikIOCScan Playbook with template version 3.2.0", + "description": "RubrikIOCScan Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion6')]", 
@@ -9821,7 +9821,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikPollAsyncResult Playbook with template version 3.2.0", + "description": "RubrikPollAsyncResult Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion7')]", @@ -10685,7 +10685,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikRansomwareDiscoveryAndFileRecovery Playbook with template version 3.2.0", + "description": "RubrikRansomwareDiscoveryAndFileRecovery Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion8')]", @@ -12613,7 +12613,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikRansomwareDiscoveryAndVMRecovery Playbook with template version 3.2.0", + "description": "RubrikRansomwareDiscoveryAndVMRecovery Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion9')]", 
@@ -16554,7 +16554,7 @@ "RubrikCustomConnector": { "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RubrikcustomconnectorConnectionName'))]", "connectionName": "[[variables('RubrikcustomconnectorConnectionName')]", - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/customApis/Rubrikcustomconnector')]" + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('Rubrik Connector name'))]" }, "keyvault_1": { "connectionId": "[[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]", @@ -16734,7 +16734,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikFileObjectContextAnalysis Playbook with template version 3.2.0", + "description": "RubrikFileObjectContextAnalysis Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion10')]", @@ -19991,7 +19991,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikUserIntelligenceAnalysis Playbook with template version 3.2.0", + "description": "RubrikUserIntelligenceAnalysis Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion11')]", 
@@ -21957,7 +21957,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikRetrieveUserIntelligenceInformation Playbook with template version 3.2.0", + "description": "RubrikRetrieveUserIntelligenceInformation Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion12')]", @@ -23657,7 +23657,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikAnomalyGenerateDownloadableLink Playbook with template version 3.2.0", + "description": "RubrikAnomalyGenerateDownloadableLink Playbook with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion13')]", @@ -24977,7 +24977,7 @@ "DownloadLink", "Rubrik" ], - "lastUpdateTime": "2024-04-22T00:14:11.499Z", + "lastUpdateTime": "2024-04-21T00:00:00Z", "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", @@ -25009,7 +25009,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RubrikSecurityCloud data connector with template version 3.2.0", + "description": "RubrikSecurityCloud data connector with template version 3.2.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -25438,7 +25438,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.2.0",
+ "version": "3.2.1",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "RubrikSecurityCloud",
diff --git a/Solutions/RubrikSecurityCloud/Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json b/Solutions/RubrikSecurityCloud/Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json
index bb1b66313f6..8e5f7a3b461 100644
--- a/Solutions/RubrikSecurityCloud/Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json
+++ b/Solutions/RubrikSecurityCloud/Playbooks/RubrikFileObjectContextAnalysis/azuredeploy.json
@@ -35,6 +35,7 @@
 "4. In principal section, search by copied object ID. Click next.",
 "5. Click review + create."
 ],
+ "lastUpdateTime": "2024-04-22T00:14:08.736Z",
 "entities": [
 "account",
 "url"
diff --git a/Solutions/RubrikSecurityCloud/Playbooks/RubrikRansomwareDiscoveryAndVMRecovery/azuredeploy.json b/Solutions/RubrikSecurityCloud/Playbooks/RubrikRansomwareDiscoveryAndVMRecovery/azuredeploy.json
index 2de8ba41ea9..ce65ed2d3b4 100644
--- a/Solutions/RubrikSecurityCloud/Playbooks/RubrikRansomwareDiscoveryAndVMRecovery/azuredeploy.json
+++ b/Solutions/RubrikSecurityCloud/Playbooks/RubrikRansomwareDiscoveryAndVMRecovery/azuredeploy.json
@@ -88,7 +88,7 @@
 {
 "properties": {
 "provisioningState": "Succeeded",
- "state": "Disabled",
+ "state": "Enabled",
 "definition": {
 "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
 "contentVersion": "1.0.0.0",
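Review bot: `"state": "Enabled"` on the RubrikRansomwareDiscoveryAndVMRecovery Logic App means the workflow's trigger is live as soon as the template deploys, which for a playbook that drives recovery actions is a behavioural change, yet the 3.2.1 release-note entry in this same commit describes only the custom-connector id fix. The playbook depends on the RubrikCustomConnector and keyvault_1 API connections referenced further down in this file, and those presumably still need post-deployment authorisation before a run can succeed. If enabling on deploy is intentional, say so in the release note; otherwise keep `"state": "Disabled"` so an operator enables the playbook deliberately once its connections are configured. The enclosing resource definition starts and ends outside the hunk.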
@@ -4044,7 +4044,7 @@
 "RubrikCustomConnector": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('RubrikcustomconnectorConnectionName'))]",
 "connectionName": "[variables('RubrikcustomconnectorConnectionName')]",
- "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/customApis/Rubrikcustomconnector')]"
+ "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/customApis/', parameters('Rubrik Connector name'))]"
 },
 "keyvault_1": {
 "connectionId": "[resourceId('Microsoft.Web/connections', variables('KeyvaultConnectionName'))]",
diff --git a/Solutions/RubrikSecurityCloud/ReleaseNotes.md b/Solutions/RubrikSecurityCloud/ReleaseNotes.md
index f58d0af8ae8..6dc9ee7d3e2 100644
--- a/Solutions/RubrikSecurityCloud/ReleaseNotes.md
+++ b/Solutions/RubrikSecurityCloud/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|---------------------------------------------|
+| 3.2.1 | 11-11-2024 | Fixed the issue of Custom Connector id parameter in RubrikRansomwareDiscoveryAndVmRecovery playbook. |
 | 3.2.0 | 24-02-2024 | Added 3 new Playbooks(RubrikFileObjectContextAnalysis, RubrikUserIntelligenceAnalysis, RubrikRetrieveUserIntelligenceInformation) for FileObject and User, fixed clusterLocation issue of Collect_IOC_Scan_Data adaptive card in RubrikRansomwareDiscoveryAndVmRecovery playbook and updated python packages to fix vulnerability CVE-2023-50782 of cryptography module. Enhanced Anomaly Analysis playbook and added RubrikAnomalyGenerateDownloadableLink playbook. |
 | 3.1.0 | 20-10-2023 | Updated the **DataConnector** code by implementing Durable Function App. |
 | 3.0.0 | 14-07-2023 | Updated the title in such a way that user can identify the adaptive card based on incident. |
\ No newline at end of file
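Review bot: The new `id` hand-assembles the custom connector resource path with concat(), while `connectionId` two lines above already uses resourceId(); the same value can be written `"id": "[resourceId('Microsoft.Web/customApis', parameters('Rubrik Connector name'))]"`, which resolves to the current subscription and resource group without string-building an ARM id. The `/resourceGroups/…/providers/Microsoft.Web/customApis/<name>` shape is the right one for a custom connector, so the fix itself looks correct; the removed `/locations/…/customApis/` form mirrors the location-scoped managed-API layout that custom APIs do not use. The hunk does not show the template's parameters section, so confirm a `Rubrik Connector name` parameter is declared there, and note the packaged copy of this path in Package/mainTemplate.json appears to be generated from this file and would pick up the same simplification. The enclosing connections object starts and ends outside the hunk.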
diff --git a/Solutions/SAP/sapcon-instance-update.sh b/Solutions/SAP/sapcon-instance-update.sh
index 5412a8aa2b6..85c5a2e0234 100755
--- a/Solutions/SAP/sapcon-instance-update.sh
+++ b/Solutions/SAP/sapcon-instance-update.sh
@@ -208,7 +208,7 @@ while IFS= read -r contname; do
 # Image is on preview, and no newer version is available
 log "Current agent is in preview branch, and release branch has an older build (current release id is $containerreleaseid, latest is $imagereleaseid). Not updating this agent"
 else
- log_update "Agent image for agent $contname is newer than the one in the container registry. Agent release id $containerreleaseid, release id of image available in container registry: $imagereleaseid. Not updating this agent"
+ log "Agent image for agent $contname is newer than the one in the container registry. Agent release id $containerreleaseid, release id of image available in container registry: $imagereleaseid. Not updating this agent"
 fi
 continue
 elif [ "$imagereleaseid" -gt "$containerreleaseid" ] || [ "$FORCE" == 1 ]; then
diff --git a/Solutions/SentinelOne/Data Connectors/SentinelOneAPISentinelConn.zip b/Solutions/SentinelOne/Data Connectors/SentinelOneAPISentinelConn.zip
index e8c6515379d..46bb8242999 100644
Binary files a/Solutions/SentinelOne/Data Connectors/SentinelOneAPISentinelConn.zip and b/Solutions/SentinelOne/Data Connectors/SentinelOneAPISentinelConn.zip differ
diff --git a/Solutions/SentinelOne/Data Connectors/requirements.txt b/Solutions/SentinelOne/Data Connectors/requirements.txt
index ec22576ddbb..56a4d3209cd 100644
--- a/Solutions/SentinelOne/Data Connectors/requirements.txt
+++ b/Solutions/SentinelOne/Data Connectors/requirements.txt
@@ -5,3 +5,5 @@ azure-storage-file-share==12.3.0
 azure-functions
 requests
+cffi
+cryptography
 
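Review bot: `cffi` and `cryptography` are added to the SentinelOne requirements without version pins, so every function-app build resolves whatever release is current on PyPI, and the SentinelOneAPISentinelConn.zip updated in this same commit is not reproducible from this file. The file already mixes pinned (`azure-storage-file-share==12.3.0`) and unpinned entries, but a cryptographic dependency is the one most worth pinning, since a silent major-version change can alter TLS or signing behaviour of the connector at its next deployment. Pin both to the versions the zip was built with, e.g. `cffi==<pinned version>` and `cryptography==<pinned version>`; the Snowflake requirements hunk further down in this commit does pin its cffi, so the two connectors are currently inconsistent.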
diff --git a/Solutions/Snowflake/Data Connectors/SnowflakeConn.zip b/Solutions/Snowflake/Data Connectors/SnowflakeConn.zip
index 7f5ad220bad..4c7b91ca69f 100644
Binary files a/Solutions/Snowflake/Data Connectors/SnowflakeConn.zip and b/Solutions/Snowflake/Data Connectors/SnowflakeConn.zip differ
diff --git a/Solutions/Snowflake/Data Connectors/azuredeploy_Snowflake_API_FunctionApp.json b/Solutions/Snowflake/Data Connectors/azuredeploy_Snowflake_API_FunctionApp.json
index 357177c235c..2d7e0056e83 100644
--- a/Solutions/Snowflake/Data Connectors/azuredeploy_Snowflake_API_FunctionApp.json
+++ b/Solutions/Snowflake/Data Connectors/azuredeploy_Snowflake_API_FunctionApp.json
@@ -143,7 +143,7 @@
 "alwaysOn": true,
 "reserved": true,
 "siteConfig": {
- "linuxFxVersion": "python|3.8"
+ "linuxFxVersion": "python|3.11"
 }
 },
diff --git a/Solutions/Snowflake/Data Connectors/requirements.txt b/Solutions/Snowflake/Data Connectors/requirements.txt
index c9774c5cbc7..1dd0d12913d 100644
--- a/Solutions/Snowflake/Data Connectors/requirements.txt
+++ b/Solutions/Snowflake/Data Connectors/requirements.txt
@@ -2,4 +2,5 @@ azure-functions
 requests==2.31.0
 python-dateutil==2.8.2
 azure-storage-file-share==12.5.0
-snowflake-connector-python==3.0.2
\ No newline at end of file
+snowflake-connector-python==3.0.2
+cffi==1.14.6
\ No newline at end of file
diff --git a/Solutions/Syslog/Data Connectors/template_Syslog.json b/Solutions/Syslog/Data Connectors/template_Syslog.json
index 72adbdf7134..604a041b47c 100644
--- a/Solutions/Syslog/Data Connectors/template_Syslog.json
+++ b/Solutions/Syslog/Data Connectors/template_Syslog.json
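Review bot: `cffi==1.14.6` pins a 2021 release in the same commit that moves the Snowflake function app to `"linuxFxVersion": "python|3.11"` in azuredeploy_Snowflake_API_FunctionApp.json; cffi 1.14.6 predates Python 3.11, and as far as I recall prebuilt 3.11 wheels only arrived in later cffi releases, so this pin would force a source build on the 3.11 image or fail to install. Verify the pin against the new runtime and use a cffi release that publishes 3.11 wheels (`cffi==<version with 3.11 support>`), and apply the same check to `snowflake-connector-python==3.0.2`, which this hunk keeps unchanged. Adding a comment in the file naming the runtime the pins were validated against, e.g. `# pins validated against python|3.11`, would stop the next runtime bump from repeating this.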
@@ -1,9 +1,8 @@
 {
 "id": "Syslog",
- "title": "Syslog",
+ "title": "Syslog via Legacy Agent",
 "publisher": "Microsoft",
- "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2223807&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
- "additionalRequirementBanner": "[Learn more](https://aka.ms/sysLogInfo)",
+ "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.\n\n[Learn more >](https://aka.ms/sysLogInfo)",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -56,7 +55,7 @@
 "instructionSteps": [
 {
 "title": "1. Install and onboard the agent for Linux",
- "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.",
+ "description": "You can collect Syslog events from your local machine by installing the agent on it. You can also collect Syslog generated on a different source by running the installation script below on the local machine, where the agent is installed.\n\n> Syslog logs are collected only from **Linux** agents.",
 "instructions": [
 {
 "parameters": {
@@ -105,4 +104,4 @@
 ]
 }
 ]
-}
\ No newline at end of file
+}
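Review bot: The new step description in the second hunk is hard to parse: the comma in `on the local machine, where the agent is installed` turns the qualifier into an aside, and "local machine" versus "different source" leaves unclear which machine the installation script runs on. A tighter wording that keeps both statements would be `"description": "Install the agent on the machine whose Syslog you want to collect. To collect Syslog generated on another source, run the installation script below on the machine where the agent is installed.\n\n> Syslog logs are collected only from **Linux** agents."`. The same descriptionMarkdown text is repeated in the Package/mainTemplate.json hunks later in this commit, which appear to be generated from this file, so the wording fix belongs here. The enclosing instructionSteps array continues outside the hunk.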
diff --git a/Solutions/Syslog/Package/3.0.7.zip b/Solutions/Syslog/Package/3.0.7.zip new file mode 100644 index 00000000000..8b8a91a502c Binary files /dev/null and b/Solutions/Syslog/Package/3.0.7.zip differ diff --git a/Solutions/Syslog/Package/mainTemplate.json b/Solutions/Syslog/Package/mainTemplate.json index e49e0bc701c..261c15d9624 100644 --- a/Solutions/Syslog/Package/mainTemplate.json +++ b/Solutions/Syslog/Package/mainTemplate.json @@ -49,7 +49,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Syslog", - "_solutionVersion": "3.0.6", + "_solutionVersion": "3.0.7", "solutionId": "azuresentinel.azure-sentinel-solution-syslog", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "Syslog", @@ -203,7 +203,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Syslog data connector with template version 3.0.6", + "description": "Syslog data connector with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -219,9 +219,9 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "Syslog", + "title": "Syslog via Legacy Agent", "publisher": "Microsoft", - "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2223807&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", + "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.\n\n[Learn more >](https://aka.ms/sysLogInfo)", "graphQueries": [ { "metricName": "Total data received", @@ -281,7 +281,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId1')]", "contentKind": "DataConnector", - "displayName": "Syslog", + "displayName": "Syslog via Legacy Agent", "contentProductId": "[variables('_dataConnectorcontentProductId1')]", "id": "[variables('_dataConnectorcontentProductId1')]", "version": "[variables('dataConnectorVersion1')]" 
@@ -325,9 +325,9 @@ "kind": "StaticUI", "properties": { "connectorUiConfig": { - "title": "Syslog", + "title": "Syslog via Legacy Agent", "publisher": "Microsoft", - "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2223807&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).", + "descriptionMarkdown": "Syslog is an event logging protocol that is common to Linux. Applications will send messages that may be stored on the local machine or delivered to a Syslog collector. When the Agent for Linux is installed, it configures the local Syslog daemon to forward messages to the agent. The agent then sends the message to the workspace.\n\n[Learn more >](https://aka.ms/sysLogInfo)", "graphQueries": [ { "metricName": "Total data received", @@ -349,8 +349,7 @@ ] } ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "[Learn more](https://aka.ms/sysLogInfo)" + "id": "[variables('_uiConfigId1')]" } } }, @@ -363,7 +362,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Syslog data connector with template version 3.0.6", + "description": "Syslog data connector with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", 
@@ -522,7 +521,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LinuxMachines Workbook with template version 3.0.6", + "description": "LinuxMachines Workbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -610,7 +609,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SyslogConnectorsOverviewWorkbook Workbook with template version 3.0.6", + "description": "SyslogConnectorsOverviewWorkbook Workbook with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -702,7 +701,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FailedLogonAttempts_UnknownUser_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FailedLogonAttempts_UnknownUser_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -730,16 +729,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ 
@@ -750,22 +749,22 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] } ] } @@ -821,7 +820,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_squid_events_for_mining_pools_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "NRT_squid_events_for_mining_pools_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -845,16 +844,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ @@ -865,31 +864,31 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "User" + "columnName": "User", + "identifier": "FullName" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "URL" + "columnName": "URL", + "identifier": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -945,7 +944,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "squid_cryptomining_pools_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "squid_cryptomining_pools_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -973,16 +972,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ @@ -993,39 +992,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "User" + "columnName": "User", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "URL" + "columnName": "URL", + "identifier": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -1081,7 +1080,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "squid_tor_proxies_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "squid_tor_proxies_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1109,16 +1108,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ @@ -1130,39 +1129,39 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "User" + "columnName": "User", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "URL" + "columnName": "URL", + "identifier": "Url" } - ], - "entityType": "URL" + ] } ] } 
@@ -1218,7 +1217,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ssh_potentialBruteForce_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "ssh_potentialBruteForce_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1246,16 +1245,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ @@ -1266,40 +1265,40 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Account" + "columnName": "Account", + "identifier": "Name" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" } - ], - "entityType": "Host" + ] }, { + "entityType": "AzureResource", "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "ResourceId" + "columnName": "ResourceId", + "identifier": "ResourceId" } - ], - "entityType": "AzureResource" + ] } ] } 
@@ -1355,7 +1354,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "sftp_file_transfer_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "sftp_file_transfer_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1383,16 +1382,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ 
@@ -1403,49 +1402,49 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "username" + "columnName": "username", + "identifier": "Name" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "src_ip" + "columnName": "src_ip", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "HostName" } - ], - "entityType": "Host" + ] }, { + "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "FileSample" + "columnName": "FileSample", + "identifier": "Name" } - ], - "entityType": "File" + ] } ], "customDetails": { - "FilesList": "fileslist", - "TransferCount": "count_distinct_filepath" + "TransferCount": "count_distinct_filepath", + "FilesList": "fileslist" }, "incidentConfiguration": { "groupingConfiguration": { - "matchingMethod": "Selected", + "enabled": true, "lookbackDuration": "5h", "groupByEntities": [ "Account", @@ -1509,7 +1508,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "sftp_file_transfer_folders_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "sftp_file_transfer_folders_above_threshold_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -1537,16 +1536,16 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "Syslog", "dataTypes": [ "Syslog" - ], - "connectorId": "Syslog" + ] }, { + "connectorId": "SyslogAma", "dataTypes": [ "Syslog" - ], - "connectorId": "SyslogAma" + ] } ], "tactics": [ @@ -1557,49 +1556,49 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "username" + "columnName": "username", + "identifier": "Name" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "src_ip" + "columnName": "src_ip", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "HostName" } - ], - "entityType": "Host" + ] }, { + "entityType": "File", "fieldMappings": [ { - "identifier": "Name", - "columnName": "DirSample" + "columnName": "DirSample", + "identifier": "Name" } - ], - "entityType": "File" + ] } ], "customDetails": { - "FilesList": "dirlist", - "TransferCount": "count_distinct_dirpath" + "TransferCount": "count_distinct_dirpath", + "FilesList": "dirlist" }, "incidentConfiguration": { "groupingConfiguration": { - "matchingMethod": "Selected", + "enabled": true, "lookbackDuration": "5h", "groupByEntities": [ "Account", 
@@ -1663,7 +1662,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CryptoCurrencyMiners_HuntingQueries Hunting Query with template version 3.0.6", + "description": "CryptoCurrencyMiners_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -1748,7 +1747,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SCXExecuteRunAsProviders_HuntingQueries Hunting Query with template version 3.0.6", + "description": "SCXExecuteRunAsProviders_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1833,7 +1832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CryptoThreatActivity_HuntingQueries Hunting Query with template version 3.0.6", + "description": "CryptoThreatActivity_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -1918,7 +1917,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareProcess_ForLxHost_HuntingQueries Hunting Query with template version 3.0.6", + "description": "RareProcess_ForLxHost_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -2003,7 +2002,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SchedTaskAggregation_HuntingQueries Hunting Query with template version 3.0.6", + "description": "SchedTaskAggregation_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2088,7 +2087,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SchedTaskEditViaCrontab_HuntingQueries Hunting Query with template version 3.0.6", + "description": "SchedTaskEditViaCrontab_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -2173,7 +2172,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "squid_abused_tlds_HuntingQueries Hunting Query with template version 3.0.6", + "description": "squid_abused_tlds_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -2258,7 +2257,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "squid_malformed_requests_HuntingQueries Hunting Query with template version 3.0.6", + "description": "squid_malformed_requests_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2343,7 +2342,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "squid_volume_anomalies_HuntingQueries Hunting Query with template version 3.0.6", + "description": "squid_volume_anomalies_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -2428,7 +2427,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SyslogConnectorsOverallStatus Data Parser with template version 3.0.6",
+ "description": "SyslogConnectorsOverallStatus Data Parser with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -2560,7 +2559,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SyslogConnectorsEventVolumebyDeviceProduct Data Parser with template version 3.0.6",
+ "description": "SyslogConnectorsEventVolumebyDeviceProduct Data Parser with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -2688,7 +2687,7 @@
 "apiVersion": "2023-04-01-preview",
 "location": "[parameters('workspace-location')]",
 "properties": {
- "version": "3.0.6",
+ "version": "3.0.7",
 "kind": "Solution",
 "contentSchemaVersion": "3.0.0",
 "displayName": "Syslog",
diff --git a/Solutions/Syslog/ReleaseNotes.md b/Solutions/Syslog/ReleaseNotes.md
index a070085aedd..1137f4b7e77 100644
--- a/Solutions/Syslog/ReleaseNotes.md
+++ b/Solutions/Syslog/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.7 | 04-11-2024 | Updated the Syslog **Data Connector** template to latest version |
 | 3.0.6 | 01-08-2024 | Updated **Analytic rules** for entity mappings and parameter for parser function |
 | 3.0.5 | 16-07-2024 | Added 2 new Workspace Function **Parsers** and a new **Workbook** |
 | 3.0.4 | 27-06-2024 | Updated Connectivity criteria query for **Data Connector** |
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportOrchestrator/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportOrchestrator/__init__.py
index 035caf2145f..90fe0fe5f32 100644
--- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportOrchestrator/__init__.py
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportOrchestrator/__init__.py
@@ -1,81 +1,84 @@ +import json import os import logging from datetime import timedelta from ..tenable_helper import TenableExportType, TenableStatus -import azure.functions as func import azure.durable_functions as df logger = logging.getLogger("azure.core.pipeline.policies.http_logging_policy") logger.setLevel(logging.WARNING) -asset_status_and_chunk = 'TenableAssetExportStatusAndSendChunks' -export_poll_schedule_minutes = int(os.getenv('TenableExportPollScheduleInMinutes', '1')) +asset_status_and_chunk = "TenableAssetExportStatusAndSendChunks" +export_poll_schedule_minutes = int(os.getenv("TenableExportPollScheduleInMinutes", "1")) + def orchestrator_function(context: df.DurableOrchestrationContext): - logging.info('started asset export orchestrator') + logging.info("started asset export orchestrator") job_details = context.get_input() - logging.info('loaded job details from orchestrator:') + logging.info("loaded job details from orchestrator:") logging.info(job_details) - asset_job_id = job_details['assetJobId'] if 'assetJobId' in job_details else '' - if asset_job_id == '': + asset_job_id = job_details["assetJobId"] if "assetJobId" in job_details else "" + if asset_job_id == "": return { - 'status': TenableStatus.no_job.value, - 'id': '', - 'chunks': [], - 'assetInstanceId': context.instance_id, - 'type': TenableExportType.asset.value + "status": TenableStatus.no_job.value, + "id": "", + "chunks": [], + "assetInstanceId": context.instance_id, + "type": TenableExportType.asset.value, } chunks = [] - logging.info(f'checking status of job {asset_job_id}, outside while loop') - job_status = yield context.call_activity(asset_status_and_chunk, asset_job_id) - logging.info(f'{asset_job_id} is currently in this state:') + logging.info(f"checking status of job {asset_job_id}, outside while loop") + start_time = job_details.get("start_time", 0) + str_activity_data = json.dumps({"asset_job_id": asset_job_id, "start_time": start_time}) + job_status = yield 
context.call_activity(asset_status_and_chunk, str_activity_data) + logging.info(f"{asset_job_id} is currently in this state:") logging.info(job_status) - logging.info(job_status['status']) + logging.info(job_status["status"]) - tio_status = ['ERROR', 'CANCELLED', 'FINISHED'] - while not 'status' in job_status or not (job_status['status'] in tio_status): + tio_status = ["ERROR", "CANCELLED", "FINISHED"] + while not "status" in job_status or not (job_status["status"] in tio_status): logging.info( - f'Checking {asset_job_id} after waking up again, inside while loop:') - job_status = yield context.call_activity(asset_status_and_chunk, asset_job_id) - logging.info(f'{asset_job_id} is currently in this state:') + f"Checking {asset_job_id} after waking up again, inside while loop:") + job_status = yield context.call_activity(asset_status_and_chunk, str_activity_data) + logging.info(f"{asset_job_id} is currently in this state:") logging.info(job_status) - if 'status' in job_status and job_status['status'] == 'FINISHED': - logging.info('job is completely finished!') - chunks = job_status['chunks_available'] - logging.info(f'Found these chunks: {chunks}') + if "status" in job_status and job_status["status"] == "FINISHED": + logging.info("job is completely finished!") + chunks = job_status["chunks_available"] + logging.info(f"Found these chunks: {chunks}") break - elif 'status' in job_status and job_status['status'] == 'ERROR': - logging.info('job is completed with Error status!') - chunks = job_status['chunks_available'] - logging.info(f'Found these chunks: {chunks}') + elif "status" in job_status and job_status["status"] == "ERROR": + logging.info("job is completed with Error status!") + chunks = job_status["chunks_available"] + logging.info(f"Found these chunks: {chunks}") break - elif 'status' in job_status and job_status['status'] == 'CANCELLED': - logging.info('job is completed with Cancelled status!') - chunks = job_status['chunks_available'] - logging.info(f'Found 
these chunks: {chunks}') + elif "status" in job_status and job_status["status"] == "CANCELLED": + logging.info("job is completed with Cancelled status!") + chunks = job_status["chunks_available"] + logging.info(f"Found these chunks: {chunks}") break else: - logging.info('not quite ready, going to sleep...') + logging.info("not quite ready, going to sleep...") next_check = context.current_utc_datetime + timedelta(minutes=export_poll_schedule_minutes) yield context.create_timer(next_check) - logging.info('Checking that chunks exist...') - logging.info(f'Number of chunks: {len(chunks)}') + logging.info("Checking that chunks exist...") + logging.info(f"Number of chunks: {len(chunks)}") tenable_status = TenableStatus.finished.value - if 'status' in job_status and (job_status['status'] == 'CANCELLED' or job_status['status'] == 'ERROR'): + if "status" in job_status and (job_status["status"] == "CANCELLED" or job_status["status"] == "ERROR"): tenable_status = TenableStatus.failed.value return { - 'status': tenable_status, - 'id': asset_job_id, - 'chunks': chunks, - 'assetInstanceId': context.instance_id, - 'type': TenableExportType.asset.value + "status": tenable_status, + "id": asset_job_id, + "chunks": chunks, + "assetInstanceId": context.instance_id, + "type": TenableExportType.asset.value, } diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/__init__.py index 523e3bc9e64..435a6b5bbe4 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/__init__.py 
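Review bot: `logging.info(job_status["status"])` immediately after the first `call_activity` raises KeyError when the activity result lacks a `status` key, which is exactly the case the `while` condition two lines later is written to tolerate; `logging.info(job_status.get("status"))` keeps the log line and the loop consistent. The new TenableComplianceExportOrchestrator in this diff repeats the same line before its own loop. As a point of style, `while not "status" in job_status or not (job_status["status"] in tio_status):` reads better as `while "status" not in job_status or job_status["status"] not in tio_status:`, the form the compliance orchestrator already uses, so the two copies stop drifting.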
@@ -1,78 +1,88 @@ +import json import logging import os from ..exports_queue import ExportsQueue, ExportsQueueNames from ..exports_store import ExportsTableStore, ExportsTableNames -from ..tenable_helper import TenableIO, TenableStatus, TenableExportType +from ..tenable_helper import TenableIO, TenableStatus, TenableExportType, update_checkpoint_for_last_chunk -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] assets_table_name = ExportsTableNames.TenableAssetExportTable.value assets_queue_name = ExportsQueueNames.TenableAssetExportsQueue.value + def send_chunks_to_queue(exportJobDetails): - logging.info(f'Sending chunk to queue.') - chunks = exportJobDetails.get('chunks_available', []) - exportJobId = exportJobDetails.get('exportJobId', '') + logging.info("Sending chunk to queue.") + chunks = exportJobDetails.get("chunks_available", []) + exportJobId = exportJobDetails.get("exportJobId", "") + start_time = exportJobDetails.get("start_time", 0) + job_status = exportJobDetails.get("status", "") if len(chunks) > 0: assets_table = ExportsTableStore(connection_string, assets_table_name) + update_checkpoint = False for chunk in chunks: + update_checkpoint = update_checkpoint_for_last_chunk(chunk, chunks, job_status) chunk_dtls = assets_table.get(exportJobId, str(chunk)) if chunk_dtls: - current_chunk_status = chunk_dtls['jobStatus'] + current_chunk_status = chunk_dtls["jobStatus"] if ( current_chunk_status == TenableStatus.sent_to_queue.value or current_chunk_status == TenableStatus.finished.value ): - logging.warning(f'Avoiding asset chunk duplicate processing -- {exportJobId} {chunk}. Current status: {current_chunk_status}') + logging.warning(f"Avoiding asset chunk duplicate processing -- {exportJobId} {chunk}. 
Current status: {current_chunk_status}") continue assets_table.merge(exportJobId, str(chunk), { - 'jobStatus': TenableStatus.sending_to_queue.value, - 'jobType': TenableExportType.asset.value + "jobStatus": TenableStatus.sending_to_queue.value, + "jobType": TenableExportType.asset.value }) assets_queue = ExportsQueue(connection_string, assets_queue_name) try: - sent = assets_queue.send_chunk_info(exportJobId, chunk) - logging.warn(f'chunk queued -- {exportJobId} {chunk}') - logging.warn(sent) + sent = assets_queue.send_chunk_info(exportJobId, chunk, start_time, update_checkpoint) + logging.warning(f"chunk queued -- {exportJobId} {chunk}") + logging.warning(sent) assets_table.merge(exportJobId, str(chunk), { - 'jobStatus': TenableStatus.sent_to_queue.value + "jobStatus": TenableStatus.sent_to_queue.value }) except Exception as e: - logging.warn( - f'Failed to send {exportJobId} - {chunk} to be processed') - logging.warn(e) + logging.warning( + f"Failed to send {exportJobId} - {chunk} to be processed") + logging.warning(e) assets_table.merge(exportJobId, str(chunk), { - 'jobStatus': TenableStatus.sent_to_queue_failed.value, - 'jobType': TenableExportType.asset.value + "jobStatus": TenableStatus.sent_to_queue_failed.value, + "jobType": TenableExportType.asset.value }) else: - logging.info('no chunk found to process.') + logging.info("no chunk found to process.") return -def main(exportJobId: str) -> object: - logging.info('using pyTenable client to check asset export job status') +def main(exportJob: str) -> object: + jsonExportObject = json.loads(exportJob) + exportJobId = jsonExportObject.get("asset_job_id", "") + start_time = jsonExportObject.get("start_time", 0) + logging.info("using pyTenable client to check asset export job status") logging.info( - f'checking status at assets/{exportJobId}/status') + f"checking status at assets/{exportJobId}/status") tio = TenableIO() - job_details = tio.exports.status('assets', exportJobId) + job_details = 
tio.exports.status("assets", exportJobId) logging.info( - f'received a response from assets/{exportJobId}/status') + f"received a response from assets/{exportJobId}/status") logging.info(job_details) - tio_status = ['ERROR', 'CANCELLED'] - if job_details['status'] not in tio_status: + tio_status = ["ERROR", "CANCELLED"] + if job_details["status"] not in tio_status: try: - job_details['exportJobId'] = exportJobId + job_details["exportJobId"] = exportJobId + job_details["start_time"] = start_time send_chunks_to_queue(job_details) except Exception as e: - logging.warn('error while sending chunks to queue') - logging.warn(job_details) - logging.warn(e) + logging.warning("error while sending chunks to queue") + logging.warning(job_details) + logging.warning(e) return job_details diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/function.json index 89e7dd83296..6116f03f684 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/function.json +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableAssetExportStatusAndSendChunks/function.json @@ -2,7 +2,7 @@ "scriptFile": "__init__.py", "bindings": [ { - "name": "exportJobId", + "name": "exportJob", "type": "activityTrigger", "direction": "in" } diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanTables/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanTables/__init__.py index 3a93700cc8a..3a4d379883d 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanTables/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanTables/__init__.py 
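Review bot: `update_checkpoint = update_checkpoint_for_last_chunk(chunk, chunks, job_status)` is computed from the `chunks_available` list of the current poll, and this activity runs on every poll while the export is still in progress; whether the helper returns True only for a terminal `job_status` is not visible in this diff, and if it does not, the checkpoint advance travels with a chunk that is not the export's final one and later chunks fall behind the new checkpoint. Please confirm that contract and record it at the call site, e.g. `# checkpoint may advance only with the final chunk of a terminal (FINISHED) export`. The `update_checkpoint = False` before the loop is dead, since the first iteration overwrites it. The new TenableComplianceExportStatusAndSendChunks activity has the same loop; its snake_case locals (`json_export_object`, `export_job_id`) are also the convention the new `jsonExportObject` here should follow.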
@@ -3,9 +3,11 @@ from ..exports_store import ExportsTableStore, ExportsTableNames -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] assets_export_table_name = ExportsTableNames.TenableAssetExportTable.value vuln_export_table_name = ExportsTableNames.TenableVulnExportTable.value +compliance_export_table_name = ExportsTableNames.TenableComplianceExportTable.value +ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False def remove_finished_chunks(table_client: ExportsTableStore): @@ -13,14 +15,14 @@ def remove_finished_chunks(table_client: ExportsTableStore): finished_chunks_by_job_id = {} for f in finished_jobs: - job_id = f['PartitionKey'] - chunk_id = f['RowKey'] - if not f['PartitionKey'] in finished_chunks_by_job_id: - finished_chunks_by_job_id[job_id] = [('delete', - {'PartitionKey': job_id, 'RowKey': chunk_id})] + job_id = f["PartitionKey"] + chunk_id = f["RowKey"] + if not f["PartitionKey"] in finished_chunks_by_job_id: + finished_chunks_by_job_id[job_id] = [("delete", + {"PartitionKey": job_id, "RowKey": chunk_id})] else: - finished_chunks_by_job_id[job_id].append(('delete', - {'PartitionKey': job_id, 'RowKey': chunk_id})) + finished_chunks_by_job_id[job_id].append(("delete", + {"PartitionKey": job_id, "RowKey": chunk_id})) logging.info(finished_chunks_by_job_id) batch_size = 50 @@ -28,7 +30,7 @@ def remove_finished_chunks(table_client: ExportsTableStore): batches = [finished_chunks_by_job_id[j][i:i + batch_size] for i in range(0, len(finished_chunks_by_job_id[j]), batch_size)] for batch in batches: - logging.info('deleting batch') + logging.info("deleting batch") table_client.batch(batch) 
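Review bot: `ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False` wraps a comparison that is already a bool; `ingest_compliance_data = os.environ.get("ComplianceDataIngestion", "False").lower() == "true"` says the same thing. The identical expression is added to TenableExportStarter in this diff as well; a single helper in tenable_helper would keep the two readings of the setting in step.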
@@ -36,8 +38,12 @@ def main(name: str) -> str: assets_table = ExportsTableStore( connection_string, assets_export_table_name) vuln_table = ExportsTableStore(connection_string, vuln_export_table_name) - logging.info('batch deleting finished chunks from asset table.') + logging.info("batch deleting finished chunks from asset table.") remove_finished_chunks(assets_table) - logging.info('batch deleting finished chunks from vuln table.') + logging.info("batch deleting finished chunks from vuln table.") remove_finished_chunks(vuln_table) + if ingest_compliance_data: + compliance_table = ExportsTableStore(connection_string, compliance_export_table_name) + logging.info("batch deleting finished chunks from compliance table.") + remove_finished_chunks(compliance_table) return True diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanUpOrchestrator/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanUpOrchestrator/__init__.py index e430084b8c0..d0c0d5c0172 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanUpOrchestrator/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableCleanUpOrchestrator/__init__.py 
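Review bot: the compliance cleanup is gated on `ingest_compliance_data`, but `first_run_setup` in this same diff creates the compliance table unconditionally, so a deployment that later turns the setting off keeps its finished compliance rows indefinitely. Running the cleanup unconditionally, as the asset and vuln branches do, avoids that: `compliance_table = ExportsTableStore(connection_string, compliance_export_table_name)` / `remove_finished_chunks(compliance_table)` with the `if` removed. The enclosing `def main(name: str) -> str:` (in the hunk's header context) is annotated `-> str` while the function returns `True`; `-> bool` would match.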
@@ -1,20 +1,20 @@ import os from datetime import timedelta -import azure.functions as func import azure.durable_functions as df -generate_stats_activity_name = 'TenableGenerateJobStats' -clean_tables_name = 'TenableCleanTables' -cleanup_schedule_minutes = int(os.getenv('TenableCleanupScheduleInMinutes', '10')) +generate_stats_activity_name = "TenableGenerateJobStats" +clean_tables_name = "TenableCleanTables" +cleanup_schedule_minutes = int(os.getenv("TenableCleanupScheduleInMinutes", "10")) -def orchestrator_function(context: df.DurableOrchestrationContext): - yield context.call_activity(generate_stats_activity_name, '') - yield context.call_activity(clean_tables_name, '') +def orchestrator_function(context: df.DurableOrchestrationContext): + yield context.call_activity(generate_stats_activity_name, "") + yield context.call_activity(clean_tables_name, "") next_check = context.current_utc_datetime + timedelta(minutes=cleanup_schedule_minutes) yield context.create_timer(next_check) context.continue_as_new(None) -main = df.Orchestrator.create(orchestrator_function) \ No newline at end of file + +main = df.Orchestrator.create(orchestrator_function) diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/__init__.py new file mode 100644 index 00000000000..77a1c5f2cc5 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/__init__.py 
@@ -0,0 +1,112 @@ +"""Orchestrator function for compliance export jobs.""" + +import json +import os +import logging +from datetime import timedelta +from ..tenable_helper import TenableExportType, TenableStatus + +import azure.durable_functions as df + +logger = logging.getLogger("azure.core.pipeline.policies.http_logging_policy") +logger.setLevel(logging.WARNING) + +compliance_status_and_chunk = "TenableComplianceExportStatusAndSendChunks" +export_poll_schedule_minutes = int(os.getenv("TenableExportPollScheduleInMinutes", "1")) +chunks_found_log = "Found these chunks: {}" + + +def orchestrator_function(context: df.DurableOrchestrationContext): + """ + Orchestrator function to check the status of compliance export job and store chunks_available. + + Args: + context: The durable orchestration context + + Returns: + A dictionary containing the status, id, chunks, complianceInstanceId and type of the job + """ + logging.info("started compliance export orchestrator") + job_details = context.get_input() + logging.info("loaded job details from orchestrator:") + logging.info(job_details) + + compliance_job_id = ( + job_details["complianceJobId"] if "complianceJobId" in job_details else "" + ) + if compliance_job_id == "": + return { + "status": TenableStatus.no_job.value, + "id": "", + "chunks": [], + "complianceInstanceId": context.instance_id, + "type": TenableExportType.compliance.value, + } + + chunks = [] + logging.info( + "checking status of job {}, outside while loop".format(compliance_job_id) + ) + start_time = job_details.get("start_time", 0) + str_activity_data = json.dumps({"compliance_job_id": compliance_job_id, "start_time": start_time}) + job_status = yield context.call_activity( + compliance_status_and_chunk, str_activity_data + ) + logging.info("{} is currently in this state:".format(compliance_job_id)) + logging.info(job_status) + logging.info(job_status["status"]) + + tio_status = ["ERROR", "CANCELLED", "FINISHED"] + while ("status" not in job_status) 
or (job_status["status"] not in tio_status): + logging.info( + "Checking {} after waking up again, inside while loop:".format( + compliance_job_id + ) + ) + job_status = yield context.call_activity( + compliance_status_and_chunk, str_activity_data + ) + logging.info("{} is currently in this state:".format(compliance_job_id)) + logging.info(job_status) + + if "status" in job_status and job_status["status"] == "FINISHED": + logging.info("job is completely finished!") + chunks = job_status["chunks_available"] + logging.info(chunks_found_log.format(chunks)) + break + elif "status" in job_status and job_status["status"] == "ERROR": + logging.info("job is completed with Error status!") + chunks = job_status["chunks_available"] + logging.info(chunks_found_log.format(chunks)) + break + elif "status" in job_status and job_status["status"] == "CANCELLED": + logging.info("job is completed with Cancelled status!") + chunks = job_status["chunks_available"] + logging.info(chunks_found_log.format(chunks)) + break + else: + logging.info("not quite ready, going to sleep...") + next_check = context.current_utc_datetime + timedelta( + minutes=export_poll_schedule_minutes + ) + yield context.create_timer(next_check) + + logging.info("Checking that chunks exist...") + logging.info("Number of chunks: {}".format(len(chunks))) + + tenable_status = TenableStatus.finished.value + if "status" in job_status and ( + job_status["status"] == "CANCELLED" or job_status["status"] == "ERROR" + ): + tenable_status = TenableStatus.failed.value + + return { + "status": tenable_status, + "id": compliance_job_id, + "chunks": chunks, + "complianceInstanceId": context.instance_id, + "type": TenableExportType.compliance.value, + } + + +main = df.Orchestrator.create(orchestrator_function) 
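Review bot: the three terminal branches inside the `while` loop have identical bodies apart from the log message, and the loop condition has already narrowed `job_status["status"]` to a member of `tio_status` when they run, so a single `if job_status.get("status") in tio_status:` branch that logs the status it found, reads `chunks_available` and breaks would say the same in a third of the lines. More broadly, this file is a near line-for-line copy of TenableAssetExportOrchestrator differing only in the input key, the activity name and the result key; the two have already drifted in quoting style and in the `not in` form, and a helper in tenable_helper parameterised on those three names would stop that.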
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/function.json new file mode 100644 index 00000000000..82fabb9a853 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportOrchestrator/function.json @@ -0,0 +1,10 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "context", + "type": "orchestrationTrigger", + "direction": "in" + } + ] +} \ No newline at end of file diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/__init__.py new file mode 100644 index 00000000000..5ba6491ffdf --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/__init__.py 
@@ -0,0 +1,111 @@ +"""Activity function to check compliance export job status and send chunks to queue.""" + +import json +import logging +import os + +from ..exports_queue import ExportsQueue, ExportsQueueNames +from ..exports_store import ExportsTableStore, ExportsTableNames +from ..tenable_helper import TenableIO, TenableStatus, TenableExportType, update_checkpoint_for_last_chunk + +connection_string = os.environ["AzureWebJobsStorage"] +compliance_table_name = ExportsTableNames.TenableComplianceExportTable.value +compliance_queue_name = ExportsQueueNames.TenableComplianceExportsQueue.value + + +def send_chunks_to_queue(export_job_details): + """ + Send chunks of a compliance export job to queue for processing. + + Args: + export_job_details: a dictionary containing the exportJobId and chunks_available + """ + logging.info("Sending chunk to queue.") + chunks = export_job_details.get("chunks_available", []) + export_job_id = export_job_details.get("exportJobId", "") + start_time = export_job_details.get("start_time", 0) + job_status = export_job_details.get("status", "") + + if len(chunks) > 0: + compliance_table = ExportsTableStore(connection_string, compliance_table_name) + update_checkpoint = False + for chunk in chunks: + update_checkpoint = update_checkpoint_for_last_chunk(chunk, chunks, job_status) + chunk_dtls = compliance_table.get(export_job_id, str(chunk)) + if chunk_dtls: + current_chunk_status = chunk_dtls["jobStatus"] + if ( + current_chunk_status == TenableStatus.sent_to_queue.value + or current_chunk_status == TenableStatus.finished.value + ): + logging.warning( + "Avoiding compliance chunk duplicate processing -- {} {}. 
Current status: {}".format( + export_job_id, chunk, current_chunk_status + ) + ) + continue + + compliance_table.merge( + export_job_id, + str(chunk), + { + "jobStatus": TenableStatus.sending_to_queue.value, + "jobType": TenableExportType.compliance.value, + }, + ) + + compliance_queue = ExportsQueue(connection_string, compliance_queue_name) + try: + sent = compliance_queue.send_chunk_info(export_job_id, chunk, start_time, update_checkpoint) + logging.warning("chunk queued -- {} {}".format(export_job_id, chunk)) + logging.warning(sent) + compliance_table.merge( + export_job_id, + str(chunk), + {"jobStatus": TenableStatus.sent_to_queue.value}, + ) + except Exception as err: + logging.warning( + "Failed to send {} - {} to be processed".format( + export_job_id, chunk + ) + ) + logging.warning(err) + + compliance_table.merge( + export_job_id, + str(chunk), + { + "jobStatus": TenableStatus.sent_to_queue_failed.value, + "jobType": TenableExportType.compliance.value, + }, + ) + else: + logging.info("no chunk found to process.") + return None + + +def main(exportJob: str) -> object: + """Check the status of compliance export job id.""" + json_export_object = json.loads(exportJob) + export_job_id = json_export_object.get("compliance_job_id", "") + start_time = json_export_object.get("start_time", 0) + logging.info("using pyTenable client to check compliance export job status") + logging.info("checking status at compliance/{}/status".format(export_job_id)) + tio = TenableIO() + job_details = tio.exports.status("compliance", export_job_id) + logging.info("received a response from compliance/{}/status".format(export_job_id)) + logging.info(job_details) + + tio_status = ["ERROR", "CANCELLED"] + if job_details["status"] not in tio_status: + try: + job_details["exportJobId"] = export_job_id + job_details["start_time"] = start_time + send_chunks_to_queue(job_details) + except Exception as err: + logging.warning("error while sending chunks to queue") + logging.warning(job_details) 
+ logging.warning(err) + + return job_details diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/function.json new file mode 100644 index 00000000000..3d1786e7411 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableComplianceExportStatusAndSendChunks/function.json @@ -0,0 +1,10 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "exportJob", + "type": "activityTrigger", + "direction": "in" + } + ] +} \ No newline at end of file diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportStarter/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportStarter/__init__.py index ce9f5f165fd..7154f73ac95 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportStarter/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportStarter/__init__.py 
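Review bot: the docstring of `main`, `Check the status of compliance export job id.`, does not describe its contract: `exportJob` is a JSON string produced by the orchestrator with `compliance_job_id` and `start_time` keys, and the return value is the Tenable status dict augmented with `exportJobId` and `start_time`. A short Args/Returns section stating that, plus that a malformed payload raises from `json.loads`, would let a reader follow the orchestrator → activity → queue hand-off without opening three files. The `send_chunks_to_queue` docstring likewise lists only `exportJobId` and `chunks_available` under Args, while the body now also reads `start_time` and `status`.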
@@ -1,32 +1,37 @@ import logging import os -from datetime import datetime, timedelta, timezone +from datetime import datetime, timezone from ..exports_store import ExportsTableStore, ExportsTableNames from ..exports_queue import ExportsQueue, ExportsQueueNames import azure.functions as func import azure.durable_functions as df -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] stats_table_name = ExportsTableNames.TenableExportStatsTable.value assets_export_table_name = ExportsTableNames.TenableAssetExportTable.value vuln_export_table_name = ExportsTableNames.TenableVulnExportTable.value +checkpoint_table_name = ExportsTableNames.TenableExportCheckpointTable.value assets_queue_name = ExportsQueueNames.TenableAssetExportsQueue.value vuln_queue_name = ExportsQueueNames.TenableVulnExportsQueue.value +compliance_export_table_name = ExportsTableNames.TenableComplianceExportTable.value +compliance_queue_name = ExportsQueueNames.TenableComplianceExportsQueue.value +ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False -orchestrator_function_name = 'TenableExportsOrchestrator' -cleanup_orchestrator_function_name = 'TenableCleanUpOrchestrator' + +orchestrator_function_name = "TenableExportsOrchestrator" +cleanup_orchestrator_function_name = "TenableCleanUpOrchestrator" async def start_new_orchestrator(client, is_first_run=False): stats_table = ExportsTableStore(connection_string, stats_table_name) if is_first_run: - instance_id = await client.start_new(orchestrator_function_name, None, {'isFirstRun': True}) + instance_id = await client.start_new(orchestrator_function_name, None, {"isFirstRun": True}) else: - instance_id = await client.start_new(orchestrator_function_name, None, {'isFirstRun': False}) + instance_id = await client.start_new(orchestrator_function_name, None, {"isFirstRun": False}) logging.info(f"Started orchestration with ID = '{instance_id}'.") 
- stats_table.merge('main', 'current', { - 'exportsInstanceId': instance_id + stats_table.merge("main", "current", { + "exportsInstanceId": instance_id }) return instance_id @@ -35,23 +40,30 @@ async def start_new_cleanup_orchestrator(client): stats_table = ExportsTableStore(connection_string, stats_table_name) instance_id = await client.start_new(cleanup_orchestrator_function_name, None, None) logging.info(f"Started clean up orchestration with ID = '{instance_id}'.") - stats_table.merge('main', 'current', { - 'cleanupInstanceId': instance_id + stats_table.merge("main", "current", { + "cleanupInstanceId": instance_id }) return instance_id def first_run_setup(): - logging.info('First run detected...') - logging.info('Setting up the following resources:') + logging.info("First run detected...") + logging.info("Setting up the following resources:") logging.info(stats_table_name) logging.info(assets_export_table_name) logging.info(vuln_export_table_name) + logging.info(checkpoint_table_name) logging.info(assets_queue_name) logging.info(vuln_queue_name) + if ingest_compliance_data: + logging.info(compliance_export_table_name) + logging.info(compliance_queue_name) stats_table = ExportsTableStore(connection_string, stats_table_name) stats_table.create() + checkpoint_table = ExportsTableStore(connection_string, checkpoint_table_name) + checkpoint_table.create() + asesets_table = ExportsTableStore( connection_string, assets_export_table_name) asesets_table.create() 
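Review bot: `first_run_setup` logs the compliance table and queue names only when `ingest_compliance_data` is true, yet the following hunk creates `compliance_table` and `compliance_queue` unconditionally, so the "Setting up the following resources" listing is incomplete whenever the setting is off. Either drop the `if ingest_compliance_data:` around the two `logging.info` calls so the log matches what is created, or gate the creation on the same flag; the former is the smaller change and matches how the unconditionally created checkpoint table is logged. `first_run_setup` continues past the end of this hunk.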
@@ -65,72 +77,84 @@ def first_run_setup(): vuln_queue = ExportsQueue(connection_string, vuln_queue_name) vuln_queue.create() - stats_table.post('main', 'current', { - 'exportsInstanceId': '', - 'cleanupInstanceId': '', - 'isFirstRun': False + compliance_table = ExportsTableStore(connection_string, compliance_export_table_name) + compliance_table.create() + + compliance_queue = ExportsQueue(connection_string, compliance_queue_name) + compliance_queue.create() + + stats_table.post("main", "current", { + "exportsInstanceId": "", + "cleanupInstanceId": "", + "isFirstRun": False }) + + checkpoint_table.post("assets", "timestamp", {"assets_timestamp": 0}) + + checkpoint_table.post("vulns", "timestamp", {"vulns_timestamp": 0}) + + checkpoint_table.post("compliance", "timestamp", {"compliance_timestamp": 0}) return async def main(mytimer: func.TimerRequest, starter: str) -> None: utc_timestamp = datetime.utcnow().replace( tzinfo=timezone.utc).isoformat() - logging.info('Python timer trigger function ran at %s', utc_timestamp) + logging.info("Python timer trigger function ran at %s", utc_timestamp) client = df.DurableOrchestrationClient(starter) store = ExportsTableStore( connection_string=connection_string, table_name=stats_table_name) - logging.info('looking in table storage for running instance') - job_info = store.get('main', 'current') - logging.info('results from table storage:') + logging.info("looking in table storage for running instance") + job_info = store.get("main", "current") + logging.info("results from table storage:") logging.info(job_info) if job_info is not None: - logging.info('checking if an existing instance was found...') - singleton_instance_id = job_info['exportsInstanceId'] if 'exportsInstanceId' in job_info else '' - logging.info(f'exports instance id value: {singleton_instance_id}') - if not singleton_instance_id == '': + logging.info("checking if an existing instance was found...") + singleton_instance_id = job_info["exportsInstanceId"] if 
"exportsInstanceId" in job_info else "" + logging.info(f"exports instance id value: {singleton_instance_id}") + if not singleton_instance_id == "": logging.info( - f'Located an existing orchestrator instance: {singleton_instance_id}') + f"Located an existing orchestrator instance: {singleton_instance_id}") existing_instance = await client.get_status(singleton_instance_id) logging.info(existing_instance) logging.info(existing_instance.runtime_status) if existing_instance is None or existing_instance.runtime_status in [df.OrchestrationRuntimeStatus.Completed, df.OrchestrationRuntimeStatus.Failed, df.OrchestrationRuntimeStatus.Terminated, None]: new_instance_id = await start_new_orchestrator(client) - logging.info(f'started new instance -- {new_instance_id}') + logging.info(f"started new instance -- {new_instance_id}") else: logging.info( - 'Export job is already currently running. Will try again later.') + "Export job is already currently running. Will try again later.") else: - logging.info('not a first run, but no instance id found yet.') - logging.info('starting new instance id.') + logging.info("not a first run, but no instance id found yet.") + logging.info("starting new instance id.") new_instance_id = await start_new_orchestrator(client) - logging.info(f'started new instance -- {new_instance_id}') + logging.info(f"started new instance -- {new_instance_id}") - logging.info('checking for an existing cleanup instance was found...') - cleanup_singleton_instance_id = job_info['cleanupInstanceId'] if 'cleanupInstanceId' in job_info else '' - if not cleanup_singleton_instance_id == '': + logging.info("checking for an existing cleanup instance was found...") + cleanup_singleton_instance_id = job_info["cleanupInstanceId"] if "cleanupInstanceId" in job_info else "" + if not cleanup_singleton_instance_id == "": logging.info( - f'Located an existing cleanup orchestrator instance: {cleanup_singleton_instance_id}') + f"Located an existing cleanup orchestrator instance: 
{cleanup_singleton_instance_id}") existing_cleanup_instance = await client.get_status(cleanup_singleton_instance_id) logging.info(existing_cleanup_instance) logging.info(existing_cleanup_instance.runtime_status) if existing_cleanup_instance is None or existing_cleanup_instance.runtime_status in [df.OrchestrationRuntimeStatus.Completed, df.OrchestrationRuntimeStatus.Failed, df.OrchestrationRuntimeStatus.Terminated, None]: new_cleanup_instance_id = await start_new_cleanup_orchestrator(client) logging.info( - f'started new instance -- {new_cleanup_instance_id}') + f"started new instance -- {new_cleanup_instance_id}") else: logging.info( - 'Cleanup job is already currently running. Will try again later.') + "Cleanup job is already currently running. Will try again later.") else: logging.info( - 'not a first run, but no cleanup instance id found yet.') - logging.info('starting new cleanup instance id.') + "not a first run, but no cleanup instance id found yet.") + logging.info("starting new cleanup instance id.") cleanup_new_instance_id = await start_new_cleanup_orchestrator(client) - logging.info(f'started new instance -- {cleanup_new_instance_id}') + logging.info(f"started new instance -- {cleanup_new_instance_id}") else: first_run_setup() await start_new_orchestrator(client, True) diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportsOrchestrator/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportsOrchestrator/__init__.py index 493fc620c3d..b3340e07ae1 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportsOrchestrator/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableExportsOrchestrator/__init__.py 
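Review bot: The three `checkpoint_table.post(...)` seed rows are written only from `first_run_setup`, which `main` calls only when `store.get("main", "current")` returns nothing; a deployment upgraded from a version that already has a stats row never creates the checkpoint table or its rows, and the orchestrator then reads `checkpoint_store.get("assets", "timestamp")` against a table that does not exist. A small idempotent helper run on every timer tick, before the `job_info` lookup, closes that gap without touching the first-run path; whether `ExportsTableStore.create()` tolerates an existing table is not visible here and should be confirmed in exports_store before relying on it. If the posts are also kept in `first_run_setup`, the helper's `get`-before-`post` check prevents double seeding.
```python
def ensure_checkpoint_rows():
    # Idempotent seeding for deployments upgraded past first_run_setup().
    # NOTE(review): assumes create() tolerates an existing table — confirm in exports_store.
    checkpoint_table = ExportsTableStore(connection_string, checkpoint_table_name)
    checkpoint_table.create()
    for key in ("assets", "vulns", "compliance"):
        if checkpoint_table.get(key, "timestamp") is None:
            checkpoint_table.post(key, "timestamp", {f"{key}_timestamp": 0})


async def main(mytimer: func.TimerRequest, starter: str) -> None:
    # … unchanged: timestamp logging, client and store construction …
    ensure_checkpoint_rows()
    job_info = store.get("main", "current")
    # … unchanged: singleton / cleanup instance handling …
```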
@@ -1,122 +1,200 @@ import logging import os -from datetime import timedelta, datetime, timezone +from datetime import timedelta +import time -import azure.functions as func import azure.durable_functions as df from ..exports_store import ExportsTableStore, ExportsTableNames from ..tenable_helper import TenableStatus, TenableExportType -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] +ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False stats_table_name = ExportsTableNames.TenableExportStatsTable.value +checkpoint_table_name = ExportsTableNames.TenableExportCheckpointTable.value export_schedule_minutes = int( - os.getenv('TenableExportScheduleInMinutes', '1440')) -start_asset_job_name = 'TenableStartAssetExportJob' -start_vuln_job_name = 'TenableStartVulnExportJob' -asset_orchestrator_name = 'TenableAssetExportOrchestrator' -vuln_orchestrator_name = 'TenableVulnExportOrchestrator' + os.getenv("TenableExportScheduleInMinutes", "1440")) +start_asset_job_name = "TenableStartAssetExportJob" +start_vuln_job_name = "TenableStartVulnExportJob" +asset_orchestrator_name = "TenableAssetExportOrchestrator" +vuln_orchestrator_name = "TenableVulnExportOrchestrator" +start_compliance_job_name = "TenableStartComplianceExportJob" +compliance_orchestrator_name = "TenableComplianceExportOrchestrator" + +def process_compliance_data(results, stats_store): + """Process compliance data and update Stats table. + + Args: + results (list): Results of sub-orchestrator calls. + stats_store (ExportsTableStore): Object of Stats table to be updated. 
+ """ + try: + compliance_job_finished = results[2] + compliance_id = compliance_job_finished["id"] if "id" in compliance_job_finished else "" + chunks = compliance_job_finished["chunks"] if "chunks" in compliance_job_finished else [ + ] + chunk_ids = ",".join(str(c) for c in chunks) + if compliance_id != "": + stats_store.merge(compliance_id, "prime", { + "status": TenableStatus.finished.value, + "chunks": chunk_ids, + "totalChunksCount": len(chunks) + }) + except IndexError as e: + logging.warning("compliance job returned no results") + logging.warning(e) + def orchestrator_function(context: df.DurableOrchestrationContext): - logging.info('started main orchestrator') + logging.info("started main orchestrator") logging.info( - f'instance id: f{context.instance_id} at {context.current_utc_datetime}') + f"instance id: f{context.instance_id} at {context.current_utc_datetime}") first_run = context.get_input() - if first_run is not None and 'isFirstRun' in first_run and first_run['isFirstRun'] == True: - filter_by_time = 0 + if first_run is not None and "isFirstRun" in first_run and first_run["isFirstRun"]: + assets_timestamp = 0 + vulns_timestamp = 0 + compliance_timestamp = 0 else: - filter_by_time = int( - (datetime.now(timezone.utc) - timedelta(minutes=export_schedule_minutes)).timestamp()) - logging.info('filter by time: %d', filter_by_time) + checkpoint_store = ExportsTableStore(connection_string, checkpoint_table_name) + assets_timestamp = checkpoint_store.get("assets", "timestamp").get("assets_timestamp", 0) + vulns_timestamp = checkpoint_store.get("vulns", "timestamp").get("vulns_timestamp", 0) + compliance_timestamp = checkpoint_store.get("compliance", "timestamp").get("compliance_timestamp", 0) - stats_store = ExportsTableStore(connection_string, stats_table_name) + logging.info("checkpoint timestamp value for assets: %d", assets_timestamp) + logging.info("checkpoint timestamp value for vulns: %d", vulns_timestamp) - asset_export_job_id = yield 
context.call_activity(start_asset_job_name, filter_by_time) - logging.info('retrieved a new asset job ID') - logging.warn( - f'instance id: f{context.instance_id} working with asset export job {asset_export_job_id}, sending to sub orchestrator') - - stats_store.merge(asset_export_job_id, 'prime', { - 'status': TenableStatus.processing.value, - 'exportType': TenableExportType.asset.value, - 'failedChunks': '', - 'chunks': '', - 'totalChunksCount': 0, - 'jobTimestamp': filter_by_time, - 'startedAt': context.current_utc_datetime.timestamp() + stats_store = ExportsTableStore(connection_string, stats_table_name) + asset_start_time = int(time.time()) + asset_export_job_id = yield context.call_activity(start_asset_job_name, assets_timestamp) + logging.info("retrieved a new asset job ID") + logging.warning( + f"instance id: f{context.instance_id} working with asset export job {asset_export_job_id}, sending to sub orchestrator") + + stats_store.merge(asset_export_job_id, "prime", { + "status": TenableStatus.processing.value, + "exportType": TenableExportType.asset.value, + "failedChunks": "", + "chunks": "", + "totalChunksCount": 0, + "jobTimestamp": assets_timestamp, + "startedAt": context.current_utc_datetime.timestamp() }) logging.info( - f'saved {asset_export_job_id} to stats table. moving to start vuln job.') - - vuln_export_job_id = yield context.call_activity(start_vuln_job_name, filter_by_time) - logging.info('retrieved a new vuln job ID') - logging.warn( - f'instance id: f{context.instance_id} working with vuln export job {vuln_export_job_id}, sending to sub orchestrator') - - stats_store.merge(vuln_export_job_id, 'prime', { - 'status': TenableStatus.processing.value, - 'exportType': TenableExportType.vuln.value, - 'failedChunks': '', - 'chunks': '', - 'totalChunksCount': 0, - 'jobTimestamp': filter_by_time, - 'startedAt': context.current_utc_datetime.timestamp() + f"saved {asset_export_job_id} to stats table. 
moving to start vuln job.") + vulns_start_time = int(time.time()) + vuln_export_job_id = yield context.call_activity(start_vuln_job_name, vulns_timestamp) + logging.info("retrieved a new vuln job ID") + logging.warning( + f"instance id: f{context.instance_id} working with vuln export job {vuln_export_job_id}, sending to sub orchestrator") + + stats_store.merge(vuln_export_job_id, "prime", { + "status": TenableStatus.processing.value, + "exportType": TenableExportType.vuln.value, + "failedChunks": "", + "chunks": "", + "totalChunksCount": 0, + "jobTimestamp": vulns_timestamp, + "startedAt": context.current_utc_datetime.timestamp() }) + if ingest_compliance_data: + compliance_start_time = int(time.time()) + compliance_export_job_id = yield context.call_activity(start_compliance_job_name, compliance_timestamp) + logging.info("retrieved a new compliance job ID") + logging.warning( + "instance id: {} working with compliance export job {}, sending to sub orchestrator".format( + context.instance_id, compliance_export_job_id + ) + ) + + logging.info("filter by time for compliance: %d", compliance_timestamp) + stats_store.merge(compliance_export_job_id, "prime", { + "status": TenableStatus.processing.value, + "exportType": TenableExportType.compliance.value, + "failedChunks": "", + "chunks": "", + "totalChunksCount": 0, + "jobTimestamp": compliance_timestamp, + "startedAt": context.current_utc_datetime.timestamp() + }) + logging.info( + "saved {} to stats table.".format(compliance_export_job_id)) + else: + logging.info("User opted not to ingest compliance data. 
Skipping compliance export job") asset_export = context.call_sub_orchestrator(asset_orchestrator_name, { - 'timestamp': filter_by_time, - 'assetJobId': asset_export_job_id, - 'mainOrchestratorInstanceId': context.instance_id + "timestamp": assets_timestamp, + "assetJobId": asset_export_job_id, + "mainOrchestratorInstanceId": context.instance_id, + "start_time": asset_start_time }) - stats_store.merge(asset_export_job_id, 'prime', { - 'status': TenableStatus.sent_to_sub_orchestrator.value + stats_store.merge(asset_export_job_id, "prime", { + "status": TenableStatus.sent_to_sub_orchestrator.value }) vuln_export = context.call_sub_orchestrator(vuln_orchestrator_name, { - 'timestamp': filter_by_time, - 'vulnJobId': vuln_export_job_id, - 'mainOrchestratorInstanceId': context.instance_id + "timestamp": vulns_timestamp, + "vulnJobId": vuln_export_job_id, + "mainOrchestratorInstanceId": context.instance_id, + "start_time": vulns_start_time }) - stats_store.merge(vuln_export_job_id, 'prime', { - 'status': TenableStatus.sent_to_sub_orchestrator.value + stats_store.merge(vuln_export_job_id, "prime", { + "status": TenableStatus.sent_to_sub_orchestrator.value }) - results = yield context.task_all([asset_export, vuln_export]) - logging.info('Finished both jobs!') + if ingest_compliance_data: + compliance_export = context.call_sub_orchestrator(compliance_orchestrator_name, { + "timestamp": compliance_timestamp, + "complianceJobId": compliance_export_job_id, + "mainOrchestratorInstanceId": context.instance_id, + "start_time": compliance_start_time + }) + stats_store.merge(compliance_export_job_id, "prime", { + "status": TenableStatus.sent_to_sub_orchestrator.value + }) + + results = yield context.task_all([asset_export, vuln_export, compliance_export]) + else: + logging.info("User opted not to ingest compliance data. 
Skipping compliance export sub orchestrator call.") + results = yield context.task_all([asset_export, vuln_export]) + logging.info("Finished all jobs!") logging.info(results) try: asset_job_finished = results[0] - asset_id = asset_job_finished['id'] if 'id' in asset_job_finished else '' - chunks = asset_job_finished['chunks'] if 'chunks' in asset_job_finished else [ + asset_id = asset_job_finished["id"] if "id" in asset_job_finished else "" + chunks = asset_job_finished["chunks"] if "chunks" in asset_job_finished else [ ] - chunk_ids = ','.join(str(c) for c in chunks) - if asset_id != '': - stats_store.merge(asset_id, 'prime', { - 'status': TenableStatus.finished.value, - 'chunks': chunk_ids, - 'totalChunksCount': len(chunks) + chunk_ids = ",".join(str(c) for c in chunks) + if asset_id != "": + stats_store.merge(asset_id, "prime", { + "status": TenableStatus.finished.value, + "chunks": chunk_ids, + "totalChunksCount": len(chunks) }) except IndexError as e: - logging.warn('asset job returned no results') - logging.warn(e) + logging.warning("asset job returned no results") + logging.warning(e) try: vuln_job_finished = results[1] - vuln_id = vuln_job_finished['id'] if 'id' in vuln_job_finished else '' - chunks = vuln_job_finished['chunks'] if 'chunks' in vuln_job_finished else [ + vuln_id = vuln_job_finished["id"] if "id" in vuln_job_finished else "" + chunks = vuln_job_finished["chunks"] if "chunks" in vuln_job_finished else [ ] - chunk_ids = ','.join(str(c) for c in chunks) - if vuln_id != '': - stats_store.merge(vuln_id, 'prime', { - 'status': TenableStatus.finished.value, - 'chunks': chunk_ids, - 'totalChunksCount': len(chunks) + chunk_ids = ",".join(str(c) for c in chunks) + if vuln_id != "": + stats_store.merge(vuln_id, "prime", { + "status": TenableStatus.finished.value, + "chunks": chunk_ids, + "totalChunksCount": len(chunks) }) except IndexError as e: - logging.warn('vuln job returned no results') - logging.warn(e) + logging.warning("vuln job returned no 
results") + logging.warning(e) + + # condition to process compliance job data only if user opted for it + if ingest_compliance_data: + process_compliance_data(results, stats_store) next_check = context.current_utc_datetime + \ timedelta(minutes=export_schedule_minutes) diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableGenerateJobStats/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableGenerateJobStats/__init__.py index 666afa8e22d..f599dc7906e 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableGenerateJobStats/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableGenerateJobStats/__init__.py @@ -5,10 +5,12 @@ from ..exports_store import ExportsTableStore, ExportsTableNames -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] stats_table_name = ExportsTableNames.TenableExportStatsTable.value assets_export_table_name = ExportsTableNames.TenableAssetExportTable.value vuln_export_table_name = ExportsTableNames.TenableVulnExportTable.value +compliance_export_table_name = ExportsTableNames.TenableComplianceExportTable.value +ingest_compliance_data = True if os.environ.get("ComplianceDataIngestion", "False").lower() == "true" else False def generate_finished_stats(table_client: ExportsTableStore, stats_table: ExportsTableStore): 
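Review bot: `asset_start_time = int(time.time())`, `vulns_start_time = int(time.time())` and `compliance_start_time = int(time.time())` read the wall clock inside a Durable orchestrator, which the runtime replays from history; each replay yields a different value, so the `start_time` handed to the sub-orchestrators (and, per the asset queue hunk further down, eventually written to the checkpoint) can be later than the moment the export job was actually requested, silently shrinking the next incremental window and dropping records from the SIEM feed. Replace all three with `int(context.current_utc_datetime.timestamp())`, which the hunk already uses for `startedAt` and which is replay-safe, and drop the new `import time`. Separately, `checkpoint_store.get("assets", "timestamp").get("assets_timestamp", 0)` (and the vulns and compliance lines after it) assumes the row exists; if `get` returns None for a missing row, as the timer trigger's `if job_info is not None` check suggests, a deployment upgraded without the checkpoint rows fails with AttributeError, so `(checkpoint_store.get("assets", "timestamp") or {}).get("assets_timestamp", 0)` is the defensive form. `orchestrator_function` continues past the end of the hunk.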
@@ -17,36 +19,36 @@ def generate_finished_stats(table_client: ExportsTableStore, stats_table: Export for fc in finished_chunks: logging.info(fc) - job_id = fc['PartitionKey'] - chunk_id = fc['RowKey'] - if not fc['PartitionKey'] in jobs_with_finished_chunks: + job_id = fc["PartitionKey"] + chunk_id = fc["RowKey"] + if not fc["PartitionKey"] in jobs_with_finished_chunks: jobs_with_finished_chunks[job_id] = { - 'chunks': [chunk_id] + "chunks": [chunk_id] } else: - jobs_with_finished_chunks[job_id]['chunks'].append(chunk_id) + jobs_with_finished_chunks[job_id]["chunks"].append(chunk_id) for job_id in jobs_with_finished_chunks.keys(): - logging.info(f'sending finished stats for {job_id}') - job = stats_table.get(job_id, 'prime') - existing_finished_chunks = job['finishedChunks'] if 'finishedChunks' in job else '' + logging.info(f"sending finished stats for {job_id}") + job = stats_table.get(job_id, "prime") + existing_finished_chunks = job["finishedChunks"] if "finishedChunks" in job else "" - ids = list(filter(None, existing_finished_chunks.split(','))) - to_add_ids = jobs_with_finished_chunks[job_id]['chunks'] + ids = list(filter(None, existing_finished_chunks.split(","))) + to_add_ids = jobs_with_finished_chunks[job_id]["chunks"] - logging.info(f'checking existing ids: {ids}') + logging.info(f"checking existing ids: {ids}") if sorted(ids) == sorted(to_add_ids): - logging.info('nothing to update here') + logging.info("nothing to update here") continue else: chunk_ids = list(set(ids) | set(to_add_ids)) - chunk_ids_comma_list = ','.join(str(c) for c in chunk_ids) + chunk_ids_comma_list = ",".join(str(c) for c in chunk_ids) - logging.info(f'adding in these chunks {chunk_ids} to finished list') + logging.info(f"adding in these chunks {chunk_ids} to finished list") chunk_count = len(chunk_ids) - result = stats_table.merge(job_id, 'prime', { - 'finishedChunks': chunk_ids_comma_list, - 'finishedChunkCount': chunk_count + result = stats_table.merge(job_id, "prime", { + 
"finishedChunks": chunk_ids_comma_list, + "finishedChunkCount": chunk_count }) logging.info(result) 
@@ -57,50 +59,50 @@ def generate_processing_stats(table_client: ExportsTableStore, stats_table: Expo for pc in processing_chunks: logging.info(pc) - job_id = pc['PartitionKey'] - chunk_id = pc['RowKey'] - if not pc['PartitionKey'] in jobs_with_processing_chunks: + job_id = pc["PartitionKey"] + chunk_id = pc["RowKey"] + if not pc["PartitionKey"] in jobs_with_processing_chunks: jobs_with_processing_chunks[job_id] = { - 'chunks': [chunk_id] + "chunks": [chunk_id] } else: - jobs_with_processing_chunks[job_id]['chunks'].append(chunk_id) + jobs_with_processing_chunks[job_id]["chunks"].append(chunk_id) for job_id in jobs_with_processing_chunks.keys(): - logging.info(f'sending processing stats for {job_id}') - job = stats_table.get(job_id, 'prime') - existing_processing_chunks = job['processingChunks'] if 'processingChunks' in job else '' - existing_finished_chunks = job['finishedChunks'] if 'finishedChunks' in job else '' - existing_failed_chunks = job['failedChunks'] if 'failedChunks' in job else '' - - finished_ids = list(filter(None, existing_finished_chunks.split(','))) - failed_ids = list(filter(None, existing_failed_chunks.split(','))) + logging.info(f"sending processing stats for {job_id}") + job = stats_table.get(job_id, "prime") + existing_processing_chunks = job["processingChunks"] if "processingChunks" in job else "" + existing_finished_chunks = job["finishedChunks"] if "finishedChunks" in job else "" + existing_failed_chunks = job["failedChunks"] if "failedChunks" in job else "" + + finished_ids = list(filter(None, existing_finished_chunks.split(","))) + failed_ids = list(filter(None, existing_failed_chunks.split(","))) processing_ids = list( - filter(None, existing_processing_chunks.split(','))) - to_add_ids = jobs_with_processing_chunks[job_id]['chunks'] + filter(None, existing_processing_chunks.split(","))) + to_add_ids = jobs_with_processing_chunks[job_id]["chunks"] chunk_ids = list((set(processing_ids) | set(to_add_ids) ) - set(finished_ids) - 
set(failed_ids)) chunk_ids_comma_list = ','.join(str(c) for c in chunk_ids) - logging.info(f'adding in these chunks {chunk_ids} to processing list') + logging.info(f"adding in these chunks {chunk_ids} to processing list") update_job = {} chunk_count = len(chunk_ids) if chunk_count > 0: - started_at = job['startedAt'] if 'startedAt' in job else 0 + started_at = job["startedAt"] if "startedAt" in job else 0 if started_at == 0: - update_job.update({'startedAt': datetime.now().timestamp()}) + update_job.update({"startedAt": datetime.now().timestamp()}) else: started_at_time = datetime.fromtimestamp( started_at) + timedelta(days=3) if started_at_time < datetime.now(): - update_job.update({'status': TenableStatus.failed.value}) + update_job.update({"status": TenableStatus.failed.value}) update_job.update({ - 'processingChunks': chunk_ids_comma_list, - 'processingChunkCount': chunk_count + "processingChunks": chunk_ids_comma_list, + "processingChunkCount": chunk_count }) - result = stats_table.merge(job_id, 'prime', update_job) + result = stats_table.merge(job_id, "prime", update_job) logging.info(result) 
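Review bot: `chunk_ids_comma_list = ','.join(str(c) for c in chunk_ids)` still uses single quotes while every neighbouring line in the hunk was switched to double quotes, and `result = stats_table.merge(job_id, 'prime', update_job)` in the `generate_failed_stats` hunk below has the same leftover; if the quote normalization is the intent of this change, these two lines should follow it. `generate_processing_stats` starts in the hunk header rather than the hunk body.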
@@ -110,41 +112,41 @@ def generate_failed_stats(table_client: ExportsTableStore, stats_table: ExportsT for fc in failed_chunks: logging.info(fc) - job_id = fc['PartitionKey'] - chunk_id = fc['RowKey'] - if not fc['PartitionKey'] in jobs_with_failed_chunks: + job_id = fc["PartitionKey"] + chunk_id = fc["RowKey"] + if not fc["PartitionKey"] in jobs_with_failed_chunks: jobs_with_failed_chunks[job_id] = { - 'chunks': [chunk_id], 'failedCount': 1} + "chunks": [chunk_id], "failedCount": 1} else: - jobs_with_failed_chunks[job_id]['chunks'].append(chunk_id) - jobs_with_failed_chunks[job_id]['failedCount'] += 1 + jobs_with_failed_chunks[job_id]["chunks"].append(chunk_id) + jobs_with_failed_chunks[job_id]["failedCount"] += 1 for job_id in jobs_with_failed_chunks.keys(): - logging.info(f'sending failure stats for {job_id}') - job = stats_table.get(job_id, 'prime') - existing_failed_chunks = job['failedChunks'] if 'failedChunks' in job else '' + logging.info(f"sending failure stats for {job_id}") + job = stats_table.get(job_id, "prime") + existing_failed_chunks = job["failedChunks"] if "failedChunks" in job else "" - ids = list(filter(None, existing_failed_chunks.split(','))) - to_add_ids = jobs_with_failed_chunks[job_id]['chunks'] + ids = list(filter(None, existing_failed_chunks.split(","))) + to_add_ids = jobs_with_failed_chunks[job_id]["chunks"] - logging.info(f'checking existing ids: {ids}') + logging.info(f"checking existing ids: {ids}") if sorted(ids) == sorted(to_add_ids): - logging.info('nothing to update here') + logging.info("nothing to update here") continue else: chunk_ids = list(set(ids) | set(to_add_ids)) - chunk_ids_comma_list = ','.join(str(c) for c in chunk_ids) + chunk_ids_comma_list = ",".join(str(c) for c in chunk_ids) - logging.info(f'adding in these chunks {chunk_ids} to failure list') + logging.info(f"adding in these chunks {chunk_ids} to failure list") update_job = {} chunk_count = len(chunk_ids) if chunk_count > 0: - update_job['status'] = 
TenableStatus.failed.value + update_job["status"] = TenableStatus.failed.value update_job.update({ - 'failedChunks': chunk_ids_comma_list, - 'failedChunkCount': chunk_count + "failedChunks": chunk_ids_comma_list, + "failedChunkCount": chunk_count }) result = stats_table.merge(job_id, 'prime', update_job) logging.info(result) @@ -152,9 +154,9 @@ def generate_failed_stats(table_client: ExportsTableStore, stats_table: ExportsT def main(name) -> str: stats_table = ExportsTableStore(connection_string, stats_table_name) - assets_table = ExportsTableStore( - connection_string, assets_export_table_name) + assets_table = ExportsTableStore(connection_string, assets_export_table_name) vuln_table = ExportsTableStore(connection_string, vuln_export_table_name) + compliance_table = ExportsTableStore(connection_string, compliance_export_table_name) generate_finished_stats(assets_table, stats_table) generate_finished_stats(vuln_table, stats_table) @@ -164,4 +166,9 @@ def main(name) -> str: generate_processing_stats(assets_table, stats_table) generate_processing_stats(vuln_table, stats_table) + + if ingest_compliance_data: + generate_finished_stats(compliance_table, stats_table) + generate_failed_stats(compliance_table, stats_table) + generate_processing_stats(compliance_table, stats_table) return True diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessAssetChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessAssetChunkFromQueue/__init__.py index 6b127366cd8..b7f946ce197 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessAssetChunkFromQueue/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessAssetChunkFromQueue/__init__.py 
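Review bot: In `main`, `compliance_table = ExportsTableStore(connection_string, compliance_export_table_name)` is constructed unconditionally while its only uses sit under `if ingest_compliance_data:` in the last hunk; moving the construction inside that block keeps the toggle-off path from touching compliance storage at all (whether the constructor performs I/O is not visible here). The annotated return type `-> str` also disagrees with `return True`, which the change leaves as is; `-> bool` matches the body.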
@@ -9,77 +9,91 @@ from ..tenable_helper import TenableIO, TenableStatus, TenableChunkPartitioner from tenable.errors import APIError -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] assets_table_name = ExportsTableNames.TenableAssetExportTable.value -workspace_id = os.environ['WorkspaceID'] -workspace_key = os.environ['WorkspaceKey'] -log_analytics_uri = os.getenv('LogAnalyticsUri', '') -log_type = 'Tenable_VM_Assets_CL' +checkpoint_table_name = ExportsTableNames.TenableExportCheckpointTable.value +workspace_id = os.environ["WorkspaceID"] +workspace_key = os.environ["WorkspaceKey"] +log_analytics_uri = os.getenv("LogAnalyticsUri", "") +log_type = "Tenable_VM_Assets_CL" def main(msg: func.QueueMessage) -> None: - logging.info('Python queue trigger function processed a queue item: %s', - msg.get_body().decode('utf-8')) - decoded_message = msg.get_body().decode('utf-8') + logging.info("Python queue trigger function processed a queue item: %s", + msg.get_body().decode("utf-8")) + decoded_message = msg.get_body().decode("utf-8") assets_table = ExportsTableStore(connection_string, assets_table_name) try: export_job_details = json.loads(decoded_message) - export_job_id = export_job_details.get('exportJobId', '') - chunk_id = export_job_details.get('chunkId', '') + export_job_id = export_job_details.get("exportJobId", "") + chunk_id = export_job_details.get("chunkId", "") + start_time = export_job_details.get("startTime", 0) + update_checkpoint = export_job_details.get("updateCheckpoint", False) - if export_job_id == '' or chunk_id == '': - logging.warn('missing information to process a chunk') - logging.warn(f'message sent - {decoded_message}') + if export_job_id == "" or chunk_id == "": + logging.warning("missing information to process a chunk") + logging.warning(f"message sent - {decoded_message}") raise Exception( - f'cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID 
{chunk_id}') + "cannot process without export job ID and chunk ID -- " + "found job ID {} - chunk ID {}".format(export_job_id, chunk_id) + ) else: logging.info( - 'using pyTenable client to download asset export job chunk') + "using pyTenable client to download asset export job chunk") logging.info( - f'downloading chunk at assets/{export_job_id}/chunks/{chunk_id}') + f"downloading chunk at assets/{export_job_id}/chunks/{chunk_id}") tio = TenableIO() try: - chunk = tio.exports.chunk('assets', export_job_id, chunk_id) + chunk = tio.exports.chunk("assets", export_job_id, chunk_id) logging.info( - f'received a response from assets/{export_job_id}/chunks/{chunk_id}') + f"received a response from assets/{export_job_id}/chunks/{chunk_id}") - # limiting individual chunk uploaded to sentinel to be < 30 MB size. - sub_chunks = TenableChunkPartitioner.partition_chunks_into_30MB_sub_chunks(chunk) + if len(chunk) == 0: + logging.info("No data found in chunk, chunk_id: {}, job_id: {}".format(chunk_id, export_job_id)) + else: + # limiting individual chunk uploaded to sentinel to be < 30 MB size. 
+ sub_chunks = TenableChunkPartitioner.partition_chunks_into_30MB_sub_chunks(chunk) - for sub_chunk in sub_chunks: - serialized_sub_chunk = json.dumps(sub_chunk) + for sub_chunk in sub_chunks: + serialized_sub_chunk = json.dumps(sub_chunk) - logging.info('Uploading sub-chunk with size: %d', len(serialized_sub_chunk)) + logging.info("Uploading sub-chunk with size: %d", len(serialized_sub_chunk)) - # Send to Azure Sentinel here - az_sentinel = AzureSentinel( - workspace_id, workspace_key, log_type, log_analytics_uri) + # Send to Azure Sentinel here + az_sentinel = AzureSentinel( + workspace_id, workspace_key, log_type, log_analytics_uri) - az_code = az_sentinel.post_data(serialized_sub_chunk) + az_code = az_sentinel.post_data(serialized_sub_chunk) - logging.warning( - f'Azure Sentinel reports the following status code: {az_code}') + logging.warning( + f"Azure Sentinel reports the following status code: {az_code}") assets_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.finished.value + "jobStatus": TenableStatus.finished.value }) + if update_checkpoint: + logging.info("Updating Assets checkpoint to value: {}".format(start_time)) + checkpoint_table = ExportsTableStore(connection_string, checkpoint_table_name) + checkpoint_table.merge("assets", "timestamp", { + "assets_timestamp": start_time + }) except APIError as e: - logging.warn( - f'Failure to retrieve asset data from Tenable. Response code: {e.code} Request ID: {e.uuid} Export Job ID: {export_job_id} Chunk ID: {chunk_id}') + logging.warning( + f"Failure to retrieve asset data from Tenable. 
Response code: {e.code} Request ID: {e.uuid} Export Job ID: {export_job_id} Chunk ID: {chunk_id}") assets_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value, - 'tenableFailedRequestId': e.uuid, - 'tenableFailedRequestStatusCode': e.code + "jobStatus": TenableStatus.failed.value, + "tenableFailedRequestId": e.uuid, + "tenableFailedRequestStatusCode": e.code }) raise Exception( - f'Retrieving from Tenable failed with status code {e.code}') + f"Retrieving from Tenable failed with status code {e.code}") except Exception as e: assets_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value + "jobStatus": TenableStatus.failed.value }) - logging.warn( - f'there was an error processing chunks. message sent - {decoded_message}') - logging.warn(e) + logging.warning( + f"there was an error processing chunks. message sent - {decoded_message}") + logging.warning(e) raise e diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/__init__.py new file mode 100644 index 00000000000..d6139aace77 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/__init__.py 
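Review bot: The checkpoint merge at the end of the success path trusts whatever the queue message carried: `start_time = export_job_details.get("startTime", 0)` defaults to 0, so a message with `updateCheckpoint` set but no `startTime` rewrites `assets_timestamp` to 0 and the next orchestration re-exports the full history. Guard the write with `if update_checkpoint and isinstance(start_time, int) and start_time > 0:` and log a warning when the guard rejects the value. Separately, the checkpoint advances as soon as the chunk flagged with `updateCheckpoint` finishes, while sibling chunks of the same export job may still fail through the `APIError` branch and be marked failed; if the flag is attached to the last chunk (the producer is outside this view), a failed sibling's records fall outside the next incremental window and are never retried, so advancing the checkpoint only once the job's failed-chunk count is zero would be the safer design. `main`'s body ends at `raise e` inside the hunk.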
@@ -0,0 +1,144 @@ +"""Queue trigger function for ingesting compliance export job chunks into Sentinel.""" + +import json +import logging +import os + +import azure.functions as func + +from ..exports_store import ExportsTableStore, ExportsTableNames +from ..azure_sentinel import AzureSentinel +from ..tenable_helper import TenableIO, TenableStatus, TenableChunkPartitioner +from tenable.errors import APIError + +connection_string = os.environ["AzureWebJobsStorage"] +compliance_table_name = ExportsTableNames.TenableComplianceExportTable.value +checkpoint_table_name = ExportsTableNames.TenableExportCheckpointTable.value +workspace_id = os.environ["WorkspaceID"] +workspace_key = os.environ["WorkspaceKey"] +log_analytics_uri = os.getenv("LogAnalyticsUri", "") +log_type = "Tenable_VM_Compliance_CL" + + +def main(msg: func.QueueMessage) -> None: + """Ingest compliance export job chunks into Sentinel.""" + logging.info( + "Python queue trigger function processed a queue item: %s", + msg.get_body().decode("utf-8"), + ) + decoded_message = msg.get_body().decode("utf-8") + compliance_table = ExportsTableStore(connection_string, compliance_table_name) + + try: + export_job_details = json.loads(decoded_message) + export_job_id = export_job_details.get("exportJobId", "") + chunk_id = export_job_details.get("chunkId", "") + start_time = export_job_details.get("startTime", 0) + update_checkpoint = export_job_details.get("updateCheckpoint", False) + + if export_job_id == "" or chunk_id == "": + logging.warning( + "missing information to process a chunk: message sent - {}".format( + decoded_message + ) + ) + raise Exception( + "cannot process without export job ID and chunk ID -- found job ID {} - chunk ID {}".format( + export_job_id, chunk_id + ) + ) + else: + logging.info( + "using pyTenable client to download compliance export job chunk" + ) + logging.info( + "downloading chunk at compliance/{}/chunks/{}".format( + export_job_id, chunk_id + ) + ) + tio = TenableIO() + try: + chunk 
= tio.exports.download_chunk( + "compliance", export_job_id, chunk_id + ) + logging.info( + "received a response from compliance/{}/chunks/{}".format( + export_job_id, chunk_id + ) + ) + if len(chunk) == 0: + logging.info( + "No data found in chunk, chunk_id: {}, job_id: {}".format( + chunk_id, export_job_id + ) + ) + else: + # limiting individual chunk uploaded to sentinel to be < 30 MB size. + sub_chunks = TenableChunkPartitioner.partition_chunks_into_30MB_sub_chunks(chunk) + + for sub_chunk in sub_chunks: + serialized_sub_chunk = json.dumps(sub_chunk) + + logging.info( + "Uploading sub-chunk with size: %d", + len(serialized_sub_chunk), + ) + + # Send to Azure Sentinel here + az_sentinel = AzureSentinel( + workspace_id, workspace_key, log_type, log_analytics_uri + ) + + az_code = az_sentinel.post_data(serialized_sub_chunk) + + logging.warning( + f"Azure Sentinel reports the following status code: {az_code}" + ) + + compliance_table.update_if_found( + export_job_id, + str(chunk_id), + {"jobStatus": TenableStatus.finished.value}, + ) + if update_checkpoint: + logging.info( + "Updating Compliance checkpoint to value: {}".format(start_time) + ) + checkpoint_table = ExportsTableStore( + connection_string, checkpoint_table_name + ) + checkpoint_table.merge( + "compliance", "timestamp", {"compliance_timestamp": start_time} + ) + except APIError as api_err: + logging.warning( + "Failure to retrieve compliance data from Tenable. 
Response code: {}" + " Request ID: {} Export Job ID: {} Chunk ID: {}".format( + api_err.code, api_err.uuid, export_job_id, chunk_id + ) + ) + compliance_table.update_if_found( + export_job_id, + str(chunk_id), + { + "jobStatus": TenableStatus.failed.value, + "tenableFailedRequestId": api_err.uuid, + "tenableFailedRequestStatusCode": api_err.code, + }, + ) + raise Exception( + "Retrieving from Tenable failed with status code {}".format( + api_err.code + ) + ) + + except Exception as err: + compliance_table.update_if_found( + export_job_id, str(chunk_id), {"jobStatus": TenableStatus.failed.value} + ) + logging.warning( + "there was an error processing chunks: message sent - {}: error - {}".format( + decoded_message, err + ) + ) + raise err diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/function.json new file mode 100644 index 00000000000..75f49dcbbe6 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessComplianceChunkFromQueue/function.json @@ -0,0 +1,12 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "msg", + "type": "queueTrigger", + "direction": "in", + "queueName": "tenable-compliance-export-queue", + "connection": "AzureWebJobsStorage" + } + ] +} \ No newline at end of file diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedAssetChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedAssetChunkFromQueue/__init__.py index aa13eba1f0b..cb8a6330264 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedAssetChunkFromQueue/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedAssetChunkFromQueue/__init__.py 
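Review bot: The outer `except Exception as err:` handler calls `compliance_table.update_if_found(export_job_id, str(chunk_id), ...)`, but when `json.loads(decoded_message)` raises, neither `export_job_id` nor `chunk_id` has been assigned yet, so the handler itself fails with an UnboundLocalError that hides the original parse error. Initialise both before the `try`: `export_job_id = ""` and `chunk_id = ""`. The same shape appears in the TenableProcessVulnChunkFromQueue hunk further down this diff. Separately, `az_code` from `az_sentinel.post_data(...)` is only logged (at WARNING even on success); if `post_data` signals a non-2xx response through its return value rather than by raising — not visible here — the chunk is still marked finished and the checkpoint advanced, so the code should be checked before the `update_if_found` and `checkpoint_table.merge` calls.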
@@ -6,37 +6,37 @@ import azure.functions as func -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] assets_table_name = ExportsTableNames.TenableAssetExportTable.value def main(msg: func.QueueMessage) -> None: - logging.info('Python queue trigger function processed a queue item: %s', - msg.get_body().decode('utf-8')) - decoded_message = msg.get_body().decode('utf-8') + logging.info("Python queue trigger function processed a queue item: %s", + msg.get_body().decode("utf-8")) + decoded_message = msg.get_body().decode("utf-8") try: export_job_details = json.loads(decoded_message) - export_job_id = export_job_details['exportJobId'] if 'exportJobId' in export_job_details else '' - chunk_id = export_job_details['chunkId'] if 'chunkId' in export_job_details else '' + export_job_id = export_job_details["exportJobId"] if "exportJobId" in export_job_details else "" + chunk_id = export_job_details["chunkId"] if "chunkId" in export_job_details else "" - if export_job_id == '' or chunk_id == '': - logging.warn('missing information to process a chunk') - logging.warn(f'message sent - {decoded_message}') - logging.warn( - f'cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}') - logging.warn('Removing from asset poison queue') + if export_job_id == "" or chunk_id == "": + logging.warning("missing information to process a chunk") + logging.warning(f"message sent - {decoded_message}") + logging.warning( + f"cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}") + logging.warning("Removing from asset poison queue") return assets_table = ExportsTableStore( connection_string, assets_table_name) if assets_table.get(export_job_id, chunk_id) is not None: assets_table.merge(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value + "jobStatus": TenableStatus.failed.value }) return except Exception as e: - 
logging.warn('Could not process job or chunk') - logging.warn(f'Raised this exception {e}') - logging.warn('Removing from asset poison queue') + logging.warning("Could not process job or chunk") + logging.warning(f"Raised this exception {e}") + logging.warning("Removing from asset poison queue") return diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/__init__.py new file mode 100644 index 00000000000..0f5e8188292 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/__init__.py 
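Review bot: `assets_table.get(export_job_id, chunk_id)` passes `chunk_id` exactly as decoded from JSON while the following `assets_table.merge(export_job_id, str(chunk_id), ...)` stringifies it; if the queue message carries `chunkId` as a number, the lookup and the write may address different row keys and the failed status is never recorded. Using `str(chunk_id)` in both calls, or converting once right after extraction, removes the inconsistency; `ExportsTableStore.get`'s signature is not visible here, so confirm it does not normalise the key itself. The same pattern is in the new TenableProcessFailedComplianceChunkFromQueue file and the TenableProcessFailedVulnChunkFromQueue hunk below. These lines are unchanged context in this hunk, whose own changes are quoting and `logging.warn` → `logging.warning`.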
@@ -0,0 +1,59 @@ +"""Queue trigger function for processing failed compliance export job chunks.""" + +import logging +import os +import json +from ..exports_store import ExportsTableStore, ExportsTableNames +from ..tenable_helper import TenableStatus + +import azure.functions as func + +connection_string = os.environ["AzureWebJobsStorage"] +compliance_table_name = ExportsTableNames.TenableComplianceExportTable.value + + +def main(msg: func.QueueMessage) -> None: + """Process failed compliance export job chunks. + + Args: + msg (func.QueueMessage): Queue message + """ + logging.info( + "Python queue trigger compliance failure function processed a queue item: %s", + msg.get_body().decode("utf-8"), + ) + decoded_message = msg.get_body().decode("utf-8") + + try: + export_job_details = json.loads(decoded_message) + export_job_id = ( + export_job_details["exportJobId"] + if "exportJobId" in export_job_details + else "" + ) + chunk_id = ( + export_job_details["chunkId"] if "chunkId" in export_job_details else "" + ) + + if export_job_id == "" or chunk_id == "": + logging.warning("missing information to process a chunk") + logging.warning("message sent - {}".format(decoded_message)) + logging.warning( + "cannot process without export job ID and chunk ID -- found job ID {} - chunk ID {}".format( + export_job_id, chunk_id + ) + ) + logging.warning("Removing from compliance poison queue") + return + + compliance_table = ExportsTableStore(connection_string, compliance_table_name) + if compliance_table.get(export_job_id, chunk_id) is not None: + compliance_table.merge( + export_job_id, str(chunk_id), {"jobStatus": TenableStatus.failed.value} + ) + return + except Exception as err: + logging.warning("Could not process job or chunk") + logging.warning("Raised this exception {}".format(err)) + logging.warning("Removing from compliance poison queue") + return 
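Review bot: `export_job_details["exportJobId"] if "exportJobId" in export_job_details else ""` (and the same expression for `chunkId`) spells out what `dict.get` already does, and the sibling processor added in this commit (TenableProcessComplianceChunkFromQueue) uses `export_job_details.get("exportJobId", "")`; using the same form here keeps the two new files consistent and shortens the parenthesised multi-line expressions to one line each. The bare `except Exception` that follows also catches a non-object payload (a JSON list would raise TypeError on the `in` test) and drains it from the poison queue like any other failure — acceptable for this handler, but worth a one-line comment such as `# poison-queue drain: any failure is logged and the message is acknowledged`.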
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/function.json new file mode 100644 index 00000000000..7a89b985b0d --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedComplianceChunkFromQueue/function.json @@ -0,0 +1,12 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "msg", + "type": "queueTrigger", + "direction": "in", + "queueName": "tenable-compliance-export-queue-poison", + "connection": "AzureWebJobsStorage" + } + ] +} \ No newline at end of file diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedVulnChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedVulnChunkFromQueue/__init__.py index 125bdf6a4c5..59a4a851be5 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedVulnChunkFromQueue/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessFailedVulnChunkFromQueue/__init__.py 
@@ -6,37 +6,37 @@ import azure.functions as func -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] vuln_table_name = ExportsTableNames.TenableVulnExportTable.value def main(msg: func.QueueMessage) -> None: - logging.info('Python queue trigger vuln failure function processed a queue item: %s', - msg.get_body().decode('utf-8')) - decoded_message = msg.get_body().decode('utf-8') + logging.info("Python queue trigger vuln failure function processed a queue item: %s", + msg.get_body().decode("utf-8")) + decoded_message = msg.get_body().decode("utf-8") try: export_job_details = json.loads(decoded_message) - export_job_id = export_job_details['exportJobId'] if 'exportJobId' in export_job_details else '' - chunk_id = export_job_details['chunkId'] if 'chunkId' in export_job_details else '' + export_job_id = export_job_details["exportJobId"] if "exportJobId" in export_job_details else "" + chunk_id = export_job_details["chunkId"] if "chunkId" in export_job_details else "" - if export_job_id == '' or chunk_id == '': - logging.warn('missing information to process a chunk') - logging.warn(f'message sent - {decoded_message}') - logging.warn( - f'cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}') - logging.warn('Removing from vuln poison queue') + if export_job_id == "" or chunk_id == "": + logging.warning("missing information to process a chunk") + logging.warning(f"message sent - {decoded_message}") + logging.warning( + f"cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}") + logging.warning("Removing from vuln poison queue") return vuln_table = ExportsTableStore( connection_string, vuln_table_name) if vuln_table.get(export_job_id, chunk_id) is not None: vuln_table.merge(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value + "jobStatus": TenableStatus.failed.value }) return except Exception as 
e: - logging.warn('Could not process job or chunk') - logging.warn(f'Raised this exception {e}') - logging.warn('Removing from vuln poison queue') + logging.warning("Could not process job or chunk") + logging.warning(f"Raised this exception {e}") + logging.warning("Removing from vuln poison queue") return diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessVulnChunkFromQueue/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessVulnChunkFromQueue/__init__.py index 798de698902..aa3d1d1f280 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessVulnChunkFromQueue/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableProcessVulnChunkFromQueue/__init__.py 
@@ -8,81 +8,97 @@ from ..azure_sentinel import AzureSentinel from tenable.errors import APIError -connection_string = os.environ['AzureWebJobsStorage'] +connection_string = os.environ["AzureWebJobsStorage"] vuln_table_name = ExportsTableNames.TenableVulnExportTable.value -workspace_id = os.environ['WorkspaceID'] -workspace_key = os.environ['WorkspaceKey'] -log_analytics_uri = os.getenv('LogAnalyticsUri', '') -log_type = 'Tenable_VM_Vuln_CL' +checkpoint_table_name = ExportsTableNames.TenableExportCheckpointTable.value +workspace_id = os.environ["WorkspaceID"] +workspace_key = os.environ["WorkspaceKey"] +log_analytics_uri = os.getenv("LogAnalyticsUri", "") +log_type = "Tenable_VM_Vuln_CL" logger = logging.getLogger("azure.core.pipeline.policies.http_logging_policy") logger.setLevel(logging.WARNING) def main(msg: func.QueueMessage) -> None: - logging.info('Python queue trigger function processed a queue item: %s', - msg.get_body().decode('utf-8')) - decoded_message = msg.get_body().decode('utf-8') + logging.info("Python queue trigger function processed a queue item: %s", + msg.get_body().decode("utf-8")) + decoded_message = msg.get_body().decode("utf-8") vuln_table = ExportsTableStore( connection_string, vuln_table_name) try: export_job_details = json.loads(decoded_message) - export_job_id = export_job_details.get('exportJobId', '') - chunk_id = export_job_details.get('chunkId', '') + export_job_id = export_job_details.get("exportJobId", "") + chunk_id = export_job_details.get("chunkId", "") + start_time = export_job_details.get("startTime", 0) + update_checkpoint = export_job_details.get("updateCheckpoint", False) - if export_job_id == '' or chunk_id == '': - logging.warn('missing information to process a chunk') - logging.warn(f'message sent - {decoded_message}') + if export_job_id == "" or chunk_id == "": + logging.warning("missing information to process a chunk") + logging.warning(f"message sent - {decoded_message}") raise Exception( - f'cannot process without 
export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}') + f"cannot process without export job ID and chunk ID -- found job ID {export_job_id} - chunk ID {chunk_id}") else: logging.info( - 'using pyTenable client to download asset export job chunk') + "using pyTenable client to download vulnerability export job chunk") logging.info( - f'downloading chunk at vulns/{export_job_id}/chunks/{chunk_id}') + f"downloading chunk at vulns/{export_job_id}/chunks/{chunk_id}") tio = TenableIO() try: - chunk = tio.exports.chunk('vulns', export_job_id, chunk_id) + chunk = tio.exports.chunk("vulns", export_job_id, chunk_id) logging.info( - f'received a response from vulns/{export_job_id}/chunks/{chunk_id}') + f"received a response from vulns/{export_job_id}/chunks/{chunk_id}") - # limiting individual chunk uploaded to sentinel to be < 30 MB size. - sub_chunks = TenableChunkPartitioner.partition_chunks_into_30MB_sub_chunks(chunk) + if len(chunk) == 0: + logging.info("No data found in chunk, chunk_id: {}, job_id: {}".format(chunk_id, export_job_id)) + else: + # limiting individual chunk uploaded to sentinel to be < 30 MB size. 
+ sub_chunks = TenableChunkPartitioner.partition_chunks_into_30MB_sub_chunks(chunk) - for sub_chunk in sub_chunks: - serialized_sub_chunk = json.dumps(sub_chunk) + for sub_chunk in sub_chunks: + serialized_sub_chunk = json.dumps(sub_chunk) - logging.info('Uploading sub-chunk with size: %d', len(serialized_sub_chunk)) + logging.info("Uploading sub-chunk with size: %d", len(serialized_sub_chunk)) - # Send to Azure Sentinel here - az_sentinel = AzureSentinel( - workspace_id, workspace_key, log_type, log_analytics_uri) + # Send to Azure Sentinel here + az_sentinel = AzureSentinel( + workspace_id, workspace_key, log_type, log_analytics_uri) - az_code = az_sentinel.post_data(serialized_sub_chunk) + az_code = az_sentinel.post_data(serialized_sub_chunk) - logging.warning( - f'Azure Sentinel reports the following status code: {az_code}') + logging.warning( + f"Azure Sentinel reports the following status code: {az_code}") vuln_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.finished.value + "jobStatus": TenableStatus.finished.value }) + if update_checkpoint: + logging.info( + "Updating Vulns checkpoint to value: {}".format(start_time) + ) + checkpoint_table = ExportsTableStore( + connection_string, checkpoint_table_name + ) + checkpoint_table.merge( + "vulns", "timestamp", {"vulns_timestamp": start_time} + ) except APIError as e: - logging.warn( - f'Failure to retrieve asset data from Tenable. Response code: {e.code} Request ID: {e.uuid} Export Job ID: {export_job_id} Chunk ID: {chunk_id}') + logging.warning( + f"Failure to retrieve vulnerability data from Tenable. 
Response code: {e.code} Request ID: {e.uuid} Export Job ID: {export_job_id} Chunk ID: {chunk_id}") vuln_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value, - 'tenableFailedRequestId': e.uuid, - 'tenableFailedRequestStatusCode': e.code + "jobStatus": TenableStatus.failed.value, + "tenableFailedRequestId": e.uuid, + "tenableFailedRequestStatusCode": e.code }) raise Exception( - f'Retrieving from Tenable failed with status code {e.code}') + f"Retrieving from Tenable failed with status code {e.code}") except Exception as e: vuln_table.update_if_found(export_job_id, str(chunk_id), { - 'jobStatus': TenableStatus.failed.value + "jobStatus": TenableStatus.failed.value }) - logging.warn( - f'there was an error processing chunks. message sent - {decoded_message}') - logging.warn(e) + logging.warning( + f"there was an error processing chunks. message sent - {decoded_message}") + logging.warning(e) raise e diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartAssetExportJob/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartAssetExportJob/__init__.py index 0f317b1876c..a94cdc57de2 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartAssetExportJob/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartAssetExportJob/__init__.py 
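Review bot: `tio.exports.chunk("vulns", export_job_id, chunk_id)` is kept here while the compliance processor added in the same commit calls `tio.exports.download_chunk("compliance", ...)`; if both functions run against the same pyTenable version, one of the two method names is presumably the legacy alias, so it is worth aligning them now that this handler is being touched. The `logging.warning(f"Azure Sentinel reports the following status code: {az_code}")` line also logs at WARNING for every sub-chunk regardless of outcome, which makes real failures indistinguishable from routine uploads in the function logs; `logging.info` for the success path, or a level chosen from `az_code`, would be clearer.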
@@ -4,15 +4,15 @@ def main(timestamp: int) -> object: - logging.info('using pyTenable client to create new asset export job') + logging.info("using pyTenable client to create new asset export job") tio = TenableIO() logging.info( - f'requesting a new Asset Export Job from Tenable') + "requesting a new Asset Export Job from Tenable for timestamp={}".format(timestamp)) # limiting chunk size to contain 100 assets details. For some bigger # containers, each chunk is reported to be some hundreds of MBs resulting # into azure function crash due to OOM errors. job_id = tio.exports.assets(updated_at=timestamp, chunk_size=100) - logging.info(f'received a response from Asset Export Job request') + logging.info(f"received a response from Asset Export Job request") logging.info(job_id) return job_id diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/__init__.py new file mode 100644 index 00000000000..f51c462b350 --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/__init__.py 
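Review bot: `logging.info(f"received a response from Asset Export Job request")` is an f-string with no placeholders (flake8 F541) while the line just above was switched to `.format`; either drop the `f` prefix or fold the following `logging.info(job_id)` into it, `logging.info("received a response from Asset Export Job request. job_id = {}".format(job_id))`, which matches the message format used by the new compliance starter in this commit.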
@@ -0,0 +1,38 @@ +"""Activity function to start a new compliance export job.""" + +import logging + +from ..tenable_helper import TenableIO + + +def main(timestamp: int) -> object: + """ + Create a new compliance export job using the pyTenable client. + + Args: + timestamp (int): The timestamp to filter compliance details. + + Returns: + object: The job ID of the created compliance export job as a string. + """ + logging.info("using pyTenable client to create new compliance export job") + tio = TenableIO() + logging.info("requesting a new Compliance Export Job from Tenable") + # limiting chunk size to contain 100 compliance details. For some bigger + # containers, each chunk is reported to be some hundreds of MBs resulting + # into azure function crash due to OOM errors. + if timestamp == 0: + logging.info("Timestamp is 0. Fetching all compliance details") + job_id = tio.exports.compliance(use_iterator=False, num_findings=100) + else: + logging.info("Fetching compliance details for timestamp: {}".format(timestamp)) + job_id = tio.exports.compliance( + use_iterator=False, num_findings=100, indexed_at=timestamp + ) + + logging.info( + "received a response from Compliance Export Job request. job_id = {}".format( + job_id + ) + ) + return str(job_id) diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/function.json new file mode 100644 index 00000000000..706dc18487a --- /dev/null +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartComplianceExportJob/function.json @@ -0,0 +1,10 @@ +{ + "scriptFile": "__init__.py", + "bindings": [ + { + "name": "timestamp", + "type": "activityTrigger", + "direction": "in" + } + ] +} \ No newline at end of file 
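Review bot: The function returns `str(job_id)` and its docstring says the ID is returned as a string, but the annotation is `-> object`; `-> str` states the contract the code actually keeps. The two `tio.exports.compliance(...)` calls differ only in the optional `indexed_at` argument, so building one kwargs dict and adding `indexed_at` when `timestamp != 0` would avoid repeating `use_iterator=False, num_findings=100`. The `timestamp == 0` branch deserves a comment too, e.g. `# 0 presumably means no checkpoint has been stored yet, so export everything`, since the asset and vuln starters have no equivalent special case.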
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartVulnExportJob/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartVulnExportJob/__init__.py index 4b42253da35..e819b12c89b 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartVulnExportJob/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableStartVulnExportJob/__init__.py 
@@ -1,18 +1,44 @@ import logging +import os from ..tenable_helper import TenableIO +severity = os.environ.get("LowestSeveritytoStore", "") +SEVERITIES = ["info", "low", "medium", "high", "critical"] + def main(timestamp: int) -> object: - logging.info('using pyTenable client to create new vuln export job') + logging.info("using pyTenable client to create new vuln export job") tio = TenableIO() - logging.info( - f'requesting a new Vuln Export Job from Tenable') - # limiting number of assets to 50. For some bigger containers, + logging.info("requesting a new Vuln Export Job from Tenable for timestamp: {}".format(timestamp)) + # limiting number of assets to 50. For some bigger containers, # each chunk is reported to be some hundreds of MBs resulting # into azure function crash due to OOM errors. - job_id = tio.exports.vulns(last_found=timestamp, num_assets=50) + if severity and severity.lower() in SEVERITIES: + logging.info("Selected lowest severity: {}".format(severity)) + logging.info( + "Fetching vulnerability Data for severity: {}".format( + SEVERITIES[SEVERITIES.index(severity.lower()):] + ) + ) + job_id = tio.exports.vulns( + last_found=timestamp, + num_assets=50, + severity=SEVERITIES[SEVERITIES.index(severity.lower()):], + ) + else: + logging.warning( + "Either 'Lowest Severity to Store' parameter is not set or value is not from allowed values" + "(info,low,medium,high,critical)." + ) + logging.info( + "Fetching vulnerability Data for severity {} considering default Info as lowest severity value.".format( + SEVERITIES + ) + ) + job_id = tio.exports.vulns( + last_found=timestamp, num_assets=50, severity=SEVERITIES + ) - logging.info(f'received a response from Vuln Export Job request') - logging.info(job_id) + logging.info(f"received a response from Vuln Export Job request{job_id}") return job_id 
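Review bot: Two log strings in the new branch are assembled without a separator: the implicit concatenation `"...from allowed values" "(info,low,medium,high,critical)."` renders as `values(info,...`, and `f"received a response from Vuln Export Job request{job_id}"` glues the ID onto the text; write `"... from allowed values "` (trailing space) and `f"received a response from Vuln Export Job request: {job_id}"`. `SEVERITIES[SEVERITIES.index(severity.lower()):]` is also computed twice; binding it once, e.g. `selected_severities = SEVERITIES[SEVERITIES.index(severity.lower()):]`, before the log call and the `tio.exports.vulns(...)` call keeps the two in step. Note that `severity` is compared case-insensitively here, which is worth stating in the connector's setup text since that text describes the settings as case-sensitive.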
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVM.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVM.json index 7bd0917dc68..d3da7c12acb 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVM.json +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVM.json @@ -2,7 +2,7 @@ "id": "TenableVM", "title": "Tenable Vulnerability Management", "publisher": "Tenable", - "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset and Vulnerability data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", + "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset, Vulnerability and Compliance data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", "additionalRequirementBanner": "These queries and workbooks are dependent on a [**TenableVM parser for vulnerabilities**](https://aka.ms/sentinel-TenableApp-TenableVMVulnerabilities-parser) and a [**TenableVM parser for assets**](https://aka.ms/sentinel-TenableApp-TenableVMAssets-parser) based on Kusto to work as expected which is deployed with the Microsoft Sentinel Solution.", "graphQueries": [ { @@ -14,6 +14,11 @@ "metricName": "Total data received", "legend": "Tenable_VM_Vuln_CL", "baseQuery": "Tenable_VM_Vuln_CL" + }, + { + "metricName": "Total data received", + "legend": "Tenable_VM_Compliance_CL", + "baseQuery": "Tenable_VM_Compliance_CL" } ], "sampleQueries": [ 
@@ -25,6 +30,10 @@ "description": "Tenable VM Report - All Vulns", "query": "Tenable_VM_Vuln_CL\n | sort by TimeGenerated desc" }, + { + "description": "Tenable VM Report - All Compliance", + "query": "Tenable_VM_Compliance_CL\n | sort by TimeGenerated desc" + }, { "description": "Select unique vulnerabilities by a specific asset.", "query": "Tenable_VM_Vuln_CL\n | where asset_fqdn_s has \"one.one.one.one\"\n | summarize any(asset_fqdn_s, plugin_id_d, plugin_cve_s) by plugin_id_d" @@ -42,6 +51,10 @@ { "name": "Tenable_VM_Vuln_CL", "lastDataReceivedQuery": "Tenable_VM_Vuln_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Tenable_VM_Compliance_CL", + "lastDataReceivedQuery": "Tenable_VM_Compliance_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ @@ -56,6 +69,12 @@ "value": [ "Tenable_VM_Vuln_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Tenable_VM_Compliance_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] } ], "availability": { 
@@ -99,7 +118,7 @@ "instructionSteps": [ { "title": "", - "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk) and [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk), [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) and [compliance](https://developer.tenable.com/reference#exports-compliance-request-export)(if selected) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." }, { "title": "", @@ -110,7 +129,7 @@ }, { "title": "", - "description": "**STEP 1 - Configuration steps for TenableVM\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" + "description": "**STEP 1 - Configuration steps for TenableVM**\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" }, { "title": "", 
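Review bot: In the new `descriptionMarkdown`, `[compliance](…)(if selected)` lacks a space before the parenthetical and does not say what selects it; `[compliance](https://developer.tenable.com/reference#exports-compliance-request-export) (if **Compliance Data Ingestion** is enabled)` reads cleanly and ties the sentence to the option introduced in the deployment steps further down this file.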
@@ -138,7 +157,7 @@ }, { "title": "Option 1 - Azure Resource Manager (ARM) Template", - "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy." + "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Select **Lowest Severity to Store** to set the lowest vulnerability severity. Default is Info. \n5. Select true for **Compliance Data Ingestion** to ingest Compliance data. Default is false. \n6. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n7. Click **Purchase** to deploy." }, { "title": "Option 2 - Manual Deployment of Azure Functions", 
@@ -150,7 +169,7 @@ }, { "title": "", - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tLowestSeveritytoStore\n\t\tComplianceDataIngestion\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." } ], "metadata": { 
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVMAzureSentinelConnector310.zip b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVMAzureSentinelConnector310.zip new file mode 100644 index 00000000000..15329b27403 Binary files /dev/null and b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVMAzureSentinelConnector310.zip differ diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportOrchestrator/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportOrchestrator/__init__.py index 89fea175b8c..9f83bfd31d5 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportOrchestrator/__init__.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportOrchestrator/__init__.py @@ -1,3 +1,4 @@ +import json import os import logging from datetime import timedelta 
@@ -6,77 +7,79 @@ import azure.functions as func
 import azure.durable_functions as df
-vuln_status_and_chunk = 'TenableVulnExportStatusAndSendChunks'
-export_poll_schedule_minutes = int(os.getenv('TenableExportPollScheduleInMinutes', '1'))
+vuln_status_and_chunk = "TenableVulnExportStatusAndSendChunks"
+export_poll_schedule_minutes = int(os.getenv("TenableExportPollScheduleInMinutes", "1"))
 def orchestrator_function(context: df.DurableOrchestrationContext):
- logging.info('started vuln export orchestrator')
+ logging.info("started vuln export orchestrator")
 job_details = context.get_input()
- logging.info('loaded job details from orchestrator:')
+ logging.info("loaded job details from orchestrator:")
 logging.info(job_details)
- vuln_job_id = job_details['vulnJobId'] if 'vulnJobId' in job_details else ''
- if vuln_job_id == '':
+ vuln_job_id = job_details["vulnJobId"] if "vulnJobId" in job_details else ""
+ if vuln_job_id == "":
 return {
- 'status': TenableStatus.no_job.value,
- 'id': '',
- 'chunks': [],
- 'vulnInstanceId': context.instance_id,
- 'type': TenableExportType.vuln.value
+ "status": TenableStatus.no_job.value,
+ "id": "",
+ "chunks": [],
+ "vulnInstanceId": context.instance_id,
+ "type": TenableExportType.vuln.value
 }
 chunks = []
- logging.info(f'checking status of job {vuln_job_id}, outside while loop')
- job_status = yield context.call_activity(vuln_status_and_chunk, vuln_job_id)
+ logging.info(f"checking status of job {vuln_job_id}, outside while loop")
+ start_time = job_details.get("start_time", 0)
+ str_activity_data = json.dumps({"vuln_job_id": vuln_job_id, "start_time": start_time})
+ job_status = yield context.call_activity(vuln_status_and_chunk, str_activity_data)
- logging.info(f'{vuln_job_id} is currently in this state:')
+ logging.info(f"{vuln_job_id} is currently in this state:")
 logging.info(job_status)
- logging.info(job_status['status'])
+ logging.info(job_status["status"])
- tio_status = ['ERROR', 'CANCELLED', 'FINISHED']
- while not 'status' in job_status or not (job_status['status'] in tio_status):
- job_status = yield context.call_activity(vuln_status_and_chunk, vuln_job_id)
+ tio_status = ["ERROR", "CANCELLED", "FINISHED"]
+ while not "status" in job_status or not (job_status["status"] in tio_status):
+ job_status = yield context.call_activity(vuln_status_and_chunk, str_activity_data)
 logging.info(
- f'Checking {vuln_job_id} after waking up again, inside while loop:')
+ f"Checking {vuln_job_id} after waking up again, inside while loop:")
 logging.info(job_status)
- logging.info(job_status['status'])
+ logging.info(job_status["status"])
- if 'status' in job_status and job_status['status'] == 'FINISHED':
- logging.info('job is completely finished!')
- chunks = job_status['chunks_available']
- logging.info(f'Found these chunks: {chunks}')
+ if "status" in job_status and job_status["status"] == "FINISHED":
+ logging.info("job is completely finished!")
+ chunks = job_status["chunks_available"]
+ logging.info(f"Found these chunks: {chunks}")
 break
- elif 'status' in job_status and job_status['status'] == 'ERROR':
- logging.info('job is completed with Error status!')
- chunks = job_status['chunks_available']
- logging.info(f'Found these chunks: {chunks}')
+ elif "status" in job_status and job_status["status"] == "ERROR":
+ logging.info("job is completed with Error status!")
+ chunks = job_status["chunks_available"]
+ logging.info(f"Found these chunks: {chunks}")
 break
- elif 'status' in job_status and job_status['status'] == 'CANCELLED':
- logging.info('job is completed with Cancelled status!')
- chunks = job_status['chunks_available']
- logging.info(f'Found these chunks: {chunks}')
+ elif "status" in job_status and job_status["status"] == "CANCELLED":
+ logging.info("job is completed with Cancelled status!")
+ chunks = job_status["chunks_available"]
+ logging.info(f"Found these chunks: {chunks}")
 break
 else:
- logging.info('not quite ready, going to sleep...')
+ logging.info("not quite ready, going to sleep...")
 next_check = context.current_utc_datetime + timedelta(minutes=export_poll_schedule_minutes)
 yield context.create_timer(next_check)
 logging.info(
- f'all chunks have been sent to process! {vuln_job_id} finally COMPLETED')
- logging.info('Checking that chunks exist...')
- logging.info(f'Number of chunks: {len(chunks)}')
+ f"all chunks have been sent to process! {vuln_job_id} finally COMPLETED")
+ logging.info("Checking that chunks exist...")
+ logging.info(f"Number of chunks: {len(chunks)}")
 tenable_status = TenableStatus.finished.value
- if 'status' in job_status and (job_status['status'] == 'CANCELLED' or job_status['status'] == 'ERROR'):
+ if "status" in job_status and (job_status["status"] == "CANCELLED" or job_status["status"] == "ERROR"):
 tenable_status = TenableStatus.failed.value
 return {
- 'status': tenable_status,
- 'id': vuln_job_id,
- 'chunks': chunks,
- 'vulnInstanceId': context.instance_id,
- 'type': TenableExportType.vuln.value
+ "status": tenable_status,
+ "id": vuln_job_id,
+ "chunks": chunks,
+ "vulnInstanceId": context.instance_id,
+ "type": TenableExportType.vuln.value
 }
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/__init__.py b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/__init__.py
index b3e8c7eff19..43c5260e582 100644
--- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/__init__.py
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/__init__.py
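Review bot: `start_time = job_details.get("start_time", 0)` silently substitutes 0 when the caller omits the key, and that value is serialized into the activity payload and, per the status activity in this same commit, forwarded into every queue message as `startTime`; if the downstream consumer treats it as a checkpoint timestamp, a missing key would quietly re-anchor the export at the epoch instead of failing loudly. Consider surfacing that case, e.g. `if "start_time" not in job_details: logging.warning("start_time missing from job details; defaulting to 0")`, or raising if the orchestration must not proceed without it. Two style points on the rewritten lines: `vuln_job_id = job_details.get("vulnJobId", "")` replaces the conditional expression, and `while "status" not in job_status or job_status["status"] not in tio_status:` reads better than `not "status" in …`. The whole of orchestrator_function is inside the hunk.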
@@ -1,84 +1,95 @@
+import json
 import logging
 import os
 from ..exports_queue import ExportsQueue, ExportsQueueNames
 from ..exports_store import ExportsTableStore, ExportsTableNames
-from ..tenable_helper import TenableIO, TenableStatus, TenableExportType
+from ..tenable_helper import TenableIO, TenableStatus, TenableExportType, update_checkpoint_for_last_chunk
 # from tenable.io import TenableIO
-connection_string = os.environ['AzureWebJobsStorage']
+connection_string = os.environ["AzureWebJobsStorage"]
 vuln_export_table_name = ExportsTableNames.TenableVulnExportTable.value
 vuln_queue_name = ExportsQueueNames.TenableVulnExportsQueue.value
 def send_chunks_to_queue(exportJobDetails):
- logging.info(f'Sending chunk to queue.')
- chunks = exportJobDetails.get('chunks_available', [])
- exportJobId = exportJobDetails.get('exportJobId', '')
+ logging.info(f"Sending chunk to queue.")
+ chunks = exportJobDetails.get("chunks_available", [])
+ exportJobId = exportJobDetails.get("exportJobId", "")
+ start_time = exportJobDetails.get("start_time", 0)
+ job_status = exportJobDetails.get("status", "")
 if len(chunks) > 0:
 vuln_table = ExportsTableStore( connection_string, vuln_export_table_name)
+ update_checkpoint = False
 for chunk in chunks:
+ update_checkpoint = update_checkpoint_for_last_chunk(chunk, chunks, job_status)
 chunk_dtls = vuln_table.get(exportJobId, str(chunk))
 if chunk_dtls:
- current_chunk_status = chunk_dtls['jobStatus']
+ current_chunk_status = chunk_dtls["jobStatus"]
 if ( current_chunk_status == TenableStatus.sent_to_queue.value or current_chunk_status == TenableStatus.finished.value ):
 logging.warning(
- f'Avoiding vuln chunk duplicate processing -- {exportJobId} {chunk}. Current status: {current_chunk_status}')
+ f"Avoiding vuln chunk duplicate processing -- {exportJobId} {chunk}. Current status: {current_chunk_status}")
 continue
 vuln_table.post(exportJobId, str(chunk), {
- 'jobStatus': TenableStatus.sending_to_queue.value,
- 'jobType': TenableExportType.vuln.value
+ "jobStatus": TenableStatus.sending_to_queue.value,
+ "jobType": TenableExportType.vuln.value
 })
 vuln_queue = ExportsQueue(connection_string, vuln_queue_name)
 try:
- sent = vuln_queue.send_chunk_info(exportJobId, chunk)
- logging.warn(f'chunk queued -- {exportJobId} {chunk}')
- logging.warn(sent)
+ sent = vuln_queue.send_chunk_info(
+ exportJobId, chunk, start_time, update_checkpoint
+ )
+ logging.warning(f"chunk queued -- {exportJobId} {chunk}")
+ logging.warning(sent)
 vuln_table.merge(exportJobId, str(chunk), {
- 'jobStatus': TenableStatus.sent_to_queue.value
+ "jobStatus": TenableStatus.sent_to_queue.value
 })
 except Exception as e:
- logging.warn(
- f'Failed to send {exportJobId} - {chunk} to be processed')
- logging.warn(e)
+ logging.warning(
+ f"Failed to send {exportJobId} - {chunk} to be processed")
+ logging.warning(e)
 vuln_table.merge(exportJobId, str(chunk), {
- 'jobStatus': TenableStatus.sent_to_queue_failed.value,
- 'jobType': TenableExportType.asset.value
+ "jobStatus": TenableStatus.sent_to_queue_failed.value,
+ "jobType": TenableExportType.vuln.value
 })
 else:
- logging.info('no chunk found to process.')
+ logging.info("no chunk found to process.")
 return
-def main(exportJobId: str) -> object:
- logging.info('using pyTenable client to check asset export job status')
+def main(exportJob: str) -> object:
+ jsonExportObject = json.loads(exportJob)
+ exportJobId = jsonExportObject.get("vuln_job_id", "")
+ start_time = jsonExportObject.get("start_time", 0)
+ logging.info("using pyTenable client to check vulnerability export job status")
 logging.info(
- f'checking status at vulns/{exportJobId}/status')
+ f"checking status at vulns/{exportJobId}/status")
 tio = TenableIO()
- job_details = tio.exports.status('vulns', exportJobId)
- # r = tio.get(f'{get_vuln_export_url()}/{exportJobId}/status')
+ job_details = tio.exports.status("vulns", exportJobId)
+ # r = tio.get(f"{get_vuln_export_url()}/{exportJobId}/status")
 logging.info(
- f'received a response from vulns/{exportJobId}/status')
+ f"received a response from vulns/{exportJobId}/status")
 logging.info(job_details)
- tio_status = ['ERROR', 'CANCELLED']
- if job_details['status'] not in tio_status:
+ tio_status = ["ERROR", "CANCELLED"]
+ if job_details["status"] not in tio_status:
 try:
- job_details['exportJobId'] = exportJobId
+ job_details["exportJobId"] = exportJobId
+ job_details["start_time"] = start_time
 send_chunks_to_queue(job_details)
 except Exception as e:
- logging.warn('error while sending chunks to queue')
- logging.warn(job_details)
- logging.warn(e)
+ logging.warning("error while sending chunks to queue")
+ logging.warning(job_details)
+ logging.warning(e)
 return job_details
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/function.json b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/function.json
index 89e7dd83296..6116f03f684 100644
--- a/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/function.json
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/TenableVulnExportStatusAndSendChunks/function.json
@@ -2,7 +2,7 @@
 "scriptFile": "__init__.py",
 "bindings": [
 {
- "name": "exportJobId",
+ "name": "exportJob",
 "type": "activityTrigger",
 "direction": "in"
 }
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/azure_sentinel.py b/Solutions/Tenable App/Data Connectors/TenableVM/azure_sentinel.py
index 60e53510234..a63dc06c350 100644
--- a/Solutions/Tenable App/Data Connectors/TenableVM/azure_sentinel.py
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/azure_sentinel.py
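Review bot: The checkpoint flag can be lost for the last chunk: `update_checkpoint = update_checkpoint_for_last_chunk(chunk, chunks, job_status)` is computed for every chunk, but the `continue` on the duplicate-processing branch skips `send_chunk_info` entirely, so if the final id in `chunks_available` was already queued by an earlier poll (before the job reached FINISHED) no message with `updateCheckpoint` true is ever sent, and the same happens when `send_chunk_info` raises for that chunk. If the checkpoint must advance once the job is FINISHED, the flag should be emitted independently of whether the last chunk was new, or the duplicate branch should still send it when `update_checkpoint` is true. In `main`, `json.loads(exportJob)` followed by `.get(...)` with defaults means a malformed payload yields an empty `exportJobId` and a status call against `vulns//status` rather than a clear error; a guard such as `if not exportJobId: raise ValueError("vuln_job_id missing from activity input")` would surface that earlier.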
@@ -9,12 +9,12 @@ class AzureSentinel: - def __init__(self, workspace_id, workspace_key, log_type, log_analytics_url=''): + def __init__(self, workspace_id, workspace_key, log_type, log_analytics_url=""): self._workspace_id = workspace_id self._workspace_key = workspace_key self._log_type = log_type - if ((log_analytics_url in (None, '') or str(log_analytics_url).isspace())): - log_analytics_url = 'https://' + self._workspace_id + '.ods.opinsights.azure.com' + if ((log_analytics_url in (None, "") or str(log_analytics_url).isspace())): + log_analytics_url = "https://" + self._workspace_id + ".ods.opinsights.azure.com" pattern = r"https:\/\/([\w\-]+)\.ods\.opinsights\.azure.([a-zA-Z\.]+)$" if not re.match(pattern, str(log_analytics_url)): @@ -22,7 +22,7 @@ def __init__(self, workspace_id, workspace_key, log_type, log_analytics_url=''): self._log_analytics_url = log_analytics_url def build_signature(self, date, content_length, method, content_type, resource): - x_headers = 'x-ms-date:' + date + x_headers = "x-ms-date:" + date string_to_hash = method + "\n" + \ str(content_length) + "\n" + content_type + \ "\n" + x_headers + "\n" + resource 
@@ -35,30 +35,30 @@ def build_signature(self, date, content_length, method, content_type, resource): return authorization def post_data(self, body): - logging.info('constructing post to send to Azure Sentinel.') - method = 'POST' - content_type = 'application/json' - resource = '/api/logs' - rfc1123date = datetime.utcnow().strftime('%a, %d %b %Y %H:%M:%S GMT') + logging.info("constructing post to send to Azure Sentinel.") + method = "POST" + content_type = "application/json" + resource = "/api/logs" + rfc1123date = datetime.utcnow().strftime("%a, %d %b %Y %H:%M:%S GMT") content_length = len(body) - logging.info('build signature.') + logging.info("build signature.") signature = self.build_signature( rfc1123date, content_length, method, content_type, resource) - logging.info('signature built.') - uri = self._log_analytics_url + resource + '?api-version=2016-04-01' + logging.info("signature built.") + uri = self._log_analytics_url + resource + "?api-version=2016-04-01" headers = { - 'content-type': content_type, - 'Authorization': signature, - 'Log-Type': self._log_type, - 'x-ms-date': rfc1123date + "content-type": content_type, + "Authorization": signature, + "Log-Type": self._log_type, + "x-ms-date": rfc1123date } - logging.info('sending post to Azure Sentinel.') + logging.info("sending post to Azure Sentinel.") response = requests.post(uri, data=body, headers=headers) logging.info(response.status_code) if (response.status_code >= 200 and response.status_code <= 299): return response.status_code else: - logging.warn("Events are not processed into Azure. Response code: {}".format( + logging.warning("Events are not processed into Azure. Response code: {}".format( response.status_code)) raise Exception( - f'Sending to Azure Sentinel failed with status code {response.status_code}') + f"Sending to Azure Sentinel failed with status code {response.status_code}") 
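Review bot: `response = requests.post(uri, data=body, headers=headers)` is kept without a `timeout`, so a stalled Log Analytics endpoint blocks the calling activity until the Functions host terminates it, and whatever retry handling wraps this call never sees an exception; the commit rewrites every neighbouring line of post_data but leaves this one. A bounded timeout, e.g. `response = requests.post(uri, data=body, headers=headers, timeout=(10, 120))`, turns a hang into a `requests.Timeout` that existing `except` paths can handle. The values are illustrative and should be sized for the 30 MB sub-chunks the connector builds elsewhere.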
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/azuredeploy_Connector_TenableVM_AzureFunction.json b/Solutions/Tenable App/Data Connectors/TenableVM/azuredeploy_Connector_TenableVM_AzureFunction.json index af6d0f29b82..fda4a393f16 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/azuredeploy_Connector_TenableVM_AzureFunction.json +++ b/Solutions/Tenable App/Data Connectors/TenableVM/azuredeploy_Connector_TenableVM_AzureFunction.json @@ -8,22 +8,56 @@ "maxLength": 11, "type": "string" }, - "workspaceID": { - "type": "securestring" + "WorkspaceID": { + "type": "string", + "metadata": { + "description": "Enter Workspace ID of log analytics Workspace" + } }, - "workspaceKey": { - "type": "securestring" + "WorkspaceKey": { + "type": "securestring", + "metadata": { + "description": "Enter Primary Key of log analytics Workspace" + } }, - "tenableAccessKey": { + "TenableAccessKey": { "type": "securestring", "metadata": { - "description": "An access key for using the Tenable API (required)" + "description": "Enter Access key for using the Tenable API" } }, - "tenableSecretKey": { - "type": "securestring" + "TenableSecretKey": { + "type": "securestring", + "metadata": { + "description": "Enter Tenable Secret Key for Authentication" + } }, - "tenableExportScheduleInMinutes": { + "Lowest Severity to Store": { + "defaultValue": "Info", + "allowedValues": [ + "Critical", + "High", + "Medium", + "Low", + "Info" + ], + "metadata": { + "description": "The Lowest Vulnerability severity to store." + }, + "type": "string" + }, + "ComplianceDataIngestion": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Select true if you want to enable compliance data ingestion from Tenable VM. Default is false." + }, + "allowedValues": [ + true, + false + ] + }, + "TenableExportScheduleInMinutes": { "type": "int", "defaultValue": 1440 }, @@ -82,7 +116,8 @@ } }, "keySource": "Microsoft.Storage" - } + }, + "minimumTlsVersion": "TLS1_2" } }, { 
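Review bot: The new parameter is named `"Lowest Severity to Store"` with spaces, while every sibling (`WorkspaceID`, `TenableAccessKey`, `ComplianceDataIngestion`, `TenableExportScheduleInMinutes`) is PascalCase without spaces; a spaced name is awkward in parameter files and CLI `--parameters`, and it is mapped to an app setting spelled `LowestSeveritytoStore` in the `@@ -162,16 +197,18 @@` hunk, so one concept now has three spellings. Renaming it to `LowestSeverityToStore` here and in `"[parameters('LowestSeverityToStore')]"` keeps the template consistent. `"allowedValues": [true, false]` on a `bool` parameter is redundant and can be dropped. `WorkspaceID` moving from `securestring` to `string` is reasonable since it is an identifier rather than a credential, but note it will now be recorded in plain text in deployment history.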
@@ -162,16 +197,18 @@ "APPINSIGHTS_INSTRUMENTATIONKEY": "[reference(resourceId('Microsoft.insights/components', variables('FunctionName')), '2015-05-01').InstrumentationKey]", "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(resourceId('microsoft.insights/components', variables('FunctionName')), '2015-05-01').ConnectionString]", "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', toLower(variables('FunctionName')),';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', toLower(variables('functionName'))), '2019-06-01').keys[0].value, ';EndpointSuffix=',toLower(variables('StorageSuffix')))]", - "WorkspaceID": "[parameters('workspaceID')]", - "WorkspaceKey": "[parameters('workspaceKey')]", - "TIO_SECRET_KEY": "[parameters('tenableSecretKey')]", - "TIO_ACCESS_KEY": "[parameters('tenableAccessKey')]", - "TenableExportScheduleInMinutes": "[parameters('tenableExportScheduleInMinutes')]", + "WorkspaceID": "[parameters('WorkspaceID')]", + "WorkspaceKey": "[parameters('WorkspaceKey')]", + "TIO_SECRET_KEY": "[parameters('TenableSecretKey')]", + "TIO_ACCESS_KEY": "[parameters('TenableAccessKey')]", + "LowestSeveritytoStore": "[parameters('Lowest Severity to Store')]", + "ComplianceDataIngestion": "[parameters('ComplianceDataIngestion')]", + "TenableExportScheduleInMinutes": "[parameters('TenableExportScheduleInMinutes')]", "PyTenableUAVendor": "Microsoft", "PyTenableUAProduct": "Azure Sentinel", "PyTenableUABuild": "0.0.1", "logAnalyticsUri": "[variables('LogAnaltyicsUri')]", - "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-TenableVMAzureSentinelConnector-functionapp" + "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-TenableVMAzureSentinelConnector310-functionapp" } } ] diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/exports_queue.py b/Solutions/Tenable App/Data Connectors/TenableVM/exports_queue.py index 3bda7282ea7..cb5eb77de18 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/exports_queue.py 
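Review bot: `"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-TenableVMAzureSentinelConnector310-functionapp"` makes the function host fetch its code through a mutable short link with no version pin or integrity check, so whatever the redirect serves at start-up is what runs; this pattern predates the commit, but since the commit changes the target it is the natural place to point at an immutable, versioned artifact URL instead. Separately, on Linux function apps app settings surface as case-sensitive environment variables, so `LowestSeveritytoStore` and `ComplianceDataIngestion` must match the `os.getenv` spelling in the Python code byte for byte; those readers are not in this diff, so please confirm them.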
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/exports_queue.py
@@ -18,17 +18,19 @@ def create(self):
 try:
 queue_client.create_queue()
 except ResourceExistsError:
- logging.warn(f'Queue {self.queue_name} already exists')
+ logging.warning(f"Queue {self.queue_name} already exists")
- def send_chunk_info(self, export_job_id, chunk_id):
+ def send_chunk_info(self, export_job_id, chunk_id, start_time, update_checkpoint=False):
 with QueueClient.from_connection_string(self.connection_string, self.queue_name, message_encode_policy=BinaryBase64EncodePolicy(), message_decode_policy=BinaryBase64DecodePolicy()) as queue_client:
- chunk_info = {'exportJobId': export_job_id, 'chunkId': chunk_id}
- return queue_client.send_message(json.dumps(chunk_info).encode('utf-8'))
+ chunk_info = {"exportJobId": export_job_id, "chunkId": chunk_id, "startTime": start_time, "updateCheckpoint": update_checkpoint}
+ return queue_client.send_message(json.dumps(chunk_info).encode("utf-8"))
 class ExportsQueueNames(Enum):
- TenableAssetExportsQueue = 'tenable-asset-export-queue'
- TenableVulnExportsQueue = 'tenable-vuln-export-queue'
- TenableAssetExportsPoisonQueue = 'tenable-asset-export-queue-poison'
- TenableVulnExportsPoisonQueue = 'tenable-vuln-export-queue-poison'
+ TenableAssetExportsQueue = "tenable-asset-export-queue"
+ TenableVulnExportsQueue = "tenable-vuln-export-queue"
+ TenableComplianceExportsQueue = "tenable-compliance-export-queue"
+ TenableAssetExportsPoisonQueue = "tenable-asset-export-queue-poison"
+ TenableVulnExportsPoisonQueue = "tenable-vuln-export-queue-poison"
+ TenableComplianceExportsPoisonQueue = "tenable-compliance-export-queue-poison"
diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/exports_store.py b/Solutions/Tenable App/Data Connectors/TenableVM/exports_store.py
index fc02bea7ab8..e4a1624682e 100644
--- a/Solutions/Tenable App/Data Connectors/TenableVM/exports_store.py
+++ b/Solutions/Tenable App/Data Connectors/TenableVM/exports_store.py
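Review bot: `send_chunk_info(self, export_job_id, chunk_id, start_time, update_checkpoint=False)` adds `start_time` as a required positional argument, so any caller still using the old two-argument form (the asset export path is a likely candidate, but it is not in this diff) will raise `TypeError` at runtime; either give it an explicit default or confirm every call site was updated in this commit. The message body now carries `"startTime"` and `"updateCheckpoint"`, and any consumer reading those fields should tolerate their absence for messages that were already queued before the upgrade. The enclosing class header is outside the hunk.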
@@ -17,38 +17,38 @@ def create(self): try: table_client.create_table() except ResourceExistsError: - logging.warn("Table already exists") + logging.warning("Table already exists") def post(self, pk: str, rk: str, data: dict = None): with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: entity_template = { - 'PartitionKey': pk, - 'RowKey': rk, + "PartitionKey": pk, + "RowKey": rk, } if data is not None: entity_template.update(data) try: table_client.create_entity(entity_template) except Exception as e: - logging.warn('could not post entity to table') - logging.warn(e) + logging.warning("could not post entity to table") + logging.warning(e) raise e def get(self, pk: str, rk: str): with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: try: logging.info( - f'looking for {pk} - {rk} on table {self.table_name}') + f"looking for {pk} - {rk} on table {self.table_name}") return table_client.get_entity(pk, rk) except ResourceNotFoundError: return None def upsert(self, pk: str, rk: str, data: dict = None): with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: - logging.info(f'upserting {pk} - {rk} on table {self.table_name}') + logging.info(f"upserting {pk} - {rk} on table {self.table_name}") entity_template = { - 'PartitionKey': pk, - 'RowKey': rk, + "PartitionKey": pk, + "RowKey": rk, } if data is not None: entity_template.update(data) 
@@ -72,8 +72,8 @@ def query_by_partition_key(self, pk): def query_for_finished_chunks_by_partition_key(self, pk): table_client = TableClient.from_connection_string( self.connection_string, self.table_name) - parameters = {'key': pk, 'status': TenableStatus.finished.value} - name_filter = 'PartitionKey eq @key and jobStatus eq @status' + parameters = {"key": pk, "status": TenableStatus.finished.value} + name_filter = "PartitionKey eq @key and jobStatus eq @status" try: return table_client.query_entities(name_filter, parameters=parameters) except HttpResponseError as e: @@ -83,8 +83,8 @@ def query_for_finished_chunks_by_partition_key(self, pk): def query_for_all_finished_chunks(self): table_client = TableClient.from_connection_string( self.connection_string, self.table_name) - parameters = {'status': TenableStatus.finished.value} - name_filter = 'jobStatus eq @status' + parameters = {"status": TenableStatus.finished.value} + name_filter = "jobStatus eq @status" try: return table_client.query_entities(name_filter, parameters=parameters) except HttpResponseError as e: @@ -94,8 +94,8 @@ def query_for_all_finished_chunks(self): def query_for_failed_chunks_by_partition_key(self, pk): table_client = TableClient.from_connection_string( self.connection_string, self.table_name) - parameters = {'key': pk, 'status': TenableStatus.failed.value} - name_filter = 'PartitionKey eq @key and jobStatus eq @status' + parameters = {"key": pk, "status": TenableStatus.failed.value} + name_filter = "PartitionKey eq @key and jobStatus eq @status" try: return table_client.query_entities(name_filter, parameters=parameters) except HttpResponseError as e: 
@@ -105,8 +105,8 @@ def query_for_failed_chunks_by_partition_key(self, pk): def query_for_all_failed_chunks(self): table_client = TableClient.from_connection_string( self.connection_string, self.table_name) - parameters = {'status': TenableStatus.failed.value} - name_filter = 'jobStatus eq @status' + parameters = {"status": TenableStatus.failed.value} + name_filter = "jobStatus eq @status" try: return table_client.query_entities(name_filter, parameters=parameters) except HttpResponseError as e: @@ -117,12 +117,12 @@ def query_for_all_processing_chunks(self): table_client = TableClient.from_connection_string( self.connection_string, self.table_name) parameters = { - 'failedStatus': TenableStatus.failed.value, - 'processingStatus': TenableStatus.processing.value, - 'sentStatus': TenableStatus.sent_to_queue.value, - 'sendingStatus': TenableStatus.sending_to_queue.value + "failedStatus": TenableStatus.failed.value, + "processingStatus": TenableStatus.processing.value, + "sentStatus": TenableStatus.sent_to_queue.value, + "sendingStatus": TenableStatus.sending_to_queue.value } - name_filter = 'jobStatus eq @failedStatus or jobStatus eq @processingStatus or jobStatus eq @sentStatus or jobStatus eq @sendingStatus' + name_filter = "jobStatus eq @failedStatus or jobStatus eq @processingStatus or jobStatus eq @sentStatus or jobStatus eq @sendingStatus" try: return table_client.query_entities(name_filter, parameters=parameters) except HttpResponseError as e: @@ -140,10 +140,10 @@ def list_all(self): def merge(self, pk: str, rk: str, data: dict = None): with TableClient.from_connection_string(self.connection_string, self.table_name) as table_client: - logging.info(f'upserting {pk} - {rk} on table {self.table_name}') + logging.info(f"upserting {pk} - {rk} on table {self.table_name}") entity_template = { - 'PartitionKey': pk, - 'RowKey': rk, + "PartitionKey": pk, + "RowKey": rk, } if data is not None: entity_template.update(data) 
@@ -154,3 +154,6 @@ class ExportsTableNames(Enum): TenableExportStatsTable = "TenableExportStatsTable" TenableAssetExportTable = "TenableAssetExportTable" TenableVulnExportTable = "TenableVulnExportTable" + TenableComplianceExportTable = "TenableComplianceExportTable" + TenableExportCheckpointTable = "TenableExportCheckpointTable" + diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/host.json b/Solutions/Tenable App/Data Connectors/TenableVM/host.json index 519fe11b518..325b8148c54 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/host.json +++ b/Solutions/Tenable App/Data Connectors/TenableVM/host.json @@ -11,5 +11,16 @@ "extensionBundle": { "id": "Microsoft.Azure.Functions.ExtensionBundle", "version": "[3.*, 4.0.0)" + }, + "extensions": { + "durableTask": { + "storageProvider": { + "type": "AzureStorage" + } + } + }, + "concurrency": { + "dynamicConcurrencyEnabled": true, + "snapshotPersistenceEnabled": true } -} +} \ No newline at end of file diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/requirements.txt b/Solutions/Tenable App/Data Connectors/TenableVM/requirements.txt index 7d796f89fed..b2bacd7b379 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/requirements.txt +++ b/Solutions/Tenable App/Data Connectors/TenableVM/requirements.txt @@ -6,5 +6,5 @@ azure-data-tables==12.1.0 azure-functions==1.7.2 azure-functions-durable==1.0.3 azure-storage-queue==12.4.0 -pyTenable==1.3.3 +pyTenable==1.5.3 requests==2.32.2 \ No newline at end of file diff --git a/Solutions/Tenable App/Data Connectors/TenableVM/tenable_helper.py b/Solutions/Tenable App/Data Connectors/TenableVM/tenable_helper.py index e885a554b18..08bcf382d79 100644 --- a/Solutions/Tenable App/Data Connectors/TenableVM/tenable_helper.py +++ b/Solutions/Tenable App/Data Connectors/TenableVM/tenable_helper.py 
@@ -3,7 +3,7 @@ import json from tenable.io import TenableIO as BaseIO -from tenable.io.exports import ExportsAPI +from tenable.io.exports.api import ExportsAPI from enum import Enum from queue import Queue from typing import List, Dict @@ -29,9 +29,9 @@ def chunk(self, export_type: str, uuid: str, chunk: int) -> list: class TenableIO(BaseIO): def __init__(self, **kwargs): - kwargs['vendor'] = os.getenv('PyTenableUAVendor', 'Microsoft') - kwargs['product'] = os.getenv('PyTenableUAProduct', 'Azure Sentinel') - kwargs['build'] = os.getenv('PyTenableUABuild', '0.0.1') + kwargs["vendor"] = os.getenv("PyTenableUAVendor", "Microsoft") + kwargs["product"] = os.getenv("PyTenableUAProduct", "Azure Sentinel") + kwargs["build"] = os.getenv("PyTenableUABuild", "0.0.1") super().__init__(**kwargs) @property @@ -40,18 +40,20 @@ def exports(self): class TenableStatus(Enum): - finished = 'FINISHED' - failed = 'FAILED' - no_job = 'NO_JOB_FOUND' - processing = 'PROCESSING' - sending_to_queue = 'SENDING_TO_QUEUE' - sent_to_queue = 'SENT_TO_QUEUE' - sent_to_queue_failed = 'SENT_TO_QUEUE_FAILED' - sent_to_sub_orchestrator = 'SENT_TO_SUB_ORCHESTRATOR' + finished = "FINISHED" + failed = "FAILED" + no_job = "NO_JOB_FOUND" + processing = "PROCESSING" + sending_to_queue = "SENDING_TO_QUEUE" + sent_to_queue = "SENT_TO_QUEUE" + sent_to_queue_failed = "SENT_TO_QUEUE_FAILED" + sent_to_sub_orchestrator = "SENT_TO_SUB_ORCHESTRATOR" + class TenableExportType(Enum): - asset = 'ASSET_EXPORT_JOB' - vuln = 'VULN_EXPORT_JOB' + asset = "ASSET_EXPORT_JOB" + vuln = "VULN_EXPORT_JOB" + compliance = "COMPLIANCE_EXPORT_JOB" class TenableChunkPartitioner: @@ -62,7 +64,7 @@ class TenableChunkPartitioner: @staticmethod def partition_chunks_into_30MB_sub_chunks(inputChunk: List[Dict]) -> List[List[Dict]]: - ''' + """ This method divides export chunks received from Tenable.io response, into multiple sub-chunks such that each sub-chunk is <= 30MB. 
@@ -70,11 +72,11 @@ def partition_chunks_into_30MB_sub_chunks(inputChunk: List[Dict]) -> List[List[D
 https://docs.microsoft.com/azure/azure-monitor/logs/data-collector-api#data-limits.
 Parameters:
- inputChunk (List[Dict]): List containing vuln/assets objects in chunk.
+ inputChunk (List[Dict]): List containing vuln/assets/compliance objects in chunk.
 Returns:
 List[List[Dict]] -> List containing one or more sub-chunks created out of input chunk.
- '''
+ """
 queue = Queue()
 output_sub_chunks = []
@@ -109,6 +111,25 @@ def partition_chunks_into_30MB_sub_chunks(inputChunk: List[Dict]) -> List[List[D
 logging.info('Re-enqueued 2 sub-chunks with elements: %d <-> %d', len(left_chunk), len(right_chunk))
- logging.info('Created %d output sub-chunks.', len(output_sub_chunks))
+ logging.info("Created %d output sub-chunks.", len(output_sub_chunks))
 return output_sub_chunks
+
+
+def update_checkpoint_for_last_chunk(chunk, chunks, job_status):
+ """
+ Check for last chunk from list of chunks.
+
+ Args:
+ chunk (int): chunk id
+ chunks (list): List of chunk ids
+ job_status (str): status of the job
+
+ Returns:
+ bool: Returns True if last chunk is found, otherwise False
+ """
+ if chunk == chunks[-1] and job_status.upper() == "FINISHED":
+ logging.info("last chunk and job finished, set update checkpoint flag to true.")
+ return True
+ else:
+ return False
diff --git a/Solutions/Tenable App/Package/3.0.1.zip b/Solutions/Tenable App/Package/3.0.1.zip
index 2c352577d98..495b1215f99 100644
Binary files a/Solutions/Tenable App/Package/3.0.1.zip and b/Solutions/Tenable App/Package/3.0.1.zip differ
diff --git a/Solutions/Tenable App/Package/mainTemplate.json b/Solutions/Tenable App/Package/mainTemplate.json
index 6e72676c06c..911d6fe9b45 100644
--- a/Solutions/Tenable App/Package/mainTemplate.json
+++ b/Solutions/Tenable App/Package/mainTemplate.json
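Review bot: `update_checkpoint_for_last_chunk` indexes `chunks[-1]` and calls `job_status.upper()` without guarding, so an empty list raises `IndexError` and a `None` status raises `AttributeError`; the one caller in this commit happens to guard both, but the helper is module-level and its docstring promises a plain bool. A total version fits on one line, `return bool(chunks) and chunk == chunks[-1] and str(job_status or "").upper() == "FINISHED"`, with the info log kept in front of it if wanted. The docstring's summary should also say it is the last chunk of a FINISHED job, since that is the actual condition being tested.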
@@ -268,10 +268,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -282,7 +282,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -292,7 +291,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -375,10 +375,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -389,7 +389,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -399,7 +398,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -482,10 +482,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -499,7 +499,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -509,7 +508,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -592,10 +592,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -609,7 +609,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -619,7 +618,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -702,10 +702,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -716,7 +716,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", 
@@ -726,7 +725,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -809,10 +809,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -823,7 +823,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -833,7 +832,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -916,10 +916,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -933,7 +933,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -943,7 +942,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -1026,10 +1026,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -1040,7 +1040,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -1050,7 +1049,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -1133,10 +1133,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -1147,7 +1147,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -1157,7 +1156,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } 
@@ -1240,10 +1240,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -1257,7 +1257,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -1267,7 +1266,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -1350,10 +1350,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -1364,7 +1364,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -1374,7 +1373,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } @@ -1457,10 +1457,10 @@ "status": "Available", "requiredDataConnectors": [ { + "connectorId": "TenableIE", "dataTypes": [ "Tenable_IE_CL" - ], - "connectorId": "TenableIE" + ] } ], "tactics": [ @@ -1471,7 +1471,6 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { "columnName": "HostName", @@ -1481,7 +1480,8 @@ "columnName": "DnsDomain", "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" } ] } 
@@ -1999,7 +1999,7 @@ "id": "[variables('_uiConfigId2')]", "title": "Tenable Vulnerability Management (using Azure Functions)", "publisher": "Tenable", - "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset and Vulnerability data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", + "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset, Vulnerability and Compliance data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", "additionalRequirementBanner": "These queries and workbooks are dependent on a [**TenableVM parser for vulnerabilities**](https://aka.ms/sentinel-TenableApp-TenableVMVulnerabilities-parser) and a [**TenableVM parser for assets**](https://aka.ms/sentinel-TenableApp-TenableVMAssets-parser) based on Kusto to work as expected which is deployed with the Microsoft Sentinel Solution.", "graphQueries": [ { @@ -2011,6 +2011,11 @@ "metricName": "Total data received", "legend": "Tenable_VM_Vuln_CL", "baseQuery": "Tenable_VM_Vuln_CL" + }, + { + "metricName": "Total data received", + "legend": "Tenable_VM_Compliance_CL", + "baseQuery": "Tenable_VM_Compliance_CL" } ], "sampleQueries": [ 
@@ -2022,6 +2027,10 @@ "description": "Tenable VM Report - All Vulns", "query": "Tenable_VM_Vuln_CL\n | sort by TimeGenerated desc" }, + { + "description": "Tenable VM Report - All Compliance", + "query": "Tenable_VM_Compliance_CL\n | sort by TimeGenerated desc" + }, { "description": "Select unique vulnerabilities by a specific asset.", "query": "Tenable_VM_Vuln_CL\n | where asset_fqdn_s has \"one.one.one.one\"\n | summarize any(asset_fqdn_s, plugin_id_d, plugin_cve_s) by plugin_id_d" @@ -2039,6 +2048,10 @@ { "name": "Tenable_VM_Vuln_CL", "lastDataReceivedQuery": "Tenable_VM_Vuln_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Tenable_VM_Compliance_CL", + "lastDataReceivedQuery": "Tenable_VM_Compliance_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ @@ -2053,6 +2066,12 @@ "value": [ "Tenable_VM_Vuln_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Tenable_VM_Compliance_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] } ], "availability": { 
@@ -2095,7 +2114,7 @@ }, "instructionSteps": [ { - "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk) and [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk), [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) and [compliance](https://developer.tenable.com/reference#exports-compliance-request-export)(if selected) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." }, { "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
@@ -2104,7 +2123,7 @@ "description": ">**NOTE:** This data connector depends on a [**TenableVM parser for vulnerabilities**](https://aka.ms/sentinel-TenableApp-TenableVMVulnerabilities-parser) and a [**TenableVM parser for assets**](https://aka.ms/sentinel-TenableApp-TenableVMAssets-parser) based on a Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution." }, { - "description": "**STEP 1 - Configuration steps for TenableVM\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" + "description": "**STEP 1 - Configuration steps for TenableVM**\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" }, { "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function App**\n\n>**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", 
@@ -2130,7 +2149,7 @@ ] }, { - "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Select **Lowest Severity to Store** to set the lowest vulnerability severity. Default is Info. \n5. Select true for **Compliance Data Ingestion** to ingest Compliance data. Default is false. \n6. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n7. Click **Purchase** to deploy.", "title": "Option 1 - Azure Resource Manager (ARM) Template" }, { 
@@ -2141,7 +2160,7 @@ "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-TenableVMAzureSentinelConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. TenableVMXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tLowestSeveritytoStore\n\t\tComplianceDataIngestion\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." } ], "metadata": { 
@@ -2243,7 +2262,7 @@ "connectorUiConfig": { "title": "Tenable Vulnerability Management (using Azure Functions)", "publisher": "Tenable", - "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset and Vulnerability data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", + "descriptionMarkdown": "The TVM data connector provides the ability to ingest Asset, Vulnerability and Compliance data into Microsoft Sentinel using TVM REST APIs. Refer to [API documentation](https://developer.tenable.com/reference) for more information. The connector provides the ability to get data which helps to examine potential security risks, get insight into your computing assets, diagnose configuration problems and more", "graphQueries": [ { "metricName": "Total data received", @@ -2254,6 +2273,11 @@ "metricName": "Total data received", "legend": "Tenable_VM_Vuln_CL", "baseQuery": "Tenable_VM_Vuln_CL" + }, + { + "metricName": "Total data received", + "legend": "Tenable_VM_Compliance_CL", + "baseQuery": "Tenable_VM_Compliance_CL" } ], "dataTypes": [ @@ -2264,6 +2288,10 @@ { "name": "Tenable_VM_Vuln_CL", "lastDataReceivedQuery": "Tenable_VM_Vuln_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "Tenable_VM_Compliance_CL", + "lastDataReceivedQuery": "Tenable_VM_Compliance_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" } ], "connectivityCriterias": [ 
@@ -2278,6 +2306,12 @@ "value": [ "Tenable_VM_Vuln_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" ] + }, + { + "type": "IsConnectedQuery", + "value": [ + "Tenable_VM_Compliance_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] } ], "sampleQueries": [ @@ -2289,6 +2323,10 @@ "description": "Tenable VM Report - All Vulns", "query": "Tenable_VM_Vuln_CL\n | sort by TimeGenerated desc" }, + { + "description": "Tenable VM Report - All Compliance", + "query": "Tenable_VM_Compliance_CL\n | sort by TimeGenerated desc" + }, { "description": "Select unique vulnerabilities by a specific asset.", "query": "Tenable_VM_Vuln_CL\n | where asset_fqdn_s has \"one.one.one.one\"\n | summarize any(asset_fqdn_s, plugin_id_d, plugin_cve_s) by plugin_id_d" 
@@ -2338,7 +2376,7 @@ }, "instructionSteps": [ { - "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk) and [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + "description": ">**NOTE:** This connector uses Azure Durable Functions to connect to the TenableVM API to pull [assets](https://developer.tenable.com/reference#exports-assets-download-chunk), [vulnerabilities](https://developer.tenable.com/reference#exports-vulns-request-export) and [compliance](https://developer.tenable.com/reference#exports-compliance-request-export)(if selected) at a regular interval into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." }, { "description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App." 
@@ -2347,7 +2385,7 @@ "description": ">**NOTE:** This data connector depends on a [**TenableVM parser for vulnerabilities**](https://aka.ms/sentinel-TenableApp-TenableVMVulnerabilities-parser) and a [**TenableVM parser for assets**](https://aka.ms/sentinel-TenableApp-TenableVMAssets-parser) based on a Kusto Function to work as expected which is deployed with the Microsoft Sentinel Solution." }, { - "description": "**STEP 1 - Configuration steps for TenableVM\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" + "description": "**STEP 1 - Configuration steps for TenableVM**\n\n [Follow the instructions](https://docs.tenable.com/vulnerability-management/Content/Settings/my-account/GenerateAPIKey.htm) to obtain the required API credentials. \n" }, { "description": "**STEP 2 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function App**\n\n>**IMPORTANT:** Before deploying the Workspace data connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", 
@@ -2373,7 +2411,7 @@ ] }, { - "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.", + "description": "Use this method for automated deployment of the TenableVM Vulnerability Management Report data connector using an ARM Template.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-TenableVM-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **TenableAccessKey** and **TenableSecretKey** and deploy. \n4. Select **Lowest Severity to Store** to set the lowest vulnerability severity. Default is Info. \n5. Select true for **Compliance Data Ingestion** to ingest Compliance data. Default is false. \n6. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n7. Click **Purchase** to deploy.", "title": "Option 1 - Azure Resource Manager (ARM) Template" }, { 
@@ -2384,7 +2422,7 @@ "description": "**1. Deploy a Function App**\n\n> **NOTE:** You will need to [prepare VS code](https://docs.microsoft.com/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.\n\n1. Download the [Azure Function App](https://aka.ms/sentinel-TenableVMAzureSentinelConnector-functionapp) file. Extract archive to your local development computer.\n2. Start VS Code. Choose File in the main menu and select Open Folder.\n3. Select the top level folder from extracted files.\n4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.\nIf you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**\nIf you're already signed in, go to the next step.\n5. Provide the following information at the prompts:\n\n\ta. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.\n\n\tb. **Select Subscription:** Choose the subscription to use.\n\n\tc. Select **Create new Function App in Azure** (Don't choose the Advanced option)\n\n\td. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. TenableVMXXXXX).\n\n\te. **Select a runtime:** Choose Python 3.11.\n\n\tf. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.\n\n6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.\n7. Go to Azure Portal for the Function App configuration." }, { - "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. 
In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." + "description": "**2. Configure the Function App**\n\n1. In the Function App, select the Function App Name and select **Configuration**.\n2. In the **Application settings** tab, select **New application setting**.\n3. Add each of the following application settings individually, with their respective string values (case-sensitive): \n\t\tTenableAccessKey\n\t\tTenableSecretKey\n\t\tWorkspaceID\n\t\tWorkspaceKey\n\t\tLowestSeveritytoStore\n\t\tComplianceDataIngestion\n\t\tlogAnalyticsUri (optional)\n> - Use logAnalyticsUri to override the log analytics API endpoint for dedicated cloud. For example, for public cloud, leave the value empty; for Azure GovUS cloud environment, specify the value in the following format: `https://.ods.opinsights.azure.us`.\n3. Once all application settings have been entered, click **Save**." } ], "id": "[variables('_uiConfigId2')]", diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_CloudAppEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_CloudAppEvents.yaml index ad209b99b8e..ec65631354b 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_CloudAppEvents.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_CloudAppEvents.yaml 
@@ -29,14 +29,13 @@ query: | | where isnotempty(EmailSenderAddress) | join kind=innerunique (CloudAppEvents | extend User_Id = tostring(RawEventData.UserId) - | where User_Id != "" + | where isnotempty(User_Id) | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application) | extend CloudAppEvents_TimeGenerated = TimeGenerated - | extend User_id = tostring(User_Id) - | where User_id matches regex emailregex) on $left.EmailSenderAddress == $right.User_id + | where User_Id matches regex emailregex) on $left.EmailSenderAddress == $right.User_Id | where CloudAppEvents_TimeGenerated < ExpirationDateTime - | summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_id - | extend Name = tostring(split(User_id, '@', 0)[0]), UPNSuffix = tostring(split(User_id, '@', 1)[0]) + | summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id + | extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0]) | extend timestamp = CloudAppEvents_TimeGenerated entityMappings: - entityType: Account @@ -47,5 +46,5 @@ entityMappings: columnName: User_Id - identifier: UPNSuffix columnName: UPNSuffix -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CloudAppEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CloudAppEvents.yaml index 4b4adc81e2a..908357032ef 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CloudAppEvents.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CloudAppEvents.yaml @@ -35,6 +35,7 @@ query: | IP_Indicators | join kind=innerunique ( CloudAppEvents + | where isnotempty(IPAddress) | where TimeGenerated >= ago(dt_lookBack) | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress | where CloudAppEvents_TimeGenerated < ExpirationDateTime 
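Review bot: In the EmailEntity_CloudAppEvents hunk, the join `on $left.EmailSenderAddress == $right.User_Id` uses KQL's case-sensitive `==`, so an indicator whose letter case differs from the `RawEventData.UserId` recorded by the app never matches; the added `isnotempty` and regex filters do not address this. Normalise the right side within this hunk with `| extend User_Id = tolower(tostring(RawEventData.UserId))` and apply `tolower()` to `EmailSenderAddress` on the indicator side, which is built above the hunk and is not visible here. Because `User_Id` also feeds the `Name` and `UPNSuffix` entity columns, lowercasing keeps the Account entity consistent across alerts for the same user. `emailregex` and `dt_lookBack` are defined above the hunk, so their definitions could not be checked.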
@@ -67,5 +68,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: EmailSourceIPAddress -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml index 0eb6c07984f..4cf5827192c 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/imDns_DomainEntity_DnsEvents.yaml @@ -69,7 +69,7 @@ query: | | extend DNS_TimeGenerated = TimeGenerated ) on $left.DomainName==$right.DnsQuery | where DNS_TimeGenerated < ExpirationDateTime - | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType + | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.')) | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc) entityMappings: @@ -89,6 +89,10 @@ entityMappings: fieldMappings: - identifier: Url columnName: Url + - entityType: DNS + fieldMappings: + - identifier: DomainName + columnName: Domain customDetails: LatestIndicatorTime: LatestIndicatorTime Description: Description @@ -101,5 +105,5 @@ customDetails: SourceIPAddress: SrcIpAddr DnsQuery: DnsQuery QueryType: DnsQueryType -version: 1.1.7 -kind: Scheduled \ No newline at end of file +version: 1.1.8 +kind: Scheduled diff --git a/Solutions/Threat Intelligence/Package/3.0.7.zip b/Solutions/Threat Intelligence/Package/3.0.7.zip new file mode 100644 index 00000000000..87caeb6496b Binary files /dev/null and b/Solutions/Threat Intelligence/Package/3.0.7.zip differ 
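Review bot: In the imDns_DomainEntity_DnsEvents hunks, the rewritten `project` now carries a `Domain` column that the new `DNS` entity mapping depends on, but neither hunk defines `Domain`; it must be produced earlier in the query, outside this view, or the rule fails validation on deployment. The join `on $left.DomainName==$right.DnsQuery` already guarantees the matched query equals the indicator's `DomainName`, so if `Domain` is just an alias of that value, `columnName: DnsQuery` would anchor the entity in a column that is visible and known to be populated; if it is intentionally a different value (for example a parent or registered domain), a YAML comment such as `# Domain: <where it comes from>, distinct from DnsQuery` on the mapping would spare the next reader the same question. That join is also case-sensitive while DNS names are not, so `tolower()` on both keys is worth considering, though the indicator side is not visible here.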
diff --git a/Solutions/Threat Intelligence/Package/mainTemplate.json b/Solutions/Threat Intelligence/Package/mainTemplate.json index bc32eadc20c..6f962281184 100644 --- a/Solutions/Threat Intelligence/Package/mainTemplate.json +++ b/Solutions/Threat Intelligence/Package/mainTemplate.json @@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Threat Intelligence", - "_solutionVersion": "3.0.6", + "_solutionVersion": "3.0.7", "solutionId": "azuresentinel.azure-sentinel-solution-threatintelligence-taxii", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ThreatIntelligenceTaxii", @@ -423,11 +423,11 @@ "_analyticRulecontentProductId43": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','d23ed927-5be3-4902-a9c1-85f841eb4fa1','-', '1.0.6')))]" }, "analyticRuleObject44": { - "analyticRuleVersion44": "1.1.7", + "analyticRuleVersion44": "1.1.8", "_analyticRulecontentId44": "999e9f5d-db4a-4b07-a206-29c4e667b7e8", "analyticRuleId44": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '999e9f5d-db4a-4b07-a206-29c4e667b7e8')]", "analyticRuleTemplateSpecName44": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('999e9f5d-db4a-4b07-a206-29c4e667b7e8')))]", - "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','999e9f5d-db4a-4b07-a206-29c4e667b7e8','-', '1.1.7')))]" + "_analyticRulecontentProductId44": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','999e9f5d-db4a-4b07-a206-29c4e667b7e8','-', '1.1.8')))]" }, "analyticRuleObject45": { "analyticRuleVersion45": "1.2.4", 
@@ -458,11 +458,11 @@ "_analyticRulecontentProductId48": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b97e118c-b7fa-42a6-84de-2e13443fbb8f','-', '1.0.3')))]" }, "analyticRuleObject49": { - "analyticRuleVersion49": "1.0.2", + "analyticRuleVersion49": "1.0.3", "_analyticRulecontentId49": "47b9bb10-d216-4359-8cef-08ca2c67e5be", "analyticRuleId49": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '47b9bb10-d216-4359-8cef-08ca2c67e5be')]", "analyticRuleTemplateSpecName49": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('47b9bb10-d216-4359-8cef-08ca2c67e5be')))]", - "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','47b9bb10-d216-4359-8cef-08ca2c67e5be','-', '1.0.2')))]" + "_analyticRulecontentProductId49": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','47b9bb10-d216-4359-8cef-08ca2c67e5be','-', '1.0.3')))]" }, "analyticRuleObject50": { "analyticRuleVersion50": "1.0.3", 
@@ -472,11 +472,11 @@ "_analyticRulecontentProductId50": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4','-', '1.0.3')))]" }, "analyticRuleObject51": { - "analyticRuleVersion51": "1.0.2", + "analyticRuleVersion51": "1.0.3", "_analyticRulecontentId51": "4e0a6fc8-697e-4455-be47-831b41ea91ac", "analyticRuleId51": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4e0a6fc8-697e-4455-be47-831b41ea91ac')]", "analyticRuleTemplateSpecName51": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4e0a6fc8-697e-4455-be47-831b41ea91ac')))]", - "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4e0a6fc8-697e-4455-be47-831b41ea91ac','-', '1.0.2')))]" + "_analyticRulecontentProductId51": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4e0a6fc8-697e-4455-be47-831b41ea91ac','-', '1.0.3')))]" }, "analyticRuleObject52": { "analyticRuleVersion52": "1.0.3", @@ -498,7 +498,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intelligence data connector with template version 3.0.6", + "description": "Threat Intelligence data connector with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -657,7 +657,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.6",
+ "description": "Threat Intelligence data connector with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
@@ -816,7 +816,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.6",
+ "description": "Threat Intelligence data connector with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion3')]",
@@ -1059,7 +1059,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.6",
+ "description": "Threat Intelligence data connector with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion4')]",
@@ -1327,7 +1327,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Threat Intelligence data connector with template version 3.0.6",
+ "description": "Threat Intelligence data connector with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion5')]",
@@ -1486,7 +1486,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ThreatIntelligence Workbook with template version 3.0.6",
+ "description": "ThreatIntelligence Workbook with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -1590,7 +1590,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "FileEntity_OfficeActivity_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -1671,7 +1671,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "FileEntity_SecurityEvent_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -1752,7 +1752,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "FileEntity_Syslog_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -1833,7 +1833,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.6",
+ "description": "FileEntity_VMConnection_HuntingQueries Hunting Query with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -1914,7 +1914,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.6", + "description": "FileEntity_WireData_HuntingQueries Hunting Query with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -1995,7 +1995,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -2049,31 +2049,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "PA_Url" + "columnName": "PA_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -2129,7 +2129,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -2189,44 +2189,44 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Process", "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "InitiatingProcessCommandLine" + "columnName": "InitiatingProcessCommandLine", + "identifier": "CommandLine" } - ] + ], + "entityType": "Process" } ] } 
@@ -2282,7 +2282,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -2342,39 +2342,39 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -2430,7 +2430,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -2490,21 +2490,21 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -2560,7 +2560,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -2620,30 +2620,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -2699,7 +2699,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -2765,32 +2765,32 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ], "customDetails": { - "EventTime": "Event_TimeGenerated", + "IoCExpirationTime": "ExpirationDateTime", "ActivityGroupNames": "ActivityGroupNames", "IoCConfidenceScore": "ConfidenceScore", - "IoCDescription": "Description", - "ThreatType": "ThreatType", "IndicatorId": "IndicatorId", - "IoCExpirationTime": "ExpirationDateTime" + "ThreatType": "ThreatType", + "IoCDescription": "Description", + "EventTime": "Event_TimeGenerated" }, "alertDetailsOverride": { "alertDescriptionFormat": "A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", @@ -2849,7 +2849,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -2909,31 +2909,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "PA_Url" + "columnName": "PA_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -2989,7 +2989,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -3055,31 +3055,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IP_addr" + "columnName": "IP_addr", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -3135,7 +3135,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -3195,39 +3195,39 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -3283,7 +3283,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -3343,39 +3343,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Caller" + "columnName": "Caller", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "CallerIpAddress" + "columnName": "CallerIpAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -3431,7 +3431,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_EmailEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -3491,21 +3491,21 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -3561,7 +3561,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", 
@@ -3621,39 +3621,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -3709,7 +3709,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", 
@@ -3769,31 +3769,31 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "DestinationUserID" + "columnName": "DestinationUserID", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -3849,7 +3849,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_SecurityAlert_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -3909,30 +3909,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "EntityEmail" + "columnName": "EntityEmail", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -3988,7 +3988,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -4060,44 +4060,44 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "TargetUserName" + "columnName": "TargetUserName", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpAddress" + "columnName": "IpAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -4153,7 +4153,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]", @@ -4219,39 +4219,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserPrincipalName" + "columnName": "UserPrincipalName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -4307,7 +4307,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.6",
+ "description": "FileHashEntity_CommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.7",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]",
@@ -4367,69 +4367,69 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "SourceUserName" + "columnName": "SourceUserName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } - ] + ], + "entityType": "FileHash" } ] } 
@@ -4485,7 +4485,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_DeviceFileEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FileHashEntity_DeviceFileEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]", @@ -4545,43 +4545,43 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "RequestAccountName" + "columnName": "RequestAccountName", + "identifier": "Name" }, { - "identifier": "Sid", - "columnName": "RequestAccountSid" + "columnName": "RequestAccountSid", + "identifier": "Sid" }, { - "identifier": "NTDomain", - "columnName": "RequestAccountDomain" + "columnName": "RequestAccountDomain", + "identifier": "NTDomain" } - ] + ], + "entityType": "Account" }, { - "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } - ] + ], + "entityType": "FileHash" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ] } 
@@ -4637,7 +4637,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FileHashEntity_SecurityEvent_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]", 
@@ -4709,60 +4709,60 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Account" + "columnName": "Account", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } - ] + ], + "entityType": "FileHash" } ] } 
@@ -4818,7 +4818,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AppServiceHTTPLogs_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]", @@ -4872,53 +4872,53 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "CsUsername" + "columnName": "CsUsername", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "CIp" + "columnName": "CIp", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "AzureResource", "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "_ResourceId" + "columnName": "_ResourceId", + "identifier": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ], "alertDetailsOverride": { 
@@ -4977,7 +4977,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AWSCloudTrail_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject21').analyticRuleVersion21]", @@ -5037,31 +5037,31 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "ObjectGuid", - "columnName": "UserIdentityUserName" + "columnName": "UserIdentityUserName", + "identifier": "ObjectGuid" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIpAddress" + "columnName": "SourceIpAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -5117,7 +5117,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AzureActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject22').analyticRuleVersion22]", 
@@ -5177,57 +5177,57 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Caller" + "columnName": "Caller", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Account", "fieldMappings": [ { - "identifier": "AadUserId", - "columnName": "AadUserId" + "columnName": "AadUserId", + "identifier": "AadUserId" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "CallerIpAddress" + "columnName": "CallerIpAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "AzureResource", "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "ResourceId" + "columnName": "ResourceId", + "identifier": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } @@ -5283,7 +5283,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AzureFirewall_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject23').analyticRuleVersion23]", 
@@ -5343,22 +5343,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -5414,7 +5414,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AzureKeyVault_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject24').analyticRuleVersion24]", @@ -5474,22 +5474,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "AzureResource", "fieldMappings": [ { - "identifier": "ResourceId", - "columnName": "ResourceId" + "columnName": "ResourceId", + "identifier": "ResourceId" } - ] + ], + "entityType": "AzureResource" } ] } 
@@ -5545,7 +5545,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AzureNetworkAnalytics_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject25').analyticRuleVersion25]", @@ -5599,39 +5599,39 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -5687,7 +5687,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_AzureSQL_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject26').analyticRuleVersion26]", @@ -5747,13 +5747,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -5809,7 +5809,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject27').analyticRuleVersion27]", @@ -5869,13 +5869,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "CS_ipEntity" + "columnName": "CS_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } 
@@ -5931,7 +5931,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject28').analyticRuleVersion28]", @@ -5991,44 +5991,44 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "RemoteUrl" + "columnName": "RemoteUrl", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" } ] } 
@@ -6084,7 +6084,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject29').analyticRuleVersion29]", @@ -6144,39 +6144,39 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "ClientIP" + "columnName": "ClientIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -6232,7 +6232,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_imWebSession_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject30').analyticRuleVersion30]", @@ -6298,23 +6298,23 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "DstIpAddr" + "columnName": "DstIpAddr", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ], "customDetails": { - "EventTime": "imNWS_TimeGenerated", + "IoCExpirationTime": "ExpirationDateTime", "ActivityGroupNames": "ActivityGroupNames", "IoCConfidenceScore": "ConfidenceScore", - "IoCDescription": "Description", - "ThreatType": "ThreatType", "IndicatorId": "IndicatorId", - "IoCExpirationTime": "ExpirationDateTime" + "ThreatType": "ThreatType", + "IoCDescription": "Description", + "EventTime": "imNWS_TimeGenerated" }, "alertDetailsOverride": { "alertDescriptionFormat": "The source address {{SrcIpAddr}} of the web request for the URL {{Url}} matches a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence feed for more information about the indicator.", 
@@ -6373,7 +6373,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject31').analyticRuleVersion31]", @@ -6433,39 +6433,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserId" + "columnName": "UserId", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -6521,7 +6521,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject32').analyticRuleVersion32]", @@ -6587,39 +6587,39 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserPrincipalName" + "columnName": "UserPrincipalName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -6675,7 +6675,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_VMConnection_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject33').analyticRuleVersion33]", @@ -6735,35 +6735,35 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "RemoteIp" + "columnName": "RemoteIp", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -6819,7 +6819,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_W3CIISLog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject34').analyticRuleVersion34]", 
@@ -6879,40 +6879,40 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "csUserName" + "columnName": "csUserName", + "identifier": "Name" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "cIP" + "columnName": "cIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -6968,7 +6968,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_AuditLogs_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject35').analyticRuleVersion35]", 
@@ -7028,47 +7028,47 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "userPrincipalName" + "columnName": "userPrincipalName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "AccountUPNSuffix" + "columnName": "AccountUPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "TargetResourceDisplayName" + "columnName": "TargetResourceDisplayName", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -7124,7 +7124,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_DeviceNetworkEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject36').analyticRuleVersion36]", 
@@ -7184,44 +7184,44 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "Process", "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "InitiatingProcessCommandLine" + "columnName": "InitiatingProcessCommandLine", + "identifier": "CommandLine" } - ] + ], + "entityType": "Process" } ] } @@ -7277,7 +7277,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_EmailUrlInfo_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject37').analyticRuleVersion37]", 
@@ -7337,30 +7337,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "RecipientEmailAddress" + "columnName": "RecipientEmailAddress", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -7416,7 +7416,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject38').analyticRuleVersion38]", @@ -7476,30 +7476,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "User" + "columnName": "User", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -7555,7 +7555,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_PaloAlto_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject39').analyticRuleVersion39]", @@ -7615,31 +7615,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "PA_Url" + "columnName": "PA_Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -7695,7 +7695,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_SecurityAlerts_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject40').analyticRuleVersion40]", 
@@ -7761,22 +7761,22 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Compromised_Host" + "columnName": "Compromised_Host", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -7832,7 +7832,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_Syslog_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject41').analyticRuleVersion41]", @@ -7892,31 +7892,31 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "HostIP" + "columnName": "HostIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } 
@@ -7972,7 +7972,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_UrlClickEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_UrlClickEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject42').analyticRuleVersion42]", @@ -8032,30 +8032,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountUpn" + "columnName": "AccountUpn", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" } ] } @@ -8111,7 +8111,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_DuoSecurity_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject43').analyticRuleVersion43]", 
@@ -8171,30 +8171,30 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "user_name_s" + "columnName": "user_name_s", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "access_device_ip_s" + "columnName": "access_device_ip_s", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -8250,7 +8250,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "imDns_DomainEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject44').analyticRuleVersion44]", 
@@ -8267,7 +8267,7 @@ "description": "Identifies a match in DNS events from any Domain IOC from TI\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM DNS schema'", "displayName": "TI map Domain entity to Dns Events (ASIM DNS Schema)", "enabled": false, - "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\nlet Domains = DomainTIs | where isnotempty(DomainName) |summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n | join (\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, DnsQuery, DnsQueryType\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n", + "query": "let HAS_ANY_MAX = 10000;\nlet dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet DomainTIs= ThreatIntelligenceIndicator\n // Picking up only IOC's that contain the entities we want\n | where isnotempty(DomainName)\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now();\nlet Domains = DomainTIs | where isnotempty(DomainName) 
|summarize NDomains=dcount(DomainName), DomainsList=make_set(DomainName) \n | project DomainList = iff(NDomains > HAS_ANY_MAX, dynamic([]), DomainsList) ;\nDomainTIs\n | join (\n _Im_Dns(starttime=ago(dt_lookBack), domain_has_any=toscalar(Domains))\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.DnsQuery\n| where DNS_TimeGenerated < ExpirationDateTime\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Url, DNS_TimeGenerated, Dvc, SrcIpAddr, Domain, DnsQuery, DnsQueryType\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", 
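Review bot: The join `on $left.DomainName==$right.DnsQuery` in the new query is case-sensitive (KQL `==`), while the `domain_has_any` pre-filter handed to `_Im_Dns` is case-insensitive, so an indicator whose letter case differs from the logged query name passes the parser filter and is then dropped at the join; DNS names are case-insensitive, so this silently loses true matches. Normalize both keys before joining, e.g. `| extend DomainName = tolower(DomainName)` on the TI side, `| extend DnsQueryKey = tolower(DnsQuery)` inside the `_Im_Dns` subquery, and `on $left.DomainName == $right.DnsQueryKey`. The email rule at `@@ -9134` has the same gap on `$left.EmailSenderAddress == $right.User_Id`, where `tolower()` applied to `EmailSenderAddress` and to `tostring(RawEventData.UserId)` closes it. This file is the generated package, so the change belongs in the source analytic-rule YAML it is built from, which is not in this chunk.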
@@ -8352,53 +8352,62 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Dvc" + "columnName": "Dvc", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" + }, + { + "fieldMappings": [ + { + "columnName": "Domain", + "identifier": "DomainName" + } + ], + "entityType": "DNS" } ], "customDetails": { - "SourceIPAddress": "SrcIpAddr", "DnsQuery": "DnsQuery", + "QueryType": "DnsQueryType", + "SourceIPAddress": "SrcIpAddr", "ActivityGroupNames": "ActivityGroupNames", - "ConfidenceScore": "ConfidenceScore", "Description": "Description", "LatestIndicatorTime": "LatestIndicatorTime", - "DNSRequestTime": "DNS_TimeGenerated", - "ThreatType": "ThreatType", "IndicatorId": "IndicatorId", - "QueryType": "DnsQueryType", - "ExpirationDateTime": "ExpirationDateTime" + "ThreatType": "ThreatType", + "DNSRequestTime": "DNS_TimeGenerated", + "ExpirationDateTime": "ExpirationDateTime", + "ConfidenceScore": "ConfidenceScore" } } }, 
@@ -8453,7 +8462,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "imDns_IPEntity_DnsEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject45').analyticRuleVersion45]", 
@@ -8555,44 +8564,44 @@ ], "entityMappings": [ { - "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Dvc" + "columnName": "Dvc", + "identifier": "FullName" } - ] + ], + "entityType": "Host" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IoC" + "columnName": "IoC", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SrcIpAddr" + "columnName": "SrcIpAddr", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ], "customDetails": { - "SourceIPAddress": "SrcIpAddr", "DnsQuery": "DnsQuery", + "SourceIPAddress": "SrcIpAddr", "ActivityGroupNames": "ActivityGroupNames", - "ConfidenceScore": "ConfidenceScore", "Description": "Description", "LatestIndicatorTime": "LatestIndicatorTime", - "DNSRequestTime": "imDns_mintime", - "ThreatType": "ThreatType", "IndicatorId": "IndicatorId", - "ExpirationDateTime": "ExpirationDateTime" + "ThreatType": "ThreatType", + "DNSRequestTime": "imDns_mintime", + "ExpirationDateTime": "ExpirationDateTime", + "ConfidenceScore": "ConfidenceScore" }, "alertDetailsOverride": { "alertDescriptionFormat": "The response address {{IoC}} to a DNS query matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.", 
@@ -8651,7 +8660,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject46').analyticRuleVersion46]", @@ -8796,25 +8805,25 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IoCIP" + "columnName": "IoCIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ], "customDetails": { - "ActivityGroupNames": "ActivityGroupNames", + "IoCExpirationTime": "ExpirationDateTime", "EventEndTime": "imNWS_maxtime", - "IoCConfidenceScore": "ConfidenceScore", - "IoCDescription": "Description", - "ThreatType": "ThreatType", - "IoCIPDirection": "IoCDirection", "EventStartTime": "imNWS_mintime", + "ActivityGroupNames": "ActivityGroupNames", + "IoCConfidenceScore": "ConfidenceScore", "IndicatorId": "IndicatorId", - "IoCExpirationTime": "ExpirationDateTime" + "ThreatType": "ThreatType", + "IoCDescription": "Description", + "IoCIPDirection": "IoCDirection" }, "alertDetailsOverride": { "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator.", 
@@ -8873,7 +8882,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "Threat Intel Matches to GitHub Audit Logs_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject47').analyticRuleVersion47]", @@ -8927,22 +8936,22 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "FullName" } - ] + ], + "entityType": "Account" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -8998,7 +9007,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "DomainEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject48').analyticRuleVersion48]", 
@@ -9046,22 +9055,22 @@ ], "entityMappings": [ { - "entityType": "DNS", "fieldMappings": [ { - "identifier": "DomainName", - "columnName": "DomainName" + "columnName": "DomainName", + "identifier": "DomainName" } - ] + ], + "entityType": "DNS" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -9117,7 +9126,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EmailEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "EmailEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject49').analyticRuleVersion49]", 
@@ -9134,7 +9143,7 @@ "description": "Identifies compromises and attacks and detect malicious activities in one's email entity from TI", "displayName": "Preview - TI map Email entity to Cloud App Events", "enabled": false, - "query": "let dt_lookBack = 10d;\nlet ioc_lookBack = 30d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(EmailSenderAddress)\n | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where User_Id != \"\"\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| extend User_id = tostring(User_Id)\n| where User_id matches regex emailregex) on $left.EmailSenderAddress == $right.User_id\n| where CloudAppEvents_TimeGenerated < ExpirationDateTime\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_id\n| extend Name = tostring(split(User_id, '@', 0)[0]), UPNSuffix = tostring(split(User_id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n", + "query": "let dt_lookBack = 10d;\nlet ioc_lookBack = 30d;\nlet emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(EmailSenderAddress)\n | join kind=innerunique (CloudAppEvents\n| extend User_Id = tostring(RawEventData.UserId)\n| where isnotempty(User_Id)\n| where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)\n| extend CloudAppEvents_TimeGenerated = TimeGenerated \n| where User_Id matches regex emailregex) on $left.EmailSenderAddress == 
$right.User_Id\n| where CloudAppEvents_TimeGenerated < ExpirationDateTime\n| summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id\n| extend Name = tostring(split(User_Id, '@', 0)[0]), UPNSuffix = tostring(split(User_Id, '@', 1)[0])\n| extend timestamp = CloudAppEvents_TimeGenerated\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -9165,21 +9174,21 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "DisplayName", - "columnName": "Name" + "columnName": "Name", + "identifier": "DisplayName" }, { - "identifier": "FullName", - "columnName": "User_Id" + "columnName": "User_Id", + "identifier": "FullName" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } - ] + ], + "entityType": "Account" } ] } @@ -9235,7 +9244,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileHashEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "FileHashEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject50').analyticRuleVersion50]", 
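Review bot: The `summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *)` on the new side keeps the older `argmax` spelling while the TI side of the same query uses `arg_max`; one form should be used throughout, and `arg_max` is the documented one: `| summarize CloudAppEvents_TimeGenerated = arg_max(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_Id`. The IP rule at `@@ -9399` mixes the two spellings in the same way. As this is the generated package, the edit belongs in the source rule YAML rather than here.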
@@ -9289,44 +9298,44 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "DestinationIP" + "columnName": "DestinationIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIP" + "columnName": "SourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "HostName" } - ] + ], + "entityType": "Host" }, { - "entityType": "FileHash", "fieldMappings": [ { - "identifier": "Value", - "columnName": "FileHashValue" + "columnName": "FileHashValue", + "identifier": "Value" }, { - "identifier": "Algorithm", - "columnName": "FileHashType" + "columnName": "FileHashType", + "identifier": "Algorithm" } - ] + ], + "entityType": "FileHash" } ] } @@ -9382,7 +9391,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IPEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "IPEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject51').analyticRuleVersion51]", 
@@ -9399,7 +9408,7 @@ "description": "Identifies compromises and attacks and detect malicious activities in one's IP entity from TI", "displayName": "Preview - TI map IP entity to Cloud App Events", "enabled": false, - "query": "let dt_lookBack = 1d;\nlet ioc_lookBack = 14d; \nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP)\nor isnotempty(EmailSourceIpAddress)\nor isnotempty(NetworkDestinationIP)\nor isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);\nIP_Indicators\n | join kind=innerunique (\n CloudAppEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress\n | where CloudAppEvents_TimeGenerated < ExpirationDateTime\n | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress\n | extend\n Description = max_CloudAppEvents_TimeGenerated_Description,\n ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,\n ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,\n ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,\n ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,\n TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,\n NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,\n NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,\n EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress\n | project 
CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress\n", + "query": "let dt_lookBack = 1d;\nlet ioc_lookBack = 14d; \nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where isnotempty(NetworkIP)\nor isnotempty(EmailSourceIpAddress)\nor isnotempty(NetworkDestinationIP)\nor isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);\nIP_Indicators\n | join kind=innerunique (\n CloudAppEvents\n | where isnotempty(IPAddress)\n | where TimeGenerated >= ago(dt_lookBack)\n | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress\n | where CloudAppEvents_TimeGenerated < ExpirationDateTime\n | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress\n | extend\n Description = max_CloudAppEvents_TimeGenerated_Description,\n ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,\n ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,\n ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,\n ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,\n TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,\n NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,\n NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,\n EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress\n | 
project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress\n", "queryFrequency": "PT1H", "queryPeriod": "P14D", "severity": "Medium", @@ -9430,40 +9439,40 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "TI_ipEntity" + "columnName": "TI_ipEntity", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "NetworkDestinationIP" + "columnName": "NetworkDestinationIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "NetworkSourceIP" + "columnName": "NetworkSourceIP", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "EmailSourceIPAddress" + "columnName": "EmailSourceIPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" } ] } @@ -9519,7 +9528,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "URLEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.6", + "description": "URLEntity_CloudAppEvents_AnalyticalRules Analytics Rule with template version 3.0.7", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject52').analyticRuleVersion52]", 
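Review bot: The two fallback assignments on the TI side of the new query write to `TIipEntity`, not `TI_ipEntity` (`| extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), ...)` and the `EmailSourceIpAddress` one after it), so `TI_ipEntity` only ever holds `NetworkIP` or `NetworkDestinationIP`, and the join `on $left.TI_ipEntity == $right.IPAddress` never sees indicators that carry only `NetworkSourceIP` or `EmailSourceIpAddress`, even though the preceding `where` admits them. The `| where isnotempty(IPAddress)` added in this hunk presumably stops those empty keys from pairing with rows whose `IPAddress` is empty, but the indicators still cannot match anything. Rename both targets: `| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)` and `| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);`. Since this is the generated package, fix it in the IPEntity_CloudAppEvents source rule YAML (outside this chunk) and regenerate.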
@@ -9567,52 +9576,52 @@ ], "entityMappings": [ { - "entityType": "Account", "fieldMappings": [ { - "identifier": "ObjectGuid", - "columnName": "AccountObjectId" + "columnName": "AccountObjectId", + "identifier": "ObjectGuid" }, { - "identifier": "FullName", - "columnName": "userPrincipalName" + "columnName": "userPrincipalName", + "identifier": "FullName" }, { - "identifier": "DisplayName", - "columnName": "AccountDisplayName" + "columnName": "AccountDisplayName", + "identifier": "DisplayName" } - ] + ], + "entityType": "Account" }, { - "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "Url" + "columnName": "Url", + "identifier": "Url" } - ] + ], + "entityType": "URL" }, { - "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPAddress" + "columnName": "IPAddress", + "identifier": "Address" } - ] + ], + "entityType": "IP" }, { - "entityType": "CloudApplication", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Application" + "columnName": "Application", + "identifier": "Name" }, { - "identifier": "AppId", - "columnName": "ApplicationID" + "columnName": "ApplicationID", + "identifier": "AppId" } - ] + ], + "entityType": "CloudApplication" } ] } @@ -9664,7 +9673,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.6", + "version": "3.0.7", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Threat Intelligence", diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml index e6f783f5f8b..7e547e14b1a 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneAttackDiscoveryDetectionRisks.yaml 
@@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml index fcdaea809e2..15563a7af98 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandLineSuspiciousRequests.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -36,5 +30,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml index 2375d421a81..9720adb5f1c 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneCommandsInRequest.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog 
@@ -33,5 +27,5 @@ entityMappings: fieldMappings: - identifier: Url columnName: UrlCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml index 0a4e583b3b3..720670bde50 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneDvcAccessPermissionWasChanged.yaml @@ -5,12 +5,6 @@ description: | severity: Medium status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -48,5 +42,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.3 +version: 1.0.4 kind: Scheduled diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml index a9e68ad7396..ccc31b3d9b0 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneInboundRemoteAccess.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -37,5 +31,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file 
diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml index e1190923179..51793e8822c 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneMultipleDenyOrTerminateActionOnSingleIp.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml index ba043f4baf4..213d8f95187 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOnePossibleExploitOrExecuteOperation.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -38,5 +32,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml index 1ab43031a40..1ade51e3958 100644 
--- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneRiskCnCEvents.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -35,5 +29,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml index 50300d50e41..6f438ccc076 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSpywareWithFailedResponse.yaml @@ -5,12 +5,6 @@ description: | severity: High status: Available requiredDataConnectors: - - connectorId: TrendMicroApexOne - dataTypes: - - TMApexOneEvent - - connectorId: TrendMicroApexOneAma - dataTypes: - - TMApexOneEvent - connectorId: CefAma dataTypes: - CommonSecurityLog @@ -36,5 +30,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: AccountCustomEntity -version: 1.0.2 +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml index 66e29f85fd5..ee23f578fe6 100644 --- a/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml +++ b/Solutions/Trend Micro Apex One/Analytic Rules/TMApexOneSuspiciousConnections.yaml 
@@ -5,12 +5,6 @@ description: |
 severity: High
 status: Available
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
@@ -37,5 +31,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: AccountCustomEntity
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json b/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json
index 4317f743ca3..05e5298b873 100644
--- a/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json
+++ b/Solutions/Trend Micro Apex One/Data/Solution_Trend Micro Apex One.json
@@ -3,10 +3,6 @@
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
 "Description": "The [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.",
- "Data Connectors": [
- "Data Connectors/TrendMicro_ApexOne.json",
- "Data Connectors/template_TrendMicro_ApexOneAMA.json"
- ],
 "Parsers": [
 "Parsers/TMApexOneEvent.yaml"
 ],
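Review bot: The Description string kept as context in the Solution_Trend Micro Apex One.json hunk still says the existing connectors "are about to be deprecated by **Aug 31, 2024**", yet this commit removes those connectors from the solution, so the installer text (which the packaged createUiDefinition.json reproduces from this field) now refers to connectors that no longer ship. Update the Description to say the solution relies solely on the CEF via AMA connector from the Common Event Format solution, or drop the deprecation sentence, and regenerate the package. Separately, the hunting-query YAML files in this commit drop the same connector entries without a version bump, unlike the analytic rules; I cannot tell from the diff whether the packaging tooling requires one, so it is worth confirming.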
@@ -41,7 +37,7 @@
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Trend Micro Apex One",
- "Version": "3.0.2",
+ "Version": "3.0.3",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml
index 11dfd2adb27..63984fcf12b 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedAction.yaml
@@ -4,12 +4,6 @@ description: |
 'Shows behavior monitoring actions taken for files.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml
index 691215e84d2..0e947a419cc 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTranslatedOperation.yaml
@@ -4,12 +4,6 @@ description: |
 'Shows behavior monitoring operations by users.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml
index 2e70ec9df21..a621188e72f 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTriggeredPolicy.yaml
@@ -4,12 +4,6 @@ description: |
 'Shows behavior monitoring triggered policy by command line.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml
index 9c594156b93..f54950e7ced 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneBehaviorMonitoringTypesOfEvent.yaml
@@ -4,12 +4,6 @@ description: |
 'Shows behavior monitoring event types.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml
index 021d74ebd03..55dc3da2cf8 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneChannelType.yaml
@@ -4,12 +4,6 @@ description: |
 'Shows channel type.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml
index a3e5cf19239..dba0850056a 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneDataLossPreventionAction.yaml
@@ -4,12 +4,6 @@ description: |
 'Shows data loss prevention action by IP address.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml
index dfb19b5b475..c486e0d2a57 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneRareAppProtocolByIP.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches rare application protocols by Ip address.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml
index a8c3de137b9..f5aee084a5b 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSpywareDetection.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches spyware detection events.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml
index 49db2f36cbd..1e9b0e0d4b8 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneSuspiciousFiles.yaml
@@ -4,12 +4,6 @@ description: |
 'Query searches suspicious files events.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml
index 6047603dee4..d916e897deb 100644
--- a/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml
+++ b/Solutions/Trend Micro Apex One/Hunting Queries/TMApexOneTopSources.yaml
@@ -4,12 +4,6 @@ description: |
 'Query shows list of top sources with alerts.'
 severity: Medium
 requiredDataConnectors:
- - connectorId: TrendMicroApexOne
- dataTypes:
- - TMApexOneEvent
- - connectorId: TrendMicroApexOneAma
- dataTypes:
- - TMApexOneEvent
 - connectorId: CefAma
 dataTypes:
 - CommonSecurityLog
diff --git a/Solutions/Trend Micro Apex One/Package/3.0.3.zip b/Solutions/Trend Micro Apex One/Package/3.0.3.zip
new file mode 100644
index 00000000000..ad2c3a0eaeb
Binary files /dev/null and b/Solutions/Trend Micro Apex One/Package/3.0.3.zip differ
diff --git a/Solutions/Trend Micro Apex One/Package/createUiDefinition.json b/Solutions/Trend Micro Apex One/Package/createUiDefinition.json
index c5a114e2d8c..713f8766814 100644
--- a/Solutions/Trend Micro Apex One/Package/createUiDefinition.json
+++ b/Solutions/Trend Micro Apex One/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Apex%20One/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. 
The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Trend%20Micro%20Apex%20One/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Trend Micro Apex One](https://www.trendmicro.com/business/products/user-protection/sps/endpoint.htmlhttps:/www.trendmicro.com/business/products/user-protection/sps/endpoint.html) solution for Microsoft Sentinel enables ingestion of [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n**NOTE:** Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by **Aug 31, 2024**.\n\n**Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -51,37 +51,6 @@
 }
 ],
 "steps": [
- {
- "name": "dataconnectors",
- "label": "Data Connectors",
- "bladeTitle": "Data Connectors",
- "elements": [
- {
- "name": "dataconnectors1-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This Solution installs the data connector for Trend Micro Apex One. You can get Trend Micro Apex One CommonSecurityLog data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
- }
- },
- {
- "name": "dataconnectors-parser-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "The Solution installs a parser that transforms the ingested data into Microsoft Sentinel normalized format. The normalized format enables better correlation of different types of data from different data sources to drive end-to-end outcomes seamlessly in security monitoring, hunting, incident investigation and response scenarios in Microsoft Sentinel."
- }
- },
- {
- "name": "dataconnectors-link2",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "link": {
- "label": "Learn more about connecting data sources",
- "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
- }
- }
- }
- ]
- },
 {
 "name": "workbooks",
 "label": "Workbooks",
@@ -323,7 +292,7 @@
 "name": "huntingquery1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows behavior monitoring actions taken for files. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows behavior monitoring actions taken for files. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -337,7 +306,7 @@
 "name": "huntingquery2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows behavior monitoring operations by users. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows behavior monitoring operations by users. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -351,7 +320,7 @@
 "name": "huntingquery3-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows behavior monitoring triggered policy by command line. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -365,7 +334,7 @@
 "name": "huntingquery4-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows behavior monitoring event types. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows behavior monitoring event types. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -379,7 +348,7 @@
 "name": "huntingquery5-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows channel type. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows channel type. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -393,7 +362,7 @@
 "name": "huntingquery6-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Shows data loss prevention action by IP address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Shows data loss prevention action by IP address. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -407,7 +376,7 @@
 "name": "huntingquery7-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches rare application protocols by Ip address. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches rare application protocols by Ip address. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -421,7 +390,7 @@
 "name": "huntingquery8-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches spyware detection events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches spyware detection events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -435,7 +404,7 @@
 "name": "huntingquery9-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query searches suspicious files events. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Query searches suspicious files events. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
@@ -449,7 +418,7 @@
 "name": "huntingquery10-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Query shows list of top sources with alerts. This hunting query depends on TrendMicroApexOne TrendMicroApexOneAma CefAma data connector (TMApexOneEvent TMApexOneEvent CommonSecurityLog Parser or Table)"
+ "text": "Query shows list of top sources with alerts. This hunting query depends on CefAma data connector (CommonSecurityLog Parser or Table)"
 }
 }
 ]
diff --git a/Solutions/Trend Micro Apex One/Package/mainTemplate.json b/Solutions/Trend Micro Apex One/Package/mainTemplate.json
index 427acb2f138..e70468cffdd 100644
--- a/Solutions/Trend Micro Apex One/Package/mainTemplate.json
+++ b/Solutions/Trend Micro Apex One/Package/mainTemplate.json
@@ -41,27 +41,9 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Trend Micro Apex One", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "azuresentinel.azure-sentinel-solution-trendmicroapexone", "_solutionId": "[variables('solutionId')]", - "uiConfigId1": "TrendMicroApexOne", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "TrendMicroApexOne", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", - "dataConnectorVersion1": "1.0.0", - "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", - "uiConfigId2": "TrendMicroApexOneAma", - "_uiConfigId2": "[variables('uiConfigId2')]", - "dataConnectorContentId2": "TrendMicroApexOneAma", - "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", - "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "_dataConnectorId2": "[variables('dataConnectorId2')]", - "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", - "dataConnectorVersion2": "1.0.0", - 
"_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "parserObject1": { "_parserName1": "[concat(parameters('workspace'),'/','Trend Micro Apex One Data Parser')]", "_parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'Trend Micro Apex One Data Parser')]", 
@@ -77,74 +59,74 @@ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "analyticRuleObject1": { - "analyticRuleVersion1": "1.0.2", + "analyticRuleVersion1": "1.0.3", "_analyticRulecontentId1": "7a3193b8-67b7-11ec-90d6-0242ac120003", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7a3193b8-67b7-11ec-90d6-0242ac120003')]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7a3193b8-67b7-11ec-90d6-0242ac120003')))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a3193b8-67b7-11ec-90d6-0242ac120003','-', '1.0.2')))]" + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7a3193b8-67b7-11ec-90d6-0242ac120003','-', '1.0.3')))]" }, "analyticRuleObject2": { - "analyticRuleVersion2": "1.0.2", + "analyticRuleVersion2": "1.0.3", "_analyticRulecontentId2": "4d7199b2-67b8-11ec-90d6-0242ac120003", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4d7199b2-67b8-11ec-90d6-0242ac120003')]", "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4d7199b2-67b8-11ec-90d6-0242ac120003')))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d7199b2-67b8-11ec-90d6-0242ac120003','-', '1.0.2')))]" + 
"_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4d7199b2-67b8-11ec-90d6-0242ac120003','-', '1.0.3')))]" }, "analyticRuleObject3": { - "analyticRuleVersion3": "1.0.2", + "analyticRuleVersion3": "1.0.3", "_analyticRulecontentId3": "4a9a5900-67b7-11ec-90d6-0242ac120003", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '4a9a5900-67b7-11ec-90d6-0242ac120003')]", "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('4a9a5900-67b7-11ec-90d6-0242ac120003')))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4a9a5900-67b7-11ec-90d6-0242ac120003','-', '1.0.2')))]" + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','4a9a5900-67b7-11ec-90d6-0242ac120003','-', '1.0.3')))]" }, "analyticRuleObject4": { - "analyticRuleVersion4": "1.0.3", + "analyticRuleVersion4": "1.0.4", "_analyticRulecontentId4": "b463b952-67b8-11ec-90d6-0242ac120003", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b463b952-67b8-11ec-90d6-0242ac120003')]", "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b463b952-67b8-11ec-90d6-0242ac120003')))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b463b952-67b8-11ec-90d6-0242ac120003','-', '1.0.3')))]" + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b463b952-67b8-11ec-90d6-0242ac120003','-', '1.0.4')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.2", + "analyticRuleVersion5": "1.0.3", "_analyticRulecontentId5": "6303235a-ee70-42a4-b969-43e7b969b916", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '6303235a-ee70-42a4-b969-43e7b969b916')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('6303235a-ee70-42a4-b969-43e7b969b916')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6303235a-ee70-42a4-b969-43e7b969b916','-', '1.0.2')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','6303235a-ee70-42a4-b969-43e7b969b916','-', '1.0.3')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.0.2", + "analyticRuleVersion6": "1.0.3", "_analyticRulecontentId6": "cd94e078-67b7-11ec-90d6-0242ac120003", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'cd94e078-67b7-11ec-90d6-0242ac120003')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('cd94e078-67b7-11ec-90d6-0242ac120003')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd94e078-67b7-11ec-90d6-0242ac120003','-', '1.0.2')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','cd94e078-67b7-11ec-90d6-0242ac120003','-', '1.0.3')))]" }, "analyticRuleObject7": { - 
"analyticRuleVersion7": "1.0.4", + "analyticRuleVersion7": "1.0.5", "_analyticRulecontentId7": "e289d762-6cc2-11ec-90d6-0242ac120003", "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e289d762-6cc2-11ec-90d6-0242ac120003')]", "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e289d762-6cc2-11ec-90d6-0242ac120003')))]", - "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e289d762-6cc2-11ec-90d6-0242ac120003','-', '1.0.4')))]" + "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e289d762-6cc2-11ec-90d6-0242ac120003','-', '1.0.5')))]" }, "analyticRuleObject8": { - "analyticRuleVersion8": "1.0.2", + "analyticRuleVersion8": "1.0.3", "_analyticRulecontentId8": "1a87cd10-67b7-11ec-90d6-0242ac120003", "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1a87cd10-67b7-11ec-90d6-0242ac120003')]", "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1a87cd10-67b7-11ec-90d6-0242ac120003')))]", - "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a87cd10-67b7-11ec-90d6-0242ac120003','-', '1.0.2')))]" + "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1a87cd10-67b7-11ec-90d6-0242ac120003','-', '1.0.3')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.2", + "analyticRuleVersion9": "1.0.3", "_analyticRulecontentId9": "c92d9fe4-67b6-11ec-90d6-0242ac120003", "analyticRuleId9": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'c92d9fe4-67b6-11ec-90d6-0242ac120003')]", "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('c92d9fe4-67b6-11ec-90d6-0242ac120003')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c92d9fe4-67b6-11ec-90d6-0242ac120003','-', '1.0.2')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','c92d9fe4-67b6-11ec-90d6-0242ac120003','-', '1.0.3')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.2", + "analyticRuleVersion10": "1.0.3", "_analyticRulecontentId10": "9e3dc038-67b7-11ec-90d6-0242ac120003", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '9e3dc038-67b7-11ec-90d6-0242ac120003')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('9e3dc038-67b7-11ec-90d6-0242ac120003')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9e3dc038-67b7-11ec-90d6-0242ac120003','-', '1.0.2')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9e3dc038-67b7-11ec-90d6-0242ac120003','-', '1.0.3')))]" }, "huntingQueryObject1": { "huntingQueryVersion1": "1.0.0", 
@@ -199,682 +181,6 @@ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Trend Micro Apex One data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "[Deprecated] Trend Micro Apex One via Legacy Agent", - "publisher": "Trend Micro", - "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. 
Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information.", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "TrendMicroApexOne", - "baseQuery": "TMApexOneEvent" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nTMApexOneEvent\n| sort by TimeGenerated" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (TrendMicroApexOne)", - "lastDataReceivedQuery": "TMApexOneEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "TMApexOneEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution." - }, - { - "description": ">**NOTE:** This data connector has been developed using Trend Micro Apex Central 2019" - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. 
Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Trend Micro Apex One", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId1')]", - "contentKind": "DataConnector", - "displayName": "[Deprecated] Trend Micro Apex One via Legacy Agent", - "contentProductId": "[variables('_dataConnectorcontentProductId1')]", - "id": "[variables('_dataConnectorcontentProductId1')]", - "version": "[variables('dataConnectorVersion1')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { 
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "Trend Micro Apex One", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Trend Micro Apex One via Legacy Agent", - "publisher": "Trend Micro", - "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. 
Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "TrendMicroApexOne", - "baseQuery": "TMApexOneEvent" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (TrendMicroApexOne)", - "lastDataReceivedQuery": "TMApexOneEvent\n | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "TMApexOneEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nTMApexOneEvent\n| sort by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution." 
- }, - { - "description": ">**NOTE:** This data connector has been developed using Trend Micro Apex Central 2019" - }, - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.", - "title": "2. 
Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution." 
- } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", - "apiVersion": "2023-04-01-preview", - "name": "[variables('dataConnectorTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "dependsOn": [ - "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" - ], - "properties": { - "description": "Trend Micro Apex One data connector with template version 3.0.2", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion2')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId2')]", - "title": "[Deprecated] Trend Micro Apex One via AMA", - "publisher": "Trend Micro", - "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest [Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. 
Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information.", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "TrendMicroApexOne", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nTMApexOneEvent\n| sort by TimeGenerated" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (TrendMicroApexOne)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": 
"Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. 
Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", - "instructions": [] - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.", - "instructions": [] - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Trend Micro Apex One", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - } - ] - }, - "packageKind": "Solution", - "packageVersion": "[variables('_solutionVersion')]", - "packageName": "[variables('_solutionName')]", - "packageId": "[variables('_solutionId')]", - "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_dataConnectorContentId2')]", - "contentKind": 
"DataConnector", - "displayName": "[Deprecated] Trend Micro Apex One via AMA", - "contentProductId": "[variables('_dataConnectorcontentProductId2')]", - "id": "[variables('_dataConnectorcontentProductId2')]", - "version": "[variables('dataConnectorVersion2')]" - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2023-04-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId2')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", - "contentId": "[variables('_dataConnectorContentId2')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion2')]", - "source": { - "kind": "Solution", - "name": "Trend Micro Apex One", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - } - } - }, - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "title": "[Deprecated] Trend Micro Apex One via AMA", - "publisher": "Trend Micro", - "descriptionMarkdown": "The [Trend Micro Apex One](https://www.trendmicro.com/en_us/business/products/user-protection/sps/endpoint.html) data connector provides the capability to ingest 
[Trend Micro Apex One events](https://aka.ms/sentinel-TrendMicroApex-OneEvents) into Microsoft Sentinel. Refer to [Trend Micro Apex Central](https://aka.ms/sentinel-TrendMicroApex-OneCentral) for more information.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "TrendMicroApexOne", - "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (TrendMicroApexOne)", - "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n |where DeviceVendor =~ 'Trend Micro'\n |where DeviceProduct =~ 'Apex Central'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "All logs", - "query": "\nTMApexOneEvent\n| sort by TimeGenerated" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "write": true, - "read": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ], - "customs": [ - { - "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" - }, - { - "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" - } - ] - }, - "instructionSteps": [ - { - "description": ">This data connector depends on a parser based on a Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution.", - "instructions": [ - { - "parameters": { - "title": "1. Kindly follow the steps to configure the data connector", - "instructionSteps": [ - { - "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", - "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", - "instructions": [] - }, - { - "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.", - "instructions": [] - }, - { - "title": "Step C. Validate connection", - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" - }, - "type": "CopyableLabel" - } - ] - } - ] - }, - "type": "InstructionStepsGroup" - } - ] - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "2. Secure your machine " - } - ], - "id": "[variables('_uiConfigId2')]", - "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**TMApexOneEvent**](https://aka.ms/sentinel-TMApexOneEvent-parser) which is deployed with the Microsoft Sentinel Solution." 
- } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -884,7 +190,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneEvent Data Parser with template version 3.0.2", + "description": "TMApexOneEvent Data Parser with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserObject1').parserVersion1]", @@ -1016,7 +322,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TrendMicroApexOne Workbook with template version 3.0.2", + "description": "TrendMicroApexOne Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -1073,11 +379,7 @@ "kind": "DataType" }, { - "contentId": "TrendMicroApexOne", - "kind": "DataConnector" - }, - { - "contentId": "TrendMicroApexOneAma", + "contentId": "CefAma", "kind": "DataConnector" } ] 
@@ -1108,7 +410,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneAttackDiscoveryDetectionRisks_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TMApexOneAttackDiscoveryDetectionRisks_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1136,22 +438,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "TrendMicroApexOneAma", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -1165,8 +455,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ] }, @@ -1174,8 +464,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] } 
@@ -1233,7 +523,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneCommandLineSuspiciousRequests_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TMApexOneCommandLineSuspiciousRequests_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1261,22 +551,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "TrendMicroApexOneAma", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -1290,8 +568,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ] }, @@ -1299,8 +577,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] } 
@@ -1358,7 +636,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneCommandsInRequest_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TMApexOneCommandsInRequest_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1386,22 +664,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "TrendMicroApexOneAma", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -1416,8 +682,8 @@ "entityType": "URL", "fieldMappings": [ { - "identifier": "Url", - "columnName": "UrlCustomEntity" + "columnName": "UrlCustomEntity", + "identifier": "Url" } ] } @@ -1475,7 +741,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneDvcAccessPermissionWasChanged_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TMApexOneDvcAccessPermissionWasChanged_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -1503,22 +769,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "TrendMicroApexOneAma", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -1532,8 +786,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] } @@ -1591,7 +845,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneInboundRemoteAccess_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TMApexOneInboundRemoteAccess_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1619,22 +873,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "TrendMicroApexOneAma", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -1648,8 +890,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ] }, @@ -1657,8 +899,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] } 
@@ -1716,7 +958,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneMultipleDenyOrTerminateActionOnSingleIp_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TMApexOneMultipleDenyOrTerminateActionOnSingleIp_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1744,22 +986,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "TrendMicroApexOneAma", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -1773,8 +1003,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ] } @@ -1832,7 +1062,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOnePossibleExploitOrExecuteOperation_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TMApexOnePossibleExploitOrExecuteOperation_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -1860,22 +1090,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "TrendMicroApexOneAma", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -1890,8 +1108,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ] }, @@ -1899,8 +1117,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] } @@ -1958,7 +1176,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneRiskCnCEvents_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TMApexOneRiskCnCEvents_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1986,22 +1204,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "TrendMicroApexOneAma", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2015,8 +1221,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ] }, 
@@ -2024,8 +1230,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] } @@ -2083,7 +1289,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneSpywareWithFailedResponse_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TMApexOneSpywareWithFailedResponse_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2111,22 +1317,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "TrendMicroApexOneAma", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2140,8 +1334,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ] }, @@ -2149,8 +1343,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] } 
@@ -2208,7 +1402,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneSuspiciousConnections_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "TMApexOneSuspiciousConnections_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -2236,22 +1430,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "TrendMicroApexOne", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "TrendMicroApexOneAma", - "dataTypes": [ - "TMApexOneEvent" - ] - }, - { - "connectorId": "CefAma", "dataTypes": [ "CommonSecurityLog" - ] + ], + "connectorId": "CefAma" } ], "tactics": [ @@ -2265,8 +1447,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IPCustomEntity" + "columnName": "IPCustomEntity", + "identifier": "Address" } ] }, @@ -2274,8 +1456,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "AccountCustomEntity" + "columnName": "AccountCustomEntity", + "identifier": "Name" } ] } 
@@ -2333,7 +1515,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneBehaviorMonitoringTranslatedAction_HuntingQueries Hunting Query with template version 3.0.2", + "description": "TMApexOneBehaviorMonitoringTranslatedAction_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -2418,7 +1600,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneBehaviorMonitoringTranslatedOperation_HuntingQueries Hunting Query with template version 3.0.2", + "description": "TMApexOneBehaviorMonitoringTranslatedOperation_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -2503,7 +1685,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneBehaviorMonitoringTriggeredPolicy_HuntingQueries Hunting Query with template version 3.0.2", + "description": "TMApexOneBehaviorMonitoringTriggeredPolicy_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -2588,7 +1770,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneBehaviorMonitoringTypesOfEvent_HuntingQueries Hunting Query with template version 3.0.2", + "description": "TMApexOneBehaviorMonitoringTypesOfEvent_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -2673,7 +1855,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneChannelType_HuntingQueries Hunting Query with template version 3.0.2", + "description": "TMApexOneChannelType_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2758,7 +1940,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneDataLossPreventionAction_HuntingQueries Hunting Query with template version 3.0.2", + "description": "TMApexOneDataLossPreventionAction_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -2843,7 +2025,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneRareAppProtocolByIP_HuntingQueries Hunting Query with template version 3.0.2", + "description": "TMApexOneRareAppProtocolByIP_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -2928,7 +2110,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneSpywareDetection_HuntingQueries Hunting Query with template version 3.0.2", + "description": "TMApexOneSpywareDetection_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -3013,7 +2195,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneSuspiciousFiles_HuntingQueries Hunting Query with template version 3.0.2", + "description": "TMApexOneSuspiciousFiles_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -3098,7 +2280,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "TMApexOneTopSources_HuntingQueries Hunting Query with template version 3.0.2", + "description": "TMApexOneTopSources_HuntingQueries Hunting Query with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -3179,12 +2361,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Trend Micro Apex One", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Data Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Trend Micro Apex One solution for Microsoft Sentinel enables ingestion of Trend Micro Apex One events into Microsoft Sentinel. Refer to Trend Micro Apex Central for more information.

\n

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

\n

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.

\n

Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -3208,16 +2390,6 @@ }, "dependencies": { "criteria": [ - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId2')]", - "version": "[variables('dataConnectorVersion2')]" - }, { "kind": "Parser", "contentId": "[variables('parserObject1').parserContentId1]", diff --git a/Solutions/Trend Micro Apex One/ReleaseNotes.md b/Solutions/Trend Micro Apex One/ReleaseNotes.md index dc60abb18ee..a459363351e 100644 --- a/Solutions/Trend Micro Apex One/ReleaseNotes.md +++ b/Solutions/Trend Micro Apex One/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.3 | 13-12-2024 | Removed Deprecated **Data Connectors** | | 3.0.2 | 12-07-2024 | Deprecated **Data Connector** | | 3.0.1 | 25-10-2023 | **Hunting Query** column corrected | -| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data connector** | | +| 3.0.0 | 22-09-2023 | Addition of new Trend Micro Apex One AMA **Data connector** | | diff --git a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefination.json b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefination.json index 6d00d9bacac..e96be9db6e8 100644 --- a/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefination.json +++ b/Solutions/VMware Carbon Black Cloud/Data Connectors/VMwareCarbonBlackCloud_ccp/CarbonBlack_DataConnectorDefination.json 
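Review bot: The new-side descriptionHtml still carries `NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors are about to be deprecated by Aug 31, 2024.` while this release removes those solution-specific connectors, drops the `Data Connectors: 2` count from the same text and (in the following `@@ -3208,16 +2390,6 @@` hunk) removes their dependency criteria; the sentence now refers to connectors that no longer ship and to a date already past relative to the 13-12-2024 release note. mainTemplate.json looks generated (the key reordering in the analytic-rule hunks suggests a packaging tool), so the wording presumably has to be fixed in the solution metadata it is rendered from rather than in this file. A sentence such as `NOTE: This solution collects Trend Micro Apex One logs through the CEF via AMA connector of the Common Event Format solution; the solution-specific connectors were removed in version 3.0.3.` would keep the description consistent with the removed dependencies. The 3.0.3 ReleaseNotes.md entry could also name the removed connector IDs `TrendMicroApexOne` and `TrendMicroApexOneAma` so operators migrating off them can locate this change.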
@@ -47,7 +47,36 @@ "baseQuery": "ASimAuthenticationEventLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'" } ], - "sampleQueries": [], + "sampleQueries": [ + { + "description": "Get a sample of CarbonBlack Alert logs", + "query": "CarbonBlack_Alerts_CL\n | take 10" + }, + { + "description": "Get a sample of CarbonBlack Watchlist logs", + "query": "CarbonBlack_Watchlist_CL\n| take 10" + }, + { + "description": "Get a sample of Carbonblack ASimNetwork Session logs", + "query": "ASimNetworkSessionLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimProcess Event logs", + "query": "ASimProcessEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimFile Event logs", + "query": "ASimFileEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimRegistry Event logs", + "query": "ASimRegistryEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimAuthentication Event logs", + "query": "ASimAuthenticationEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + } + ], "dataTypes": [ { "name": "CarbonBlack_Alerts_CL", diff --git a/Solutions/VMware Carbon Black Cloud/Package/3.0.3.zip b/Solutions/VMware Carbon Black Cloud/Package/3.0.3.zip new file mode 100644 index 00000000000..59c736d9ee7 Binary files /dev/null and b/Solutions/VMware Carbon Black Cloud/Package/3.0.3.zip differ diff --git a/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json b/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json index 38af927a5a4..1a908fe95fb 100644 
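Review bot: The added sampleQueries are formatted inconsistently: `CarbonBlack_Alerts_CL\n | take 10` puts a space before the pipe while `CarbonBlack_Watchlist_CL\n| take 10` does not, the ASim entries mix `\n | where` with `\n| take`, and the description for the network-session entry spells the product `Carbonblack` where every other entry uses `CarbonBlack`. KQL tolerates either spacing, so this is a style point, but these strings are shown verbatim on the connector page. One consistent form, e.g. `"query": "CarbonBlack_Alerts_CL\n| take 10"` and `"description": "Get a sample of CarbonBlack ASimNetwork Session logs"`, is enough. The identical block is repeated in the mainTemplate.json hunks at `@@ -199,6 +199,36 @@` and `@@ -2173,6 +2203,36 @@`; if mainTemplate.json is generated from this definition the fix should flow through on the next package build, otherwise all three copies need the same edit.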
--- a/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json +++ b/Solutions/VMware Carbon Black Cloud/Package/createUiDefinition.json @@ -64,7 +64,7 @@ } }, { - "name": "dataconnectors-link2", + "name": "dataconnectors-link1", "type": "Microsoft.Common.TextBlock", "options": { "link": { @@ -225,4 +225,4 @@ "workspace": "[basics('workspace')]" } } -} +} \ No newline at end of file diff --git a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json index 4daff88ace3..9d8b76701b8 100644 --- a/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json +++ b/Solutions/VMware Carbon Black Cloud/Package/mainTemplate.json @@ -55,7 +55,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "VMware Carbon Black Cloud", - "_solutionVersion": "3.0.2", + "_solutionVersion": "3.0.3", "solutionId": "azuresentinel.azure-sentinel-solution-vmwarecarbonblack", "_solutionId": "[variables('solutionId')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", 
@@ -199,6 +199,36 @@ "baseQuery": "ASimAuthenticationEventLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'" } ], + "sampleQueries": [ + { + "description": "Get a sample of CarbonBlack Alert logs", + "query": "CarbonBlack_Alerts_CL\n | take 10" + }, + { + "description": "Get a sample of CarbonBlack Watchlist logs", + "query": "CarbonBlack_Watchlist_CL\n| take 10" + }, + { + "description": "Get a sample of Carbonblack ASimNetwork Session logs", + "query": "ASimNetworkSessionLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimProcess Event logs", + "query": "ASimProcessEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimFile Event logs", + "query": "ASimFileEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimRegistry Event logs", + "query": "ASimRegistryEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimAuthentication Event logs", + "query": "ASimAuthenticationEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + } + ], "dataTypes": [ { "name": "CarbonBlack_Alerts_CL", 
@@ -2173,6 +2203,36 @@ "baseQuery": "ASimAuthenticationEventLogs | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'" } ], + "sampleQueries": [ + { + "description": "Get a sample of CarbonBlack Alert logs", + "query": "CarbonBlack_Alerts_CL\n | take 10" + }, + { + "description": "Get a sample of CarbonBlack Watchlist logs", + "query": "CarbonBlack_Watchlist_CL\n| take 10" + }, + { + "description": "Get a sample of Carbonblack ASimNetwork Session logs", + "query": "ASimNetworkSessionLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimProcess Event logs", + "query": "ASimProcessEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimFile Event logs", + "query": "ASimFileEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimRegistry Event logs", + "query": "ASimRegistryEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + }, + { + "description": "Get a sample of CarbonBlack ASimAuthentication Event logs", + "query": "ASimAuthenticationEventLogs\n | where EventProduct == 'Carbon Black Cloud' and EventVendor == 'VMWare'\n| take 10" + } + ], "dataTypes": [ { "name": "CarbonBlack_Alerts_CL", 
@@ -2565,7 +2625,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VMware Carbon Black Cloud data connector with template version 3.0.2", + "description": "VMware Carbon Black Cloud data connector with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -2978,7 +3038,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "CriticalThreatDetected_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -3091,7 +3151,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.2", + "description": "KnownMalwareDetected_AnalyticalRules Analytics Rule with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", 
@@ -3213,7 +3273,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VMwareCarbonBlack Workbook with template version 3.0.2", + "description": "VMwareCarbonBlack Workbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -3309,7 +3369,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CarbonBlackConnector Playbook with template version 3.0.2", + "description": "CarbonBlackConnector Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -4975,7 +5035,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.2", + "description": "EndpointTakeActionFromTeams-CarbonBlack Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion2')]", 
@@ -6778,7 +6838,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.2", + "description": "IsolateEndpoint-CarbonBlack Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion3')]", @@ -7521,7 +7581,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.2", + "description": "EndpointEnrichment-CarbonBlack Playbook with template version 3.0.3", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion4')]", @@ -7945,7 +8005,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.2", + "version": "3.0.3", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "VMware Carbon Black Cloud", diff --git a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md index 016a1ec3595..b4bc33b9dd6 100644 --- a/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md +++ b/Solutions/VMware Carbon Black Cloud/ReleaseNotes.md 
@@ -1,4 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|-----------------------------------------------------------| +| 3.0.3 | 28-10-2024 | Added Sample Queries to the CCP **Data Connector** template | +| 3.0.2 | 15-10-2024 | Added new CCP **Data Connector** to the Solution | | 3.0.1 | 17-04-2024 | Added Azure Deploy button for government portal deployments in **Data connectors** | -| 3.0.0 | 19-02-2024 | Alterts API integration done in Carbon Black **Function App** | +| 3.0.0 | 19-02-2024 | Alterts API integration done in Carbon Black **Function App** | \ No newline at end of file diff --git a/Solutions/VaronisSaaS/Data Connectors/VaronisSaaS_API_FunctionApp.json b/Solutions/VaronisSaaS/Data Connectors/VaronisSaaS_API_FunctionApp.json index 3817bc22e48..93067261cef 100644 --- a/Solutions/VaronisSaaS/Data Connectors/VaronisSaaS_API_FunctionApp.json +++ b/Solutions/VaronisSaaS/Data Connectors/VaronisSaaS_API_FunctionApp.json @@ -86,7 +86,7 @@ "instructionSteps": [ { "title": "", - "description": ">**NOTE:** This connector uses Azure Functions to connect to Varonis DatAlert service to pull alerts into Azure Sentinel. This might result in additional data ingestion costs. See the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." + "description": ">**NOTE:** This connector uses Azure Functions to connect to Varonis DatAlert service to pull alerts into Microsoft Sentinel. This might result in additional data ingestion costs. See the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details." }, { "title": "", 
@@ -113,7 +113,7 @@ }, { "title": "", - "description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the Deploy to Azure button. \n\n\t[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fvkorenkov-varonis%2Fsentinel%2Fmaster%2Fazuredeploy.json)\n2. Select the preferred Subscription, Resource Group, Region, Storage Account Type.\n3. Enter Log Analytics Workspace Name, Varonis FQDN, Varonis SaaS API Key.\n4. Click Review + Create, Create." + "description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the Deploy to Azure button. \n\n\t[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FVaronisSaaS%2FData%2520Connectors%2Fazuredeploy.json)\n2. Select the preferred Subscription, Resource Group, Region, Storage Account Type.\n3. Enter Log Analytics Workspace Name, Varonis FQDN, Varonis SaaS API Key.\n4. Click Review + Create, Create." } ] } \ No newline at end of file diff --git a/Solutions/VaronisSaaS/Package/3.0.0.zip b/Solutions/VaronisSaaS/Package/3.0.0.zip index e3d56c2b494..4f3f489fe46 100644 Binary files a/Solutions/VaronisSaaS/Package/3.0.0.zip and b/Solutions/VaronisSaaS/Package/3.0.0.zip differ diff --git a/Solutions/VaronisSaaS/Package/createUiDefinition.json b/Solutions/VaronisSaaS/Package/createUiDefinition.json index a25dc8263d1..3d9a32087d2 100644 --- a/Solutions/VaronisSaaS/Package/createUiDefinition.json +++ b/Solutions/VaronisSaaS/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Varonis SaaS integration allows you to retrieve Varonis DatAlert alerts, create incident and pull activities related to the alerts for conducting investigations.\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/VaronisSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Varonis SaaS integration allows you to retrieve Varonis DatAlert alerts, create incident and pull activities related to the alerts for conducting investigations.\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/VaronisSaaS/Package/mainTemplate.json b/Solutions/VaronisSaaS/Package/mainTemplate.json index 211ff0f6607..895ac4b2039 100644 --- a/Solutions/VaronisSaaS/Package/mainTemplate.json +++ b/Solutions/VaronisSaaS/Package/mainTemplate.json 
@@ -40,7 +40,7 @@ "variables": { "_solutionName": "VaronisSaaS", "_solutionVersion": "3.0.0", - "solutionId": "varonis.azure-sentinel-solution-varonis", + "solutionId": "varonis.microsoft-sentinel-solution-varonissaas", "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", "workbookContentId1": "VaronisSaaSWorkbook", 
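Review bot: `solutionId` changes from `varonis.azure-sentinel-solution-varonis` to `varonis.microsoft-sentinel-solution-varonissaas` while `_solutionVersion` stays at `"3.0.0"`, and the same change rewrites `Package/3.0.0.zip` in place (see the binary diff above). If 3.0.0 was already published or installed under the old id, the portal will treat the renamed package as a different solution rather than an upgrade, and two different artifacts now carry the same version string, which breaks any provenance or update check keyed on solution id plus version. Bumping `_solutionVersion` (and the `version`/`contentVersion` fields derived from it) and adding a ReleaseNotes row, as the VMware Carbon Black section of this same diff does for 3.0.3, keeps the version-to-content mapping unique. If the old id was never released, stating that in the commit description would be enough.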
@@ -88,7 +88,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"388e603c-a5b1-40db-808f-d5dc5301793e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"e1c3e667-d431-419e-ae03-2da2f7f2d42f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"page\",\"label\":\"Page\",\"type\":1,\"isGlobal\":true,\"isHiddenWhenLocked\":true,\"value\":\"main\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"global-parameters\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"30fe89ad-9eba-419e-8d9e-53c6805870db\",\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Main\",\"subTarget\":\"main\",\"preText\":\"Main\",\"style\":\"link\"},{\"id\":\"5822aaf8-5ad8-49c6-acf8-491b439fbc1a\",\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threats\",\"subTarget\":\"threats\",\"style\":\"link\"},{\"id\":\"7266371b-70ac-4b79-abda-43169b26d760\",\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Users\",\"subTarget\":\"users\",\"style\":\"link\"},{\"id\":\"3e007191-772f-48aa-8ac0-dfc9947f85c7\",\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Asset
s\",\"subTarget\":\"assets\",\"style\":\"link\"},{\"id\":\"e585bed2-37bc-4bfe-8269-cd12726a8fe9\",\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Devices\",\"subTarget\":\"devices\",\"style\":\"link\"}]},\"name\":\"links - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let days = dynamic([\\\"Sun\\\", \\\"Mon\\\", \\\"Tue\\\", \\\"Wed\\\", \\\"Thu\\\", \\\"Fri\\\", \\\"Sat\\\"]);\\nlet months = dynamic([\\\"Jan\\\", \\\"Feb\\\", \\\"Mar\\\", \\\"Apr\\\", \\\"May\\\", \\\"Jun\\\", \\\"Jul\\\", \\\"Aug\\\", \\\"Sep\\\", \\\"Oct\\\", \\\"Nov\\\", \\\"Dec\\\"]);\\nVaronisAlerts_CL\\n| extend day_of_week = days[toint(dayofweek(AlertTime_t)/1d)]\\n| extend month_of_year = months[getmonth(AlertTime_t)]\\n| extend day_of_month = dayofmonth(AlertTime_t)\\n| extend day_str = strcat(day_of_week, \\\" \\\", month_of_year, \\\" \\\", day_of_month)\\n| extend day = todatetime(format_datetime(AlertTime_t, 'yyyy-MM-dd'))\\n| summarize alert_count = count() by day, day_str, AlertSeverity_s\\n| order by day asc, AlertSeverity_s\\n| project Day = day_str, Alerts = alert_count, Severity = AlertSeverity_s\",\"size\":1,\"showAnalytics\":true,\"title\":\"ALERTS OVER TIME\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Day\",\"yAxis\":[\"Alerts\"],\"group\":\"Severity\",\"showLegend\":true}},\"name\":\"ALERTS OVER TIME - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VaronisAlerts_CL\\r\\n| where isnotempty( ThreatDetectionPolicyName_s)\\r\\n| summarize alerts_count = count() by ThreatDetectionPolicyName_s\\r\\n| project Threat = ThreatDetectionPolicyName_s, Alerts = alerts_count\\r\\n| take 4\",\"size\":0,\"showAnalytics\":true,\"title\":\"TOP ALERTED THREAT 
MODELS\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Threat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Alerts\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Alerts\",\"sortOrderField\":2,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Alerts\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Alerts\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Alerts\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"TOP ALERTED THREAT MODELS\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VaronisAlerts_CL\\r\\n| extend json_arr = parse_json(UserNames_s)\\r\\n| where isnotempty(json_arr)\\r\\n| mv-expand json_arr\\r\\n| summarize alerts_count = count() by tostring(json_arr)\\r\\n| project User = json_arr, Alerts = alerts_count\\r\\n| take 4\",\"size\":0,\"showAnalytics\":true,\"title\":\" TOP ALERTED 
USERS\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Alerts\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Alerts\",\"sortOrderField\":2,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Alerts\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Alerts\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Alerts\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\" TOP ALERTED USERS\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VaronisAlerts_CL\\r\\n| extend json_arr = parse_json(Assets_s)\\r\\n| where isnotempty(json_arr)\\r\\n| mv-expand json_arr\\r\\n| summarize alerts_count = count() by tostring(json_arr)\\r\\n| project Asset = json_arr, Alerts = alerts_count\\r\\n| take 4\",\"size\":0,\"showAnalytics\":true,\"title\":\"TOP ALERTED 
ASSETS\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Asset\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Alerts\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Alerts\",\"sortOrderField\":2,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Alerts\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Alerts\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Alerts\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"TOP ALERTED ASSETS\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VaronisAlerts_CL\\r\\n| extend json_arr = parse_json(DeviceNames_s)\\r\\n| where isnotempty(json_arr)\\r\\n| mv-expand json_arr\\r\\n| summarize alerts_count = count() by tostring(json_arr)\\r\\n| project Device = json_arr, Alerts = alerts_count\\r\\n| take 4\",\"size\":0,\"showAnalytics\":true,\"title\":\"TOP ALERTED 
DEVICES\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Alerts\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Alerts\",\"sortOrderField\":2,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Alerts\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Alerts\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Alerts\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"TOP ALERTED DEVICES\"}]},\"conditionalVisibility\":{\"parameterName\":\"page\",\"comparison\":\"isEqualTo\",\"value\":\"main\"},\"name\":\"main-page\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let days = dynamic([\\\"Sun\\\", \\\"Mon\\\", \\\"Tue\\\", \\\"Wed\\\", \\\"Thu\\\", \\\"Fri\\\", \\\"Sat\\\"]);\\nlet months = dynamic([\\\"Jan\\\", \\\"Feb\\\", \\\"Mar\\\", \\\"Apr\\\", \\\"May\\\", \\\"Jun\\\", \\\"Jul\\\", \\\"Aug\\\", \\\"Sep\\\", \\\"Oct\\\", \\\"Nov\\\", \\\"Dec\\\"]);\\nVaronisAlerts_CL\\n| extend day_of_week = days[toint(dayofweek(AlertTime_t)/1d)]\\n| extend month_of_year = months[getmonth(AlertTime_t)]\\n| extend day_of_month = dayofmonth(AlertTime_t)\\n| extend day_str = strcat(day_of_week, \\\" \\\", month_of_year, \\\" \\\", day_of_month)\\n| extend day = todatetime(format_datetime(AlertTime_t, 'yyyy-MM-dd'))\\n| extend group_var = ThreatDetectionPolicyName_s\\n| summarize alert_count = count() by day, day_str, group_var\\n| order by day asc, group_var\\n| project Day = 
day_str, Alerts = alert_count, Threat = group_var\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"THREAT MODEL NAMES\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Day\",\"yAxis\":[\"Alerts\"],\"group\":\"Threat\",\"showLegend\":true}},\"name\":\"alerts-threats-day\"}]},\"conditionalVisibility\":{\"parameterName\":\"page\",\"comparison\":\"isEqualTo\",\"value\":\"threats\"},\"name\":\"threats-page\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let days = dynamic([\\\"Sun\\\", \\\"Mon\\\", \\\"Tue\\\", \\\"Wed\\\", \\\"Thu\\\", \\\"Fri\\\", \\\"Sat\\\"]);\\nlet months = dynamic([\\\"Jan\\\", \\\"Feb\\\", \\\"Mar\\\", \\\"Apr\\\", \\\"May\\\", \\\"Jun\\\", \\\"Jul\\\", \\\"Aug\\\", \\\"Sep\\\", \\\"Oct\\\", \\\"Nov\\\", \\\"Dec\\\"]);\\nVaronisAlerts_CL\\n| extend day_of_week = days[toint(dayofweek(AlertTime_t)/1d)]\\n| extend month_of_year = months[getmonth(AlertTime_t)]\\n| extend day_of_month = dayofmonth(AlertTime_t)\\n| extend day_str = strcat(day_of_week, \\\" \\\", month_of_year, \\\" \\\", day_of_month)\\n| extend day = todatetime(format_datetime(AlertTime_t, 'yyyy-MM-dd'))\\n| extend json_arr = parse_json(UserNames_s)\\n| where isnotempty(json_arr)\\n| mv-expand json_arr\\n| extend group_var = tostring(json_arr)\\n| summarize alert_count = count() by day, day_str, group_var\\n| order by day asc, group_var\\n| project Day = day_str, Alerts = alert_count, User = 
group_var\",\"size\":1,\"showAnalytics\":true,\"title\":\"USERS\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Day\",\"yAxis\":[\"Alerts\"],\"group\":\"User\",\"showLegend\":true}},\"name\":\"alerts-users-day\"}]},\"conditionalVisibility\":{\"parameterName\":\"page\",\"comparison\":\"isEqualTo\",\"value\":\"users\"},\"name\":\"users-page\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let days = dynamic([\\\"Sun\\\", \\\"Mon\\\", \\\"Tue\\\", \\\"Wed\\\", \\\"Thu\\\", \\\"Fri\\\", \\\"Sat\\\"]);\\nlet months = dynamic([\\\"Jan\\\", \\\"Feb\\\", \\\"Mar\\\", \\\"Apr\\\", \\\"May\\\", \\\"Jun\\\", \\\"Jul\\\", \\\"Aug\\\", \\\"Sep\\\", \\\"Oct\\\", \\\"Nov\\\", \\\"Dec\\\"]);\\nVaronisAlerts_CL\\n| extend day_of_week = days[toint(dayofweek(AlertTime_t)/1d)]\\n| extend month_of_year = months[getmonth(AlertTime_t)]\\n| extend day_of_month = dayofmonth(AlertTime_t)\\n| extend day_str = strcat(day_of_week, \\\" \\\", month_of_year, \\\" \\\", day_of_month)\\n| extend day = todatetime(format_datetime(AlertTime_t, 'yyyy-MM-dd'))\\n| extend json_arr = parse_json(Assets_s)\\n| where isnotempty(json_arr)\\n| mv-expand json_arr\\n| extend group_var = tostring(json_arr)\\n| summarize alert_count = count() by day, day_str, group_var\\n| order by day asc, group_var\\n| project Day = day_str, Alerts = alert_count, Asset = 
group_var\",\"size\":1,\"showAnalytics\":true,\"title\":\"ASSETS\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Day\",\"yAxis\":[\"Alerts\"],\"group\":\"Asset\",\"showLegend\":true}},\"name\":\"alerts-assets\"}]},\"conditionalVisibility\":{\"parameterName\":\"page\",\"comparison\":\"isEqualTo\",\"value\":\"assets\"},\"name\":\"assets-page\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let days = dynamic([\\\"Sun\\\", \\\"Mon\\\", \\\"Tue\\\", \\\"Wed\\\", \\\"Thu\\\", \\\"Fri\\\", \\\"Sat\\\"]);\\nlet months = dynamic([\\\"Jan\\\", \\\"Feb\\\", \\\"Mar\\\", \\\"Apr\\\", \\\"May\\\", \\\"Jun\\\", \\\"Jul\\\", \\\"Aug\\\", \\\"Sep\\\", \\\"Oct\\\", \\\"Nov\\\", \\\"Dec\\\"]);\\nVaronisAlerts_CL\\n| extend day_of_week = days[toint(dayofweek(AlertTime_t)/1d)]\\n| extend month_of_year = months[getmonth(AlertTime_t)]\\n| extend day_of_month = dayofmonth(AlertTime_t)\\n| extend day_str = strcat(day_of_week, \\\" \\\", month_of_year, \\\" \\\", day_of_month)\\n| extend day = todatetime(format_datetime(AlertTime_t, 'yyyy-MM-dd'))\\n| extend json_arr = parse_json(DeviceNames_s)\\n| where isnotempty(json_arr)\\n| mv-expand json_arr\\n| extend group_var = tostring(json_arr)\\n| summarize alert_count = count() by day, day_str, group_var\\n| order by day asc, group_var\\n| project Day = day_str, Alerts = alert_count, Device = 
group_var\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"DEVICES\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Day\",\"yAxis\":[\"Alerts\"],\"group\":\"Device\",\"showLegend\":true}},\"name\":\"alerts-devices-day\"}]},\"conditionalVisibility\":{\"parameterName\":\"page\",\"comparison\":\"isEqualTo\",\"value\":\"devices\"},\"name\":\"devices-page\"}],\"fallbackResourceIds\":[\"/subscriptions/4aef56e4-24c5-49ca-9ce1-b6123134b874/resourcegroups/vrns_azure_arc_rg/providers/microsoft.operationalinsights/workspaces/vrns-log-analytics-api-ws\"],\"fromTemplateId\":\"https://sentinelus.hosting.portal.azure.net/sentinelus/Content/1.0.02484.3403-231021-003920/Scenarios/Ecosystem/Content/Workbooks/CustomWorkbook.json\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"388e603c-a5b1-40db-808f-d5dc5301793e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"e1c3e667-d431-419e-ae03-2da2f7f2d42f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"page\",\"label\":\"Page\",\"type\":1,\"isGlobal\":true,\"isHiddenWhenLocked\":tru
e,\"value\":\"main\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"global-parameters\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"30fe89ad-9eba-419e-8d9e-53c6805870db\",\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Main\",\"subTarget\":\"main\",\"preText\":\"Main\",\"style\":\"link\"},{\"id\":\"5822aaf8-5ad8-49c6-acf8-491b439fbc1a\",\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threats\",\"subTarget\":\"threats\",\"style\":\"link\"},{\"id\":\"7266371b-70ac-4b79-abda-43169b26d760\",\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Users\",\"subTarget\":\"users\",\"style\":\"link\"},{\"id\":\"3e007191-772f-48aa-8ac0-dfc9947f85c7\",\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Assets\",\"subTarget\":\"assets\",\"style\":\"link\"},{\"id\":\"e585bed2-37bc-4bfe-8269-cd12726a8fe9\",\"cellValue\":\"page\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Devices\",\"subTarget\":\"devices\",\"style\":\"link\"}]},\"name\":\"links - 6\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let days = dynamic([\\\"Sun\\\", \\\"Mon\\\", \\\"Tue\\\", \\\"Wed\\\", \\\"Thu\\\", \\\"Fri\\\", \\\"Sat\\\"]);\\nlet months = dynamic([\\\"Jan\\\", \\\"Feb\\\", \\\"Mar\\\", \\\"Apr\\\", \\\"May\\\", \\\"Jun\\\", \\\"Jul\\\", \\\"Aug\\\", \\\"Sep\\\", \\\"Oct\\\", \\\"Nov\\\", \\\"Dec\\\"]);\\nVaronisAlerts_CL\\n| extend day_of_week = days[toint(dayofweek(AlertTime_t)/1d)]\\n| extend month_of_year = months[getmonth(AlertTime_t)]\\n| extend day_of_month = dayofmonth(AlertTime_t)\\n| extend day_str = strcat(day_of_week, \\\" \\\", month_of_year, \\\" \\\", day_of_month)\\n| extend day = todatetime(format_datetime(AlertTime_t, 'yyyy-MM-dd'))\\n| summarize alert_count = count() by day, 
day_str, AlertSeverity_s\\n| order by day asc, AlertSeverity_s\\n| project Day = day_str, Alerts = alert_count, Severity = AlertSeverity_s\",\"size\":1,\"showAnalytics\":true,\"title\":\"ALERTS OVER TIME\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Day\",\"yAxis\":[\"Alerts\"],\"group\":\"Severity\",\"showLegend\":true}},\"name\":\"ALERTS OVER TIME - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VaronisAlerts_CL\\r\\n| where isnotempty( ThreatDetectionPolicyName_s)\\r\\n| summarize alerts_count = count() by ThreatDetectionPolicyName_s\\r\\n| project Threat = ThreatDetectionPolicyName_s, Alerts = alerts_count\\r\\n| take 4\",\"size\":0,\"showAnalytics\":true,\"title\":\"TOP ALERTED THREAT MODELS\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Threat\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Alerts\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Alerts\",\"sortOrderField\":2,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Alerts\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Alerts\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Alerts\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"TOP ALERTED THREAT MODELS\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VaronisAlerts_CL\\r\\n| extend json_arr = parse_json(UserNames_s)\\r\\n| where isnotempty(json_arr)\\r\\n| mv-expand json_arr\\r\\n| summarize alerts_count = count() by 
tostring(json_arr)\\r\\n| project User = json_arr, Alerts = alerts_count\\r\\n| take 4\",\"size\":0,\"showAnalytics\":true,\"title\":\" TOP ALERTED USERS\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Alerts\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Alerts\",\"sortOrderField\":2,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Alerts\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Alerts\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Alerts\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\" TOP ALERTED USERS\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VaronisAlerts_CL\\r\\n| extend json_arr = parse_json(Assets_s)\\r\\n| where isnotempty(json_arr)\\r\\n| mv-expand json_arr\\r\\n| summarize alerts_count = count() by tostring(json_arr)\\r\\n| project Asset = json_arr, Alerts = alerts_count\\r\\n| take 4\",\"size\":0,\"showAnalytics\":true,\"title\":\"TOP ALERTED 
ASSETS\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Asset\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Alerts\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Alerts\",\"sortOrderField\":2,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Alerts\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Alerts\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Alerts\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"TOP ALERTED ASSETS\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"VaronisAlerts_CL\\r\\n| extend json_arr = parse_json(DeviceNames_s)\\r\\n| where isnotempty(json_arr)\\r\\n| mv-expand json_arr\\r\\n| summarize alerts_count = count() by tostring(json_arr)\\r\\n| project Device = json_arr, Alerts = alerts_count\\r\\n| take 4\",\"size\":0,\"showAnalytics\":true,\"title\":\"TOP ALERTED 
DEVICES\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"Alerts\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false,\"sortCriteriaField\":\"Alerts\",\"sortOrderField\":2,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\",\"sizeSettings\":\"Alerts\",\"sizeAggregation\":\"Sum\",\"legendMetric\":\"Alerts\",\"legendAggregation\":\"Sum\",\"itemColorSettings\":{\"type\":\"heatmap\",\"colorAggregation\":\"Sum\",\"nodeColorField\":\"Alerts\",\"heatmapPalette\":\"greenRed\"}}},\"customWidth\":\"50\",\"name\":\"TOP ALERTED DEVICES\"}]},\"conditionalVisibility\":{\"parameterName\":\"page\",\"comparison\":\"isEqualTo\",\"value\":\"main\"},\"name\":\"main-page\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let days = dynamic([\\\"Sun\\\", \\\"Mon\\\", \\\"Tue\\\", \\\"Wed\\\", \\\"Thu\\\", \\\"Fri\\\", \\\"Sat\\\"]);\\nlet months = dynamic([\\\"Jan\\\", \\\"Feb\\\", \\\"Mar\\\", \\\"Apr\\\", \\\"May\\\", \\\"Jun\\\", \\\"Jul\\\", \\\"Aug\\\", \\\"Sep\\\", \\\"Oct\\\", \\\"Nov\\\", \\\"Dec\\\"]);\\nVaronisAlerts_CL\\n| extend day_of_week = days[toint(dayofweek(AlertTime_t)/1d)]\\n| extend month_of_year = months[getmonth(AlertTime_t)]\\n| extend day_of_month = dayofmonth(AlertTime_t)\\n| extend day_str = strcat(day_of_week, \\\" \\\", month_of_year, \\\" \\\", day_of_month)\\n| extend day = todatetime(format_datetime(AlertTime_t, 'yyyy-MM-dd'))\\n| extend group_var = ThreatDetectionPolicyName_s\\n| summarize alert_count = count() by day, day_str, group_var\\n| order by day asc, group_var\\n| project Day = 
day_str, Alerts = alert_count, Threat = group_var\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"THREAT MODEL NAMES\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Day\",\"yAxis\":[\"Alerts\"],\"group\":\"Threat\",\"showLegend\":true}},\"name\":\"alerts-threats-day\"}]},\"conditionalVisibility\":{\"parameterName\":\"page\",\"comparison\":\"isEqualTo\",\"value\":\"threats\"},\"name\":\"threats-page\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let days = dynamic([\\\"Sun\\\", \\\"Mon\\\", \\\"Tue\\\", \\\"Wed\\\", \\\"Thu\\\", \\\"Fri\\\", \\\"Sat\\\"]);\\nlet months = dynamic([\\\"Jan\\\", \\\"Feb\\\", \\\"Mar\\\", \\\"Apr\\\", \\\"May\\\", \\\"Jun\\\", \\\"Jul\\\", \\\"Aug\\\", \\\"Sep\\\", \\\"Oct\\\", \\\"Nov\\\", \\\"Dec\\\"]);\\nVaronisAlerts_CL\\n| extend day_of_week = days[toint(dayofweek(AlertTime_t)/1d)]\\n| extend month_of_year = months[getmonth(AlertTime_t)]\\n| extend day_of_month = dayofmonth(AlertTime_t)\\n| extend day_str = strcat(day_of_week, \\\" \\\", month_of_year, \\\" \\\", day_of_month)\\n| extend day = todatetime(format_datetime(AlertTime_t, 'yyyy-MM-dd'))\\n| extend json_arr = parse_json(UserNames_s)\\n| where isnotempty(json_arr)\\n| mv-expand json_arr\\n| extend group_var = tostring(json_arr)\\n| summarize alert_count = count() by day, day_str, group_var\\n| order by day asc, group_var\\n| project Day = day_str, Alerts = alert_count, User = 
group_var\",\"size\":1,\"showAnalytics\":true,\"title\":\"USERS\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Day\",\"yAxis\":[\"Alerts\"],\"group\":\"User\",\"showLegend\":true}},\"name\":\"alerts-users-day\"}]},\"conditionalVisibility\":{\"parameterName\":\"page\",\"comparison\":\"isEqualTo\",\"value\":\"users\"},\"name\":\"users-page\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let days = dynamic([\\\"Sun\\\", \\\"Mon\\\", \\\"Tue\\\", \\\"Wed\\\", \\\"Thu\\\", \\\"Fri\\\", \\\"Sat\\\"]);\\nlet months = dynamic([\\\"Jan\\\", \\\"Feb\\\", \\\"Mar\\\", \\\"Apr\\\", \\\"May\\\", \\\"Jun\\\", \\\"Jul\\\", \\\"Aug\\\", \\\"Sep\\\", \\\"Oct\\\", \\\"Nov\\\", \\\"Dec\\\"]);\\nVaronisAlerts_CL\\n| extend day_of_week = days[toint(dayofweek(AlertTime_t)/1d)]\\n| extend month_of_year = months[getmonth(AlertTime_t)]\\n| extend day_of_month = dayofmonth(AlertTime_t)\\n| extend day_str = strcat(day_of_week, \\\" \\\", month_of_year, \\\" \\\", day_of_month)\\n| extend day = todatetime(format_datetime(AlertTime_t, 'yyyy-MM-dd'))\\n| extend json_arr = parse_json(Assets_s)\\n| where isnotempty(json_arr)\\n| mv-expand json_arr\\n| extend group_var = tostring(json_arr)\\n| summarize alert_count = count() by day, day_str, group_var\\n| order by day asc, group_var\\n| project Day = day_str, Alerts = alert_count, Asset = 
group_var\",\"size\":1,\"showAnalytics\":true,\"title\":\"ASSETS\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Day\",\"yAxis\":[\"Alerts\"],\"group\":\"Asset\",\"showLegend\":true}},\"name\":\"alerts-assets\"}]},\"conditionalVisibility\":{\"parameterName\":\"page\",\"comparison\":\"isEqualTo\",\"value\":\"assets\"},\"name\":\"assets-page\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let days = dynamic([\\\"Sun\\\", \\\"Mon\\\", \\\"Tue\\\", \\\"Wed\\\", \\\"Thu\\\", \\\"Fri\\\", \\\"Sat\\\"]);\\nlet months = dynamic([\\\"Jan\\\", \\\"Feb\\\", \\\"Mar\\\", \\\"Apr\\\", \\\"May\\\", \\\"Jun\\\", \\\"Jul\\\", \\\"Aug\\\", \\\"Sep\\\", \\\"Oct\\\", \\\"Nov\\\", \\\"Dec\\\"]);\\nVaronisAlerts_CL\\n| extend day_of_week = days[toint(dayofweek(AlertTime_t)/1d)]\\n| extend month_of_year = months[getmonth(AlertTime_t)]\\n| extend day_of_month = dayofmonth(AlertTime_t)\\n| extend day_str = strcat(day_of_week, \\\" \\\", month_of_year, \\\" \\\", day_of_month)\\n| extend day = todatetime(format_datetime(AlertTime_t, 'yyyy-MM-dd'))\\n| extend json_arr = parse_json(DeviceNames_s)\\n| where isnotempty(json_arr)\\n| mv-expand json_arr\\n| extend group_var = tostring(json_arr)\\n| summarize alert_count = count() by day, day_str, group_var\\n| order by day asc, group_var\\n| project Day = day_str, Alerts = alert_count, Device = 
group_var\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"DEVICES\",\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"chartSettings\":{\"xAxis\":\"Day\",\"yAxis\":[\"Alerts\"],\"group\":\"Device\",\"showLegend\":true}},\"name\":\"alerts-devices-day\"}]},\"conditionalVisibility\":{\"parameterName\":\"page\",\"comparison\":\"isEqualTo\",\"value\":\"devices\"},\"name\":\"devices-page\"}],\"fromTemplateId\":\"https://sentinelus.hosting.portal.azure.net/sentinelus/Content/1.0.02484.3403-231021-003920/Scenarios/Ecosystem/Content/Workbooks/CustomWorkbook.json\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" @@ -113,10 +113,10 @@ "name": "Varonis" }, "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + "name": "Varonis", + "email": "support@varonis.com", + "tier": "Partner", + "link": "https://www.varonis.com/resources/support" }, "dependencies": { "operator": "AND", 
@@ -281,7 +281,7 @@ ] }, { - "description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the Deploy to Azure button. \n\n\t[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fvkorenkov-varonis%2Fsentinel%2Fmaster%2Fazuredeploy.json)\n2. Select the preferred Subscription, Resource Group, Region, Storage Account Type.\n3. Enter Log Analytics Workspace Name, Varonis FQDN, Varonis SaaS API Key.\n4. Click Review + Create, Create." + "description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the Deploy to Azure button. \n\n\t[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FVaronisSaaS%2FData%2520Connectors%2Fazuredeploy.json)\n2. Select the preferred Subscription, Resource Group, Region, Storage Account Type.\n3. Enter Log Analytics Workspace Name, Varonis FQDN, Varonis SaaS API Key.\n4. Click Review + Create, Create." } ] } @@ -305,10 +305,10 @@ "name": "Varonis" }, "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + "name": "Varonis", + "email": "support@varonis.com", + "tier": "Partner", + "link": "https://www.varonis.com/resources/support" } } } @@ -349,10 +349,10 @@ "name": "Varonis" }, "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + "name": "Varonis", + "email": "support@varonis.com", + "tier": "Partner", + "link": "https://www.varonis.com/resources/support" } } }, 
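Review bot: The replaced Deploy to Azure link in this description still resolves the ARM template from a moving branch (`master` of Azure/Azure-Sentinel), so what a customer deploys when they click is whatever that branch holds at that moment, not the template that shipped with this solution version. Moving off a personal fork removes the dependency on an individual's repository, but a tag or commit ref in the raw URL would make the deployment reproducible and reviewable if the repository's conventions allow it. The same link is changed identically in the hunk at @@ -472,7 +472,7 @@, which should follow whatever is decided here.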
@@ -472,7 +472,7 @@ ] }, { - "description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the Deploy to Azure button. \n\n\t[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fvkorenkov-varonis%2Fsentinel%2Fmaster%2Fazuredeploy.json)\n2. Select the preferred Subscription, Resource Group, Region, Storage Account Type.\n3. Enter Log Analytics Workspace Name, Varonis FQDN, Varonis SaaS API Key.\n4. Click Review + Create, Create." + "description": "Use this method for automated deployment of the data connector using an ARM Template.\n\n1. Click the Deploy to Azure button. \n\n\t[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FVaronisSaaS%2FData%2520Connectors%2Fazuredeploy.json)\n2. Select the preferred Subscription, Resource Group, Region, Storage Account Type.\n3. Enter Log Analytics Workspace Name, Varonis FQDN, Varonis SaaS API Key.\n4. Click Review + Create, Create." } ], "id": "[variables('_uiConfigId1')]" @@ -488,8 +488,8 @@ "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "VaronisSaaS", - "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Varonis SaaS integration allows you to retrieve Varonis DatAlert alerts, create incident and pull activities related to the alerts for conducting investigations.

\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "publisherDisplayName": "Varonis", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The Varonis SaaS integration allows you to retrieve Varonis DatAlert alerts, create incident and pull activities related to the alerts for conducting investigations.

\n

Data Connectors: 1, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -505,10 +505,10 @@ "name": "Varonis" }, "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + "name": "Varonis", + "email": "support@varonis.com", + "tier": "Partner", + "link": "https://www.varonis.com/resources/support" }, "dependencies": { "operator": "AND", diff --git a/Solutions/VaronisSaaS/SolutionMetadata.json b/Solutions/VaronisSaaS/SolutionMetadata.json index 05e7b0ac46a..cc47f0055e8 100644 --- a/Solutions/VaronisSaaS/SolutionMetadata.json +++ b/Solutions/VaronisSaaS/SolutionMetadata.json @@ -1,6 +1,6 @@ { "publisherId": "varonis", - "offerId": "azure-sentinel-solution-varonis", + "offerId": "microsoft-sentinel-solution-varonissaas", "firstPublishDate": "2023-11-10", "lastPublishDate": "2023-11-10", "providers": ["Varonis"], @@ -9,10 +9,10 @@ "verticals": [] }, "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" + "name": "Varonis", + "email": "support@varonis.com", + "tier": "Partner", + "link": "https://www.varonis.com/resources/support" } } diff --git a/Solutions/Vectra XDR/Data Connectors/VectraDataConnector/azuredeploy_Connector_VectraXDR_AzureFunction.json b/Solutions/Vectra XDR/Data Connectors/VectraDataConnector/azuredeploy_Connector_VectraXDR_AzureFunction.json index 0be93ddf04d..db2835edd6d 100644 --- a/Solutions/Vectra XDR/Data Connectors/VectraDataConnector/azuredeploy_Connector_VectraXDR_AzureFunction.json +++ b/Solutions/Vectra XDR/Data Connectors/VectraDataConnector/azuredeploy_Connector_VectraXDR_AzureFunction.json @@ -276,7 +276,8 @@ } }, "keySource": "Microsoft.Storage" - } + }, + "minimumTlsVersion": "TLS1_2" } }, { 
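Review bot: `"minimumTlsVersion": "TLS1_2"` is added as a sibling of the `encryption` block, but the hunk shows only that corner of the storage account, so whether the same resource also sets `supportsHttpsTrafficOnly` and `allowBlobPublicAccess` cannot be seen here; a TLS floor on its own does not reduce the account's access surface if those are unset. If they are absent in the surrounding resource (outside this hunk), `"supportsHttpsTrafficOnly": true` and `"allowBlobPublicAccess": false` belong next to the new property.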
diff --git a/Solutions/Windows Firewall/Data Connectors/template_WindowsFirewallAma.JSON b/Solutions/Windows Firewall/Data Connectors/template_WindowsFirewallAma.JSON index d62f39cc8a1..b14d419584e 100644 --- a/Solutions/Windows Firewall/Data Connectors/template_WindowsFirewallAma.JSON +++ b/Solutions/Windows Firewall/Data Connectors/template_WindowsFirewallAma.JSON @@ -1,6 +1,6 @@ { "id": "WindowsFirewallAma", - "title": "Windows Firewall Events via AMA (Preview)", + "title": "Windows Firewall Events via AMA", "publisher": "Microsoft", "descriptionMarkdown": "Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocking potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream your Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to stream those logs to the Microsoft Sentinel workspace.\n\nA configured data collection endpoint (DCE) is required to be linked with the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE stored in the same region, it's possible to change the default created DCE and use your existing one through the API. DCEs can be located in your resources with **SentinelDCE** prefix in the resource name.\n\nFor more information, see the following articles:\n- [Data collection endpoints in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal)\n- [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2228623&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci)", "graphQueries": [ 
diff --git a/Solutions/Windows Firewall/Package/3.0.2.zip b/Solutions/Windows Firewall/Package/3.0.2.zip index 4ac2a16a2f7..8b1eaf43b1a 100644 Binary files a/Solutions/Windows Firewall/Package/3.0.2.zip and b/Solutions/Windows Firewall/Package/3.0.2.zip differ diff --git a/Solutions/Windows Firewall/Package/mainTemplate.json b/Solutions/Windows Firewall/Package/mainTemplate.json index 4763bf9ef7c..92720f9f6d9 100644 --- a/Solutions/Windows Firewall/Package/mainTemplate.json +++ b/Solutions/Windows Firewall/Package/mainTemplate.json 
@@ -256,7 +256,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId2')]", - "title": "Windows Firewall Events via AMA (Preview)", + "title": "Windows Firewall Events via AMA", "publisher": "Microsoft", "descriptionMarkdown": "Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocking potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream your Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to stream those logs to the Microsoft Sentinel workspace.\n\nA configured data collection endpoint (DCE) is required to be linked with the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE stored in the same region, it's possible to change the default created DCE and use your existing one through the API. DCEs can be located in your resources with **SentinelDCE** prefix in the resource name.\n\nFor more information, see the following articles:\n- [Data collection endpoints in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal)\n- [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2228623&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci)", "graphQueries": [ @@ -316,7 +316,7 @@ "contentSchemaVersion": "3.0.0", "contentId": "[variables('_dataConnectorContentId2')]", "contentKind": "DataConnector", - "displayName": "Windows Firewall Events via AMA (Preview)", + "displayName": "Windows Firewall Events via AMA", "contentProductId": "[variables('_dataConnectorcontentProductId2')]", "id": "[variables('_dataConnectorcontentProductId2')]", "version": "[variables('dataConnectorVersion2')]" 
@@ -360,7 +360,7 @@ "kind": "StaticUI", "properties": { "connectorUiConfig": { - "title": "Windows Firewall Events via AMA (Preview)", + "title": "Windows Firewall Events via AMA", "publisher": "Microsoft", "descriptionMarkdown": "Windows Firewall is a Microsoft Windows application that filters information coming to your system from the internet and blocking potentially harmful programs. The firewall software blocks most programs from communicating through the firewall. To stream your Windows Firewall application logs collected from your machines, use the Azure Monitor agent (AMA) to stream those logs to the Microsoft Sentinel workspace.\n\nA configured data collection endpoint (DCE) is required to be linked with the data collection rule (DCR) created for the AMA to collect logs. For this connector, a DCE is automatically created in the same region as the workspace. If you already use a DCE stored in the same region, it's possible to change the default created DCE and use your existing one through the API. DCEs can be located in your resources with **SentinelDCE** prefix in the resource name.\n\nFor more information, see the following articles:\n- [Data collection endpoints in Azure Monitor](https://learn.microsoft.com/azure/azure-monitor/essentials/data-collection-endpoint-overview?tabs=portal)\n- [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2228623&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci)", "graphQueries": [ diff --git a/Solutions/ZeroFox/Data Connectors/CTI/AzureFunctionZeroFoxCTI.zip b/Solutions/ZeroFox/Data Connectors/CTI/AzureFunctionZeroFoxCTI.zip index 1599602a7e7..f4e3409c0e9 100644 Binary files a/Solutions/ZeroFox/Data Connectors/CTI/AzureFunctionZeroFoxCTI.zip and b/Solutions/ZeroFox/Data Connectors/CTI/AzureFunctionZeroFoxCTI.zip differ diff --git a/Solutions/ZeroFox/Data Connectors/CTI/requirements.txt b/Solutions/ZeroFox/Data Connectors/CTI/requirements.txt index 35024c3f4a3..2053947859f 100644 
--- a/Solutions/ZeroFox/Data Connectors/CTI/requirements.txt
+++ b/Solutions/ZeroFox/Data Connectors/CTI/requirements.txt
@@ -6,5 +6,5 @@ requests==2.32.2
 azure-functions==1.19.0
 responses==0.25.0
 pytest==8.2.0
-aiohttp==3.9.5
+aiohttp==3.10.2
 python-dateutil==2.9.0.post0
diff --git a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt
deleted file mode 100644
index 15a16325a56..00000000000
--- a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt
+++ /dev/null
@@ -1,98 +0,0 @@ -// Usage Instruction : -// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as ZNSegmentAudit. -// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ZNSegmentAudit | take 10). -// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions -let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [ - 0, "Unspecified", - 1, "Asset is being added to protection", - 2, "Asset added to protection", - 3, "Asset failed adding to protection", - 4, "Asset is being removed from protection", - 5, "Removed asset from protection", - 6, "Failed removing asset from protection", - 7, "Asset added to learning", - 8, "Asset removed from learning", - 9, "Access rule created", - 10, "Access rule deleted", - 11, "Access rule expired", - 12, "Access rule edited", - 17, "MFA access policy created", - 18, "MFA access policy deleted", - 19, "MFA access policy edited", - 20, "JIT rule created", - 21, "JIT rule deleted", - 22, "JIT rule expired", - 23, "JIT rule revived", - 24, "JIT rule edited", - 25, "API Token created", - 26, "API Token deleted", - 27, "API Token regenerated", - 28, "Asset learning is extended", - 29, "Outbound block rule created", - 30, "Outbound block rule deleted", - 31, "Outbound block rule expired", - 32, "Outbound block rule edited", - 33, "Inbound block rule created", - 34, "Inbound block rule deleted", - 35, "Inbound block rule expired", - 36, "Inbound block rule edited", - 37, "Inbound rule pseudo edited", - 38, "Outbound rule pseudo edited" -]; -let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, EnforcementSource: string) [ - 1, "Reactive Policy", - 2, "Automated", - 3, "Access Portal", - 4, "Admin Portal", - 5, "AI", - 6, "API" -]; -let UserRoleTypeTable = datatable (userRole_d: double, UserRole: 
string) [ - 1, "Admin", - 2, "Viewer", - 3, "Regular", - 4, "API - Full Access", - 5, "API - Read Only", - 6, "Self Service" -]; -union isfuzzy=true ZNSegmentAuditNativePoller_CL, ZNSegmentAudit_CL -| project-away TimeGenerated -| lookup kind=leftouter AuditTypesTable on auditType_d -| lookup kind=leftouter EnforcementSourceTypeTable on enforcementSource_d -| lookup kind=leftouter UserRoleTypeTable on userRole_d -| extend entity=parse_json(destinationEntitiesList_s) -| extend EventVendor="Zero Networks", - EventProduct="Segment Audit", - AuditTypeId=column_ifexists('auditType_d', ''), - TimeGenerated=unixtime_milliseconds_todatetime(timestamp_d), - EnforcementSourceId=column_ifexists('enforcementSource_d', ''), - UserRoleId=column_ifexists('userRole_d', ''), - DestinationEntityName = ['entity'][0].name, - DestinationEntityId = ['entity'][0].id, - Details=column_ifexists('details_s', ''), - PerformedById=column_ifexists('performedBy_id_s', ''), - PerformedByName=column_ifexists('performedBy_name_s', ''), - PerformedByGuid=column_ifexists('performedBy_id_g', ''), - ReportedObjectGuid=column_ifexists('reportedObjectId_g', ''), - ReportedObjectId=column_ifexists('reportedObjectId_s', '') -| extend Rule=parse_json(Details).rule, - ReactivePolicy=parse_json(Details).rp -| project - TimeGenerated, - EventVendor, - EventProduct, - AuditTypeId, - AuditType, - DestinationEntityId, - DestinationEntityName, - EnforcementSourceId, - EnforcementSource, - PerformedByGuid, - PerformedById, - PerformedByName, - ReportedObjectGuid, - ReportedObjectId, - UserRoleId, - UserRole, - Rule, - ReactivePolicy diff --git a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml index be2f94cb775..0315e2fff68 100644 --- a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml +++ b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml 
@@ -1,38 +1,38 @@
 id: 4677df99-9bff-4b87-a7b9-575091361d82
 Function:
 Title: Parser for ZNSegmentAudit
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
+ Version: '1.0.1'
+ LastUpdated: '2024-10-08'
 Category: Microsoft Sentinel Parser
 FunctionName: ZNSegmentAudit
 FunctionAlias: ZNSegmentAudit
 FunctionQuery: |
 let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [
 0, "Unspecified",
- 1, "Asset is being added to protection",
- 2, "Asset added to protection",
- 3, "Asset failed adding to protection",
- 4, "Asset is being removed from protection",
- 5, "Removed asset from protection",
- 6, "Failed removing asset from protection",
- 7, "Asset added to learning",
- 8, "Asset removed from learning",
- 9, "Access rule created",
- 10, "Access rule deleted",
- 11, "Access rule expired",
- 12, "Access rule edited",
- 17, "MFA access policy created",
- 18, "MFA access policy deleted",
- 19, "MFA access policy edited",
- 20, "JIT rule created",
- 21, "JIT rule deleted",
- 22, "JIT rule expired",
- 23, "JIT rule revived",
- 24, "JIT rule edited",
+ 1, "Asset is being segmented (network)",
+ 2, "Asset segmented (network)",
+ 3, "Asset failed being segmented (network)",
+ 4, "Asset is being unsegmented (network)",
+ 5, "Asset unsegmented (network)",
+ 6, "Asset failed being unsegmented (network)",
+ 7, "Asset added to learning (network)",
+ 8, "Asset removed from learning (network)",
+ 9, "Inbound allow rule created",
+ 10, "Inbound allow rule deleted",
+ 11, "Inbound allow rule expired",
+ 12, "Inbound allow rule edited",
+ 17, "Inbound MFA policy created",
+ 18, "Inbound MFA policy edited",
+ 19, "Inbound MFA policy deleted",
+ 20, "Inbound JIT rule created",
+ 21, "Inbound JIT rule deleted",
+ 22, "Inbound JIT rule expired",
+ 23, "Inbound JIT rule revived",
+ 24, "Inbound JIT rule edited",
 25, "API Token created",
 26, "API Token deleted",
 27, "API Token regenerated",
- 28, "Asset learning is extended",
+ 28, "Asset segmentation date postponed (network)",
 29, "Outbound block rule created",
 30, "Outbound block rule deleted",
 31, "Outbound block rule expired",
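Review bot: Codes 18 and 19 change meaning relative to each other in this hunk — the old rows were 18 = deleted, 19 = edited, the new ones are `18, "Inbound MFA policy edited"` and `19, "Inbound MFA policy deleted"` — while every other created/deleted/expired/edited group in the table (9–12, 20–24, 29–31) keeps deleted before edited, so unless the vendor's enumeration really differs for MFA policies the two strings look transposed and worth confirming against the source documentation. Separately, relabelling `AuditType` values (for example "Access rule created" becoming "Inbound allow rule created") silently breaks any analytic rule, hunting query or workbook that filters on the old text, which a version bump from 1.0.0 to 1.0.1 does not signal; dependent content should be checked for string matches on the old labels before this lands. The datatable continues past the end of this hunk.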
@@ -41,8 +41,107 @@ FunctionQuery: | 34, "Inbound block rule deleted", 35, "Inbound block rule expired", 36, "Inbound block rule edited", - 37, "Inbound rule pseudo edited", - 38, "Outbound rule pseudo edited" + 39, "Asset unsegmented (network) (overriding policy)", + 40, "Asset is being unsegmented (network) (overriding policy)", + 41, "Asset removed from learning (network) (overriding policy)", + 42, "Asset is being segmented (network) (policy)", + 43, "Asset segmented (network) (policy)", + 44, "Asset added to learning (network) (policy)", + 45, "Segmentation policy created", + 46, "Segmentation policy deleted", + 47, "Segmentation policy edited", + 48, "Inbound JIT access rejected", + 49, "Inbound JIT fallback rule created", + 50, "Inbound JIT fallback rule deleted", + 51, "Inbound JIT fallback rule expired", + 53, "Outbound allow rule created", + 54, "Outbound allow rule deleted", + 55, "Outbound allow rule expired", + 56, "Outbound allow rule edited", + 58, "Admin portal role changed to admin", + 59, "Admin portal role changed to viewer", + 60, "Admin portal role revoked", + 61, "Outbound JIT rule created", + 62, "Outbound JIT rule deleted", + 63, "Outbound JIT rule expired", + 64, "Outbound MFA policy created", + 65, "Outbound MFA policy deleted", + 66, "Outbound MFA policy edited", + 67, "Outbound JIT access rejected", + 68, "Asset learning is done (network)", + 69, "Asset learning (policy) is done (network)", + 70, "Manual Linux asset created", + 71, "Manual OT/IoT asset created", + 72, "Asset learning extended (network)", + 73, "Admin portal logon", + 74, "Asset manager added", + 75, "Asset manager removed", + 76, "Asset is monitored by Cloud connector", + 77, "Asset is no longer monitored by Cloud connector", + 78, "Asset is monitored by Segment server", + 79, "Asset is back to learning (network)", + 80, "Manual OT/IoT asset edited", + 81, "Admin portal role changed to operator", + 82, "Segment server deployed", + 83, "AI inbound allow rule rejected", + 
84, "AI inbound block rule rejected", + 85, "AI outbound allow rule rejected", + 86, "AI outbound block rule rejected", + 87, "AI inbound allow rule approved", + 88, "AI inbound block rule approved", + 89, "AI outbound allow rule approved", + 90, "AI outbound block rule approved", + 91, "AI inbound allow rule approved with changes", + 92, "AI inbound block rule approved with changes", + 93, "AI outbound allow rule approved with changes", + 94, "AI outbound block rule approved with changes", + 95, "Connect region created", + 96, "Connect session created", + 97, "Connect session expired", + 98, "Connect session revoked", + 99, "Connect session logged out", + 100, "User access configuration created", + 101, "User access configuration edited", + 102, "User access configuration deleted", + 103, "Connect server deployed", + 104, "Connect asset created", + 105, "Asset segmentation postponed (network) (pending review rules)", + 106, "Connect region edited", + 107, "Connect server edited", + 108, "Asset is being segmented (identity)", + 109, "Asset segmented (identity)", + 110, "Asset is being unsegmented (identity)", + 111, "Asset unsegmented (identity)", + 112, "Identity rule created", + 113, "Identity rule deleted", + 114, "Identity rule expired", + 115, "Identity rule edited", + 116, "User segmented (identity)", + 117, "User unsegmented (identity)", + 118, "User added to learning (identity)", + 119, "User removed from learning (identity)", + 120, "Asset added to RPC monitoring", + 121, "Asset removed from RPC monitoring", + 122, "User classification changed", + 123, "Connect session extended", + 124, "Asset marked as inactive by repository (deleted)", + 125, "Asset marked as active by repository", + 126, "Asset marked as inactive by user", + 127, "Asset marked as active by user", + 128, "Break glass configuration activated", + 129, "Break glass configuration deactivated", + 130, "Asset marked as inactive by repository (disable)", + 131, "Asset marked as active by 
repository (enable)", + 132, "Break glass configuration activated (asset)", + 133, "Break glass configuration deactivated (asset)", + 134, "Asset is being segmented (RPC)", + 135, "Asset segmented (RPC)", + 136, "Asset is being unsegmented (RPC)", + 137, "Asset unsegmented (RPC)", + 138, "Rules RPC rule created", + 139, "Rules RPC rule deleted", + 140, "Rules RPC rule expired", + 141, "Rules RPC rule edited" ]; let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, EnforcementSource: string) [ 1, "Reactive Policy", @@ -50,7 +149,8 @@ FunctionQuery: | 3, "Access Portal", 4, "Admin Portal", 5, "AI", - 6, "API" + 6, "API", + 7, "Setup" ]; let UserRoleTypeTable = datatable (userRole_d: double, UserRole: string) [ 1, "Admin", @@ -58,7 +158,12 @@ FunctionQuery: | 3, "Regular", 4, "API - Full Access", 5, "API - Read Only", - 6, "Self Service" + 6, "Self Service", + 7, "CloudConnectorProvisioning", + 8, "JAMF Asset", + 9, "Asset Manager", + 10, "Operator", + 11, "Service Now Token" ]; union isfuzzy=true ZNSegmentAuditNativePoller_CL, ZNSegmentAudit_CL | project-away TimeGenerated diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index 44fdc2a3243..a4e765cff53 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -175,8 +175,7 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "PaloAltoNetworks", - "PaloAltoNetworksAma" + "CefAma" ], "previewImagesFileNames": [ "PaloAltoOverviewWhite1.png", @@ -200,8 +199,7 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "PaloAltoNetworks", - "PaloAltoNetworksAma" + "CefAma" ], "previewImagesFileNames": [ "PaloAltoNetworkThreatWhite1.png", 
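Review bot: The expanded table has holes (13–16 were already absent, 37 and 38 are removed here, and 52 and 57 are skipped among the new rows), and the query's lookup — shown as `lookup kind=leftouter` in the deleted ZNSegmentAudit.txt copy and presumably identical in this FunctionQuery, although that part is outside the hunk — yields an empty `AuditType` for any unmapped code, which downstream is indistinguishable from a missing field. A fallback after the lookup, such as `| extend AuditType = iff(isempty(AuditType), strcat("Unknown (", tostring(auditType_d), ")"), AuditType)`, would keep unknown codes visible in detections instead of blanking them. Dropping 37 and 38 in particular means events still emitted with those codes, if the vendor still sends them, now map to blank rather than a label; worth confirming against the current enumeration. The same empty-lookup behaviour applies to the new `EnforcementSource` and `UserRole` rows in the hunks at @@ -50,7 +149,8 @@ and @@ -58,7 +158,12 @@.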
@@ -2837,8 +2835,7 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "TrendMicroApexOne", - "TrendMicroApexOneAma" + "CefAma" ], "previewImagesFileNames": [ "TrendMicroApexOneBlack.png", @@ -2905,8 +2902,7 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "PaloAltoCDL", - "PaloAltoCDLAma" + "CefAma" ], "previewImagesFileNames": [ "PaloAltoBlack.png", @@ -3594,8 +3590,7 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "CiscoSEG", - "CiscoSEGAma" + "CefAma" ], "previewImagesFileNames": [ "CiscoSEGBlack.png", @@ -4565,8 +4560,6 @@ "Zscaler", "ZscalerAma", "MicrosoftSysmonForLinux", - "PaloAltoNetworks", - "PaloAltoNetworksAma", "AzureMonitor(VMInsights)", "AzureFirewall", "AzureNSG", @@ -4576,7 +4569,8 @@ "CheckPoint", "Fortinet", "CiscoMeraki", - "FortinetAma" + "FortinetAma", + "CefAma" ], "previewImagesFileNames": [], "version": "1.0.0", diff --git a/Tools/MDO Power BI Dashboard/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit b/Tools/MDO Power BI Dashboard/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit new file mode 100644 index 00000000000..16bac6d62d1 Binary files /dev/null and b/Tools/MDO Power BI Dashboard/MDO Detection Details Report - v1.22 (Sentinel,LogAnalytics).pbit differ diff --git a/Tools/MDO Power BI Dashboard/Media/MDOLA1.png b/Tools/MDO Power BI Dashboard/Media/MDOLA1.png new file mode 100644 index 00000000000..4868952fbf0 Binary files /dev/null and b/Tools/MDO Power BI Dashboard/Media/MDOLA1.png differ diff --git a/Tools/MDO Power BI Dashboard/Media/MDOLA2.png b/Tools/MDO Power BI Dashboard/Media/MDOLA2.png new file mode 100644 index 00000000000..f1d1fe59e86 Binary files /dev/null and b/Tools/MDO Power BI Dashboard/Media/MDOLA2.png differ diff --git a/Tools/MDO Power BI Dashboard/Media/MDOLA3.png b/Tools/MDO Power BI Dashboard/Media/MDOLA3.png new file mode 100644 index 00000000000..7e348e45928 Binary files /dev/null and b/Tools/MDO Power BI Dashboard/Media/MDOLA3.png differ 
diff --git a/Tools/MDO Power BI Dashboard/Readme.md b/Tools/MDO Power BI Dashboard/Readme.md index 8b230f81293..8f225b71d24 100644 --- a/Tools/MDO Power BI Dashboard/Readme.md +++ b/Tools/MDO Power BI Dashboard/Readme.md @@ -4,18 +4,29 @@ [Overview](#overview)
[Example View of Microsoft Defender for Office 365 (MDO) Detection Details Report](#example-view-of-microsoft-defender-for-office-365-mdo-detection-details-report)
-[How to use the .pbit file](#how-to-use-the-pbit-file)
+[How to use the .pbit file for Log Analytics/Sentinel](#how-to-use-the-pbit-file-for-log-analyticssentinel)
+[How to use the .pbit file for the Hunting API](#how-to-use-the-pbit-file-for-the-hunting-api)
[How to publish to Power BI online and configure scheduled auto-refresh](#how-to-publish-to-power-bi-online-and-configure-scheduled-auto-refresh)
## Overview -This report template will give you an example how to use Microsoft 365 Defender Hunting API to build a custom report using Power BI. This way you can visualise Microsoft Defender for Office 365 (MDO) data based on your organisation needs. +These templates will give you an example how to build a Microsoft Defender for Office 365 custom report using Power BI. This way you can visualize Microsoft Defender for Office 365 (MDO) data based on your organization needs. +Sentinel/Log Analytics version: +* Requires the Defender XDR connector in Sentinel for the EmailEvents, EmailPostDeliveryEvents, EmailUrlInfo, UrlClickEvents and CloudAppEvents tables as described here: [Connect data from Microsoft Defender XDR to Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDO#connect-events) or a custom solution to push the data into a Log Analytics workspace +* Requires at least read permission for the Log Analytics workspace +* For the maps visuals the Azure Maps option should be enabled in the tenant settings: [Manage Azure Maps Power BI visual within your organization](https://learn.microsoft.com/en-us/azure/azure-maps/power-bi-visual-manage-access) +* Based on the retention of the tables in Log Analytics the data can be stored for up to 12 years [Manage data retention in a Log Analytics workspace](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-retention-configure?tabs=portal-3%2Cportal-1%2Cportal-2#configure-table-level-retention) + +M365D Hunting API version (legacy): +* No longer a fully supported API and can break at any moment, being replaced by the Microsoft Graph security API. Using Microsoft Graph directly in PowerBI is not recommended or supported: [Lack of Support for Microsoft Graph in Power Query](https://learn.microsoft.com/en-us/power-query/connecting-to-graph) * It is using Delegated model to connect to the M365D Hunting API. 
No need for app registration simply need an admin account which can run the underlying Hunting queries using the API. * Access to the Advanced hunting feature in the M365 Defender portal is needed through appropriate permission and license. * The built-in Security Reader or Security Administrator role is enough to have the report working for example. * Defender for Office 365 Plan 2 standalone or included in Microsoft 365 A5/E5/F5/G5 Security -* This is intended to be a template, we encourage everybody to modify queries, visualisations, bring in more data sets based on organisation needs. + +General considerations: +* These are intended to be a template, we encourage everybody to modify queries, visualizations, bring in more data sets based on organization needs. * The “ReadMe” tab of the template files has more information about terminology used in the template. * This not intended to be a permanent or complete solution rather show an example how to create custom Microsoft Defender for Office 365 (MDO) reports using the hunting API and Power BI. @@ -23,7 +34,13 @@ This report template will give you an example how to use Microsoft 365 Defender ![MDOPowerBI1](Media/MDOPowerBI1.png) -## How to use the .pbit file +## How to use the .pbit file for Log Analytics/Sentinel + +Opening the .pbit file will prompt for the Log Analytics Workspace ID at first run.

![MDOLA1](Media/MDOLA1.png)

+It can be found in the Azure Portal on the Log Analytics page:

![MDOLA2](Media/MDOLA2.png)

+After that make sure you sign in with the “Organization account” with permissions to the Log Analytics Workspace:

![MDOLA3](Media/MDOLA3.png)

+ +## How to use the .pbit file for the Hunting API Using the .pbit file will load the template with no data and ask for Authentication at first run. Power BI will ask for connect/Authenticate to the data source (Hunting API in M365D)

![MDOPowerBI2](Media/MDOPowerBI2.png)

diff --git a/Workbooks/1Password.json b/Workbooks/1Password.json index 7cfad028e0c..36f5244b76a 100644 --- a/Workbooks/1Password.json +++ b/Workbooks/1Password.json @@ -17,7 +17,7 @@ ], "parameters": [ { - "id": "1ca69445-60fc-4806-b43d-ac7e6aad630a", + "id": "1ca69445-60fc-4806-b43d-ac7e6aad63", "version": "KqlParameterItem/1.0", "name": "Subscription", "type": 6, diff --git a/Workbooks/Data_Latency_Workbook.json b/Workbooks/Data_Latency_Workbook.json new file mode 100644 index 00000000000..90bdb030e79 --- /dev/null +++ b/Workbooks/Data_Latency_Workbook.json 
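Review bot: The new parameter `id` in Workbooks/1Password.json, `1ca69445-60fc-4806-b43d-ac7e6aad63`, drops the last two hex characters of the previous value and is no longer a well-formed 36-character UUID. Every other parameter id visible in this commit (for example `a8d98716-5abc-414f-8fd1-de08f527b28e` in Data_Latency_Workbook.json) keeps the full UUID shape, so this looks like an accidental truncation rather than a deliberate rename. If the intent was to force a new identity for the Subscription parameter, use a freshly generated full UUID; otherwise restore `"id": "1ca69445-60fc-4806-b43d-ac7e6aad630a"`. I cannot tell from the diff whether the workbook loader validates the format, but ids are also expected to be unique within the workbook, and a hand-edited value is easy to collide.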
@@ -0,0 +1,1073 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "a8d98716-5abc-414f-8fd1-de08f527b28e", + "version": "KqlParameterItem/1.0", + "name": "Time_Range", + "type": 4, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let unwanted_devices = dynamic (['{computerdevice}','{computerdevice1','{computerdevice2}','{computerdevice3}']);\r\nCommonSecurityLog\r\n| where DeviceVendor contains \"Fortinet\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| where Computer !in~ (unwanted_devices)\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc \r\n", + "size": 0, + "title": "Fortinet Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + 
"thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 5", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where TimeGenerated > ago(30d)\r\n| where DeviceVendor contains \"Sonicwall\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "Sonicwall Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": 
null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 1", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where DeviceVendor contains \"Trend Micro\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| extend TimeDifference_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_hours\r\n| sort by TimeDifference_hours desc ", + "size": 0, + "title": "TrendMicro Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where TimeGenerated > ago(30d)\r\n| where DeviceVendor contains \"Forcepoint\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| extend TimeDifference = (now() - 
LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference", + "size": 0, + "title": "Forcepoint Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 3", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let unwanted_devices = dynamic (['{computerdevice}','{computerdevice1','{computerdevice2}','{computerdevice3}']);\r\nCommonSecurityLog\r\n| where TimeGenerated > ago(30d)\r\n| where DeviceVendor contains \"Imperva Inc.\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| where Computer !in~ (unwanted_devices)\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "Imperva Inc Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": 
"Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "sourceColumn": "LastReceivedTime", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "redBright", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 4", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let unwanted_devices = dynamic (['{computerdevice}','{computerdevice1','{computerdevice2}','{computerdevice3}']);\r\nCommonSecurityLog\r\n| where DeviceVendor contains \"Cyber-Ark\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| where Computer in~ (unwanted_devices)\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "Cyberark Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + 
"columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where TimeGenerated > ago(30d)\r\n| where DeviceVendor contains \"JSonar\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "Jsonar Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", 
+ "name": "query - 6 - Copy", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "CommonSecurityLog\r\n| where TimeGenerated > ago(30d)\r\n| where DeviceVendor contains \"F5\"\r\n| summarize LastReceivedTime = max(TimeGenerated) by Computer\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project Computer, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "F5 Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "F5Telemetry_LTM_CL\r\n| where TimeGenerated > ago(30d)\r\n| summarize LastReceivedTime = max(TimeGenerated) by hostname_s\r\n| where hostname_s != ''\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project hostname_s, LastReceivedTime, 
TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "F5 LTM Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "hostname_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy - Copy", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "F5Telemetry_ASM_CL\r\n| where TimeGenerated > ago(30d)\r\n| summarize LastReceivedTime = max(TimeGenerated) by hostname_s\r\n| where hostname_s != ''\r\n| extend TimeDifference_in_hours = (now() - LastReceivedTime) / 1hour\r\n| project hostname_s, LastReceivedTime, TimeDifference_in_hours\r\n| sort by TimeDifference_in_hours desc ", + "size": 0, + "title": "F5 ASM Lastseen", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "hostname_s", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Computer", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6 - Copy - Copy - Copy - Copy", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "50", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "OfficeActivity\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n| union (\r\nAWSCloudTrail\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union (\r\nNetskope_CL\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union ( \r\nAWSCloudWatch\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union ( \r\nAzureActivity\r\n| summarize 
LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union (\r\nTrendMicro_XDR_Health_Check_CL\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union (\r\nTrendMicro_XDR_OAT_CL\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union (\r\nTrendMicro_XDR_OAT_Health_Check_CL\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| union (\r\nTrendMicro_XDR_WORKBENCH_CL\r\n| summarize LastReceivedTime = max(TimeGenerated) by Type\r\n| extend TimeDifference = (now() - LastReceivedTime) / 1hour\r\n)\r\n| sort by TimeDifference desc ", + "size": 0, + "title": "Data Sources Latency", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Type", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "<", + "thresholdValue": "1", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": ">", + "thresholdValue": "1", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "name": "Data Sources Latency" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let heartbeatCount = (\r\n Heartbeat\r\n | where (TimeGenerated > ago(1d))\r\n | where ResourceProvider == 
'Microsoft.HybridCompute' and ResourceType == 'machines'\r\n | where Category == \"Azure Monitor Agent\"\r\n | summarize arg_max(TimeGenerated, *) by Computer\r\n | summarize LastHeartbeat = max(TimeGenerated) by Computer\r\n | extend State = iff(LastHeartbeat < ago(30m), 'Unhealthy', 'Healthy')\r\n | summarize Count = dcount(Computer) by State);\r\ndatatable(State: string, Rank: int)[\"Unhealthy\", 0, \"Healthy\", 1]\r\n| join kind = leftouter heartbeatCount on State\r\n| extend Count = iff(isempty(State1), 0, Count)\r\n| project-away State1\r\n| extend Rank = iff(State == 'Unhealthy' and Count == 0, 2, Rank)\r\n| order by Rank asc\r\n| project-reorder State, Count", + "size": 0, + "title": "Agents Health Snapshot", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Healthy", + "color": "green" + }, + { + "seriesName": "Unhealthy", + "color": "redBright" + } + ] + } + }, + "customWidth": "30", + "name": "query - 11", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " Heartbeat\r\n | where (TimeGenerated > ago(1d))\r\n | where ResourceProvider == 'Microsoft.HybridCompute' and ResourceType == 'machines'\r\n | where Category == \"Azure Monitor Agent\"\r\n | summarize arg_max(TimeGenerated, *) by Computer\r\n | summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType\r\n | extend Server_State = iff(LastHeartbeat < ago(30m), 'Unhealthy', 'Healthy') // and iff(x == 1,'Unhealthy', 'Healthy')\r\n | join ARCLatency on $left.Computer == $right. 
Computer \r\n | project-away Computer1, LastReceivedTime\r\n | project Computer, OSType, Server_State, LastHeartbeat, TimeDifference\r\n | extend Time_Diff_in_Mins = toint(TimeDifference)\r\n | project-away TimeDifference\r\n | sort by Time_Diff_in_Mins desc", + "size": 0, + "title": "Azure ARC enabled server details", + "timeContextFromParameter": "Time_Range", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Server_State", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Healthy", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Unhealthy", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "lightBlue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Time_Diff_in_Mins", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "60", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "20", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "5", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "70", + "name": "query - 10", + "styleSettings": { + "margin": "50", + "padding": "50", + "maxWidth": "70", + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Heartbeat\r\n | where (TimeGenerated > ago(7d))\r\n | where ResourceProvider == 'Microsoft.HybridCompute' and ResourceType == 'machines'\r\n | where Category == \"Azure Monitor Agent\"\r\n | summarize by Computer, OSType, OSName\r\n | join kind=innerunique 
SecurityEvent on $left.Computer == $right. Computer\r\n | where TimeGenerated >= ago(30d)\r\n | extend Day = bin(TimeGenerated,1d)\r\n | extend Quantity = _BilledSize\r\n | project Quantity,TimeGenerated,Computer,Day\r\n | sort by TimeGenerated asc\r\n | summarize EventCount = sum(Quantity) by Computer, Day\r\n | extend GB = EventCount/1073741824\r\n | extend MB = GB * 1024\r\n | project Day, Computer, EventCount, MB\r\n | sort by Day desc\r\n | union (Heartbeat\r\n | where (TimeGenerated > ago(7d))\r\n | where ResourceProvider == 'Microsoft.HybridCompute' and ResourceType == 'machines'\r\n | where Category == \"Azure Monitor Agent\"\r\n | summarize by Computer, OSType, OSName\r\n | where OSType contains \"linux\"\r\n | join kind=innerunique Syslog on $left.Computer==$right.Computer\r\n | where TimeGenerated >= ago(30d)\r\n | extend Day = bin(TimeGenerated,1d)\r\n | extend Quantity = _BilledSize\r\n | project Quantity,TimeGenerated,Computer,Day\r\n | sort by TimeGenerated asc\r\n | summarize EventCount = sum(Quantity) by Computer, Day\r\n | extend GB = EventCount/1073741824\r\n | extend MB = GB * 1024\r\n | project Day, Computer, EventCount, MB\r\n | sort by Day desc\r\n )\r\n | sort by Day, Computer desc \r\n | project-away EventCount", + "size": 0, + "title": "Azure ARC servers ingestion trend over 7 days", + "timeContext": { + "durationMs": 604800000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "unstackedbar" + }, + "name": "query - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let windows=(_GetWatchlist('PNL_IND_Windows_Prod')| project Hostname); \r\nSecurityEvent \r\n| summarize Last_Received_time = max(TimeGenerated) by Computer\r\n| union ( Windowslogs\r\n| summarize Last_Received_time = max(TimeGenerated) by Computer\r\n)\r\n| distinct Computer, Last_Received_time\r\n| where Computer !contains \"PINENOIL\"\r\n| where Computer in (windows)\r\n| extend 
Reporting_Computer = Computer\r\n| extend TimeDifference = ( now() - Last_Received_time) / 1hour\r\n| project-away Computer\r\n| sort by TimeDifference desc\r\n| project Reporting_Computer, Last_Received_time, TimeDifference", + "size": 0, + "title": "Windows Devices", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "60", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "30", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "10", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "name": "query - 13" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let Linux=(_GetWatchlist('PNL_IND_Linux_Prod')| project Hostname); \r\nSyslog\r\n| summarize Last_Received_time = max(TimeGenerated) by Computer\r\n| distinct Computer, Last_Received_time\r\n| where Computer !contains \"PINENOIL\"\r\n| where Computer in (Linux)\r\n| extend Reporting_Computer = Computer\r\n| extend TimeDifference = ( now() - Last_Received_time) / 1hour\r\n| project-away Computer\r\n| sort by TimeDifference desc\r\n| project Reporting_Computer, Last_Received_time, TimeDifference", + "size": 0, + "title": "Linux Devices", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeDifference", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "60", + 
"representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "30", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "10", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "name": "query - 13 - Copy" + } + ], + "fallbackResourceIds": [ + "" + ], + "fromTemplateId": "Sentinel-Data-latnecy-workbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" + } \ No newline at end of file diff --git a/Workbooks/Images/Logos/CTERA_Logo.svg b/Workbooks/Images/Logos/CTERA_Logo.svg new file mode 100644 index 00000000000..4217888dfc1 --- /dev/null +++ b/Workbooks/Images/Logos/CTERA_Logo.svg @@ -0,0 +1,228 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png b/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png new file mode 100644 index 00000000000..f652810301b Binary files /dev/null and b/Workbooks/Images/Preview/CTERASMBLogsWorkbookBlack.png differ diff --git a/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png b/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png new file mode 100644 index 00000000000..cf4c9ef91ba Binary files /dev/null and b/Workbooks/Images/Preview/CTERASMBLogsWorkbookWhite.png differ diff --git a/Workbooks/Images/Preview/CorelightBlack1.png b/Workbooks/Images/Preview/CorelightBlack1.png new file mode 100644 index 00000000000..da21b369c45 Binary files /dev/null and b/Workbooks/Images/Preview/CorelightBlack1.png differ diff --git a/Workbooks/Images/Preview/CorelightBlack2.png b/Workbooks/Images/Preview/CorelightBlack2.png new file mode 100644 index 00000000000..a48fff34fc6 Binary files /dev/null and b/Workbooks/Images/Preview/CorelightBlack2.png differ 
diff --git a/Workbooks/Images/Preview/CorelightBlack3.png b/Workbooks/Images/Preview/CorelightBlack3.png
new file mode 100644
index 00000000000..f3ecd0556b9
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightBlack3.png differ
diff --git a/Workbooks/Images/Preview/CorelightBlack4.png b/Workbooks/Images/Preview/CorelightBlack4.png
new file mode 100644
index 00000000000..6ebf83c9903
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightBlack4.png differ
diff --git a/Workbooks/Images/Preview/CorelightBlack5.png b/Workbooks/Images/Preview/CorelightBlack5.png
new file mode 100644
index 00000000000..c16acfe2343
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightBlack5.png differ
diff --git a/Workbooks/Images/Preview/CorelightBlack6.png b/Workbooks/Images/Preview/CorelightBlack6.png
new file mode 100644
index 00000000000..56b68c0b9c6
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightBlack6.png differ
diff --git a/Workbooks/Images/Preview/CorelightBlack7.png b/Workbooks/Images/Preview/CorelightBlack7.png
new file mode 100644
index 00000000000..2f2b04dc542
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightBlack7.png differ
diff --git a/Workbooks/Images/Preview/CorelightBlack8.png b/Workbooks/Images/Preview/CorelightBlack8.png
new file mode 100644
index 00000000000..90284b8f52f
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightBlack8.png differ
diff --git a/Workbooks/Images/Preview/CorelightWhite1.png b/Workbooks/Images/Preview/CorelightWhite1.png
new file mode 100644
index 00000000000..3d2f92ca505
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightWhite1.png differ
diff --git a/Workbooks/Images/Preview/CorelightWhite2.png b/Workbooks/Images/Preview/CorelightWhite2.png
new file mode 100644
index 00000000000..e1fdcb60eee
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightWhite2.png differ
diff --git a/Workbooks/Images/Preview/CorelightWhite3.png b/Workbooks/Images/Preview/CorelightWhite3.png
new file mode 100644
index 00000000000..eb98f618b6a
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightWhite3.png differ
diff --git a/Workbooks/Images/Preview/CorelightWhite4.png b/Workbooks/Images/Preview/CorelightWhite4.png
new file mode 100644
index 00000000000..8cd3ab6e366
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightWhite4.png differ
diff --git a/Workbooks/Images/Preview/CorelightWhite5.png b/Workbooks/Images/Preview/CorelightWhite5.png
new file mode 100644
index 00000000000..9eb1bfe8b1f
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightWhite5.png differ
diff --git a/Workbooks/Images/Preview/CorelightWhite6.png b/Workbooks/Images/Preview/CorelightWhite6.png
new file mode 100644
index 00000000000..bc59a56b960
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightWhite6.png differ
diff --git a/Workbooks/Images/Preview/CorelightWhite7.png b/Workbooks/Images/Preview/CorelightWhite7.png
new file mode 100644
index 00000000000..aab83ec694b
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightWhite7.png differ
diff --git a/Workbooks/Images/Preview/CorelightWhite8.png b/Workbooks/Images/Preview/CorelightWhite8.png
new file mode 100644
index 00000000000..a523921cbb6
Binary files /dev/null and b/Workbooks/Images/Preview/CorelightWhite8.png differ
diff --git a/Workbooks/Images/Preview/Data_Latency_Black.png b/Workbooks/Images/Preview/Data_Latency_Black.png
new file mode 100644
index 00000000000..650d4f1f9c1
Binary files /dev/null and b/Workbooks/Images/Preview/Data_Latency_Black.png differ
diff --git a/Workbooks/Images/Preview/Data_Latency_White.png b/Workbooks/Images/Preview/Data_Latency_White.png
new file mode 100644
index 00000000000..1ba166889b7
Binary files /dev/null and b/Workbooks/Images/Preview/Data_Latency_White.png differ
diff --git a/Workbooks/Images/Preview/MimecastAuditBlack.png b/Workbooks/Images/Preview/MimecastAuditBlack.png
new file mode 100644
index 00000000000..fe717922414
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastAuditBlack.png differ
diff --git a/Workbooks/Images/Preview/MimecastAuditWhite.png b/Workbooks/Images/Preview/MimecastAuditWhite.png
new file mode 100644
index 00000000000..2ac81e15b34
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastAuditWhite.png differ
diff --git a/Workbooks/Images/Preview/MimecastAwarenessTrainingBlack1.png b/Workbooks/Images/Preview/MimecastAwarenessTrainingBlack1.png
new file mode 100644
index 00000000000..991b4b0b48f
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastAwarenessTrainingBlack1.png differ
diff --git a/Workbooks/Images/Preview/MimecastAwarenessTrainingBlack2.png b/Workbooks/Images/Preview/MimecastAwarenessTrainingBlack2.png
new file mode 100644
index 00000000000..a9d73534263
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastAwarenessTrainingBlack2.png differ
diff --git a/Workbooks/Images/Preview/MimecastAwarenessTrainingBlack3.png b/Workbooks/Images/Preview/MimecastAwarenessTrainingBlack3.png
new file mode 100644
index 00000000000..6226cd6225f
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastAwarenessTrainingBlack3.png differ
diff --git a/Workbooks/Images/Preview/MimecastAwarenessTrainingWhite1.png b/Workbooks/Images/Preview/MimecastAwarenessTrainingWhite1.png
new file mode 100644
index 00000000000..3959d1371b5
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastAwarenessTrainingWhite1.png differ
diff --git a/Workbooks/Images/Preview/MimecastAwarenessTrainingWhite2.png b/Workbooks/Images/Preview/MimecastAwarenessTrainingWhite2.png
new file mode 100644
index 00000000000..6c930402ef3
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastAwarenessTrainingWhite2.png differ
diff --git a/Workbooks/Images/Preview/MimecastAwarenessTrainingWhite3.png b/Workbooks/Images/Preview/MimecastAwarenessTrainingWhite3.png
new file mode 100644
index 00000000000..423c5b9803d
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastAwarenessTrainingWhite3.png differ
diff --git a/Workbooks/Images/Preview/MimecastCIBlack.png b/Workbooks/Images/Preview/MimecastCIBlack.png
new file mode 100644
index 00000000000..9ab15cf8ca7
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastCIBlack.png differ
diff --git a/Workbooks/Images/Preview/MimecastCIWhite.png b/Workbooks/Images/Preview/MimecastCIWhite.png
new file mode 100644
index 00000000000..5902bc28a5e
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastCIWhite.png differ
diff --git a/Workbooks/Images/Preview/MimecastDLPBlack.png b/Workbooks/Images/Preview/MimecastDLPBlack.png
new file mode 100644
index 00000000000..33b64e2bb60
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastDLPBlack.png differ
diff --git a/Workbooks/Images/Preview/MimecastDLPWhite.png b/Workbooks/Images/Preview/MimecastDLPWhite.png
new file mode 100644
index 00000000000..1e663d3a202
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastDLPWhite.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGBlack1.png b/Workbooks/Images/Preview/MimecastSEGBlack1.png
new file mode 100644
index 00000000000..f871843278c
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGBlack1.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGBlack2.png b/Workbooks/Images/Preview/MimecastSEGBlack2.png
new file mode 100644
index 00000000000..f00c01b5748
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGBlack2.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGBlack3.png b/Workbooks/Images/Preview/MimecastSEGBlack3.png
new file mode 100644
index 00000000000..bf305b4b827
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGBlack3.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGBlack4.png b/Workbooks/Images/Preview/MimecastSEGBlack4.png
new file mode 100644
index 00000000000..2ba78c995fd
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGBlack4.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGBlack5.png b/Workbooks/Images/Preview/MimecastSEGBlack5.png
new file mode 100644
index 00000000000..cf34b291dc4
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGBlack5.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGBlack6.png b/Workbooks/Images/Preview/MimecastSEGBlack6.png
new file mode 100644
index 00000000000..5550cc6b0a5
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGBlack6.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGBlack7.png b/Workbooks/Images/Preview/MimecastSEGBlack7.png
new file mode 100644
index 00000000000..c5357120cce
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGBlack7.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGBlack8.png b/Workbooks/Images/Preview/MimecastSEGBlack8.png
new file mode 100644
index 00000000000..2656cd47933
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGBlack8.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGWhite1.png b/Workbooks/Images/Preview/MimecastSEGWhite1.png
new file mode 100644
index 00000000000..f824bcce67f
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGWhite1.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGWhite2.png b/Workbooks/Images/Preview/MimecastSEGWhite2.png
new file mode 100644
index 00000000000..eb480b25baa
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGWhite2.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGWhite3.png b/Workbooks/Images/Preview/MimecastSEGWhite3.png
new file mode 100644
index 00000000000..49c121949ca
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGWhite3.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGWhite4.png b/Workbooks/Images/Preview/MimecastSEGWhite4.png
new file mode 100644
index 00000000000..1e52508f9e6
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGWhite4.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGWhite5.png b/Workbooks/Images/Preview/MimecastSEGWhite5.png
new file mode 100644
index 00000000000..d5c24b438cd
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGWhite5.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGWhite6.png b/Workbooks/Images/Preview/MimecastSEGWhite6.png
new file mode 100644
index 00000000000..ce78941098a
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGWhite6.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGWhite7.png b/Workbooks/Images/Preview/MimecastSEGWhite7.png
new file mode 100644
index 00000000000..ad4158c2544
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGWhite7.png differ
diff --git a/Workbooks/Images/Preview/MimecastSEGWhite8.png b/Workbooks/Images/Preview/MimecastSEGWhite8.png
new file mode 100644
index 00000000000..c3e0a356b4e
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastSEGWhite8.png differ
diff --git a/Workbooks/Images/Preview/MimecastTTPBlack1.png b/Workbooks/Images/Preview/MimecastTTPBlack1.png
new file mode 100644
index 00000000000..57a919e0284
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastTTPBlack1.png differ
diff --git a/Workbooks/Images/Preview/MimecastTTPBlack2.png b/Workbooks/Images/Preview/MimecastTTPBlack2.png
new file mode 100644
index 00000000000..ec81ea65bd9
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastTTPBlack2.png differ
diff --git a/Workbooks/Images/Preview/MimecastTTPBlack3.png b/Workbooks/Images/Preview/MimecastTTPBlack3.png
new file mode 100644
index 00000000000..66d1ac6b40f
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastTTPBlack3.png differ
diff --git a/Workbooks/Images/Preview/MimecastTTPWhite1.png b/Workbooks/Images/Preview/MimecastTTPWhite1.png
new file mode 100644
index 00000000000..c1608ef8157
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastTTPWhite1.png differ
diff --git a/Workbooks/Images/Preview/MimecastTTPWhite2.png b/Workbooks/Images/Preview/MimecastTTPWhite2.png
new file mode 100644
index 00000000000..ec2673fb528
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastTTPWhite2.png differ
diff --git a/Workbooks/Images/Preview/MimecastTTPWhite3.png b/Workbooks/Images/Preview/MimecastTTPWhite3.png
new file mode 100644
index 00000000000..24093f9975e
Binary files /dev/null and b/Workbooks/Images/Preview/MimecastTTPWhite3.png differ
diff --git a/Workbooks/Images/Preview/Syslog_Bifurcation_Black.png b/Workbooks/Images/Preview/Syslog_Bifurcation_Black.png
new file mode 100644
index 00000000000..26fd69e1f56
Binary files /dev/null and b/Workbooks/Images/Preview/Syslog_Bifurcation_Black.png differ
diff --git a/Workbooks/Images/Preview/Syslog_Bifurcation_White.png b/Workbooks/Images/Preview/Syslog_Bifurcation_White.png
new file mode 100644
index 00000000000..ae362f51f80
Binary files /dev/null and b/Workbooks/Images/Preview/Syslog_Bifurcation_White.png differ
diff --git a/Workbooks/Images/Preview/User_Analytics_Black.png b/Workbooks/Images/Preview/User_Analytics_Black.png
new file mode 100644
index 00000000000..5e6970ba55e
Binary files /dev/null and b/Workbooks/Images/Preview/User_Analytics_Black.png differ
diff --git a/Workbooks/Images/Preview/User_Analytics_White.png b/Workbooks/Images/Preview/User_Analytics_White.png
new file mode 100644
index 00000000000..8fd7b14baa3
Binary files /dev/null and b/Workbooks/Images/Preview/User_Analytics_White.png differ
diff --git a/Workbooks/Syslog-Bifurcation.json b/Workbooks/Syslog-Bifurcation.json
new file mode 100644
index 00000000000..a647f3c87f9
--- /dev/null
+++ b/Workbooks/Syslog-Bifurcation.json
@@ -0,0 +1,751 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "## Data Ingestion Comparison Hourly\n---\n" + }, + "name": "text - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where TimeGenerated > ago(1d)\r\n| summarize Size = sum(_BilledSize)\r\n| extend GB = Size/1073741824", + "size": 4, + "title": "Syslog - 24Hr", + "noDataMessage": "No Datra found", + "noDataMessageStyle": 3, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000 + }, + "sortBy": [] + }, + "customWidth": "28", + "name": "query - 11", + "styleSettings": { + "maxWidth": "28" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where TimeGenerated >= ago(30d)\r\n| project TimeGenerated,Computer\r\n| sort by TimeGenerated desc\r\n| take 1", + "size": 4, + "title": "Syslog Last log Received", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 1 + } + }, + "customWidth": "34", + "name": "query - 15", + "styleSettings": { + "maxWidth": "34" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where TimeGenerated >= ago(30d)\r\n| extend Day = bin(TimeGenerated,1d)\r\n| extend Quantity = _BilledSize\r\n| project Day,Quantity,TimeGenerated,Computer\r\n| sort by TimeGenerated desc\r\n| summarize EventCount = sum(Quantity) by Day\r\n| extend GB = EventCount/1073741824\r\n", + "size": 0, + "title": "Daily Ingestion - Syslog", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "GB", + "formatter": 8, + "formatOptions": { + "palette": "greenRed" + } + } + ], + "sortBy": [ + { + "itemKey": "Day", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "Day", + "sortOrder": 2 + } + ] + }, + "customWidth": "38", + "name": 
"query - 23", + "styleSettings": { + "maxWidth": "38" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where TimeGenerated > ago(30d)\r\n| extend Day = bin(TimeGenerated,1d)\r\n| extend Quantity = _BilledSize\r\n| project Day,Quantity,TimeGenerated,Computer\r\n| sort by TimeGenerated desc\r\n| summarize IngestionVolume_bytes= sum(Quantity) by Day, Computer\r\n| extend GB = IngestionVolume_bytes/1073741824\r\n| sort by Day desc", + "size": 2, + "title": "Daily Ingestion - Syslog on the basis of Computer", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "GB", + "formatter": 8, + "formatOptions": { + "palette": "greenRed" + } + } + ], + "rowLimit": 10000 + } + }, + "customWidth": "60", + "name": "query - 23", + "styleSettings": { + "maxWidth": "60" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let AZ1 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"PA-VM-AZ1\" | sort by TimeGenerated desc | take 1;\r\nlet AZ2 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"PA-VM-AZ2\" | sort by TimeGenerated desc | take 1;\r\nlet AZ3 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"PA-VM-AZ3\" | sort by TimeGenerated desc | take 1;\r\nlet DHCP = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"DHCP_CL\" | sort by TimeGenerated desc | take 1;\r\nlet DHCP1 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"DHCP_CL\" | sort by TimeGenerated desc | take 1;\r\nlet AD = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD1 = Syslog | where Computer in (\"{Computername}\") | 
project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD2 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD3 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD4 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD5 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD6 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD7 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD8 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD9 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD10 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet AD11 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"Active Directory\" | sort by TimeGenerated desc | take 1;\r\nlet CisASA = Syslog | where Computer == \"{Computername}\" | project TimeGenerated,Computer,SourceName = \"Cisco ASA\" | sort by TimeGenerated desc | take 1;\r\nunion 
AZ1,AZ2,AZ3,DHCP,DHCP1,AD,AD1,AD2,AD3,AD4,AD5,AD5,AD6,AD7,AD7,AD8,AD9,AD10,AD11,CisASA\r\n| where TimeGenerated >= ago(30d)\r\n| sort by SourceName asc\r\n\r\n", + "size": 2, + "title": "Last Log Received", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "40", + "name": "query - 22", + "styleSettings": { + "maxWidth": "40" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where Computer in (\"{Computername}\")\r\n//| where Computer != \"{Computername}\"\r\n| where TimeGenerated > ago(1d)\r\n| summarize Size = sum(_BilledSize)\r\n| extend GB = Size/1073741824", + "size": 1, + "title": "Palo Alto for 24 Hours", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "GB", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueLight", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "EventCount", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + }, + "sortBy": [] + }, + "customWidth": "29", + "name": "query - 4", + "styleSettings": { + "maxWidth": "29" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where TimeGenerated >= ago(30d)\r\n| where Computer in (\"{Computername}\",\"{Computername}\")\r\n| extend Day = bin(TimeGenerated,1d)\r\n| extend Quantity = _BilledSize\r\n| project Day,Quantity,TimeGenerated,Computer\r\n| summarize EventCount= sum(Quantity) by Day\r\n| extend GB = EventCount/1073741824\r\n| sort by Day", + "size": 1, + "title": "Daily Ingestion - Palo Alto", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "GB", + "formatter": 8, + "formatOptions": { + "palette": 
"greenRed" + } + } + ], + "sortBy": [ + { + "itemKey": "Day", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "Day", + "sortOrder": 2 + } + ] + }, + "customWidth": "36", + "name": "query - 13", + "styleSettings": { + "maxWidth": "36" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let AZ1 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"PA-VM-AZ1\" | sort by TimeGenerated desc | take 1;\r\nlet AZ2 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"PA-VM-AZ2\" | sort by TimeGenerated desc | take 1;\r\nlet AZ3 = Syslog | where Computer in (\"{Computername}\") | project TimeGenerated,Computer,SourceName = \"PA-VM-AZ3\" | sort by TimeGenerated desc | take 1;\r\nunion AZ1,AZ2,AZ3\r\n| where TimeGenerated >= ago(30d)", + "size": 1, + "title": "Palo Alto", + "noDataMessage": "No datra found for 2 days", + "noDataMessageStyle": 3, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "sortBy": [ + { + "itemKey": "Computer", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "Computer", + "sortOrder": 1 + } + ] + }, + "customWidth": "34", + "name": "query - 14", + "styleSettings": { + "maxWidth": "34" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let AZ1 = Syslog | where Computer == \"{Computername}\" | where TimeGenerated >= ago(30d) | extend Day = bin(TimeGenerated,1d) | extend Quantity = _BilledSize |project Day,Quantity,TimeGenerated,Computer | summarize IngestionVolume_bytes= sum(Quantity) by Day | extend GB = IngestionVolume_bytes/1073741824 | extend SourceName = \"PA-VM-AZ1\" | sort by Day desc;\r\nlet AZ2 = Syslog | where Computer == \"{Computername}\" | where TimeGenerated >= ago(30d) | extend Day = bin(TimeGenerated,1d) | extend Quantity = _BilledSize |project Day,Quantity,TimeGenerated,Computer | summarize IngestionVolume_bytes= 
sum(Quantity) by Day | extend GB = IngestionVolume_bytes/1073741824 | extend SourceName = \"PA-VM-AZ2\" | sort by Day desc;\r\nlet AZ3 = Syslog | where Computer == \"{Computername}\" | where TimeGenerated >= ago(30d) | extend Day = bin(TimeGenerated,1d) | extend Quantity = _BilledSize |project Day,Quantity,TimeGenerated,Computer | summarize IngestionVolume_bytes= sum(Quantity) by Day | extend GB = IngestionVolume_bytes/1073741824 | extend SourceName = \"PA-VM-AZ3\" | sort by Day desc;\r\nunion AZ1,AZ2,AZ3\r\n| sort by Day desc ", + "size": 0, + "title": "Daily Ingestion Volume of Palo Alto - Segregated on the basis of machine", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "GB", + "formatter": 8, + "formatOptions": { + "palette": "greenRed" + } + }, + { + "columnMatch": "SourceName", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "PA-VM-AZ1", + "representation": "gray", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "PA-VM-AZ2", + "representation": "grayBlue", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "PA-VM-AZ3", + "representation": "turquoise", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blueLight", + "text": "{0}{1}" + } + ] + } + } + ], + "sortBy": [ + { + "itemKey": "$gen_heatmap_GB_2", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_heatmap_GB_2", + "sortOrder": 2 + } + ] + }, + "customWidth": "50", + "name": "query - 24", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where Computer == \"{Computername}\"\r\n| where TimeGenerated > ago(30d)\r\n| summarize Size = sum(_BilledSize),EventCount = count() by bin(TimeGenerated, 1d)\r\n| extend GB = Size/1073741824\r\n| project 
TimeGenerated,GB,EventCount", + "size": 1, + "title": "PA-VM-AZ1", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "GB", + "formatter": 8, + "formatOptions": { + "palette": "brown" + } + }, + { + "columnMatch": "Size_GB", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ], + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "customWidth": "50", + "name": "query - 8", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where Computer == \"{Computername}\"\r\n| where TimeGenerated > ago(30d)\r\n| project TimeGenerated,Computer\r\n| sort by TimeGenerated desc\r\n| take 1", + "size": 4, + "title": "PA-VM-AZ1 - Last Log Received", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "sortBy": [] + }, + "customWidth": "35", + "name": "query - 16", + "styleSettings": { + "maxWidth": "35" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n|where Computer == \"{Computername}\"\r\n| where TimeGenerated > ago(30d)\r\n| summarize Size = sum(_BilledSize),EventCount = count() by bin(TimeGenerated, 1d)\r\n| extend GB = Size/1073741824\r\n| project TimeGenerated,GB,EventCount", + "size": 1, + "title": "PA-VM-AZ2", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "GB", + "formatter": 8, + "formatOptions": { + "palette": "yellow" + } + }, + { + "columnMatch": "Size_GB", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ], + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "customWidth": "50", + "name": "query - 
10", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n|where Computer == \"{Computername}\"\r\n| where TimeGenerated > ago(30d)\r\n| project TimeGenerated,Computer\r\n| sort by TimeGenerated desc\r\n| take 1", + "size": 4, + "title": "PA-VM-AZ2 - Last Log Received", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "35", + "name": "query - 17", + "styleSettings": { + "maxWidth": "35" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where Computer == \"{Computername}\"\r\n| where TimeGenerated > ago(30d)\r\n| summarize Size = sum(_BilledSize),EventCount = count() by bin(TimeGenerated, 1d)\r\n| extend GB = Size/1073741824\r\n| project TimeGenerated,GB,EventCount", + "size": 1, + "title": "\t PA-VM-AZ3", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "GB", + "formatter": 8, + "formatOptions": { + "palette": "magenta" + } + }, + { + "columnMatch": "Size_GB", + "formatter": 8, + "formatOptions": { + "palette": "blue" + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 9", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where Computer == \"{Computername}\"\r\n| where TimeGenerated > ago(30d)\r\n| project TimeGenerated,Computer\r\n| sort by TimeGenerated desc\r\n| take 1", + "size": 4, + "title": "PA-VM-AZ3 - Last Log Received", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "35", + "name": "query - 18", + "styleSettings": { + "maxWidth": "35" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where HostName in (\"{Computername}\" , \"{Computername}\")\r\n| where TimeGenerated > ago(30d)\r\n| summarize Size = 
sum(_BilledSize),EventCount = count() by bin(TimeGenerated, 1d)\r\n| extend GB = Size/1073741824\r\n| project TimeGenerated,GB,EventCount", + "size": 1, + "title": "DHCP", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "GB", + "formatter": 8, + "formatOptions": { + "palette": "greenRed" + } + } + ], + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "customWidth": "50", + "name": "query - 5", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where HostName in (\"{Computername}\" , \"{Computername}\")\r\n| where TimeGenerated > ago(30d)\r\n| project TimeGenerated,Computer\r\n| sort by TimeGenerated desc\r\n| take 1", + "size": 4, + "title": "DHCP - Last Log Received", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "35", + "name": "query - 19", + "styleSettings": { + "maxWidth": "35" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where Computer in (\"{Computername}\",\"{Computername}\",\"{Computername}\",\"{Computername}\",\"{Computername}\",\"{Computername}\")\r\n| where TimeGenerated > ago(30d)\r\n| summarize Size = sum(_BilledSize),EventCount = count() by bin(TimeGenerated, 1d)\r\n| extend GB = Size/1073741824\r\n| project TimeGenerated,GB,EventCount", + "size": 1, + "title": "Active Directory", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "EventCount", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + } + ], + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": 
"TimeGenerated", + "sortOrder": 2 + } + ] + }, + "customWidth": "50", + "name": "query - 6", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where Computer in (\"{Computername}\",\"{Computername}\",\"{Computername}\",\"{Computername}\",\"{Computername}\",\"{Computername}\")\r\n| where TimeGenerated >= ago(30d)\r\n| project TimeGenerated,Computer\r\n| sort by TimeGenerated desc\r\n| take 1", + "size": 4, + "title": "Active Directory - Last Log Received", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "38", + "name": "query - 20", + "styleSettings": { + "maxWidth": "38" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where Computer == \"{Computername}\"\r\n| where EventTime > ago(30d)\r\n| summarize Size = sum(_BilledSize),EventCount = count() by bin(TimeGenerated, 1d)\r\n| extend GB = Size/1073741824\r\n| project TimeGenerated,GB,EventCount\r\n", + "size": 0, + "title": "CiscoASA", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "EventCount", + "formatter": 8, + "formatOptions": { + "palette": "red" + } + } + ], + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "customWidth": "50", + "name": "query - 7", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "Syslog\r\n| where Computer == \"{Computername}\"\r\n| where TimeGenerated >= ago(30d)\r\n| project TimeGenerated, Computer\r\n| sort by TimeGenerated desc\r\n| take 1", + "size": 4, + "title": "CiscoASA - Last Log Received", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "35", + "name": 
"query - 21", + "styleSettings": { + "maxWidth": "35" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "union *\r\n| project TimeGenerated, TableName = Type\r\n| summarize by TableName\r\n| sort by TableName asc\r\n//| where TableName contains \"AuditLogs\"\r\n//| sort by TimeGenerated desc\r\n//| take 1", + "size": 0, + "showRefreshButton": true, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "TableName", + "parameterName": "TableName", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 25" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let TableName_ = dynamic({TableName});\r\nunion *\r\n| project TimeGenerated, TableName = Type\r\n| where TableName in (TableName_)\r\n| sort by TimeGenerated desc\r\n| take 1", + "size": 0, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 26" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//let TableName = \"OfficeActivity,Heartbeat,SentinelHealth,AADServicePrincipalSignLogs,SecurityAlert,SecurityIncident,Usage\"\r\nlet TableName_ = dynamic({TableName});\r\nunion withsource=_TableName *\r\n| where TimeGenerated > ago(24h) // Change the time range to 6 hours\r\n//| extend Hour = bin(TimeGenerated, 1h) // Bin the time into hours\r\n| summarize\r\n Entries = count(),\r\n Size = sum(_BilledSize),\r\n last_log = datetime_diff(\"second\", now(), max(TimeGenerated)),\r\n estimate = sumif(_BilledSize, _IsBillable == true)\r\n by _TableName, _IsBillable,TimeGenerated\r\n| project\r\n TimeGenerated,\r\n //['Hour'] = Hour,\r\n ['TableName'] = _TableName,\r\n ['Table Size'] = Size,\r\n ['Table Entries'] = Entries,\r\n ['Size per Entry'] = 1.0 * Size / Entries,\r\n ['IsBillable'] = _IsBillable\r\n| order by TimeGenerated, ['Table Size'] 
desc,['TableName']\r\n| sort by TimeGenerated desc \r\n| project TimeGenerated,['TableName'] \r\n| where ['TableName'] contains TableName_\r\n| summarize by ['TableName'], TimeGenerated\r\n\r\n", + "size": 0, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "rowLimit": 10000, + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "customWidth": "30", + "name": "query - 3", + "styleSettings": { + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let TableName_ = dynamic({TableName});\r\nunion withsource=_TableName *\r\n| where TimeGenerated > ago(30d) // Change the time range to 6 hours\r\n| extend DateTime = bin(TimeGenerated, 1h) // Bin the time into hours\r\n| summarize\r\n Entries = count(),\r\n Size = sum(_BilledSize),\r\n last_log = datetime_diff(\"second\", now(), max(TimeGenerated)),\r\n estimate = sumif(_BilledSize, _IsBillable == true)\r\n by DateTime, _TableName, _IsBillable\r\n| project\r\n ['DateTime'] = DateTime,\r\n ['Table Name'] = _TableName,\r\n ['Table Size'] = Size,\r\n ['Table Entries'] = Entries,\r\n ['Size per Entry'] = 1.0 * Size / Entries,\r\n ['IsBillable'] = _IsBillable\r\n| order by DateTime , ['Table Size'] desc\r\n| where ['Table Name'] contains tostring(TableName_)\r\n| extend PreviousSize = prev(['Table Size'],1)\r\n| extend SizeChange = ['Table Size'] - PreviousSize\r\n| project PreviousSize, ['Table Name'], DateTime, TableSize = SizeChange\r\n| project-away PreviousSize\r\n", + "size": 0, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "sortBy": [] + }, + "customWidth": "30", + "name": "query - 2", + "styleSettings": { + "maxWidth": "30" + } + } + ], + "fallbackResourceIds": [ + "" + ], + "fromTemplateId": "sentinel-syslog-bifurcation", + "$schema": 
"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
diff --git a/Workbooks/User_Analytics_Workbook.json b/Workbooks/User_Analytics_Workbook.json
new file mode 100644
index 00000000000..904ac90bf6e
--- /dev/null
+++ b/Workbooks/User_Analytics_Workbook.json
@@ -0,0 +1,556 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "## User Analytics and Discovery" + }, + "name": "text - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "IdentityInfo \n| extend UserPrincipalName = AccountUPN\n| extend UserDisplayName = AccountDisplayName\n| summarize by UserDisplayName,UserPrincipalName\n| sort by UserDisplayName asc", + "size": 0, + "title": "Select User", + "timeContext": { + "durationMs": 2592000000 + }, + "exportMultipleValues": true, + "exportedParameters": [ + { + "fieldName": "UserPrincipalName", + "parameterName": "UserPrincipalName", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Identity", + "formatter": 0, + "numberFormat": { + "unit": 0, + "options": { + "style": "decimal" + } + }, + "tooltipFormat": {} + } + ], + "rowLimit": 10000, + "filter": true + } + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIdentityInfo\r\n| where TimeGenerated >= ago(90d)\r\n| extend UserPrincipalName = AccountUPN\r\n| extend UserDisplayName = AccountDisplayName\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| project-away 
Department,EmployeeId,JobTitle,MailAddress,Manager,CompanyName,Phone,IsAccountEnabled,SourceSystem,TenantId,\t\r\nAccountName,BlastRadius,RiskState,RiskLevelDetails,AccountDomain,AccountSID,TimeGenerated,AccountUPN,AccountObjectId,AccountTenantId,GivenName,Surname,OnPremisesAccountObjectId,OnPremisesExtensionAttributes,Tags,AccountCreationTime,InvestigationPriority,OnPremisesDistinguishedName,InvestigationPriorityPercentile,RiskLevel,AdditionalMailAddresses,AssignedRoles,StreetAddress,City,Country,State,IsServiceAccount,DeletedDateTime,RelatedAccounts,LastSeenDate,UACFlags,UserState,AccountDisplayName,UserAccountControl,EntityRiskScore,ServicePrincipals,Applications,UserStateChangedOn,UserType,ExtensionProperty,IsMFARegistered,AccountCloudSID,Type,UserPrincipalName,ChangeSource\r\n| project GroupMembership,UserDisplayName\r\n| take 1\r\n", + "size": 0, + "title": "User Group Membership", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "sortBy": [], + "tileSettings": { + "showBorder": false + } + }, + "customWidth": "50", + "name": "query - 14", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIdentityInfo\r\n| where TimeGenerated >= ago(90d)\r\n| extend UserPrincipalName = AccountUPN\r\n| extend UserDisplayName = AccountDisplayName\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| project UserDisplayName,Department,EmployeeId,JobTitle,MailAddress,Manager,CompanyName,Phone,IsAccountEnabled,SourceSystem,TimeGenerated\r\n| summarize by TimeGenerated,UserDisplayName,Department,EmployeeId,JobTitle,MailAddress,Manager,CompanyName,Phone,IsAccountEnabled,SourceSystem\r\n| take 1", + "size": 4, + "title": "User Details", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "30", + "name": "query - 13", + "styleSettings": { + 
"maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nSigninLogs\r\n| where TimeGenerated >= ago(90d)\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| extend DeviceBrowser = tostring(DeviceDetail.browser)\r\n| extend DeviceId = tostring(DeviceDetail.deviceId)\r\n| extend DeviceDisplayName = tostring(DeviceDetail.displayName)\r\n| extend DeviceOperatingSystem = tostring(DeviceDetail.operatingSystem)\r\n| extend DeviceTrustType = tostring(DeviceDetail.trustType)\r\n| extend DeviceIsManaged = tostring(DeviceDetail.isManaged)\r\n| extend City = tostring(LocationDetails.city)\r\n| extend CountryOrRegion = tostring(LocationDetails.countryOrRegion)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend StatusAdditionalDetails = tostring(Status.additionalDetails)\r\n| extend StatusFailureReason = tostring(Status.failureReason)\r\n| project TimeGenerated,OperationName,UserDisplayName,UserPrincipalName,IPAddress,UserType,UserId,AuthenticationRequirement,AppDisplayName,AppId, ClientAppUsed, Location, RiskDetail,RiskState,IsRisky,RiskLevelDuringSignIn,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,City,State,StatusAdditionalDetails,StatusFailureReason,AutonomousSystemNumber,CrossTenantAccessType\r\n| summarize by UserDisplayName,RiskDetail,RiskState,IsRisky,RiskLevelDuringSignIn\r\n//| project-away TimeGenerated,OperationName,UserPrincipalName,IPAddress,UserType,UserId,AuthenticationRequirement,AppDisplayName,AppId, ClientAppUsed, Location,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,City,State,StatusAdditionalDetails,StatusFailureReason,AutonomousSystemNumber,CrossTenantAccessType", + "size": 4, + "title": "User Risky Details", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "30", + 
"name": "query - 10", + "styleSettings": { + "margin": "50", + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nSigninLogs\r\n| where TimeGenerated >= ago(1d)\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| extend DeviceBrowser = tostring(DeviceDetail.browser)\r\n| extend DeviceId = tostring(DeviceDetail.deviceId)\r\n| extend DeviceDisplayName = tostring(DeviceDetail.displayName)\r\n| extend DeviceOperatingSystem = tostring(DeviceDetail.operatingSystem)\r\n| extend DeviceTrustType = tostring(DeviceDetail.trustType)\r\n| extend DeviceIsManaged = tostring(DeviceDetail.isManaged)\r\n| extend City = tostring(LocationDetails.city)\r\n| extend CountryOrRegion = tostring(LocationDetails.countryOrRegion)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend StatusAdditionalDetails = tostring(Status.additionalDetails)\r\n| extend StatusFailureReason = tostring(Status.failureReason)\r\n| project TimeGenerated,OperationName,UserDisplayName,UserPrincipalName,IPAddress,UserType,UserId,AuthenticationRequirement,AppDisplayName,AppId, ClientAppUsed, Location, RiskDetail,RiskState,IsRisky,RiskLevelDuringSignIn,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,City,State,StatusAdditionalDetails,StatusFailureReason,AutonomousSystemNumber,CrossTenantAccessType\r\n| summarize by UserDisplayName,DeviceDisplayName,DeviceId,DeviceTrustType\r\n//| project-away TimeGenerated,OperationName,UserPrincipalName,IPAddress,UserType,UserId,AuthenticationRequirement,AppDisplayName,AppId, ClientAppUsed, Location,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,City,State,StatusAdditionalDetails,StatusFailureReason,AutonomousSystemNumber,CrossTenantAccessType,DeviceDisplayName,DeviceOperatingSystem", + "size": 4, + "title": "User Sign In - Device Details", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces" + }, + "customWidth": "40", + "name": "query - 11", + "styleSettings": { + "maxWidth": "40" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nAuditLogs\r\n| where TimeGenerated > ago(30d)\r\n| where ActivityDisplayName == \"Add member to role\"\r\n| where Identity ==\"Microsoft Office 365 Portal\"\r\n| extend Initiator = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\r\n| extend TargetResource = tostring(TargetResources[0].userPrincipalName)\r\n| where TargetResource contains tostring(UserPrincipalName_)\r\n| extend RoleAssigned = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))\r\n| extend RoleAssigned1 = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[2].oldValue)))\r\n| project TimeGenerated , OperationName, Identity , TargetResource , Initiator , UserPrincipalName_ , RoleAssigned , RoleAssigned1 \r\n", + "size": 4, + "showAnalytics": true, + "title": "Recent Roles Assigned to User", + "noDataMessage": "No Results for Selected User", + "noDataMessageStyle": 3, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "UserPrincipal", + "comparison": "isNotEqualTo", + "value": "None" + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nSigninLogs\r\n| where TimeGenerated >= ago(24h)\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| extend DeviceBrowser = tostring(DeviceDetail.browser)\r\n| extend DeviceId = tostring(DeviceDetail.deviceId)\r\n| extend DeviceDisplayName = tostring(DeviceDetail.displayName)\r\n| extend DeviceOperatingSystem = tostring(DeviceDetail.operatingSystem)\r\n| extend DeviceTrustType = 
tostring(DeviceDetail.trustType)\r\n| extend DeviceIsManaged = tostring(DeviceDetail.isManaged)\r\n| extend City = tostring(LocationDetails.city)\r\n| extend CountryOrRegion = tostring(LocationDetails.countryOrRegion)\r\n| extend State = tostring(LocationDetails.state)\r\n| extend StatusAdditionalDetails = tostring(Status.additionalDetails)\r\n| extend StatusFailureReason = tostring(Status.failureReason)\r\n| project TimeGenerated,OperationName,UserDisplayName,UserPrincipalName,IPAddress,UserType,UserId,AuthenticationRequirement,AppDisplayName,AppId, ClientAppUsed, Location, RiskDetail,RiskState,IsRisky,RiskLevelDuringSignIn,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,City,State,StatusAdditionalDetails,StatusFailureReason,AutonomousSystemNumber,CrossTenantAccessType\r\n//| summarize by UserDisplayName,UserPrincipalName\r\n| project-away UserPrincipalName,RiskDetail,RiskState,IsRisky,RiskLevelDuringSignIn,DeviceDisplayName,DeviceBrowser,DeviceId,DeviceOperatingSystem,DeviceTrustType,CrossTenantAccessType,AutonomousSystemNumber,AppId,AuthenticationRequirement,UserId", + "size": 1, + "title": "User Sign In Activity", + "noDataMessage": "No Results for Selected User", + "noDataMessageStyle": 3, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "StatusFailureReason", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "contains", + "thresholdValue": "Device Authentication Required ", + "representation": "4", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Strong Authentication is required.", + "representation": "2", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Access has been blocked due to conditional access policies.", + "representation": "1", + "text": "{0}{1}" + }, + { + "operator": "contains", + "thresholdValue": "Flow token expired", + 
"representation": "1", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "Unknown", + "text": "{0}{1}" + } + ] + } + } + ], + "sortBy": [ + { + "itemKey": "OperationName", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "OperationName", + "sortOrder": 2 + } + ] + }, + "name": "query - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nBehaviorAnalytics\r\n//search 'UserPrincipalName_'\r\n| where TimeGenerated >= ago(1d)\r\n| where UserPrincipalName contains UserPrincipalName_\r\n| extend AccountDomain_ = tostring(UsersInsights.AccountDomain)\r\n| extend AccountObjectID_ = tostring(UsersInsights.AccountObjectID)\r\n| extend OnPremisesSID_ = tostring(UsersInsights.OnPremisesSID)\r\n| extend App_ = tostring(ActivityInsights.App)\r\n| extend CountryUncommonlyConnectedFromInTenant_ = tostring(ActivityInsights.CountryUncommonlyConnectedFromInTenant)\r\n| extend FirstTimeDeviceObservedInTenant_ = tostring(ActivityInsights.FirstTimeDeviceObservedInTenant)\r\n| extend FirstTimeUserAccessedResource_ = tostring(ActivityInsights.FirstTimeUserAccessedResource)\r\n| extend FirstTimeUserConnectedFromCountry_ = tostring(ActivityInsights.FirstTimeUserConnectedFromCountry)\r\n| extend FirstTimeUserUsedApp_ = tostring(ActivityInsights.FirstTimeUserUsedApp)\r\n| extend Resource_ = tostring(ActivityInsights.Resource)\r\n| project TimeGenerated,ActivityType,ActionType,UserName,SourceIPAddress,SourceIPLocation,SourceDevice,AccountDomain_,AccountObjectID_,OnPremisesSID_ ,App_,Resource_,InvestigationPriority\r\n//AppIdUncommonlyAccessedInTenant_,CountryUncommonlyConnectedFromInTenant_,FirstTimeDeviceObservedInTenant_,FirstTimeUserAccessedResource_ ,FirstTimeUserConnectedFromCountry_,FirstTimeUserUsedApp_,", + "size": 0, + "title": "User Behaviour Analysis", + "noDataMessage": "No Results for Selected User", + "noDataMessageStyle": 3, + 
"queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "ActivityType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "FailedLogOn", + "representation": "Sev0", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "ActionType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Device Authentication Required", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Flow token expired - Authentication Failed", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Sign-in", + "representation": "green", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Access has been blocked due to conditional access policies", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "User did not pass the MFA challenge", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "User did not pass the MFA challenge (non interactive)", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": null, + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "InvestigationPriority", + "formatter": 8, + "formatOptions": { + "palette": "greenRed" + } + } + ], + "sortBy": [ + { + "itemKey": "$gen_thresholds_ActionType_2", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": 
"$gen_thresholds_ActionType_2", + "sortOrder": 1 + } + ] + }, + "name": "query - 12" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nSigninLogs\r\n| where TimeGenerated > ago(30d) \r\n| where UserPrincipalName contains tostring(UserPrincipalName_)\r\n| extend City = tostring(LocationDetails.city)\r\n| extend Country = tostring(LocationDetails.countryOrRegion)\r\n| extend State = tostring(LocationDetails.state)\r\n| summarize arg_max(TimeGenerated, SourceSystem ,City,Country,State, AppDisplayName,IPAddress,ConditionalAccessStatus, DeviceDetail,UserType) by Identity\r\n\r\n", + "size": 4, + "title": "User Recent Log In Details", + "noDataMessage": "No data for selected user", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 8" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIdentityInfo \r\n| where AccountUPN contains UserPrincipalName_\r\n| extend Role1 = tostring(AssignedRoles[0])\r\n| extend Role2= tostring(AssignedRoles[1])\r\n| extend Role3 = tostring(AssignedRoles[2])\r\n| extend Role4 = tostring(AssignedRoles[3])\r\n| extend Role5= tostring(AssignedRoles[4])\r\n| extend Role6 = tostring(AssignedRoles[5])\r\n| extend Role7 = tostring(AssignedRoles[6])\r\n| summarize arg_max ( AccountUPN , Role1, Role2 , Role3 , Role4 ,Role5 , Role6 , Role7 , AssignedRoles) by AccountName", + "size": 0, + "showAnalytics": true, + "title": "Active Directory Roles Assigned to User", + "noDataMessage": "No Information for User", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "AccountUPN", + "formatter": 18, + 
"formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "turquoise", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIdentityInfo \r\n| where TimeGenerated> ago(30d)\r\n| where AccountUPN contains UserPrincipalName_\r\n| extend Group1 = tostring(GroupMembership[0])\r\n| extend Group2= tostring(GroupMembership[1])\r\n| extend Group3 = tostring(GroupMembership[2])\r\n| extend Group4 = tostring(GroupMembership[3])\r\n| extend Group5 = tostring(GroupMembership[4])\r\n| extend Group6 = tostring(GroupMembership[5])\r\n| summarize arg_max(AccountUPN, Group1, Group2, Group3, Group4, Group5 , Group6 ) by AccountName", + "size": 0, + "title": "User Group Info", + "noDataMessage": "No data Available for User", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "AccountUPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "representation": "turquoise", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "turquoise", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIntuneDevices\r\n| where TimeGenerated> ago(30d)\r\n| where isnotempty(UPN)\r\n| where UPN contains UserPrincipalName_\r\n| summarize arg_max(OperationName , UPN , LastContact , OSVersion ,OS, SerialNumber, CompliantState ,Ownership, ManagedBy ,Model, Manufacturer , DeviceState , IMEI , JoinType, WifiMacAddress) by 
DeviceName", + "size": 0, + "title": "User Device ", + "noDataMessage": "No results for Selected User", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 8640000000, + "endTime": "2023-01-09T10:17:00.000Z" + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "UPN", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "turquoise", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "50", + "name": "query - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nIdentityInfo\r\n| where TimeGenerated> ago(30d)\r\n| where AccountUPN contains UserPrincipalName_\r\n| where isnotempty(RiskLevel)\r\n| where RiskLevel <> \"None\"\r\n| summarize arg_max(RiskState, RiskLevel) by AccountDisplayName ", + "size": 0, + "title": "Risk State of User", + "noDataMessage": "No Results for Selected User", + "noDataMessageStyle": 3, + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 7", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let UserPrincipalName_ = dynamic({UserPrincipalName});\r\nSecurityIncident\r\n| where TimeGenerated> ago(30d)\r\n| extend SystemAlertId = tostring(AlertIds[0])\r\n| extend AssignedTo_ = tostring(Owner.assignedTo)\r\n| summarize arg_max(TimeGenerated , *) by IncidentNumber\r\n| join SecurityAlert on SystemAlertId\r\n| extend EntityName = tostring(parse_json(Entities)[1].DisplayName)\r\n| where EntityName contains UserPrincipalName_\r\n| project TimeGenerated ,IncidentNumber,Severity, Title , Description ,AssignedTo_, EntityName, IncidentUrl", + "size": 0, 
+ "showAnalytics": true,
+ "title": "Recent Incident Related to User",
+ "noDataMessage": "No Results for Selected User",
+ "noDataMessageStyle": 3,
+ "timeContext": {
+ "durationMs": 2592000000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Severity",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "colors",
+ "thresholdsGrid": [
+ {
+ "operator": "==",
+ "thresholdValue": "Medium",
+ "representation": "orange",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "Low",
+ "representation": "yellow",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "==",
+ "thresholdValue": "High",
+ "representation": "red",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "thresholdValue": null,
+ "representation": "gray",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ },
+ {
+ "columnMatch": "IncidentUrl",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "Url"
+ }
+ }
+ ],
+ "filter": true
+ }
+ },
+ "name": "query - 3"
+ }
+ ],
+ "fallbackResourceIds": [
+ ""
+ ],
+ "fromTemplateId": "sentinel-user-analytics-workbook",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+ }
\ No newline at end of file
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index 34c13b3c0f8..6bb23bf2bc5 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -282,7 +282,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "PaloAltoNetworks",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -307,7 +306,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "PaloAltoNetworks",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -364,7 +362,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "Fortinet",
 "CefAma"
 ],
 "previewImagesFileNames": [
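Review bot: The `conditionalVisibility` on the "Recent Roles Assigned to User" tile tests a parameter named `UserPrincipal`, but the only parameter this workbook exports is `UserPrincipalName` (from the "Select User" grid), so the visibility rule never sees the selected value; it should read `"parameterName": "UserPrincipalName"`. In the same tile, `| where Identity ==\"Microsoft Office 365 Portal\"` restricts the role-assignment view to adds initiated through that one identity, so a role granted to the user by any other admin path is absent from a tile whose title promises the user's recent roles — consider dropping that filter and letting the already-projected `Identity` column show the source. The "User Device" tile pins `"timeContext": { "durationMs": 8640000000, "endTime": "2023-01-09T10:17:00.000Z" }`, a fixed absolute window that will not move with the workbook's time range, unlike every other tile here; `"timeContext": { "durationMs": 2592000000 }` would match its `ago(30d)` query. Finally, the per-tile `where UserPrincipalName contains UserPrincipalName_` filters are substring matches, so when the selected UPN is a prefix or suffix of another account's UPN that account's sign-ins, incidents and roles are attributed to the selected user; an equality or `in` comparison would bind each tile to the chosen identity, though how the multi-value parameter renders into `dynamic({UserPrincipalName})` is not visible here and should be verified before switching.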
@@ -1328,7 +1325,7 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "Fortinet"
+ "CefAma"
 ],
 "previewImagesFileNames": [
 "workbook-iotassetdiscovery-screenshot-Black.PNG",
@@ -3528,8 +3525,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "TrendMicroApexOne",
- "TrendMicroApexOneAma",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -3620,8 +3615,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "PaloAltoCDL",
- "PaloAltoCDLAma",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -3932,7 +3925,23 @@
 "CorelightMainBlack1.png",
 "CorelightMainWhite1.png",
 "CorelightSoftwareBlack1.png",
- "CorelightSoftwareWhite1.png"
+ "CorelightSoftwareWhite1.png",
+ "CorelightWhite1.png",
+ "CorelightWhite2.png",
+ "CorelightWhite3.png",
+ "CorelightWhite4.png",
+ "CorelightWhite5.png",
+ "CorelightWhite6.png",
+ "CorelightWhite7.png",
+ "CorelightWhite8.png",
+ "CorelightBlack1.png",
+ "CorelightBlack2.png",
+ "CorelightBlack3.png",
+ "CorelightBlack4.png",
+ "CorelightBlack5.png",
+ "CorelightBlack6.png",
+ "CorelightBlack7.png",
+ "CorelightBlack8.png"
 ],
 "version": "1.0.0",
 "title": "Corelight",
@@ -4389,8 +4398,6 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "CiscoSEG",
- "CiscoSEGAma",
 "CefAma"
 ],
 "previewImagesFileNames": [
@@ -5501,7 +5508,6 @@
 "WindowsForwardedEvents",
 "Zscaler",
 "MicrosoftSysmonForLinux",
- "PaloAltoNetworks",
 "AzureMonitor(VMInsights)",
 "AzureFirewall",
 "AzureNSG",
@@ -5509,7 +5515,6 @@
 "Corelight",
 "AIVectraStream",
 "CheckPoint",
- "Fortinet",
 "CiscoMeraki",
 "CefAma"
 ],
@@ -5646,169 +5651,169 @@
 "provider": "Microsoft Sentinel Community"
 },
 {
- "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC-Online",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.",
- "dataTypesDependencies": [
- "ESIExchangeOnlineConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnlineCollector"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineBlack.png",
- "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineWhite.png"
- ],
- "version": "1.1.0",
- "title": "Microsoft Exchange Least Privilege with RBAC - Online",
- "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. 
Required Data Connector: Exchange Security Insights On-Premises Collector.",
- "dataTypesDependencies": [
- "ESIExchangeConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnPremisesCollector",
- "ESI-ExchangeAdminAuditLogEvents"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeLeastPrivilegewithRBACBlack.png",
- "MicrosoftExchangeLeastPrivilegewithRBACWhite.png"
- ],
- "version": "1.0.1",
- "title": "Microsoft Exchange Least Privilege with RBAC",
- "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "MicrosoftExchangeSearchAdminAuditLog",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent.",
- "dataTypesDependencies": [
- "ESIExchangeConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnPremisesCollector",
- "ESI-ExchangeAdminAuditLogEvents"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeSearchAdminAuditLogBlack.png",
- "MicrosoftExchangeSearchAdminAuditLogWhite.png"
- ],
- "version": "1.0.1",
- "title": "Microsoft Exchange Search AdminAuditLog",
- "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "MicrosoftExchangeSearchAdminAuditLog-Online",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This workbook is dedicated to Online Exchange organizations. 
It uses the Office Activity logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Microsoft 365 (Exchange).",
- "dataTypesDependencies": [
- "OfficeActivity"
- ],
- "dataConnectorsDependencies": [
- "Office365"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeOnlineSearchAdminAuditLogBlack.png",
- "MicrosoftExchangeOnlineSearchAdminAuditLogWhite.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft Exchange Search AdminAuditLog - Online",
- "templateRelativePath": "Microsoft Exchange Search AdminAuditLog - Online.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "MicrosoftExchangeSecurityMonitoring",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. 
Required Data Connector: Exchange Audit Event logs via Legacy Agent.",
- "dataTypesDependencies": [
- "ESIExchangeConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnPremisesCollector",
- "ESI-ExchangeAdminAuditLogEvents"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeSecurityMonitoringBlack.png",
- "MicrosoftExchangeSecurityMonitoringWhite.png"
- ],
- "version": "1.0.1",
- "title": "Microsoft Exchange Admin Activity",
- "templateRelativePath": "Microsoft Exchange Admin Activity.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "MicrosoftExchangeAdminActivity-Online",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).",
- "dataTypesDependencies": [
- "OfficeActivity"
- ],
- "dataConnectorsDependencies": [
- "Office365"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeAdminActivity-OnlineBlack.png",
- "MicrosoftExchangeAdminActivity-OnlineWhite.png"
- ],
- "version": "1.0.0",
- "title": "Microsoft Exchange Online Admin Activity",
- "templateRelativePath": "Microsoft Exchange Admin Activity - Online.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "MicrosoftExchangeSecurityReview-Online",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook is dedicated to Exchange Online tenants. 
It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.",
- "dataTypesDependencies": [
- "ESIExchangeOnlineConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnlineCollector"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeSecurityReview-OnlineBlack.png",
- "MicrosoftExchangeSecurityReview-OnlineWhite.png"
- ],
- "version": "1.1.0",
- "title": "Microsoft Exchange Security Review - Online",
- "templateRelativePath": "Microsoft Exchange Security Review - Online.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
- {
- "workbookKey": "MicrosoftExchangeSecurityReview",
- "logoFileName": "Azure_Sentinel.svg",
- "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. 
Required Data Connector: Exchange Security Insights On-Premises Collector.",
- "dataTypesDependencies": [
- "ESIExchangeConfig_CL"
- ],
- "dataConnectorsDependencies": [
- "ESI-ExchangeOnPremisesCollector",
- "ESI-ExchangeAdminAuditLogEvents"
- ],
- "previewImagesFileNames": [
- "MicrosoftExchangeSecurityReviewBlack.png",
- "MicrosoftExchangeSecurityReviewWhite.png"
- ],
- "version": "1.0.1",
- "title": "Microsoft Exchange Security Review",
- "templateRelativePath": "Microsoft Exchange Security Review.json",
- "subtitle": "",
- "provider": "Microsoft"
- },
+ "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC-Online",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.",
+ "dataTypesDependencies": [
+ "ESIExchangeOnlineConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnlineCollector"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineBlack.png",
+ "MicrosoftExchangeLeastPrivilegewithRBAC-OnlineWhite.png"
+ ],
+ "version": "1.1.0",
+ "title": "Microsoft Exchange Least Privilege with RBAC - Online",
+ "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. 
This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. Required Data Connector: Exchange Security Insights On-Premises Collector.",
+ "dataTypesDependencies": [
+ "ESIExchangeConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeLeastPrivilegewithRBACBlack.png",
+ "MicrosoftExchangeLeastPrivilegewithRBACWhite.png"
+ ],
+ "version": "1.0.1",
+ "title": "Microsoft Exchange Least Privilege with RBAC",
+ "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSearchAdminAuditLog",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent.",
+ "dataTypesDependencies": [
+ "ESIExchangeConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeSearchAdminAuditLogBlack.png",
+ "MicrosoftExchangeSearchAdminAuditLogWhite.png"
+ ],
+ "version": "1.0.1",
+ "title": "Microsoft Exchange Search AdminAuditLog",
+ "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSearchAdminAuditLog-Online",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This workbook is dedicated to Online Exchange organizations. 
It uses the Office Activity logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Microsoft 365 (Exchange).",
+ "dataTypesDependencies": [
+ "OfficeActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Office365"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeOnlineSearchAdminAuditLogBlack.png",
+ "MicrosoftExchangeOnlineSearchAdminAuditLogWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Microsoft Exchange Search AdminAuditLog - Online",
+ "templateRelativePath": "Microsoft Exchange Search AdminAuditLog - Online.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSecurityMonitoring",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. 
Required Data Connector: Exchange Audit Event logs via Legacy Agent.",
+ "dataTypesDependencies": [
+ "ESIExchangeConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeSecurityMonitoringBlack.png",
+ "MicrosoftExchangeSecurityMonitoringWhite.png"
+ ],
+ "version": "1.0.1",
+ "title": "Microsoft Exchange Admin Activity",
+ "templateRelativePath": "Microsoft Exchange Admin Activity.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeAdminActivity-Online",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to Online Exchange organizations. It uses Office Activity logs. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. Required Data Connector: Microsoft 365 (Exchange).",
+ "dataTypesDependencies": [
+ "OfficeActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Office365"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeAdminActivity-OnlineBlack.png",
+ "MicrosoftExchangeAdminActivity-OnlineWhite.png"
+ ],
+ "version": "1.0.1",
+ "title": "Microsoft Exchange Admin Activity - Online",
+ "templateRelativePath": "Microsoft Exchange Admin Activity - Online.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSecurityReview-Online",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to Exchange Online tenants. 
It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.",
+ "dataTypesDependencies": [
+ "ESIExchangeOnlineConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnlineCollector"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeSecurityReview-OnlineBlack.png",
+ "MicrosoftExchangeSecurityReview-OnlineWhite.png"
+ ],
+ "version": "1.1.0",
+ "title": "Microsoft Exchange Security Review - Online",
+ "templateRelativePath": "Microsoft Exchange Security Review - Online.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
+ {
+ "workbookKey": "MicrosoftExchangeSecurityReview",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector.",
+ "dataTypesDependencies": [
+ "ESIExchangeConfig_CL"
+ ],
+ "dataConnectorsDependencies": [
+ "ESI-ExchangeOnPremisesCollector",
+ "ESI-ExchangeAdminAuditLogEvents"
+ ],
+ "previewImagesFileNames": [
+ "MicrosoftExchangeSecurityReviewBlack.png",
+ "MicrosoftExchangeSecurityReviewWhite.png"
+ ],
+ "version": "2.0.0",
+ "title": "Microsoft Exchange Security Review",
+ "templateRelativePath": "Microsoft Exchange Security Review.json",
+ "subtitle": "",
+ "provider": "Microsoft"
+ },
 {
 "workbookKey": "ibossMalwareAndC2Workbook",
 "logoFileName": "iboss_logo.svg",
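Review bot: The two on-premises entries whose descriptions say the workbook reads the MSExchange Management event logs (`MicrosoftExchangeSearchAdminAuditLog` and `MicrosoftExchangeSecurityMonitoring`) still declare only `ESIExchangeConfig_CL` under dataTypesDependencies while naming `ESI-ExchangeAdminAuditLogEvents` as a connector; if that connector writes the audit events to a separate table, the data-type list under-declares what the template queries and a dependency check based on this file would presumably not notice that the audit source is missing. Those same descriptions still steer users to a "Legacy Agent" connector, which is worth re-checking while these entries are being re-emitted and re-versioned. Separately, `MicrosoftExchangeSecurityReview` goes to `"version": "2.0.0"` with no other metadata change in this hunk, so the major bump presumably tracks a template change elsewhere in the commit; confirming that intent in the PR description would help whoever reads the history later.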
@@ -7165,6 +7170,126 @@
 "subtitle": "",
 "provider": "MailGuard 365"
 },
+ {
+ "workbookKey": "Mimecast_Audit_Workbook",
+ "logoFileName": "Mimecast.svg",
+ "description": "A workbook providing insights into Mimecast Audit.",
+ "dataTypesDependencies": [
+ "Audit_CL"
+ ],
+ "dataConnectorsDependencies" : ["MimecastAuditAPI"],
+ "previewImagesFileNames": [
+ "MimecastAuditBlack.png",
+ "MimecastAuditWhite.png"
+ ],
+ "version": "1.0.0",
+ "title": "Mimecast Audit Workbook",
+ "templateRelativePath": "Mimecast_Audit_Workbook.json",
+ "subtitle": "",
+ "provider": "Mimecast"
+ },
+ {
+ "workbookKey": "Mimecast_TTP_Workbook",
+ "logoFileName": "Mimecast.svg",
+ "description": "A workbook providing insights into Mimecast Targeted Threat Protection.",
+ "dataTypesDependencies": [
+ "Ttp_Attachment_CL",
+ "Ttp_Impersonation_CL",
+ "Ttp_Url_CL"
+ ],
+ "dataConnectorsDependencies" : ["MimecastTTPAPI"],
+ "previewImagesFileNames": [
+ "MimecastTTPWhite1.png",
+ "MimecastTTPWhite2.png",
+ "MimecastTTPWhite3.png",
+ "MimecastTTPBlack1.png",
+ "MimecastTTPBlack2.png",
+ "MimecastTTPBlack3.png"
+ ],
+ "version": "1.0.0",
+ "title": "Mimecast Targeted Threat Protection Workbook",
+ "templateRelativePath": "Mimecast_TTP_Workbook.json",
+ "subtitle": "",
+ "provider": "Mimecast"
+ },
+ {
+ "workbookKey": "Mimecast_Awareness_Training_Workbook",
+ "logoFileName": "Mimecast.svg",
+ "description": "A workbook providing insights into Mimecast Awareness Training.",
+ "dataTypesDependencies": [
+ "Awareness_Performance_Details_CL",
+ "Awareness_User_Data_CL",
+ "Awareness_Watchlist_Details_CL",
+ "Awareness_SafeScore_Details_CL"
+ ],
+ "dataConnectorsDependencies" : ["MimecastATAPI"],
+ "previewImagesFileNames": [
+ "MimecastAwarenessTrainingWhite1.png",
+ "MimecastAwarenessTrainingWhite2.png",
+ "MimecastAwarenessTrainingWhite3.png",
+ "MimecastAwarenessTrainingBlack1.png",
+ "MimecastAwarenessTrainingBlack2.png",
+ "MimecastAwarenessTrainingBlack3.png"
+ ],
+ "version": "1.0.0",
+ 
"title": "Mimecast Awareness Training Workbook",
+ "templateRelativePath": "Mimecast_Awareness_Training_Workbook.json",
+ "subtitle": "",
+ "provider": "Mimecast"
+ },
+ {
+ "workbookKey": "Mimecast_SEG_Workbook",
+ "logoFileName": "Mimecast.svg",
+ "description": "A workbook providing insights into Mimecast Secure Email Gateway.",
+ "dataTypesDependencies": [
+ "SEG_CG_CL",
+ "Seg_Dlp_CL"
+ ],
+ "dataConnectorsDependencies" : ["MimecastSEGAPI"],
+ "previewImagesFileNames": [
+ "MimecastSEGBlack1.png",
+ "MimecastSEGBlack2.png",
+ "MimecastSEGBlack3.png",
+ "MimecastSEGBlack4.png",
+ "MimecastSEGBlack5.png",
+ "MimecastSEGBlack6.png",
+ "MimecastSEGBlack7.png",
+ "MimecastSEGBlack8.png",
+ "MimecastDLPWhite.png",
+ "MimecastDLPBlack.png",
+ "MimecastSEGWhite1.png",
+ "MimecastSEGWhite2.png",
+ "MimecastSEGWhite3.png",
+ "MimecastSEGWhite4.png",
+ "MimecastSEGWhite5.png",
+ "MimecastSEGWhite6.png",
+ "MimecastSEGWhite7.png",
+ "MimecastSEGWhite8.png"
+ ],
+ "version": "1.0.0",
+ "title": "Mimecast Secure Email Gateway Workbook",
+ "templateRelativePath": "Mimecast_SEG_Workbook.json",
+ "subtitle": "",
+ "provider": "Mimecast"
+ },
+ {
+ "workbookKey": "Mimecast_Cloud_Integrated_Workbook",
+ "logoFileName": "Mimecast.svg",
+ "description": "A workbook providing insights into Mimecast Cloud Integrated.",
+ "dataTypesDependencies": [
+ "Cloud_Integrated_CL"
+ ],
+ "dataConnectorsDependencies" : ["MimecastCIAPI"],
+ "previewImagesFileNames": [
+ "MimecastCIWhite.png",
+ "MimecastCIBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Mimecast Cloud Integrated Workbook",
+ "templateRelativePath": "Mimecast_Cloud_Integrated_Workbook.json",
+ "subtitle": "",
+ "provider": "Mimecast"
+ },
 {
 "workbookKey": "MimecastTIRegionalWorkbook",
 "logoFileName": "Mimecast.svg",
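Review bot: All five new Mimecast entries write the connector dependency as `"dataConnectorsDependencies" : ["MimecastAuditAPI"],` (space before the colon, inline array), which is unlike the multi-line form used by every neighbouring entry in this file; writing it as `"dataConnectorsDependencies": [` / `"MimecastAuditAPI"` / `],` keeps the file uniform for anything that lints or regenerates it. In `Mimecast_SEG_Workbook` the data types `SEG_CG_CL` and `Seg_Dlp_CL` use different casing; KQL table names are case-sensitive, so both should be checked against the table names the Mimecast connector actually creates, since a mismatch here makes the dependency check pass or fail on the wrong table. The other custom table names (`Audit_CL`, `Ttp_*_CL`, `Cloud_Integrated_CL`) are generic enough to collide with custom tables from unrelated sources in the same workspace; that is a connector-schema concern rather than a metadata one, but worth flagging to the connector owner.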
@@ -8186,5 +8311,105 @@
 "templateRelativePath": "TeamCymruScout.json",
 "subtitle": "",
 "provider": "Team Cymru"
- }
-]
+ },
+ {
+ "workbookKey": "CTERA_Workbook",
+ "logoFileName": "CTERA_Logo.svg",
+ "description": "This Workbook provides an overview of CTERA log ingestion and operations, offering insights into various activities and potential security incidents.",
+ "dataTypesDependencies": [
+ "Syslog"
+ ],
+ "dataConnectorsDependencies": [
+ "CTERA"
+ ],
+ "previewImagesFileNames": [
+ "CTERASMBLogsWorkbookWhite.png",
+ "CTERASMBLogsWorkbookBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "CTERA Audit Logs Ingestion",
+ "templateRelativePath": "CTERA_Workbook.json",
+ "provider": "CTERA"
+ },
+ {
+ "workbookKey": "Data_Latency",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "The Latency Details workbook offers a comprehensive view of latency across data connectors and log sources. It shows the timestamp of the last data received and calculates the time elapsed since the last ingestion for each data source, covering both Windows and Linux machines, enabling efficient monitoring and troubleshooting of data flow.",
+ "dataTypesDependencies": [
+ "Syslog",
+ "SecurityEvents",
+ "AzureActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Syslog",
+ "SecurityEvents",
+ "AzureActivity"
+ ],
+ "previewImagesFileNames": [
+ "Data_Latency_Black.png",
+ "Data_Latency_White.png"
+ ],
+ "version": "1.0.0",
+ "title": "Data Latency Workbook",
+ "templateRelativePath": "Data_Latency_Workbook.json",
+ "subtitle": "",
+ "provider": "InspiraEnterprise",
+ "source": {
+ "kind": "Community"
+ }
+ },
+ {
+ "workbookKey": "User_Analytics",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "The User Analytics Workbook is designed to provide a comprehensive overview of individual user activities and attributes within your organization. 
This custom solution aggregates and visualizes critical data related to users, including their group memberships, personal information, sign-in activities, recently assigned roles, behaviour analysis, assigned Entra ID (Formerly known as Active Directory (AD)) roles, risk status, and any recent incidents associated with the user.\nBy consolidating this information into a single, user-friendly workbook, organizations can easily monitor and analyze user behaviour, track changes in roles and responsibilities, and assess potential risks associated with user accounts. This solution enhances your ability to conduct detailed user analytics, supporting better decision-making and improved security oversight.",
+ "dataTypesDependencies": [
+ "SigninLogs",
+ "AuditLogs",
+ "AzureActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "AzureActiveDirectory",
+ "AzureActivity"
+ ],
+ "previewImagesFileNames": [
+ "User_Analytics_Black.png",
+ "User_Analytics_White.png"
+
+ ],
+ "version": "1.0.0",
+ "title": "User Analytics",
+ "templateRelativePath": "User_Analytics_Workbook.json",
+ "subtitle": "",
+ "provider": "InspiraEnterprise",
+ "author": {
+ "name": "InspiraEnterprise"
+ }
+ },
+ {
+ "workbookKey": "Syslog-Bifurcation",
+ "logoFileName": "Azure_Sentinel.svg",
+ "description": "The Data Ingestion Comparison Hourly workbook offers a comprehensive view of ingested data, presenting the total data volume and ingestion amounts in GB, categorized by each hour. 
This breakdown helps in monitoring and comparing data ingestion trends over time, ensuring visibility into hourly ingestion patterns and potential anomalies.",
+ "dataTypesDependencies": [
+ "Syslog",
+ "SecurityEvents",
+ "AzureActivity"
+ ],
+ "dataConnectorsDependencies": [
+ "Syslog",
+ "SecurityEvents",
+ "AzureActivity"
+ ],
+ "previewImagesFileNames": [
+ "Syslog_Bifurcation_Black.png",
+ "Syslog_Bifurcation_White.png"
+ ],
+ "version": "1.0.0",
+ "title": "Syslog Bifurcation",
+ "templateRelativePath": "Syslog-Bifurcation.json",
+ "subtitle": "",
+ "provider": "InspiraEnterprise",
+ "author": {
+ "name": "InspiraEnterprise"
+ }
+ }
+]
\ No newline at end of file
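Review bot: `Data_Latency` and `Syslog-Bifurcation` list `"SecurityEvents"` under dataTypesDependencies, but that is the connector id (it appears again in the dataConnectorsDependencies block directly below each entry); the Log Analytics table is `SecurityEvent`, so the data-type entry should read `"SecurityEvent",` or a dependency check will look for a table that does not exist. `User_Analytics` declares only `SigninLogs`, `AuditLogs` and `AzureActivity`, yet its description promises risk status and recent incidents, and the template fragment at the top of this chunk renders `Severity` and `IncidentUrl` columns, which suggests the template also queries `SecurityIncident` (and possibly the Entra ID risk tables); those should be declared too, otherwise the workbook will quietly render empty panels in a workspace that lacks them. Smaller nits: `CTERA_Workbook` omits the `"subtitle"` key every other entry carries, the `User_Analytics` image array contains a stray empty `+` line, and the three InspiraEnterprise entries record provenance inconsistently (`"source": {"kind": "Community"}` on one, `"author"` on the other two).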